CN110690962B - Application method and device of service node - Google Patents


Info

Publication number
CN110690962B
Authority
CN
China
Prior art keywords
node
virtual
service node
key
data
Prior art date
Legal status
Active
Application number
CN201910820386.3A
Other languages
Chinese (zh)
Other versions
CN110690962A (en)
Inventor
陈晖�
Current Assignee
Chengdu Liang'an Blockchain Technology Co ltd
Original Assignee
Chengdu Liang'an Blockchain Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Chengdu Liang'an Blockchain Technology Co ltd
Priority to CN201910820386.3A
Publication of CN110690962A
Application granted
Publication of CN110690962B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0852 Quantum cryptography
    • H04L 9/0855 Quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an application method of a service node, comprising the following steps: the service node negotiates a shared key packet with each of m adjacent nodes; the m shared key packets are securely stored; or, alternatively, a virtual relay node is created, a random number packet is generated as an additional shared key packet, the exclusive-or value of every two of the (m+1) shared key packets is calculated, a corresponding identifier is created for each and sent to a target receiver, and the random number packet is securely stored. The invention also provides an application device of the service node, comprising a transceiver, a data processing unit and a secure storage unit. The invention can solve the problems of link concurrency conflict and limited service scale in quantum key service, and has good prospects for application and popularization.

Description

Application method and device of service node
Technical Field
The present invention relates to service nodes (also called quantum access nodes, the same below) of quantum networks and their application technology, and in particular to an application method and an application apparatus of a service node.
Background
Because practical non-landing quantum communication relay technology is lacking, quantum trusted relay technology is typically employed in quantum key distribution (QKD) networks. However, published quantum trusted relay schemes suffer from bottleneck problems such as concurrency conflicts, large delays and inconvenient access of relay links, and quantum service nodes suffer from inconvenient access and limited scale when providing quantum key services to other application systems.
Disclosure of Invention
The invention provides an application method and device of a service node. The application method of the service node provided by the invention comprises the following steps: the service node negotiates a shared key packet with each of m adjacent nodes in a target network and creates a packet identifier (where m is a natural number greater than 0); confirms with each adjacent node the negotiated shared key packet and the global identifier to be used for creating the virtual node routing state; and, where the identifier of the shared key packet is inconsistent with the corresponding global identifier, updates the identifier of the shared key packet to that global identifier;
the m shared key packets are securely stored; or, a virtual relay node is created, a random number packet is generated, the m adjacent nodes and the service node are taken as the (m+1) adjacent nodes of the virtual relay node, the exclusive-or value of every pair of the (m+1) shared key packets is calculated and a corresponding identifier is created for each (for convenience, the exclusive-or value is hereinafter called virtual node routing state data, the identifier is called the virtual node routing state identifier, and the exclusive-or value together with its identifier is called a virtual node routing state), and the C(m+1,2) exclusive-or values and their identifiers are sent to a server or to the target receiver indicated by a virtualization instruction (where C(m+1,2) is the number of ways of choosing 2 from m+1, the same below); the random number packet has the same data format as the shared key packets, and the packet identifier of the random number packet is consistent with the corresponding global identifier.
Optionally, the method further includes: creating node state identifiers for the C (m +1,2) virtual node routing states (for convenience, the node state identifiers are hereinafter referred to as virtual relay node state identifiers, and the node state identifiers and the corresponding C (m +1,2) virtual node routing states are referred to as a virtual relay node state); or, further, encapsulating the routing states of the C (m +1,2) virtual nodes and node state identifiers thereof into a data file, where the node state identifiers include: an identification of a serving node, a global identification, a number of virtual node routing states, or a number of neighboring nodes.
Optionally, the method further includes: acquiring a global identifier before creating the packet identifier, where the method of acquiring the global identifier includes, but is not limited to, determining the current global identifier according to the virtualization instruction or according to the previous global identifier.
Optionally, the method further includes: after the C(m+1,2) virtual node routing states are created, destroying the corresponding m shared key packets.
Optionally, the method further includes: logical isolation is set between the service node and the virtual relay node, and the virtual relay node cannot read the key data of the service node.
Optionally, the method further includes: if m adjacent nodes of the service node need to be logically isolated, firstly, a plurality of virtual service node units which are logically isolated from each other are created for the m adjacent nodes according to the logical isolation requirement, and then, a corresponding virtual node routing state is created for each virtual service node unit.
Optionally, the method further includes: the service node reports topology information of the service node to a network controller or a server, wherein the topology information comprises: identification of the serving node, link status between the serving node and each neighboring node.
Optionally, the method further includes: the service node receives a virtualization instruction issued by a network controller or a server, wherein the virtualization instruction is used for indicating any one or more of the following contents: global identification, data format of shared key grouping, data structure of virtual node routing state, data structure of virtual relay node state, identification of target receiver and data transmission mode.
Optionally, the method further includes: performing identity authentication with the adjacent nodes or/and the server, where the identity authentication comprises CA certificate based authentication or initial root key based authentication.
Optionally, the method further includes: distributing one or more of the securely stored shared key packets or random number packets to a proxy device of the service node.
Optionally, the method further includes: providing a random key packet service, comprising the steps of: (1) generating a random number sequence, dividing it into packets of a fixed data size, performing a randomness test on each packet, and caching the random key packets that pass the test; (2) providing one or more random key packets to an application device, creating an association identifier, and securely storing the random key packets together with the association identifier; where secure storage comprises encrypted storage and non-encrypted, physically protected storage, and the association identifier is used to locate the corresponding random key packet and contains the identifier of the application device, the identifier of the associated service node and the number of the random key packet.
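As an added illustration of steps (1) and (2) above (not code from the patent), a small Python model of the random key packet service; the patent names no particular randomness test, so the NIST SP 800-22 frequency (monobit) test is assumed as a stand-in, and the packet size, node identifier and application identifier are constructed values:

```python
"""Model of the random key packet service: group, test, cache, provide, locate.
Added illustration; the randomness test, packet size and identifiers are assumptions."""
import math
import secrets
from dataclasses import dataclass, field

GROUP_SIZE = 256      # bytes per random key packet; assumed, the patent leaves it open
P_THRESHOLD = 0.01    # SP 800-22 acceptance level for the p-value (assumed)


def monobit_p_value(group: bytes) -> float:
    """SP 800-22 frequency test: ones count +1, zeros -1; the normalised sum is
    compared against a half-normal distribution.  Small p-value means biased bits."""
    n = len(group) * 8
    ones = sum(bin(byte).count("1") for byte in group)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def passes_randomness_test(group: bytes) -> bool:
    return monobit_p_value(group) >= P_THRESHOLD


@dataclass
class RandomKeyService:
    node_id: str                                      # identifier of this service node
    cache: list = field(default_factory=list)         # packets that passed the test
    secure_store: dict = field(default_factory=dict)  # association id -> packet
    _next_no: int = 0                                 # running packet number

    def generate(self, sequence: bytes) -> int:
        """Step (1): split a random sequence into fixed-size packets, test each one,
        cache the passing packets.  Returns how many packets were rejected."""
        rejected = 0
        for i in range(0, len(sequence) - GROUP_SIZE + 1, GROUP_SIZE):
            group = sequence[i:i + GROUP_SIZE]
            if passes_randomness_test(group):
                self.cache.append(group)
            else:
                rejected += 1
        return rejected

    def provide(self, app_id: str, count: int = 1) -> list:
        """Step (2): hand packets to an application device and record an association
        identifier (application id, service node id, packet number) for each one."""
        out = []
        for _ in range(count):
            if not self.cache:
                raise RuntimeError("random key cache exhausted")
            group = self.cache.pop(0)
            assoc_id = (app_id, self.node_id, self._next_no)
            self._next_no += 1
            # in a real device this store is encrypted or physically protected
            self.secure_store[assoc_id] = group
            out.append((assoc_id, group))
        return out

    def locate(self, assoc_id) -> bytes:
        """Use the association identifier to find the corresponding packet later."""
        return self.secure_store[assoc_id]


if __name__ == "__main__":
    svc = RandomKeyService("SN-01")
    # constructed input: three OS-random packets plus one all-zero packet that must fail
    seq = secrets.token_bytes(3 * GROUP_SIZE) + bytes(GROUP_SIZE)
    print("rejected packets:", svc.generate(seq))
    (aid, pkt), = svc.provide("APP-7")
    print("association id:", aid, "located:", svc.locate(aid) == pkt)
```

The monobit test is only a coarse filter (a fixed 0x55 pattern passes it), so a real service would run the full SP 800-22 suite or an equivalent health test.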
Optionally, the method further includes: receiving the states of the virtual relay nodes of other relay nodes and the virtual relay nodes, and packaging the states of the virtual relay nodes with the same global identification into a data file (recorded as a virtual network state); or, further, selecting a relay link between any two service nodes, performing an exclusive-or operation on the virtual node routing state data corresponding to each relay node on the relay link in a virtual network state, and using the exclusive-or operation result as a virtual link data between two service nodes.
Optionally, the method further includes a virtual link service, the virtual link service comprising any one or more of the following options:
the first direct method: sending the exclusive-or value of the random key packet of an application terminal associated with the service node and the random key packet of another associated application terminal to the two application terminals respectively;
the second direct method: the service node calculates the exclusive-or value of the shared key packet associated with a virtual link and the virtual link data, and thereby obtains a key packet shared with the other service node associated with that virtual link;
the first indirect method: the service node generates a random key packet, calculates the exclusive-or value of the shared key packet associated with a virtual link and the virtual link data, and sends the exclusive-or value of that result and the random key packet to the other service node or a third-party server associated with the virtual link;
the second indirect method: the service node selects a random key packet of an application terminal, calculates the exclusive-or value of the shared key packet associated with a virtual link and the virtual link data, and sends the exclusive-or value of that result and the random key packet to a third-party server, the application terminal or the other service node associated with the virtual link; where the virtual link data is the exclusive-or value of the respective shared key packets of the two service nodes associated with the virtual link.
The invention also provides an application device of the service node, which is characterized by comprising the following components:
a transceiver, for reporting the topology information of the quantum service node to the quantum network controller and receiving the virtualization instruction issued by the quantum network controller;
a data processing unit, for negotiating a shared key packet with each adjacent node, confirming with each adjacent node the negotiated shared key packet and the global identifier to be used for creating the virtual node routing state, updating the identifier of the shared key packet to the corresponding global identifier where the two are inconsistent, and optionally further creating a virtual relay node and its virtual node routing states;
a secure storage unit, for storing key data;
where the virtual node routing state comprises the exclusive-or value of the shared key packets between the target service node and two adjacent nodes, together with the corresponding identifier;
the virtualization instruction indicates any one or more of the following: the global identifier, the data format of the shared key packet, the data structure of the virtual node routing state, the identifier of the target receiver and the data transmission mode;
the topology information includes the identifier of the service node and the link state between the service node and each adjacent node;
and the key data comprises any one or more of: shared key packets, random number packets and random key packets.
Optionally, the application device further includes: a random key service unit for generating a random number sequence, grouping according to a certain data size, performing a randomness test on each group, and caching all random key groups passing the randomness test; and is also used for outputting one or more random key packets and creating corresponding associated identifications; the association identifier is used for locating a corresponding random key packet, and the content of the association identifier includes an identifier of an application device, an identifier of an association service node, and a number of the random key packet.
Optionally, the application device further includes: the QKD module is used for negotiating a shared quantum key with an adjacent quantum node and inputting the shared quantum key into the data processing unit; the QKD module includes: one or more QKD receivers or/and transmitters capable of quantum key distribution with a respective QKD transmitter or/and receiver of a neighboring node; wherein the QKD receiver or/and transmitter includes any one or more of the following options: a discrete variable QKD receiver or/and a discrete variable transmitter, a continuous variable QKD receiver or/and a continuous variable QKD transmitter, a discrete variable QKD receiver or/and a continuous variable transmitter, a continuous variable QKD receiver or/and a discrete variable QKD transmitter.
Optionally, the application device further includes: and the node virtualization unit is used for creating the virtual relay node and the virtual node routing state and/or the virtual relay node state thereof, and storing and outputting the virtual node routing state and/or the virtual relay node state.
Optionally, the application device further includes a virtual link service unit, configured to provide any one or more of the following services:
the first direct method: sending the exclusive-or value of the random key packet of an application terminal associated with the service node and the random key packet of another application terminal to the two application terminals respectively;
the second direct method: the service node calculates the exclusive-or value of the shared key packet associated with a virtual link and the virtual link data, and thereby obtains a key packet shared with the other service node associated with that virtual link;
the first indirect method: the service node generates a random key packet, calculates the exclusive-or value of the shared key packet associated with a virtual link and the virtual link data, and sends the exclusive-or value of that result and the random key packet to the other service node or a third-party server associated with the virtual link;
the second indirect method: the service node selects a random key packet of an application terminal, calculates the exclusive-or value of the shared key packet associated with a virtual link and the virtual link data, and sends the exclusive-or value of that result and the random key packet to a third-party server, the application terminal or the other service node associated with the virtual link; where the virtual link data is the exclusive-or value of the respective shared key packets of the two service nodes associated with the virtual link.
Optionally, the application device further includes any one or more of the following units:
a storage unit, for storing the virtual node routing states and/or the virtual relay node state;
an identity authentication module, for authenticating the application device of the service node when it accesses the quantum network and for identity authentication between the application device and adjacent nodes or/and the server, where the authentication comprises CA certificate based authentication and initial root key based authentication;
a cryptographic management module, for data encryption and decryption, digital signature and calculation of integrity check values, where the data encryption and decryption comprise encryption and decryption with a symmetric cryptographic algorithm, with an asymmetric cryptographic algorithm, and in the tunnel mode or transport mode of a VPN;
an access control module, configured to check received control commands and service request commands and to respond to legal commands or reject illegal ones, where the check comprises verifying the digital signature of the received command: if the signature verifies, the command is judged legal, otherwise it is judged illegal;
an illegal start-up protection module, for automatically destroying all cached data and stored key data if the device is started illegally or its case is opened illegally;
a private key protection module, for protecting the initial root key or/and the digital signature private key from being illegally accessed or exported;
and a service node virtual mapping module, for application management of the virtual node routing states and the virtual relay node state, and for sending the virtual node routing states or the virtual relay node state to the server and to the receiver indicated by the server's instruction, according to the instruction of the network controller or the server.
Optionally, the application device further comprises a logical isolation module, which partitions the application device of the service node into a security domain unit and a public domain unit, where
the security domain unit comprises the data processing unit, the secure storage unit and, optionally, the QKD module, or/and the cryptographic module, or/and the random key packet service module;
and the public domain unit comprises the transceiver and the node virtualization module.
The method and the device can solve the bottleneck problems of relay link concurrency conflicts, large delay and inconvenient access found in published quantum network schemes, as well as the problems of inconvenient access and limited scale of quantum service nodes (or quantum access nodes) when providing quantum key services to other application systems. The invention therefore has good prospects for application and popularization.
Drawings
Fig. 1 is a schematic diagram of an application method of a service node according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an application method of another service node according to an embodiment of the present invention;
Fig. 3 is a schematic diagram illustrating a method for providing a random key grouping service according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a virtual link service method according to an embodiment of the present invention;
Fig. 5 is a schematic diagram illustrating a method for negotiating a shared key packet according to an embodiment of the present invention;
Fig. 6 is a schematic diagram illustrating another method for negotiating a shared key packet according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of a shared key group identifier according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of another shared key group identifier according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of a virtual node routing state identifier according to an embodiment of the present invention;
Fig. 10 is a schematic diagram of a virtual relay node status identifier according to an embodiment of the present invention;
Fig. 11 is a schematic diagram of an application method of a virtual relay node according to an embodiment of the present invention;
Fig. 12 is a schematic diagram of a virtual relay node state according to an embodiment of the present invention;
Fig. 13 is a schematic diagram of a method for creating a virtual service node unit according to an embodiment of the present invention;
Fig. 14 is a schematic diagram of an application apparatus of a service node according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention and some terms and meanings thereof will be described below.
(1) Target networks to which embodiments of the present invention are applicable include, but are not limited to, any of the following networks: quantum key distribution network, quantum communication network, quantum sensing network, quantum security internet, other networks which adopt a point-to-point single-hop landing forwarding mode for relay transmission; accordingly, the target nodes in embodiments of the present invention include, but are not limited to, any one or more of the following nodes: quantum relay nodes, quantum service nodes (or quantum access nodes), virtual quantum relay nodes, virtual quantum service nodes. The node in the embodiments of the present invention is applicable to, but not limited to, a node accessing a target network through an optical fiber interface and a wireless interface (or a free space interface).
(2) The service node function virtualization application in the embodiment of the invention is the electronic representation or instantiation of the service node function; the data produced by this electronic representation or instantiation can be used separately from the physical network to which the service node belongs.
(3) The relay node of the embodiment of the invention is a node used as a relay in a target network, or a node which has at least two adjacent nodes on one or more relay links and is used as a relay, wherein the relay node does not store a key which is negotiated between the relay node and the adjacent nodes and is used for creating a virtual node routing state; serving nodes (or referred to as access nodes) refer to other nodes in the target network that are not used for relaying or are not used directly for relaying (in some possible designs, a serving node may be used for relaying through a virtual node); in addition, for a specific embodiment of the present invention, the corresponding target network includes the relay node and the serving node included in the above embodiment.
(4) The communication channels involved in embodiments of the invention directed to quantum networks include quantum channels and traditional communication network channels, wherein traditional communication network channels are employed by other communication processes except that quantum key distribution between adjacent quantum nodes (an adjacent quantum node refers to two nodes capable of point-to-point QKD or quantum communication) requires occupation of the quantum channel or link, including but not limited to one or more of wired communication and wireless/mobile/satellite communication channels.
(5) The terms "virtual node routing status" and "virtual relay node status" used in the embodiments of the present invention are only used for marking corresponding data or files, and are not used for limiting the corresponding data or files, and all schemes that are merely replacing names and have no substantive difference belong to the protection scope of the present invention.
(6) The shared key packet in the embodiment of the invention is shared key data with a certain data length. Because different application systems have different requirements on the length of the shared key and the rate of the point-to-point QKD link has certain difference, the invention does not specifically limit the data length of the shared key packet; it is to be understood that the data length refers to counting in the same data unit (e.g., bit, byte). In practice, the data length of the shared key packet (e.g., 2048 bits, 100 kbytes, 10 mbytes, 1 gbyte, or any other data length that meets the requirements of the system) may be determined according to the QKD system coding rate of the actual application, the specific requirements of the application system, or future industry standard requirements. It should be clear that in the same possible embodiment, the shared secret keys have the same data format (including but not limited to data type, data length, and data read/write sequence).
(7) The global identifier in the embodiment of the invention is an identifier which keeps all nodes in a target network consistent, namely, before the virtual node routing state is established, a service node and an adjacent node confirm a negotiated shared key group and the global identifier of the virtual node routing state used for establishment, and the virtual relay node and the adjacent relay node respectively use the negotiated shared key group for establishing the virtual node routing state or/and the virtual relay node state with the same global identifier; the global identifier may be used to distinguish different target networks, and may also be used to distinguish different embodiments in the target network; the global identifier may adopt a global number unified in the whole network, or may adopt an identifier combining the target network identifier and the global number.
In order to make the technical solutions and advantages of the present invention clearer, the present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a schematic diagram of an application method of a service node according to an embodiment of the present invention, which includes the following steps:
S101: the service node negotiates a shared key packet with each of m adjacent nodes in the target network and creates a packet identifier (where m is a natural number greater than 0);
S102: confirming with each adjacent node the negotiated shared key packet and the global identifier to be used for the virtual node routing state, and updating the identifier of the shared key packet to the corresponding global identifier where the two are inconsistent;
S103: securely storing the m shared key packets.
Fig. 2 is a schematic diagram of another service node application method provided in the embodiment of the present invention, which includes the following steps:
S201: the service node negotiates a shared key packet with each of m adjacent nodes in the target network and creates a packet identifier (where m is a natural number greater than 0; note that the adjacent nodes are those with which the service node can normally distribute quantum keys: if the quantum key distribution link between the service node and an adjacent node is abnormal or broken, that node is not treated as an adjacent target node, and the same applies in the following steps);
S202: confirming with each adjacent node the negotiated shared key packet and the global identifier to be used for creating the virtual node routing state, and updating the identifier of the shared key packet to the corresponding global identifier where the two are inconsistent;
S203: creating a virtual relay node, generating a random number packet, using the random number packet as the shared key packet between the virtual relay node and the service node, and taking the m adjacent relay nodes and the service node as the (m+1) adjacent nodes of the virtual relay node;
S204: calculating the XOR value of every pair of the (m+1) shared key packets and creating corresponding identifiers (the m+1 shared quantum key packets form C(m+1,2) distinct pairs; the XOR value of the two packets in each pair is calculated and a corresponding identifier is created for each; for convenience, the XOR value is called virtual node routing state data, the identifier is called the virtual node routing state identifier, and the XOR value together with its identifier is called a virtual node routing state); sending the C(m+1,2) XOR values and their identifiers to a server or to the target receiver indicated by the virtualization instruction (where C(m+1,2) is the number of ways of choosing 2 from m+1, the same below); and securely storing the random number packet; the random number packet has the same data format as the shared key packets, and its packet identifier is consistent with the corresponding global identifier.
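An added Python model (not the patent's code) of steps S201 to S204 together with the virtual link service described in the disclosure: relay nodes and a service node's virtual relay node publish the XOR of each pair of their shared key packets as routing states, the relays then destroy their packets, and a service node recovers an end-to-end key from its own packet and the XOR of the routing state data along the relay path (the second direct method). The topology, packet length and global identifier are constructed assumptions.

```python
"""Virtual relay node, routing states and virtual link data, modelled end to end.
Added illustration; topology, PACKET_LEN and GLOBAL_ID are constructed assumptions."""
import itertools
import secrets
from dataclasses import dataclass, field

PACKET_LEN = 32           # bytes per packet; assumed, the patent leaves the length open
GLOBAL_ID = "net1:0001"   # assumed global identifier agreed by all nodes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """The patent's 'exclusive-or value' of two packets of identical data format."""
    if len(a) != len(b):
        raise ValueError("packets must share one data format (same length)")
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Node:
    name: str
    shared: dict = field(default_factory=dict)   # neighbour name -> shared key packet


def negotiate(a: Node, b: Node) -> None:
    """Stand-in for point-to-point QKD (S201): both ends hold the same packet."""
    k = secrets.token_bytes(PACKET_LEN)
    a.shared[b.name] = k
    b.shared[a.name] = k


def create_virtual_relay(service: Node, random_packet: bytes) -> Node:
    """S203: the virtual relay node's (m+1) neighbours are the service node's m
    neighbours plus the service node itself; the random number packet acts as the
    shared key packet between the virtual relay node and the service node."""
    v = Node("v" + service.name)
    v.shared = dict(service.shared)
    v.shared[service.name] = random_packet
    return v


def routing_states(node: Node, global_id: str = GLOBAL_ID) -> dict:
    """S204: XOR of every pair of the node's shared key packets, C(m+1,2) of them,
    keyed by the routing state identifier (node, global id, the two neighbours)."""
    states = {}
    for (n1, k1), (n2, k2) in itertools.combinations(sorted(node.shared.items()), 2):
        states[(node.name, global_id, n1, n2)] = xor_bytes(k1, k2)
    return states


def relay_node_state(node: Node, states: dict) -> dict:
    """Optional step: wrap the routing states with a node state identifier
    (node id, global id, number of routing states, number of neighbours)."""
    return {"id": (node.name, GLOBAL_ID, len(states), len(node.shared)), "states": states}


def virtual_link_data(network_state: dict, hops) -> bytes:
    """XOR the routing state data of each relay on the chosen relay link.
    hops = [(relay, neighbour towards source, neighbour towards destination), ...].
    Each relay's own packets cancel in pairs, leaving K(src, first relay) XOR
    K(last relay, dst); the server holding all routing states learns neither key."""
    link = bytes(PACKET_LEN)
    for relay, n1, n2 in hops:
        n1, n2 = sorted((n1, n2))
        link = xor_bytes(link, network_state[relay]["states"][(relay, GLOBAL_ID, n1, n2)])
    return link


def demo() -> dict:
    # Constructed topology: A - R1 - R2 - B, with C a second neighbour of R1 (so R1 has m=3)
    a, r1, r2, b, c = (Node(n) for n in "A R1 R2 B C".split())
    negotiate(a, r1); negotiate(r1, r2); negotiate(r2, b); negotiate(r1, c)
    rand = secrets.token_bytes(PACKET_LEN)           # A's random number packet (S203)
    va = create_virtual_relay(a, rand)
    network_state = {n.name: relay_node_state(n, routing_states(n)) for n in (r1, r2, va)}
    r1.shared.clear(); r2.shared.clear()             # relays destroy their shared key packets
    # Second direct method: A XORs its own shared key packet with the link data and
    # obtains the packet B shares with R2, an end-to-end key the relays no longer hold.
    link_ab = virtual_link_data(network_state, [("R1", "A", "R2"), ("R2", "R1", "B")])
    key_at_a = xor_bytes(a.shared["R1"], link_ab)
    # Same link through A's virtual relay node: B recovers A's random number packet.
    link_vab = virtual_link_data(network_state,
                                 [("vA", "A", "R1"), ("R1", "A", "R2"), ("R2", "R1", "B")])
    rand_at_b = xor_bytes(b.shared["R2"], link_vab)
    return {"states_r1": len(network_state["R1"]["states"]),
            "key_at_a": key_at_a, "key_at_b": b.shared["R2"],
            "rand_at_b": rand_at_b, "rand_at_a": rand,
            "r1_keys_left": len(r1.shared)}


if __name__ == "__main__":
    out = demo()
    print("R1 routing states:", out["states_r1"])                       # 3 = C(3,2)
    print("end-to-end key agrees:", out["key_at_a"] == out["key_at_b"])
    print("random packet recovered at B:", out["rand_at_b"] == out["rand_at_a"])
```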
The embodiment of the invention shown in fig. 1 and the embodiment of the invention shown in fig. 2 can be used in different application embodiments, respectively.
Further, in a possible design, a node state identifier is created for the C(m+1,2) virtual node routing states (for convenience it is called the virtual relay node state identifier, and the identifier together with its C(m+1,2) virtual node routing states is called the virtual relay node state), or the C(m+1,2) virtual node routing states and their node state identifier are further packaged into a data file. The node state identifier includes the identifier of the service node, the global identifier, and the number of virtual node routing states or the number of adjacent nodes. The data file includes but is not limited to a data list file or a database file; the routing state of one or more particular virtual nodes can be obtained quickly by accessing the data file.
Further, a global identifier is obtained before the group identifier is created; the global identifier is determined either from the virtualization instruction or from the previous global identifier.
Further, in the above embodiment, once the C(m+1,2) virtual node routing states have been created, the corresponding m shared key groups are destroyed, while the random number group is retained in secure storage.
Further, in a possible design based on the above embodiment, the service node and the virtual relay node are logically separated, so that the virtual relay node cannot read the key data of the service node; the key data includes but is not limited to any one or more of: shared key groups, random number groups, random key groups.
Further, in a possible design, if the m adjacent nodes of a service node must be logically isolated from one another, a plurality of mutually isolated virtual service node units is first created for them according to the isolation requirement; then, for each virtual service node unit, the corresponding virtual node routing states or/and virtual relay node state are created by the method above.
Further, in a possible design, in the foregoing embodiment, the service node reports topology information of the service node to a network controller or a server, where the topology information includes but is not limited to: identification of the serving node, link status between the serving node and each neighboring node.
Further, in a possible design, in the foregoing embodiment, the service node receives a virtualization instruction issued by the network controller or the server, where the virtualization instruction is used to indicate any one or more of the following: global identification, data format of shared key grouping, data structure of virtual node routing state, data structure of virtual relay node state, identification of target receiver and data transmission mode.
Further, in a possible design, in the foregoing embodiment, the serving node performs identity authentication with the neighboring node or/and the server, where the identity authentication includes, but is not limited to: authentication based on a CA certificate or authentication based on an initial root key.
Further, in one possible design, in the above embodiment, one or more of the securely stored shared key packets or random number packets are distributed to the proxy device of the service node.
Further, in a possible design, on the basis of the foregoing embodiment, a random key grouping service is provided, which includes the following steps: (1) generating a random number sequence, grouping according to a certain data size, carrying out randomness test on each group, and caching random key groups passing the randomness test; (2) providing one or more random key groups for an application device, creating an associated identifier, and safely storing the random key groups and the associated identifier; wherein, the secure storage includes but is not limited to: encrypted storage, or unencrypted physically protected storage; the association identifier is used to locate the corresponding random key packet, and the content of the association identifier includes, but is not limited to, the identifier of the application device, the identifier of the associated service node, and the number of the random key packet.
Further, in a possible design, based on the above embodiment, the service node receives the virtual relay node states of other relay nodes and virtual relay nodes, and encapsulates the virtual relay node states with the same global identifier into a data file (denoted as a virtual network state), or further selects a relay link between any two service nodes, performs an exclusive-or operation on the virtual node routing state data corresponding to each relay node on the relay link in one virtual network state, and uses the exclusive-or operation result as one virtual link data between two service nodes.
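The relay-link XOR described above, as an added example in Python (not the patent's code): every relay on the path publishes, for each pair of its links, the XOR of the two link keys; XORing the states along a chosen path cancels every intermediate link key and leaves the XOR of the two end nodes' packets with their first relays, which is the virtual link data. The five-node topology, the link keys from os.urandom and the frozenset-indexed state layout are constructions of this example.

```python
import os
from itertools import combinations


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("key packets must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def publish_relay_state(link_keys: dict) -> dict:
    """One relay node's virtual relay node state: for every pair of its links
    the XOR of the two link keys, indexed by the unordered pair of neighbour
    IDs. After publishing, the relay destroys the link keys."""
    return {frozenset((u, v)): xor_bytes(link_keys[u], link_keys[v])
            for u, v in combinations(sorted(link_keys), 2)}


def virtual_link_data(network_state: dict, path: list) -> bytes:
    """XOR of the routing states of every relay along `path` (end node,
    relays..., end node). Each relay contributes the state for the pair
    (previous hop, next hop); intermediate link keys cancel pairwise, so the
    result is K(first end, first relay) XOR K(last relay, last end)."""
    if len(path) < 3:
        raise ValueError("path needs two end nodes and at least one relay")
    result = None
    for prev_hop, relay, next_hop in zip(path, path[1:], path[2:]):
        # KeyError here means the relay has no state for that pair of links.
        data = network_state[relay][frozenset((prev_hop, next_hop))]
        result = data if result is None else xor_bytes(result, data)
    return result


def simulate(length: int = 32) -> dict:
    """Constructed topology A - R1 - R2 - R3 - B with a side link R2 - R4.
    Random link keys stand in for negotiated shared quantum key packets."""
    edges = [("A", "R1"), ("R1", "R2"), ("R2", "R3"), ("R3", "B"), ("R2", "R4")]
    links = {frozenset(e): os.urandom(length) for e in edges}

    def keys_of(node: str) -> dict:
        return {next(iter(e - {node})): k for e, k in links.items() if node in e}

    # Virtual network state: the relay states collected under one global number.
    network_state = {r: publish_relay_state(keys_of(r)) for r in ("R1", "R2", "R3")}
    ka = links[frozenset(("A", "R1"))]   # A's packet with its adjacent relay
    kb = links[frozenset(("R3", "B"))]   # B's packet with its adjacent relay
    v = virtual_link_data(network_state, ["A", "R1", "R2", "R3", "B"])
    return {"ka": ka, "kb": kb, "link_data": v,
            "kb_derived_at_a": xor_bytes(ka, v)}   # direct method B
```

Note what this does and does not protect: the published states give an eavesdropper nothing by themselves, but any relay that kept (or leaked) a single link key, combined with the public states, yields every key along the path, so the trust placed in each relay at negotiation time is not removed by the virtualization, only narrowed to the moment before the keys are destroyed.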
Further, in a possible design, on the basis of the foregoing embodiment, the service node provides a virtual link service, where the virtual link service includes any one or more of the following options:
direct method A: sending the XOR value of one random key packet of an application terminal associated with the service node and one random key packet of another associated application terminal to both application terminals;
direct method B: the service node XORs the shared key packet it associates with a virtual link with the virtual link data and thereby obtains the shared key packet of the other service node associated with that virtual link;
indirect method C: the service node generates a random number packet, XORs the shared key packet it associates with a virtual link with the virtual link data, XORs the result with the random number packet, and sends it to the other service node associated with the virtual link or to a third-party server;
indirect method D: the service node selects a random key packet of an application terminal, XORs the shared key packet it associates with a virtual link with the virtual link data, XORs the result with the random key packet, and sends it to a third-party server, to the application terminal, or to the other service node associated with the virtual link. Here the virtual link data is the XOR value of the respective shared key packets of the two service nodes associated with the virtual link.
For further explanation, fig. 3 is a schematic diagram of a method for providing a random key grouping service according to an embodiment of the present invention, where the method includes:
S301: generating a random number sequence, dividing it into groups of a certain data size, running a randomness test on each group, and caching the random key groups that pass the test;
S302: providing one or more random key packets to the application device and creating an association identifier;
S303: storing the random key packet and its association identifier securely.
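An added example of the random key grouping service of S301 to S303 (and of the design described earlier on this page), written for this page rather than taken from the patent. The page does not say which randomness tests are used; this code applies the NIST SP 800-22 monobit and runs tests plus a chi-square test on the byte histogram, all at significance 0.01. The group size, the association identifier tuple and the hash-chain stand-in for the entropy source are assumptions of the example.

```python
from __future__ import annotations

import hashlib
import math
import os
from collections import Counter

ALPHA = 0.01                      # significance level of the tests
CHI2_CRIT_DF255_1PCT = 310.46     # chi-square critical value, 255 degrees of freedom, p = 0.01


def monobit_p_value(group: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test."""
    n = len(group) * 8
    ones = sum(bin(b).count("1") for b in group)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p_value(group: bytes) -> float:
    """NIST SP 800-22 runs test; 0.0 when its frequency prerequisite fails."""
    bits = [(b >> i) & 1 for b in group for i in range(7, -1, -1)]
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_obs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def byte_chi_square(group: bytes) -> float:
    """Chi-square statistic of the byte histogram against the uniform distribution."""
    expected = len(group) / 256
    counts = Counter(group)
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def passes_randomness_tests(group: bytes) -> bool:
    return (monobit_p_value(group) >= ALPHA
            and runs_p_value(group) >= ALPHA
            and byte_chi_square(group) <= CHI2_CRIT_DF255_1PCT)


def hash_chain_source(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for the entropy source so the example is
    reproducible. Not suitable for real keys; use os.urandom or hardware."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


class RandomKeyService:
    """Generates, groups, tests and hands out random key packets (S301 to S303)."""

    def __init__(self, service_id: str, group_size: int = 4096, source=os.urandom):
        self.service_id = service_id
        self.group_size = group_size
        self.source = source
        self.cache: list[bytes] = []           # groups that passed the tests
        self.store: dict[tuple, bytes] = {}    # association identifier -> packet
        self.next_number = 0

    def fill(self, groups: int) -> int:
        """S301: generate, split into groups, test each, cache the passes."""
        raw = self.source(groups * self.group_size)
        passed = 0
        for i in range(groups):
            g = raw[i * self.group_size:(i + 1) * self.group_size]
            if passes_randomness_tests(g):
                self.cache.append(g)
                passed += 1
        return passed

    def provide(self, app_id: str, count: int = 1) -> list[tuple]:
        """S302 and S303: hand `count` packets to an application device and keep
        each under (application ID, service node ID, packet number)."""
        if len(self.cache) < count:
            raise RuntimeError("not enough tested random key packets cached")
        idents = []
        for _ in range(count):
            ident = (app_id, self.service_id, self.next_number)
            self.next_number += 1
            self.store[ident] = self.cache.pop(0)   # stand-in for secure storage
            idents.append(ident)
        return idents

    def lookup(self, ident: tuple) -> bytes:
        return self.store[ident]
```

Two cautions a practitioner should keep in mind: a repeating pattern such as 0x33 bytes passes both the monobit and the runs test and is only caught by the byte histogram, so no small battery of statistical tests certifies a source, they only catch a dead or badly biased one; and the random key packets are secrets from the moment they exist, so the cache must live in the same protected storage as the negotiated quantum keys.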
Fig. 4 is a schematic diagram of a virtual link service method provided by an embodiment of the present invention, in which service node A securely stores the shared quantum key packet Ka negotiated with the adjacent relay node R1 and provides random key packets Ra_U1, Ra_U2 and Ra_U3 to application terminals U1, U2 and U3 respectively;
for direct method A in the above embodiment, the service node calculates Ra_U1 ⊕ Ra_U2, Ra_U1 ⊕ Ra_U3, or Ra_U2 ⊕ Ra_U3;
for direct method B in the above embodiment, the service node calculates Ka ⊕ Kb (assuming that Kb is the shared key packet of the other service node associated with the virtual link corresponding to Ka);
for indirect method C in the above embodiment, the service node first generates a random number packet Rx and then calculates Ka ⊕ Kb ⊕ Rx (with Kb as above);
for indirect method D in the above embodiment, the service node calculates Ka ⊕ Kb ⊕ Ra_U1, Ka ⊕ Kb ⊕ Ra_U2, or Ka ⊕ Kb ⊕ Ra_U3.
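The four virtual link service methods of fig. 4 in Python, as an added example that is not part of the patent. It assumes the virtual link data Ka ⊕ Kb has already been obtained from the virtual network state, models each service node as a small class, and ends with a constructed scenario in which terminal U1 at node A and terminal U4 at node B obtain a common key by chaining method D with method A; the terminal names and the use of os.urandom for the packets are assumptions of the example.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("key packets must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class ServiceNode:
    """A service node holding its shared key packet with its adjacent relay
    (Ka or Kb in fig. 4) and the random key packets issued to terminals."""

    def __init__(self, node_id: str, relay_key: bytes):
        self.node_id = node_id
        self.relay_key = relay_key
        self.app_keys: dict = {}

    def register_terminal(self, app_id: str) -> bytes:
        # Random key packet for one application terminal (Ra_U1 and so on).
        self.app_keys[app_id] = os.urandom(len(self.relay_key))
        return self.app_keys[app_id]

    def method_a(self, u1: str, u2: str) -> bytes:
        """Direct method A: Ra_U1 XOR Ra_U2, sent to both terminals; each
        recovers the other's packet with its own."""
        return xor_bytes(self.app_keys[u1], self.app_keys[u2])

    def method_b(self, link_data: bytes) -> bytes:
        """Direct method B: Ka XOR (Ka XOR Kb) = Kb."""
        return xor_bytes(self.relay_key, link_data)

    def method_c(self, link_data: bytes) -> tuple:
        """Indirect method C: fresh Rx; the peer receives Kb XOR Rx."""
        rx = os.urandom(len(self.relay_key))
        return rx, xor_bytes(self.method_b(link_data), rx)

    def method_d(self, link_data: bytes, app_id: str) -> bytes:
        """Indirect method D: the peer receives Kb XOR Ra_Ui."""
        return xor_bytes(self.method_b(link_data), self.app_keys[app_id])

    def unwrap(self, message: bytes) -> bytes:
        """Receiver side of C and D: Kb XOR (Kb XOR X) = X."""
        return xor_bytes(self.relay_key, message)


def terminal_derive(own_key: bytes, message: bytes) -> bytes:
    """What an application terminal computes from a method-A message."""
    return xor_bytes(own_key, message)


def end_to_end(length: int = 32) -> dict:
    """Constructed scenario: terminal U1 at service node A and terminal U4 at
    service node B end up with the same key."""
    ka, kb = os.urandom(length), os.urandom(length)
    link_data = xor_bytes(ka, kb)          # assumed to come from the virtual network state
    a, b = ServiceNode("A", ka), ServiceNode("B", kb)
    ra_u1 = a.register_terminal("U1")
    rb_u4 = b.register_terminal("U4")
    # Method D at A: B learns Ra_U1 (B is trusted with the terminal key).
    ra_u1_at_b = b.unwrap(a.method_d(link_data, "U1"))
    # B treats Ra_U1 as a terminal packet and applies method A towards U4.
    b.app_keys["U1@A"] = ra_u1_at_b
    pairing = b.method_a("U1@A", "U4")     # Rb_U4 XOR Ra_U1, sent to U4
    return {"ra_u1": ra_u1, "u4_key": terminal_derive(rb_u4, pairing),
            "kb": kb, "kb_at_a": a.method_b(link_data), "ra_u1_at_b": ra_u1_at_b}
```

Each packet must be used in exactly one XOR with exactly one other secret: if A sends both Ka ⊕ Kb ⊕ Rx and Ka ⊕ Kb ⊕ Ra_U1, an observer XORs the two messages and learns Rx ⊕ Ra_U1, which is as good as either key once the other leaks. Method D also hands the terminal's key to the remote service node, so the terminal's security becomes that of the weaker of the two nodes.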
In the above embodiment, a shared key group may be negotiated by a real-time sharing method or by a pre-caching method. The real-time sharing method comprises: the service node negotiates a certain amount of shared quantum key with an adjacent node in real time, and that amount of shared quantum key is used as one shared quantum key group; alternatively, the method of fig. 5 (a schematic diagram of a method for negotiating a shared quantum key packet according to an embodiment of the present invention) is used, which comprises:
S501: negotiating a certain amount of shared quantum key with the adjacent node in real time;
S502: the service node and the adjacent node each divide the shared quantum key into one or more groups using the same data format, and test each group for randomness using the same randomness test;
S503: using a group that passes the randomness test as a shared quantum key group;
the pre-caching method comprises (as shown in fig. 6, another schematic diagram of a method for negotiating a shared quantum key packet according to an embodiment of the present invention):
S601: the service node negotiates a certain amount of shared quantum key with the adjacent target node;
S602: each side divides the shared quantum key into one or more groups using the same data format, tests each group for randomness using the same randomness test, caches each group that passes and creates a group identifier for it;
S603: negotiating with the adjacent node to select, from the groups cached at each side, one group with the same group number as the shared quantum key group.
Negotiating a shared quantum key in the above embodiments includes but is not limited to: negotiating with several adjacent nodes in turn, negotiating with several adjacent nodes simultaneously, or negotiating with the adjacent nodes designated by a virtualization instruction; the negotiated quantum key may occupy the whole bandwidth of the quantum key distribution channel or only part of it.
In a possible design, negotiating a shared quantum key packet may further include a consistency check: the service node and the adjacent target node each compute a data digest or hash value of the shared quantum key packet; if the two values differ, the check fails and the packet is renegotiated; otherwise the check passes and the shared quantum key packet has been negotiated successfully.
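The pre-caching method (S601 to S603) together with the consistency check, as an added example written for this page rather than taken from the patent. Both sides split the same raw key into numbered groups, keep the groups that pass a randomness test (only a placeholder test is used here, since the page does not fix one), then agree on the lowest group number cached on both sides and compare SHA-256 digests; a digest mismatch discards that group on both sides and the negotiation moves on to the next number. The group size, the numbering scheme and the corrupted sample key are constructions of the example.

```python
from __future__ import annotations

import hashlib
from typing import Callable, Optional


def not_degenerate(group: bytes) -> bool:
    """Placeholder for the randomness test both sides run in S602; here it
    only rejects a group whose bytes are all identical."""
    return len(set(group)) > 1


class KeyCache:
    """One side's cache of shared quantum key groups (pre-caching method)."""

    def __init__(self, node_id: str, group_size: int,
                 randomness_test: Callable[[bytes], bool] = not_degenerate):
        self.node_id = node_id
        self.group_size = group_size
        self.randomness_test = randomness_test
        self.groups: dict[int, bytes] = {}    # group number -> key data

    def ingest(self, raw_key: bytes, first_number: int) -> list[int]:
        """S602: split the negotiated key into groups of group_size, run the
        randomness test, cache the passing groups under consecutive numbers.
        Both sides must use the same format and the same numbering."""
        kept = []
        for i in range(len(raw_key) // self.group_size):
            number = first_number + i
            g = raw_key[i * self.group_size:(i + 1) * self.group_size]
            if self.randomness_test(g):
                self.groups[number] = g
                kept.append(number)
        return kept

    def digest(self, number: int) -> bytes:
        # Data digest exchanged in the consistency check.
        return hashlib.sha256(self.groups[number]).digest()


def negotiate_group(local: KeyCache, remote: KeyCache) -> tuple[Optional[int], list[int]]:
    """S603 plus the consistency check: take the lowest group number cached
    on both sides and compare digests; a mismatch discards that group on
    both sides and moves on (renegotiation). Returns (chosen, discarded)."""
    discarded = []
    for number in sorted(local.groups.keys() & remote.groups.keys()):
        if local.digest(number) == remote.digest(number):
            return number, discarded
        local.groups.pop(number)
        remote.groups.pop(number)
        discarded.append(number)
    return None, discarded


def simulate() -> tuple[Optional[int], list[int]]:
    """Constructed run: 4 groups of 16 bytes; group 0 is all zeros (fails the
    test on both sides), group 1 has one bit flipped on the adjacent node's
    side (fails the consistency check), group 2 is the first usable one."""
    groups = [bytes(16), bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))]
    raw_s = b"".join(groups)
    corrupted = bytearray(raw_s)
    corrupted[16] ^= 0x01        # bit flip inside group 1 on the peer's copy
    raw_b = bytes(corrupted)
    s, b = KeyCache("S", 16), KeyCache("B", 16)
    s.ingest(raw_s, 0)
    b.ingest(raw_b, 0)
    return negotiate_group(s, b)
```

The digests travel over the classical channel, which QKD already requires to be authenticated; for a group of megabyte size a SHA-256 digest gives an attacker nothing, but for short groups a plain hash is a brute-force oracle, and a MAC keyed with the pre-shared authentication key is the safer comparison value.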
It should be understood that the specific use of each item that may be indicated by the virtualization instruction is as follows: the global identifier distinguishes different target networks and different embodiments within a target network, and may be a network-wide global number or a combination of the target network identifier and a global number; the data format of the shared quantum key packet includes but is not limited to data type, data length and data read/write order; the data structure of the virtual node routing state comprises the content of the virtual node routing state identifier and its ordering in one embodiment; the identifier of the target receiver determines the receiver; the data transmission mode determines whether encrypted or unencrypted transmission is used.
It will be apparent that a new embodiment having the same application properties as the process of the invention can be obtained by recombining the process steps described above. Therefore, methods based on simple combinations of the above method steps and content adjustments fall within the scope of the present invention.
The shared quantum key packet in the above embodiment includes but is not limited to: a group identifier and the shared quantum key data (a shared quantum key of the group length). The data structure of the shared quantum key group identifier may follow the schematic diagram of fig. 7 provided by the embodiment of the present invention, that is, the group identifier includes the group number, the current service node ID and the adjacent node ID; equivalently, the current service node ID and the adjacent node ID may be replaced by the link identifier of the current service node and the adjacent node. The ID may also be any other identifier that uniquely identifies the corresponding node. The group number may be a local number or a global number; in the former case, when a shared quantum key packet is used to create a virtual node routing state, its local number is changed to the global number of the corresponding virtual node routing state.
On the basis of the data structure shown in fig. 7, a new shared quantum key packet or group identifier embodiment may be obtained by adding any one or more of the following content options: data format, check information and time stamp, where the check information may be a data digest (or hash value) or a MAC of the shared quantum key packet; the content of the data format includes but is not limited to any one or more of: data type (for example binary or hexadecimal storage), data length, and data read/write order.
Further, as an example, fig. 8 shows a schematic diagram of a data structure of another shared quantum key packet provided by a possible embodiment of the present invention, that is, the data structure includes a packet number, a current service node ID, an adjacent node ID, a data length, check information, and quantum key data; the data length may be the data length of the quantum key data, or the data length of the entire shared quantum key packet; the check information may be a quantum key data digest (or Hash value) or a MAC code.
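An added example of the fig. 8 layout in Python, not code from the patent: a packet is encoded as group number, current service node ID, adjacent node ID, data length, check information and quantum key data, and the decoder rejects a length mismatch or a check mismatch. The fixed 16-byte ID fields, big-endian 32-bit integers, SHA-256 for the digest and HMAC-SHA-256 for the MAC variant are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
from typing import Optional

# Fig. 8 order: group number, service node ID, adjacent node ID, data length,
# check information, quantum key data. Field widths are assumed here.
HEADER = struct.Struct(">I16s16sI")
CHECK_LEN = 32


def _id_field(identifier: str) -> bytes:
    raw = identifier.encode()
    if len(raw) > 16:
        raise ValueError("node identifier longer than 16 bytes")
    return raw.ljust(16, b"\0")


def _check(header: bytes, key_data: bytes, mac_key: Optional[bytes]) -> bytes:
    # With a MAC key the check covers header and data and detects tampering;
    # without one it is a plain SHA-256 digest that only detects corruption.
    if mac_key is None:
        return hashlib.sha256(key_data).digest()
    return hmac.new(mac_key, header + key_data, "sha256").digest()


def encode_packet(number: int, service_id: str, neighbor_id: str,
                  key_data: bytes, mac_key: Optional[bytes] = None) -> bytes:
    header = HEADER.pack(number, _id_field(service_id), _id_field(neighbor_id), len(key_data))
    return header + _check(header, key_data, mac_key) + key_data


def decode_packet(blob: bytes, mac_key: Optional[bytes] = None) -> dict:
    """Parse and verify a packet; raises ValueError on any mismatch."""
    if len(blob) < HEADER.size + CHECK_LEN:
        raise ValueError("truncated packet")
    number, sid, nid, length = HEADER.unpack_from(blob, 0)
    header = blob[:HEADER.size]
    check = blob[HEADER.size:HEADER.size + CHECK_LEN]
    key_data = blob[HEADER.size + CHECK_LEN:]
    if len(key_data) != length:
        raise ValueError("data length field does not match payload")
    if not hmac.compare_digest(check, _check(header, key_data, mac_key)):
        raise ValueError("check information does not match")
    return {"number": number,
            "service_id": sid.rstrip(b"\0").decode(),
            "neighbor_id": nid.rstrip(b"\0").decode(),
            "key_data": key_data}
```

The difference between the two check variants matters when packets are stored or relayed: a digest is recomputable by whoever rewrites the key data, so only the MAC variant (keyed, for instance, from the authentication key the QKD link already requires) lets the receiver tell substitution from corruption.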
The virtual node routing state in the above embodiments includes, but is not limited to: virtual node routing state identification, virtual node routing state data (i.e., the exclusive-or value of the shared quantum key packet between the current serving node (or virtual relay node) and the two neighboring nodes). Fig. 9 is a schematic diagram of a virtual node routing state identifier provided in an embodiment of the present invention, where the content of the virtual node routing state identifier includes, but is not limited to: global number, current serving node ID1, neighbor ID2, neighbor ID3 (or, link identifications of the last neighbor and the next neighbor connecting the current serving node with the current serving node).
The content of the virtual relay node status identifier in the above embodiment includes (as shown in fig. 10, which is a schematic diagram of a virtual relay node status identifier provided in the embodiment of the present invention): global number, current serving node ID1, number of virtual node routing states; the number of routing states of the virtual nodes can be obtained by calculating the number of the adjacent nodes, so that the number of routing states of the virtual nodes can be replaced by the number of the adjacent nodes, and a new embodiment is obtained.
On the basis of the embodiments shown in fig. 9 and 10, a plurality of new embodiments can be obtained by adding any one or more of the following options:
an identifier of the target network for distinguishing different target networks;
the local identification is used for distinguishing a plurality of virtual node routing states with the same global identification or/and distinguishing a plurality of virtual relay node states with the same global identification;
checking information, wherein the checking information is used for checking the integrity of the routing state data of the virtual node or/and the routing state of the virtual node, and includes but is not limited to a data abstract, a Hash value or an MAC code of corresponding data;
digitally signing, namely digitally signing the routing state of the virtual node or/and the state of the virtual relay node by adopting a digital signature algorithm;
The timestamp is used for recording the creation time of the routing state of the virtual node or/and the state of the virtual relay node;
the data digest (or Hash value) of the current virtual node routing state or/and the virtual relay node state, the data digest (or Hash value) of the last virtual node routing state or/and the virtual relay node state, or the data digest (or Hash value) of the current and last virtual node routing states or/and the virtual relay node state.
Further, in one possible design, the private key used for the digital signature described above is stored so that it cannot be read or exported without authorization.
The storage in the above embodiments includes, but is not limited to, any one or more of the following options: local storage, cloud storage and server storage; the local storage method includes but is not limited to: storing the virtual node routing state or/and the virtual relay node state in a memory of the node equipment (wherein, the memory comprises but is not limited to a local memory or a network memory space), and sending the virtual node routing state identification or/and the virtual relay node state identification to the server; cloud storage methods include, but are not limited to: storing a virtual node routing state (or virtual node routing state data) or/and a virtual relay node state on a cloud storage space; server-side storage includes, but is not limited to: and sending the routing state of the virtual node or/and the state of the virtual relay node to one or more servers for storage.
The outputting or sending in the above embodiments includes, but is not limited to, any one or both of the following options: real-time output and passive response output; real-time outputs include, but are not limited to: outputting the created virtual node routing state or/and the virtual relay node state to a memory of the service node equipment or/and a third party server or/and a target receiver indicated by a virtualization instruction in real time; passive response outputs include, but are not limited to: and outputting the virtual node routing state or/and the virtual relay node state to a memory of the service node device or/and a third party server or/and a target receiver indicated by the virtualization instruction according to the virtualization instruction.
Further, in one possible design, the output or transmission in the above embodiments may be an encrypted transmission, including, but not limited to, any one or more of the following options: the encryption transmission is carried out by adopting a symmetric cryptographic algorithm, the encryption transmission is carried out by adopting an asymmetric cryptographic algorithm, and the encryption transmission is carried out by adopting a tunnel mode or a transmission mode of VPN.
The server in the above embodiments may include, but is not limited to, any one or any plurality of the following options: the system comprises a network management device, a network virtualization management device, a service node device, a cloud storage service device and a block chain accounting node device.
The target recipient in the above embodiments may include, but is not limited to, any one or any plurality of the following options: the system comprises a network management device, a network virtualization management device, a service node device, a cloud storage service device and a block chain accounting node device.
The method of the present invention is further described below for a service node with 2 adjacent nodes (fig. 11 is a schematic diagram of an application method of a virtual relay node according to an embodiment of the present invention, showing the service node S, its 2 adjacent nodes B and C, and the virtual relay node VS of the service node S). As shown in fig. 11, assume that the service node S negotiates the shared quantum key packets Ksb and Ksc with the 2 adjacent nodes B and C respectively by the method described above, and that the random number packet Rsvs generated by the service node serves as the shared quantum key packet with VS. From these 3 shared quantum key packets, C(3,2) = 3 virtual node routing states are generated (the virtual relay node state diagram of fig. 12 provided by the embodiment of the present invention shows the virtual node routing states VRS0, VRS1 and VRS2). The virtual relay node state identifier (the node identifier in fig. 12) includes the ID 1201 of the target service node (ID_S), the global number 1202 (000123), the number 1203 of virtual node routing states (3), the data length 1204 (3 × 1 MB, assuming that each virtual node routing state has a data length of 1 MB) and the data type 1205 (hexadecimal). Each virtual node routing state (the state data in fig. 12) includes the ID 1206 of the target service node, the ID 1207 of the first adjacent node, the ID 1208 of the second adjacent node, a data length, the virtual node routing state data 1209, the data digest 1210 of the virtual node routing state, and the local number 1211 of the virtual node routing state.
The specific method is as follows. The service node S negotiates a shared quantum key group with the adjacent nodes B and C respectively by the real-time sharing method or the pre-caching method. The real-time sharing method negotiates a shared quantum key with an adjacent node in real time and processes it into a shared quantum key group by a key preprocessing method; for example, a 1 MB key is negotiated and taken as a shared quantum key group after a group identifier and integrity check information have been created for it. The pre-caching method negotiates the shared quantum key with the adjacent node, processes it into one or more shared quantum key groups by a key preprocessing method, caches them, and then agrees with the adjacent node on one cached group with the same group number at each side; for example, a 10 MB key is negotiated at a time and divided into 10 groups, each group is tested for randomness, a group identifier and integrity check information are created for each group that passes, and each such group is then taken as a shared quantum key group. The service node S also generates a random number packet Rsvs of the same format.
After obtaining the global number of the current virtual node routing states (1202 in fig. 12), S creates the 3 virtual node routing states VRS0, VRS1 and VRS2 from Rsvs, Ksb and Ksc (for example VRS0 = (0, ID_S, ID_VS, ID_B, Rsvs ⊕ Ksb, Hash(Rsvs ⊕ Ksb)), and so on), destroys Ksb and Ksc, and stores Rsvs securely. VRS0, VRS1 and VRS2 are packaged into one virtual relay node state and sent to the server or to the target receiver indicated by the virtualization instruction.
In one possible design, the virtual relay node state shown in fig. 12 may be packaged as a database file, and a virtual node routing state may be uniquely determined by the global number 1202 and the local number 1211 thereof.
In addition, VRS0, VRS1 and VRS2 are correlated: the XOR value of any two of the virtual node routing state data equals the third, e.g. VRS0 ⊕ VRS1 = VRS2. In one possible design, the virtual relay node therefore creates only (C(n,1) − 1) virtual node routing states, n being the number of adjacent nodes of the virtual relay node, so that m states suffice. Other possible designs with substantially equivalent application characteristics also fall within the scope of the present invention.
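An added example for the two designs just described (the database file packaging of fig. 12 and the reduced set of (C(n,1) − 1) states), written for this page rather than taken from the patent. It stores, in an SQLite table keyed by global number and local number, only the m states that pair the virtual relay node's own packet with each adjacent node, and derives any other pair on demand from D(VS,i) ⊕ D(VS,j) = D(i,j). The table columns, the in-memory database and the sample packets are constructions of the example.

```python
from __future__ import annotations

import hashlib
import sqlite3
from typing import Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("key packets must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class VirtualRelayNodeState:
    """Virtual relay node state packaged as a database file (in-memory here).
    Only the m hub states (VS, i) are stored; every other pair is derived."""

    def __init__(self, service_id: str, global_number: int, random_packet: bytes,
                 neighbor_packets: dict, virtual_id: str = "VS", path: str = ":memory:"):
        self.service_id = service_id
        self.global_number = global_number
        self.virtual_id = virtual_id
        self.db = sqlite3.connect(path)
        self.db.execute("""CREATE TABLE IF NOT EXISTS routing_state (
            global_number INTEGER, local_number INTEGER, id_s TEXT,
            id1 TEXT, id2 TEXT, data BLOB, digest TEXT,
            PRIMARY KEY (global_number, local_number))""")
        for local_number, (nid, packet) in enumerate(sorted(neighbor_packets.items())):
            data = xor_bytes(random_packet, packet)
            self.db.execute("INSERT INTO routing_state VALUES (?,?,?,?,?,?,?)",
                            (global_number, local_number, service_id, virtual_id, nid,
                             data, hashlib.sha256(data).hexdigest()))
        self.db.commit()
        # The caller destroys neighbor_packets now; random_packet goes to secure storage.

    def count(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM routing_state WHERE global_number = ?",
                               (self.global_number,)).fetchone()[0]

    def lookup(self, local_number: int) -> Optional[dict]:
        """Fast access by (global number, local number), with digest check."""
        row = self.db.execute(
            "SELECT id1, id2, data, digest FROM routing_state "
            "WHERE global_number = ? AND local_number = ?",
            (self.global_number, local_number)).fetchone()
        if row is None:
            return None
        id1, id2, data, digest = row
        if hashlib.sha256(data).hexdigest() != digest:
            raise ValueError("routing state digest mismatch")
        return {"neighbor_ids": (id1, id2), "data": data}

    def state_for_pair(self, i: str, j: str) -> bytes:
        """Return D(i,j): stored if present, otherwise derived from the two
        hub states, which is why m states carry the same information as C(m+1,2)."""
        stored = {}
        for id1, id2, data in self.db.execute(
                "SELECT id1, id2, data FROM routing_state WHERE global_number = ?",
                (self.global_number,)):
            stored[frozenset((id1, id2))] = data
        if frozenset((i, j)) in stored:
            return stored[frozenset((i, j))]
        return xor_bytes(stored[frozenset((self.virtual_id, i))],
                         stored[frozenset((self.virtual_id, j))])
```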
Fig. 13 is a schematic diagram of a method for creating a virtual service node unit according to an embodiment of the present invention, in which the service node QSN, the local area network A containing the nodes QRN1 and QSNx, and the local area network B containing the nodes QRN2 and QSNy must be logically isolated. The method for creating the virtual service node unit comprises: taking the service node QSN together with local area network A (containing nodes QRN1 and QSNx) as a first target network, and the service node QSN together with local area network B (containing nodes QRN2 and QSNy) as a second target network; the service node QSN then creates a virtual service node unit and the corresponding virtual node routing states or/and virtual relay node state for the first target network and for the second target network respectively.
In a possible design, if the serving node in the embodiment shown in fig. 1 or fig. 2 is adjacent to one or more other serving nodes, the one or more other adjacent serving nodes may or may not be selected as the adjacent node.
Although the data structures of the shared quantum key packet, the virtual node routing state and the virtual relay node state have been described above (including the content options and their ordering for the target data and its identifier, the data type, the data length and so on), the elements or variables of these data structures may be combined in any order without significantly affecting the application performance. Moreover, if an element or variable of a data structure (for example the storage type or the data length) is treated as a global variable, the corresponding data format need not include it; the present invention therefore neither limits the ordering of the elements or variables in a data structure nor the way in which any particular element or variable is implemented. With the same considerations, the present invention does not limit the ordering of elements or variables in the data format, nor the implementation of any particular element or variable. Methods obtained by recombining or reordering the elements of the data structures also fall within the scope of the present invention. Likewise, some content options of the virtual node routing state (or virtual relay node state) identifier above may, in possible designs, be made part of the corresponding virtual node routing state (or virtual relay node state) data, and such designs fall within the scope of the present invention.
Fig. 14 is a schematic diagram illustrating an application apparatus of a service node according to an embodiment of the present invention, where the application apparatus includes:
a transceiver, comprising several interface modules; the transceiver of fig. 14 includes interface modules 1401, 1402, 1403 and 1404. Interface module 1401 reports the topology information of the quantum service node to the quantum network controller 1411 and receives the virtualization instruction issued by the quantum network controller; interface module 1402 sends the virtual node routing state or/and the virtual relay node state to the virtualization server 1412; interface module 1403 negotiates a shared quantum key packet with the adjacent quantum node 1413; interface module 1404 provides a key traffic service or/and a key agreement service for an application device or a server;
the data processing unit 1405: negotiates a shared quantum key packet with the adjacent quantum node 1413 through interface module 1403; also creates the virtual node routing state; optionally also creates the virtual relay node state or/and the virtual relay node; optionally receives the quantum key from the QKD unit 1408;
a random key service unit 1406, configured to generate a random number sequence, group the random number sequence according to a certain data size, perform a randomness test on each group, cache all random key groups that pass the randomness test, and output one or more random key groups and create corresponding association identifiers; wherein, the association identifier is used for positioning a corresponding random key group, and the content of the association identifier includes: the identifier of the application device, the identifier of the associated service node, and the number of the random key packet;
A secure storage unit 1407 for storing key data;
a node virtualization unit 1409 for creating a virtual relay node and a virtual node routing status and/or a virtual relay node status thereof, for storage and output management of the virtual node routing status and/or the virtual relay node status;
a virtual link service unit 1410, configured to provide any one or more of the following services:
direct method A: sending the XOR value of one random key packet of an application terminal associated with the service node and one random key packet of another application terminal to both application terminals;
direct method B: the service node XORs the shared quantum key group it associates with a virtual link with the virtual link data and thereby obtains the shared quantum key group of the other service node associated with that virtual link;
indirect method C: the service node generates a random number packet, XORs the shared quantum key packet it associates with a virtual link with the virtual link data, XORs the result with the random number packet, and sends it to the other service node associated with the virtual link or to a third-party server;
indirect method D: the service node selects a random key group of an application terminal, XORs the shared quantum key group it associates with a virtual link with the virtual link data, XORs the result with the random key group, and sends it to a third-party server, to the application terminal, or to the other service node associated with the virtual link; here the virtual link data is the XOR value of the corresponding shared quantum key groups of the two service nodes associated with the virtual link;
wherein, the virtual node routing state comprises: the exclusive or value and the corresponding identification of the shared quantum key grouping between the target service node and two adjacent nodes; the virtualization instructions are for indicating any one or more of: global identification, data format of sharing quantum key grouping, data structure of virtual node routing state, identification of a target receiver and data transmission mode; the topology information includes: the identification of the service node, and the link state between the service node and each adjacent node; the key data includes any one or any plurality of the following data: shared quantum key grouping, random number grouping, random key grouping.
The virtualization server may include, but is not limited to, any one or more of the following: a network management device, a network virtualization management device, a service node device, a cloud storage service device and a blockchain accounting node device. In one possible design, the virtualization server 1412 and the quantum network controller 1411 may be one integrated device.
Optionally, a QKD unit 1408 (abbreviated as QKD module) is also included in one possible design, the QKD module being configured to negotiate a shared quantum key with an adjacent quantum node and input the shared quantum key to the data processing unit; the QKD module includes: one or more QKD receivers or/and transmitters capable of quantum key distribution with a respective QKD transmitter or/and receiver of a neighboring node; wherein the QKD receiver or/and transmitter includes any one or more of the following options: a discrete variable QKD receiver or/and a discrete variable transmitter, a continuous variable QKD receiver or/and a continuous variable QKD transmitter, a discrete variable QKD receiver or/and a continuous variable transmitter, a continuous variable QKD receiver or/and a discrete variable QKD transmitter.
In one possible design, any one or more of units 1406, 1409 and 1410 above may be omitted.
In one possible design, the calculation of the xor values involved in the virtual link service unit described above is handled by the data processing unit.
In one possible design, the data processing unit is further configured to encapsulate the received virtual relay node states of the other quantum relay nodes and the virtual quantum relay node with the same global number as a virtual quantum network state.
Optionally, a new embodiment is obtained by adding any one or any more of the following units in the above embodiment:
(B1) the storage unit is used for storing the routing state of the virtual node and/or the state of the virtual relay node;
(B2) the identity authentication module is used for authentication of the application device of the service node accessing the quantum network and identity authentication between the application device of the service node and the adjacent node or/and the server, wherein the authentication includes but is not limited to: authentication based on CA certificate, authentication based on initial root key;
(B3) a cryptographic management module, used for data encryption and decryption (including but not limited to encryption and decryption with a symmetric cryptographic algorithm, with an asymmetric cryptographic algorithm, and in VPN tunnel mode or transport mode), digital signatures and calculation of integrity check values;
(B4) an access control module, configured to identify received control commands and service request commands and to respond to legal commands or reject illegal commands, where the identification method includes, but is not limited to: verifying the digital signature of the received instruction; if the signature verifies, the instruction is judged legal, otherwise it is judged illegal;
(B5) an illegal power-on protection module, used to automatically destroy all cached data if the device is illegally powered on or the chassis is illegally opened;
(B6) a private key protection module, used to protect the initial root key or/and the private key used for digital signatures from being illegally accessed or exported;
(B7) a virtual mapping module of the service node, used for application management of the virtual node routing state and the virtual relay node state, and for sending the virtual node routing state or the virtual relay node state with a specific number to a server, or to a target receiver indicated by the server instruction, according to the instruction of the quantum network controller or the server.
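Units (B3) and (B4) above, together with the check information, timestamp and previous-state hash listed in claim 15, amount to a verifiable record format for routing states: the receiver validates the integrity value before acting on a state or instruction and rejects anything that fails. The following Python is an added example, not the patent's code: it uses an HMAC-SHA256 tag as the "MAC code" option of claim 15 (a public-key signature, the (B4) option, would slot into the same verify-then-accept structure), a SHA-256 digest of the record as the "data digest of the last virtual node routing state", and a constructed key and field layout.

```python
"""Added example: checkable virtual node routing state records (MAC, digest, chain).

Not the patent's code. The JSON field layout, the HMAC key and the sample
states are constructed for this example.
"""
import hashlib
import hmac
import json

HASHED_FIELDS = ("ident", "xors", "timestamp", "prev_hash")


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so digests and MACs are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def state_digest(body: dict) -> str:
    """Data digest of the current routing state (claim 15's hash value option)."""
    return hashlib.sha256(canonical({k: body[k] for k in HASHED_FIELDS})).hexdigest()


def build_record(ident: dict, xors: dict, timestamp: int, prev_record, mac_key: bytes) -> dict:
    """Wrap one node's C(m+1,2) XOR values in a record carrying identifier,
    timestamp, digest of the previous state, own digest and a MAC over the body."""
    body = {
        "ident": ident,
        "xors": {"|".join(map(str, k)): v.hex() for k, v in xors.items()},
        "timestamp": timestamp,
        "prev_hash": prev_record["body"]["hash"] if prev_record else None,
    }
    body["hash"] = state_digest(body)
    mac = hmac.new(mac_key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_record(record: dict, mac_key: bytes, prev_record=None) -> bool:
    """Check MAC first (constant-time), then the digest, then the chain link."""
    body = record.get("body")
    if not isinstance(body, dict) or not isinstance(record.get("mac"), str):
        return False
    if not all(k in body for k in HASHED_FIELDS + ("hash",)):
        return False
    expected = hmac.new(mac_key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["mac"]):
        return False
    if body["hash"] != state_digest(body):
        return False
    if prev_record is not None and body["prev_hash"] != prev_record["body"]["hash"]:
        return False
    return True


def classify_instruction(record: dict, mac_key: bytes, prev_record=None) -> str:
    """Access-control decision in the (B4) style: respond to legal, reject illegal."""
    return "legal" if verify_record(record, mac_key, prev_record) else "illegal"


def demo() -> dict:
    key = b"constructed-mac-key-for-this-example-only"
    ident1 = {"global_id": 1, "node": "R1", "prev_hop": "A", "next_hop": "R2"}
    r1 = build_record(ident1, {(1, "R1", "A", "R2"): bytes(16)}, 1700000000, None, key)
    ident2 = {**ident1, "global_id": 2}
    r2 = build_record(ident2, {(2, "R1", "A", "R2"): bytes(range(16))}, 1700000060, r1, key)
    tampered = json.loads(json.dumps(r2))  # deep copy, then alter the XOR values
    tampered["body"]["xors"] = {k: "ff" * 16 for k in tampered["body"]["xors"]}
    return {
        "r2_ok": verify_record(r2, key, r1),
        "tampered_rejected": verify_record(tampered, key, r1),
        "wrong_key_rejected": verify_record(r2, b"some-other-key", r1),
        "broken_chain_rejected": verify_record(r2, key, r2),
        "decision": classify_instruction(r2, key, r1),
    }


if __name__ == "__main__":
    print(demo())
```

The MAC is checked before anything else is parsed further, so a forged or corrupted record is rejected without its contents ever influencing key handling; the chain link makes a replayed older state (one whose previous-digest does not match the receiver's last accepted record) detectable.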
In a possible design, the system further comprises a logical isolation module, which divides the application device of the service node into a security domain unit and an open domain unit; wherein the security domain unit comprises: the data processing unit, and optionally also a QKD module or/and a cryptographic management module; the open domain unit comprises: the transceiver and the node virtualization module.
Further, in one possible design, the transceiver further includes a 5G mobile communication module, used to send the virtual relay node state to a server or to a target receiver indicated by the server instruction, and also used to provide the virtual quantum link service. In another possible design, the transceiver may instead employ other wireless communication modes (including but not limited to communication based on a mobile communication network, on a communication satellite channel or on a WIFI network) to transmit the virtual relay node state to the server or the target recipient indicated by the server instruction and to provide the virtual quantum link service.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus (or system), or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (or systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the invention has been described in conjunction with specific features and embodiments thereof, it will be evident that various modifications and combinations can be made thereto without departing from the spirit and scope of the invention. Accordingly, the specification and figures are merely exemplary of the invention as defined in the appended claims and are intended to cover any and all modifications, variations, combinations, or equivalents within the scope of the invention. It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (27)

1. An application method of a service node, comprising: the service node negotiates a shared key group with m adjacent nodes in a target network respectively and creates group identifications, confirms the negotiated shared key group and the global identifications of the virtual node routing states used by the negotiated shared key group with each adjacent node respectively, updates the identifications of the shared key group to corresponding global identifications when the identifications of the shared key group are inconsistent with the corresponding global identifications, and safely stores m shared key groups,
creating a virtual relay node, generating a random number packet, using the random number packet as one shared key packet between the virtual relay node and the service node, calculating the exclusive-or value of any two of the (m+1) shared key packets and creating corresponding identifications, sending the C(m+1,2) exclusive-or values and their identifications to a server or a target receiver indicated by the virtualization instruction, and securely storing the random number packet at the service node, wherein C(m+1,2) is the number of combinations of 2 chosen from m+1, the random number packet and the shared key packets have the same data format, and the packet identification of the random number packet is consistent with the corresponding global identification.
2. The method for applying the service node according to claim 1, comprising: creating node state identifiers for the C(m+1,2) exclusive-or values and their identifiers, or encapsulating the C(m+1,2) exclusive-or values, their identifiers and their node state identifiers into one data file, wherein the node state identifiers include: the identification of the service node, the global identification, the number of virtual node routing states, or the number of adjacent nodes.
3. The method for applying a service node according to claim 1 or 2, comprising: before creating the grouping identification, obtaining the global identification, wherein the method for obtaining the global identification comprises the step of determining the current global identification according to the virtualization instruction or the step of determining the current global identification according to the last global identification.
4. The method for applying the service node according to claim 1 or 2, comprising: after the creation of the C(m+1,2) exclusive-or values and their identifications is completed, the corresponding m shared key groups are destroyed.
5. The method for applying the service node according to claim 4, comprising: the service node and the virtual relay node are provided with logical isolation, and the virtual relay node cannot read the key data of the service node, wherein the key data comprises any one or more of the following: shared key groupings, random number groupings, random key groupings.
6. The method for applying the service node according to claim 5, comprising: if the m adjacent nodes of the service node need to be logically isolated, first a plurality of mutually logically isolated virtual service node units are created for the m adjacent nodes according to the logical isolation requirement, and then a corresponding virtual node routing state is created for each virtual service node unit.
7. The method for applying the service node according to claim 6, comprising: the service node reports its topology information to a network controller or a server, wherein the topology information comprises: the identification of the service node, and the link state between the service node and each adjacent node.
8. The method for applying the service node according to claim 7, comprising: the service node receives a virtualization instruction issued by a network controller or a server, wherein the virtualization instruction indicates any one or more of the following: the global identification, the data format of the shared key grouping, the data structure of the virtual node routing state, the data structure of the virtual relay node state, the identification of the target receiver and the data transmission mode.
9. The method for applying the service node according to claim 8, comprising: distributing one or more of the securely stored shared key packets or random number packets to a proxy device of the service node, wherein the proxy device performs the application function of the corresponding service node using the obtained shared key packets or random number packets.
10. The method according to claim 9, comprising: providing a random key packet service, comprising the steps of: generating a random number sequence, grouping it according to a certain data size, performing a randomness test on each group, caching the random key groups that pass the randomness test, providing one or more random key groups to an application device and creating an association identifier, and securely storing the random key groups and their association identifiers, wherein the secure storage comprises: encrypted storage, or non-encrypted physically protected storage,
wherein the association identifier is used to locate the corresponding random key packet, and its content comprises the identifier of the application device, the identifier of the associated service node and the number of the random key packet.
11. The method according to claim 10, comprising: receiving the states of other relay nodes and virtual relay nodes and packaging the virtual relay node states with the same global identification into one data file, or selecting a relay link between any two service nodes, performing an XOR operation on the virtual node routing state data corresponding to each relay node on the relay link in the virtual network state, and taking the XOR result as the virtual link data between the two service nodes.
12. The method according to claim 11, comprising: a virtual link service, comprising any one or more of the following options: the first direct method: the exclusive-or value of a random key packet of an application terminal associated with the service node and a random key packet of another associated application terminal is transmitted to each of the two application terminals,
the second direct method comprises the following steps: the service node calculates the exclusive or value of the shared key packet associated with one virtual link and the virtual link data and obtains the shared key packet of another service node associated with the virtual link,
the first indirect method: the service node generates a random number packet, calculates the exclusive-or value of the shared key packet associated with the service node and a virtual link and the virtual link data, and sends the exclusive-or value of that result and the random number packet to another service node or a third-party server associated with the virtual link,
the second indirect method: the service node selects a random key group of the application terminal, calculates the exclusive-or value of the shared key group associated with the service node and a virtual link and the virtual link data, and sends the exclusive-or value of that result and the random key group to a third-party server, the application terminal or another service node associated with the virtual link, wherein the virtual link data is the exclusive-or value of the corresponding shared key groups of the two service nodes associated with the virtual link.
13. The method of claim 1, wherein negotiating a shared key packet comprises: a real-time sharing method, or a pre-caching method, wherein,
the real-time sharing method comprises the following steps: the service node and the adjacent node negotiate a certain amount of shared secret keys in real time, and the certain amount of shared secret keys are used as a shared secret key group, or further, the service node and the adjacent node respectively divide the shared secret keys into one or more groups by adopting the same data format, carry out randomness test on each group by adopting the same randomness test method, and use a group passing the randomness test as a shared secret key group,
the pre-caching method comprises the following steps: the service node negotiates a certain amount of shared secret keys with an adjacent node, both sides divide the shared secret keys into one or more groups using the same data format, test the randomness of each group using the same randomness test method, cache each group passing the randomness test and create group identifications, and negotiate with each other to select from the cached groups one group with the same group number as the shared secret key group,
wherein the negotiating an amount of shared keys comprises any one of the following methods: the method comprises the steps of negotiating a shared key with a plurality of adjacent nodes in sequence, simultaneously negotiating the shared key with the adjacent nodes, and negotiating the shared key with the corresponding adjacent nodes according to a network system instruction, wherein the negotiation of the shared key comprises the occupation of the whole bandwidth of a key negotiation channel or the occupation of only part of the bandwidth of the whole key negotiation channel.
14. The method of claim 1, wherein the identification of the shared key packet or/and the random number packet comprises: a packet number, a link identification of the current service node and the neighboring node, or an identification of the current service node and the neighboring node, wherein the packet number adopts a local number or a global identification, and in the case of adopting the local number, after a certain shared key packet or/and a random number packet is used for creating a virtual node routing state, the corresponding local number is changed into the global identification of the corresponding virtual node routing state,
the content of the virtual node routing state identifier comprises: the global identification, the route identifications of the previous adjacent node and the next adjacent node that connect to the current service node, the identification of the current service node, the identification of the first adjacent node and the identification of the second adjacent node.
15. The method as claimed in claim 14, wherein the content of the virtual node routing state identifier further comprises any one or more of the following:
identification of the target network, for distinguishing between different target networks,
check information, used to check the integrity of the virtual node routing state data or/and the virtual node routing state identifier, comprising a data digest of the corresponding data, or a hash value, or a MAC code,
a digital signature, produced over the virtual node routing state with a digital signature algorithm,
a timestamp for recording a creation time of a virtual node routing state,
the data abstract or the Hash value of the routing state of the current virtual node, the data abstract or the Hash value of the routing state of the last virtual node or the data abstract or the Hash value of the routing state of the current virtual node and the last virtual node.
16. The application method of a service node according to claim 1, wherein said sending comprises any one or more of the following options: real-time transmission, passive response transmission, wherein,
the real-time transmission comprises the following steps: outputting the created virtual node routing state to a memory of the service node device or/and a third party server or/and a target receiver indicated by the virtualization instruction in real time,
the passive response transmission includes: and outputting the routing state of the virtual node to a storage of the service node equipment or/and a third party server or/and a target receiver indicated by the virtualization instruction according to the virtualization instruction.
17. The method according to claim 1 or 16, wherein the sending comprises: encrypted transmission, the encrypted transmission including any one of the following options: encryption with a symmetric cryptographic algorithm, encryption with an asymmetric cryptographic algorithm, and VPN tunnel mode or transport mode.
18. The method of claim 10, wherein providing the one or more random key packets to the application device comprises: either directly, or indirectly, wherein,
The direct mode includes the service node sending one or more random key packets to the application device, and the indirect mode includes the service node importing one or more random key packets to the mobile storage device or the portable device, and the mobile storage device or the portable device importing the one or more random key packets to the application device.
19. An application apparatus of a service node, comprising:
a transceiver, used to report the topology information of the quantum service node to the quantum network controller and to receive a virtualization instruction sent by the quantum network controller,
a data processing unit for negotiating a shared key packet with neighboring nodes, confirming the negotiated shared key packet and a global identifier of a virtual node routing state used for creation thereof with each neighboring node, respectively, updating the identifier of the shared key packet to a corresponding global identifier in case the identifier of the shared key packet is not identical to the corresponding global identifier, or, further, creating a virtual relay node, creating a virtual node routing state,
a secure storage unit for storing key data,
wherein, the virtual node routing state comprises: the xor value of the shared key packet between the target serving node and the two neighboring nodes and their corresponding identities,
The virtualization instructions are for indicating any one or more of: global identification, data format of shared key grouping, data structure of virtual node routing state, identification of target receiver, data transmission mode,
the topology information includes: the identity of the serving node, the link state between the serving node and each neighboring node,
the key data includes any one or any plurality of the following data: shared key grouping, random number grouping, random key grouping.
20. The apparatus of claim 19, further comprising: a random key service unit, configured to generate a random number sequence, group it into random key packets of a certain data size, perform a randomness test on each packet, cache all random key packets that pass the randomness test, and output one or more random key packets and create a corresponding association identifier, where the association identifier is used to locate the corresponding random key packet and its content comprises: the identifier of the application device, the identifier of the associated service node, and the number of the random key packet.
21. The application device of a service node according to claim 19 or 20, comprising: a QKD module for negotiating a shared quantum key with an adjacent quantum node and inputting the shared quantum key into a data processing unit, comprising: one or more QKD receivers or/and transmitters capable of quantum key distribution with a respective QKD transmitter or/and receiver of a neighboring node, the QKD receivers or/and transmitters including any one or more of the following options: a discrete variable QKD receiver or/and a discrete variable transmitter, a continuous variable QKD receiver or/and a continuous variable QKD transmitter, a discrete variable QKD receiver or/and a continuous variable transmitter, a continuous variable QKD receiver or/and a discrete variable QKD transmitter.
22. The application device of the service node according to claim 19 or 20, further comprising: a node virtualization unit, used to create the virtual relay node and its virtual node routing state and/or virtual relay node state, and to store and output the virtual node routing state and/or the virtual relay node state.
23. The application device of the service node according to claim 19 or 20, further comprising: a virtual link service unit for providing any one or more of the following: the first direct method: the exclusive-or value of a random key packet of an application terminal associated with the service node and a random key packet of another associated application terminal is transmitted to each of the two application terminals,
the second direct method: the service node calculates the exclusive-or value of the shared key packet associated with one virtual link and the virtual link data, and thereby obtains the shared key packet of the other service node associated with that virtual link,
the first indirect method: the service node generates a random number packet, calculates the exclusive-or value of the shared key packet associated with the service node and a virtual link and the virtual link data, and sends the exclusive-or value of that result and the random number packet to another service node or a third-party server associated with the virtual link,
the second indirect method: the service node selects a random key group of the application terminal, calculates the exclusive-or value of the shared key group associated with the service node and a virtual link and the virtual link data, and sends the exclusive-or value of that result and the random key group to a third-party server, the application terminal or another service node associated with the virtual link, wherein the virtual link data is the exclusive-or value of the corresponding shared key groups of the two service nodes associated with the virtual link.
24. The application device of the service node according to any one of claims 19 or 20, further comprising any one or more of the following units:
a storage unit for storage of virtual node routing states and/or virtual relay node states,
the identity authentication module is used for authenticating the access of the application device of the service node to the quantum network and authenticating the application device of the service node with the adjacent node or/and the server, wherein the authentication comprises the following steps: CA certificate based authentication, initial root key based authentication,
a cryptographic management module, used for data encryption and decryption, digital signatures and integrity check value calculation, where the data encryption and decryption comprise: encryption and decryption with a symmetric cryptographic algorithm, with an asymmetric cryptographic algorithm, and in VPN tunnel mode or transport mode,
an access control module, used to identify received control commands and service request commands and to respond to legal commands or reject illegal commands, where the identification method comprises: verifying the digital signature of the received instruction; if it verifies, the instruction is judged legal, otherwise it is judged illegal,
an illegal power-on protection module, which automatically destroys all cached data and stored key data if the device is illegally powered on or the chassis is illegally opened,
a private key protection module, used to protect the initial root key or/and the private key used for digital signatures from being illegally accessed or exported,
a virtual mapping module of the service node, used for application management of the virtual node routing state and the virtual relay node state, which sends the virtual node routing state or the virtual relay node state to a server or to a receiver indicated by the server instruction, according to the instruction of a network controller or the server, so as to provide the virtual link service.
25. The application device of a service node according to claim 19 or 20, comprising: a logical isolation module that partitions the application device of the service node into a security domain unit and an open domain unit, wherein
the security domain unit comprises: the data processing unit and the secure storage unit, and optionally further any one or more of the following modules: a QKD module, a cryptographic module, a random key grouping service module, wherein the QKD module is used to negotiate a quantum key with an adjacent node and provide the quantum key to the data processing unit,
the open domain unit includes: a transceiver and a node virtualization module.
26. The application device of a service node according to claim 19, wherein the data processing unit is further configured to provide a virtualization service, comprising: receiving the virtual relay node states of other quantum relay nodes and virtual quantum relay nodes, and packaging the virtual relay node states with the same global number into one data file.
27. The apparatus as claimed in claim 19, wherein the transceiver further comprises: the wireless communication module is used for sending the virtual relay node state to a server or a receiving party indicated by a server instruction and providing a virtual quantum link service, wherein the wireless communication comprises communication based on a mobile communication network, communication based on a communication satellite channel and communication based on a WIFI network.
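Claims 10, 13 and 20 describe the random key packet service as one procedure: generate a random sequence, split it into groups of a fixed data size, run a randomness test on each group, cache only the groups that pass, and hand packets to an application device under an association identifier (application id, service node id, packet number) that later locates the packet in secure storage. The following Python is an added example of that procedure, not the patent's code: the 32-byte packet size, the NIST SP 800-22 frequency (monobit) test standing in for the unspecified "randomness test", the in-memory dictionary standing in for secure storage, and the sample byte sequences are all constructed for this example.

```python
"""Added example: random key packet service with grouping, randomness test and
association identifiers. Not the patent's code; packet size, test choice and
storage are constructed stand-ins.
"""
import math
import os


def monobit_passes(packet: bytes, alpha: float = 0.01) -> bool:
    """NIST SP 800-22 frequency (monobit) test on one packet.

    S_n = (#ones - #zeros); s_obs = |S_n| / sqrt(n); p = erfc(s_obs / sqrt(2)).
    The packet passes when p >= alpha.
    """
    n = len(packet) * 8
    ones = sum(bin(b).count("1") for b in packet)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    p_value = math.erfc(s_obs / math.sqrt(2))
    return p_value >= alpha


class RandomKeyService:
    """Random key packet service of one service node (constructed example)."""

    def __init__(self, node_id: str, packet_len: int = 32, rng=os.urandom):
        self.node_id = node_id
        self.packet_len = packet_len
        self.rng = rng              # entropy source; os.urandom by default
        self.cache = []             # packets that passed the randomness test
        self.issued = {}            # association identifier -> packet (secure storage stand-in)
        self.counter = 0            # packet number, part of the association identifier

    def fill(self, n_bytes: int) -> tuple:
        """Generate a sequence, group it by packet_len, test each group.

        Returns (accepted, rejected); only accepted groups enter the cache.
        """
        seq = self.rng(n_bytes)
        full = len(seq) - len(seq) % self.packet_len   # drop a trailing partial group
        groups = [seq[i:i + self.packet_len] for i in range(0, full, self.packet_len)]
        accepted = rejected = 0
        for group in groups:
            if monobit_passes(group):
                self.cache.append(group)
                accepted += 1
            else:
                rejected += 1
        return accepted, rejected

    def provide(self, app_id: str, count: int) -> list:
        """Hand `count` packets to an application device, each under an
        association identifier (application id, service node id, packet number)."""
        if count > len(self.cache):
            raise RuntimeError("random key cache exhausted; refill first")
        out = []
        for _ in range(count):
            packet = self.cache.pop(0)
            self.counter += 1
            assoc = (app_id, self.node_id, self.counter)
            self.issued[assoc] = packet
            out.append((assoc, packet))
        return out

    def locate(self, assoc: tuple) -> bytes:
        """Look up a previously issued packet by its association identifier."""
        return self.issued[assoc]


def demo() -> dict:
    """Constructed sequence: an all-zero group, an alternating group, an all-ones
    group and a second patterned group, so the test outcome is deterministic."""
    sample = b"\x00" * 32 + b"\x55" * 32 + b"\xff" * 32 + b"\xa5" * 32
    svc = RandomKeyService("S1", packet_len=32, rng=lambda n: sample[:n])
    accepted, rejected = svc.fill(len(sample))
    issued = svc.provide("app1", 2)
    return {
        "accepted": accepted,
        "rejected": rejected,
        "first_assoc": issued[0][0],
        "located_matches": svc.locate(issued[0][0]) == issued[0][1],
    }


if __name__ == "__main__":
    print(demo())
```

The constructed sample shows why the claims leave the test method open: the monobit test rejects the all-zero and all-one groups but accepts the alternating 0x55 pattern, which has a perfectly balanced bit count and no randomness at all. A deployed service would run the fuller SP 800-22 battery (block frequency, runs, serial and entropy tests) before a group is cached, and would keep `issued` in the encrypted or physically protected storage claim 10 requires rather than in process memory.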
CN201910820386.3A 2019-09-01 2019-09-01 Application method and device of service node Active CN110690962B (en)

Publications (2)

Publication Number Publication Date
CN110690962A CN110690962A (en) 2020-01-14
CN110690962B true CN110690962B (en) 2022-06-28

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111262699A (en) * 2020-03-03 2020-06-09 成都量安区块链科技有限公司 Quantum security key service method and system
CN114172638B (en) * 2020-09-11 2024-04-30 军事科学院系统工程研究院网络信息研究所 Quantum encryption communication method and system based on multi-model data fusion
CN113193958B (en) * 2021-05-10 2023-07-07 成都量安区块链科技有限公司 Quantum key service method and system
CN114124369B (en) * 2021-09-16 2023-08-29 国科量子通信网络有限公司 Multi-group quantum key cooperation method and system
CN114071461B (en) * 2021-11-12 2023-11-03 江苏亨通问天量子信息研究院有限公司 5G communication module based on quantum key encryption

Citations (4)

Publication number Priority date Publication date Assignee Title
CN104243143A (en) * 2013-06-08 2014-12-24 安徽量子通信技术有限公司 Mobile secret communication method based on quantum key distribution network
CN108023725A (en) * 2016-11-04 2018-05-11 华为技术有限公司 Quantum key relay method and device based on a centralized management and control network
CN108270557A (en) * 2016-12-30 2018-07-10 科大国盾量子技术股份有限公司 Backbone system based on quantum communication and relay method thereof
CN109995512A (en) * 2017-12-29 2019-07-09 成都零光量子科技有限公司 Mobile security application method based on a quantum key distribution network

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US7535856B2 (en) * 2005-02-19 2009-05-19 Cisco Technology, Inc. Techniques for zero touch provisioning of edge nodes for a virtual private network

Also Published As

Publication number Publication date
CN110690962A (en) 2020-01-14

Similar Documents

Publication Publication Date Title
CN110690962B (en) Application method and device of service node
CN110690928B (en) Quantum relay link virtualization method and device
CN112926982B (en) Transaction data processing method, device, equipment and storage medium
CN110661620B (en) Shared key negotiation method based on virtual quantum link
CN110690961B (en) Quantum network function virtualization method and device
US11804967B2 (en) Systems and methods for verifying a route taken by a communication
CN110677241B (en) Quantum network virtualization architecture method and device
CN110690960B (en) Routing service method and device of relay node
CN101300806B (en) System and method for processing secure transmissions
CN112367163B (en) Quantum network virtualization method and device
US11336627B2 (en) Packet inspection and forensics in an encrypted network
CN107078898A Method for establishing a secure private interconnection over a multi-path network
CN114157415A (en) Data processing method, computing node, system, computer device and storage medium
CN113193957A (en) Quantum key service method and system separated from quantum network
CN114142995B (en) Key security distribution method and device for block chain relay communication network
CN115766002A (en) Method for realizing encryption and decryption of Ethernet data by adopting quantum key distribution and software definition
CN113193958B (en) Quantum key service method and system
CN110557253A (en) Relay route acquisition method, device and application system
CN112367160A (en) Virtual quantum link service method and device
CN112367124B (en) Quantum relay node virtualization method and device
CN112367161A (en) Relay node function virtualization method and device
CN116166749A (en) Data sharing method and device, electronic equipment and storage medium
CN116155483A (en) Block chain signing machine safety design method and signing machine
CN114826702A (en) Database access password encryption method and device and computer equipment
CN114143038A (en) Key secure distribution method and device for block chain relay communication network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant