CN110176989B - Quantum communication service station identity authentication method and system based on asymmetric key pool - Google Patents

Quantum communication service station identity authentication method and system based on asymmetric key pool Download PDF

Info

Publication number
CN110176989B
CN110176989B CN201910402444.0A CN201910402444A CN110176989B CN 110176989 B CN110176989 B CN 110176989B CN 201910402444 A CN201910402444 A CN 201910402444A CN 110176989 B CN110176989 B CN 110176989B
Authority
CN
China
Prior art keywords
key
service station
signature
party
authentication parameter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910402444.0A
Other languages
Chinese (zh)
Other versions
CN110176989A (en
Inventor
富尧
钟一民
余秋炜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ruban Quantum Technology Co Ltd
Original Assignee
Ruban Quantum Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ruban Quantum Technology Co Ltd filed Critical Ruban Quantum Technology Co Ltd
Priority to CN201910402444.0A priority Critical patent/CN110176989B/en
Publication of CN110176989A publication Critical patent/CN110176989A/en
Application granted granted Critical
Publication of CN110176989B publication Critical patent/CN110176989B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The application relates to a quantum communication service station identity authentication method and system based on an asymmetric key pool. The public key, the private key and other related parameters are stored in a data security zone in the key fob, so that the possibility of stealing the key by malicious software or malicious operations is greatly reduced, and the key cannot be acquired and cracked by a quantum computer. In addition, the QKD is adopted between the service stations to encrypt and transmit messages, so that the safety of the messages is greatly guaranteed. The key fob guarantees the communication security of both communication parties in the group, and also greatly improves the security of identity authentication. Meanwhile, the asymmetric key pool solves the problem that the symmetric key pool brings key storage pressure to the quantum communication service station, and the storage cost is reduced.

Description

Quantum communication service station identity authentication method and system based on asymmetric key pool
Technical Field
The application relates to the technical field of secure communication, in particular to a quantum communication service station identity authentication method and system based on an asymmetric key pool.
Background
The rapidly developing Internet brings great convenience to the life and work of people, and people can sit at home to receive and send e-mails, make calls, perform online shopping, bank transfer and other activities through the Internet. Meanwhile, network information security is becoming a potential huge problem. Generally, network information faces the following security risks: network information is stolen, information is tampered, an attacker impersonates information, malicious damage and the like.
Identity authentication is one of the means to protect people's network information. Identity authentication is also called as "identity verification" or "identity authentication" and refers to a process of confirming the identity of an operator in a computer and a computer network system, so as to determine whether the user has access and use authority to a certain resource, thereby enabling access policies of the computer and the network system to be reliably and effectively executed, preventing an attacker from impersonating a legitimate user to obtain the access authority of the resource, ensuring the security of the system and data, and authorizing the legitimate benefit of the accessor.
However, the current method for ensuring the success of identity authentication mainly depends on cryptographic technology, and in the field of cryptography today, there are two kinds of cryptographic systems, one is a symmetric key cryptographic system, i.e. the encryption key and the decryption key use the same key. The other is a public key cryptosystem, i.e. the encryption key and the decryption key are different, one of which may be public. At present, most of identity authentication algorithms mainly rely on a public key cryptography.
Public key cryptography systems employ different encryption keys (public keys) and decryption keys (private keys). Since the encryption key is public, the distribution and management of the key is simple, and the public key encryption system can easily implement digital signature.
Since the public key encryption was introduced, scholars have proposed a variety of public key encryption methods, the security of which is based on complex mathematical problems. Classified according to the mathematical problem on which they are based, there are three categories of systems currently considered safe and effective: large integer factorization systems (typically RSA), discrete logarithm systems (typically DSA), and elliptic discrete logarithm systems (ECC).
However, with the development of quantum computers, the classical asymmetric key encryption algorithm is no longer secure, and the quantum computer can obtain a private key through public key calculation no matter the encryption and decryption method or the key exchange method, so that the currently used asymmetric key becomes unbearable in the quantum era. The quantum key distribution device QKD can now ensure that the negotiated key cannot be obtained. However, the QKD is mainly used for quantum trunk, and the user end device to the quantum communication service station is still a classical network, so that it is difficult to ensure the security of the identity authentication process by means of an asymmetric algorithm.
The problems existing in the prior art are as follows:
1. a symmetric key pool is used between the quantum communication service station and the quantum key card, and the capacity of the symmetric key pool is huge, so that pressure is brought to key storage of the quantum communication service station;
2. because the key capacity of the symmetric key pool is huge, the quantum communication service station has to encrypt and store the key in a common storage medium such as a hard disk, but cannot store the key in a key card of the quantum communication service station;
3. the key backup is troublesome due to the huge capacity of the keys in the symmetric key pool.
Disclosure of Invention
In view of the foregoing, it is necessary to provide a quantum communication service station identity authentication method based on asymmetric key pools, which can reduce the amount of data stored in the service station.
The quantum communication service station identity authentication method based on the asymmetric key pool is implemented on an active side and comprises the following steps:
sending a first authentication parameter X encrypted by a first key KR1 and the first key KR1 encrypted by a public key of a service station to the service station; the first authentication parameter X is used for generating a first signature by the passive party after being forwarded to the passive party by the service station;
acquiring a fourth key KR4 encrypted by using a public key of an active party from a service station, a first authentication parameter X encrypted by using the fourth key KR4, a second authentication parameter Y provided by a passive party and a second signature; the second signature is generated by using a first authentication parameter X and a second authentication parameter Y after the service station authenticates the first signature from the passive party;
after the second signature is decrypted and verified, a third signature is generated by utilizing the first authentication parameter X and the second authentication parameter Y;
sending a fifth key KR5 encrypted by a service station public key and a first authentication parameter X, a second authentication parameter Y and the third signature encrypted by the fifth key KR5 to the service station; the third signature is used for generating a fourth signature for the passive party to authenticate after the service station authenticates.
The quantum communication service station identity authentication method based on the asymmetric key pool is implemented on a passive side, and comprises the following steps:
acquiring a first authentication parameter X provided by an active party and encrypted by using a second key KR2 from a service station and a second key KR2 encrypted by using a passive party public key, and generating a first signature by using the first authentication parameter X and a second authentication parameter Y generated by the own party;
sending a third key KR3 encrypted by using a public key of the service station and a first authentication parameter X, a second authentication parameter Y and a first signature encrypted by using the third key KR3 to the service station; the first signature is used for generating a second signature for authentication of the active party after the service station authenticates;
acquiring a sixth secret key KR6 encrypted by using the public key of the passive party from the service station, a first authentication parameter X encrypted by using the sixth secret key KR6, a second authentication parameter Y and a fourth signature; the fourth signature is generated by the service station by using a first authentication parameter X and a second authentication parameter Y after authenticating a third signature from the master, and the third signature is generated by the master after authenticating the second signature;
decrypting and verifying the fourth signature.
The quantum communication service station identity authentication method based on the asymmetric key pool is implemented in a service station, and comprises the following steps:
acquiring a first authentication parameter X encrypted by using a first key KR1 from an active party and the first key KR1 encrypted by using a public key of a service station, decrypting and sending the first authentication parameter X encrypted by using a second key KR2 and the second key KR2 encrypted by using a public key of a passive party to the passive party;
the method comprises the steps of obtaining a third secret key KR3 encrypted by a service station public key from a passive party, a first authentication parameter X encrypted by the third secret key KR3, a second authentication parameter Y and a first signature provided by the passive party, decrypting and verifying the first signature successfully, then generating a second signature by using the first authentication parameter X and the second authentication parameter Y, and sending a fourth secret key KR4 encrypted by an active party public key and the first authentication parameter X, the second authentication parameter Y and the second signature encrypted by the fourth secret key KR4 to the active party;
the method comprises the steps of obtaining a fifth secret key KR5 encrypted by a service station public key from an active party, a first authentication parameter X and a second authentication parameter Y encrypted by the fifth secret key KR5 and a third signature provided by the active party, decrypting and verifying the third signature successfully, generating a fourth signature for the passive party to verify by the first authentication parameter X and the second authentication parameter Y, and sending a sixth secret key KR6 encrypted by a passive party public key and the first authentication parameter X, the second authentication parameter Y and the fourth signature encrypted by the sixth secret key KR6 to the passive party.
The quantum communication service station identity authentication method based on the asymmetric key pool comprises the following steps:
the active side sends first information to a service station, wherein the first information comprises a first authentication parameter X encrypted by a first secret key KR1 and the first secret key KR1 encrypted by a public key of the service station;
the service station acquires and decrypts the first information packet and sends second information to the passive party, wherein the second information comprises a first authentication parameter X encrypted by using a second key KR2 and the second key KR2 encrypted by using a public key of the passive party;
the passive party acquires and decrypts the second information to generate a second authentication parameter Y, generates a first signature by using the first authentication parameter X and the second authentication parameter Y, and sends third information to the service station, wherein the third information comprises a third secret key KR3 encrypted by using a public key of the service station and a first authentication parameter X, a second authentication parameter Y and a first signature encrypted by using the third secret key KR3;
after the service station acquires and decrypts the third information and verifies that the first signature is successful, a second signature is generated by using a first authentication parameter X and a second authentication parameter Y, and fourth information is sent to the active party, wherein the fourth information comprises a fourth secret key KR4 encrypted by using a public key of the active party and the first authentication parameter X, the second authentication parameter Y and the second signature encrypted by using the fourth secret key KR4;
after the master party acquires and decrypts the fourth information and verifies that the second signature is successful, a third signature is generated by using a first authentication parameter X and a second authentication parameter Y; sending fifth information to the service station, wherein the fifth information comprises a fifth key KR5 encrypted by using a service station public key and a first authentication parameter X, a second authentication parameter Y and the third signature encrypted by using the fifth key KR5;
after the service station acquires and decrypts the fifth information and successfully verifies the third signature, a fourth signature for verification of the passive party is generated by using a first authentication parameter X and a second authentication parameter Y, and sixth information is sent to the passive party, wherein the sixth information comprises a sixth secret key KR6 encrypted by using a public key of the passive party and the first authentication parameter X, the second authentication parameter Y and the fourth signature encrypted by using the sixth secret key KR6;
and the passive party acquires and decrypts the sixth information and verifies the fourth signature.
Further, in the method for authenticating an identity of a quantum communication service station based on an asymmetric key pool in the above technical solution, the first signature is generated by using a private key of a passive party; the second signature and the fourth signature are generated by using a private key of a service station side; the third signature is generated using an active private key.
Further, in the method for authenticating an identity of a quantum communication service station based on an asymmetric key pool in the above technical solution, the active party is configured with an active party key fob, and a service station public key, an active party public key and an active party private key are stored in the active party key fob; the passive party is configured with a passive party key fob, and a service station public key, a passive party public key and a passive party private key are stored in the mobile party key fob; the service station is configured with a service station key card, and a service station private key, an active party public key and a passive party public key are stored in the service station key card.
The application also provides an active side device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the quantum communication service station authentication method in the application when executing the computer program.
The application also provides a passive side device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of the quantum communication service station authentication method in the application when executing the computer program.
The application further provides a service station device, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the quantum communication service station authentication method in this application when executing the computer program.
The application also provides an asymmetric key pool-based quantum communication service station identity authentication system, which comprises an active party, a passive party, a service station and a communication network; the active party is configured with an active party key card, and a service station public key, an active party public key and an active party private key are stored in the active party key card; the passive side is provided with a passive side key card, and a service station public key, a passive side public key and a passive side private key are stored in the mobile side key card; the service station is configured with a service station key card, and a service station private key, an active party public key and a passive party public key are stored in the service station key card;
the active side, the passive side and the service station realize the steps of the quantum communication service station authentication method in the application through the communication network.
In the present application, the key fob used is a stand-alone hardware isolation device. The public key, the private key and other related parameters are stored in a data security zone in the key fob, so that the possibility of stealing the key by malicious software or malicious operations is greatly reduced, and the key cannot be acquired and cracked by a quantum computer. In addition, the QKD is adopted between the service stations to encrypt and transmit messages, so that the safety of the messages is greatly guaranteed. The key fob guarantees the communication security of both communication parties in the group, and also greatly improves the security of identity authentication. Meanwhile, the asymmetric key pool solves the problem that the symmetric key pool brings key storage pressure to the quantum communication service station, and the storage cost is reduced. For example, the size of the symmetric key pool of the original client is 1G, and the number of the clients is N, the quantum communication service station needs to store a key pool of N × G, whereas if the asymmetric key pool is stored, the size of the client storage key pool is also 1G, and the quantum communication service station also only needs to store a key pool of 1G.
Drawings
Fig. 1 is a schematic diagram of key pool distribution of a service station key fob in the present application;
FIG. 2 is a schematic diagram of key pool distribution for a client key fob according to the present application;
FIG. 3 is a flowchart of the identity authentication process when the active and passive parties are connected to the same service station;
fig. 4 is a flowchart of the identity authentication process when the active party and the passive party are connected to different service stations.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. The service stations in the application are quantum communication service stations under the condition that no special description is made, all names in the application are subject to letter and number combination, such as Q and Q, and the service stations are expressed in the same meaning hereinafter, namely Q; for example, the first keys KR1, true random number KR1, the first keys are defined as the same meaning, i.e., the first key KR1, and the rest of the names are the same. In a specific application scenario, for convenience of description, the active side is assumed to be a client a, the passive side is assumed to be a client B, and the service station is assumed to be a service station Q. Setting the ID of the client A as IDA, the public key of the client A as PKA, and the private key of the client A as SKA; and setting the ID of the client B as IDB, the public key of the client B as PKB and the private key of the client B as SKB.
The application provides an asymmetric key pool-based quantum communication service station identity authentication method, which comprises the following steps that in one embodiment, when an active side is implemented, the authentication method of the quantum communication service station comprises the following steps:
sending a first authentication parameter X encrypted by a first key KR1 and the first key KR1 encrypted by a public key of the service station to the service station; the first authentication parameter X is used for being forwarded to the passive party through the service station and then being provided for the passive party to generate a first signature;
acquiring a fourth key KR4 encrypted by using the public key of the active party from the service station, a first authentication parameter X encrypted by using the fourth key KR4, a second authentication parameter Y provided by the passive party and a second signature S2; the second signature S2 is generated by the service station by using the first authentication parameter X and the second authentication parameter Y after the service station authenticates the first signature from the passive party;
after the second signature is decrypted and verified, a third signature is generated by using the first authentication parameter X and the second authentication parameter Y;
sending a fifth secret key KR5 encrypted by using the public key of the service station and a first authentication parameter X, a second authentication parameter Y and a third signature encrypted by using the fifth secret key KR5 to the service station; the third signature is used for generating a fourth signature for the passive party to authenticate after the service station authenticates.
In a specific application scenario, for convenience of description, the active side is assumed to be a client a, the passive side is assumed to be a client B, and the service station is assumed to be a service station Q. Wherein the client a performs the following actions:
generating a request Req for identity authentication with the client B, wherein the request Req contains a | | B and other necessary information, such as a unique random number generated as an ID of the request;
generating a first authentication parameter X and a first secret key KR1, wherein the first authentication parameter X and the first secret key KR1 are true random numbers, and symmetrically encrypting the request Req and the first authentication parameter X by using KR1 to obtain { Req | | X } KR1;
generating a first signature parameter R1 which is a true random number, and calculating the first signature parameter R1 through an asymmetric key pointer function fkp to obtain a key position pointer kp1; taking out a service station public key PKQ1 from a service station public key pool in a memory according to the key position pointer kp1; encrypting the first key KR1 by using the public key PKQ1 of the service station to obtain { KR1} PKQ1;
and combining the R1, { Req | | | X } KR1 and { KR1} PKQ1 to obtain the R1| { Req | | | | X } KR1| | { KR1} PKQ1. The client A sends R1| { Req | | | X } KR1| | { KR1} PKQ1 to the service station Q; the R1| { Req | | | X } KR1| | { KR1} PKQ1 is used for being forwarded to the client B through the service station Q and then used for the client B to generate a first signature S1;
receiving the identity authentication request forwarded by the service station Q to reply to { Req Y X S2R 3} KR4 { KR4} PKA and analyzing to obtain { Req Y X S2R 3} KR4 and { KR4} PKA; decrypting the { KR4} PKA by using a private key SKA of the client A to obtain a fourth secret key KR4; decrypting { Req Y X S2R 3} KR4 by using a fourth key KR4 to obtain Req Y X S2R 3;
the second authentication parameter Y is provided by the client B, and the third signature parameter R3 is a true random number generated after the service station Q authenticates the first signature S1, and is used to obtain a key position pointer kp3 through calculation of an asymmetric key pointer function fkp; the key position pointer kp3 is used for providing the service station Q to take out a service station private key SKQ3 from a service station private key pool in the memory according to the key position pointer; the service station private key SKQ3 is used for providing the service station Q to sign Req Y X to obtain a second signature S2;
calculating the third signature parameter R3 through an asymmetric key pointer function fkp to obtain a key position pointer kp3; taking out a service station public key PKQ3 from a service station public key pool in a memory according to the key position pointer; verifying a second signature S2 of Req Y X by using a public key PKQ3 of the service station; if the verification is passed, the next step is carried out, otherwise, the identity authentication is failed;
signing Req X Y by using a private key SKA of the client A to obtain a third signature S3;
generating a fifth key KR5, and symmetrically encrypting Req X Y S3 by using the fifth key KR5 to obtain { Req X Y S3} KR5; generating a fourth signature parameter R4, and calculating the fourth signature parameter R4 through an asymmetric key pointer function fkp to obtain a key position pointer kp4; taking out a service station public key PKQ4 from a service station public key pool in a memory of the service station public key pool according to the key position pointer kp4; encrypting the fifth key KR5 by using the service station public key PKQ4 to obtain { KR5} PKQ4;
combining R4, { Req | | X | | Y | | | S3} KR5 and { KR5} PKQ4 to obtain R4| { Req | | X | | Y | | S3} KR5| | { KR5} PKQ4; sending the recovered R4| { Req | | X | | Y | | | S3} KR5| | { KR5} PKQ4 to the service station Q; wherein the third signature S3 generates a fourth signature S4 for the client B to authenticate after the service station Q authenticates.
In the quantum communication service station authentication method implemented on the active side, the technical characteristics are reasonably deduced, so that the beneficial effect of solving the technical problems in the background art is achieved.
The application provides a quantum communication service station identity authentication method based on an asymmetric key pool, and in one embodiment, the quantum communication service station authentication method implemented on a passive side comprises the following steps:
acquiring a first authentication parameter X provided by an active party and encrypted by using a second key KR2 from a service station and a second key KR2 encrypted by using a public key of a passive party, and generating a first signature by using the first authentication parameter X and a second authentication parameter Y generated by the own party;
sending a third secret key KR3 encrypted by using the public key of the service station and a first authentication parameter X, a second authentication parameter Y and a first signature encrypted by using the third secret key KR3 to the service station; the first signature is used for generating a second signature for the authentication of the active party after the authentication of the service station;
acquiring a sixth secret key KR6 encrypted by using the public key of the passive party from the service station, a first authentication parameter X encrypted by using the sixth secret key KR6, a second authentication parameter Y and a fourth signature; the fourth signature is generated by the service station by using the first authentication parameter X and the second authentication parameter Y after authenticating the third signature from the active party, and the third signature is generated by the active party after authenticating the second signature;
the fourth signature is decrypted and verified.
In a specific application scenario, for convenience of description, the active side is assumed to be a client a, the passive side is assumed to be a client B, and the service station is assumed to be a service station Q. Wherein the client B performs the following actions:
receiving an identity authentication request { Req | | X } KR2| | { KR2} PKB forwarded by a service station Q, and analyzing to obtain { Req | | X } KR2 and { KR2} PKB; decrypting the { KR2} PKB by using a private key SKB of the client B to obtain a second key KR; decrypting the { Req | X } KR2 by using a second key KR2 to obtain a request Req and a first authentication parameter X;
generating a second authentication parameter Y, wherein the second authentication parameter Y is a true random number; signing Req Y X by using a private key SKB of a client B to obtain a first signature S1;
generating a third key KR3 which is a true random number, and symmetrically encrypting Req Y X S1 by using the third key KR3 to obtain { Req Y X S1} KR3; generating a second signature parameter R2 which is a true random number, and calculating the second signature parameter R2 through an asymmetric key pointer function fkp to obtain a key position pointer kp2; and taking out the service station public key PKQ2 from the service station public key pool in the memory of the service station public key according to the key position pointer kp2. (ii) a Encrypting the third key KR3 by using the public key PKQ2 of the service station to obtain { KR3} PKQ2; combining R2, { Req | | Y | | X | | | S1} KR3 and { KR3} PKQ2 to obtain R2| { Req | | Y | | X | | S1} KR3| { KR3} PKQ2; sending a request reply R2| { Req | | Y | | | X | | S1} KR3| | { KR3} PKQ2 to a service station Q;
the first signature S1 is used for generating a second signature S2 for the authentication of the client A after the authentication of the service station Q;
receiving the identity authentication request forwarded by the service station Q to reply to { Req | | | X | | Y | | S4| | R5} KR6| { KR6} PKB, and analyzing to obtain { Req | | | X | Y | | S4| | R5} KR6 and { KR6} PKB; decrypting the { KR6} PKB by using a private key SKB of the client B to obtain a sixth secret key KR6; decrypting the { Req X Y S4R 5} KR6 by using a sixth key KR6 to obtain Req X Y S4R 5; the fourth signature S4 is generated after the service station Q authenticates the third signature S3 from the client a, and the third signature S3 is generated after the client a authenticates the second signature S2;
calculating a fifth signature parameter R5 through an asymmetric key pointer function fkp to obtain a key position pointer kp5; taking out a service station public key PKQ5 from a service station public key pool in a memory of the service station public key pool according to the key position pointer kp5; the fourth signature S4 of Req | | | X | | Y is verified with the service station public key PKQ5. If the verification is passed, the identity authentication is successfully carried out, otherwise, the identity authentication is failed.
In the method for authenticating the quantum communication service station of the passive side, the technical characteristics are reasonably deduced, so that the method has the beneficial effect of solving the technical problems in the background technology.
The application provides an asymmetric key pool-based quantum communication service station identity authentication method, which is implemented in a service station in one embodiment and comprises the following steps:
acquiring a first authentication parameter X encrypted by using a first key KR1 from an active party and the first key KR1 encrypted by using a public key of a service station, decrypting and sending the first authentication parameter X encrypted by using a second key KR2 and the second key KR2 encrypted by using a public key of a passive party to the passive party;
the method comprises the steps of obtaining a third secret key KR3 encrypted by a service station public key from a passive party, a first authentication parameter X encrypted by the third secret key KR3, a second authentication parameter Y and a first signature provided by the passive party, decrypting and verifying the first signature successfully, then generating a second signature by using the first authentication parameter X and the second authentication parameter Y, and sending a fourth secret key KR4 encrypted by an active party public key and the first authentication parameter X, the second authentication parameter Y and the second signature encrypted by the fourth secret key KR4 to the active party;
the method comprises the steps of obtaining a fifth secret key KR5 which is encrypted by a public key of a service station from an active party, a first authentication parameter X and a second authentication parameter Y which are encrypted by the fifth secret key KR5, and a third signature which is provided by the active party, decrypting and verifying the third signature successfully, generating a fourth signature which is verified by the passive party by the first authentication parameter X and the second authentication parameter Y, and sending a sixth secret key KR6 which is encrypted by a public key of the passive party, the first authentication parameter X and the second authentication parameter Y which are encrypted by the sixth secret key KR6, and the fourth signature to the passive party.
In a specific application scenario, for convenience of description, the active side is assumed to be a client a, the passive side is assumed to be a client B, and the service station is assumed to be a service station Q. Wherein the service station Q performs the following actions:
receiving a request R1| { Req | | X } KR1| | { KR1} PKQ1 sent by a client A, analyzing to obtain R1, { Req | | X } KR1 and { KR1} PKQ1; calculating the first signature parameter R1 through an asymmetric key pointer function fkp to obtain a key position pointer kp1; taking out a service station private key SKQ1 from a service station private key pool in a memory according to the key position pointer kp1; decrypting the { KR1} PKQ1 by using a private key SKQ1 of the service station to obtain a first key KR1; decrypting the { Req | X } KR1 by using the decrypted first key KR1 to obtain a request Req and a first authentication parameter X;
generating a second key KR2 which is a true random number, and symmetrically encrypting Req | X by using the second key KR2 to obtain { Req | X } KR2; the public key PKB of the client is sent out from the public key pool of the client according to the IDB contained in the request Req; encrypting the second key KR2 by using the public key PKB of the client B to obtain { KR2} PKB; combining { ReqlX } KR2 and { KR2} PKB to obtain { ReqlX } KR2| { KR2} PKB; { Req | | X } KR2| | { KR2} PKB is sent to client B.
The method comprises the steps that R2| { Req | | | Y | | | X | | S1} KR3| { KR3} PKQ2 is replied by receiving a request sent by a client B, and R2, { Req | | Y | X | | S1} KR3 and { KR3} PKQ2 are obtained through analysis; calculating a second signature parameter R2 through an asymmetric key pointer function fkp to obtain a key position pointer kp2; taking out a service station private key SKQ2 from a service station private key pool in a memory of the service station private key according to the key position pointer kp2; decrypting the { KR3} PKQ2 by using a private key SKQ2 of the service station to obtain a third key KR3; and decrypting the { Req Y X S1} KR3 by using the decrypted third key KR3 to obtain { Req Y X S1}.
Acquiring a public key PKB of the client B, and verifying a first signature S1 of Req | | | Y | | X by using the public key PKB of the client B; if the verification is passed, the next step is carried out, otherwise, the identity authentication is failed; generating a third signature parameter R3 which is a true random number, and calculating the third signature parameter R3 through an asymmetric key pointer function fkp to obtain a key position pointer kp3; taking out a service station private key SKQ3 from a service station private key pool in a memory of the service station private key according to the key position pointer kp3; signing Req Y X by using a private key SKQ3 of a service station to obtain a quadric signature S2;
generating a fourth key KR4 which is a true random number, and symmetrically encrypting Req Y X S2R 3 by using the fourth key KR4 to obtain { Req Y X S2R 3} KR4; taking out a public key PKA of the client A from the public key pool of the client according to the IDA contained in the request Req; encrypting the fourth key KR4 by using the public key PKA of the client A to obtain { KR4} PKA;
combining { Req | | Y | | X | | S2| | | R3} KR4 and { KR4} PKA to obtain { Req | | Y | | X | S2| | R3} KR4| | { KR4} PKA; and sending { Req | | Y | | X | | S2| | | R3} KR4| | { KR4} PKA to the client A.
Receiving a reply R4| { Req | | | X | | Y | | S3} KR5| | { KR5} PKQ4 sent by the client A, analyzing to obtain R4, { Req | | | X | | Y | | S3} KR5 and { KR5} PKQ4; calculating a fourth signature parameter R4 through an asymmetric key pointer function fkp to obtain a key position pointer kp4; taking out a service station private key SKQ4 from a service station private key pool in a memory of the service station private key according to a key position pointer kp4; decrypting the { KR5} PKQ4 by using a private key SKQ4 of the service station to obtain a fifth key KR5; decrypting the { Req | | X | | | Y | | | S3} KR5 by using the decrypted fifth key KR5 to obtain { Req | | X | | Y | | | S3};
obtaining a client A public key PKA, and verifying a third signature S3 of Req | | | X | | Y by using the client A public key PKA; if the verification is passed, the next step is carried out, otherwise, the identity authentication is failed; generating a fifth signature parameter R5 which is a true random number, and calculating the fifth signature parameter R5 through an asymmetric key pointer function fkp to obtain a key position pointer kp5; taking out a service station private key SKQ5 from a service station private key pool in a memory of the service station private key according to the key position pointer kp5; signing Req X Y by using a private key SKQ5 of the service station to obtain a fourth signature S4;
generating a sixth key KR6 which is a true random number, and symmetrically encrypting Req X Y S4R 5 by using the sixth key KR6 to obtain { Req X Y S4R 5} KR6; taking out a public key PKB of the client B from the client public key pool; and encrypting the sixth key KR6 by using the public key PKB of the client B to obtain { KR6} PKB.
Combining { Req | | X | | Y | | S4| | | R5} KR6 and { KR6} PKB to obtain { Req | | | X | | Y | | S4| | R5} KR6| | { KR6} PKB; and sending { Req | | | X | | Y | | | S4| | R5} KR6| | { KR6} PKB to the client B.
In the quantum communication service station authentication method implemented in the service station, the technical characteristics are reasonably deduced, so that the technical problem in the background art can be solved.
The application provides an asymmetric key pool-based quantum communication service station identity authentication method, which in one embodiment comprises the following steps:
the method comprises the steps that a first message is sent to a service station by an active side, wherein the first message comprises a first authentication parameter X encrypted by a first secret key KR1 and the first secret key KR1 encrypted by a public key of the service station;
the service station acquires and decrypts the first information packet and then sends second information to the passive party, wherein the second information comprises a first authentication parameter X encrypted by using a second key KR2 and a second key KR2 encrypted by using a public key of the passive party;
the passive side acquires and decrypts the second information to generate a second authentication parameter Y, generates a first signature by using the first authentication parameter X and the second authentication parameter Y, and sends third information to the service station, wherein the third information comprises a third secret key KR3 encrypted by using the public key of the service station and the first authentication parameter X, the second authentication parameter Y and the first signature encrypted by using the third secret key KR3;
after the service station acquires and decrypts the third information and verifies that the first signature is successful, a second signature is generated by using a first authentication parameter X and a second authentication parameter Y, and fourth information is sent to the active party, wherein the fourth information comprises a fourth secret key KR4 encrypted by using a public key of the active party and the first authentication parameter X, the second authentication parameter Y and the second signature encrypted by using the fourth secret key KR4;
after the master side acquires and decrypts the fourth information and verifies that the second signature is successful, a third signature is generated by using the first authentication parameter X and the second authentication parameter Y; sending fifth information to the service station, wherein the fifth information comprises a fifth secret key KR5 encrypted by using the public key of the service station and a first authentication parameter X, a second authentication parameter Y and a third signature encrypted by using the fifth secret key KR5;
after the service station acquires and decrypts the fifth information and successfully verifies the third signature, a fourth signature for verification by the passive party is generated by using the first authentication parameter X and the second authentication parameter Y, and sixth information is sent to the passive party, wherein the sixth information comprises a sixth secret key KR6 encrypted by using a public key of the passive party and the first authentication parameter X, the second authentication parameter Y and the fourth signature encrypted by using the sixth secret key KR6;
and the passive party acquires and decrypts the sixth information and verifies the fourth signature.
In a specific application scenario, for convenience of description, the active side is assumed to be a client a, the passive side is assumed to be a client B, and the service station is assumed to be a service station Q.
Step 1: client A initiates an identity authentication request with client B
The client a generates a request Req for identity authentication with the client B, and the Req contains a | | B and other necessary information, for example, generates a unique random number as the ID of the current request. The client A generates two X and KR1 which are true random numbers, and the client A symmetrically encrypts the Req and the X by using the KR1 to obtain { Req | | X } KR1.
The client A generates a R1 of the true random number, and calculates the R1 of the true random number through an asymmetric key pointer function fkp to obtain a key position pointer kp1. And the client A takes out the service station public key PKQ1 from the service station public key pool in the key card of the client A according to the key position pointer kp1. The client A encrypts KR1 by using PKQ1 to obtain { KR1} PKQ1.
The client A combines the R1, { Req | | X } KR1 and { KR1} PKQ1 to obtain R1| | { Req | | | X } KR1| | { KR1} PKQ1. The client A sends R1| { Req | | X } KR1| | { KR1} PKQ1 to the quantum communication service station Q.
Step 2: the quantum communication service station Q forwards the request to the client B
The service station Q analyzes the received request R1| | { Req | | | X } KR1| | { KR1} PKQ1 sent by the client A to obtain R1, { Req | | X } KR1 and { KR1} PKQ1. The service station Q calculates R1 of the true random number through an asymmetric key pointer function fkp to obtain a key position pointer kp1. And the service station Q takes out the service station private key SKQ1 from the service station private key pool in the service station key card according to the key position pointer kp1. And the service station Q decrypts the { KR1} PKQ1 by using the SKQ1 to obtain KR1. And the service station Q decrypts the { Req | | X } KR1 by using the KR1 obtained by decryption to obtain the Req and the X.
The service station Q generates KR2 of a true random number, and the KR2 is used for symmetrically encrypting Req | X to obtain { Req | X } KR2. The service station Q removes the public key PKB of the client B from the client public key pool according to the IDB contained in the Req. The service station Q encrypts KR2 by using PKB to obtain { KR2} PKB.
The service station Q combines the { Req | | X } KR2 and the { KR2} PKB to obtain { Req | | | X } KR2| | { KR2} PKB. The service station Q sends { Req | | | X } KR2| | { KR2} PKB to client B.
And step 3: client B replies to the request
And the client B receives the identity authentication request { Req | | X } KR2| | { KR2} PKB forwarded by the service station Q and analyzes the identity authentication request to obtain { Req | | X } KR2 and { KR2} PKB. And the client B decrypts the { KR2} PKB by using the private key SKB of the client B to obtain KR2. And the client B decrypts the { Req | | X } KR2 by using KR2 to obtain Req and X.
Client B generates a Y of true random numbers. The client B signs the Req Y X by using a private key SKB of the client B to obtain S1. The client B generates a true random number KR3, and symmetrically encrypts Req Y X S1 by using the KR3 to obtain { Req Y X S1} KR3. And the client B generates a true random number R2 again, and calculates the true random number R2 through an asymmetric key pointer function fkp to obtain a key position pointer kp2. And the client B takes out the service station public key PKQ2 from the service station public key pool in the key card of the client B according to the key position pointer. And the client B encrypts KR3 by using PKQ2 to obtain { KR3} PKQ2.
The client B combines R2, { Req Y X S1} KR3 and { KR3} PKQ2 to obtain R2 { Req Y X S1} KR3} PKQ2. The client B sends a request reply R2| { Req | | Y | | | X | | S1} KR3| { KR3} PKQ2 to the quantum communication service station Q.
And 4, step 4: the quantum communication service station Q forwards the request reply to the client A
The service station Q replies R2, { Req Y X S1} KR3} PKQ2 according to the received request sent by the client B, and the R2, { Req Y X S1} KR3, and { KR3} PKQ2 are obtained through analysis. The service station Q calculates R2 of the true random number by the asymmetric key pointer function fkp to obtain the key position pointer kp2. And the service station Q takes out the service station private key SKQ2 from the service station private key pool in the service station key card according to the key position pointer kp2. And the service station Q decrypts the { KR3} PKQ2 by using the SKQ2 to obtain KR3. The service station Q decrypts the { Req | | Y | | | X | | | S1} KR3 by using the KR3 obtained by decryption to obtain { Req | | Y | | X | | S1}.
The service station Q obtains a public key PKB of the client B, and verifies the signature S1 of Req | | | Y | | X by using the public key PKB. If the verification is passed, the next step is carried out, otherwise, the identity authentication is failed. The server station Q generates a true random number R3 and computes the true random number R3 by an asymmetric key pointer function fkp to obtain a key position pointer kp3. And the service station Q takes out the service station private key SKQ3 from the service station private key pool in the service station key card according to the key position pointer kp3. The service station Q signs Req Y X by using SKQ3 to obtain S2.
The service station Q generates KR4 of a true random number, and the KR4 is used for symmetrically encrypting Req Y X S2R 3 to obtain { Req Y X S2R 3} KR4. The service station Q fetches the public key PKA of the client a from the client public key pool according to the IDA contained in the Req. The service station Q encrypts KR4 by using PKA to obtain { KR4} PKA.
The service station Q combines { Req Y X S2R 3} KR4 and { KR4} PKA to obtain { Req Y X S2R 3} KR4 { KR4} PKA. The service station Q sends { Req Y X R3} KR4 { KR4} PKA to the client A.
And 5: client A authenticates client B and replies
The client A receives the identity authentication request forwarded by the service station Q to reply to the { Req Y X S2R 3} KR4 { KR4} PKA, and analyzes to obtain { Req Y X S2R 3} KR4 and { KR4} PKA. And the client A decrypts the { KR4} PKA by using the private key SKA of the client A to obtain KR4. The client A decrypts the { Req Y X S2R 3} KR4 by using KR4 to obtain Req Y X S2R 3.
The client A calculates R3 of the true random number through an asymmetric key pointer function fkp to obtain a key position pointer kp3. The client a takes out the service station public key PKQ3 from the service station public key pool in the client a key fob according to the key position pointer kp3. The signature S2 of Req | | | Y | | | X is verified with the public key PKQ3. If the verification is passed, the next step is carried out, otherwise, the identity authentication is failed.
The client A signs Req | | | X | | | Y by using a private key SKA of the client A to obtain S3. The client A generates a true random number KR5, and symmetrically encrypts Req X Y S3 by using the KR5 to obtain { Req X Y S3} KR5. The client A generates a true random number R4 again, and calculates the true random number R4 through an asymmetric key pointer function fkp to obtain a key position pointer kp4. The client a takes out the service station public key PKQ4 from the service station public key pool in the client a key fob according to the key position pointer kp4. The client A encrypts KR5 by using PKQ4 to obtain { KR5} PKQ4.
The client A combines R4, { Req | | X | | Y | | | | S3} KR5 and { KR5} PKQ4 to obtain R4| { Req | | X | | Y | | S3} KR5| | { KR5} PKQ4. The client A sends the reply R4| { Req | | | X | | | Y | | S3} KR5| | { KR5} PKQ4 to the quantum communication service station Q.
Step 6: the quantum communication service station Q forwards the reply to the client B
The service station Q resolves the returned R4| { Req | | | X | | Y | | S3} KR5| { KR5} PKQ4 sent by the client A according to the received reply to obtain the R4, { Req | | X | Y | | S3} KR5 and { KR5} PKQ4. The server station Q calculates R4 of the true random number by an asymmetric key pointer function fkp to obtain a key position pointer kp4. And the service station Q takes out the service station private key SKQ4 from the service station private key pool in the service station key card according to the key position pointer kp4. And the service station Q decrypts the { KR5} PKQ4 by using the SKQ4 to obtain KR5. The service station Q decrypts the { Req | | X | | Y | | | S3} KR5 by using the KR5 obtained by decryption to obtain { Req | | X | | Y | | S3}.
The service station Q obtains a public key PKA of the client A, and verifies the signature S3 of Req | | | X | | Y by using the public key PKA. If the verification is passed, the next step is carried out, otherwise, the identity authentication is failed. The service station Q generates a true random number R5, and calculates the true random number R5 by the asymmetric key pointer function fkp to obtain the key position pointer kp5. And the service station Q takes out the service station private key SKQ5 from the service station private key pool in the service station key card according to the key position pointer kp5. The service station Q signs the Req X Y by using SKQ5 to obtain S4.
The service station Q generates a true random number KR6, and the KR6 is used for symmetrically encrypting Req X Y S4R 5 to obtain { Req X Y S4R 5} KR6. The service station Q removes the public key PKB of client B from the pool of client public keys. The service station Q encrypts KR6 by using PKB to obtain { KR6} PKB.
The service station Q combines { Req X Y S4R 5} KR6 and { KR6} PKB to obtain { Req X Y S4R 5} KR6} PKB. The service station Q transmits { Req | | | X | | Y | | | | S4| | R5} KR6| { KR6} PKB to the client B.
And 7: client B authenticates client A
The client B receives the identity authentication request forwarded by the service station Q to reply to the { Req X Y S4R 5} KR6 { KR6} PKB, and analyzes the response to obtain { Req X Y S4R 5} KR6 and { KR6} PKB. And the client B decrypts the { KR6} PKB by using the private key SKB of the client B to obtain KR6. The client B decrypts the { Req X Y S4R 5} KR6 by using the KR6 to obtain the Req X Y S4R 5.
And the client B calculates the R5 of the true random number through an asymmetric key pointer function fkp to obtain a key position pointer kp5. The client B takes the service station public key PKQ5 from the pool of service station public keys in the client B key fob according to the key position pointer kp5. The signature S4 of Req | | | X | | | Y is verified with the public key PKQ5. If the verification is passed, the identity authentication is successfully carried out, otherwise, the identity authentication fails.
The authentication method of the quantum communication service station comprises the following steps of reasonably deducing technical characteristics, and realizing the beneficial effect of solving the technical problems in the background technology.
In one embodiment, an active party and a passive party are respectively positioned in different service station systems, for convenience of description, the active party is assumed to be a client A, the passive party is assumed to be a client B, the two service stations are respectively a service station QA and a service station QB, and communication and authentication processes of the client A and the service station QA are consistent with those in the technical scheme and are not expressed; the communication and authentication process between the client B and the service station QB are the same as those in the above technical solution and therefore will not be described, and the following description will focus on the communication process between the service station QA and the service station QB.
Taking the example that after receiving the request of the client a, the service station QA forwards the request to the service station QB:
the QA resolves the request R1| | { Req | | | X } KR1| | { KR1} PKQA1 sent by the client A according to the received request to obtain R1, { Req | | | X } KR1 and { KR1} PKQA1. The service station QA calculates R1 of the true random number by the asymmetric key pointer function fkp to obtain the key position pointer kp1. And the QA takes out a QA private key SKQA1 of the service station from a private key pool of the service station in the QA key card of the service station according to the key position pointer kp1. And the QA decrypts the { KR1} PKQA1 by using the SKQA1 to obtain the KR1. The service station QA decrypts the { Req | | | X } KR1 by using the KR1 obtained by decryption to obtain Req and X.
The QA generates a message authentication code for Req and X by using the QKD negotiated key, symmetrically encrypts the message authentication code and Req | | X and then sends the encrypted message authentication code and Req | | X to the QB. In the present application, the message authentication algorithm for generating the message authentication code is preferably an HMAC algorithm.
Taking as an example that the service station QB receives the request reply of the client B and forwards the request reply to the service station QA:
the service station QB replies to R2| { Req | | Y | | X | | S1} KR3| { KR3} PKQB1 according to the received request sent by the client B to obtain R2, { Req | | Y | | X | | S1} KR3 and { KR3} PKQB1 through analysis. And the service station QB calculates R2 of the true random number through an asymmetric key pointer function fkp to obtain a key position pointer kp2. And the service station QB takes out the service station QB private key SKQB1 from a service station private key pool in the service station QB key card according to the key position pointer kp2. And the QB decrypts the { KR3} PKQB1 by using the SKQB1 to obtain KR3. The service station QB decrypts the { Req Y X S1} KR3 to obtain { Req Y X S1} by using the KR3 obtained by decryption.
The service station QB obtains a public key PKB of the client B, and verifies the signature S1 of Req | | Y | | X by using the public key PKB. If the verification is passed, the next step is carried out, otherwise, the identity authentication is failed.
The QB generates a message authentication code for Req Y X by using a key negotiated by the QKD, symmetrically encrypts the message authentication code and the Req Y X and then transmits the encrypted message authentication code and the encrypted message authentication code to the QA.
Taking as an example that the service station QA receives the reply signature after the client a verifies the signature of the client B, and forwards the reply signature to the quantum communication service station QB:
the QA resolves the response R4| { Req | | | X | | Y | | S3} KR5| { KR5} PKQA3 sent by the client A according to the received response to obtain R4, { Req | | X | | Y | | S3} KR5 and { KR5} PKQA3. The service station QA calculates R4 of the true random number by the asymmetric key pointer function fkp to obtain the key position pointer kp4. And the QA takes out a private key SKQA3 of the QA from a private key pool of the QA in the QA key card according to the key position pointer kp4. And the QA decrypts the { KR5} PKQA3 by using the SKQ4 to obtain KR5. The QA decrypts the { Req | | | X | | | Y | | | | S3} KR5 by using the KR5 obtained by decryption to obtain { Req | | X | | Y | | | S3}.
The service station Q obtains a public key PKA of the client A, and verifies the signature S3 of Req | | | X | | Y by using the public key PKA. If the verification is passed, the next step is carried out, otherwise, the identity authentication is failed.
The QA generates a message authentication code for Req X Y by using a key negotiated by the QKD, symmetrically encrypts the message authentication code and the Req X Y and then sends the encrypted message authentication code and the encrypted message authentication code to the QB.
In one embodiment, the first signature is generated using a passive private key; the second signature and the fourth signature are generated by using a private key of the service station side; the third signature is generated using the master private key.
The design fully utilizes the advantage that a public key encryption system in asymmetric encryption can also easily realize digital signature, and improves the efficiency while ensuring the safety of the identity authentication process.
In one embodiment, an active party key card is arranged on an active party, and a service station public key, an active party public key and an active party private key are stored in the active party key card; a passive party key card is arranged on the passive party, and a service station public key, a passive party public key and a passive party private key are stored in the mobile party key card; the service station is provided with a service station key card, and a service station private key, an active party public key and a passive party public key are stored in the service station key card.
The key fob issuer in the present application is the owner of the key fob, typically the management of a group, such as the management of a business or institution; the key fob is issued as a member of the key fob's master management, typically a staff of all levels of a business or institution. The client of the active or passive party first applies for an account opening to the supervisor of the key fob. When the client of the active or passive side is authorized to register, the key fob (having a unique key fob ID) will be obtained. The key fob stores customer registration information. The public key pools in the client key fobs of the active or passive parties under the same service station are all downloaded from the same key management server, and the public key pools stored in the client key fobs of each active or passive party issued by the same key management server are completely consistent. Preferably, the key pool size stored in the key fob can be 1G, 2G, 4G, 8G, 16G, 32G, 64G, 128G, 256G, 512G, 1024G, 2048G, 4096G, and so forth.
Key fobs have evolved from smart card technology as identity authentication and encryption/decryption products that incorporate true random number generators (preferably quantum random number generators), cryptography, and hardware security isolation techniques. The embedded chip and operating system of the key fob may provide secure storage of keys and cryptographic algorithms, among other functions. Due to its independent data processing capabilities and good security, the key fob becomes a secure carrier for private keys and key pools. Each key fob is protected by a hardware PIN code, the PIN code and hardware constituting two essential factors for the user to use the key fob. So-called "two-factor authentication," a user can log into the system only by simultaneously acquiring a key fob and a user PIN code that store relevant authentication information. Even if the PIN code of the user is leaked, the identity of the legal user cannot be counterfeited as long as the key fob held by the user is not stolen; if the key card of the user is lost, the finder can not imitate the identity of the legal user because the user PIN code is not known.
In the present application, key fobs are divided into a service station key fob and a client key fob, and the client key fob includes an active side key fob and a passive side key fob. As shown in fig. 1, the key zone of the service station key fob mainly stores a client public key pool and a service station private key pool; as shown in fig. 2, the key region of the client key fob primarily stores a pool of service station public keys and a pair of public and private keys. The key fobs are each issued by a key management server.
The key management server selects an algorithm that supports both encryption and decryption and signing before issuing the key fob. The key management server generates numbers which correspond to the number of the clients and conform to the algorithm specification as a private key and a public key. The key management server generates a corresponding number of IDs, selects a corresponding number of public and private key pairs, combines the public keys with the IDs to obtain ID/public keys, and writes the ID/public keys into the same file to form a public key pool file, namely the client public key pool. Meanwhile, the key management server writes the corresponding private key into the file in the same way to form a private key pool file, namely a client private key pool. The ID of each private key in the client private key pool is the same as the ID of the corresponding public key in the client public key pool. The key management server again generates a large number of numbers that conform to the algorithm specification as private and public keys. And respectively writing the public and private keys into the two files by the key management server to form a service station public key pool and a service station private key pool. And the public key in the service station public key pool corresponds to the private key at the same position in the service station private key pool. And the key management server defines the issued first key fob as a service station key fob and writes a service station private key pool and a client public key pool and related algorithm parameters into a key zone of the key fob. The key fobs subsequently issued by the key management server are client key fobs. The random number of the key management server selects an unassigned ID to be allocated to the key fob, a public and private key with the same ID is taken from a client public key pool and a client private key pool and written into a key area of the key fob together with a service station public key pool, and related parameters are written into the key fob.
In one embodiment, a computer device is provided, for example, the computer device may be a following active side device, a following passive side device or a service station device, and the internal structure diagram thereof may be as shown in fig. Y. The computer device includes a processor, a memory, a network interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a XXX method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on a shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
Those skilled in the art will appreciate that the architecture shown in fig. 3 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In another embodiment of the present application, a master device is provided, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the quantum communication service station authentication method in the foregoing embodiments when executing the computer program.
In another embodiment of the present application, a passive device is provided, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the quantum communication service station authentication method in the foregoing embodiments when executing the computer program.
In another embodiment of the present application, a service station device is provided, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the quantum communication service station authentication method in the foregoing embodiments when executing the computer program.
For specific limitations of the active device, the passive device, and the service station device and system, reference may be made to the above limitations of the quantum communication service station authentication method, which is not described herein again. The various modules in the above-described master device may be implemented in whole or in part by software, hardware, and combinations thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In another embodiment of the present application, an authentication system for a quantum communication service station based on an asymmetric key pool is provided, which includes an active party, a passive party, a service station and a communication network; the active side is configured with an active side key card, and a service station public key, an active side public key and an active side private key are stored in the active side key card; the passive side is provided with a passive side key card, and a service station public key, a passive side public key and a passive side private key are stored in the mobile side key card; the service station is configured with a service station key card, and a service station private key, an active side public key and a passive side public key are stored in the service station key card;
the steps of the authentication method of the quantum communication service station in the above embodiments are realized by the active party, the passive party and the service station through a communication network.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, and these are all within the scope of protection of the present application. Therefore, the protection scope of the present patent application shall be subject to the appended claims.

Claims (9)

1. The quantum communication service station identity authentication method based on the asymmetric key pool is implemented on an active side, and is characterized by comprising the following steps:
sending a first authentication parameter X encrypted by a first key KR1 and the first key KR1 encrypted by a public key of a service station to the service station; the first authentication parameter X is used for being forwarded to the passive party through the service station and then being provided for the passive party to generate a first signature;
acquiring a fourth key KR4 encrypted by using a public key of an active party from a service station, a first authentication parameter X encrypted by using the fourth key KR4, a second authentication parameter Y provided by a passive party and a second signature; the second signature is generated by using a first authentication parameter X and a second authentication parameter Y after the service station authenticates the first signature from the passive party;
after the second signature is decrypted and verified, a third signature is generated by utilizing the first authentication parameter X and the second authentication parameter Y;
sending a fifth key KR5 encrypted by using a public key of the service station and a first authentication parameter X, a second authentication parameter Y and the third signature encrypted by using the fifth key KR5 to the service station; the third signature is used for generating a fourth signature for the passive party to authenticate after the service station authenticates;
the active side is configured with an active side key card, and a service station public key, an active side public key and an active side private key are stored in the active side key card; the passive side is provided with a passive side key card, and a service station public key, a passive side public key and a passive side private key are stored in the mobile side key card; the service station is configured with a service station key card, and a service station private key, an active party public key and a passive party public key are stored in the service station key card.
2. The quantum communication service station identity authentication method based on the asymmetric key pool is implemented on a passive side, and is characterized by comprising the following steps:
acquiring a first authentication parameter X provided by an active party and encrypted by a second key KR2 from a service station, and a second key KR2 encrypted by a passive party public key, and generating a first signature by using the first authentication parameter X and a second authentication parameter Y generated by the own party;
sending a third secret key KR3 encrypted by a public key of the service station and a first authentication parameter X, a second authentication parameter Y and a first signature encrypted by the third secret key KR3 to the service station; the first signature is used for generating a second signature for authentication of the active party after the service station authenticates;
acquiring a sixth secret key KR6 encrypted by using the public key of the passive party from the service station, a first authentication parameter X encrypted by using the sixth secret key KR6, a second authentication parameter Y and a fourth signature; the fourth signature is generated by the service station by using a first authentication parameter X and a second authentication parameter Y after authenticating a third signature from the master, and the third signature is generated by the master after authenticating the second signature;
decrypting and verifying the fourth signature;
the active side is configured with an active side key card, and a service station public key, an active side public key and an active side private key are stored in the active side key card; the passive side is provided with a passive side key card, and a service station public key, a passive side public key and a passive side private key are stored in the mobile side key card; the service station is configured with a service station key card, and a service station private key, an active party public key and a passive party public key are stored in the service station key card.
3. The quantum communication service station identity authentication method based on the asymmetric key pool is implemented in a service station, and is characterized by comprising the following steps:
acquiring a first authentication parameter X encrypted by using a first key KR1 from an active party and the first key KR1 encrypted by using a public key of a service station, decrypting and sending the first authentication parameter X encrypted by using a second key KR2 and the second key KR2 encrypted by using a public key of a passive party to the passive party;
acquiring a third key KR3 encrypted by using a service station public key from a passive party, a first authentication parameter X encrypted by using the third key KR3, a second authentication parameter Y and a first signature provided by the passive party, decrypting and verifying the first signature successfully, generating a second signature by using the first authentication parameter X and the second authentication parameter Y, and sending a fourth key KR4 encrypted by using an active party public key and the first authentication parameter X, the second authentication parameter Y and the second signature encrypted by using the fourth key KR4 to the active party;
acquiring a fifth key KR5 from an active party and encrypted by using a service station public key, a first authentication parameter X and a second authentication parameter Y encrypted by using the fifth key KR5, and a third signature provided by the active party, decrypting and verifying the third signature successfully, generating a fourth signature for verification by using the first authentication parameter X and the second authentication parameter Y, and sending a sixth key KR6 encrypted by using a passive party public key and the first authentication parameter X, the second authentication parameter Y and the fourth signature encrypted by using the sixth key KR6 to the passive party;
the active side is configured with an active side key card, and a service station public key, an active side public key and an active side private key are stored in the active side key card; the passive side is provided with a passive side key card, and a service station public key, a passive side public key and a passive side private key are stored in the mobile side key card; the service station is configured with a service station key card, and a service station private key, an active party public key and a passive party public key are stored in the service station key card.
4. The quantum communication service station identity authentication method based on the asymmetric key pool is characterized by comprising the following steps:
the active side sends first information to a service station, wherein the first information comprises a first authentication parameter X encrypted by a first secret key KR1 and the first secret key KR1 encrypted by a public key of the service station;
the service station acquires and decrypts the first information packet and then sends second information to the passive party, wherein the second information comprises a first authentication parameter X encrypted by using a second key KR2 and a second key KR2 encrypted by using a public key of the passive party;
the passive party acquires and decrypts the second information, generates a second authentication parameter Y, generates a first signature by using the first authentication parameter X and the second authentication parameter Y, and sends third information to the service station, wherein the third information comprises a third key KR3 encrypted by using a public key of the service station and a first authentication parameter X, a second authentication parameter Y and a first signature encrypted by using the third key KR3;
after the service station acquires and decrypts the third information and verifies that the first signature is successful, a second signature is generated by using a first authentication parameter X and a second authentication parameter Y, and fourth information is sent to the active party, wherein the fourth information comprises a fourth secret key KR4 encrypted by using a public key of the active party and the first authentication parameter X, the second authentication parameter Y and the second signature encrypted by using the fourth secret key KR4;
after the master party acquires and decrypts the fourth information and verifies that the second signature is successful, a third signature is generated by using a first authentication parameter X and a second authentication parameter Y; sending fifth information to the service station, wherein the fifth information comprises a fifth key KR5 encrypted by using a service station public key and a first authentication parameter X, a second authentication parameter Y and the third signature encrypted by using the fifth key KR5;
after the service station acquires and decrypts the fifth information and verifies the third signature successfully, a fourth signature for verification of the passive party is generated by using a first authentication parameter X and a second authentication parameter Y, and sixth information is sent to the passive party, wherein the sixth information comprises a sixth secret key KR6 encrypted by using a public key of the passive party and the first authentication parameter X, the second authentication parameter Y and the fourth signature encrypted by using the sixth secret key KR6;
the passive party acquires and decrypts the sixth information and verifies the fourth signature;
the active party is configured with an active party key card, and a service station public key, an active party public key and an active party private key are stored in the active party key card; the passive side is provided with a passive side key card, and a service station public key, a passive side public key and a passive side private key are stored in the mobile side key card; the service station is configured with a service station key card, and a service station private key, an active party public key and a passive party public key are stored in the service station key card.
5. The quantum communication service station identity authentication method based on the asymmetric key pool as claimed in any one of claims 1 to 4, wherein the first signature is generated by a passive party private key; the second signature and the fourth signature are generated by using a private key of a service station side; the third signature is generated using an active private key.
6. A master device comprising a memory and a processor, the memory storing a computer program, wherein the processor when executing the computer program performs the steps of the quantum communication service station authentication method as claimed in claim 1.
7. A passive-side device comprising a memory and a processor, the memory storing a computer program, wherein the processor when executing the computer program implements the steps of the quantum communication service station authentication method of claim 2.
8. A service station apparatus comprising a memory and a processor, the memory storing a computer program, wherein the processor when executing the computer program implements the steps of the quantum communication service station authentication method of claim 3.
9. The quantum communication service station identity authentication system based on the asymmetric key pool is characterized by comprising an active party, a passive party, a service station and a communication network; the active side is configured with an active side key card, and a service station public key, an active side public key and an active side private key are stored in the active side key card; the passive side is provided with a passive side key card, and a service station public key, a passive side public key and a passive side private key are stored in the mobile side key card; the service station is configured with a service station key card, and a service station private key, an active party public key and a passive party public key are stored in the service station key card;
the steps of the quantum communication service station authentication method in claim 4 are implemented by the active party, the passive party and the service station through the communication network.
CN201910402444.0A 2019-05-15 2019-05-15 Quantum communication service station identity authentication method and system based on asymmetric key pool Active CN110176989B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910402444.0A CN110176989B (en) 2019-05-15 2019-05-15 Quantum communication service station identity authentication method and system based on asymmetric key pool

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910402444.0A CN110176989B (en) 2019-05-15 2019-05-15 Quantum communication service station identity authentication method and system based on asymmetric key pool

Publications (2)

Publication Number Publication Date
CN110176989A CN110176989A (en) 2019-08-27
CN110176989B true CN110176989B (en) 2023-03-14

Family

ID=67691057

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910402444.0A Active CN110176989B (en) 2019-05-15 2019-05-15 Quantum communication service station identity authentication method and system based on asymmetric key pool

Country Status (1)

Country Link
CN (1) CN110176989B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110493010B (en) * 2019-09-24 2022-03-15 南京邮电大学 Mail receiving and sending method of mail system based on quantum digital signature
CN113452687B (en) * 2021-06-24 2022-12-09 中电信量子科技有限公司 Method and system for encrypting sent mail based on quantum security key
CN117643010A (en) * 2021-11-02 2024-03-01 华为技术有限公司 Certificateless authentication and secure communication

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450623A (en) * 2018-10-16 2019-03-08 如般量子科技有限公司 Anti- quantum calculation cryptographic key negotiation method based on unsymmetrical key pond
CN109660338B (en) * 2018-11-19 2021-07-27 如般量子科技有限公司 Anti-quantum computation digital signature method and system based on symmetric key pool

Also Published As

Publication number Publication date
CN110176989A (en) 2019-08-27

Similar Documents

Publication Publication Date Title
CN111475796B (en) Anti-quantum computation identity authentication method and system based on secret sharing and quantum communication service station
CN109728906B (en) Anti-quantum-computation asymmetric encryption method and system based on asymmetric key pool
CN110519046B (en) Quantum communication service station key negotiation method and system based on one-time asymmetric key pair and QKD
CN109064324A (en) Method of commerce, electronic device and readable storage medium storing program for executing based on alliance's chain
CN110380859B (en) Quantum communication service station identity authentication method and system based on asymmetric key pool pair and DH protocol
CN110138548B (en) Quantum communication service station key negotiation method and system based on asymmetric key pool pair and DH protocol
CN109921905B (en) Anti-quantum computation key negotiation method and system based on private key pool
CN109936456B (en) Anti-quantum computation digital signature method and system based on private key pool
CN109787758B (en) Anti-quantum computation MQV key agreement method and system based on private key pool and Elgamal
CN110505055B (en) External network access identity authentication method and system based on asymmetric key pool pair and key fob
CN110830245B (en) Anti-quantum-computation distributed Internet of vehicles method and system based on identity secret sharing and implicit certificate
CN109918888B (en) Anti-quantum certificate issuing method and issuing system based on public key pool
CN112351037B (en) Information processing method and device for secure communication
CN109951274B (en) Anti-quantum computing point-to-point message transmission method and system based on private key pool
CN110176989B (en) Quantum communication service station identity authentication method and system based on asymmetric key pool
CN105553654A (en) Key information query processing method and device and key information management system
CN109728905B (en) Anti-quantum computation MQV key negotiation method and system based on asymmetric key pool
CN109905229B (en) Anti-quantum computing Elgamal encryption and decryption method and system based on group asymmetric key pool
CN110098925B (en) Quantum communication service station key negotiation method and system based on asymmetric key pool pair and random number
CN110365472B (en) Quantum communication service station digital signature method and system based on asymmetric key pool pair
CN110519222B (en) External network access identity authentication method and system based on disposable asymmetric key pair and key fob
US9641333B2 (en) Authentication methods, systems, devices, servers and computer program products, using a pairing-based cryptographic approach
CN110266483B (en) Quantum communication service station key negotiation method, system and device based on asymmetric key pool pair and QKD
CN110677253B (en) Anti-quantum computation RFID authentication method and system based on asymmetric key pool and ECC
CN110176997B (en) Quantum communication service station AKA key negotiation method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant