CN110266483B - Quantum communication service station key negotiation method, system and device based on asymmetric key pool pair and QKD - Google Patents

Quantum communication service station key negotiation method, system and device based on asymmetric key pool pair and QKD Download PDF

Info

Publication number
CN110266483B
CN110266483B CN201910554864.0A CN201910554864A CN110266483B CN 110266483 B CN110266483 B CN 110266483B CN 201910554864 A CN201910554864 A CN 201910554864A CN 110266483 B CN110266483 B CN 110266483B
Authority
CN
China
Prior art keywords
key
service station
message
client
parameter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910554864.0A
Other languages
Chinese (zh)
Other versions
CN110266483A (en
Inventor
富尧
钟一民
杨羽成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ruban Quantum Technology Co Ltd
Original Assignee
Ruban Quantum Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ruban Quantum Technology Co Ltd filed Critical Ruban Quantum Technology Co Ltd
Priority to CN201910554864.0A priority Critical patent/CN110266483B/en
Publication of CN110266483A publication Critical patent/CN110266483A/en
Application granted granted Critical
Publication of CN110266483B publication Critical patent/CN110266483B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/70Reducing energy consumption in communication networks in wireless communication networks

Abstract

The invention discloses a quantum communication service station key negotiation method, a system and equipment based on an asymmetric key pool pair and QKD, wherein a participant comprises a client A, a service station QB and a service station QA, wherein the client A is a sub-equipment of the service station QA, data in an authentication process is encrypted, a key is obtained by an asymmetric key negotiation algorithm, the key obtained by the asymmetric key negotiation algorithm can only be decrypted by both parties of the asymmetric key negotiation algorithm, and any other person cannot decrypt the key. And the client and the quantum communication service stations other than the quantum communication service station affiliated to the own party in the invention can respectively acquire the session key through key negotiation. Therefore, for the client, only a key pool between the client and the quantum communication service station affiliated to the client is maintained, and the key pool between the client and other large number of quantum communication service stations is not required to be preset, so that the key management flow is greatly simplified.

Description

Quantum communication service station key negotiation method, system and device based on asymmetric key pool pair and QKD
Technical Field
The application belongs to the technical field of secure communication, and particularly relates to a quantum communication service station key negotiation method, system and equipment based on an asymmetric key pool pair and QKD. And the identity authentication between the client side under the quantum communication service station and the quantum communication service station is realized.
Background
The rapidly developed Internet brings great convenience to the life and work of people, and people can sit at home to send and receive e-mails, make calls, conduct online shopping, bank transfer and other activities through the Internet. At the same time, network information security is becoming a potential huge problem. Generally, network information faces the following security risks: network information is stolen, information is tampered with, attacker counterfeits information, maliciously destroyed, etc.
Identity authentication is one of the means for protecting network information of people. Identity authentication is also called "identity verification" or "identity authentication" and refers to the process of confirming the identity of an operator in a computer and a computer network system, so as to determine whether the user has access and use rights to a certain resource, further enable the access policies of the computer and the network system to be reliably and effectively executed, prevent an attacker from impersonating a legal user to obtain the access rights of the resource, ensure the security of the system and data, and authorize the legal interests of the visitor.
While the current guarantee of successful authentication mainly depends on cryptography, in the field of cryptography today there are mainly two types of cryptosystems, namely symmetric key cryptosystems, i.e. the encryption key and decryption key use the same. The other is a public key cryptosystem, i.e. the encryption key and the decryption key are different, one of which can be disclosed. Most of the identity authentication using algorithms currently mainly rely on public key cryptography.
The encryption key (public key) and the decryption key (private key) employed by the public key encryption system are different. Since the encryption key is public, distribution and management of keys is simple, and the public key encryption system can easily implement digital signatures.
Since the advent of public key encryption, scholars have proposed many public key encryption methods, the security of which is based on complex mathematical problems. Classified according to the mathematical problem on which it is based, there are three types of systems currently considered safe and effective: large integer factorization systems (typically RSA), discrete logarithmic systems (typically DSA), and elliptic discrete logarithmic systems (ECC).
However, with the development of a quantum computer, the classical asymmetric key encryption algorithm is no longer safe, and the quantum computer can obtain a private key through public key calculation no matter encryption and decryption or a key exchange method, so that the currently commonly used asymmetric key becomes incomparable in the quantum age. The current quantum key distribution device QKD can ensure that the negotiated key cannot be obtained. QKD is mainly used for quantum trunks, however, the client device to the quantum communication service station is still a classical network, and thus it is difficult to secure the identity authentication process by means of asymmetric algorithms.
Because of the potential threat of the quantum computer, the existing scheme for carrying out identity authentication based on the symmetric key pool utilizes the symmetric key between the quantum communication service station and the quantum key fob to carry out identity authentication, and public key cryptography is abandoned to avoid the identity authentication system being cracked by the quantum computer.
Problems of the prior art:
1. the existing scheme for identity authentication based on the symmetric key pool uses the symmetric key pool between the quantum communication service station and the quantum key card, has huge capacity and brings pressure to the key storage of the quantum communication service station;
2. the existing scheme for identity authentication based on a symmetric key pool has the problem that the key is encrypted and stored in a common storage medium such as a hard disk by a quantum communication service station but cannot be stored in a key fob of the quantum communication service station because of the huge key capacity of the symmetric key pool;
3. the prior scheme for carrying out identity authentication based on the symmetric key pool causes trouble to key backup due to huge key capacity of the symmetric key pool.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a method, system, and apparatus for quantum communication service station key agreement based on an asymmetric key pool pair and QKD.
The application discloses a quantum communication service station key negotiation method based on an asymmetric key pool pair and QKD, wherein a participant comprises a client A, a service station QB and a service station QA, the client A is sub-equipment of the service station QA, and the quantum communication service station key negotiation method is implemented at the client A and comprises the following steps:
generating a parameter X according to the random number X;
transmitting a message M1 to the service station QB, the message M1 comprising the device parameter IDA of the client a and encrypting the parameter X; the IDA is used for the service station QB to find the service station QA and obtain a parameter KS through key negotiation with the service station QA, the message M1 is used for the service station QA to obtain a parameter X, the parameter X is used for the service station QA to calculate and obtain a key KAQ according to a random number Y generated by a self party, and the random number Y is used for the service station QA to generate a parameter Y;
receiving a message M4 from a service station QB, the message M4 comprising a ticket TA, the ticket TA being generated by the service station QA, the ticket TA comprising the parameter Y and an authentication message MT encrypted with a key KAQ generated by the service station QA, the authentication message MT comprising a parameter KS;
generating a key KAQ according to a parameter Y in the received ticket TA and a random number X of a self party, decrypting by using the key KAQ to obtain an authentication message MT, verifying the authentication message MT, confirming that a parameter KS is a negotiation key KS between a service station QB after passing, generating a message authentication code MACAQ according to the parameter KS, and generating an encryption signature SIGNA according to the parameter X and the parameter Y;
Transmitting a message M5 to a service station QB, said message M5 comprising said message authentication code MACAQ and said encrypted signature; the message authentication code MACAQ is used for the service station QB to verify that the passing confirmation parameter KS is the negotiation key KS with the client a and generate the message authentication code MACQB; the encrypted signature sign is used for the service station QA to finish the authentication of the client a, and the message authentication code MACQB is used for the service station QA to finish the authentication of the service station QB.
The application discloses a quantum communication service station key agreement method based on an asymmetric key pool pair and QKD, wherein a participant comprises a client A, a service station QB and a service station QA, the client A is a sub-device of the service station QA, and the quantum communication service station key agreement method is implemented in the service station QB and comprises the following steps:
receiving a message M1 from a client a, the message M1 comprising a device parameter IDA and an encrypted parameter X of the client a; the parameter X is generated by the client A according to the random number X;
finding a service station QA according to the IDA, and negotiating with the service station QA through QKD to obtain a key KQ with a key parameter KID, wherein the key KQ comprises a parameter Kreq and a parameter KS;
transmitting a message M2 to the service station QA, the message M2 including a KID, parameter Kreq encrypted message M1; the KID is used for the service station QA to obtain a parameter Kreq and a parameter KS, the message M1 is used for the service station QA to obtain a parameter X, the parameter X is used for the service station QA to calculate and obtain a secret key KAQ according to a random number Y generated by a self party, and the random number Y is used for the service station QA to generate a parameter Y;
Receiving a message M3 from a service station QA, said message M3 comprising an encrypted ticket TA and an encrypted session ID; the ticket TA is generated by a service station QA, the ticket TA comprises a parameter Y generated by the service station QA and an authentication message MT encrypted by a key KAQ generated by the service station QA, the session ID is generated by the service station QA, and the authentication message MT comprises a parameter KS;
verifying the received session ID, and after the verification is passed, sending a message M4 to the client A, wherein the message M4 comprises a bill TA; the parameter Y in the ticket TA is used for the client A to combine with the own random number x to generate a secret key KAQ, and the authentication message MT is used for the client A to verify that the passing authentication message passes and then confirms that the parameter KS is a negotiation secret key KS with the service station QB;
receiving a message M5 from a client A, wherein the message M5 comprises a message authentication code MACAQ and an encryption signature SIGNA; the message authentication code MACAQ is generated by the client A according to the parameter KS, and the encrypted signature SIGNA is generated by the client A according to the parameter X and the parameter Y;
verifying the received message authentication code MACAQ, confirming that the parameter KS is a negotiation key KS between the client A after the verification is passed, and generating a message authentication code MACAQ;
Transmitting a message M6 to the service station QA, said message M6 comprising a cryptographic signature and a message authentication code MACQB; the encrypted signature sign is used for the service station QA to finish the authentication of the client a, and the message authentication code MACQB is used for the service station QA to finish the authentication of the service station QB.
The application discloses a quantum communication service station key agreement method based on an asymmetric key pool pair and QKD, wherein a participant comprises a client A, a service station QB and a service station QA, the client A is a sub-device of the service station QA, and the quantum communication service station key agreement method is implemented in the service station QA and comprises the following steps:
receiving a message M2 from a service station QB, the message M2 comprising a KID, parameter Kreq encrypted message M1; the KID is a key parameter carried by a key KQ obtained by a service station QB and a service station QA through QKD negotiation, the key KQ comprises the parameter Kreq and a parameter KS, the message M1 is generated by a client A, and the message M1 comprises a parameter X generated by the client A according to a random number X;
obtaining a parameter Kreq and a parameter KS according to the received KID, decrypting by using the parameter Kreq to obtain a message M1, obtaining a parameter X according to the message M1, calculating by using the parameter X and a random number Y generated by a host side to obtain a key KAQ, generating a parameter Y according to the random number Y, generating an authentication message MT and a session ID, and manufacturing a ticket TA, wherein the ticket TA comprises the parameter Y and the authentication message MT encrypted by using the key KAQ, and the authentication message MT comprises the parameter KS;
Transmitting a message M3 to the service station QB, the message M3 including an encrypted ticket TA and an encrypted session ID; the session ID is used for a service station QB to forward a bill TA to a client A after passing verification, a parameter Y in the bill TA is used for the client A to generate a key KAQ in combination with a random number x of a host side, and the authentication message MT is used for the client A to confirm that a parameter KS is a negotiation key KS between the client A and the service station QB after passing verification; the parameter KS is used for the client A to generate a message authentication code MACAQ, and the message authentication code MACAQ is used for the service station QB to verify that the parameter KS is a negotiation key KS between the client A after passing verification;
receiving a message M6 from a service station QB, said message M6 comprising a cryptographic signature and a message authentication code MACQB; the encryption signature SIGNA is generated by the client A according to the parameter X and the parameter Y; the message authentication code MACQB is generated by the service station QB;
and finishing authentication of the client A according to the encrypted signature SIGNA, and finishing authentication of the service station QB according to the message authentication code MACQB.
The application discloses a quantum communication service station key agreement method based on an asymmetric key pool pair and QKD, wherein a participant comprises a client A, a service station QB and a service station QA, the client A is a sub-device of the service station QA, and the quantum communication service station key agreement method comprises the following steps:
The client A generates a parameter X according to the random number X, and sends a message M1 to the service station QB, wherein the message M1 comprises a device parameter IDA of the client A and encrypts the parameter X;
the service station QB receives a message M1 from the client A, finds the service station QA according to the IDA, and obtains a key KQ with a key parameter KID through QKD negotiation with the service station QA, wherein the key KQ comprises a parameter Kreq and a parameter KS, and sends a message M2 to the service station QA, and the message M2 comprises the KID and the message M1 encrypted by the parameter Kreq;
the service station QA receives a message M2 from the service station QB, obtains a parameter Kreq and a parameter KS according to the received KID, obtains a message M1 after decryption by the parameter Kreq, obtains a parameter X according to the message M1, calculates by using the parameter X and a random number Y generated by a user side to obtain a key KAQ, generates a parameter Y according to the random number Y, generates an authentication message MT and a session ID, and makes a ticket TA, wherein the ticket TA comprises the parameter Y and the authentication message MT encrypted by the key KAQ, the authentication message MT comprises a parameter KS, and sends a message M3 to the service station QB, and the message M3 comprises the encrypted ticket TA and the encrypted session ID;
the service station QB receives a message M3 from the service station QA, verifies the received session ID, and sends a message M4 to the client A after the verification is passed, wherein the message M4 comprises a bill TA;
The client A receives a message M4 from a service station QB, generates a key KAQ according to a parameter Y in a received ticket TA and a random number X of a self party, decrypts the key KAQ to obtain an authentication message MT, verifies the authentication message MT to pass through, confirms that the parameter KS is a negotiation key KS between the authentication message MT and the service station QB, generates a message authentication code MACAQ according to the parameter KS, generates an encryption signature SIGNA according to the parameter X and the parameter Y, and sends a message M5 to the service station QB, wherein the message M5 comprises the message authentication code MACAQ and the encryption signature SIGNA;
the service station QB receives a message M5 from the client A, verifies the received message authentication code MACAQ, confirms that the parameter KS is a negotiation key KS with the client A after verification is passed, generates the message authentication code MACQB, and sends a message M6 to the service station QA, wherein the message M6 comprises an encrypted signature SIGNA and the message authentication code MACQB;
the service station QA receives the message M6 from the service station QB, completes authentication of the client a according to the encrypted signature sign, and completes authentication of the service station QB according to the message authentication code MACQB.
Further, the service station QA and the service station QB are respectively configured with a service station key card, and a client public key pool and a service station private key pool are stored in the service station key card; the client A is configured with a client key fob, and a server public key pool, a client public key and a client private key are stored in the client key fob.
Further, the calculating the key KAQ includes:
generating a random number X, and according to x=g x Calculating to obtain a parameter X;
generating a random number Y, and according to y=g y Calculating to obtain a parameter Y;
according to kaq=y x =X y The key KAQ is calculated.
Further, the negotiation key KS is split into a parameter KSE and a parameter KSA, wherein the parameter KSE is used as a key for encrypting and decrypting a message in the session of the client a and the service station QB, and the parameter KSA is used as a key for authenticating the message in the session of the client a and the service station QB.
The application also discloses a computer device comprising a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of the quantum communication service station key negotiation method based on the asymmetric key pool pair and QKD when executing the computer program.
The quantum communication service station key negotiation system comprises a client A, a service station QB and a service station QA, wherein the client A is a piece of equipment of the service station QA, the service station QA and the service station QB are respectively provided with a service station key fob, and the service station key fob stores a client public key pool and a service station private key pool; the client A is configured with a client key card, and a server public key pool, a client public key and a client private key are stored in the client key card;
The client A, the service station QB and the service station QA realize the quantum communication service station key negotiation method based on the asymmetric key pool pair and the QKD through a communication network.
The quantum communication service station key negotiation method, system and equipment based on the asymmetric key pool pair and the QKD improve the authentication flow based on the symmetric key algorithm, so that data in the authentication flow are encrypted, and the key is obtained by the asymmetric key negotiation algorithm. The key obtained by the asymmetric key negotiation algorithm can only be decrypted by both parties of the asymmetric key negotiation algorithm, and any other person can not decrypt the key. In addition, because the negotiation parameters of the asymmetric key negotiation algorithm are encrypted by the key obtained by the asymmetric key negotiation algorithm through the pre-configured key, namely, any opponent cannot guess the plaintext before encryption, the quantum computer cannot acquire the negotiation data of the asymmetric key negotiation algorithm, and therefore the asymmetric encryption mode has the characteristic of quantum computation resistance.
And each client can communicate with a plurality of quantum communication service stations, and the client and the quantum communication service stations except the quantum communication service station affiliated to the client can respectively acquire a session key through key negotiation. Therefore, for the client, only a key pool between the client and the quantum communication service station affiliated to the client is maintained, and the key pool between the client and other large number of quantum communication service stations is not required to be preset, so that the key management flow is greatly simplified.
Drawings
FIG. 1 is a schematic diagram of key pool distribution of a server key fob of the present application;
FIG. 2 is a schematic diagram of key pool distribution of a client key fob of the present application;
FIG. 3 is a schematic diagram of the structure in an embodiment;
fig. 4 is an authentication flow chart in an embodiment.
Detailed Description
The following description of the technical solutions in the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used in the description of the present application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.
It should be understood that the steps are not strictly limited to the order of execution unless explicitly recited in the present application, and the steps may be executed in other orders. Moreover, at least some of the steps may comprise a plurality of sub-steps or phases, which are not necessarily performed at the same time, but may be performed at different times, nor does the order in which the sub-steps or phases are performed necessarily performed in sequence, but may be performed alternately or alternately with other steps or at least a portion of the other steps or phases.
In one embodiment, a method for negotiating a quantum communication service station key based on an asymmetric key pool pair and QKD is provided, wherein a participant includes a client a, a service station QB and a service station QA, the client a is a sub-device of the service station QA, and the method for negotiating a quantum communication service station key includes:
the client A generates a parameter X according to the random number X, and sends a message M1 to the service station QB, wherein the message M1 comprises a device parameter IDA and an encryption parameter X of the client A;
the service station QB receives the message M1 from the client A, finds the service station QA according to IDA, and negotiates with the service station QA through QKD to obtain a key KQ with a key parameter KID, wherein the key KQ comprises a parameter Kreq and a parameter KS, and sends a message M2 to the service station QA, and the message M2 comprises the KID and the message M1 encrypted by the parameter Kreq;
the service station QA receives a message M2 from the service station QB, obtains a parameter Kreq and a parameter KS according to the received KID, obtains a message M1 after decryption by the parameter Kreq, obtains a parameter X according to the message M1, calculates by using the parameter X and a random number Y generated by a user side to obtain a key KAQ, generates a parameter Y according to the random number Y, generates an authentication message MT and a session ID, and makes a ticket TA, wherein the ticket TA comprises the parameter Y and the authentication message MT encrypted by the key KAQ, the authentication message MT comprises the parameter KS, and sends a message M3 to the service station QB, and the message M3 comprises the encrypted ticket TA and the encrypted session ID;
The service station QB receives a message M3 from the service station QA, verifies the received session ID, and sends a message M4 to the client A after the verification is passed, wherein the message M4 comprises a bill TA;
the client A receives a message M4 from the service station QB, generates a key KAQ according to a parameter Y in the received ticket TA and a random number X of a self party, decrypts the key KAQ to obtain an authentication message MT, verifies the authentication message MT to pass through, and confirms the parameter KS as a negotiation key KS between the authentication message MT and the service station QB, generates a message authentication code MACAQ according to the parameter KS, generates an encryption signature SIGNA according to the parameter X and the parameter Y, and sends a message M5 to the service station QB, wherein the message M5 comprises the message authentication code MACAQ and the encryption signature SIGNA;
the service station QB receives the message M5 from the client A, verifies the received message authentication code MACAQ, confirms the parameter KS as a negotiation key KS with the client A after verification is passed, generates the message authentication code MACQB, and sends a message M6 to the service station QA, wherein the message M6 comprises an encrypted signature SIGNA and the message authentication code MACQB;
the service station QA receives the message M6 from the service station QB, completes authentication of the client a according to the encrypted signature sign, and completes authentication of the service station QB according to the message authentication code MACQB.
The data in the authentication flow of the embodiment is encrypted, the key is obtained by the asymmetric key negotiation algorithm, the key obtained by the asymmetric key negotiation algorithm can only be decrypted by both parties of the asymmetric key negotiation algorithm, and any other person can not decrypt the key. In this embodiment, the client and the quantum communication service station other than the quantum communication service station affiliated to the own party can respectively obtain the session key through key negotiation. Therefore, for the client, only a key pool between the client and the quantum communication service station affiliated to the client is maintained, and the key pool between the client and other large number of quantum communication service stations is not required to be preset, so that the key management flow is greatly simplified.
To further illustrate the workflow of each party in the key agreement process, a quantum communication service station key agreement method based on an asymmetric key pool pair and QKD is described below by way of implementation on a single side.
In one embodiment, a method for negotiating a quantum communication service station key based on an asymmetric key pool pair and QKD is provided, a participant includes a client a, a service station QB and a service station QA, the client a is a sub-device of the service station QA, and the method for negotiating a quantum communication service station key is implemented in the client a, and includes:
Generating a parameter X according to the random number X;
transmitting a message M1 to the service station QB, the message M1 comprising the device parameter IDA and the encryption parameter X of the client a; the IDA is used for the service station QB to find the service station QA and obtain a parameter KS through key negotiation with the service station QA, the message M1 is used for the service station QA to obtain a parameter X, the parameter X is used for the service station QA to calculate and obtain a key KAQ according to a random number Y generated by a host, and the random number Y is used for the service station QA to generate a parameter Y;
receiving a message M4 from a service station QB, the message M4 comprising a ticket TA, the ticket TA being generated by the service station QA, the ticket TA comprising a parameter Y and an authentication message MT encrypted with a key KAQ generated by the service station QA, the authentication message MT comprising a parameter KS;
generating a key KAQ according to a parameter Y in the received ticket TA and a random number X of a self party, decrypting by using the key KAQ to obtain an authentication message MT, verifying the authentication message MT, confirming that the parameter KS is a negotiation key KS between the authentication message MT and a service station QB, generating a message authentication code MACAQ according to the parameter KS, and generating an encryption signature SIGNA according to the parameter X and the parameter Y;
transmitting a message M5 to the service station QB, the message M5 comprising a message authentication code MACAQ and an encrypted signature; the message authentication code MACAQ is used for the service station QB to verify that the passing confirmation parameter KS is a negotiation key KS between the service station QB and the client A and generate the message authentication code MACQB; the encrypted signature sign is used for the service station QA to finish authentication of the client a, and the message authentication code MACQB is used for the service station QA to finish authentication of the service station QB.
In one embodiment, a method for negotiating a quantum communication service station key based on an asymmetric key pool pair and QKD is provided, wherein a participant includes a client a, a service station QB and a service station QA, the client a is a sub-device of the service station QA, and the method for negotiating a quantum communication service station key is implemented in the service station QB and includes:
receiving a message M1 from a client a, the message M1 comprising a device parameter IDA and an encrypted parameter X of the client a; the parameter X is generated by the client A according to the random number X;
finding a service station QA according to the IDA, and negotiating with the service station QA through QKD to obtain a key KQ with a key parameter KID, wherein the key KQ comprises a parameter Kreq and a parameter KS;
transmitting a message M2 to the service station QA, the message M2 including a KID, parameter Kreq encrypted message M1; the KID is used for the service station QA to obtain a parameter Kreq and a parameter KS, the message M1 is used for the service station QA to obtain a parameter X, the parameter X is used for the service station QA to calculate and obtain a key KAQ according to a random number Y generated by the own party, and the random number Y is used for the service station QA to generate a parameter Y;
receiving a message M3 from a service station QA, the message M3 including an encrypted ticket TA and an encrypted session ID; the ticket TA is generated by the service station QA, the ticket TA comprises a parameter Y generated by the service station QA and an authentication message MT encrypted by a key KAQ generated by the service station QA, a session ID is generated by the service station QA, and the authentication message MT comprises a parameter KS;
Verifying the received session ID, and after the verification is passed, sending a message M4 to the client A, wherein the message M4 comprises a ticket TA; the parameter Y in the ticket TA is used for the client A to combine the own random number x to generate a key KAQ, and the authentication message MT is used for the client A to confirm that the parameter KS is a negotiation key KS between the client A and the service station QB after verification is passed;
receiving a message M5 from a client a, the message M5 comprising a message authentication code MACAQ and an encrypted signature sign; the message authentication code MACAQ is generated by the client A according to the parameter KS, and the encrypted signature SIGNA is generated by the client A according to the parameter X and the parameter Y;
verifying the received message authentication code MACAQ, confirming that the parameter KS is a negotiation key KS between the client A after the verification is passed, and generating a message authentication code MACAQ;
transmitting a message M6 to the service station QA, the message M6 comprising a cryptographic signature and a message authentication code MACQB; the encrypted signature sign is used for the service station QA to finish authentication of the client a, and the message authentication code MACQB is used for the service station QA to finish authentication of the service station QB.
In one embodiment, a method for negotiating a quantum communication service station key based on an asymmetric key pool pair and QKD is provided, wherein a participant includes a client a, a service station QB and a service station QA, the client a is a sub-device of the service station QA, and the method for negotiating a quantum communication service station key is implemented in the service station QA and includes:
Receiving a message M2 from the service station QB, the message M2 comprising a KID, parameter Kreq encrypted message M1; the KID is a key parameter carried by a key KQ obtained by the service station QB and the service station QA through QKD negotiation, the key KQ comprises a parameter Kreq and a parameter KS, a message M1 is generated by a client A, and the message M1 comprises a parameter X generated by the client A according to a random number X;
obtaining a parameter Kreq and a parameter KS according to the received KID, decrypting by using the parameter Kreq to obtain a message M1, obtaining a parameter X according to the message M1, calculating by using the parameter X and a random number Y generated by a user to obtain a key KAQ, generating a parameter Y according to the random number Y, generating an authentication message MT and a session ID, and manufacturing a ticket TA, wherein the ticket TA comprises the parameter Y and the authentication message MT encrypted by using the key KAQ, and the authentication message MT comprises the parameter KS;
transmitting a message M3 to the service station QB, the message M3 including the encrypted ticket TA and the encrypted session ID; the session ID is used for allowing the service station QB to verify and pass the ticket TA, the parameter Y in the ticket TA is used for allowing the client A to generate a secret key KAQ in combination with the own random number x, and the authentication message MT is used for allowing the client A to verify and pass the ticket TA, and then confirm that the parameter KS is a negotiation secret key KS between the client A and the service station QB; the parameter KS is used for the client A to generate a message authentication code MACAQ, and the message authentication code MACAQ is used for the service station QB to verify that the parameter KS is a negotiation key KS between the client A after passing verification;
Receiving a message M6 from a service station QB, the message M6 comprising a cryptographic signature and a message authentication code MACQB; the encryption signature SIGNA is generated by the client A according to the parameter X and the parameter Y; the message authentication code MACQB is generated by the service station QB;
and finishing authentication of the client A according to the encrypted signature SIGNA, and finishing authentication of the service station QB according to the message authentication code MACQB.
In another embodiment, the service station QA and the service station QB are respectively configured with a service station key fob, and a client public key pool and a service station private key pool are stored in the service station key fob; the client A is configured with a client key fob, and a server public key pool, a client public key and a client private key are stored in the client key fob.
In this embodiment, the client only needs to maintain the key pool with the quantum communication service stations affiliated to the client, and does not need to preset the key pool with other large number of quantum communication service stations, thereby greatly simplifying the key management flow.
In another embodiment, calculating the key KAQ includes:
generating a random number X, and according to x=g x Calculating to obtain a parameter X;
generating a random number Y, and according to y=g y Calculating to obtain a parameter Y;
according to kaq=y x =X y The key KAQ is calculated.
In this embodiment, the key is obtained by using the asymmetric key negotiation algorithm, and the key can only be decrypted by both parties of the asymmetric key negotiation algorithm, and cannot be decrypted by any other party, so that the security of key negotiation is significantly improved.
In another embodiment, the negotiation key KS is split into a parameter KSE and a parameter KSA, where the parameter KSE is a key for encrypting and decrypting a message during a session between the client a and the service station QB, and the parameter KSA is a key for authenticating a message during a session between the client a and the service station QB.
In this embodiment, the client and the quantum communication service stations other than the quantum communication service station affiliated to the own party can interact through the session key obtained after the key negotiation, so that a key pool between the client and the quantum communication service stations in other large quantities does not need to be preset, and the key management flow is greatly simplified.
The implementation scene of the method is that any 1 object A and a quantum communication service station are mutually authenticated under an asymmetric key pool system. Each object in the key pool system has a key fob, can store keys with large data volume, and also has the capability of processing information. In the present application, there are algorithms in the local system of both the object a and the quantum communication service station that are correspondingly required.
The description of key fobs can be found in the patent application No. 201610843210.6. In the case of a mobile terminal, the key fob is preferably a key SD card; in the case of a fixed terminal, the key fob is preferably a key usb key or a host key fob.
The mechanism of issuance of the key fob is similar as compared to the document of patent application No. 201610843210.6. The key card issuer of the present application is the master of the key card, typically the management of a group, such as the management of a business or institution; the issuer of the key fob is a member managed by the master of the key fob, typically a staff of a certain enterprise or business. The client first applies for an account opening to the principal of the key fob. When the client registers for approval, a key fob (with a unique key fob ID) will be obtained. The key fob stores customer registration information. The public key pools in the client key fobs under the same quantum communication service station are all downloaded from the same key management server, and the public key pools stored in each client key fobs issued by the public key fobs are completely consistent. Preferably, the key pool size stored in the key fob may be 1G, 2G, 4G, 8G, 16G, 32G, 64G, 128G, 256G, 512G, 1024G, 2048G, 4096G, and so on.
The key fob is developed from the smart card technology and is an identity authentication and encryption and decryption product combining cryptography technology, hardware security isolation technology and quantum physics technology (in the case of carrying a quantum random number generator). The embedded chip and the operating system of the key fob can provide the functions of secure storage of keys, cryptographic algorithms, and the like. Because of its independent data processing capability and good security, the key fob becomes a secure carrier for private keys and key pools. Each key fob is protected by a hardware PIN code, which constitutes two necessary factors for the user to use the key fob. In other words, "two-factor authentication", a user can log in to the system only by acquiring the key fob and the user PIN code, which have stored the relevant authentication information, at the same time. Even if the PIN code of the user is revealed, the identity of the legal user cannot be imitated as long as the key fob held by the user is not stolen; if the key fob of the user is lost, the pick-up cannot impersonate the identity of the legitimate user because the user PIN code is not known. In a word, the key fob makes the secret information such as the key not appear in the disk and the memory of the host in a plaintext form, thereby effectively ensuring the safety of the secret information.
In this application, the key fob is divided into a server key fob and a client key fob. The key area structure of the server key card is shown in fig. 1, and a client public key pool and a server private key pool are mainly stored. The key zone structure of the client key fob is shown in fig. 2, and mainly stores a public key pool of a service station and a pair of public and private key pairs. The key fob is issued by a key management server.
The key management server may select a signature algorithm and Diffie-Hellman algorithm before issuing the key fob. The key management server generates a corresponding number of numbers meeting the algorithm specification as a private key and a public key according to the number of clients. The key management server generates a corresponding number of IDs, selects a corresponding number of public and private key pairs, combines the public key and the IDs to obtain an ID/public key, and writes the ID/public key into the same file to form a public key pool file, namely the public key pool of the client. Meanwhile, the key management server writes the corresponding private key into the file in the same way to form a private key pool file, namely a client private key pool. The ID of each private key in the client private key pool is the same as the ID of the corresponding public key in the client public key pool. The key management server again generates a large number of numbers meeting the algorithm specification as private and public keys. The key management server writes the public and private keys into two files to form a service station public key pool and a service station private key pool. The public key in the service station public key pool corresponds to the private key in the same position in the service station private key pool. The key management server defines the first key fob issued as a service station key fob and writes the service station private key pool and client public key pool and associated algorithm parameters to the key zone of the key fob. The key cards issued by the key management server subsequently are all client-side key cards. The key management server randomly selects an unassigned ID to be assigned to the key fob, and writes the public and private keys of the client public key pool and the client private key Chi Quxiang with the ID into the key area of the key fob together with the service station public key pool, and writes the relevant parameters into the key fob.
The random numbers in the present application are true random numbers, and are preferably quantum random numbers.
Unless specifically stated otherwise, the names in the present application are based on a combination of letters and numbers, such as QB, service station QB, quantum communication service station QB, hereinafter, refer to the same meaning, namely quantum communication service station QB; in the following, IDA, the device parameter IDA means the same meaning, i.e. the device parameter IDA; the other names are the same. And the message M1, the random number y, and other expressions M1, y are only for convenience of distinguishing and describing, and there is no additional limitation on the parameters, such as QB of the quantum communication service station, QB of the client a, a; for example, the ticket TA and the MACAQ in the message authentication code MACAQ; and the other is the same.
Example 1
System description
The scenario of this embodiment is shown in fig. 3, in which a client a, a quantum communication service station QA, and a quantum communication service station QB, simply referred to as service station QA and service station QB are included. QA and QB are provided with respective key management servers. QA and QB have QKD channels. The client a is provided with a client key fob, and the quantum communication service station QA and the quantum communication service station QB are provided with a service station key fob. The client a is assigned to the quantum communication service station QA, that is, the key fob of a is issued by the key management server of QA, and the client a shares the asymmetric key pool pair with the service station QA.
According to the Diffie-Hellman protocol, a large prime number p and a number g are defined, g is the primitive root of modulo p, and g and p are parameters of the Diffie-Hellman protocol. Taking the client A and the service station QA as examples, the client A generates a true random large integer SKA as the DH private key of the client A according to the matched key fob, and the DH private key is calculatedCalculating DH public key PKA=g SKA mod p. The service station QA generates a true random large integer SKQAi (i epsilon {1,2, … …, m }) according to the matched key fob as the DH private key of the service station QA, and obtains the DH public key PKQAi=g through calculation SKA mod p(i∈{1,2,……,m})。
According to the Diffie-Hellman protocol, PKQAi SKA mod p=PKA SKA mod p. Hereinafter, the part of mod p is omitted, using PKQAi SKA Refer to PKQAi SKA mod p, the remainder are the same.
The embodiment realizes the identity authentication and key negotiation between the client A and the service station QB. The specific flow is shown in fig. 4, and the text is described as follows:
step 1: client a initiates a negotiation key request to service station QB.
The client A generates a random number NA and a random number X according to a random number generator in the matched key fob, and calculates X=g x . Using NA in combination with a pointer function to obtain a pointer PA, extracting PKQA from a public key pool of a service station by using the pointer PA, and calculating ka=pkqa SKA . Signature (X, SKA) is obtained by signing X with private key SKA, X and its signature are encrypted with KA and sent as message M1 together with IDA and NA to the service station QB. M1 may be represented as IDA NA X SIGN (X, SKA) KA.
Step 2: the service station QB transmits a key negotiation request to the service station QA.
After receiving M1, the service station QB negotiates with the service station QA by QKD to obtain a key KQ with KID, which can be expressed as Kreq+Kresp+KS+Kmac. The service station QB generates a random number NQB from a random number generator in the matched key fob, along with IDQB, M1 as m2_0, which may be denoted as IDQB NQB M1. The message authentication code MAC (m2_0, kreq) is calculated for m2_0 using Kreq. Where MAC (m, k) denotes a message authentication code with m as the message and k as the key. The m2_0 and its message authentication code are encrypted using Kreq and sent as message M2 together with KID to the service station QA. M2 may be represented as kid| { m2_0|mac (m2_0, kreq) } Kreq.
Step 3: the service station QA makes a time and transmits to the service station QB.
After receiving M2, the service station QA finds KQ according to the KID.And (3) obtaining M2-0 by using Kreq solution, and after verifying the message authentication code, enabling the session ID of the key negotiation, namely SESSID=IDQB|| NQB |IDA|NA. The service station QA uses NA to combine with the pointer function to obtain a pointer PA, extracts SKQA from a private key pool of the service station through the pointer PA, extracts public key PKA of the client A according to IDA, and calculates KA=PKA SKQA . And decrypting by using KA to obtain X and signature thereof. After verifying the signature using PKA, generating a random number Y from a random number generator in the matched key fob, calculating y=g y . According to X, g x Kaq=x is calculated y
The server QA generates a random number NQA from a random number generator in the matched key fob, obtains a pointer PQA by combining the NQA with a pointer function, and extracts SKQQA from the server private key pool by the PQA. Calculation kqa=pka SKQQA . The Y is signed using SKQQA to obtain SIGN (Y, SKQQA), and then the Y and its signature are encrypted using KQA. Using SKQQA to MT (metal oxide semiconductor) using SKQQA to MT Y and X are signed to give SIGN (MT Y X, SKQQA), this signature is encrypted using KAQ. Together with NQA as ticket TA, TA can be expressed as
NQA||{Y||SIGN(Y,SKQQA)}KQA||{MT||SIGN(MT||Y||X,SKQQA)}KAQ。
Let m3_0=setssid: NQA TA. The message authentication code is calculated for m3_0 using Kresp to obtain MAC (m3_0, kresp), and m3_0 and its message authentication code are encrypted using Kresp and transmitted as M3 together with KID to the service station QB. M3 may be expressed as KID| { M3_0, MAC (M3_0, kresp) } Kresp.
Step 4: the service station QB authenticates QA and forwards the ticket.
After receiving M3, the service station QB finds KQ according to the KID. M3_0 was solved using Kresp. After verifying the message authentication code, it is verified whether NQB in the sesssid is equal to the local NQB, and if so, the service station QA is authenticated.
The service station QB makes a message authentication code MACQA using KS pair NA, NQB, and IDQB, which can be expressed as macqa=mac (NA NQB IDQB, KS). The sesssid, TA and MACQA component M4 is sent to client a. M4 may be represented as sesssid TA MACQA.
Step 5: the client a will perform two-way message authentication with the service station QB after authenticating NA.
After receiving M4, the client a obtains a pointer PQA by using NQA in combination with a pointer function, and extracts PKQQA from the public key pool of the server through PQA. Calculation of KQA = PKQQA SKA . After decrypting TA using KQA, Y and its signature are obtained. After verifying the signature SIGN (Y, SKQQA) using PKQQA, kaq=y is calculated x . After decrypting TA by KAQ, obtaining MT and signature SIGN (MT Y X, SKQQA) thereof, and after verifying the signature by PKQQA, verifying whether NA in MT is equal to local NA. If equal, client A verifies the passing of service station QA.
KS was obtained from MT. MACQA was verified using KS. After the verification is passed, that is, the client a verifies the service station QB, and confirms that the negotiation key is KS.
Client a uses KS pair NA and NQB to make a message authentication code MACAQ, which may be expressed as macaq=mac (na||nqb, KS). Signature NA, NQA, X, Y is signed using SKA (NA NQA X Y, SKA) and encrypting this signature using KAQ to obtain SIGN. SESSID, MACAQ and SIGNA are sent as M5 to the service station QB. M5 may be represented as sesssid macaqsign.
Step 6: the service station QB authenticates the client a and sends a message authentication code to the service station QA.
After receiving the M5, the service station QB calculates MACAQ 'by using the KS pair NA and the NQB, compares the MACAQ' with the MACAQ, completes the message authentication of the client A if the two are equal, and confirms that the negotiation key is KS.
The service station QB uses Kmac to make a message authentication code MACQB for NQB, NQA, which may be expressed as macqb=mac (NQB |nqa, kmac). MACQB is sent to the service station QA as M6 together with SESSID, KID, SIGNA. M6 may be represented as sesssid KID MACQB sign.
After receiving the M6, the service station QA verifies the MACQB by using the Kmac, and after the verification is passed, the authentication of the service station QB is completed. Decrypting the SIGNA using KAQ yields SIGN (NA nQA X Y, SKA). The signature is verified using the public key PKA of the client. And after the verification is passed, the authentication of the client A is completed. To this end, the completion of session establishment of a and QB is confirmed, and the event is recorded.
The client a and the service station QB can use the key KS to encrypt and decrypt the message and authenticate the message. Preferably, KS is split into KSE and KSA, which serve as message encryption and decryption and message authentication keys, respectively.
This embodiment can be considered as directed to the respective embodiments described above for each step, and can also be considered as a combination of the respective embodiments described above for all steps.
In this embodiment, the key fob used is a stand-alone hardware isolated device. The public key, the private key and other related parameters are stored in a data security area in the key fob, so that the possibility of stealing the key by malicious software or malicious operation is greatly reduced, and the key cannot be acquired and cracked by a quantum computer. Because the classical network does not involve the transmission of public and private keys and algorithm parameters, the risk of cracking the asymmetric key is low, and in addition, the QKD is adopted between the service stations for encrypting and transmitting the message, so that the safety of the message is greatly ensured. The key fob ensures the communication safety of both communication parties in the group, and greatly improves the safety of identity authentication.
Meanwhile, the asymmetric key pool solves the problem that the symmetric key pool brings key storage pressure to the quantum communication service station, and reduces storage cost. For example, the size of the symmetric key pool of the original user is 1G, the number of users is N, the quantum communication service station needs to store the key pool of N G, and if the asymmetric key pool is stored, the size of the client storage key pool is also 1G, and the quantum communication service station also only needs to store the key pool with the size of 1G.
Meanwhile, the authentication process based on the symmetric key algorithm is improved, so that data in the authentication process are encrypted, and the key is obtained by the asymmetric key negotiation algorithm. The key obtained by the asymmetric key negotiation algorithm can only be decrypted by both parties of the asymmetric key negotiation algorithm, and any other person can not decrypt the key. And digital signatures are added to the messages between all the clients and the service station, so that the security of the authentication flow is improved. In addition, because the negotiation parameters of the asymmetric key negotiation algorithm are encrypted by the key obtained by the asymmetric key negotiation algorithm through the pre-configured key, namely, any opponent cannot guess the plaintext before encryption, the quantum computer cannot acquire the negotiation data of the asymmetric key negotiation algorithm, namely, the asymmetric encryption mode of the quantum computer has the characteristic of quantum computation resistance.
And each client of the present application may communicate with a plurality of quantum communication service stations. For example, assume that mobile network servers all use quantum communication service stations; when a mobile client roams to a quantum communication service station other than the quantum communication service station affiliated to the own party, the mobile client has no shared secret key with the local quantum communication service station, so that the mobile client can not access to the network to obtain identity authentication. In such a scenario, using the method of the present application, the client and the quantum communication service station other than the quantum communication service station affiliated to the own party may obtain the session key respectively through key agreement. Therefore, for the client, only a key pool between the client and the quantum communication service station affiliated to the client is maintained, and the key pool between the client and other large number of quantum communication service stations is not required to be preset, so that the key management flow is greatly simplified.
In an embodiment, the present application further provides a computer device including a memory and a processor, the memory storing a computer program, the processor implementing the steps of a quantum communication service station key agreement method based on an asymmetric key pool pair and QKD when executing the computer program.
For specific limitations of the computer device, reference may be made to the above limitation of the digital signature method of the quantum communication service station, and no further description is given here. The various modules in the computer devices described above may be implemented in whole or in part in software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
The computer device may be a terminal and its internal structure may include a processor, memory, network interface, display screen and input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes non-volatile storage media, internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by a processor, implements the quantum communication service station digital signature method based on the asymmetric key pool pair. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of each equipment can be a touch layer covered on the display screen, can also be a key, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
In another embodiment, a quantum communication service station key negotiation system based on an asymmetric key pool pair and QKD is provided, the quantum communication service station key negotiation system includes a client a, a service station QB and a service station QA, the client a is a sub-device of the service station QA, the service station QA and the service station QB are respectively configured with a service station key fob, and a client public key pool and a service station private key pool are stored in the service station key fob; the client A is configured with a client key card, and a service station public key pool, a client public key and a client private key are stored in the client key card;
The method comprises the steps of a quantum communication service station key negotiation method based on an asymmetric key pool pair and QKD, which is realized by a client A, a service station QB and a service station QA through a communication network.
Specific limitations regarding the quantum communication service station key agreement system based on the asymmetric key pool pair and QKD can be found in the above description of the quantum communication service station key agreement method based on the asymmetric key pool pair and QKD, and will not be described in detail herein.
The technical features of the above-described embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above-described embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.

Claims (8)

1. The quantum communication service station key negotiation method based on the asymmetric key pool pair and the QKD is characterized in that a participant comprises a client A, a service station QB and a service station QA, wherein the client A is a child device of the service station QA, and the quantum communication service station key negotiation method is implemented in the service station QA and comprises the following steps:
receiving a message M2 from a service station QB, the message M2 comprising a KID, parameter Kreq encrypted message M1; the KID is a key parameter carried by a key KQ obtained by a service station QB and a service station QA through QKD negotiation, the key KQ comprises the parameter Kreq and a parameter KS, the message M1 is generated by a client A, and the message M1 comprises a parameter X generated by the client A according to a random number X;
obtaining a parameter Kreq and a parameter KS according to the received KID, decrypting by using the parameter Kreq to obtain a message M1, obtaining a parameter X according to the message M1, calculating by using the parameter X and a random number Y generated by a host side to obtain a key KAQ, generating a parameter Y according to the random number Y, generating an authentication message MT and a session ID, and manufacturing a ticket TA, wherein the ticket TA comprises the parameter Y and the authentication message MT encrypted by using the key KAQ, and the authentication message MT comprises the parameter KS;
transmitting a message M3 to the service station QB, the message M3 including an encrypted ticket TA and an encrypted session ID; the session ID is used for a service station QB to forward a bill TA to a client A after passing verification, a parameter Y in the bill TA is used for the client A to generate a key KAQ in combination with a random number x of a host side, and the authentication message MT is used for the client A to confirm that a parameter KS is a negotiation key KS between the client A and the service station QB after passing verification; the parameter KS is used for the client A to generate a message authentication code MACAQ, and the message authentication code MACAQ is used for the service station QB to verify that the parameter KS is a negotiation key KS between the client A after passing verification;
Receiving a message M6 from a service station QB, said message M6 comprising a cryptographic signature and a message authentication code MACQB; the encryption signature SIGNA is generated by the client A according to the parameter X and the parameter Y; the message authentication code MACQB is generated by the service station QB;
finishing authentication of the client A according to the encrypted signature SIGNA, and finishing authentication of the service station QB according to the message authentication code MACQB;
the service station QA and the service station QB are respectively configured with a service station key card, and a client public key pool and a service station private key pool are stored in the service station key card; the client A is configured with a client key fob, and a server public key pool, a client public key and a client private key are stored in the client key fob.
2. The quantum communication service station key agreement method based on the asymmetric key pool pair and QKD as recited in claim 1, wherein the calculating the key KAQ includes:
generating a random number X, and according to x=g x Calculating to obtain a parameter X;
generating a random number Y, and according to y=g y Calculating to obtain a parameter Y;
according to kaq=y x =X y The key KAQ is calculated.
3. A quantum communication service station key agreement method based on an asymmetric key pool pair and QKD according to any one of claims 1 to 2, wherein the negotiating key KS is split into a parameter KSE as a key for encryption and decryption of messages at the time of client a and service station QB session and a parameter KSA as a key for authentication of messages at the time of client a and service station QB session.
4. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the quantum communication service station key agreement method based on an asymmetric key pool pair and QKD as claimed in any one of claims 1 to 3.
5. The quantum communication service station key negotiation method based on the asymmetric key pool pair and the QKD is characterized in that a participant comprises a client A, a service station QB and a service station QA, wherein the client A is a child device of the service station QA, and the quantum communication service station key negotiation method comprises the following steps:
the client A generates a parameter X according to the random number X, and sends a message M1 to the service station QB, wherein the message M1 comprises a device parameter IDA of the client A and encrypts the parameter X;
the service station QB receives a message M1 from the client A, finds the service station QA according to the IDA, and obtains a key KQ with a key parameter KID through QKD negotiation with the service station QA, wherein the key KQ comprises a parameter Kreq and a parameter KS, and sends a message M2 to the service station QA, and the message M2 comprises the KID and the message M1 encrypted by the parameter Kreq;
the service station QA receives a message M2 from the service station QB, obtains a parameter Kreq and a parameter KS according to the received KID, obtains a message M1 after decryption by the parameter Kreq, obtains a parameter X according to the message M1, calculates by using the parameter X and a random number Y generated by a user side to obtain a key KAQ, generates a parameter Y according to the random number Y, generates an authentication message MT and a session ID, and makes a ticket TA, wherein the ticket TA comprises the parameter Y and the authentication message MT encrypted by the key KAQ, the authentication message MT comprises a parameter KS, and sends a message M3 to the service station QB, and the message M3 comprises the encrypted ticket TA and the encrypted session ID;
The service station QB receives a message M3 from the service station QA, verifies the received session ID, and sends a message M4 to the client A after the verification is passed, wherein the message M4 comprises a bill TA;
the client A receives a message M4 from a service station QB, generates a key KAQ according to a parameter Y in a received ticket TA and a random number X of a self party, decrypts the key KAQ to obtain an authentication message MT, verifies the authentication message MT to pass through, confirms that the parameter KS is a negotiation key KS between the authentication message MT and the service station QB, generates a message authentication code MACAQ according to the parameter KS, generates an encryption signature SIGNA according to the parameter X and the parameter Y, and sends a message M5 to the service station QB, wherein the message M5 comprises the message authentication code MACAQ and the encryption signature SIGNA;
the service station QB receives a message M5 from the client A, verifies the received message authentication code MACAQ, confirms that the parameter KS is a negotiation key KS with the client A after verification is passed, generates the message authentication code MACQB, and sends a message M6 to the service station QA, wherein the message M6 comprises an encrypted signature SIGNA and the message authentication code MACQB;
the service station QA receives a message M6 from the service station QB, completes the authentication of the client A according to the encrypted signature SIGNA, and completes the authentication of the service station QB according to the message authentication code MACQB;
The service station QA and the service station QB are respectively configured with a service station key card, and a client public key pool and a service station private key pool are stored in the service station key card; the client A is configured with a client key fob, and a server public key pool, a client public key and a client private key are stored in the client key fob.
6. The quantum communication service station key agreement method based on the asymmetric key pool pair and QKD as recited in claim 5, wherein the calculating the key KAQ includes:
generating a random number X, and according to x=g x Calculating to obtain a parameter X;
generating a random number Y, and according to y=g y Calculating to obtain a parameter Y;
according to kaq=y x =X y The key KAQ is calculated.
7. A quantum communication service station key agreement method based on an asymmetric key pool pair and QKD according to any one of claims 5 to 6, wherein the negotiating key KS is split into a parameter KSE as a key for encryption and decryption of messages at the time of client a and service station QB session and a parameter KSA as a key for authentication of messages at the time of client a and service station QB session.
8. The quantum communication service station key negotiation system based on the asymmetric key pool pair and the QKD is characterized by comprising a client A, a service station QB and a service station QA, wherein the client A is a child device of the service station QA, the service station QA and the service station QB are respectively provided with a service station key fob, and the service station key fob stores a client public key pool and a service station private key pool; the client A is configured with a client key card, and a server public key pool, a client public key and a client private key are stored in the client key card;
The client a, the service station QB and the service station QA implement the steps of the quantum communication service station key negotiation method based on the asymmetric key pool pair and QKD as claimed in claim 5 through a communication network.
CN201910554864.0A 2019-06-25 2019-06-25 Quantum communication service station key negotiation method, system and device based on asymmetric key pool pair and QKD Active CN110266483B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910554864.0A CN110266483B (en) 2019-06-25 2019-06-25 Quantum communication service station key negotiation method, system and device based on asymmetric key pool pair and QKD

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910554864.0A CN110266483B (en) 2019-06-25 2019-06-25 Quantum communication service station key negotiation method, system and device based on asymmetric key pool pair and QKD

Publications (2)

Publication Number Publication Date
CN110266483A CN110266483A (en) 2019-09-20
CN110266483B true CN110266483B (en) 2023-06-06

Family

ID=67921297

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910554864.0A Active CN110266483B (en) 2019-06-25 2019-06-25 Quantum communication service station key negotiation method, system and device based on asymmetric key pool pair and QKD

Country Status (1)

Country Link
CN (1) CN110266483B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112800439B (en) * 2020-12-02 2022-02-08 中国电子科技集团公司第三十研究所 Key management protocol design method and system for secure storage
CN113452687B (en) * 2021-06-24 2022-12-09 中电信量子科技有限公司 Method and system for encrypting sent mail based on quantum security key

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450623A (en) * 2018-10-16 2019-03-08 如般量子科技有限公司 Anti- quantum calculation cryptographic key negotiation method based on unsymmetrical key pond
CN109495244A (en) * 2018-10-16 2019-03-19 如般量子科技有限公司 Anti- quantum calculation cryptographic key negotiation method based on pool of symmetric keys
CN109756329A (en) * 2019-01-15 2019-05-14 如般量子科技有限公司 Anti- quantum calculation shared key machinery of consultation and system based on private key pond

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106470104B (en) * 2015-08-20 2020-02-07 阿里巴巴集团控股有限公司 Method, device, terminal equipment and system for generating shared key
CN109889329A (en) * 2019-01-11 2019-06-14 如般量子科技有限公司 Anti- quantum calculation wired home quantum communications method and system based on quantum key card

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450623A (en) * 2018-10-16 2019-03-08 如般量子科技有限公司 Anti- quantum calculation cryptographic key negotiation method based on unsymmetrical key pond
CN109495244A (en) * 2018-10-16 2019-03-19 如般量子科技有限公司 Anti- quantum calculation cryptographic key negotiation method based on pool of symmetric keys
CN109756329A (en) * 2019-01-15 2019-05-14 如般量子科技有限公司 Anti- quantum calculation shared key machinery of consultation and system based on private key pond

Also Published As

Publication number Publication date
CN110266483A (en) 2019-09-20

Similar Documents

Publication Publication Date Title
CN110519046B (en) Quantum communication service station key negotiation method and system based on one-time asymmetric key pair and QKD
CN109728906B (en) Anti-quantum-computation asymmetric encryption method and system based on asymmetric key pool
CN109064324A (en) Method of commerce, electronic device and readable storage medium storing program for executing based on alliance's chain
CN110138548B (en) Quantum communication service station key negotiation method and system based on asymmetric key pool pair and DH protocol
US8806206B2 (en) Cooperation method and system of hardware secure units, and application device
CN110380845B (en) Quantum secret communication alliance chain transaction method, system and equipment based on group symmetric key pool
CN109921905B (en) Anti-quantum computation key negotiation method and system based on private key pool
CN110380859B (en) Quantum communication service station identity authentication method and system based on asymmetric key pool pair and DH protocol
CN109918888B (en) Anti-quantum certificate issuing method and issuing system based on public key pool
CN109936456B (en) Anti-quantum computation digital signature method and system based on private key pool
CN109951274B (en) Anti-quantum computing point-to-point message transmission method and system based on private key pool
CN110535626B (en) Secret communication method and system for identity-based quantum communication service station
CN109787758B (en) Anti-quantum computation MQV key agreement method and system based on private key pool and Elgamal
CN109905229B (en) Anti-quantum computing Elgamal encryption and decryption method and system based on group asymmetric key pool
CN109728905B (en) Anti-quantum computation MQV key negotiation method and system based on asymmetric key pool
CN110224816B (en) Anti-quantum computing application system based on key fob and serial number, near-field energy-saving communication method and computer equipment
CN110176989B (en) Quantum communication service station identity authentication method and system based on asymmetric key pool
CN111416712B (en) Quantum secret communication identity authentication system and method based on multiple mobile devices
CN110098925B (en) Quantum communication service station key negotiation method and system based on asymmetric key pool pair and random number
CN110365472B (en) Quantum communication service station digital signature method and system based on asymmetric key pool pair
JP2010231404A (en) System, method, and program for managing secret information
CN110519222B (en) External network access identity authentication method and system based on disposable asymmetric key pair and key fob
CN110519226B (en) Quantum communication server secret communication method and system based on asymmetric key pool and implicit certificate
US9641333B2 (en) Authentication methods, systems, devices, servers and computer program products, using a pairing-based cryptographic approach
CN110266483B (en) Quantum communication service station key negotiation method, system and device based on asymmetric key pool pair and QKD

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant