CN110176989A - Quantum communications service station identity identifying method and system based on unsymmetrical key pond - Google Patents
Quantum communications service station identity identifying method and system based on unsymmetrical key pond Download PDFInfo
- Publication number
- CN110176989A CN110176989A CN201910402444.0A CN201910402444A CN110176989A CN 110176989 A CN110176989 A CN 110176989A CN 201910402444 A CN201910402444 A CN 201910402444A CN 110176989 A CN110176989 A CN 110176989A
- Authority
- CN
- China
- Prior art keywords
- key
- service station
- authentication
- parameters
- signature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0852—Quantum cryptography
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/0897—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- Electromagnetism (AREA)
- Theoretical Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Storage Device Security (AREA)
Abstract
This application involves a kind of quantum communications service station identity identifying method and system based on unsymmetrical key pond, in the application, the key card used is independent hardware isolated equipment.A possibility that public key, private key and other relevant parameters are stored in the data safety area in key card, steal key by Malware or malicious operation substantially reduces, and will not be obtained and be cracked by quantum computer.Since, without the transmitting of public and private key and algorithm parameter is related to, the risk that unsymmetrical key is cracked is very low in classic network, in addition, encrypted transmission message is carried out using QKD between service station and service station, so the safety of message is greatly ensured.Key card has ensured communication security of the communicating pair in group, also greatly improves the safety of authentication.Unsymmetrical key pond solves pool of symmetric keys and brings key storage pressure to quantum communications service station simultaneously, reduces carrying cost.
Description
Technical field
This application involves safety communication technology fields, more particularly to the quantum communications service station based on unsymmetrical key pond
Identity identifying method and system.
Background technique
The Internet of rapid development brings huge convenience to people's lives, work, and people can be sitting in family
It sent and received e-mail, made a phone call by Internet, carrying out the activities such as shopping online, bank transfer.The network information security simultaneously
It is increasingly becoming a potential huge problem.In general the network information is faced with following several security risks: the network information
It is stolen, information is tampered, attacker palms off information, malicious sabotage etc..
Wherein authentication is a kind of means of one of protection people's network information.Authentication is also referred to as " identity
Verifying " or " identity identification ", refer to the process of confirmation operation person's identity in computer and computer network system, so that it is determined that
Whether the user has access and access right to certain resource, and then enables the access strategy of computer and networks system
It reliably and efficiently executes, prevents attacker from palming off the access authority that legitimate user obtains resource, guarantee the peace of system and data
Entirely, and authorization visitor legitimate interests.
And currently ensure that authentication successfully mainly relies on cryptographic technique, and in field of cryptography of today, it is main
Will there are two types of cryptographic system, first is that symmetric key cryptosystem, i.e. encryption key and decruption key use it is same.The other is
Public key cryptosystem, i.e. encryption key and decruption key difference, one of them can be disclosed.Current most identity is recognized
Card relies primarily on public key cryptography system using algorithm.
The encryption key pair (public key) and decryption key (private key) that Public Key Cryptographic Systems uses are different.Due to encryption
Key be it is disclosed, the distribution of key and management are just very simple, and Public Key Cryptographic Systems can also be easily carried out number
Signature.
Since public key encryption comes out, scholars propose many kinds of public key encryption methods, their safety is all base
In complicated difficult math question.Classified according to the difficult math question being based on, have following three classes system be presently believed to be safety and
It is effective: big integer factorization system (representative to have RSA), Discrete log systems (representative to have DSA) and ellipse from
It dissipates Logarithmic system (ECC).
But with the development of quantum computer, classical asymmetric-key encryption algorithm will be no longer safe, no matter encryption and decryption
Or private key can be calculated in key exchange method, quantum computer by public key, therefore currently used asymmetric close
Key will become cannot withstand a single blow in the quantum epoch.Quantum key distribution equipment QKD can ensure that the key of negotiation can not be acquired at present.
But QKD is mainly used for quantum main line, ustomer premises access equipment to quantum communications service station is still classic network, therefore by non-right
Claim algorithm it is difficult to ensure that authentication procedures safety.
Problem of the existing technology:
1. using pool of symmetric keys between quantum communications service station and quantum key card, capacity is huge, to quantum communications
The key storage in service station brings pressure;
2. quantum communications service station, which has to encrypt key, to be stored in commonly since pool of symmetric keys key capacity is huge
In storage medium such as hard disk, and it can not be stored in the key card in quantum communications service station;
3. causing trouble to cipher key backup since pool of symmetric keys key capacity is huge.
Summary of the invention
Based on this, it is necessary in view of the above technical problems, provide it is a kind of can reduce service station storage data quantity based on
The quantum communications service station identity identifying method in unsymmetrical key pond.
Quantum communications service station identity identifying method based on unsymmetrical key pond is implemented in masters, and the quantum is logical
Telecommunications services station authentication method includes:
The the first parameters for authentication X encrypted using first key KR1 is sent to service station, and utilizes service station public key encryption
The first key KR1;The first parameters for authentication X is used to generate first for passive side after service station is forwarded to passive side
Signature;
The 4th key KR4 of utilization masters public key encryption from service station is obtained, is encrypted using the 4th key KR4
The first parameters for authentication X, passive side provide the second parameters for authentication Y and second signature;Second signature is that service station is recognized
Card is generated after the first signature from passive side using the first parameters for authentication X and the second parameters for authentication Y;
After decrypting and verifying second signature, third label are generated using the first parameters for authentication X and the second parameters for authentication Y
Name;
The 5th key KR5 using service station public key encryption is sent to the service station and utilizes the 5th key KR5
The first parameters for authentication X, the second parameters for authentication Y of encryption and third signature;The third signature is in the service
The 4th for generating after authenticating and authenticating for passive side that stand signs.
Quantum communications service station identity identifying method based on unsymmetrical key pond is implemented in passive side, and the quantum is logical
Telecommunications services station authentication method includes:
Obtain the first parameters for authentication X and utilization that the masters of utilization the second key KR2 encryption from service station provide
Second key KR2 of passive side's public key encryption, the second parameters for authentication Y generated using the first parameters for authentication X and one's own side are raw
At the first signature;
It sends to service station using the third key KR3 of service station public key encryption and is encrypted using the third key KR3
The first parameters for authentication X, the second parameters for authentication Y and first signature;First signature is for after the certification of the service station
Generate the second signature authenticated for masters;
The 6th key KR6 using passive side's public key encryption from service station is obtained, the 6th key KR6 encryption is utilized
The signature of first parameters for authentication X, the second parameters for authentication Y and the 4th;4th signature is service station certification from masters
It is generated after third signature using the first parameters for authentication X and the second parameters for authentication Y, the third signature is masters certification described the
It is generated after two signatures;
It decrypts and verifies the 4th signature.
Quantum communications service station identity identifying method based on unsymmetrical key pond is implemented in service station, and the quantum is logical
Telecommunications services station authentication method includes:
The the first parameters for authentication X encrypted using first key KR1 from masters is obtained, and utilizes service station public key
Encryption the first key KR1, decrypt and to passive side send using the second key KR2 encrypt the first parameters for authentication X and
Utilize the second key KR2 of passive side's public key encryption;
Obtain the third key KR3 and the utilization third key KR3 using service station public key encryption from passive side
First parameters for authentication X of encryption, the signature of the second parameters for authentication Y and first that passive side provides, decrypts and verifies described first
After signing successfully, the second signature is generated using first parameters for authentication X the second parameters for authentication Y, is sent to masters and utilizes masters
4th key KR4 of public key encryption and the first parameters for authentication X using the 4th key KR4 encryption, the second parameters for authentication Y and the
Two signatures;
Obtain the 5th key KR5 and utilization the 5th key KR5 using service station public key encryption from masters
The third signature that the first parameters for authentication X, the second parameters for authentication Y and masters of encryption are provided, decrypts and verifies the third
After signing successfully, the 4th signature for passive side verifying is generated using first parameters for authentication X the second parameters for authentication Y, to quilt
Dynamic side sends the 6th key KR6 using passive side's public key encryption and the first parameters for authentication X using the 6th key KR6 encryption,
The signature of second parameters for authentication Y and the 4th.
Quantum communications service station identity identifying method based on unsymmetrical key pond, quantum communications service station authenticating party
Method includes:
Active direction service station send the first information, the first information encrypted including the use of first key KR1 first
The parameters for authentication X and first key KR1 for utilizing service station public key encryption;
The service station, which obtains and decrypts the first information Bao Houxiang passive side, sends the second information, second information
Including the use of the second key KR2 the first parameters for authentication X encrypted and utilize the second key KR2 of passive side's public key encryption;
The passive side obtains and generates the second parameters for authentication Y after decrypting second information and utilize first certification
Parameter X and the second parameters for authentication Y generates the first signature, sends third information to service station, the third information is including the use of clothes
The third key KR3 of business station public key encryption and the first parameters for authentication X encrypted using the third key KR3, the second certification ginseng
The signature of number Y and first;
The service station obtain, decrypt the third information and verify described first sign successfully after, utilize first to authenticate
Parameter X the second parameters for authentication Y generates the second signature, sends the 4th information to masters, the 4th information is including the use of actively
4th key KR4 of square public key encryption and the first parameters for authentication X using the 4th key KR4 encryption, the second parameters for authentication Y and
Second signature;
The masters obtain, decrypt the 4th information and verify described second sign successfully after, utilize first to authenticate
Parameter X, the second parameters for authentication Y generate third signature;To the service station send the 5th information, the 5th information including the use of
5th key KR5 of service station public key encryption and the first parameters for authentication X using the 5th key KR5 encryption, the second certification
Parameter Y and third signature;
The service station obtains, decrypts the 5th information and verifies after the third sign successfully, utilizes first to authenticate
Parameter X the second parameters for authentication Y generates the 4th signature for passive side verifying, sends the 6th information to passive side, and described the
Sixth key KR6 of six information including the use of passive side's public key encryption and the first parameters for authentication using the 6th key KR6 encryption
X, the second parameters for authentication Y and the 4th signature;
The passive side obtains, decrypts the 6th information and verify the 4th signature.
Further, the quantum communications service station identity based on unsymmetrical key pond is recognized in the above-mentioned technical solutions
Card method, first signature are generated using passive side's private key;Second signature and the 4th signature utilize service station side
Private key generates;The third signature is generated using masters private key.
Further, the quantum communications service station identity based on unsymmetrical key pond is recognized in the above-mentioned technical solutions
Card method, the masters are configured with masters key card, are stored with service station public key, masters in the masters key card
Public key and masters private key;The passive side is configured with passive side's key card, is stored with service station in dynamic side's key card
Public key, passive side's public key and passive side's private key;The service station is configured with service station key card, in the service station key card
It is stored with service station private key, masters public key and passive side's public key.
The application also provides a kind of active method, apparatus, including memory and processor, and the memory is stored with computer
Program, the processor realize above-mentioned quantum communications service station described herein authentication method when executing the computer program
The step of.
The application also provides a kind of passive method, apparatus, including memory and processor, and the memory is stored with computer
Program, the processor realize the step of quantum communications service station described herein authentication method when executing the computer program
Suddenly.
The application also provides a kind of service station equipment, including memory and processor, and the memory is stored with computer
Program, the processor realize the step of quantum communications service station described herein authentication method when executing the computer program
Suddenly.
The application also provides the quantum communications service station identity authorization system based on unsymmetrical key pond, including is equipped with actively
Side, passive side, service station and communication network;The masters are configured with masters key card, in the masters key card
It is stored with service station public key, masters public key and masters private key;The passive side is configured with passive side's key card, described dynamic
Service station public key, passive side's public key and passive side's private key are stored in square key card;The service station is close configured with service station
Key card is stored with service station private key, masters public key and passive side's public key in the service station key card;
The masters, passive side and service station realize that quantum communications described herein take by the communication network
The step of business station authentication method.
In the application, the key card used is independent hardware isolated equipment.Public key, private key and other relevant parameters are deposited
A possibility that storing up the data safety area in key card, stealing key by Malware or malicious operation substantially reduces, will not
It is obtained and is cracked by quantum computer.It is non-since nothing is related to the transmitting of public and private key and algorithm parameter in classic network
The risk that symmetric key is cracked is very low, in addition, encrypted transmission message is carried out using QKD between service station and service station, so
The safety of message is greatly ensured.Key card has ensured communication security of the communicating pair in group, also greatly mentions
The high safety of authentication.Unsymmetrical key pond solves pool of symmetric keys and brings key to quantum communications service station simultaneously
Pressure is stored, carrying cost is reduced.For example, the pool of symmetric keys size of original client is 1G, client number is N,
Then quantum communications service station needs to store the pool of keys of N*G, and if storage unsymmetrical key pond, it is big that client stores pool of keys
Small to be similarly 1G, quantum communications service station equally only needs to store the pool of keys of 1G size.
Detailed description of the invention
Fig. 1 is the pool of keys distribution schematic diagram of service station key card in the application;
Fig. 2 is the pool of keys distribution schematic diagram of client key card in the application;
Fig. 3 is that masters and passive side are connected to the authentication process figure under same service station;
Fig. 4 is that masters and passive side are connected to the authentication process figure under different service stations.
Specific embodiment
It is with reference to the accompanying drawings and embodiments, right in order to which the objects, technical solutions and advantages of the application are more clearly understood
The application is further elaborated.It should be appreciated that specific embodiment described herein is only used to explain the application, not
For limiting the application.Wherein the service station in the application is quantum communications service station in the case where not doing specified otherwise,
Each title in the application is subject to letter and number and is combined, such as Q, service station Q, service station indicate same meaning below,
That is service station Q;Such as first key KR1 again, KR1, true random number KR1, first key hereinafter indicate same meaning, i.e.,
One key KR1, remaining title is similarly.In concrete application scene, for ease of description, masters are assumed to be customer end A, passively
Side is assumed to be customer end B, and service station is service station Q.If the ID of customer end A is IDA, customer end A public key is PKA, and customer end A is private
Key is SKA;If the ID of customer end B is IDB, customer end B public key is PKB, and customer end B private key is SKB.
The application provides the quantum communications service station identity identifying method based on unsymmetrical key pond, in one embodiment,
Implementing the quantum communications service station authentication method in masters includes:
The the first parameters for authentication X encrypted using first key KR1 is sent to service station, and utilizes service station public key encryption
First key KR1;First parameters for authentication X is used to after service station is forwarded to passive side generate the first signature for passive side;
The 4th key KR4 of utilization masters public key encryption from service station is obtained, the encrypted using the 4th key KR4
One parameters for authentication X, the signature of the second parameters for authentication Y and second S2 that passive side provides;Second signature S2 is that service station certification comes
It is generated from after the first signature of passive side using the first parameters for authentication X and the second parameters for authentication Y;
After decrypting and verifying the second signature, third is generated using the first parameters for authentication X and the second parameters for authentication Y and is signed;
The for sending the 5th key KR5 using service station public key encryption to service station and being encrypted using the 5th key KR5
One parameters for authentication X, the second parameters for authentication Y and third signature;Third signature after service station authenticates for generating for passive side
4th signature of certification.
In concrete application scene, for ease of description, masters are assumed to be customer end A, and passive side is assumed to be client
B, service station are service station Q.Wherein customer end A is acted as follows:
The request Req with the authentication of customer end B is generated, requests in Req to include A | | B and other necessary informations, example
Such as generate the ID that uniqueness random number is requested as this;
The first parameters for authentication X and first key KR1 is generated, wherein the first parameters for authentication X and first key KR1 is truly random
Number carries out symmetric cryptography to request Req and the first parameters for authentication X using KR1 and obtains { Req | | X } KR1;
It is produced as the first signature parameter R1 of true random number, and the first signature parameter R1 is passed through into unsymmetrical key pointer letter
Cipher key location pointer kp1 is calculated in number fkp;It is taken from the service station public key pond in memory according to cipher key location pointer kp1
Service station public key PKQ1 out;First key KR1 is encrypted using service station public key PKQ1 to obtain { KR1 } PKQ1;
Combine R1, { Req | | X } KR1 and { KR1 } PKQ1 to obtain R1 | | and Req | | X } KR1 | | { KR1 } PKQ1.Customer end A
By R1 | | and Req | | X } KR1 | | { KR1 } PKQ1 is sent to service station Q;R1 | | and Req | | X } KR1 | | { KR1 } PKQ1 is used for through taking
Business station Q is forwarded to after customer end B and generates the first signature S1 for customer end B;
Receive service station Q forwarding ID authentication request reply Req | | Y | | X | | S2 | | R3 } KR4 | | { KR4 } PKA is simultaneously
Parsing obtain Req | | Y | | X | | S2 | | R3 } KR4 and { KR4 } PKA;{ KR4 } PKA is decrypted to obtain using customer end A private key SKA
4th key KR4;Using the 4th key KR4 to Req | | Y | | X | | S2 | | R3 } KR4 decrypt to obtain Req | | Y | | X | | S2 | | R3;
Wherein the second parameters for authentication Y is provided by customer end B, and third signature parameter R3 is the first signature of service station Q certification S1
The true random number generated afterwards, and for cipher key location pointer kp3 to be calculated by unsymmetrical key pointer function fkp;
Cipher key location pointer kp3 takes out from the service station private key pond in memory for providing service station Q according to cipher key location pointer
Service station private key SKQ3;Service station private key SKQ3 is for providing service station Q to Req | | Y | | X is signed to obtain the second signature
S2;
Cipher key location pointer kp3 is calculated by unsymmetrical key pointer function fkp in third signature parameter R3;According to
Cipher key location pointer takes out service station public key PKQ3 from the service station public key pond in memory;Utilize service station public key PKQ3
To Req | | Y | | the second signature S2 of X is verified;If the verification passes, then it carries out in next step, on the contrary then authentication fails;
Using customer end A private key SKA to Req | | X | | Y is signed to obtain third signature S3;
A the 5th key KR5 is generated, and using the 5th key KR5 to Req | | X | | Y | | S3 carries out symmetric cryptography and obtains
{Req||X||Y||S3}KR5;A the 4th signature parameter R4 is generated again, and the 4th signature parameter R4 is passed through into unsymmetrical key
Cipher key location pointer kp4 is calculated in pointer function fkp;According to cipher key location pointer kp4 from the service station in memory
Public key PKQ4 in service station is taken out in public key pond;The 5th key KR5 is encrypted to obtain { KR5 } using service station public key PKQ4
PKQ4;
By R4, Req | | X | | Y | | S3 KR5 and { KR5 } PKQ4 combine to obtain R4 | | Req | | X | | Y | | S3 KR5 | |
{KR5}PKQ4;R4 will be replied | | and Req | | X | | Y | | S3 } KR5 | | { KR5 } PKQ4 is sent to service station Q;Wherein third signature S3
The 4th signature S4 authenticated for customer end B is generated after service station Q certification.
Above-mentioned implementation includes in method, by carrying out to technical characteristic in the quantum communications service station authentication method of masters
It rationally derives, realizes the beneficial effect for the technical issues of being able to solve proposed in background technique.
The application provides the quantum communications service station identity identifying method based on unsymmetrical key pond, in one embodiment,
Implementing the quantum communications service station authentication method in passive side includes:
Obtain the first parameters for authentication X and utilization that the masters of utilization the second key KR2 encryption from service station provide
Second key KR2 of passive side's public key encryption generates the using the second parameters for authentication Y that the first parameters for authentication X and one's own side generate
One signature;
The for sending the third key KR3 using service station public key encryption to service station and being encrypted using third key KR3
The signature of one parameters for authentication X, the second parameters for authentication Y and first;First signature after service station authenticates for generating for masters
Second signature of certification;
The 6th key KR6 using passive side's public key encryption from service station is obtained, the 6th key KR6 encryption is utilized
The signature of first parameters for authentication X, the second parameters for authentication Y and the 4th;4th signature is third of the service station certification from masters
It is generated after signature using the first parameters for authentication X and the second parameters for authentication Y, third signature is raw after masters certification second is signed
At;
It decrypts and verifies the 4th signature.
In concrete application scene, for ease of description, masters are assumed to be customer end A, and passive side is assumed to be client
B, service station are service station Q.Wherein customer end B is acted as follows:
Receive ID authentication request { Req | | X } KR2 of service station Q forwarding | | { KR2 } PKB and parsing obtain Req | |
X } KR2 and { KR2 } PKB;{ KR2 } PKB is decrypted using customer end B private key SKB to obtain the second key KR;Utilize the second key
KR2 decrypts { Req | | X } KR2 to obtain request Req and the first parameters for authentication X;
Generating the second parameters for authentication Y, the second parameters for authentication Y is true random number;Using customer end B private key SKB to Req | | Y |
| X is signed to obtain the first signature S1;
It is produced as the third key KR3 of true random number, and using third key KR3 to Req | | Y | | X | | S1 carries out symmetrical
Encryption obtain Req | | Y | | X | | S1 KR3;It is produced as the second signature parameter R2 of true random number again, and by the second signature parameter
Cipher key location pointer kp2 is calculated by unsymmetrical key pointer function fkp in R2;According to cipher key location pointer kp2 from itself
Public key PKQ2 in service station is taken out in service station public key pond in memory.;Using service station public key PKQ2 to third key KR3 into
Row encryption obtains { KR3 } PKQ2;By R2, Req | | Y | | X | | S1 KR3 and { KR3 } PKQ2 combine to obtain R2 | | Req | | Y | | X |
|S1}KR3||{KR3}PKQ2;R2 is replied into request | | and Req | | Y | | X | | S1 } KR3 | | { KR3 } PKQ2 is sent to service station Q;
Wherein the first signature S1 is used to after service station Q certification generate the second signature S2 authenticated for customer end A;
Receive service station Q forwarding ID authentication request reply Req | | X | | Y | | S4 | | R5 } KR6 | | { KR6 } PKB is simultaneously
Parsing obtain Req | | X | | Y | | S4 | | R5 } KR6 and { KR6 } PKB;{ KR6 } PKB is decrypted to obtain using customer end B private key SKB
6th key KR6;Using the 6th key KR6 to Req | | X | | Y | | S4 | | R5 } KR6 decrypt to obtain Req | | X | | Y | | S4 | | R5;
Wherein the 4th signature S4 is generated after service station Q authenticates the third signature S3 from customer end A, and third signature S3 is customer end A
It is generated after the second signature of certification S2;
Cipher key location pointer kp5 is calculated by unsymmetrical key pointer function fkp in 5th signature parameter R5;According to
Cipher key location pointer kp5 takes out service station public key PKQ5 from the service station public key pond in memory;Utilize service station public affairs
Key PKQ5 is to Req | | X | | the 4th signature S4 of Y is verified.If the verification passes, then carry out authentication success, it is on the contrary then
Authentication failure.
Above-mentioned implementation includes in method, by carrying out to technical characteristic in the quantum communications service station authentication method of passive side
It rationally derives, realizes the beneficial effect for the technical issues of being able to solve proposed in background technique.
The application provides the quantum communications service station identity identifying method based on unsymmetrical key pond, in one embodiment,
Implement in service station, quantum communications service station authentication method includes:
The the first parameters for authentication X encrypted using first key KR1 from masters is obtained, and utilizes service station public key
The first key KR1 of encryption is decrypted and is sent the first parameters for authentication X and the utilization using the second key KR2 encryption to passive side
Second key KR2 of passive side's public key encryption;
Obtain encrypting using the third key KR3 of service station public key encryption and using third key KR3 from passive side
The first parameters for authentication X, passive side provide the second parameters for authentication Y and first signature, decrypt and verify the first signature success
Afterwards, the second signature is generated using first parameters for authentication X the second parameters for authentication Y, is sent to masters and utilizes masters public key encryption
The 4th key KR4 and using the 4th key KR4 encryption the first parameters for authentication X, the second parameters for authentication Y and second signature;
Obtain encrypting using the 5th key KR5 of service station public key encryption and using the 5th key KR5 from masters
The first parameters for authentication X, the second parameters for authentication Y and masters provide third signature, decrypt and verify third and sign successfully
Afterwards, the 4th signature verified for passive side is generated using first parameters for authentication X the second parameters for authentication Y, is sent and is utilized to passive side
6th key KR6 of passive side's public key encryption and the first parameters for authentication X, the second parameters for authentication Y encrypted using the 6th key KR6
And the 4th signature.
In concrete application scene, for ease of description, masters are assumed to be customer end A, and passive side is assumed to be client
B, service station are service station Q.Wherein service station Q is acted as follows:
Receive the request R1 that customer end A is sent | | { Req | | X } KR1 | | { KR1 } PKQ1 parses to obtain R1, { Req | | X }
KR1 and { KR1 } PKQ1;Cipher key location pointer is calculated by unsymmetrical key pointer function fkp in first signature parameter R1
kp1;Private key SKQ1 in service station is taken out from the service station private key pond in memory according to cipher key location pointer kp1;Utilize service
The private key SKQ1 that stands is decrypted to obtain first key KR1 to { KR1 } PKQ1;Using the obtained first key KR1 of decryption to Req |
| X } KR1 decrypts to obtain request Req and the first parameters for authentication X;
It is produced as the second key KR2 of true random number, and using the second key KR2 to Req | | X carries out symmetric cryptography and obtains
{Req||X}KR2;Customer end B public key PKB is removed out from client public key pond according to the IDB for including in request Req;Utilize client
B public key PKB encrypts the second key KR2 to obtain { KR2 } PKB;It combines { Req | | X } KR2 and { KR2 } PKB to obtain { Req
||X}KR2||{KR2}PKB;Will Req | | and X } KR2 | | { KR2 } PKB is sent to customer end B.
Receive the request that customer end B is sent and reply R2 | | and Req | | Y | | X | | S1 } KR3 | | { KR3 } PKQ2 parses to obtain
R2, Req | | Y | | X | | S1 } KR3 and { KR3 } PKQ2;Second signature parameter R2 is counted by unsymmetrical key pointer function fkp
Calculation obtains cipher key location pointer kp2;Clothes are taken out from the service station private key pond in memory according to cipher key location pointer kp2
Business station private key SKQ2;{ KR3 } PKQ2 is decrypted using service station private key SKQ2 to obtain third key KR3;Using decrypting
To third key KR3 to Req | | Y | | X | | S1 KR3 decrypt to obtain Req | | Y | | X | | S1.
Customer end B public key PKB is obtained, using customer end B public key PKB to Req | | Y | | the first signature S1 of X is verified;
If the verification passes, then it carries out in next step, on the contrary then authentication fails;It is produced as the third signature parameter R3 of true random number,
And cipher key location pointer kp3 is calculated by unsymmetrical key pointer function fkp in third signature parameter R3;According to secret key bits
It sets pointer kp3 and takes out private key SKQ3 in service station from the service station private key pond in memory;Utilize service station private key SKQ3
To Req | | Y | | X is signed to obtain four youngsters signature S2;
It is produced as the 4th key KR4 of true random number, and using the 4th key KR4 to Req | | Y | | X | | S2 | | R3 is carried out
Symmetric cryptography obtain Req | | Y | | X | | S2 | | R3 } KR4;Visitor is taken out from client public key pond according to the IDA for including in request Req
Family end A public key PKA;The 4th key KR4 is encrypted using customer end A public key PKA to obtain { KR4 } PKA;
Will Req | | Y | | X | | S2 | | R3 } KR4 and { KR4 } PKA combine to obtain Req | | Y | | X | | S2 | | R3 } KR4 | |
{KR4}PKA;Will Req | | Y | | X | | S2 | | R3 } KR4 | | { KR4 } PKA is sent to customer end A.
Receive the reply R4 that customer end A is sent | | and Req | | X | | Y | | S3 KR5 | | { KR5 } PKQ4 parse to obtain R4,
Req | | X | | Y | | S3 } KR5 and { KR5 } PKQ4;4th signature parameter R4 is calculated by unsymmetrical key pointer function fkp
To cipher key location pointer kp4;Service station is taken out from the service station private key pond in memory according to cipher key location pointer kp4
Private key SKQ4;{ KR5 } PKQ4 is decrypted to obtain the 5th key KR5 using service station private key SKQ4;It is obtained using decryption
5th key KR5 to Req | | X | | Y | | S3 KR5 decrypt to obtain Req | | X | | Y | | S3;
Customer end A public key PKA is obtained, using customer end A public key PKA to Req | | X | | the third signature S3 of Y is verified;
If the verification passes, then it carries out in next step, on the contrary then authentication fails;It is produced as the 5th signature parameter R5 of true random number,
And cipher key location pointer kp5 is calculated by unsymmetrical key pointer function fkp in the 5th signature parameter R5;According to secret key bits
It sets pointer kp5 and takes out private key SKQ5 in service station from the service station private key pond in memory;Utilize service station private key SKQ5
To Req | | X | | Y is signed to obtain the 4th signature S4;
It is produced as the 6th key KR6 of true random number, and using the 6th key KR6 to Req | | X | | Y | | S4 | | R5 is carried out
Symmetric cryptography obtain Req | | X | | Y | | S4 | | R5 } KR6;Customer end B public key PKB is taken out from client public key pond;Utilize client
End B public key PKB encrypts the 6th key KR6 to obtain { KR6 } PKB.
Will Req | | X | | Y | | S4 | | R5 } KR6 and { KR6 } PKB combine to obtain Req | | X | | Y | | S4 | | R5 } KR6 | |
{KR6}PKB;Will Req | | X | | Y | | S4 | | R5 } KR6 | | { KR6 } PKB is sent to customer end B.
Quantum communications service station authentication method of the above-mentioned implementation in service station includes in method, by carrying out to technical characteristic
It rationally derives, realizes the beneficial effect for the technical issues of being able to solve proposed in background technique.
The application provides the quantum communications service station identity identifying method based on unsymmetrical key pond, in one embodiment,
Quantum communications service station authentication method includes:
Active direction service station sends the first information, the first certification that the first information is encrypted including the use of first key KR1
The parameter X and first key KR1 for utilizing service station public key encryption;
Service station, which obtains and decrypts first information Bao Houxiang passive side, sends the second information, and the second information is including the use of second
First parameters for authentication X of key KR2 encryption and the second key KR2 for utilizing passive side's public key encryption;
Passive side obtains and generates the second parameters for authentication Y after decrypting the second information and utilize the first parameters for authentication X and second
Parameters for authentication Y generates the first signature, sends third information to service station, third information is including the use of the of service station public key encryption
Three key KR3 and the signature of the first parameters for authentication X, the second parameters for authentication Y and first for utilizing third key KR3 encryption;
After service station obtains, decrypts third information and verifying first is signed successfully, the first parameters for authentication X second is utilized to authenticate
Parameter Y generates the second signature, sends the 4th information to masters, the 4th information is the 4th close including the use of masters public key encryption
Key KR4 and the first parameters for authentication X encrypted using the 4th key KR4, the second parameters for authentication Y and the second signature;
After masters obtain, decrypt the 4th information and verifying second is signed successfully, recognized using the first parameters for authentication X, second
It demonstrate,proves parameter Y and generates third signature;The 5th information is sent to service station, the 5th information is including the use of the 5th of service station public key encryption
Key KR5 and the first parameters for authentication X, the second parameters for authentication Y and third signature for utilizing the 5th key KR5 encryption;
Service station obtains, the 5th information of decryption and verifies after third sign successfully, utilizes the first parameters for authentication X second certification
Parameter Y generates the 4th signature verified for passive side, sends the 6th information to passive side, the 6th information is including the use of passive side's public affairs
6th key KR6 of key encryption and the first parameters for authentication X, the second parameters for authentication Y and the 4th encrypted using the 6th key KR6
Signature;
Passive side obtains, the 6th information of decryption and verifying the 4th are signed.
In concrete application scene, for ease of description, masters are assumed to be customer end A, and passive side is assumed to be client
B, service station are service station Q.
Step 1: customer end A initiates the ID authentication request with customer end B
Include A in customer end A generation and the request Req, Req of the authentication of customer end B | | B and other necessity are believed
Breath, such as generate the ID that uniqueness random number is requested as this.Customer end A generates the X and KR1 that two are true random number, visitor
Family end A carries out symmetric cryptography to Req and X using KR1 and obtains { Req | | X } KR1.
Customer end A generates the R1 of a true random number, and the R1 of true random number is passed through unsymmetrical key pointer function fkp
Cipher key location pointer kp1 is calculated.Customer end A is public from the service station in customer end A key card according to cipher key location pointer kp1
Public key PKQ1 in service station is taken out in key pond.Customer end A encrypts KR1 using PKQ1 to obtain { KR1 } PKQ1.
Customer end A combines R1, { Req | | X } KR1 and { KR1 } PKQ1 to obtain R1 | | and Req | | X } KR1 | | { KR1 } PKQ1.
Customer end A is by R1 | | and Req | | X } KR1 | | { KR1 } PKQ1 is sent to quantum communications service station Q.
Step 2: quantum communications service station Q forwards the request to customer end B
The request R1 that service station Q is sent according to customer end A is received | | and Req | | X } KR1 | | { KR1 } PKQ1 parses to obtain
R1, Req | | and X } KR1 and { KR1 } PKQ1.Service station Q calculates the R1 of true random number by unsymmetrical key pointer function fkp
Obtain cipher key location pointer kp1.Service station Q is according to cipher key location pointer kp1 from the service station private key pond in the key card of service station
Middle taking-up service station private key SKQ1.Service station Q is decrypted to obtain KR1 using SKQ1 to { KR1 } PKQ1.Service station Q utilizes solution
Close obtained KR1 decrypts to obtain Req and X to { Req | | X } KR1.
Service station Q generates the KR2 of a true random number, and using KR2 to Req | | X progress symmetric cryptography obtain Req | |
X}KR2.Service station Q removes out the public key PKB of customer end B according to the IDB for including in Req from client public key pond.Service station Q is utilized
PKB encrypts KR2 to obtain { KR2 } PKB.
Service station Q combines { Req | | X } KR2 and { KR2 } PKB to obtain { Req | | X } KR2 | | { KR2 } PKB.Service station Q will
Req | | and X } KR2 | | { KR2 } PKB is sent to customer end B.
Step 3: customer end B replys request
Customer end B receives ID authentication request { Req | | X } KR2 of service station Q forwarding | | { KR2 } PKB and parsing is obtained
Req | | and X } KR2 and { KR2 } PKB.Customer end B decrypts to obtain KR2 using customer end B private key SKB to { KR2 } PKB.Customer end B
{ Req | | X } KR2 is decrypted to obtain Req and X using KR2.
Customer end B generates the Y of a true random number.Customer end B is using customer end B private key SKB to Req | | Y | | X is signed
Name obtains S1.Customer end B generates the KR3 of a true random number, and using KR3 to Req | | Y | | X | | S1 carries out symmetric cryptography and obtains
To Req | | Y | | X | | S1 } KR3.Customer end B generates the R2 of a true random number again, and true random number R2 is passed through asymmetric close
Cipher key location pointer kp2 is calculated in key pointer function fkp.Customer end B is according to cipher key location pointer from customer end B key card
Service station public key pond in take out service station public key PKQ2.Customer end B encrypts KR3 using PKQ2 to obtain { KR3 } PKQ2.
Customer end B by R2, Req | | Y | | X | | S1 KR3 and { KR3 } PKQ2 combine to obtain R2 | | Req | | Y | | X | | S1
KR3||{KR3}PKQ2.Request is replied R2 by customer end B | | and Req | | Y | | X | | S1 } KR3 | | it is logical that { KR3 } PKQ2 is sent to quantum
Telecommunications services station Q.
Step 4: request is replied and is forwarded to customer end A by quantum communications service station Q
Service station Q replys R2 according to the request that customer end B is sent is received | | and Req | | Y | | X | | S1 } KR3 | | { KR3 }
PKQ2 parse to obtain R2, Req | | Y | | X | | S1 KR3 and { KR3 } PKQ2.Service station Q passes through the R2 of true random number asymmetric
Cipher key location pointer kp2 is calculated in key indicator function fkp.Service station Q is according to cipher key location pointer kp2 from service station key
Private key SKQ2 in service station is taken out in service station private key pond in card.Service station Q is decrypted to obtain using SKQ2 to { KR3 } PKQ2
KR3.Service station Q using the obtained KR3 of decryption to Req | | Y | | X | | S1 KR3 decrypt to obtain Req | | Y | | X | | S1.
Service station Q obtains the public key PKB of customer end B, using public key PKB to Req | | Y | | the signature S1 of X is verified.Such as
Fruit is verified, then carries out in next step, on the contrary then authentication fails.Service station Q generates the R3 of a true random number, and will be true
Cipher key location pointer kp3 is calculated by unsymmetrical key pointer function fkp in the R3 of random number.Service station Q is according to secret key bits
It sets pointer kp3 and takes out private key SKQ3 in service station from the service station private key pond in the key card of service station.Service station Q utilizes SKQ3 pairs
Req | | Y | | X is signed to obtain S2.
Service station Q generates the KR4 of a true random number, and using KR4 to Req | | Y | | X | | S2 | | R3 carries out symmetric cryptography
Obtain Req | | Y | | X | | S2 | | R3 } KR4.Service station Q takes out customer end A from client public key pond according to the IDA for including in Req
Public key PKA.Service station Q encrypts KR4 using PKA to obtain { KR4 } PKA.
Service station Q will Req | | Y | | X | | S2 | | R3 } KR4 and { KR4 } PKA combine to obtain Req | | Y | | X | | S2 | | R3 }
KR4||{KR4}PKA.Service station Q general Req | | Y | | X | | S2 | | R3 } KR4 | | { KR4 } PKA is sent to customer end A.
Step 5: customer end A Authentication Client B is simultaneously replied
Customer end A receive service station Q forwarding ID authentication request reply Req | | Y | | X | | S2 | | R3 } KR4 | |
{ KR4 } PKA and parsing obtain Req | | Y | | X | | S2 | | R3 } KR4 and { KR4 } PKA.Customer end A utilizes customer end A private key SKA
{ KR4 } PKA is decrypted to obtain KR4.Customer end A using KR4 to Req | | Y | | X | | S2 | | R3 } KR4 decrypt to obtain Req | | Y | | X
||S2||R3。
Cipher key location pointer is calculated by unsymmetrical key pointer function fkp in the R3 of true random number by customer end A
kp3.Customer end A takes out service station public key according to cipher key location pointer kp3 from the service station public key pond in customer end A key card
PKQ3.Using public key PKQ3 to Req | | Y | | the signature S2 of X is verified.If the verification passes, then carry out in next step, it is on the contrary then
Authentication failure.
Customer end A is using customer end A private key SKA to Req | | X | | Y is signed to obtain S3.Customer end A generates one very
The KR5 of random number, and using KR5 to Req | | X | | Y | | S3 carry out symmetric cryptography obtain Req | | X | | Y | | S3 KR5.Client
A generates the R4 of a true random number again, and key is calculated by unsymmetrical key pointer function fkp in the R4 of true random number
Position indicator pointer kp4.Customer end A takes out clothes according to cipher key location pointer kp4 from the service station public key pond in customer end A key card
Business station public key PKQ4.Customer end A encrypts KR5 using PKQ4 to obtain { KR5 } PKQ4.
Customer end A by R4, Req | | X | | Y | | S3 KR5 and { KR5 } PKQ4 combine to obtain R4 | | Req | | X | | Y | | S3
KR5||{KR5}PKQ4.Customer end A will reply R4 | | and Req | | X | | Y | | S3 } KR5 | | { KR5 } PKQ4 is sent to quantum communications clothes
Business station Q.
Step 6: reply is forwarded to customer end B by quantum communications service station Q
The reply R4 that service station Q is sent according to customer end A is received | | and Req | | X | | Y | | S3 } KR5 | | { KR5 } PKQ4 solution
Analysis obtain R4, Req | | X | | Y | | S3 KR5 and { KR5 } PKQ4.Service station Q refers to the R4 of true random number by unsymmetrical key
Cipher key location pointer kp4 is calculated in needle function fkp.Service station Q is according to cipher key location pointer kp4 from the key card of service station
Private key SKQ4 in service station is taken out in the private key pond of service station.Service station Q is decrypted to obtain KR5 using SKQ4 to { KR5 } PKQ4.Clothes
Business station Q using the obtained KR5 of decryption to Req | | X | | Y | | S3 KR5 decrypt to obtain Req | | X | | Y | | S3.
Service station Q obtains the public key PKA of customer end A, using public key PKA to Req | | X | | the signature S3 of Y is verified.Such as
Fruit is verified, then carries out in next step, on the contrary then authentication fails.Service station Q generates the R5 of a true random number, and will be true
Cipher key location pointer kp5 is calculated by unsymmetrical key pointer function fkp in the R5 of random number.Service station Q is according to secret key bits
It sets pointer kp5 and takes out private key SKQ5 in service station from the service station private key pond in the key card of service station.Service station Q utilizes SKQ5 pairs
Req | | X | | Y is signed to obtain S4.
Service station Q generates the KR6 of a true random number, and using KR6 to Req | | X | | Y | | S4 | | R5 carries out symmetric cryptography
Obtain Req | | X | | Y | | S4 | | R5 } KR6.Service station Q removes out the public key PKB of customer end B from client public key pond.Service station Q
KR6 is encrypted using PKB to obtain { KR6 } PKB.
Service station Q will Req | | X | | Y | | S4 | | R5 } KR6 and { KR6 } PKB combine to obtain Req | | X | | Y | | S4 | | R5 }
KR6||{KR6}PKB.Service station Q general Req | | X | | Y | | S4 | | R5 } KR6 | | { KR6 } PKB is sent to customer end B.
Step 7: customer end B Authentication Client A
Customer end B receive service station Q forwarding ID authentication request reply Req | | X | | Y | | S4 | | R5 } KR6 | |
{ KR6 } PKB and parsing obtain Req | | X | | Y | | S4 | | R5 } KR6 and { KR6 } PKB.Customer end B utilizes customer end B private key SKB
{ KR6 } PKB is decrypted to obtain KR6.Customer end B using KR6 to Req | | X | | Y | | S4 | | R5 } KR6 decrypt to obtain Req | | X | | Y
||S4||R5。
Cipher key location pointer is calculated by unsymmetrical key pointer function fkp in the R5 of true random number by customer end B
kp5.Customer end B takes out service station public key according to cipher key location pointer kp5 from the service station public key pond in customer end B key card
PKQ5.Using public key PKQ5 to Req | | X | | the signature S4 of Y is verified.If the verification passes, then authentication success is carried out,
On the contrary then authentication fails.
Above-mentioned quantum communications service station authentication method includes, by rationally being derived to technical characteristic, realizing in method
The beneficial effect for the technical issues of being able to solve proposed in background technique.
Disclosed herein as well is the quantum communications service station identity identifying methods based on unsymmetrical key pond, in an embodiment
In, masters and passive side are located in different service station systems, and for ease of description, masters are assumed to be customer end A,
Passive side is assumed to be customer end B, and two service stations are respectively service station QA and service station QB, and customer end A and service station QA's is logical
Believe and verification process is consistent in above-mentioned technical proposal therefore is not stating;The communication of customer end B and service station QB and recognize
Therefore card process is consistent in above-mentioned technical proposal no longer to be stated, hereafter describe emphasis between service station QA and service station QB
Communication process.
By service station, QA is received for request after the request of customer end A is forwarded to service station QB:
The request R1 that service station QA is sent according to customer end A is received | | and Req | | X } KR1 | | { KR1 } PKQA1 is parsed
To R1, { Req | | X } KR1 and { KR1 } PKQA1.The R1 of true random number is passed through unsymmetrical key pointer function fkp by service station QA
Cipher key location pointer kp1 is calculated.Service station QA is according to cipher key location pointer kp1 from the service station in the QA key card of service station
Service station QA private key SKQA1 is taken out in private key pond.Service station QA is decrypted to obtain KR1 using SKQA1 to { KR1 } PKQA1.Clothes
Business station QA decrypts to obtain Req and X using the obtained KR1 of decryption to { Req | | X } KR1.
The key pair Req and X that service station QA is negotiated using QKD generate message authentication code and by message authentication codes and Req | | X
Quantum communications service station QB is sent to after symmetric cryptography.In the application, the message authentication algorithm for generating message authentication code is excellent
It is selected as hmac algorithm.
For request reply is forwarded to service station QA after replying by the request that QB receives customer end B by service station:
Service station QB replys R2 according to the request that customer end B is sent is received | | and Req | | Y | | X | | S1 } KR3 | | { KR3 }
PKQB1 parse to obtain R2, Req | | Y | | X | | S1 KR3 and { KR3 } PKQB1.It is non-right that service station QB passes through the R2 of true random number
Claim key indicator function fkp that cipher key location pointer kp2 is calculated.Service station QB is according to cipher key location pointer kp2 from service station
Service station QB private key SKQB1 is taken out in service station private key pond in QB key card.Service station QB is using SKQB1 to { KR3 } PKQB1
It is decrypted to obtain KR3.Service station QB using the obtained KR3 of decryption to Req | | Y | | X | | S1 KR3 decrypt to obtain Req | | Y |
|X||S1}。
Service station QB obtains the public key PKB of customer end B, using public key PKB to Req | | Y | | the signature S1 of X is verified.
If the verification passes, then it carries out in next step, on the contrary then authentication fails.
The key pair Req that service station QB utilizes QKD to negotiate | | Y | | X generates message authentication code and by message authentication code and Req
| | Y | | quantum communications service station QA is sent to after X symmetric cryptography.
Reply signature after receiving the signature of customer end A verifying customer end B with service station QA will reply the amount of being forwarded to of signing
For sub- communication service station QB:
The reply R4 that service station QA is sent according to customer end A is received | | and Req | | X | | Y | | S3 } KR5 | | { KR5 } PKQA3
Parsing obtain R4, Req | | X | | Y | | S3 KR5 and { KR5 } PKQA3.Service station QA passes through the R4 of true random number asymmetric close
Cipher key location pointer kp4 is calculated in key pointer function fkp.Service station QA is close from service station QA according to cipher key location pointer kp4
Service station QA private key SKQA3 is taken out in service station private key pond in key card.Service station QA carries out { KR5 } PKQA3 using SKQ4
Decryption obtains KR5.Service station QA using the obtained KR5 of decryption to Req | | X | | Y | | S3 KR5 decrypt to obtain Req | | X | | Y | |
S3}。
Service station Q obtains the public key PKA of customer end A, using public key PKA to Req | | X | | the signature S3 of Y is verified.Such as
Fruit is verified, then carries out in next step, on the contrary then authentication fails.
The key pair Req that service station QA utilizes QKD to negotiate | | X | | Y generates message authentication code and by message authentication code and Req
| | X | | quantum communications service station QB is sent to after Y symmetric cryptography.
In one embodiment, the first signature is generated using passive side's private key;Second signature and the 4th signature utilize service station
Square private key generates;Third signature is generated using masters private key.
The design makes full use of the Public Key Cryptographic Systems in asymmetric encryption that can also be easily carried out digital label
It the advantages of name, is improved efficiency while the safety for ensuring authentication procedures.
In one embodiment, masters are equipped with masters key card, are stored with service station public key in masters key card,
Masters public key and masters private key;Passive side is equipped with passive side's key card, is stored with service station public affairs in dynamic side's key card
Key, passive side's public key and passive side's private key;Service station is equipped with service station key card, is stored with service in the key card of service station
It stands private key, masters public key and passive side's public key.
The key card side of issuing in the application is the supervisor side of key card, the generally administrative department of group, such as certain
The administrative department of enterprise or public institution;The member that the key card side of being awarded is managed by the supervisor side of key card, generally certain
The employees at different levels of enterprise or public institution.Supervisor side's application that masters or the client of passive side arrive key card first is opened an account.
After masters or the client of passive side carry out registering granted, key card will be obtained (there is unique key card ID).
Key card stores client enrollment register information.Public affairs in the client key card of masters or passive side under same service station
Key pond is all downloaded from down the same Key Management server, and in the client key card of its each masters or passive side issued
The public key pond of storage is completely the same.Preferably, the pool of keys size stored in key card can be 1G, 2G, 4G, 8G,
16G, 32G, 64G, 128G, 256G, 512G, 1024G, 2048G, 4096G etc..
Key card is developed from smart card techniques, is combined with real random number generator (preferably quantum random number
Generator), cryptological technique, the authentication of hardware security isolation technology and encryption and decryption product.The embedded chip of key card and
Operating system can provide the functions such as secure storage and the cryptographic algorithm of key.Due to it with independent data-handling capacity and
Good safety, key card become the safety barrier of private key and pool of keys.Each key card has the protection of hardware PIN code,
PIN code and hardware constitute two necessary factors that user uses key card.I.e. so-called " double factor authentication, " user is only simultaneously
The key card and user's PIN code for saving relevant authentication information are obtained, it just can be with login system.Even if the PIN code of user is let out
Dew, as long as the key card that user holds is not stolen, the identity of legitimate user would not be counterfeit;If the key card of user is lost
It loses, the person of picking up also cannot counterfeit the identity of legitimate user due to not knowing user's PIN code.
In the application, key card is divided into service station key card and client key card, and client key card includes masters
Key card and passive side's key card.As shown in figure 1, the key zone of service station key card is mainly stored with client public key pond and service
It stands private key pond;In Fig. 2, the key zone of client key card is mainly stored with service station public key pond and a pair of of public private key pair.Institute
Key card is stated to be issued by Key Management server.
Key Management server can select a kind of algorithm for not only having supported encryption and decryption but also support signature before issuing key card.
Key Management server generates respective numbers according to the quantity of client and meets the number of the algorithm specification as private key and public key.
Key Management server generates the ID of respective numbers, and chooses the public private key pair of respective numbers, and public key therein and ID is taken to carry out
Combination obtains ID/ public key, and formation public key pond file in same file is written in the form of ID/ public key, i.e., above-mentioned client is public
Key pond.Meanwhile corresponding private key is also written to formation private key pond file in file by Key Management server in an identical manner,
That is client private key pond.The ID of each private key is identical as the ID of corresponding public key in client public key pond in client private key pond.It is close
Key management server generates the number for largely meeting the algorithm specification as private key and public key again.Key Management server will be public
Private key, which is respectively written into two files, forms service station public key pond and service station private key pond.Public key in the public key pond of service station with
The private key of same position is corresponding in the private key pond of service station.The first key card issued is defined as service station by Key Management server
Key card, and by service station private key pond and client public key pond and related algorithm parameter write-in key card key zone.Key
The subsequent key card issued of management server is client key card.Key Management server random number selection one is unallocated
ID distribute to key card, and public and private key and the service station public key pond of identical ID are taken from client public key pond and client private key pond
The key zone of key card is written, relevant parameter is written in key card together.
In one embodiment, a kind of computer equipment is provided, such as computer equipment can be masters hereafter
Equipment, passive method, apparatus or service station equipment, internal structure chart can be as shown in figure Y.The computer equipment includes passing through to be
Processor, memory, network interface, display screen and the input unit of bus of uniting connection.Wherein, the processor of the computer equipment
For providing calculating and control ability.The memory of the computer equipment includes non-volatile memory medium, built-in storage.This is non-
Volatile storage medium is stored with operating system and computer program.The built-in storage is the operation in non-volatile memory medium
The operation of system and computer program provides environment.The network interface of the computer equipment is used to pass through network with external terminal
Connection communication.To realize a kind of XXX method when the computer program is executed by processor.The display screen of the computer equipment can be with
It is liquid crystal display or electric ink display screen, the input unit of the computer equipment can be the touch covered on display screen
Layer, is also possible to the key being arranged on computer equipment shell, trace ball or Trackpad, can also be external keyboard, touch-control
Plate or mouse etc..
It will be understood by those skilled in the art that structure shown in Fig. 3, only part relevant to application scheme is tied
The block diagram of structure does not constitute the restriction for the computer equipment being applied thereon to application scheme, specific computer equipment
It may include perhaps combining certain components or with different component layouts than more or fewer components as shown in the figure.
In another embodiment of the application, a kind of active method, apparatus is provided, including memory and processor, memory are deposited
Computer program is contained, processor realizes quantum communications service station authenticating party in the respective embodiments described above when executing computer program
The step of method.
In another embodiment of the application, a kind of passive method, apparatus is provided, including memory and processor, memory are deposited
Computer program is contained, processor realizes quantum communications service station authenticating party in the respective embodiments described above when executing computer program
The step of method.
In another embodiment of the application, a kind of service station equipment is provided, including memory and processor, memory are deposited
Computer program is contained, processor realizes quantum communications service station authenticating party in the respective embodiments described above when executing computer program
The step of method.
Specific restriction about active method, apparatus, passive method, apparatus and service station equipment and system may refer to above
In restriction for quantum communications service station authentication method, details are not described herein.Modules in above-mentioned active method, apparatus can
It is realized fully or partially through software, hardware and combinations thereof.Above-mentioned each module can be embedded in the form of hardware or independently of meter
It calculates in the processor in machine equipment, can also be stored in a software form in the memory in computer equipment, in order to handle
Device, which calls, executes the corresponding operation of the above modules.
In another embodiment of the application, provides a kind of quantum communications service station identity based on unsymmetrical key pond and recognize
Card system, including it is equipped with masters, passive side, service station and communication network;The masters are configured with masters key card,
Service station public key, masters public key and masters private key are stored in the masters key card;The passive side is configured with
Passive side's key card is stored with service station public key, passive side's public key and passive side's private key in dynamic side's key card;The clothes
Business station is configured with service station key card, is stored with service station private key in the service station key card, masters public key and passive
Square public key;
The masters, passive side and service station realize that quantum communications take in the respective embodiments described above by communication network
The step of business station authentication method.
Each technical characteristic of above embodiments can be combined arbitrarily, for simplicity of description, not to above-described embodiment
In each technical characteristic it is all possible combination be all described, as long as however, the combination of these technical characteristics be not present lance
Shield all should be considered as described in this specification.
The several embodiments of the application above described embodiment only expresses, the description thereof is more specific and detailed, but simultaneously
It cannot therefore be construed as limiting the scope of the patent.It should be pointed out that coming for those of ordinary skill in the art
It says, without departing from the concept of this application, various modifications and improvements can be made, these belong to the protection of the application
Range.Therefore, the scope of protection shall be subject to the appended claims for the application patent.
Claims (10)
1. the quantum communications service station identity identifying method based on unsymmetrical key pond is implemented in masters, which is characterized in that institute
Stating quantum communications service station authentication method includes:
The the first parameters for authentication X encrypted using first key KR1, and the institute using service station public key encryption are sent to service station
State first key KR1;The first parameters for authentication X is used to after service station is forwarded to passive side generate the first label for passive side
Name;
The 4th key KR4 of utilization masters public key encryption from service station is obtained, the encrypted using the 4th key KR4
One parameters for authentication X, the signature of the second parameters for authentication Y and second that passive side provides;Second signature is that service station certification comes
It is generated from after the first signature of passive side using the first parameters for authentication X and the second parameters for authentication Y;
After decrypting and verifying second signature, third is generated using the first parameters for authentication X and the second parameters for authentication Y and is signed;
It sends to the service station using the 5th key KR5 of service station public key encryption and is encrypted using the 5th key KR5
The first parameters for authentication X, the second parameters for authentication Y and the third signature;The third signature in the service station for recognizing
The 4th signature authenticated for passive side is generated after card.
2. the quantum communications service station identity identifying method based on unsymmetrical key pond is implemented in passive side, which is characterized in that institute
Stating quantum communications service station authentication method includes:
The the first parameters for authentication X and utilize passively that the masters of utilization second key KR2 encryption of the acquisition from service station provide
Second key KR2 of square public key encryption generates the using the second parameters for authentication Y that the first parameters for authentication X and one's own side generate
One signature;
The for sending the third key KR3 using service station public key encryption to service station and being encrypted using the third key KR3
The signature of one parameters for authentication X, the second parameters for authentication Y and first;First signature after the certification of the service station for generating
For the second signature of masters certification;
The 6th key KR6 using passive side's public key encryption from service station is obtained, utilizes the first of the 6th key KR6 encryption
Parameters for authentication X, the second parameters for authentication Y and the 4th signature;4th signature is third of the service station certification from masters
It is generated after signature using the first parameters for authentication X and the second parameters for authentication Y, the third signature is masters certification second label
It is generated after name;
It decrypts and verifies the 4th signature.
3. the quantum communications service station identity identifying method based on unsymmetrical key pond is implemented in service station, which is characterized in that institute
Stating quantum communications service station authentication method includes:
The the first parameters for authentication X encrypted using first key KR1 from masters is obtained, and utilizes service station public key encryption
The first key KR1, decrypt simultaneously to passive side send using the second key KR2 encrypt the first parameters for authentication X and utilization
Second key KR2 of passive side's public key encryption;
Obtain encrypting using the third key KR3 of service station public key encryption and using the third key KR3 from passive side
The first parameters for authentication X, passive side provide the second parameters for authentication Y and first signature, decrypt and verify it is described first signature
After success, the second signature is generated using first parameters for authentication X the second parameters for authentication Y, is sent to masters and utilizes masters public key
4th key KR4 of encryption and the first parameters for authentication X encrypted using the 4th key KR4, the second parameters for authentication Y and the second label
Name;
Obtain encrypting using the 5th key KR5 of service station public key encryption and using the 5th key KR5 from masters
The first parameters for authentication X, the second parameters for authentication Y and the third signature that provides of masters, decrypt and verify third signature
After success, the 4th signature for passive side verifying is generated using first parameters for authentication X the second parameters for authentication Y, to passive side
The the first parameters for authentication X for sending the 6th key KR6 using passive side's public key encryption and being encrypted using the 6th key KR6, second
The signature of parameters for authentication Y and the 4th.
4. the quantum communications service station identity identifying method based on unsymmetrical key pond, which is characterized in that the quantum communications clothes
Business station authentication method include:
Active direction service station sends the first information, the first certification that the first information is encrypted including the use of first key KR1
The parameter X and first key KR1 for utilizing service station public key encryption;
The service station, which obtains and decrypts the first information Bao Houxiang passive side, sends the second information, and second information includes
Using the second key KR2 the first parameters for authentication X encrypted and utilize the second key KR2 of passive side's public key encryption;
The passive side obtains and generates the second parameters for authentication Y after decrypting second information and utilize first parameters for authentication
X and the second parameters for authentication Y generates the first signature, sends third information to service station, the third information is including the use of service station
The third key KR3 of public key encryption and using third key KR3 encryption the first parameters for authentication X, the second parameters for authentication Y with
And first signature;
The service station obtain, decrypt the third information and verify described first sign successfully after, utilize the first parameters for authentication X
Second parameters for authentication Y generates the second signature, sends the 4th information to masters, the 4th information is including the use of masters public key
4th key KR4 of encryption and the first parameters for authentication X encrypted using the 4th key KR4, the second parameters for authentication Y and the second label
Name;
The masters obtain, decrypt the 4th information and verify described second sign successfully after, utilize the first parameters for authentication
X, the second parameters for authentication Y generates third signature;The 5th information is sent to the service station, the 5th information is including the use of service
Stand the 5th key KR5 of public key encryption and the first parameters for authentication X, the second parameters for authentication Y of utilization the 5th key KR5 encryption
And the third signature;
The service station obtains, decrypts the 5th information and verifies after the third signs successfully, utilizes the first parameters for authentication X
Second parameters for authentication Y generates the 4th signature for passive side verifying, sends the 6th information, the 6th information to passive side
The 6th key KR6 including the use of passive side's public key encryption and the first parameters for authentication X using the 6th key KR6 encryption, second
The signature of parameters for authentication Y and the 4th;
The passive side obtains, decrypts the 6th information and verify the 4th signature.
5. such as the described in any item quantum communications service station identity identifying methods based on unsymmetrical key pond of Claims 1-4,
It is characterized in that, first signature is generated using passive side's private key;Second signature and the 4th signature utilize service
The side's of station private key generates;The third signature is generated using masters private key.
6. such as the described in any item quantum communications service station identity identifying methods based on unsymmetrical key pond of Claims 1-4,
It is characterized in that, the masters are configured with masters key card, it is stored with service station public key in the masters key card, it is main
Dynamic side's public key and masters private key;The passive side is configured with passive side's key card, is stored with clothes in dynamic side's key card
Business station public key, passive side's public key and passive side's private key;The service station is configured with service station key card, the service station key
Service station private key, masters public key and passive side's public key are stored in card.
7. a kind of active method, apparatus, including memory and processor, the memory are stored with computer program, feature exists
In the processor realizes quantum communications service station authentication method described in claim 1 when executing the computer program
Step.
8. a kind of passive method, apparatus, including memory and processor, the memory are stored with computer program, feature exists
In the processor realizes quantum communications service station authentication method described in claim 2 when executing the computer program
Step.
9. a kind of service station equipment, including memory and processor, the memory are stored with computer program, feature exists
In the processor realizes quantum communications service station authentication method described in claim 3 when executing the computer program
Step.
10. the quantum communications service station identity authorization system based on unsymmetrical key pond, which is characterized in that including being equipped with actively
Side, passive side, service station and communication network;The masters are configured with masters key card, in the masters key card
It is stored with service station public key, masters public key and masters private key;The passive side is configured with passive side's key card, described dynamic
Service station public key, passive side's public key and passive side's private key are stored in square key card;The service station is close configured with service station
Key card is stored with service station private key, masters public key and passive side's public key in the service station key card;
The masters, passive side and service station realize that quantum communications described in claim 4 take by the communication network
The step of business station authentication method.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910402444.0A CN110176989B (en) | 2019-05-15 | 2019-05-15 | Quantum communication service station identity authentication method and system based on asymmetric key pool |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910402444.0A CN110176989B (en) | 2019-05-15 | 2019-05-15 | Quantum communication service station identity authentication method and system based on asymmetric key pool |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110176989A true CN110176989A (en) | 2019-08-27 |
CN110176989B CN110176989B (en) | 2023-03-14 |
Family
ID=67691057
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910402444.0A Active CN110176989B (en) | 2019-05-15 | 2019-05-15 | Quantum communication service station identity authentication method and system based on asymmetric key pool |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110176989B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110493010A (en) * | 2019-09-24 | 2019-11-22 | 南京邮电大学 | Mailing system and receiving/transmission method based on Quantum Digital Signature Research |
CN113452687A (en) * | 2021-06-24 | 2021-09-28 | 中电信量子科技有限公司 | Method and system for encrypting sent mail based on quantum security key |
WO2023077280A1 (en) * | 2021-11-02 | 2023-05-11 | Huawei Technologies Co., Ltd. | Certificate-less authentication and secure communication |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109450623A (en) * | 2018-10-16 | 2019-03-08 | 如般量子科技有限公司 | Anti- quantum calculation cryptographic key negotiation method based on unsymmetrical key pond |
CN109660338A (en) * | 2018-11-19 | 2019-04-19 | 如般量子科技有限公司 | Anti- quantum calculation digital signature method and anti-quantum calculation digital signature system based on pool of symmetric keys |
-
2019
- 2019-05-15 CN CN201910402444.0A patent/CN110176989B/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109450623A (en) * | 2018-10-16 | 2019-03-08 | 如般量子科技有限公司 | Anti- quantum calculation cryptographic key negotiation method based on unsymmetrical key pond |
CN109660338A (en) * | 2018-11-19 | 2019-04-19 | 如般量子科技有限公司 | Anti- quantum calculation digital signature method and anti-quantum calculation digital signature system based on pool of symmetric keys |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110493010A (en) * | 2019-09-24 | 2019-11-22 | 南京邮电大学 | Mailing system and receiving/transmission method based on Quantum Digital Signature Research |
CN110493010B (en) * | 2019-09-24 | 2022-03-15 | 南京邮电大学 | Mail receiving and sending method of mail system based on quantum digital signature |
CN113452687A (en) * | 2021-06-24 | 2021-09-28 | 中电信量子科技有限公司 | Method and system for encrypting sent mail based on quantum security key |
WO2023077280A1 (en) * | 2021-11-02 | 2023-05-11 | Huawei Technologies Co., Ltd. | Certificate-less authentication and secure communication |
Also Published As
Publication number | Publication date |
---|---|
CN110176989B (en) | 2023-03-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Tsai | Efficient multi-server authentication scheme based on one-way hash function without verification table | |
CN110519046A (en) | Quantum communications service station cryptographic key negotiation method and system based on disposable asymmetric key pair and QKD | |
CN109728906B (en) | Anti-quantum-computation asymmetric encryption method and system based on asymmetric key pool | |
CN105553654B (en) | Key information processing method and device, key information management system | |
CN101815091A (en) | Cipher providing equipment, cipher authentication system and cipher authentication method | |
CN108566273A (en) | Identity authorization system based on quantum network | |
CN109936456B (en) | Anti-quantum computation digital signature method and system based on private key pool | |
CN109921905B (en) | Anti-quantum computation key negotiation method and system based on private key pool | |
CN110138548B (en) | Quantum communication service station key negotiation method and system based on asymmetric key pool pair and DH protocol | |
CN110505055A (en) | Based on unsymmetrical key pond to and key card outer net access identity authentication method and system | |
CN109951274A (en) | The point-to-point method for message transmission of anti-quantum calculation and system based on private key pond | |
CN109787758A (en) | Anti- quantum calculation MQV cryptographic key negotiation method and system based on private key pond and Elgamal | |
CN110176989A (en) | Quantum communications service station identity identifying method and system based on unsymmetrical key pond | |
CN110535626A (en) | The quantum communications service station secret communication method and system of identity-based | |
CN108769029A (en) | It is a kind of to application system authentication device, method and system | |
CN109728905A (en) | Anti- quantum calculation MQV cryptographic key negotiation method and system based on unsymmetrical key pond | |
CN109905229A (en) | Anti- quantum calculation Elgamal encryption and decryption method and system based on group's unsymmetrical key pond | |
CN109495244A (en) | Anti- quantum calculation cryptographic key negotiation method based on pool of symmetric keys | |
CN110365472B (en) | Quantum communication service station digital signature method and system based on asymmetric key pool pair | |
CN110866754A (en) | Pure software DPVA (distributed data authentication and privacy infrastructure) identity authentication method based on dynamic password | |
CN110098925A (en) | Based on unsymmetrical key pond to and random number quantum communications service station cryptographic key negotiation method and system | |
CN110519222A (en) | Outer net access identity authentication method and system based on disposable asymmetric key pair and key card | |
CN110380859B (en) | Quantum communication service station identity authentication method and system based on asymmetric key pool pair and DH protocol | |
CN110266483B (en) | Quantum communication service station key negotiation method, system and device based on asymmetric key pool pair and QKD | |
CN201717885U (en) | Code providing equipment and code identification system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |