CN110690960A - Routing service method and device of relay node - Google Patents

Routing service method and device of relay node

Info

Publication number
CN110690960A
Authority
CN
China
Prior art keywords
node
virtual
relay node
relay
routing
Legal status
Granted
Application number
CN201910819447.4A
Other languages
Chinese (zh)
Other versions
CN110690960B (en)
Inventor
陈晖�
Current Assignee
Chengdu Liangan Block Chain Technology Co Ltd
Original Assignee
Chengdu Liangan Block Chain Technology Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B10/00 Transmission systems employing electromagnetic waves other than radio-waves, e.g. infrared, visible or ultraviolet light, or employing corpuscular radiation, e.g. quantum communication
    • H04B10/29 Repeaters
    • H04B10/70 Photonic quantum communication
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0852 Quantum cryptography
    • H04L9/0855 Quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 ... using cryptographic hash functions
    • H04L9/3239 ... using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/3247 ... involving digital signatures
    • H04L9/3263 ... involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 ... involving certificates, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates

Abstract

The invention provides a routing service method of a relay node, which comprises the following steps: selecting m nodes which are associated with n relay links and adjacent to the relay node, respectively negotiating a shared key by the relay node and two associated adjacent nodes for each relay link, calculating an exclusive or value of the two shared keys and creating an identifier; or the relay node negotiates a shared key with each node in m adjacent nodes respectively, selects two associated shared keys from the m shared keys for each relay link, calculates the exclusive or value of the two shared keys and creates an identifier; the relay node sends the n exclusive-or values and the corresponding identifiers thereof to the target receiver. The invention also provides a relay node function virtualization device, which comprises: the system comprises a transceiver, a data processing unit and a node virtualization unit. The invention can solve the problem of the routing concurrency conflict of the relay node and the problem of the safety management of the relay node, and has good application and popularization prospects.

Description

Routing service method and device of relay node
Technical Field
The invention relates to the technical field of relay node systems of quantum networks and application, in particular to a routing service method and a routing service device of a relay node.
Background
Because practical quantum communication relay technology in which the key does not land at (is not stored in plaintext by) intermediate nodes is still lacking, quantum trusted relay technology is typically employed in Quantum Key Distribution (QKD) networks. However, in the disclosed quantum trusted relay schemes the trusted relay suffers bottlenecks such as relay link concurrency conflicts and large delay, and because the relayed quantum key lands at the quantum relay node, security rests on the security and trustworthiness of every quantum relay node participating in the trusted relay. That is, on the one hand the quantum relay node has problems such as concurrent conflicts and large delay on the quantum relay link, and on the other hand the security management of the quantum relay node is difficult. Virtualizing or electronizing the function of the quantum relay node is an effective, innovative way to solve these problems.
Disclosure of Invention
The invention provides a routing service method of a relay node, which comprises the following steps: a relay node in a target network receives a virtualization instruction, and m adjacent nodes which are associated with n relay links indicated by the virtualization instruction and are adjacent to the relay node are selected (wherein n is an integer larger than 0, and m is an integer larger than 1); executing: for each relay link, a relay node and two associated adjacent nodes respectively negotiate a shared key group, calculate the exclusive or value of the two shared key groups and create a corresponding identifier; or, performing: the relay node negotiates a shared key group with each node in the m adjacent nodes respectively, selects two corresponding shared key groups from the m shared key groups for each relay link, calculates the exclusive or value of the two shared key groups and creates corresponding identifiers; the relay node sends the n xor values and their corresponding identifiers to the destination receiver indicated by the virtualization instruction (for convenience, the xor values are hereinafter referred to as a virtual node routing state data, the identifiers are hereinafter referred to as virtual node routing state identifiers, and the xor values and their identifiers are hereinafter referred to as a virtual node routing state), wherein the destination network includes, but is not limited to, any of the following options: quantum key distribution network, quantum communication network, quantum sensing network, quantum security internet; the virtual node routing state identification includes but is not limited to: global identification, and route identification of a previous associated neighboring node and a next associated neighboring node connecting the current relay node and the current relay node (or, the current relay node identification, the identification of the first neighboring node, and the identification of the second neighboring node).
Optionally, the method further includes: after the n virtual node routing states are completed, destroying all shared key groups used for creating the n virtual node routing states, or, after all virtual node routing state data needing to participate in calculation of one shared key group are completed, destroying the shared key group.
Optionally, the method further includes: a node identifier is created for the n virtual node routing states (for convenience, the n virtual node routing states and their corresponding node identifiers are hereinafter referred to as a virtual relay node state, and the node identifiers are referred to as virtual relay node state identifiers), or, further, the n virtual node routing states and their node identifiers are packaged as a data file.
Optionally, the method further comprises any one or both of: (1) before a virtual node routing state is established, a global identification is obtained, and the method for obtaining the global identification comprises the steps of determining the current global identification according to a virtualization instruction issued by a network controller or determining the current global identification according to the last global identification; (2) before the virtual node routing state is created, the target relay node and the associated adjacent node confirm the negotiated shared key packet and the global identifier of the virtual node routing state used for creation, and if the associated adjacent node of the target relay node is the relay node or the virtual relay node, the target relay node and the associated adjacent node respectively use the negotiated shared key packet for creating the virtual node routing state with the same global identifier.
Optionally, the method further includes: the relay node reports its topology information to a network controller or the target receiver and receives a virtualization instruction issued by the network controller or the target receiver, wherein the topology information includes the identifier of the relay node and the link state between the relay node and each associated adjacent node; the virtualization instruction indicates any one or more of the following: relay link information, the data format of the shared key packet, the data structure of the virtual node routing state, the global identifier, the identifier of the target receiver and the data transmission mode, wherein the relay link information comprises the number of relay links and the associated relay nodes, and the global identifier is used to distinguish different relay links.
Optionally, the method further includes: and performing identity authentication with the associated adjacent node or/and the network controller, wherein the identity authentication comprises: CA certificate based authentication or initial root key based authentication.
Optionally, the method further includes: storing the n virtual node routing states (or the virtual relay node state); the storage comprises any one or more of the following options: local storage, cloud storage and server-side storage. Local storage comprises: storing the virtual node routing state (or virtual relay node state) in a memory of the relay node device (where the memory includes but is not limited to a local memory or a network storage space), and sending the virtual node routing state identifier (or virtual relay node state identifier) to the server;
cloud storage comprises: storing the virtual node routing state (or virtual relay node state) in a cloud storage space; server-side storage comprises: sending the virtual node routing state (or virtual relay node state) to one or more servers for storage.
The invention also provides a routing service device of the relay node, which includes but is not limited to:
the transceiver is used for reporting the topology information of the quantum relay node to a network controller or a server and receiving a virtualization instruction sent by the network controller or the server;
a data processing unit configured to negotiate a shared key packet with a neighboring node, and further configured to perform: selecting m neighbor nodes associated with the n relay links indicated by the virtualization instruction and adjacent to the relay node (where n is an integer greater than 0 and m is an integer greater than 1); further, performing: for each relay link, the relay node negotiates a shared key with two associated neighboring nodes, calculates an exclusive or value of the two shared keys and creates a corresponding identifier, or performs: the relay node negotiates a shared key with each node in the m adjacent nodes respectively, selects two associated shared keys from the m shared keys for each relay link, calculates the exclusive or value of the two shared keys and creates a corresponding identifier;
the node virtualization unit is used for creating a virtual node routing state or/and a virtual relay node state, and is used for storing and outputting the virtual node routing state and/or the virtual relay node state;
wherein the virtual node routing state comprises: the exclusive-or value of the shared key packets between the target relay node and two associated neighboring nodes, together with its corresponding identifier; the virtual relay node state comprises: some or all of the virtual node routing states of the target relay node associated with the n relay links, together with the corresponding identifiers of those virtual node routing states; the virtualization instruction indicates any one or more of the following: relay link information, the data format of the shared key, the data structure of the virtual node routing state, the global identifier, the identifier of the target receiver and the data transmission mode; the topology information includes, but is not limited to: the identifier of the relay node and the link status between the relay node and each associated neighboring node.
Optionally, the apparatus further comprises: the QKD module is used for negotiating a shared quantum key with an adjacent quantum node and inputting the shared quantum key into the data processing unit; the QKD module includes: one or more QKD receivers or/and transmitters capable of quantum key distribution with a respective QKD transmitter or/and receiver of a neighboring node; wherein the QKD receiver or/and transmitter includes any one or more of the following options: a discrete variable QKD receiver or/and a discrete variable transmitter, a continuous variable QKD receiver or/and a continuous variable QKD transmitter, a discrete variable QKD receiver or/and a continuous variable transmitter, a continuous variable QKD receiver or/and a discrete variable QKD transmitter.
Optionally, the apparatus further comprises any one or more of the following units:
the storage unit is used for storing the routing state of the virtual node and/or the state of the virtual relay node;
the identity authentication module is used for authentication of the relay node virtualization application device when it accesses the quantum network and for identity authentication between the relay node virtualization application device and the associated adjacent node or/and the server, wherein the authentication comprises: CA certificate based authentication and initial root key based authentication; the cryptographic management module is used for encrypting and decrypting data, digital signing and calculating integrity check values;
the access control module is used for identifying the received control instruction and the received virtualization instruction, responding to a legal instruction or rejecting an illegal instruction, wherein the identification method comprises the following steps: verifying the digital signature of the received instruction, if the digital signature passes the verification, judging the digital signature as a legal instruction, and otherwise, judging the digital signature as an illegal instruction;
the illegal power-on protection module is used for automatically destroying all cached data if the system is powered on without authorization or the chassis is opened without authorization;
the private key protection module is used for protecting the initial root key or/and the private key for digital signature from being illegally accessed or exported;
and the relay node virtual mapping module is used for application management of the virtual node routing state and the virtual relay node state, and for sending the virtual node routing state or the virtual relay node state to the server and to the receiver indicated by the virtualization instruction, according to the virtualization instruction of the network controller or the server.
Optionally, the apparatus further includes a logic isolation module, which divides the relay node virtualization application apparatus into a security domain unit and a public domain unit; wherein the security domain unit comprises the data processing unit and optionally further the QKD module or/and the cryptographic management module; the public domain unit comprises the transceiver and the node virtualization module.
Compared with the conventional QKD node used for trusted relay and its application method, the invention has the following notable innovation and practicality: it virtualizes or electronizes the relay node function and separates the relay service from the relay link, which can solve the large-scale relay routing concurrency conflicts and relay delay present in the target network; and the relay node in the invention does not store the key, which reduces the security management risk of the node and gives good application and popularization prospects.
Drawings
Fig. 1 is a schematic diagram of a routing service method of a relay node according to an embodiment of the present invention;
fig. 2 is a schematic diagram illustrating a method for negotiating a shared key packet according to an embodiment of the present invention;
fig. 3 is a schematic diagram illustrating another method for negotiating a shared key packet according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a shared key group identifier according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a virtual node routing state identifier according to an embodiment of the present invention;
fig. 6 is a schematic diagram of a virtual relay node status identifier according to an embodiment of the present invention;
fig. 7 is a schematic diagram of a relay node application provided in the embodiment of the present invention;
fig. 8 is a schematic diagram of a virtual relay node state according to an embodiment of the present invention;
fig. 9 is a schematic diagram of a routing service apparatus of a relay node according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention and some terms and meanings thereof will be described below.
(1) Target networks to which embodiments of the present invention are applicable include, but are not limited to, any of the following networks: quantum key distribution network, quantum communication network, quantum sensing network, quantum security internet, other networks which adopt a point-to-point single-hop landing forwarding mode for relay transmission; accordingly, the relay node and the adjacent target node in the embodiments of the present invention include, but are not limited to, any one or more of the following nodes: quantum relay nodes, quantum service nodes (or quantum access nodes), virtual quantum relay nodes, virtual quantum service nodes. The relay node in the embodiment of the present invention is suitable for, but not limited to, a relay node that accesses a target network through an optical fiber interface and a wireless interface (or a free space interface).
(2) The virtualization in the embodiment of the invention is the electronization or instantiation of the relay node function, and the electronized or instantiated data can be used by being separated from the physical network to which the relay node belongs.
(3) The relay node of the embodiment of the invention is a node used as a relay in a target network, or a node which has at least two adjacent nodes on one or more relay links and is used as a relay, wherein the relay node does not store a key which is negotiated between the relay node and the adjacent nodes and is used for function virtualization of the relay node; serving nodes (or access nodes) refer to other nodes in the target network that are not used for relaying or are not used directly for relaying (in some possible designs, serving nodes may be used for relaying through virtual nodes); in addition, for a specific embodiment of the present invention, the corresponding target network includes the relay node and the serving node included in the above embodiment.
(4) The communication channels involved in embodiments of the invention for quantum networks include quantum channels and conventional communication network channels, wherein conventional communication network channels are employed for other communication processes except that quantum key distribution between adjacent quantum nodes (an adjacent quantum node refers to two nodes capable of point-to-point QKD or quantum communication) requires occupation of a quantum channel or link, and include, but are not limited to, one or more of wired communication and wireless/mobile/satellite communication channels.
(5) The terms "virtual node routing status", "virtual relay node status", etc. used in the present invention are only used for marking the corresponding data or file, and are not used for limiting the corresponding data or file, and all schemes that are merely replacing names and have no substantive difference belong to the protection scope of the present invention.
(6) The shared key packet in the present invention is shared key data of a certain data length. Because different application systems have different requirements on the length of the shared key and the rates of point-to-point QKD links differ, the invention does not specifically limit the data length of the shared key packet; obviously the data length is counted in the same data unit (e.g., bit, byte). In practice, the data length of the shared key packet (e.g., 2048 bits, 100 KB, 10 MB, 1 GB, or any other data length that meets the requirements of the system) may be determined according to the key generation rate of the QKD system actually used, the specific requirements of the application system, or future industry standard requirements. It should be clear that the shared key packet has the same data format (including but not limited to data type, data length, and data read/write sequence) for each application process of the same embodiment.
(7) The global identifier in the embodiment of the invention is an identifier which is kept consistent by all nodes in a target network, namely, before the virtual node routing state is established, a target relay node and an adjacent target node confirm the negotiated shared key group and the global identifier of the virtual node routing state used for establishment, the target relay node and the adjacent target relay node respectively use the negotiated shared key group for establishing the virtual node routing state or/and the virtual relay node state with the same global identifier, and the group identifier of the corresponding shared key group stored by the adjacent target service node is consistent with the global identifier; the global identifier may be used to distinguish different target networks, may also be used to distinguish different embodiments in the target network, may adopt a global number unified over the whole network, and may also adopt an identifier combining the target network identifier and the global number.
In order to make the technical solutions and advantages of the present invention clearer, the present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a schematic diagram of a routing service method of a relay node according to an embodiment of the present invention, which includes the following steps:
s101: receiving a virtualization instruction issued by a network controller, and selecting m adjacent nodes which are associated with n relay links indicated by the virtualization instruction and adjacent to the relay node (wherein n is an integer greater than 0, and m is an integer greater than 1; it should be noted that an adjacent node is an adjacent node which can normally distribute quantum keys with a target relay node, and if a quantum key distribution link between the relay node and a certain adjacent node is abnormal or broken, the adjacent quantum node is not used as a target quantum node adjacent to the relay node);
s102: for each relay link, a relay node and two associated adjacent nodes respectively negotiate a shared key group, calculate the exclusive or value of the two shared key groups and create a corresponding identifier; or, the relay node negotiates a shared key group with each node of the m adjacent nodes, selects two associated shared key groups from the m shared key groups for each relay link, calculates an exclusive or value of the two shared key groups, and creates a corresponding identifier;
s103: the relay node sends the n xor values and their corresponding identifiers to the intended recipients indicated by the virtualization instruction (for convenience, the xor values are hereinafter referred to as a virtual node routing state data, the identifiers are hereinafter referred to as virtual node routing state identifiers, and the xor values and their identifiers are hereinafter referred to as a virtual node routing state).
Further, the embodiment further includes destroying all shared key packets used for creating the n virtual node routing states after the n virtual node routing states are completed, or destroying the shared key packets after all virtual node routing state data that one shared key packet needs to participate in the calculation are completed.
Further, in a possible design, a node identifier is created for the n virtual node routing states (for convenience, the n virtual node routing states and their corresponding node identifiers are hereinafter referred to as a virtual relay node state, and the node identifiers are referred to as virtual relay node state identifiers); or, further, the routing states of the n virtual nodes and the node identifications thereof are encapsulated into a data file, the data file includes but is not limited to a data list file or a database file, and a certain required routing state or routing states of some virtual nodes can be quickly acquired by accessing the data file.
In the above embodiment, the step S102 of negotiating a shared key group may adopt a real-time sharing method or a pre-caching method; the real-time sharing method comprises the following steps: the relay node negotiates a certain amount of shared quantum keys with adjacent target nodes, and the certain amount of shared quantum keys are used as a shared quantum key group; alternatively, as shown in fig. 2, an exemplary method for negotiating a shared quantum key packet according to an embodiment of the present invention includes:
s201: the target node negotiates a certain amount of shared quantum keys with adjacent target nodes;
s202: the target node and the adjacent target node respectively divide the shared quantum key into one or more groups by adopting the same data format, and carry out randomness test on each group by adopting the same randomness test method;
s203: taking a group passing the randomness test as a shared quantum key group and creating a group identifier;
the precaching method includes (as shown in fig. 3, another schematic diagram of a method for negotiating a shared quantum key packet according to an embodiment of the present invention):
s301: the target node negotiates a certain amount of shared quantum keys with adjacent target nodes;
s302: respectively dividing the shared quantum key into one or more groups by adopting the same data format, performing randomness test on each group by adopting the same randomness test method, caching each group which passes the randomness test and respectively creating a group identifier;
s303: negotiating with the adjacent target node to select, from the cached packets on each side, the packet with the same packet number as the shared quantum key packet.
Negotiating a certain amount of shared quantum keys includes, but is not limited to: negotiating keys with a plurality of adjacent target nodes in sequence, simultaneously negotiating keys with a plurality of adjacent target nodes, or negotiating keys with the corresponding adjacent target nodes according to a virtualization instruction, wherein the key negotiation may occupy the whole bandwidth of the key negotiation channel or only part of it.
In one possible design, negotiating a shared key packet may further include a consistency check, where the consistency check includes: the relay node and the adjacent target node each calculate a data digest or Hash value of their copy of the shared quantum key group; if the two digests or Hash values differ, the consistency check fails and the packet is renegotiated; otherwise, the consistency check passes and the shared quantum key packet is successfully negotiated.
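The pre-caching method (S301 to S303) together with the consistency check, as an added worked example that is not part of the patent text: both sides split the same QKD output into groups of the same format, run the same randomness test, number the groups alike, pick a common group number and compare digests. The group length (32 bytes), the monobit test standing in for a real randomness suite, SHA-256 as the digest and the node IDs ID_R and ID_A are assumptions; both sides are simulated in one process.

```python
import hashlib
from dataclasses import dataclass

# Parameters assumed for this illustration (the patent leaves them to the system):
# group length in bytes and the tolerance of the stand-in randomness test.
GROUP_LEN = 32
MONOBIT_TOLERANCE = 0.1


@dataclass(frozen=True)
class KeyGroup:
    """A cached shared quantum key group: group identifier plus the key data."""
    group_number: int
    node_id: str    # ID of the node holding this copy
    peer_id: str    # ID of the adjacent target node
    data: bytes

    def digest(self) -> str:
        """Check information used by the consistency check (SHA-256 assumed)."""
        return hashlib.sha256(self.data).hexdigest()


def monobit_test(group: bytes, tolerance: float = MONOBIT_TOLERANCE) -> bool:
    """Minimal randomness test: the fraction of 1-bits must lie within 1/2 +/- tolerance.
    A stand-in for whatever test both nodes agree to run; a real deployment would use a
    full statistical suite, but the flow around it is the same."""
    ones = sum(bin(b).count("1") for b in group)
    return abs(ones / (8 * len(group)) - 0.5) <= tolerance


def cache_groups(raw_key: bytes, node_id: str, peer_id: str) -> dict:
    """S302 on one side: split the negotiated key into fixed-length groups, test each,
    and cache those that pass under a group number. The number advances for rejected
    groups too, so the two sides (running this on the same key) number groups alike."""
    cached = {}
    for number, offset in enumerate(range(0, len(raw_key) - GROUP_LEN + 1, GROUP_LEN)):
        chunk = raw_key[offset:offset + GROUP_LEN]
        if monobit_test(chunk):
            cached[number] = KeyGroup(number, node_id, peer_id, chunk)
    return cached


def consistency_check(mine: KeyGroup, theirs: KeyGroup) -> bool:
    """Both sides hash their copy and compare; different digests mean renegotiate."""
    return mine.group_number == theirs.group_number and mine.digest() == theirs.digest()


def negotiate_shared_key_group(raw_key_r: bytes, raw_key_a: bytes):
    """S301-S303 plus consistency check between relay node R and neighbour A.

    raw_key_r / raw_key_a are the two sides' copies of the QKD output (supplied by the
    QKD module in a real node; constructed by the caller here). Returns (R's group,
    A's group) for the lowest group number both sides cached and agree on, or None
    when every candidate fails, i.e. a fresh negotiation is needed.
    """
    cache_r = cache_groups(raw_key_r, "ID_R", "ID_A")
    cache_a = cache_groups(raw_key_a, "ID_A", "ID_R")
    for number in sorted(cache_r.keys() & cache_a.keys()):   # S303: same group number
        if consistency_check(cache_r[number], cache_a[number]):
            return cache_r[number], cache_a[number]
    return None


# Constructed "QKD output" whose groups have predictable 1-bit fractions: groups 0 and 7
# fail the monobit test, groups 1 to 6 pass. Real QKD output would be random bytes.
CONSTRUCTED_RAW_KEY = bytes(range(256))
```

With the constructed input, an identical copy on both sides yields group 1; a copy of A's side corrupted inside group 1 fails the consistency check and the negotiation moves on to group 2.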
Further, on the basis of the embodiment shown in fig. 1, a new embodiment is obtained by adding any one or more of the following steps:
(A1) before a virtual node routing state is established, a global identifier is obtained, and the method for obtaining the global identifier comprises the steps of determining the current global identifier according to a virtualization instruction of a network controller or determining the current global identifier according to the last global identifier;
(A2) before the virtual node routing state is established, the target relay node and the adjacent target node confirm the negotiated shared key group and the global identifier of the virtual node routing state used for establishment, and the target relay node and the adjacent target relay node respectively use the negotiated shared key group for establishing the virtual node routing state with the same global identifier;
(A3) creating a virtual relay node, wherein the virtual relay node is used for storing and outputting management of a virtual node routing state or/and a virtual relay node state, and sending the virtual node routing state or the virtual relay node state to a server or a target receiving party indicated by the server instruction according to the instruction of the server;
(A4) adding identity authentication, namely, performing identity authentication with a neighboring target node or/and a server, wherein the identity authentication comprises: CA certificate-based authentication or initial root key-based authentication;
(A5) the target relay node reports topology information of the relay node to a network controller or a server, where the topology information includes but is not limited to: the identification of the target relay node, and the link state between the target relay node and each adjacent target node;
(A6) the target relay node receives a virtualization instruction issued by the network controller or the server, where the virtualization instruction is used to indicate any one or more of the following: relay link information, the data format of the shared key packet, the data structure of the virtual node routing state, the global identification, the identification of the target receiver and the data transmission mode, wherein the relay link information includes but is not limited to the number of relay links and the associated relay nodes, and the global identification is used for distinguishing different relay links. It is clear that the global identifier may be used to distinguish different target networks and different embodiments in the target network, and may adopt a global number unified over the whole network, or adopt an identifier combining the target network identifier and the global number; the data structure of the virtual node routing state comprises the content of the virtual node routing state identifier and the ordering relation thereof adopted in one embodiment; the identification of the target receiver is used for determining the receiver; the data transmission mode is used for determining whether an encryption mode or a non-encryption mode is adopted.
It is obvious that a new embodiment having the same application properties as the method of the invention can be obtained by recombining the above-described method steps. Therefore, methods based on simple combinations of the above method steps and content adaptation fall within the scope of the present invention.
The shared quantum key packet in the above embodiment includes but is not limited to: group identification, shared quantum key data (shared quantum key with group length); the shared quantum key grouping identification can adopt: grouping number, ID of current relay node, and ID of adjacent target node; equivalently, the current relay node ID and the adjacent target node ID may be replaced with the link identifications of the current relay node and the adjacent target node; wherein, the ID can also adopt other identifiers which can uniquely identify the corresponding nodes; the packet number may be a local number or a global number, in which case, when a certain shared quantum key packet is used to create a virtual node routing state, the corresponding local number is changed to the global number of the corresponding virtual node routing state. On the basis of the data structure of the shared quantum key packet, a new quantum key packet embodiment can be obtained by adding any one or more of the following content options: data format, check information and time stamp, wherein the check information can be data digest (or Hash value) or MAC code of the shared quantum key packet; the content of the data format includes, but is not limited to, any one or any plurality of the following: data type (e.g., using binary, 16-ary storage), data length, and data read and write order.
Further, as an example, fig. 4 shows a schematic diagram of a data structure of a shared key packet according to one possible embodiment of the present invention, that is, the data structure includes: grouping number, current relay node ID, adjacent node ID, data length, check information and quantum key data; the data length may be the data length of the quantum key data, or the data length of the entire shared quantum key packet; the check information may be a quantum key data digest (or Hash value) or a MAC code.
The virtual node routing state in the above embodiments includes, but is not limited to: virtual node routing state identification, virtual node routing state data (i.e., the exclusive or value of the shared quantum key packet between the current relay node and the two adjacent destination nodes). Fig. 5 is a schematic diagram of a virtual node routing state identifier provided in an embodiment of the present invention, where the content of the virtual node routing state identifier includes, but is not limited to: global number, current relay node ID1, neighbor node ID2, neighbor node ID3 (or link identifications of last and next neighbor target nodes connecting the current relay node with the current relay node).
The content of the virtual relay node status identifier in the above embodiment includes (as shown in fig. 6, which is a schematic diagram of a virtual relay node status identifier provided in the embodiment of the present invention): global number, current relay node ID1, number of virtual node routing states, where the number of virtual node routing states can be calculated from the number of neighboring destination nodes, and therefore the number of virtual node routing states can be replaced with the number of neighboring destination nodes and a new embodiment is obtained.
On the basis of the embodiments shown in fig. 5 and 6, a number of new embodiments can be obtained by adding any one or any number of the following options:
the local identification is used for distinguishing a plurality of virtual node routing states with the same global identification or/and distinguishing a plurality of virtual relay node states with the same global identification;
checking information, wherein the checking information is used for checking the integrity of the routing state data of the virtual node or/and the routing state of the virtual node, and includes but is not limited to a data abstract, a Hash value or an MAC code of corresponding data;
digitally signing, namely digitally signing the routing state of the virtual node or/and the state of the virtual relay node by adopting a digital signature algorithm;
the timestamp is used for recording the creation time of the routing state of the virtual node or/and the state of the virtual relay node;
the data digest (or Hash value) of the current virtual node routing state or/and the virtual relay node state, the data digest (or Hash value) of the last virtual node routing state or/and the virtual relay node state, or the data digest (or Hash value) of the current and last virtual node routing states or/and the virtual relay node state.
Further, in one possible design, the above-described private key for digital signature cannot be illegally accessed or derived.
Further, in a possible design, the relay node in the above embodiment stores the n virtual node routing statuses, or/and stores the virtual relay node statuses; storage includes, but is not limited to, any one or more of the following options: local storage, cloud storage and server storage; the local storage method includes but is not limited to: storing the virtual node routing state or/and the virtual relay node state in a memory of the relay node device (wherein the memory comprises but is not limited to a local memory or a network memory space), and sending the virtual node routing state identification or/and the virtual relay node state identification to the server; cloud storage methods include, but are not limited to: storing a virtual node routing state (or virtual node routing state data) or/and a virtual relay node state on a cloud storage space; server-side storage includes, but is not limited to: and sending the routing state of the virtual node or/and the state of the virtual relay node to one or more servers for storage.
The sending or outputting in the above embodiments includes, but is not limited to, any one or both of the following options: real-time output and passive response output; among these, real-time output includes but is not limited to: outputting the created virtual node routing state or/and the virtual relay node state to a memory of the relay node equipment or/and a third party server or/and a target receiver indicated by the virtualization instruction in real time; passive response outputs include, but are not limited to: and outputting the virtual node routing state or/and the virtual relay node state with the specific number to a memory of the relay node device or/and a third party server or/and a target receiver indicated by the virtualization instruction according to the virtualization instruction.
Further, in one possible design, the sending or outputting in the above embodiment is an encrypted transmission, including, but not limited to, any one or more of the following options: the encryption transmission is carried out by adopting a symmetric cryptographic algorithm, the encryption transmission is carried out by adopting an asymmetric cryptographic algorithm, and the encryption transmission is carried out by adopting a tunnel mode or a transmission mode of VPN.
The target recipient in the above embodiments may include, but is not limited to, any one or any plurality of the following options: the system comprises a network management device, a network virtualization management device, a service node device, a cloud storage service device and a block chain accounting node device.
The method of the present invention is further described below with respect to a relay node having 4 neighboring nodes (e.g., in the relay node application diagram of fig. 7 provided in the embodiment of the present invention, the relay node R has 4 neighboring nodes A, B, C and D). As shown in fig. 8, assuming that one virtualization instruction indicates target neighboring nodes A, B and C associated with 2 relay links (e.g., the 2 relay links need to employ routes A-R-B and A-R-C), then relay node R negotiates with A, B and C, using the methods described above, the shared quantum key groupings Kra (or two different shared quantum key groupings Kra1 and Kra2), Krb and Krc, respectively; 2 virtual node routing states are generated from these shared quantum key packets (the virtual relay node state diagram of fig. 8 provided by the embodiment of the present invention includes virtual node routing states VRS0 and VRS1), wherein the virtual relay node state identifier (i.e., the node identifier in fig. 8) includes an ID identifier 801 of the target relay node (i.e., ID_R), a global number 802 (i.e., 000123), the number 803 of virtual node routing states (i.e., 2), a data length 804 (i.e., 2 × 1MB, the data length of each virtual node routing state being 1MB) and a data type 805 (i.e., 16-ary), and each virtual node routing state (i.e., the state data in fig. 8) includes an ID identifier 806 of the target relay node, an ID identifier 807 of the first neighboring node, an ID identifier 808 of the second neighboring node, virtual node routing state data 809, a data digest 810 of the virtual node routing state data, and a local number 811.
The specific process comprises the following steps: the relay node R negotiates a shared key group with A, B and C respectively by adopting a real-time sharing method or a pre-caching method, wherein the real-time sharing method comprises the following steps: negotiating a shared key with an adjacent node in real time, and processing the shared key into a shared key group by adopting a key preprocessing method, for example: negotiating a 1MB key, and taking the key as a shared key group after creating a group identifier and integrity check information; the pre-caching method comprises the following steps: negotiating with the adjacent node about the shared key, processing the shared key into one or more shared key groups by using a key preprocessing method, caching the shared key groups, and negotiating with the adjacent node about selecting one shared key group with the same group number from the cached shared key groups. For example: negotiating a 10MB key at a time, dividing the key into 10 groups, respectively carrying out randomness tests, and respectively creating a group identifier and integrity check information for each group passing the randomness tests;
obtaining the global number of the current virtual node routing state (802 in fig. 8); R negotiates a shared quantum key packet with each of A, B and C (Kra, Krb and Krc, respectively); R creates 2 virtual node routing states, i.e., VRS0 = (0, ID_R, ID_A, ID_B, Kra ⊕ Krb, Hash(Kra ⊕ Krb)) and VRS1 = (1, ID_R, ID_A, ID_C, Kra ⊕ Krc, Hash(Kra ⊕ Krc)); R destroys Kra, Krb and Krc; R sends VRS0 and VRS1 to the target receiver indicated by the virtualization instruction; optionally, R encapsulates VRS0 and VRS1 together with the node identifier as a virtual relay node state data file.
In one possible design, the virtual relay node state shown in fig. 8 may be packaged as a database file, from which global number 802 and local number 811 may uniquely determine a virtual node routing state.
In one possible design, if the relay node negotiates a shared key packet with two associated neighboring nodes for each of the relay links (e.g., using Kra1 and Kra2, Krb, and Krc as described above), calculates an exclusive-or value of the two shared key packets, and creates a corresponding identifier, the virtual node routing state data for the corresponding VRS0 is Kra1 ⊕ Krb, and the virtual node routing state data for the VRS1 is Kra2 ⊕ Krc.
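The fig. 8 scenario carried through in code, as an added example that is not part of the patent: relay node R builds VRS0 and VRS1 from its copies of Kra, Krb and Krc, destroys the key groups, and a neighbour holding its own copy of one group recovers the other one from the XOR value. The 16-byte key groups, SHA-256 as the digest 810 and the ID strings are constructed assumptions; the same function also covers the one-group-per-link design (Kra1 and Kra2) by passing separate key objects per link.

```python
import hashlib
from dataclasses import dataclass

# Constructed key material for the fig. 7/8 scenario (relay node R with neighbours
# A, B, C). Real shared key groups are QKD output (e.g. 1 MB); 16 bytes suffice here.
KRA = bytes.fromhex("00112233445566778899aabbccddeeff")
KRB = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
KRC = bytes.fromhex("fedcba9876543210ffeeddccbbaa9988")
GLOBAL_NUMBER = "000123"   # global number 802 in fig. 8


@dataclass(frozen=True)
class VirtualNodeRoutingState:
    """One virtual node routing state: identifier fields of fig. 5 plus data and digest."""
    global_number: str
    local_number: int          # 811: distinguishes states sharing a global number
    relay_id: str              # 806
    first_neighbor_id: str     # 807
    second_neighbor_id: str    # 808
    data: bytes                # 809: shared key group 1 XOR shared key group 2
    digest: str                # 810: Hash(data); SHA-256 assumed here


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shared key groups must have the same data length")
    return bytes(x ^ y for x, y in zip(a, b))


def destroy(key_group: bytearray) -> None:
    """Overwrite a shared key group in place once it has served its purpose."""
    for i in range(len(key_group)):
        key_group[i] = 0


def create_routing_states(relay_id: str, global_number: str, relay_links: list) -> list:
    """S102/S103 for all relay links.

    relay_links: list of (first_id, first_key, second_id, second_key) where the keys are
    bytearrays holding R's copy of the shared key group negotiated with that neighbour.
    Passing the same bytearray object for two links models fig. 8 (Kra reused for
    A-R-B and A-R-C); passing Kra1/Kra2 models the one-group-per-link design.
    Every key group is destroyed after the last state that needs it is computed.
    """
    states = []
    for local_number, (id1, key1, id2, key2) in enumerate(relay_links):
        data = xor_bytes(bytes(key1), bytes(key2))
        digest = hashlib.sha256(data).hexdigest()
        states.append(VirtualNodeRoutingState(global_number, local_number, relay_id,
                                              id1, id2, data, digest))
    # Destroy: each distinct key-group object is wiped exactly once, after all its uses.
    seen = set()
    for _, key1, _, key2 in relay_links:
        for key in (key1, key2):
            if id(key) not in seen:
                seen.add(id(key))
                destroy(key)
    return states


def verify_state(state: VirtualNodeRoutingState) -> bool:
    """Integrity check a receiver runs on a delivered state (check information of fig. 5)."""
    return hashlib.sha256(state.data).hexdigest() == state.digest


def recover_peer_group(state: VirtualNodeRoutingState, own_group: bytes) -> bytes:
    """What the state is for: neighbour A, holding its own copy of Kra, derives Krb
    from VRS0 = Kra XOR Krb, while R keeps no key material after S103. Without one of
    the two groups the XOR value reveals nothing about either (one-time-pad relation)."""
    return xor_bytes(state.data, own_group)


def virtual_relay_node_state(relay_id: str, global_number: str, states: list) -> dict:
    """Node identifier of fig. 8 (801 to 805) together with the n states; this is the
    unit that may be encapsulated into a data file."""
    return {
        "relay_id": relay_id,                      # 801
        "global_number": global_number,            # 802
        "state_count": len(states),                # 803
        "data_length": [len(s.data) for s in states],  # 804
        "data_type": "hex",                        # 805 (16-ary)
        "states": states,
    }


def run_fig8_example():
    """Relay node R virtualising the two links A-R-B and A-R-C of fig. 8."""
    kra, krb, krc = bytearray(KRA), bytearray(KRB), bytearray(KRC)
    states = create_routing_states("ID_R", GLOBAL_NUMBER,
                                   [("ID_A", kra, "ID_B", krb), ("ID_A", kra, "ID_C", krc)])
    return states, (kra, krb, krc)
```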
Optionally, in one possible design, the following steps are added: and creating a virtual relay node of R, wherein the virtual relay node is used for storing and outputting management of the routing state of the virtual node and the state of the virtual relay node, and sending the routing state of the virtual node or the state of the virtual relay node with a specific number to the server or a target receiver indicated by the server instruction according to the instruction of the server.
Although the present invention has described the data structure of the above-mentioned shared key packet and virtual node routing state (which may include content options of the target data and its identification and its ordering, data type, data length, etc.), it is contemplated that the elements or variables in the above-mentioned data structure may be freely combined without significantly affecting the application performance; in addition, it is obvious that if a certain element or variable (for example, a storage type, a data length) in a certain data structure is used as a global variable, the corresponding data format may not include the variable, and therefore, the present invention does not specifically limit the position ordering relationship of the element or variable in the data structure, nor does it limit the implementation manner of the certain element or variable; in addition, with similar considerations, the present invention does not specifically limit the position ordering relationship of elements or variables in the data format, nor the implementation of a certain element or variable. Methods obtained by freely combining or adjusting the positions of the elements in the data structure also fall within the scope of the present invention. Obviously, some content options in the above virtual node routing state (or virtual relay node state) identification can be used as part of the corresponding virtual node routing state (or virtual relay node state) data in possible designs, and such similar possible designs fall within the scope of the present invention.
Fig. 9 is a schematic diagram illustrating a routing service device of a relay node according to an embodiment of the present invention, where the routing service device includes: a transceiver, including various interface modules; for example, the transceiver shown in fig. 9 may include interface module 901, interface module 902, interface module 903, and so on; the interface module 901 is configured to report topology information of the quantum relay node to the quantum network controller 906 and receive a virtualization instruction issued by the quantum network controller; the interface module 902 is configured to send a virtual node routing status or/and a virtual relay node status to the virtualization server 907; the interface module 903 is used to negotiate a shared key packet with the adjacent quantum node 908;
the data processing unit 904: for selecting m neighboring nodes (where n is an integer greater than 0 and m is an integer greater than 1) associated with the n relay links indicated by the virtualization instruction and neighboring the relay node, for negotiating a shared key packet with a neighboring target node through the interface module 903; optionally, also for obtaining the quantum key from the quantum key distribution unit 909; further, performing: for each relay link, the relay node negotiates a shared key with two associated neighboring nodes, calculates an exclusive or value of the two shared keys and creates a corresponding identifier, or performs: the relay node negotiates a shared key with each of the m adjacent nodes, selects two associated shared keys from the m shared keys for each relay link, calculates an exclusive or value of the two shared keys and creates a corresponding identifier, and sends the identifier to the node virtualization unit 905;
a node virtualization unit 905, configured to manage storage and output of a virtual node routing state or/and a virtual relay node state; wherein, the virtual node routing state comprises: the exclusive or value and the corresponding identification of the shared key group between the target relay node and two adjacent target nodes; the virtual relay node states include: routing states of part or all of virtual nodes of the target relay node and corresponding identifications of the virtual nodes; the virtualization instructions are for indicating any one or more of the following: the method includes the steps of relaying link information, data format of a shared key, data structure of a virtual node routing state, global identification, identification of a target receiver and a data transmission mode, wherein topology information includes but is not limited to: the identification of the relay node, and the link state between the relay node and each adjacent target node; the virtualization server may include any one or more of the following options: the system comprises a network management device, a network virtualization management device, a service node device, a cloud storage service device and a block chain accounting node device. In one possible design, the virtualization server 907 and the quantum network controller 906 may be an integrated device.
Optionally, a quantum key distribution unit 909 (abbreviated as QKD module) is further included in a possible design, and the QKD module is configured to negotiate a shared quantum key with an adjacent quantum node and input the shared quantum key into the data processing unit; the QKD module includes: one or more QKD receivers or/and transmitters capable of quantum key distribution with a respective QKD transmitter or/and receiver of a neighboring node; wherein the QKD receiver or/and transmitter includes any one or more of the following options: a discrete variable QKD receiver or/and a discrete variable transmitter, a continuous variable QKD receiver or/and a continuous variable QKD transmitter, a discrete variable QKD receiver or/and a continuous variable transmitter, a continuous variable QKD receiver or/and a discrete variable QKD transmitter.
Optionally, a new embodiment is obtained by adding any one or any more of the following units in the above embodiment:
(B1) the storage unit is used for storing the routing state of the virtual node and/or the state of the virtual relay node;
(B2) the identity authentication module is used for authentication of the relay node virtualization application device accessing to the quantum network and identity authentication between the relay node virtualization application device and an adjacent target node or/and a server, wherein the authentication comprises: authentication based on CA certificate, authentication based on initial root key;
(B3) the password management module is used for data encryption and decryption (including data encryption and decryption by adopting a symmetric password algorithm, data encryption and decryption by adopting an asymmetric password algorithm, and data encryption and decryption by adopting a tunnel mode or a transmission mode of VPN), digital signature and calculation of an integrity check value;
(B4) an access control module, configured to identify a received control command and a service request command, and respond to a legal command or reject an illegal command, where the identification method includes: verifying the digital signature of the received instruction, if the digital signature passes the verification, judging the digital signature as a legal instruction, and otherwise, judging the digital signature as an illegal instruction;
(B5) the illegal starting-up protection module is used for automatically destroying all cache data if the system is illegally started up or the case is illegally started;
(B6) the private key protection module is used for protecting the initial root key or/and the private key for digital signature from being illegally accessed or exported;
(B7) the virtual mapping module of the relay node, used for application management of the virtual node routing state and the virtual relay node state, and for sending the virtual node routing state or the virtual relay node state with a specific number to a server or a target receiver indicated by the server instruction according to the instruction of a quantum network controller or the server.
In one possible design, the system further comprises a logic isolation module, wherein the logic isolation module divides the relay node virtualization application device into a security domain unit and an open domain unit; wherein the security domain unit comprises: the data processing unit, and optionally a QKD module or/and a password management module; the open domain unit includes: the transceiver and the node virtualization module.
Further, in one possible design, the transceiver further includes: and the 5G mobile communication module is used for sending the virtual relay node state to the server or a target receiver indicated by the server instruction. In another possible design, the transceiver may also employ other wireless communication modes (including, but not limited to, mobile communication network-based communication, communication satellite channel-based communication, WIFI network-based communication) and be used to transmit the virtual relay node status to the server or the intended recipient indicated by the server instructions.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus (or system), or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (or systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the invention has been described in conjunction with specific features and embodiments thereof, it will be evident that various modifications and combinations can be made thereto without departing from the spirit and scope of the invention. Accordingly, the specification and figures are merely exemplary of the invention as defined in the appended claims and are intended to cover any and all modifications, variations, combinations, or equivalents within the scope of the invention. It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (16)

1. A routing service method of a relay node is characterized by comprising the following steps: a relay node in a target network receives a virtualization instruction, selects m adjacent nodes which are associated with n relay links indicated by the virtualization instruction and are adjacent to the relay node (wherein n is an integer greater than 0, and m is an integer greater than 1), and executes: for each relay link, the relay node negotiates a shared key group with two associated neighboring nodes, calculates an exclusive or value of the two shared key groups and creates a corresponding identifier, or performs: the relay node negotiates a shared key group with each of the m neighboring nodes, selects two associated shared key groups from the m shared key groups for each relay link, calculates an exclusive-or value of the two shared key groups and creates a corresponding identifier, the relay node transmits the n exclusive-or values and the corresponding identifiers to a target recipient indicated by the virtualization instruction (for convenience, hereinafter, the exclusive-or value is referred to as a virtual node routing state data, the identifier is referred to as a virtual node routing state identifier, and the exclusive-or value and the identifier thereof are referred to as a virtual node routing state),
wherein the target network comprises any one of the following options: quantum key distribution networks, quantum communication networks, quantum sensing networks, quantum secure internets,
the virtual node routing state identification comprises: a global identification, and the link identifications connecting the current relay node with the previous associated neighboring node and with the next associated neighboring node (or, alternatively, the identification of the current relay node, the identification of the first neighboring node, and the identification of the second neighboring node).
2. The routing service method of a relay node according to claim 1, comprising: after the n virtual node routing states have been created, destroying all shared key groups used to create them, or destroying a shared key group once all virtual node routing state data in whose calculation that shared key group participates have been created.
3. The routing service method of a relay node according to claim 1 or 2, comprising: creating node identifiers for the n virtual node routing states (for convenience, the n virtual node routing states and their corresponding node identifiers are hereinafter referred to as a virtual relay node state, and the node identifiers are referred to as virtual relay node state identifiers), or, further, encapsulating the n virtual node routing states and their node identifiers as a data file, wherein the contents of the node identifiers include: an identification of a current relay node, a global identification, a number of virtual node routing states, or a number of associated neighboring nodes.
4. A routing service method for a relay node according to claim 1, 2 or 3, characterized in that it comprises any one or both of the following: (1) before creating a virtual node routing state, obtaining a global identifier, wherein the method for obtaining the global identifier comprises the steps of determining the current global identifier according to a virtualization instruction or determining the current global identifier according to the last global identifier, (2) before creating the virtual node routing state, confirming the negotiated shared key packet and the global identifier of the virtual node routing state used by the negotiated shared key packet by a target relay node and an associated adjacent node, and if the associated adjacent node of the target relay node is a relay node or a virtual relay node, using the negotiated shared key packet for creating the virtual node routing state with the same global identifier by the target relay node and the associated adjacent node respectively.
5. The routing service method of the relay node according to claim 1, 2, 3 or 4, comprising: the relay node reports topology information of the relay node to a network controller or a target receiver and receives a virtualization instruction issued by the network controller or the target receiver, wherein the topology information comprises: an identification of the relay node, a link status between the relay node and each associated neighboring node.
6. The routing service method of the relay node according to claim 1 or 5, wherein the virtualization instruction is used for indicating any one or more of the following: the method comprises the steps of relay link information, a data format of a shared key packet, a data structure of a virtual node routing state, a global identification, an identification of a target receiving party and a data transmission mode, wherein the relay link information comprises the number of relay links and associated relay nodes, and the global identification is used for distinguishing different relay links.
7. The routing service method of a relay node according to claim 1, wherein the method of negotiating a shared key packet comprises any one or both of the following methods: a real-time sharing method, a pre-caching method, wherein,
the real-time sharing method comprises the following steps: the relay node negotiates a certain amount of shared secret keys with adjacent nodes in real time and creates a grouping identification, the certain amount of shared secret keys and the grouping identification thereof are used as a shared secret key grouping, or further, the relay node and the adjacent nodes adopt the same data format to respectively divide the shared secret keys into one or more groups, adopt the same randomness test method to carry out randomness test on each group, create a grouping identification for a group passing the randomness test, and use the group and the grouping identification thereof as a shared secret key grouping,
the pre-caching method comprises the following steps: the relay node negotiates a certain amount of shared keys with the associated adjacent nodes, the shared keys are divided into one or more groups using the same data format, a randomness test is carried out on each group using the same randomness test method, each group passing the randomness test is cached and a group identification is created for it, and the relay node negotiates with the adjacent node to select, from the cached groups, one group having the same group identification or the same group number, together with its group identification, as the shared key group, wherein negotiating the certain amount of shared keys comprises the following, the shared key identifier including: a shared key number, and the link identifications of the current relay node and the associated adjacent node (or the identifications of the current relay node and the associated adjacent node), wherein the key number is a local number or a global identification, and, where a local number is used, after a given shared key has been used to create a virtual routing state, its local number is changed to the global identification of the corresponding virtual routing state.
8. The routing service method of a relay node according to claim 1 (or 3), wherein the content of the virtual node routing state identifier (or virtual relay node state identifier) further comprises any one or more of the following:
identification of the target network, for distinguishing between different target networks,
a local identification for distinguishing between multiple virtual node routing states having the same global identification (or for distinguishing between multiple virtual relay node states having the same global identification),
checking information for checking the integrity of the virtual node routing state data or/and the virtual node routing state, including a data digest of the corresponding data, or a Hash value, or a MAC code,
a digital signature for digitally signing the virtual node routing state (or the virtual relay node state) using a digital signature algorithm,
a timestamp for recording a creation time of a virtual node routing state (or a virtual relay node state),
a data digest (or Hash value) of the current virtual node routing state (or virtual relay node state), a data digest (or Hash value) of the last virtual node routing state (or virtual relay node state), or a data digest (or Hash value) of the current and last virtual node routing states (or virtual relay node states).
9. The routing service method of a relay node according to claim 8, wherein the private key used for digital signature is protected from being illegally accessed or exported.
10. The routing service method of a relay node according to claim 1, wherein the sending includes any one or both of the following options: real-time output, passive response output, wherein,
the real-time output comprises the following steps: outputting the created virtual node routing state to a memory of the relay node device or/and a third party server or/and an object receiver indicated by the virtualization instruction in real time,
the passive response output includes: outputting, according to the virtualization instruction, the virtual node routing state with the specified number to a memory of the relay node device or/and a third party server or/and a target receiver indicated by the virtualization instruction.
11. The routing service method of a relay node according to claim 10, wherein the sending or outputting comprises: an encrypted transmission comprising any one or more of the following options: the encryption transmission is carried out by adopting a symmetric cryptographic algorithm, the encryption transmission is carried out by adopting an asymmetric cryptographic algorithm, and the encryption transmission is carried out by adopting a tunnel mode or a transmission mode of VPN.
12. The routing service method of a relay node according to claim 1 (or 3), comprising: storing the n virtual node routing states (or storing the virtual relay node states), wherein the storing includes any one or more of the following options: the method comprises the following steps of local storage, cloud storage and server side storage, wherein the local storage method comprises the following steps: storing the virtual node routing state (or virtual relay node state) in a memory of the relay node device (where the memory includes, but is not limited to, local memory or network storage space), sending a virtual node routing state identification (or virtual relay node state identification) to the server,
the cloud storage method comprises the following steps: storing virtual node routing state (or virtual relay node state) on the cloud storage space,
the server-side storage comprises: the virtual node routing state (or virtual relay node state) is sent to one or more servers for storage.
13. A routing service apparatus of a relay node, comprising:
a transceiver for reporting the topology information of the quantum relay node to a network controller or a server, for receiving a virtualization instruction issued by the network controller or the server,
a data processing unit for negotiating a shared key packet with the associated neighboring node, for performing: selecting m neighbor nodes associated with the n relay links indicated by the virtualization instruction and neighboring the relay node (where n is an integer greater than 0 and m is an integer greater than 1), and further performing: for each relay link, the relay node negotiates a shared key with two associated neighboring nodes, calculates an exclusive or value of the two shared keys and creates a corresponding identifier, or performs: the relay node negotiates a shared key with each node of the m adjacent nodes respectively, selects two associated shared keys from the m shared keys for each relay link, calculates an exclusive-or value of the two shared keys and creates a corresponding identifier,
a node virtualization unit for creating a virtual node routing state or/and a virtual relay node state for storage and output management of the virtual node routing state and/or the virtual relay node state,
wherein, the virtual node routing state comprises: the xor value of the shared key packet between the target relay node and the two associated neighboring nodes and their respective identities,
the virtual relay node states include: some or all of the virtual node routing states of the target relay nodes associated with the n relay links and their corresponding identities,
the virtualization instructions are for indicating any one or more of the following: relay link information, data format of shared key, data structure of virtual node routing state, global identification, identification of target receiver, data transmission mode,
the topology information includes: an identification of the relay node, a link status between the relay node and each associated neighboring node.
14. The routing service apparatus of a relay node according to claim 13, comprising: a QKD module for negotiating a shared quantum key with an adjacent quantum node and inputting the shared quantum key to a data processing unit, wherein the QKD module comprises: one or more QKD receivers or/and transmitters capable of quantum key distribution with a respective QKD transmitter or/and receiver of a neighboring node, the QKD receivers or/and transmitters including any one or more of the following options: a discrete variable QKD receiver or/and a discrete variable transmitter, a continuous variable QKD receiver or/and a continuous variable QKD transmitter, a discrete variable QKD receiver or/and a continuous variable transmitter, a continuous variable QKD receiver or/and a discrete variable QKD transmitter.
15. The routing service device of a relay node according to claim 13 or 14, further comprising any one or any plurality of the following units:
a storage unit for storage of virtual node routing states and/or virtual relay node states,
an identity authentication module for authenticating the relay node virtualization application device when it accesses the quantum network, and for identity authentication between the relay node virtualization application device and the associated adjacent node or/and the server, wherein the authentication comprises: CA certificate based authentication, initial root key based authentication,
a cryptographic management module for data encryption and decryption, digital signature, and integrity check value calculation,
an access control module for identifying received control instructions and received virtualization instructions and responding to legal instructions or rejecting illegal instructions, wherein the identification method comprises: verifying the digital signature of the received instruction, judging it to be a legal instruction if the verification passes, and otherwise judging it to be an illegal instruction,
an illegal start-up protection module for automatically destroying all cached data if the system is illegally started or the chassis is illegally opened,
a private key protection module for protecting the initial root key or/and the private key used for digital signature from being illegally accessed or exported,
a relay node virtual mapping module for application management of the virtual node routing state and the virtual relay node state, and for sending the virtual node routing state or the virtual relay node state to the server and to a receiver indicated by the server's virtualization instruction, according to the virtualization instruction of the network controller or the server.
16. The routing service apparatus of a relay node according to claim 13, wherein the transceiver further comprises: a wireless communication module for sending the virtual node routing state or the virtual relay node state to a server or to a receiver indicated by the server instruction, wherein the wireless communication comprises communication based on a mobile communication network, communication based on a communication satellite channel, and communication based on a WIFI network.
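The XOR-based relay scheme of claims 1, 2, 7 and 8 in working form, as an added Python example that is not part of the patent: relay nodes B and C each XOR their two hop keys into a virtual node routing state carrying its identifier and a check value, destroy the key groups afterwards, and endpoint A walks the published states to arrive at the key that D holds. Class and function names, the SHA-256 check value, the monobit randomness screen and the hop keys are all assumptions constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Names such as VirtualNodeRoutingState and RelayNode are assumptions for this example.

@dataclass(frozen=True)
class VirtualNodeRoutingState:
    """XOR value plus its identifier (claims 1 and 8)."""
    global_id: int   # distinguishes relay links
    relay_id: str    # current relay node
    prev_id: str     # previous associated neighbouring node
    next_id: str     # next associated neighbouring node
    data: bytes      # virtual node routing state data: the XOR value
    digest: str      # check information: SHA-256 over identifier and data

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Both key groups must use the same data format, so lengths must match."""
    if len(a) != len(b):
        raise ValueError("shared key groups must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def _digest(global_id: int, relay_id: str, prev_id: str, next_id: str, data: bytes) -> str:
    h = hashlib.sha256(f"{global_id}|{relay_id}|{prev_id}|{next_id}|".encode())
    h.update(data)
    return h.hexdigest()

def passes_monobit_test(key: bytes, tolerance: float = 0.15) -> bool:
    """Crude randomness screen for a key group; claim 7 leaves the test method open."""
    ones = sum(bin(b).count("1") for b in key)
    return abs(ones / (8 * len(key)) - 0.5) <= tolerance

class RelayNode:
    def __init__(self, node_id: str) -> None:
        self.node_id = node_id
        self.shared_keys: Dict[str, bytearray] = {}  # neighbour id -> shared key group

    def negotiate_shared_key(self, neighbour_id: str, key: bytes) -> None:
        # A real relay would take this from its QKD module; here the key is constructed.
        if not passes_monobit_test(key):
            raise ValueError(f"key group with {neighbour_id} failed randomness test")
        self.shared_keys[neighbour_id] = bytearray(key)

    def create_routing_state(self, global_id: int, prev_id: str, next_id: str) -> VirtualNodeRoutingState:
        k_prev, k_next = self.shared_keys[prev_id], self.shared_keys[next_id]
        data = xor_bytes(bytes(k_prev), bytes(k_next))
        state = VirtualNodeRoutingState(global_id, self.node_id, prev_id, next_id, data,
                                        _digest(global_id, self.node_id, prev_id, next_id, data))
        # Claim 2: destroy the shared key groups once the state exists, so the relay
        # no longer holds material that would reveal either hop key.
        for k in (k_prev, k_next):
            for i in range(len(k)):
                k[i] = 0
        del self.shared_keys[prev_id], self.shared_keys[next_id]
        return state

def verify_state(s: VirtualNodeRoutingState) -> bool:
    """Recipient-side integrity check of a received virtual node routing state."""
    return _digest(s.global_id, s.relay_id, s.prev_id, s.next_id, s.data) == s.digest

def derive_far_end_key(first_hop_key: bytes, states: List[VirtualNodeRoutingState]) -> bytes:
    """An endpoint holding its first-hop key XORs through the published states in path order."""
    key = first_hop_key
    for s in states:
        if not verify_state(s):
            raise ValueError(f"integrity check failed for relay {s.relay_id}")
        key = xor_bytes(key, s.data)
    return key

def run_chain_demo() -> Tuple[bytes, bytes, List[VirtualNodeRoutingState]]:
    """Path A-B-C-D with relays B and C; returns (key A derives, key D holds, states)."""
    # Constructed 32-byte hop keys standing in for QKD-negotiated key groups.
    k_ab = hashlib.sha256(b"constructed key A-B").digest()
    k_bc = hashlib.sha256(b"constructed key B-C").digest()
    k_cd = hashlib.sha256(b"constructed key C-D").digest()
    relay_b, relay_c = RelayNode("B"), RelayNode("C")
    relay_b.negotiate_shared_key("A", k_ab)
    relay_b.negotiate_shared_key("C", k_bc)
    relay_c.negotiate_shared_key("B", k_bc)
    relay_c.negotiate_shared_key("D", k_cd)
    states = [relay_b.create_routing_state(1, "A", "C"), relay_c.create_routing_state(1, "B", "D")]
    return derive_far_end_key(k_ab, states), k_cd, states
```

The published XOR values reveal nothing about either hop key on their own, which is why a recipient needs its own first-hop key to get anywhere; the digest check is what lets it reject a state altered in transit.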
CN201910819447.4A 2019-09-01 2019-09-01 Routing service method and device of relay node Active CN110690960B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910819447.4A CN110690960B (en) 2019-09-01 2019-09-01 Routing service method and device of relay node

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910819447.4A CN110690960B (en) 2019-09-01 2019-09-01 Routing service method and device of relay node

Publications (2)

Publication Number Publication Date
CN110690960A true CN110690960A (en) 2020-01-14
CN110690960B CN110690960B (en) 2022-02-22

Family

ID=69107655

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910819447.4A Active CN110690960B (en) 2019-09-01 2019-09-01 Routing service method and device of relay node

Country Status (1)

Country Link
CN (1) CN110690960B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110243331A1 (en) * 2008-12-10 2011-10-06 Nec Corporation Shared random numbers management method and management system in secret communication network
US20160248581A1 (en) * 2015-01-08 2016-08-25 Alibaba Group Holding Limited Quantum key distribution system, method and apparatus based on trusted relay
US20160315768A1 (en) * 2015-04-22 2016-10-27 Alibaba Group Holding Limited Method, apparatus, and system for cloud-based encryption machine key injection
CN107171792A (en) * 2017-06-05 2017-09-15 北京邮电大学 A virtual key pool and a method for virtualizing quantum key resources
US20180109377A1 (en) * 2016-10-14 2018-04-19 Alibaba Group Holding Limited Method and system for data security based on quantum communication and trusted computing
CN108270557A (en) * 2016-12-30 2018-07-10 科大国盾量子技术股份有限公司 A backbone system based on quantum communication and its relay method
CN108270555A (en) * 2016-12-30 2018-07-10 山东量子科学技术研究院有限公司 A relay key transmission method
CN108768629A (en) * 2018-05-24 2018-11-06 中国科学院信息工程研究所 A trusted relay quantum communication method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
池亚平 et al.: "Research progress on networking technology for quantum secure communication networks", Journal of Beijing Electronic Science and Technology Institute *
马彰超 et al.: "Research on software-defined quantum key distribution network technology", Designing Techniques of Posts and Telecommunications *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210266147A1 (en) * 2020-02-26 2021-08-26 International Business Machines Corporation Initializing a local key manager for providing secure data transfer in a computing environment
US11652616B2 (en) * 2020-02-26 2023-05-16 International Business Machines Corporation Initializing a local key manager for providing secure data transfer in a computing environment
US11824974B2 (en) 2020-02-26 2023-11-21 International Business Machines Corporation Channel key loading in a computing environment
CN113079081A (en) * 2020-09-25 2021-07-06 支付宝(杭州)信息技术有限公司 Message transmission method and device
US11924276B2 (en) 2020-09-25 2024-03-05 Alipay (Hangzhou) Information Technology Co., Ltd. Methods and apparatuses for transmitting messages
CN114900293A (en) * 2022-05-06 2022-08-12 浙江九州量子信息技术股份有限公司 Quantum key global relay method and system based on scheduling center

Also Published As

Publication number Publication date
CN110690960B (en) 2022-02-22

Similar Documents

Publication Publication Date Title
CN110690928B (en) Quantum relay link virtualization method and device
CN110690960B (en) Routing service method and device of relay node
CN110690962B (en) Application method and device of service node
CN110661620B (en) Shared key negotiation method based on virtual quantum link
CN110690961B (en) Quantum network function virtualization method and device
CN110677241B (en) Quantum network virtualization architecture method and device
CN107567704B (en) Network path pass authentication using in-band metadata
US11804967B2 (en) Systems and methods for verifying a route taken by a communication
CN110581763B (en) Quantum key service block chain network system
CN112367163B (en) Quantum network virtualization method and device
CN101300806B (en) System and method for processing secure transmissions
CN112865964A (en) Quantum key distribution method, equipment and storage medium
CN113193957B (en) Quantum key service method and system separated from quantum network
CN110690964B (en) Quantum service block chain creation method and application system
CN107078898A A method for establishing a secure private interconnection over a multi-path network
EP4258593A1 (en) Ota update method and apparatus
CN110557253B (en) Relay route acquisition method, device and application system
CN114142995B (en) Key security distribution method and device for block chain relay communication network
CN113193958B (en) Quantum key service method and system
CN112367160A (en) Virtual quantum link service method and device
CN112367124B (en) Quantum relay node virtualization method and device
CN112367161A (en) Relay node function virtualization method and device
CN112367162A (en) Application method and device of quantum relay node
CN114143038A (en) Key secure distribution method and device for block chain relay communication network
Qin et al. Research on secured communication of intelligent connected vehicle based on digital certificate

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant