CN110535632A - Quantum communication service station AKA key agreement method and system based on asymmetric key pool pairs and the DH protocol - Google Patents
- Publication number
- CN110535632A (application number CN201910591318.4A)
- Authority
- CN
- China
- Prior art keywords
- key
- message
- service station
- customer end
- authentication code
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- All entries below fall under H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
- H04L9/0897—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
This application relates to a quantum communication service station AKA key agreement method and system based on asymmetric key pool pairs and the DH protocol. In this application, client A, the service station and client B are each equipped with a key card, and keys are stored in the key card. Because the key card is an independent hardware device, the possibility of a key being stolen by malware or malicious operation is substantially reduced.
Description
Technical field
This application relates to the field of secure communication technology, and in particular to a quantum communication service station AKA key agreement method and system based on asymmetric key pool pairs and the DH protocol.
Background technique
The rapidly developing Internet has brought enormous convenience to people's lives and work: sitting at home, people can send and receive e-mail, make phone calls, shop online and transfer money between banks over the Internet. At the same time, the security of Internet messages is increasingly becoming a potentially huge problem. In general, Internet messages face the following security risks: messages being stolen, messages being tampered with, attackers forging messages, malicious sabotage, and so on.
Identity authentication is one means of protecting people's Internet messages. Identity authentication, also called "identity verification" or "identity identification", is the process of confirming an operator's identity in a computer or computer network system, in order to determine whether that user has access rights to a certain resource. It allows the access policy of the computer and network system to be executed reliably and efficiently, prevents an attacker from impersonating a legitimate user to obtain access to resources, and guarantees the security of the system and its data as well as the legitimate interests of authorized visitors.
Successful identity authentication currently relies mainly on cryptographic techniques, and in today's field of cryptography there are two main kinds of cryptosystem. The first is the symmetric-key cryptosystem, in which the encryption key and the decryption key are the same. The other is the public-key cryptosystem, in which the encryption key and the decryption key are different and one of them can be made public. Most current identity authentication relies on algorithms from public-key cryptography.
The encryption key (public key) and decryption key (private key) used by a public-key cryptosystem are different. Because the encryption key is public, key distribution and management are very simple, and a public-key cryptosystem can also easily implement digital signatures.
Since public-key encryption appeared, scholars have proposed many kinds of public-key encryption methods, all of whose security rests on hard mathematical problems. Classified by the underlying hard problem, three classes of system are currently considered secure and effective: large-integer factorization systems (represented by RSA), discrete-logarithm systems (represented by DSA) and elliptic-curve discrete-logarithm systems (ECC).
However, with the development of quantum computers, classical asymmetric-key encryption algorithms will no longer be secure: whether in encryption and decryption or in key exchange, a quantum computer can compute the private key from the public key, so the asymmetric keys in use today will be unable to withstand a single blow in the quantum era. Quantum key distribution (QKD) equipment can currently ensure that a negotiated key cannot be acquired. However, QKD is mainly used on quantum trunk lines; the path from user-premises equipment to the quantum communication service station is still a classical network, so it is difficult to guarantee the security of the authentication procedure with asymmetric algorithms.
At present, the AKA mechanism (full name "Authentication and Key Agreement", i.e. authentication and key agreement) is one of the more commonly used authentication methods in the mobile communication field and can achieve symmetric key negotiation and distribution. However, the key used to compute the authentication vector is fixed, which carries certain risks; yet if a large symmetric key pool were used instead, it would impose a considerable storage burden on the quantum communication service station.
Problems of the existing technology:
1. A symmetric key pool used between the quantum communication service station and the quantum key card has a huge capacity, which puts pressure on the key storage of the quantum communication service station;
2. Because the symmetric key pool is so large, the quantum communication service station has to store the keys, encrypted, on an ordinary storage medium such as a hard disk, and cannot store them in the quantum communication service station's key card;
3. Because the symmetric key pool is so large, key backup becomes troublesome.
Summary of the invention
Based on this, in view of the above technical problems, it is necessary to provide a quantum communication service station AKA key agreement method and system based on asymmetric key pool pairs and the DH protocol.
This application discloses a quantum communication service station AKA key agreement method based on asymmetric key pool pairs and the DH protocol, implemented at client A, which includes:
After obtaining the first random parameter generated by client B, generating a second random parameter, a first intermediate parameter and a first key, the first key being generated according to the DH protocol using client A's first private key and the service station's first public key; generating a first message that includes the first intermediate parameter, the device parameter of client A, the device parameter of the service station and the second random parameter; encrypting at least part of the first message with the first key and producing a first authentication code; sending the first message containing the first authentication code to client B;
Obtaining a fourth message from client B that contains a network authentication token, the token having been computed by the service station using a vector key, which is generated from the first intermediate parameter and the service station's first private key; generating the vector key and computing the message authentication code, authentication response, confidentiality key and integrity key of the authentication vector; after the message authentication code has been compared with the network authentication token and the comparison passes, generating a fourth authentication code using the integrity key and the authentication response, and generating a fifth message that includes the authentication response encrypted with the confidentiality key together with the fourth authentication code; sending the fifth message to client B;
Obtaining a sixth message from client B, which includes a fifth authentication code and a comparison result encrypted with the confidentiality key; the fifth authentication code is generated by client B using the integrity key and the comparison result, and the comparison result is produced after client B compares the authentication response with the authentication response it stored; decrypting and reading the comparison result, and if the comparison result is true, treating the confidentiality key as the session key and the integrity key as the authentication key.
Also disclosed is a quantum communication service station AKA key agreement method based on asymmetric key pool pairs and the DH protocol, implemented at the service station, which includes:
Obtaining a second message from client B, the second message including a first message, the device parameter of client B, a first random parameter, a second intermediate parameter and a third random parameter; at least part of the second message is encrypted with a second key and carries a second authentication code; the first message includes a first intermediate parameter, the device parameter of client A, the device parameter of the service station and a second random parameter; at least part of the first message is encrypted with a first key and carries a first authentication code. The second random parameter and the first intermediate parameter are generated by client A, and the first key is generated by client A according to the DH protocol using client A's first private key and the service station's first public key; the third random parameter, the first random parameter and the second intermediate parameter are generated by client B, and the second key is generated according to the DH protocol using client B's first private key and the service station's second public key;
Decrypting and verifying the second authentication code and then the first authentication code in turn, after which a vector key, a fourth random parameter and a third key are generated; the vector key is generated from the first intermediate parameter and the service station's first private key, and the third key is generated according to the DH protocol using the service station's second private key and the second intermediate parameter; generating an authentication vector with the vector key, the authentication vector including a message authentication code, an authentication response, a confidentiality key, an integrity key and a network authentication token; generating a third message that includes the fourth random parameter and the authentication vector; encrypting at least part of the third message with the third key and producing a third authentication code; sending the third message containing the third authentication code to client B;
The authentication vector is used by client A and client B to complete AKA authentication.
Also disclosed is a quantum communication service station AKA key agreement method based on asymmetric key pool pairs and the DH protocol, implemented at client B, which includes:
Generating a first random parameter and sending the first random parameter to client A;
Obtaining a first message from client A, the first message including a first intermediate parameter, the device parameter of client A, the device parameter of the service station and a second random parameter; at least part of the first message is encrypted with a first key and carries a first authentication code; the second random parameter and the first intermediate parameter are generated by client A, and the first key is generated by client A according to the DH protocol using client A's first private key and the service station's first public key; after decryption, generating a second intermediate parameter, a third random parameter and a second key, the second key being generated according to the DH protocol using client B's first private key and the service station's second public key; generating a second message that includes the first message, the device parameter of client B, the first random parameter, the second intermediate parameter and the third random parameter; encrypting at least part of the second message with the second key and producing a second authentication code; sending the second message containing the second authentication code to the service station;
Obtaining a third message from the service station, the third message including a fourth random parameter and an authentication vector; at least part of the third message is encrypted with a third key and carries a third authentication code; the third key is generated by the service station according to the DH protocol using the service station's second private key and the second intermediate parameter; the authentication vector is generated by the service station using a vector key and includes a message authentication code, an authentication response, a confidentiality key, an integrity key and a network authentication token; the vector key is generated from the first intermediate parameter and the service station's first private key; after decrypting and verifying the third authentication code, parsing and storing the authentication vector, generating a fourth message containing the network authentication token and sending the fourth message to client A;
Obtaining a fifth message from client A, the fifth message including an authentication response encrypted with the confidentiality key and a fourth authentication code, where the fourth authentication code is generated by client A using the integrity key and the authentication response, and the authentication response, confidentiality key and integrity key are generated by client A using the vector key; after decryption, comparing the received authentication response with the stored authentication response and generating a comparison result; if the two authentication responses are equal, treating the confidentiality key as the session key and the integrity key as the authentication key; generating a fifth authentication code using the comparison result and the integrity key; generating a sixth message that includes the fifth authentication code and the comparison result encrypted with the confidentiality key; sending the sixth message to client A.
Also disclosed is a quantum communication service station AKA key agreement method based on asymmetric key pool pairs and the DH protocol, which includes:
Client B generates a first random parameter and sends the first random parameter to client A;
After obtaining the first random parameter generated by client B, client A generates a second random parameter, a first intermediate parameter and a first key, the first key being generated according to the DH protocol using client A's first private key and the service station's first public key; client A generates a first message that includes the first intermediate parameter, the device parameter of client A, the device parameter of the service station and the second random parameter; at least part of the first message is encrypted with the first key and a first authentication code is produced; the first message containing the first authentication code is sent to client B;
Client B obtains the first message and, after decryption, generates a second intermediate parameter, a third random parameter and a second key, the second key being generated according to the DH protocol using client B's first private key and the service station's second public key; client B generates a second message that includes the first message, the device parameter of client B, the first random parameter, the second intermediate parameter and the third random parameter; at least part of the second message is encrypted with the second key and a second authentication code is produced; the second message containing the second authentication code is sent to the service station;
The service station obtains the second message, decrypts it and verifies the second authentication code and then the first authentication code in turn, after which it generates a vector key, a fourth random parameter and a third key; the vector key is generated from the first intermediate parameter and the service station's first private key, and the third key is generated according to the DH protocol using the service station's second private key and the second intermediate parameter; the service station uses the vector key to generate an authentication vector, which includes a message authentication code, an authentication response, a confidentiality key, an integrity key and a network authentication token; it generates a third message that includes the fourth random parameter and the authentication vector; at least part of the third message is encrypted with the third key and a third authentication code is produced; the third message containing the third authentication code is sent to client B;
Client B obtains the third message, decrypts it, verifies the third authentication code, then parses and stores the authentication vector; it generates a fourth message containing the network authentication token and sends the fourth message to client A;
Client A obtains the fourth message, generates the vector key and computes the message authentication code, authentication response, confidentiality key and integrity key of the authentication vector; after comparing the message authentication code with the network authentication token and the comparison passes, client A generates a fourth authentication code using the integrity key and the authentication response, and generates a fifth message that includes the authentication response encrypted with the confidentiality key and the fourth authentication code; the fifth message is sent to client B;
Client B obtains the fifth message and, after decryption, compares the authentication response with the stored authentication response and generates a comparison result; if the two authentication responses are equal, client B treats the confidentiality key as the session key and the integrity key as the authentication key; it generates a fifth authentication code using the comparison result and the integrity key, and generates a sixth message that includes the fifth authentication code and the comparison result encrypted with the confidentiality key; the sixth message is sent to client A;
Client A obtains the sixth message, decrypts and reads the comparison result, and if the comparison result is true, treats the confidentiality key as the session key and the integrity key as the authentication key.
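The flow laid out in the method statements above (at client A, at the service station, at client B, and in combined form) can be traced end to end in code. The following is an added example, not code from the patent or its applicant, and it models only the single-station variant: the first, second and third keys and the vector key are Diffie-Hellman secrets, every message carries an authentication code, the station checks the second and then the first code, and client A checks the network authentication token against its own message authentication code before the confidentiality and integrity keys are adopted. Everything the patent does not state is an assumption made here: the toy DH group, HMAC-SHA256 for the authentication codes, a SHA-256 counter keystream standing in for the cipher, the message layout, the labels S1 and S2 for the service station's two key pairs, the HMAC-based derivation of the authentication vector's elements, and taking the network authentication token to be the message authentication code itself.

```python
# Added example modelling the six-message flow above; not the patent's own code. Assumed here:
# a toy DH group, a SHA-256 counter keystream in place of a real cipher, HMAC-SHA256 for every
# authentication code and for the AKA functions that fill the authentication vector.
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy DH modulus (assumption); use RFC 3526 group 14 or X25519 in a real system
G = 2
AV_FIELDS = ("MAC", "XRES", "CK", "IK", "AUTN")

def dh_keypair():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def dh_shared(sk, pk):
    # 32-byte key hashed from the DH secret: how K1, K2, K3 and the vector key are all formed here
    return hashlib.sha256(pow(pk, sk, P).to_bytes(16, "big")).digest()

def auth_code(key, *parts):
    # HMAC-SHA256 over length-prefixed parts: the "authentication code" carried by each message
    h = hmac.new(key, digestmod="sha256")
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()

def keystream_xor(key, nonce, data):
    # stand-in stream cipher (assumption, not for production): SHA-256 in counter mode
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(enc_key, header, secret, *assoc, mac_key=None):
    # encrypt the confidential part, then authenticate header, ciphertext and any nested message
    ct = keystream_xor(enc_key, header, secret)
    return header, ct, auth_code(mac_key or enc_key, header, ct, *assoc)

def open_msg(enc_key, msg, *assoc, mac_key=None):
    header, ct, tag = msg
    if not hmac.compare_digest(auth_code(mac_key or enc_key, header, ct, *assoc), tag):
        raise ValueError("authentication code check failed")
    return header, keystream_xor(enc_key, header, ct)

def auth_vector(vk, r1, r2):
    # each element is an HMAC of the vector key over its label and both client randoms;
    # the network authentication token AUTN is taken to be the MAC itself (assumption)
    av = {name: auth_code(vk, name.encode(), r1, r2) for name in AV_FIELDS[:4]}
    av["AUTN"] = av["MAC"]
    return av

def run_protocol(tamper=False):
    # provisioning (assumed layout): client cards hold their private key plus a pool of station
    # public keys; the station card holds its private-key pool plus a pool of client public keys
    (skA, pkA), (skB, pkB) = dh_keypair(), dh_keypair()
    (skS1, pkS1), (skS2, pkS2) = dh_keypair(), dh_keypair()
    station_pool = {"S1": pkS1, "S2": pkS2}
    card_s = {"sk": {"S1": skS1, "S2": skS2}, "clients": {"A": pkA, "B": pkB}}

    r1 = secrets.token_bytes(16)  # B -> A: first random parameter
    # A: second random, ephemeral (first intermediate parameter), K1 = DH(skA, pkS1)
    r2, (ea, EA) = secrets.token_bytes(16), dh_keypair()
    k1 = dh_shared(skA, station_pool["S1"])
    msg1 = seal(k1, b"A|S|" + r1, EA.to_bytes(16, "big") + r2)
    # B: ephemeral (second intermediate parameter), third random, K2 = DH(skB, pkS2); msg1 nested
    r3, (eb, EB) = secrets.token_bytes(16), dh_keypair()
    k2 = dh_shared(skB, station_pool["S2"])
    msg2 = seal(k2, b"B|" + r1, EB.to_bytes(16, "big") + r3, *msg1)
    # station: verify the second, then the first authentication code; derive vector key and K3
    h2, body2 = open_msg(dh_shared(card_s["sk"]["S2"], card_s["clients"]["B"]), msg2, *msg1)
    _, body1 = open_msg(dh_shared(card_s["sk"]["S1"], card_s["clients"]["A"]), msg1)
    EA_s, r2_s = int.from_bytes(body1[:16], "big"), body1[16:]
    av_s = auth_vector(dh_shared(card_s["sk"]["S1"], EA_s), h2[2:], r2_s)
    k3 = dh_shared(card_s["sk"]["S2"], int.from_bytes(body2[:16], "big"))
    r4 = secrets.token_bytes(16)  # fourth random parameter
    msg3 = seal(k3, b"S|B|" + r4, b"".join(av_s[f] for f in AV_FIELDS))
    # B: verify the third authentication code, store the vector, forward AUTN to A
    _, body3 = open_msg(dh_shared(eb, station_pool["S2"]), msg3)
    av_b = {f: body3[i * 32:(i + 1) * 32] for i, f in enumerate(AV_FIELDS)}
    msg4 = bytes([av_b["AUTN"][0] ^ tamper]) + av_b["AUTN"][1:]  # tamper=True flips one bit
    # A: recompute the vector from its own copy of the vector key and check the token
    av_a = auth_vector(dh_shared(ea, station_pool["S1"]), r1, r2)
    if not hmac.compare_digest(av_a["MAC"], msg4):
        return None, None, False  # A aborts: the token does not match its own MAC
    ck_a, ik_a = av_a["CK"], av_a["IK"]
    msg5 = seal(ck_a, b"A|B", av_a["XRES"], mac_key=ik_a)  # RES under CK, fourth code under IK
    # B: compare A's response with the stored XRES and report the verdict under CK/IK
    ck_b, ik_b = av_b["CK"], av_b["IK"]
    _, res = open_msg(ck_b, msg5, mac_key=ik_b)
    result = hmac.compare_digest(res, av_b["XRES"])
    msg6 = seal(ck_b, b"B|A", bytes([result]), mac_key=ik_b)
    # A: on a true result, CK becomes the session key and IK the authentication key
    _, verdict = open_msg(ck_a, msg6, mac_key=ik_a)
    return (ck_a, ik_a), (ck_b, ik_b), verdict == b"\x01"
```

`run_protocol()` returns identical (confidentiality key, integrity key) pairs for both clients and a true comparison result; `run_protocol(tamper=True)` corrupts the token carried in the fourth message, and the run stops at client A's comparison of the token with its own message authentication code, which is the check the method performs before either key is trusted. Note that the vector key exists at only two parties, client A (from its ephemeral value and the station's first public key) and the station (from the first intermediate parameter and its first private key); client B only stores and relays the vector the station derived from it.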
Preferably, the service station includes a service station Qa and a service station Qb, client A is a sub-device of service station Qa, and client B is a sub-device of service station Qb;
Service station Qb obtains the second message from client B, where the second key is generated by client B according to the DH protocol using client B's first private key and service station Qb's first public key; the first message further includes the device parameter of service station Qa, and the first key is generated by client A according to the DH protocol using client A's first private key and service station Qa's first public key; after decrypting and verifying the second authentication code, service station Qb obtains a first inter-station key for encrypted communication with service station Qa and generates a first inter-station message that includes the device parameter of service station Qb, the first message and the first random parameter; the first inter-station message is encrypted with the first inter-station key and sent to service station Qa;
After service station Qa obtains, decrypts and verifies the first authentication code, it generates the vector key using the first intermediate parameter and service station Qa's first private key, the vector key being used to generate the authentication vector; it obtains a second inter-station key for encrypted communication with service station Qb, generates a second inter-station message containing the authentication vector, encrypts the second inter-station message with the second inter-station key and sends it to service station Qb;
After service station Qb obtains, decrypts and verifies it, service station Qb generates a fourth random parameter, generates a fifth key using the second intermediate parameter and service station Qb's first private key, and generates a seventh message that includes the fourth random parameter and the second inter-station message, at least part of the seventh message being encrypted with the fifth key; the seventh message is sent to client B;
The seventh message is used by client A and client B to complete AKA authentication.
Preferably, client A and client B are each configured with a client key card, in which a service station public key pool, the client's own public key and the client's private key are stored; the service station is configured with a service station key card, in which a client public key pool containing each client's public key and a service station private key pool are stored.
Also disclosed is a client device including a memory and a processor, the memory storing a computer program; when the processor executes the computer program, it carries out the steps of the quantum communication service station AKA key agreement method of the above technical solution.
Also disclosed is a service station device including a memory and a processor, the memory storing a computer program; when the processor executes the computer program, it carries out the steps of the quantum communication service station AKA key agreement method of the above technical solution.
Also disclosed is a quantum communication service station AKA key agreement system based on asymmetric key pool pairs and the DH protocol, including a memory and a processor, the memory storing a computer program; when the processor executes the computer program, it carries out the steps of the quantum communication service station AKA key agreement method of the above technical solution. Client A and client B are each configured with a client key card, in which a service station public key pool, the client's own public key and the client's private key are stored; the service station is configured with a service station key card, in which a client public key pool containing each client's public key and a service station private key pool are stored.
The key card used in this application combines cryptographic techniques, hardware security isolation and quantum physics (where a quantum random number generator is carried) into an identity authentication and encryption/decryption product. The embedded chip and operating system of the key card provide functions such as secure key storage and cryptographic algorithms. Because it has independent data processing capability and good security, the key card acts as the security barrier for private keys and key pools. Each key card can be protected by a hardware PIN code; the PIN code and the hardware form the two factors needed to use the key card (so-called two-factor authentication): a user can log in to the system only by holding both the key card in which the authentication information is stored and the user's PIN code. Even if the user's PIN code is leaked, the identity of the legitimate user cannot be impersonated as long as the key card itself is not stolen; if the key card is lost, whoever finds it cannot impersonate the legitimate user without knowing the PIN code. In short, the key card keeps top-secret information such as keys from ever appearing in plaintext in the host's disk or memory, which effectively protects that information.
Each member is equipped with a key card and stores its keys in it; because the key card is an independent hardware device, the likelihood of keys being stolen by malicious software or malicious operations is greatly reduced. At the same time, each member uses a random number, combined with the asymmetric key pool, to extract the public key of the member it needs, and the public keys of all members are stored only in key cards. The scheme therefore relies on the public keys never being exposed: a quantum computer that cannot obtain a client's public key cannot derive the corresponding private key from it, which reduces the risk of the scheme being broken by quantum computing.
Because the quantum communication service station acting as the message centre needs to store only the client public key pool, rather than multiple large-capacity symmetric key pools, storage space at the quantum communication service station is greatly saved and key backup is made easier.
Description of the drawings
Fig. 1 is a schematic diagram of the key pool layout in the service station key card of this application;
Fig. 2 is a schematic diagram of the key pool layout in the client key card of this application;
Fig. 3 is the AKA authentication flow chart of Embodiment 1, in which client A and client B are under the same service station Q;
Fig. 4 is the AKA authentication flow chart of Embodiment 2, in which client A and client B are under service station QA and service station QB respectively.
Detailed description
In order to make the objectives, technical solutions and advantages of this application clearer, the application is further described below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here only explain the application and do not limit it. Unless otherwise specified, the service station in this application is a quantum communication service station. Names in this application are identified by their letter-and-number combination: for example, device parameter IDA, device information IDA, identification parameter IDA and IDA below all mean the same thing, namely the device parameter IDA; likewise authentication key AK2, message authentication key AK2, information authentication key AK2 and AK2 below all mean the same thing, namely the authentication key AK2. The remaining names are treated the same way.
This application discloses a quantum communication service station AKA key agreement method based on asymmetric key pool pairs and the DH protocol, implemented at client A, comprising:
after obtaining the first random parameter generated by client B, generating a second random parameter, a first intermediate parameter and a first key, the first key being generated according to the DH protocol from the first private key of client A and the first public key of the service station; generating a first message comprising the first intermediate parameter, the device parameter of client A, the device parameter of the service station and the second random parameter; encrypting at least part of the first message with the first key and producing a first authentication code; and sending the first message, including the first authentication code, to client B;
obtaining from client B a fourth message comprising a network authentication token, the network authentication token being computed by the service station from a vector key, and the vector key being generated from the first intermediate parameter and the first private key of the service station; generating the vector key and computing from it the message authentication code, the authentication response, the confidentiality key and the integrity key of the authentication vector; after the computed message authentication code has been compared with the one carried in the network authentication token and found to match, generating a fourth authentication code from the integrity key and the authentication response, generating a fifth message comprising the authentication response and the fourth authentication code encrypted with the confidentiality key, and sending the fifth message to client B;
obtaining a sixth message from client B, the sixth message comprising a fifth authentication code and a comparison result encrypted with the confidentiality key, the fifth authentication code being generated by client B from the integrity key and the comparison result, and the comparison result being produced by client B after comparing the received authentication response with the authentication response it has stored; decrypting and reading the comparison result and, if the comparison result is true, trusting the confidentiality key as the session key and the integrity key as the authentication key.
Also disclosed herein is a quantum communication service station AKA key agreement method based on asymmetric key pool pairs and the DH protocol, implemented at the service station, comprising:
obtaining a second message from client B, the second message comprising the first message, the device parameter of client B, the first random parameter, the second intermediate parameter and the third random parameter, at least part of the second message being encrypted with the second key and carrying a second authentication code; the first message comprising the first intermediate parameter, the device parameter of client A, the device parameter of the service station and the second random parameter, at least part of the first message being encrypted with the first key and carrying a first authentication code; wherein the second random parameter and the first intermediate parameter are generated by client A, the first key is generated by client A according to the DH protocol from the first private key of client A and the first public key of the service station, the second key is generated according to the DH protocol from the first private key of client B and the second public key of the service station, and the third random parameter, the first random parameter and the second intermediate parameter are generated by client B;
decrypting and verifying in turn the second authentication code and then the first authentication code, and then generating a vector key, a fourth random parameter and a third key, the vector key being generated from the first intermediate parameter and the first private key of the service station, and the third key being generated according to the DH protocol from the second private key of the service station and the second intermediate parameter; generating an authentication vector from the vector key, the authentication vector comprising a message authentication code, an authentication response, a confidentiality key, an integrity key and a network authentication token; generating a third message comprising the fourth random parameter and the authentication vector, encrypting at least part of the third message with the third key and producing a third authentication code; and sending the third message, including the third authentication code, to client B;
the authentication vector being used by client A and client B to complete AKA authentication.
Also disclosed herein is a quantum communication service station AKA key agreement method based on asymmetric key pool pairs and the DH protocol, implemented at client B, comprising:
generating a first random parameter and sending the first random parameter to client A;
obtaining the first message from client A, the first message comprising the first intermediate parameter, the device parameter of client A, the device parameter of the service station and the second random parameter, at least part of the first message being encrypted with the first key and carrying a first authentication code; wherein the second random parameter and the first intermediate parameter are generated by client A, and the first key is generated by client A according to the DH protocol from the first private key of client A and the first public key of the service station; after receiving and parsing the first message, generating a second intermediate parameter, a third random parameter and a second key, the second key being generated according to the DH protocol from the first private key of client B and the second public key of the service station; generating a second message comprising the first message, the device parameter of client B, the first random parameter, the second intermediate parameter and the third random parameter; encrypting at least part of the second message with the second key and producing a second authentication code; and sending the second message, including the second authentication code, to the service station;
obtaining a third message from the service station, the third message comprising the fourth random parameter and the authentication vector, at least part of the third message being encrypted with the third key and carrying a third authentication code; the third key being generated by the service station according to the DH protocol from the second private key of the service station and the second intermediate parameter, and the authentication vector being generated by the service station from the vector key and comprising a message authentication code, an authentication response, a confidentiality key, an integrity key and a network authentication token; the vector key being generated from the first intermediate parameter and the first private key of the service station; after decrypting and verifying the third authentication code, parsing and storing the authentication vector, generating a fourth message comprising the network authentication token and sending the fourth message to client A;
obtaining a fifth message from client A, the fifth message comprising the authentication response and a fourth authentication code encrypted with the confidentiality key; wherein the fourth authentication code is generated by client A from the integrity key and the authentication response, and the authentication response, the confidentiality key and the integrity key are generated by client A from the vector key; after decryption, comparing the received authentication response with the stored authentication response and producing a comparison result, and, if the two authentication responses are equal, trusting the confidentiality key as the session key and the integrity key as the authentication key; generating a fifth authentication code from the comparison result and the integrity key; generating a sixth message comprising the fifth authentication code and the comparison result encrypted with the confidentiality key; and sending the sixth message to client A.
Also disclosed herein is a quantum communication service station AKA key agreement method based on asymmetric key pool pairs and the DH protocol, comprising:
client B generates a first random parameter and sends the first random parameter to client A;
after obtaining the first random parameter generated by client B, client A generates a second random parameter, a first intermediate parameter and a first key, the first key being generated according to the DH protocol from the first private key of client A and the first public key of the service station; client A generates a first message comprising the first intermediate parameter, the device parameter of client A, the device parameter of the service station and the second random parameter, encrypts at least part of the first message with the first key and produces a first authentication code, and sends the first message, including the first authentication code, to client B;
client B obtains the first message and, after parsing it, generates a second intermediate parameter, a third random parameter and a second key, the second key being generated according to the DH protocol from the first private key of client B and the second public key of the service station; client B generates a second message comprising the first message, the device parameter of client B, the first random parameter, the second intermediate parameter and the third random parameter, encrypts at least part of the second message with the second key and produces a second authentication code, and sends the second message, including the second authentication code, to the service station;
the service station obtains the second message, decrypts it and verifies in turn the second authentication code and then the first authentication code, and then generates a vector key, a fourth random parameter and a third key, the vector key being generated from the first intermediate parameter and the first private key of the service station, and the third key being generated according to the DH protocol from the second private key of the service station and the second intermediate parameter; the service station generates an authentication vector from the vector key, the authentication vector comprising a message authentication code, an authentication response, a confidentiality key, an integrity key and a network authentication token; it generates a third message comprising the fourth random parameter and the authentication vector, encrypts at least part of the third message with the third key and produces a third authentication code, and sends the third message, including the third authentication code, to client B;
client B obtains the third message, decrypts it, verifies the third authentication code, parses and stores the authentication vector, generates a fourth message comprising the network authentication token and sends the fourth message to client A;
client A obtains the fourth message, generates the vector key and computes from it the message authentication code, the authentication response, the confidentiality key and the integrity key of the authentication vector; after the computed message authentication code has been compared with the one carried in the network authentication token and found to match, client A generates a fourth authentication code from the integrity key and the authentication response, generates a fifth message comprising the authentication response and the fourth authentication code encrypted with the confidentiality key, and sends the fifth message to client B;
client B obtains the fifth message, decrypts it, compares the received authentication response with the stored authentication response and produces a comparison result; if the two authentication responses are equal, client B trusts the confidentiality key as the session key and the integrity key as the authentication key; client B generates a fifth authentication code from the comparison result and the integrity key, generates a sixth message comprising the fifth authentication code and the comparison result encrypted with the confidentiality key, and sends the sixth message to client A;
client A obtains the sixth message, decrypts it and reads the comparison result; if the comparison result is true, client A trusts the confidentiality key as the session key and the integrity key as the authentication key.
In one embodiment, the service station comprises a service station Qa and a service station Qb, client A being a sub-device of service station Qa and client B being a sub-device of service station Qb;
service station Qb obtains the second message from client B, wherein the second key is generated by client B according to the DH protocol from the first private key of client B and the first public key of service station Qb; the first message further comprises the device parameter of service station Qa, and the first key is generated by client A according to the DH protocol from the first private key of client A and the first public key of service station Qa; after decrypting the second message and verifying the second authentication code, service station Qb obtains a first inter-station key for encrypted communication with service station Qa, generates a first inter-station message comprising the device parameter of service station Qb, the first message and the first random parameter, encrypts the first inter-station message with the first inter-station key and sends it to service station Qa;
after service station Qa has obtained and decrypted the first inter-station message and verified the first authentication code, it generates the vector key from the first intermediate parameter and the first private key of service station Qa, the vector key being used to generate the authentication vector; it obtains a second inter-station key for encrypted communication with service station Qb, generates a second inter-station message comprising the authentication vector, encrypts the second inter-station message with the second inter-station key and sends it to service station Qb;
after service station Qb has obtained, decrypted and verified the second inter-station message, it generates the fourth random parameter, generates a fifth key from the second intermediate parameter and the first private key of service station Qb, and generates a seventh message comprising the fourth random parameter and the second inter-station message, at least part of the seventh message being encrypted with the fifth key; and sends the seventh message to client B;
the seventh message being used by client A and client B to complete AKA authentication.
In one embodiment, client A and client B are each configured with a client key card that stores a service station public key pool together with the client's own public key and private key; the service station is configured with a service station key card that stores a client public key pool containing the public key of each client, and a service station private key pool.
Also disclosed herein is a client device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, carries out the steps of the quantum communication service station AKA key agreement method of the above technical solution.
Also disclosed herein is a service station device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, carries out the steps of the quantum communication service station AKA key agreement method of the above technical solution.
Also disclosed herein is a quantum communication service station AKA key agreement system based on asymmetric key pool pairs and the DH protocol, comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, carries out the steps of the quantum communication service station AKA key agreement method of the above technical solution. Client A and client B are each configured with a client key card that stores a service station public key pool together with the client's own public key and private key; the service station is configured with a service station key card that stores a client public key pool containing the public key of each client, and a service station private key pool.
In a specific implementation scenario each parameter may take various concrete forms. For example, the first random parameter may be the true random number R0 and the second random parameter the true random number R1, and so on; the first intermediate parameter may be the true random number xa and the second intermediate parameter the true random number xb; the first key may be the key K1 and the second key the key K2, and so on. Each parameter is essentially a character string generated by a device; the parameters only play different roles during AKA and are named differently for ease of understanding.
The specific implementation process is illustrated below by usage scenario.
Embodiment 1: client A and client B are under the same service station Q
System description
The scenario of this embodiment is shown in Fig. 3, which includes client A, client B and a quantum communication service station Q, referred to as service station Q. Client A and client B are each equipped with a client key card, and service station Q is equipped with a service station key card. These key cards belong to the same batch issued by the same key management server. Let the ID of client A be IDA, with corresponding public key PKA and private key SKA; let the ID of client B be IDB, with corresponding public key PKB and private key SKB.
The process by which a client and the quantum communication service station agree on a key is as follows:
the client or the quantum communication service station applies a specific asymmetric key pointer function Fp to a key-pointer random number rand to obtain an asymmetric key pointer P, and uses the pointer P to extract the corresponding public or private key from the service station public key pool or the service station private key pool in its key card.
Step 1: client B initiates an identity authentication request to client A
Client B uses the random number generator in its local key card to generate a true random number R0. Let M0 = R0; client B sends M0 to client A as the identity authentication request.
Step 2: client A responds to the request
On receipt, client A uses the random number generator in its local key card to generate two true random numbers xa and R1, where xa lies in the range [1, p-1]. Client A computes $Xa = g^{xa} \bmod p$. Using R1, client A takes the public key PKQ1 out of the service station public key pool in its local key card (see the key agreement process above). Client A takes its own private key SKA and computes $K1 = PKQ1^{SKA} \bmod p$, and splits K1 into an encryption key EK1 and a message authentication key AK1. Let M1_0 = Xa. Client A computes the message authentication code MAC(M1_0 || R0, AK1) over M1_0 || R0 with AK1, where MAC(m, k) denotes the message authentication code of message m under key k; including R0 in the authenticated data binds the response to client B's challenge. Client A then encrypts M1_0 || MAC(M1_0 || R0, AK1) with EK1 to obtain {M1_0 || MAC(M1_0 || R0, AK1)}EK1.
Client A assembles the message M1 = IDA || IDQ || R1 || {M1_0 || MAC(M1_0 || R0, AK1)}EK1 and sends M1 to client B.
Step 3: client B requests an authentication vector from quantum communication service station Q
Client B receives M1 and parses it to obtain IDA, IDQ, R1 and {M1_0 || MAC(M1_0 || R0, AK1)}EK1. Client B uses the random number generator in its local key card to generate two true random numbers xb and R2, where xb lies in the range [1, p-1]. Using R2, client B takes the public key PKQ2 out of the service station public key pool in its local key card (see the key agreement process above), takes its own private key SKB and computes $K2 = PKQ2^{SKB} \bmod p$, then splits K2 into an encryption key EK2 and a message authentication key AK2. Client B computes $Xb = g^{xb} \bmod p$. Let M2_0 = M1 || IDB || R0 || Xb; client B computes the message authentication code MAC(M2_0, AK2) over M2_0 with AK2 and encrypts M2_0 || MAC(M2_0, AK2) with EK2 to obtain {M2_0 || MAC(M2_0, AK2)}EK2.
Client B assembles the message M2 = IDB || R2 || {M2_0 || MAC(M2_0, AK2)}EK2 and sends the authentication vector request M2 to service station Q.
Step 4: quantum communication service station Q returns the authentication vector
Service station Q receives M2 and parses it to obtain IDB, R2 and {M2_0 || MAC(M2_0, AK2)}EK2. Using R2, service station Q takes the private key SKQ2 out of the service station private key pool in its local key card (see the key agreement process above), and using IDB takes the public key PKB of client B out of the client public key pool. Service station Q computes $K2 = PKB^{SKQ2} \bmod p$ and splits K2 into the encryption key EK2 and the message authentication key AK2.
Service station Q decrypts {M2_0 || MAC(M2_0, AK2)}EK2 with EK2 to obtain M2_0 and MAC(M2_0, AK2), and verifies the message authentication code with AK2. If verification passes, it proceeds to the next step; otherwise AKA authentication fails.
After verification, service station Q parses M2_0 to obtain M1 || IDB || R0 || Xb. From IDA and IDQ in M2_0, service station Q determines that client A is a terminal device in its own group.
Service station Q parses M1 to obtain IDA, IDQ, R1 and {M1_0 || MAC(M1_0 || R0, AK1)}EK1 (R0 itself was obtained from M2_0). Using R1, service station Q takes the private key SKQ1 out of the service station private key pool in its local key card (see the key agreement process above), and using IDA takes the public key PKA of client A out of the client public key pool in its local key card. Service station Q computes $K1 = PKA^{SKQ1} \bmod p$ and splits K1 into the encryption key EK1 and the message authentication key AK1. Service station Q decrypts {M1_0 || MAC(M1_0 || R0, AK1)}EK1 with EK1 to obtain M1_0 and MAC(M1_0 || R0, AK1), and verifies MAC(M1_0 || R0, AK1) with AK1.
After verification, service station Q uses the random number generator in its local key card to generate a true random number Ra, and using Ra takes the private key SKQa out of the service station private key pool in its local key card. Service station Q computes the key $K = Xa^{SKQa} \bmod p$. K is used to compute the authentication vector below, following the AKA authentication technique:
message authentication code (MAC): $MAC = F1_K(Xa \| Ra \| AMF)$;
expected authentication response (XRES): $XRES = F2_K(Xa \| Ra)$;
confidentiality key (CK): $CK = F3_K(Xa \| Ra)$;
integrity key (IK): $IK = F4_K(Xa \| Ra)$;
network authentication token (AUTN): $AUTN = Ra \| AMF \| MAC$;
and these are assembled into the authentication vector $AV = XRES \| CK \| IK \| AUTN$.
Service station Q uses the random number generator in its local key card to generate a true random number R3, and using R3 takes the private key SKQ3 out of the service station private key pool in its local key card (see the key agreement process above). Service station Q computes $K3 = Xb^{SKQ3} \bmod p$ and splits K3 into an encryption key EK3 and a message authentication key AK3.
Service station Q computes the message authentication code MAC(AV, AK3) over the authentication vector AV, encrypts AV || MAC(AV, AK3) with EK3 to obtain {AV || MAC(AV, AK3)}EK3, and sends M3 = R3 || {AV || MAC(AV, AK3)}EK3 to client B.
Step 5: client B issues the authentication challenge
On receipt, client B uses R3 to take the public key PKQ3 out of the service station public key pool in its local key card (see the key agreement process above), computes $K3 = PKQ3^{xb} \bmod p$ and splits K3 into the encryption key EK3 and the message authentication key AK3. Client B decrypts {AV || MAC(AV, AK3)}EK3 with EK3 to obtain AV || MAC(AV, AK3) and verifies the message authentication code MAC(AV, AK3) with AK3. After verification, client B parses AV to obtain XRES || CK || IK || AUTN and retains XRES || CK || IK in its local secure storage area. Let M4 = AUTN; client B sends M4 to client A.
Step 6: client A returns the authentication response
On receipt, client A uses Ra (carried in AUTN) to take the public key PKQa out of the service station public key pool in its local key card (see the key agreement process above) and computes $K = PKQa^{xa} \bmod p$. With K, client A computes:
$XMAC = F1_K(Xa \| Ra \| AMF)$;
$RES = F2_K(Xa \| Ra)$;
$CK = F3_K(Xa \| Ra)$;
$IK = F4_K(Xa \| Ra)$.
Client A compares XMAC with the MAC in AUTN; if they are identical it proceeds to the next step, otherwise authentication fails. After the check passes, client A computes the message authentication code MAC(RES, IK) over RES with IK, and encrypts RES || MAC(RES, IK) with CK to obtain {RES || MAC(RES, IK)}CK. Let M5 = {RES || MAC(RES, IK)}CK; client A sends M5 to client B.
Step 7: client B verifies client A's authentication response
On receipt, client B decrypts M5 with CK to obtain RES || MAC(RES, IK) and verifies the message authentication code MAC(RES, IK) with IK. If verification passes, client B checks whether RES equals its locally stored XRES. If so, REP = OK; otherwise REP = FAIL.
Client B runs the message authentication algorithm over REP with IK to obtain the message authentication code MAC(REP, IK) and encrypts REP || MAC(REP, IK) with CK to obtain M6 = {REP || MAC(REP, IK)}CK. Client B sends M6 to client A. Client A decrypts and authenticates M6 with CK and IK and parses out the authentication result REP.
Authentication is complete: client A and client B share the session key, namely the encryption key CK and the message authentication key IK.
Embodiment 2: client A and client B belong to different service stations QA and QB
System description
The scenario of this embodiment is shown in Figure 3. It comprises client A, client B, quantum communication service station QA and quantum communication service station QB, abbreviated service station QA and service station QB. Client A and client B are each equipped with a client key card; quantum communication service stations QA and QB are each equipped with a service station key card. Client A belongs to quantum communication service station QA and client B belongs to quantum communication service station QB. Let the ID of client A be IDA, with public key PKA and private key SKA; let the ID of client B be IDB, with public key PKB and private key SKB.
The key agreement process between a client and a quantum communication service station is as follows:
The client or the quantum communication service station applies the agreed asymmetric key pointer function Fp to the key indicator random number rand to obtain the asymmetric key pointer P, and uses the pointer P to extract the corresponding public key or private key from the service station public key pool or the service station private key pool in its key card.
Step 1: client B initiates an identity authentication request to client A
Client B generates a true random number R0 with the random number generator in its local key card. Let M0 = R0; client B sends M0 to client A as the identity authentication request.
Step 2: client A responds to the request
On receipt, client A generates two true random numbers xa and R1 with the random number generator in its local key card, where xa lies in the range [1, p-1]. Client A computes Xa = g^xa mod p. Using R1, client A takes the public key PKQA1 from the service station public key pool of its local key card (see the key agreement process above). Client A takes its own private key SKA and the public key PKQA1 and computes K1 = PKQA1^SKA mod p, then splits K1 into an encryption key EK1 and a message authentication key AK1. Let M1_0 = Xa. Client A runs the message authentication computation over M1_0 || R0 with the message authentication key AK1 to obtain MAC(M1_0 || R0, AK1), where MAC(m, k) denotes the message authentication code of message m under key k. Client A encrypts M1_0 || MAC(M1_0 || R0, AK1) with the encryption key EK1 to obtain {M1_0 || MAC(M1_0 || R0, AK1)}EK1.
Client A assembles the message M1 = IDA || IDQA || R1 || {M1_0 || MAC(M1_0 || R0, AK1)}EK1 and sends M1 to client B.
Step 3: client B requests the authentication vector from quantum communication service station QB
On receipt, client B parses the message into IDA, IDQA, R1 and {M1_0 || MAC(M1_0 || R0, AK1)}EK1. Client B generates two true random numbers xb and R2 with the random number generator in its local key card, where xb lies in the range [1, p-1]. Using R2, client B takes the public key PKQB2 from the service station public key pool of its local key card (see the key agreement process above). Client B takes its own private key SKB and the public key PKQB2 and computes K2 = PKQB2^SKB mod p, then splits K2 into an encryption key EK2 and a message authentication key AK2. Client B computes Xb = g^xb mod p. Let M2_0 = M1 || IDB || R0 || Xb; client B runs the message authentication computation over M2_0 with the message authentication key AK2 to obtain MAC(M2_0, AK2) and encrypts M2_0 || MAC(M2_0, AK2) with the encryption key EK2 to obtain {M2_0 || MAC(M2_0, AK2)}EK2.
Client B assembles the message M2 = IDB || R2 || {M2_0 || MAC(M2_0, AK2)}EK2 and sends the authentication vector request M2 to quantum communication service station QB.
Step 4: quantum communication service station QB forwards the request to quantum communication service station QA
On receipt, service station QB parses the message into IDB, R2 and {M2_0 || MAC(M2_0, AK2)}EK2. Using R2, service station QB takes the private key SKQB2 from the service station private key pool of its local key card (see the key agreement process above), and using IDB it takes the public key PKB of client B from the client public key pool. Service station QB computes K2 = PKB^SKQB2 mod p and splits K2 into the encryption key EK2 and the message authentication key AK2.
Service station QB decrypts {M2_0 || MAC(M2_0, AK2)}EK2 with the encryption key EK2 to obtain M2_0 and MAC(M2_0, AK2) and verifies the message authentication code with the message authentication key AK2. If verification passes it proceeds to the next step; otherwise AKA authentication fails.
After verification passes, service station QB parses M2_0 into M1 || IDB || R0 || Xb. Service station QB negotiates an encryption key EK3' and a message authentication key AK3' with service station QA by quantum key distribution. Let M3' = IDQB || M1 || R0; service station QB runs the message authentication computation over M3' with AK3' to obtain MAC(M3', AK3') and encrypts M3' || MAC(M3', AK3') with the encryption key EK3' to obtain {M3' || MAC(M3', AK3')}EK3'.
Service station QB sends {M3' || MAC(M3', AK3')}EK3' to service station QA, which it identifies from the IDQA contained in M2_0.
Step 5: quantum communication service station QA returns the authentication vector
On receipt, service station QA decrypts {M3' || MAC(M3', AK3')}EK3' with the negotiated EK3' to obtain M3' || MAC(M3', AK3') and verifies the message authentication code MAC(M3', AK3') with AK3'. After verification passes, service station QA parses M3' into IDQB, IDA, IDQA, R1, R0 and {M1_0 || MAC(M1_0 || R0, AK1)}EK1. Using R1, service station QA takes the private key SKQA1 from the service station private key pool of its local key card (see the key agreement process above), and using IDA it takes the public key PKA of client A from the client public key pool of its local key card. Service station QA computes K1 = PKA^SKQA1 mod p and splits K1 into the encryption key EK1 and the message authentication key AK1. Service station QA decrypts {M1_0 || MAC(M1_0 || R0, AK1)}EK1 with EK1 to obtain M1_0 and MAC(M1_0 || R0, AK1) and authenticates MAC(M1_0 || R0, AK1) with AK1.
After verification passes, service station QA generates a true random number Ra with the random number generator in its local key card and uses Ra to take the private key SKQAa from the service station private key pool of its local key card. Service station QA computes the key K = Xa^SKQAa mod p. The key K is used for the vector computation below, which follows the AKA authentication technique:
Compute the message authentication code (MAC): MAC = F1_K(Xa || Ra || AMF);
Compute the expected authentication response (XRES): XRES = F2_K(Xa || Ra);
Compute the confidentiality key (CK): CK = F3_K(Xa || Ra);
Compute the integrity key (IK): IK = F4_K(Xa || Ra);
Network authentication token (AUTN): AUTN = Ra || AMF || MAC;
Concatenating these gives the authentication vector AV = M4' = XRES || CK || IK || AUTN. Service station QA and service station QB negotiate an encryption key EK4' and a message authentication key AK4'. Service station QA runs the message authentication algorithm over M4' to obtain the message authentication code MAC(M4', AK4'), encrypts M4' || MAC(M4', AK4') with the encryption key EK4' to obtain {M4' || MAC(M4', AK4')}EK4', and sends it to service station QB.
Step 6: quantum communication service station QB forwards the authentication vector
On receipt, service station QB decrypts {M4' || MAC(M4', AK4')}EK4' with EK4' to obtain M4' || MAC(M4', AK4') and verifies the message authentication code MAC(M4', AK4') with AK4'. After verification passes, service station QB generates a true random number R3 with the random number generator in its local key card and uses R3 to take the private key SKQB3 from the service station private key pool of its local key card (see the key agreement process above). Service station QB computes K5 = Xb^SKQB3 mod p and splits K5 into an encryption key EK5 and a message authentication key AK5.
Service station QB runs the message authentication algorithm over M4' to obtain the message authentication code MAC(M4', AK5), encrypts M4' || MAC(M4', AK5) with the encryption key EK5 to obtain {M4' || MAC(M4', AK5)}EK5, and sends M5' = R3 || {M4' || MAC(M4', AK5)}EK5 to client B.
Step 7: client B issues the authentication challenge
On receipt, client B uses R3 to take the public key PKQB3 from the service station public key pool of its local key card (see the key agreement process above) and computes K5 = PKQB3^xb mod p, which it splits into the encryption key EK5 and the message authentication key AK5. Client B decrypts {M4' || MAC(M4', AK5)}EK5 with EK5 to obtain M4' || MAC(M4', AK5) and verifies the message authentication code MAC(M4', AK5) with AK5. After verification passes, client B parses M4' into XRES || CK || IK || AUTN and keeps XRES || CK || IK in its local secure storage area. Let M6' = AUTN; client B sends M6' to client A.
Step 8: client A returns the authentication response
On receipt, client A uses Ra (taken from AUTN = Ra || AMF || MAC) to take the public key PKQAa from the service station public key pool of its local key card (see the key agreement process above) and computes K = PKQAa^xa mod p. With K, client A computes:
XMAC = F1_K(Xa || Ra || AMF);
RES = F2_K(Xa || Ra);
CK = F3_K(Xa || Ra);
IK = F4_K(Xa || Ra);
Client A compares XMAC with the MAC contained in AUTN. If they are equal, it proceeds to the next step; otherwise authentication fails. After the check passes, client A runs the message authentication algorithm over RES with IK to obtain the message authentication code MAC(RES, IK) and encrypts RES || MAC(RES, IK) with CK to obtain {RES || MAC(RES, IK)}CK. Let M7 = {RES || MAC(RES, IK)}CK; client A sends M7 to client B.
Step 9: client B verifies client A's authentication response
On receipt, client B decrypts M7 with CK to obtain RES || MAC(RES, IK) and verifies the message authentication code MAC(RES, IK) with IK. If verification passes, client B checks whether RES equals its locally stored XRES. If so, REP = OK; otherwise REP = FAIL.
Client B runs the message authentication algorithm over REP with IK to obtain the message authentication code MAC(REP, IK) and encrypts REP || MAC(REP, IK) with CK to obtain M8 = {REP || MAC(REP, IK)}CK. Client B sends M8 to client A. Client A decrypts and authenticates M8 with CK and IK and parses out the authentication result REP.
Authentication is complete: client A and client B share the session key, namely the encryption key CK and the message authentication key IK.
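The following Python simulation is an added example and is not code from the patent. It runs the nine messages of embodiment 2 end to end (both service stations, the key-pointer lookup Fp into the asymmetric key pools described at the start of this embodiment, the QKD-protected hop between QA and QB, and the AKA challenge/response of steps 7 to 9), which is also the exchange of embodiment 1 steps 4 to 7 once a single station plays both the QA and QB roles and the inter-station hop is removed. Everything the patent leaves open is an assumption chosen for illustration: a 64-bit toy DH group (p = 2^64 - 59, g = 2), HMAC-SHA256 for MAC(m, k) and for F1..F4, a SHA-256 counter keystream standing in for the unnamed cipher, SHA-256 derivation of EK and AK from K, eight keys per pool, fixed field sizes so that `||` can be parsed by slicing, and a random shared string in place of the QKD-negotiated EK3'/AK3' and EK4'/AK4'.

```python
import hashlib
import hmac
import os

# Toy parameters, chosen for illustration only; the patent fixes none of them.
P = 0xFFFFFFFFFFFFFFC5   # 2**64 - 59 is prime, far too small for real use
G = 2
POOL = 8                 # entries per asymmetric key pool (assumption)
AMF = b"\x80\x00"        # authentication management field (assumption)

def i2b(x): return x.to_bytes(8, "big")
def b2i(b): return int.from_bytes(b, "big")
def rnd(): return os.urandom(16)                        # stand-in for the key card's true RNG
def dh_exp(): return b2i(os.urandom(8)) % (P - 1) + 1   # exponent in [1, p-1], as in step 2
def mac(key, msg): return hmac.new(key, msg, hashlib.sha256).digest()   # MAC(msg, key), 32 bytes
def fp(r): return b2i(hashlib.sha256(r).digest()[:8]) % POOL   # key pointer function Fp (assumption)
def F(n, K, data): return mac(hashlib.sha256(bytes([n]) + i2b(K)).digest(), data)   # F1..F4 (assumption)

def enc(key, msg):
    """Stand-in stream cipher (SHA-256 counter keystream): {msg}key in the patent's notation."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(msg) // 32 + 1))
    return bytes(a ^ b for a, b in zip(msg, ks))
dec = enc

def split(k):
    """Split a shared secret K into (EK, AK); the patent only says 'split' (assumption)."""
    k = k if isinstance(k, bytes) else i2b(k)
    return hashlib.sha256(b"EK" + k).digest(), hashlib.sha256(b"AK" + k).digest()

def seal(ek, ak, payload, aad=b""):
    """{payload || MAC(payload || aad, ak)}ek; aad is data the MAC covers but that is not sent."""
    return enc(ek, payload + mac(ak, payload + aad))

def open_mac(ek, ak, blob, aad=b""):
    """Decrypt with ek and verify the trailing MAC under ak; any failure aborts the AKA run."""
    pt = dec(ek, blob)
    if not hmac.compare_digest(mac(ak, pt[:-32] + aad), pt[-32:]):
        raise ValueError("message authentication failed")
    return pt[:-32]

class Station:
    def __init__(self, sid):
        self.id, self.priv = sid, [dh_exp() for _ in range(POOL)]   # ID, service station private key pool
        self.pub = [pow(G, sk, P) for sk in self.priv]   # service station public key pool (copied to key cards)
        self.clients = {}                                # client public key pool, keyed by client ID

class Client:
    def __init__(self, cid, station):
        self.id, self.sk = cid, dh_exp()
        station.clients[cid] = pow(G, self.sk, P)        # PKA / PKB registered at the home station
        self.pub_pool = station.pub                      # station public key pool held in the client key card

def run_aka(A, B, QA, QB, qkd):
    """Embodiment 2: A belongs to QA, B to QB; qkd stands in for the QKD link between QA and QB."""
    R0 = rnd()                                                   # step 1: B -> A
    xa, R1 = dh_exp(), rnd()                                     # step 2: A -> B
    Xa = i2b(pow(G, xa, P))
    EK1, AK1 = split(pow(A.pub_pool[fp(R1)], A.sk, P))           # K1 = PKQA1^SKA mod p
    M1 = A.id + QA.id + R1 + seal(EK1, AK1, Xa, aad=R0)          # IDA||IDQA||R1||{Xa||MAC(Xa||R0,AK1)}EK1
    xb, R2 = dh_exp(), rnd()                                     # step 3: B -> QB
    EK2, AK2 = split(pow(B.pub_pool[fp(R2)], B.sk, P))           # K2 = PKQB2^SKB mod p
    M2_0 = M1 + B.id + R0 + i2b(pow(G, xb, P))                   # M1 || IDB || R0 || Xb
    M2 = B.id + R2 + seal(EK2, AK2, M2_0)
    K2s = pow(QB.clients[M2[:4]], QB.priv[fp(M2[4:20])], P)      # step 4: QB, K2 = PKB^SKQB2 mod p
    M2_0 = open_mac(*split(K2s), M2[20:])
    M1r, R0r, Xb = M2_0[:64], M2_0[68:84], M2_0[84:92]
    M3 = open_mac(*split(qkd + b"3"), seal(*split(qkd + b"3"), QB.id + M1r + R0r))   # QB -> QA under EK3'/AK3'
    M1r, R0r = M3[4:68], M3[68:84]                               # step 5: QA
    EK1, AK1 = split(pow(QA.clients[M1r[:4]], QA.priv[fp(M1r[8:24])], P))   # K1 = PKA^SKQA1 mod p
    Xa_r = open_mac(EK1, AK1, M1r[24:], aad=R0r)                 # verifies MAC(Xa || R0, AK1)
    Ra = rnd()
    K = pow(b2i(Xa_r), QA.priv[fp(Ra)], P)                       # vector key K = Xa^SKQAa mod p
    AUTN = Ra + AMF + F(1, K, Xa_r + Ra + AMF)
    AV = F(2, K, Xa_r + Ra) + F(3, K, Xa_r + Ra) + F(4, K, Xa_r + Ra) + AUTN   # XRES || CK || IK || AUTN
    AVr = open_mac(*split(qkd + b"4"), seal(*split(qkd + b"4"), AV))   # QA -> QB under EK4'/AK4'
    R3 = rnd()                                                   # step 6: QB -> B
    M5 = R3 + seal(*split(pow(b2i(Xb), QB.priv[fp(R3)], P)), AVr)   # K5 = Xb^SKQB3 mod p
    AVb = open_mac(*split(pow(B.pub_pool[fp(M5[:16])], xb, P)), M5[16:])   # step 7: K5 = PKQB3^xb mod p
    XRES, CK_b, IK_b, M6 = AVb[:32], AVb[32:64], AVb[64:96], AVb[96:]   # B keeps XRES||CK||IK, sends AUTN
    Ra_r, amf, mac_r = M6[:16], M6[16:18], M6[18:]               # step 8: A checks AUTN
    K_a = pow(A.pub_pool[fp(Ra_r)], xa, P)                       # K = PKQAa^xa mod p
    if not hmac.compare_digest(F(1, K_a, Xa + Ra_r + amf), mac_r):
        raise ValueError("network authentication failed: XMAC != MAC")
    RES, CK_a, IK_a = (F(n, K_a, Xa + Ra_r) for n in (2, 3, 4))
    M7 = seal(CK_a, IK_a, RES)                                   # {RES || MAC(RES, IK)}CK
    REP = b"OK" if hmac.compare_digest(open_mac(CK_b, IK_b, M7), XRES) else b"FAIL"   # step 9: B -> A
    M8 = seal(CK_b, IK_b, REP)
    return open_mac(CK_a, IK_a, M8), CK_a == CK_b and IK_a == IK_b

def demo():
    QA, QB = Station(b"IDQA"), Station(b"IDQB")
    A, B = Client(b"IDA_", QA), Client(b"IDB_", QB)
    return run_aka(A, B, QA, QB, os.urandom(32))   # -> (b'OK', True)
```

`demo()` returns the REP that client A reads out of M8 together with a check that both clients ended with the same CK and IK. Two points worth noticing while reading it: the random numbers R1, R2, R3 and Ra never carry key material, they only select which pool entry each side uses, so the key card pools must stay in sync for Fp to land on matching public and private keys; and the MAC in M1 covers R0 without sending it again, which is what ties client A's reply to client B's fresh request. Any MAC mismatch or a wrong XMAC raises a ValueError, matching the "otherwise authentication fails" branches of the steps above.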
For the specific definitions of the client A device, the client B device, the service station Q device and the system, refer to the definitions given above for the quantum communication service station authentication method; they are not repeated here. Each module in the devices above may be implemented wholly or partly in software, in hardware, or in a combination of the two. Each module may be embedded in hardware in, or independent of, the processor of a computer device, or stored in software in the memory of a computer device, so that the processor can call it and execute the operation corresponding to that module.
In one embodiment a computer device is provided, which may be service station Q; its internal structure may be as shown in Figure 1. The computer device comprises a processor, a memory, a network interface and a database connected by a system bus. The processor of the computer device provides computing and control capability. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides the environment in which the operating system and the computer program in the non-volatile storage medium run. The database of the computer device stores data related to authentication. The network interface of the computer device communicates with external terminals over a network. When the computer program is executed by the processor, it implements a quantum communication service station AKA key agreement method based on an asymmetric key pool pair and the DH protocol.
The quantum communication service station AKA key agreement method based on an asymmetric key pool pair and the DH protocol as implemented in client A, as implemented in the service station and as implemented in client B, as set out in the claims, follows from the specific steps of the technical solution disclosed above and is therefore not repeated here.
Those skilled in the art will understand that the structure shown in Figure 1 is only a block diagram of the part of the structure relevant to the present solution and does not limit the computer device to which the present solution is applied; a specific computer device may comprise more or fewer components than shown, combine certain components, or have a different arrangement of components.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the embodiments above can be carried out by a computer program instructing the relevant hardware. The computer program can be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the embodiments of the methods above. Any reference to memory, storage, a database or another medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or an external cache. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the embodiments above may be combined arbitrarily. For brevity, not all possible combinations of the technical features of the embodiments above are described, but any combination of these technical features that contains no contradiction should be regarded as within the scope of this specification.
The embodiments above express only several implementations of the present application and are described in relatively specific detail, but they are not to be construed as limiting the scope of the patent. It should be noted that those of ordinary skill in the art can make various modifications and improvements without departing from the concept of the present application, and these fall within the scope of protection of the present application. The scope of protection of the present application patent is therefore governed by the appended claims.
Claims (10)
1. A quantum communication service station AKA key agreement method based on an asymmetric key pool pair and the DH protocol, implemented in client A, characterised in that the quantum communication service station AKA key agreement method comprises:
after obtaining a first random parameter generated by client B, generating a second random parameter, a first intermediate parameter and a first key, the first key being generated according to the DH protocol from the first private key of client A and the first public key of the service station; generating a first message, the first message comprising the first intermediate parameter, the device parameter of client A, the device parameter of the service station and the second random parameter, at least part of the content of the first message being encrypted with the first key and carrying a first authentication code; sending the first message comprising the first authentication code to client B;
obtaining a fourth message from client B comprising a network authentication token, the network authentication token being computed by the service station with a vector key, the vector key being generated from the first intermediate parameter and the first private key of the service station; generating the vector key and computing the message authentication code, authentication response, confidentiality key and integrity key of the authentication vector; after comparing the message authentication code with the network authentication token and passing, generating a fourth authentication code from the integrity key and the authentication response, and generating a fifth message, the fifth message comprising the authentication response and the fourth authentication code encrypted with the confidentiality key; sending the fifth message to client B;
obtaining a sixth message from client B, the sixth message comprising a fifth authentication code and a comparison result encrypted with the confidentiality key, the fifth authentication code being generated by client B from the integrity key and the comparison result, and the comparison result being generated after client B compares the authentication response with the authentication response stored by client B; decrypting and reading the comparison result, and if the comparison result is true, trusting the confidentiality key as the session key and the integrity key as the authentication key.
2. A quantum communication service station AKA key agreement method based on an asymmetric key pool pair and the DH protocol, implemented in a service station, characterised in that the quantum communication service station AKA key agreement method comprises:
obtaining a second message from client B, the second message comprising a first message, the device parameter of client B, a first random parameter, a second intermediate parameter and a third random parameter, at least part of the content of the second message being encrypted with a second key and carrying a second authentication code; the first message comprising a first intermediate parameter, the device parameter of client A, the device parameter of the service station and a second random parameter, at least part of the content of the first message being encrypted with a first key and carrying a first authentication code; wherein the second random parameter and the first intermediate parameter are generated by client A, the first key is generated by client A according to the DH protocol from the first private key of client A and the first public key of the service station, the second key is generated according to the DH protocol from the first private key of client B and the second public key of the service station, and the third random parameter, the first random parameter and the second intermediate parameter are generated by client B;
decrypting and verifying in turn the second authentication code and the first authentication code, then generating a vector key, a fourth random parameter and a third key, the vector key being generated from the first intermediate parameter and the first private key of the service station, and the third key being generated according to the DH protocol from the second private key of the service station and the second intermediate parameter; generating an authentication vector with the vector key, the authentication vector comprising a message authentication code, an authentication response, a confidentiality key, an integrity key and a network authentication token; generating a third message, the third message comprising the fourth random parameter and the authentication vector, at least part of the content of the third message being encrypted with the third key and carrying a third authentication code; sending the third message comprising the third authentication code to client B;
the authentication vector being used by client A and client B to complete AKA authentication.
3. A quantum communication service station AKA key agreement method based on an asymmetric key pool pair and the DH protocol, implemented in client B, characterised in that the quantum communication service station AKA key agreement method comprises:
generating a first random parameter and sending the first random parameter to client A;
obtaining a first message from client A, the first message comprising a first intermediate parameter, the device parameter of client A, the device parameter of the service station and a second random parameter, at least part of the content of the first message being encrypted with a first key and carrying a first authentication code; wherein the second random parameter and the first intermediate parameter are generated by client A, and the first key is generated by client A according to the DH protocol from the first private key of client A and the first public key of the service station; after decryption, generating a second intermediate parameter, a third random parameter and a second key, the second key being generated according to the DH protocol from the first private key of client B and the second public key of the service station; generating a second message, the second message comprising the first message, the device parameter of client B, the first random parameter, the second intermediate parameter and the third random parameter, at least part of the content of the second message being encrypted with the second key and carrying a second authentication code; sending the second message comprising the second authentication code to the service station;
obtaining a third message from the service station, the third message comprising a fourth random parameter and an authentication vector, at least part of the content of the third message being encrypted with a third key and carrying a third authentication code, the third key being generated by the service station according to the DH protocol from the second private key of the service station and the second intermediate parameter, the authentication vector being generated by the service station with a vector key and comprising a message authentication code, an authentication response, a confidentiality key, an integrity key and a network authentication token, and the vector key being generated from the first intermediate parameter and the first private key of the service station; after decrypting and verifying the third authentication code, parsing and storing the authentication vector, generating a fourth message comprising the network authentication token and sending the fourth message to client A;
obtaining a fifth message from client A, the fifth message comprising an authentication response and a fourth authentication code encrypted with the confidentiality key, wherein the fourth authentication code is generated by client A from the integrity key and the authentication response, and the authentication response, confidentiality key and integrity key are generated by client A with the vector key; after decryption, comparing the authentication response with the stored authentication response and generating a comparison result, and if the two authentication responses are equal, trusting the confidentiality key as the session key and the integrity key as the authentication key; generating a fifth authentication code from the comparison result and the integrity key; generating a sixth message, the sixth message comprising the fifth authentication code and the comparison result encrypted with the confidentiality key; and sending the sixth message to client A.
4. A quantum communication service station AKA key agreement method based on an asymmetric key pool pair and the DH protocol, characterised in that the quantum communication service station AKA key agreement method comprises:
client B generating a first random parameter and sending the first random parameter to client A;
client A, after obtaining the first random parameter generated by client B, generating a second random parameter, a first intermediate parameter and a first key, the first key being generated according to the DH protocol from the first private key of client A and the first public key of the service station; generating a first message, the first message comprising the first intermediate parameter, the device parameter of client A, the device parameter of the service station and the second random parameter, at least part of the content of the first message being encrypted with the first key and carrying a first authentication code; sending the first message comprising the first authentication code to client B;
client B obtaining the first message and, after decryption, generating a second intermediate parameter, a third random parameter and a second key, the second key being generated according to the DH protocol from the first private key of client B and the second public key of the service station; generating a second message, the second message comprising the first message, the device parameter of client B, the first random parameter, the second intermediate parameter and the third random parameter, at least part of the content of the second message being encrypted with the second key and carrying a second authentication code; sending the second message comprising the second authentication code to the service station;
the service station obtaining the second message, decrypting and verifying in turn the second authentication code and the first authentication code, then generating a vector key, a fourth random parameter and a third key, the vector key being generated from the first intermediate parameter and the first private key of the service station, and the third key being generated according to the DH protocol from the second private key of the service station and the second intermediate parameter; generating an authentication vector with the vector key, the authentication vector comprising a message authentication code, an authentication response, a confidentiality key, an integrity key and a network authentication token; generating a third message, the third message comprising the fourth random parameter and the authentication vector, at least part of the content of the third message being encrypted with the third key and carrying a third authentication code; sending the third message comprising the third authentication code to client B;
client B obtaining the third message, decrypting and verifying the third authentication code, then parsing and storing the authentication vector, generating a fourth message comprising the network authentication token and sending the fourth message to client A;
client A obtaining the fourth message, generating the vector key and computing the message authentication code, authentication response, confidentiality key and integrity key of the authentication vector; after comparing the message authentication code with the network authentication token and passing, generating a fourth authentication code from the integrity key and the authentication response, and generating a fifth message, the fifth message comprising the authentication response and the fourth authentication code encrypted with the confidentiality key; sending the fifth message to client B;
client B obtaining the fifth message and, after decryption, comparing the authentication response with the stored authentication response and generating a comparison result, and if the two authentication responses are equal, trusting the confidentiality key as the session key and the integrity key as the authentication key; generating a fifth authentication code from the comparison result and the integrity key; generating a sixth message, the sixth message comprising the fifth authentication code and the comparison result encrypted with the confidentiality key; sending the sixth message to client A;
client A obtaining the sixth message, decrypting and reading the comparison result, and if the comparison result is true, trusting the confidentiality key as the session key and the integrity key as the authentication key.
5. The quantum communication service station AKA key negotiation method of any one of claims 1 to 4, wherein the service station comprises a service station Qa and a service station Qb, client A is a sub-device of service station Qa, and client B is a sub-device of service station Qb;
Service station Qb obtains the second message from client B, wherein the second key is generated by client B according to the DH protocol from client B's first private key and service station Qb's first public key; the first message further includes the device parameters of service station Qa, and the first key is generated by client A according to the DH protocol from client A's first private key and service station Qa's first public key;
After decrypting and verifying the second authentication code, service station Qb obtains a first inter-station key for encrypted communication with service station Qa and generates a first inter-station message, which includes the device parameters of service station Qb, the first message and the first random parameter; it encrypts the first inter-station message with the first inter-station key and sends it to service station Qa;
After service station Qa obtains, decrypts and verifies the first authentication code, it generates the vector key from the first intermediate parameter and service station Qa's first private key, the vector key being used to generate the authentication vector; it obtains a second inter-station key for encrypted communication with service station Qb, generates a second inter-station message comprising the authentication vector, encrypts the second inter-station message with the second inter-station key and sends it to service station Qb;
After service station Qb obtains, decrypts and verifies it, it generates a fourth random parameter, generates a fifth key from the second intermediate parameter and service station Qb's first private key, and generates a seventh message comprising the fourth random parameter and the second inter-station message, at least part of the seventh message being encrypted with the fifth key; the seventh message is sent to client B;
The seventh message is used by client A and client B to complete AKA authentication.
6. The quantum communication service station AKA key negotiation method of any one of claims 1 to 4, wherein client A and client B are each configured with a client key card in which a service station public key pool, the client's own public key and the client's own private key are stored; the service station is configured with a service station key card in which a client public key pool comprising each client's public key and a service station private key pool are stored.
7. A client device comprising a memory and a processor, the memory storing a computer program, wherein the processor, when executing the computer program, implements the steps of the quantum communication service station AKA key negotiation method of claim 1.
8. A service station device comprising a memory and a processor, the memory storing a computer program, wherein the processor, when executing the computer program, implements the steps of the quantum communication service station AKA key negotiation method of claim 2.
9. A client device comprising a memory and a processor, the memory storing a computer program, wherein the processor, when executing the computer program, implements the steps of the quantum communication service station AKA key negotiation method of claim 3.
10. A quantum communication service station AKA key negotiation system based on an asymmetric key pool pair and the DH protocol, comprising a memory and a processor, the memory storing a computer program, wherein the processor, when executing the computer program, implements the steps of the quantum communication service station AKA key negotiation method of claim 4; client A and client B are each configured with a client key card in which a service station public key pool, the client's own public key and the client's own private key are stored; the service station is configured with a service station key card in which a client public key pool comprising each client's public key and a service station private key pool are stored.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910591318.4A CN110535632B (en) | 2019-07-02 | 2019-07-02 | Quantum communication service station AKA key negotiation method and system based on asymmetric key pool pair and DH protocol |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110535632A true CN110535632A (en) | 2019-12-03 |
CN110535632B CN110535632B (en) | 2023-09-05 |
Family
ID=68659607
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910591318.4A Active CN110535632B (en) | 2019-07-02 | 2019-07-02 | Quantum communication service station AKA key negotiation method and system based on asymmetric key pool pair and DH protocol |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110535632B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110167272A1 (en) * | 2010-01-06 | 2011-07-07 | Kolesnikov Vladimir Y | Secure Multi-UIM aka key exchange |
CN108599925A (en) * | 2018-03-20 | 2018-09-28 | 如般量子科技有限公司 | Improved AKA identity authentication system and method based on a quantum communication network |
CN108599926A (en) * | 2018-03-20 | 2018-09-28 | 如般量子科技有限公司 | Improved HTTP-Digest AKA identity authentication system and method based on a symmetric key pool |
CN108718237A (en) * | 2018-03-20 | 2018-10-30 | 如般量子科技有限公司 | Improved AKA identity authentication system and method based on a symmetric key pool |
CN109450623A (en) * | 2018-10-16 | 2019-03-08 | 如般量子科技有限公司 | Anti-quantum-computing key negotiation method based on an asymmetric key pool |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111314856A (en) * | 2020-02-13 | 2020-06-19 | 广州爱浦路网络技术有限公司 | Hierarchical examination and tracking device and method for 5G user position information service |
CN111314856B (en) * | 2020-02-13 | 2020-12-15 | 广州爱浦路网络技术有限公司 | Hierarchical examination and tracking device and method for 5G user position information service |
Also Published As
Publication number | Publication date |
---|---|
CN110535632B (en) | 2023-09-05 |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |