CN111385087B - Reliable key relay method and system thereof - Google Patents

Reliable key relay method and system thereof Download PDF

Info

Publication number
CN111385087B
CN111385087B CN201811612140.9A CN201811612140A CN111385087B CN 111385087 B CN111385087 B CN 111385087B CN 201811612140 A CN201811612140 A CN 201811612140A CN 111385087 B CN111385087 B CN 111385087B
Authority
CN
China
Prior art keywords
key
relay
node
forwarding
amount
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811612140.9A
Other languages
Chinese (zh)
Other versions
CN111385087A (en
Inventor
尹飞
杨国梁
王学富
于林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Institute Of Quantum Science And Technology Co ltd
Original Assignee
Shandong Institute Of Quantum Science And Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Institute Of Quantum Science And Technology Co ltd filed Critical Shandong Institute Of Quantum Science And Technology Co ltd
Priority to CN201811612140.9A priority Critical patent/CN111385087B/en
Publication of CN111385087A publication Critical patent/CN111385087A/en
Application granted granted Critical
Publication of CN111385087B publication Critical patent/CN111385087B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • H04L9/0855Quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/10Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L43/106Active monitoring, e.g. heartbeat, ping or trace-route using time related information in packets, e.g. by adding timestamps
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/20Hop count for routing purposes, e.g. TTL
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Cardiology (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a reliable key relay method and a system thereof, wherein the method comprises the following steps: and the source node sends a first key relay frame to the destination node through the key relay path to confirm the key relay forwarding capability of each forwarding node, when the path key amount of all the forwarding nodes meets the relay forwarding key amount, the destination node returns a successful key relay confirmation response to the source node, and the source node sends the next key relay frame to the destination node until the transmission of all the relay keys is completed, otherwise, the source node abandons the subsequent key relay. According to the key routing table calculated by the key routing, the invention applies and confirms the forwarding condition of each node in the key relay forwarding process, thereby fundamentally solving the problem of key relay failure.

Description

Reliable key relay method and system thereof
Technical Field
The invention belongs to the technical field of quantum communication, and particularly relates to a reliable key relay method and a system thereof.
Background
Along with the development of network information, the network affects all aspects of people's life, the security requirement is higher and higher, the security requirement on people's network activities is higher and higher, the encryption or authentication technology of service data meets the security requirement of people on own data and some related data in the network activities, and the security and confidentiality of the network are ensured. Quantum communication brings revolutionary development to information security due to the characteristics of unconditional security, high efficiency and the like, and is the main research direction of data secret transmission at present.
With the increasing construction of quantum communication networks at present, the networks are increasingly large, two quantum key management devices separated by thousands of kilometers need to generate a shared symmetric key through a key relay service, a long key relay forwarding path needs to pass through in the middle, and a key relay forwarding node on the path is likely to cause relay failure due to the limitation of traffic and key quantity. To solve this problem, quantum communication networks now perform control of the key relay forwarding path through key routing computation. And the key routing calculation uniformly plans the key relay forwarding path by collecting the key quantity information of each node.
However, in the quantum key relay method in the prior art, statistical calculation is performed by collecting key amount information of each node, timeliness is poor, and key routing cannot be updated in time when the key is secondary, so that the problem of quantum key relay failure can be only solved, but the problem cannot be solved at all.
In summary, how to fundamentally solve the problem of quantum key relay failure is still lack of an effective solution.
Disclosure of Invention
The invention provides a reliable key relay method and a system thereof in order to solve the problems that the prior quantum key relay method can not solve the problem of quantum key relay failure fundamentally, and the invention provides a reliable key relay method and a system thereof under the condition that the prior quantum communication network calculates through key routing.
A first object of the present invention is to provide a reliable key relay method.
In order to achieve the purpose, the invention adopts the following technical scheme:
a method of reliable key relay, the method comprising:
and the source node sends a first key relay frame to the destination node through the key relay path to confirm the key relay forwarding capability of each forwarding node, when the path key amount of all the forwarding nodes meets the relay forwarding key amount, the destination node returns a successful key relay confirmation response to the source node, and the source node sends the next key relay frame to the destination node until the transmission of all the relay keys is completed, otherwise, the source node abandons the subsequent key relay.
Further, the key relay frame includes a relay number, a relay forwarding key amount, and a current relay key.
Furthermore, the key mark states of the keys in all the forwarding nodes are three states which can be mutually converted, including a free key, a pre-application key and a key to be transmitted; and reserving keys for key relay forwarding in the key pool of each forwarding node in advance through the pre-application key and the state of the key to be transmitted.
Further, the free key is a state marked on the original key;
the pre-application key is the state of a key mark for the amount of the pre-applied relay forwarding key amount when the path key amount of the forwarding node meets the relay forwarding key amount;
and the key to be transmitted is the state of the pre-application key or the free key mark when the forwarding node receives the successful key relay confirmation response.
Further, before confirming the key relay forwarding capability of each forwarding node, the source node and each forwarding node receive a quantum key routing table issued by the server, where the quantum key routing table includes a destination node, a next hop node to the destination node, a full-path hop count and a path key quantity, and the path key quantity is a key quantity value of one hop with the smallest key quantity on the key relay path.
Further, the source node and each forwarding node statically configure a quantum key routing table at the node, where the quantum key routing table includes a destination node, a next-hop node to the destination node, a full-path hop count, and a path key quantity, and the path key quantity is a key quantity value of a hop with the smallest key quantity on a key relay path.
Further, the specific step of the source node sending the key relay frame to the destination node via the key relay path includes:
the source node sends a key relay frame containing the current relay key to the next hop forwarding node according to the quantum key routing table, and the source node encrypts the current relay key by adopting a shared key of the next hop forwarding node;
and the forwarding node receives the key relay frame, judges whether the path key quantity of the forwarding node meets the relay forwarding key quantity according to the quantum key routing table, if so, continuously encrypts and forwards the key relay frame containing the current relay key until the destination node, otherwise, returns a failed key relay confirmation response to the source node, and the source node abandons the subsequent key relay.
Further, when the path key amount of the forwarding node satisfies the relay forwarding key amount, recording the key information of the current node and the next hop node, and pre-applying the key of the relay forwarding key amount in the key pool of the current forwarding node and marking the pre-applied key as the pre-applied key.
Further, the specific step of the destination node returning a successful key relay confirmation response to the source node includes:
the destination node returns a key relay return frame containing a successful key relay confirmation response to the previous hop forwarding node;
and the last hop forwarding node receives the key relay return frame, marks the pre-applied key in the key pool of the forwarding node as the key to be transmitted, and continues to forward the key relay return frame containing the successful key relay confirmation response until the source node.
Further, when the path key amount of the forwarding node does not meet the relay forwarding key amount, the forwarding node returns a key relay return frame containing a failed key relay confirmation response to the previous hop forwarding node;
and the last hop forwarding node receives the key relay return frame, releases the pre-applied key in the key pool of the forwarding node as a free key, and continues to forward the key relay return frame containing the failed key relay confirmation response until the source node.
Further, a first timeout time threshold is preset, the forwarding node does not receive a returned key relay return frame containing a key relay acknowledgement response when the first timeout time threshold is exceeded, and the pre-application key in the forwarding node key pool is released as a free key.
Further, a second timeout threshold is preset, the second timeout threshold is greater than the first timeout threshold, the forwarding node does not use the key to be transmitted for key relay forwarding when the second timeout threshold is exceeded, and the key to be transmitted in the forwarding node key pool is released as a free key.
Further, when the forwarding node receives a key relay return frame containing a successful key relay confirmation response and a pre-application key does not exist in the forwarding node key pool, whether the path key quantity of the forwarding node meets the relay forwarding key quantity is judged according to the quantum key routing table, if yes, keys of the relay forwarding key quantity in the forwarding node key pool are marked as keys to be transmitted, and otherwise, a key relay return frame containing a failed key relay confirmation response is returned to the previous hop node.
It is a second object of the invention to provide a reliable key relay system.
In order to achieve the purpose, the invention adopts the following technical scheme:
a reliable key relay system is based on any reliable key relay method and comprises a source node, a destination node and a forwarding node.
Further, the system also comprises a server end which is configured to issue the quantum key routing table to each node.
The invention has the beneficial effects that:
1. according to the reliable key relay method and the system thereof, the confirmation of the key relay forwarding capacity is carried out through the key relay frame sent to each node, the subsequent data transmission can be completed only when the path key quantity of all forwarding nodes on the path meets the key quantity of relay forwarding, and the application and confirmation are carried out on the forwarding condition of each node when the key relay forwarding process is carried out, so that the problem of relay failure is fundamentally solved.
2. The invention relates to a reliable key relay method and a system thereof, which mark three different states for keys in a key pool: the key to be used for key relay forwarding is reserved in advance through the states of the pre-applied key and the key to be transmitted, and the success rate of key relay is improved.
3. According to the reliable key relay method and the system thereof, the key identification state is added with an overtime mechanism, a first overtime time threshold value is preset, the forwarding node does not receive a returned key relay frame containing a successful key relay confirmation response when exceeding the first overtime time threshold value, the pre-applied key in the key pool of the forwarding node is released into a free key, and the occupied key can be effectively released when the process is abnormal.
Drawings
FIG. 1 is a schematic diagram of a key topology of the present invention;
FIG. 2 is a representation of quantum key routing for each node of the present invention;
FIG. 3 is a key relay initiation diagram of the present invention;
fig. 4 is a first schematic diagram of key relay forwarding according to the present invention;
FIG. 5 is a second diagram of key relay forwarding according to the present invention;
FIG. 6 is a first diagram of a key relay response according to the present invention;
FIG. 7 is a second diagram of a key relay response according to the present invention;
FIG. 8 is a first diagram of a key relay failure response of the present invention;
FIG. 9 is a diagram illustrating a key signing state according to the present invention;
FIG. 10 is a schematic diagram of the present invention converted to a free key;
FIG. 11 is a schematic illustration of the present invention in relation to a relabeling process;
fig. 12 is a second diagram illustrating a key relay failure response according to the present invention.
Detailed Description
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure herein. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
The embodiments and features of the embodiments in the present application may be combined with each other without conflict. The invention is further described with reference to the following figures and examples.
Example 1:
the object of this embodiment 1 is to provide a reliable key relay method.
A method of reliable key relay, the method comprising: the source node sends a first key relay frame to the destination node through the key relay path to confirm the key relay forwarding capability of each forwarding node, when the path key amount of all the forwarding nodes meets the relay forwarding key amount, the destination node returns a successful key relay confirmation response to the source node, and the source node sends the next key relay frame to the destination node until the transmission of all the relay keys is completed, otherwise, the source node gives up the subsequent key relay.
As shown in the key topology of fig. 1, the key amount from the source node Y3 to the forwarding node X3 is 400, the key amount from the forwarding node X3 to the forwarding node X1 is 200, and the key amount from the forwarding node X1 to the destination node Y7 is 490. The server side obtains a key relay path from the source node Y3 to the destination node Y7 after the key routing calculation as follows: y3- > X3- > X1- > Y7.
The key amount from one node to another node refers to the quantum key amount shared between the two nodes that can be used when encrypted transmission is performed from the node to the another node, that is, the remaining quantum key amount shared between the nodes. The remaining quantum key shared between nodes may be in a plaintext form or in a ciphertext form for security, which is not limited in this respect. For example, the quantum key shared with the previous hop node is subjected to an exclusive or with the quantum key shared with the next hop node, and the exclusive or is a shared key in a ciphertext form.
The source node and each forwarding node firstly receive a quantum key routing table issued by a server, wherein the quantum key routing table comprises a destination node, a next hop node from the destination node, a full-path hop number and a path key quantity, and the path key quantity is a key quantity value of one hop with the minimum key quantity on a key relay path. In this embodiment, a quantum key routing table issued by the server to each node on the path is shown in fig. 2.
It should be noted that, in one or more embodiments of the present disclosure, the method for obtaining the quantum key routing table is not limited, and the quantum key routing table may be a static routing table, or may also be a dynamic routing table, for example, a quantum key routing table is statically configured at the source node and each forwarding node.
Y7: X3:3 in the quantum key routing table of the source node Y3 indicates that the next hop node to the destination node Y7 is X3, the full path hop count is 3 hops, and the path key amount is 200. The path key amount is the key amount value of one hop with the smallest key amount on the path.
Y7: X1:2 in the quantum key routing table of the forwarding node X3 indicates that the next hop node to the destination node Y7 is X1, the full path hop count is 2 hops, and the path key amount is 200.
Y7:1 in the quantum key routing table of the forwarding node X1 indicates that the next hop node to the destination node Y7 is Y7, the full path hop count is 1 hop, and the path key amount is 490.
In this embodiment, a key relay frame is sent from the source node to the destination node, and a key relay return frame is returned from the destination node to the source node.
The relay forwarding process of the reliable key in this embodiment is as follows:
step (1): the source node Y3 initiates a key relay to the destination node Y7, the relay number is RID1, the total initiated relay key amount is N, and the key relay is divided into a relay key KR1, a relay key KR2 \8230anda relay key KRN.
Step (2): the source node Y3 sends a first key relay frame to a next hop node, namely a forwarding node X3 according to Y7: X3:3 in the quantum key routing table, wherein the first key relay frame comprises a relay number RID1, a relay forwarding key amount N and a current relay key KR1. The source node Y3 encrypts the relay key KR1 of the first key relay frame of the key relay process this time with the shared key of the forwarding node X3. As shown in fig. 3.
And (3): the forwarding node X3 receives the first key relay frame of the key relay process from the source node Y3, checks the relay forwarding key amount N in the first key relay frame, and determines whether the path key amount (200) of the forwarding node satisfies the relay forwarding key amount N according to the quantum key routing table Y7: X1:2, that is, the forwarding node X3 checks whether the path key amount (200) is sufficient for forwarding N relay keys according to the routing table guidance.
When the path key amount (200) of the forwarding node X3 meets the relay forwarding key amount N, the key relay frame including the current relay key is continuously forwarded to the next hop node X1, the relay key KR1 is decrypted by using the shared key with the previous hop node Y3, encrypted by using the shared key with the next hop node X1 and forwarded to the next hop node X1, and the key information of the local node and the next hop node X1 is recorded.
When the path key amount of the forwarding node meets the relay forwarding key amount, recording the key information of the node and the next hop node, and pre-applying the keys of the relay forwarding key amount in the key pool of the forwarding node and marking the keys as pre-applied keys. The N keys corresponding to the pre-application are used for encrypting and forwarding the relay key in the key relay process RID 1. As shown in fig. 4.
And (4): the forwarding node X1 receives the first key relay frame of the key relay process from the forwarding node X3, checks the relay forwarding key amount N in the first key relay frame, and determines whether the path key amount (490) of the forwarding node satisfies the relay forwarding key amount N according to the quantum key routing table Y7:1 490, that is, the forwarding node X1 checks whether the path key amount (490) is sufficient to forward N relay keys according to the routing table guidance.
When the path key amount (490) of the forwarding node X1 satisfies the relay forwarding key amount N, the key relay frame including the current relay key is continuously forwarded to the next hop node, i.e., the destination node Y7, the relay key KR1 is decrypted by using the shared key with the previous hop node X3, encrypted by using the shared key with the next hop node Y7, forwarded to the destination node Y7, and recorded in the key information of the local node and the destination node Y7.
When the path key amount of the forwarding node meets the relay forwarding key amount, recording the key information of the node and the next hop node, and pre-applying the keys with the relay forwarding key amount in the key pool of the node and marking the keys as pre-applied keys. The N keys corresponding to the pre-application are used for encrypting and forwarding the relay key in the key relay process RID 1. As shown in fig. 5.
And (5): the destination node Y7 receives the first key relay frame in the key relay process from the forwarding node X1, decrypts the relay key KR1 using the shared key with the previous-hop node X1, and returns a successful key relay confirmation response to the previous-hop node, i.e., the forwarding node X1, to confirm that the first key relay frame data has been received, so that subsequent transmission can be continued. The first key relay return frame returned by the destination node Y7 to the forwarding node X1 includes the relay number RID1, the relay forwarding key amount N, and a successful key relay acknowledgement response. As shown in fig. 6.
And (6): the forwarding node X1 receives a first key relay return frame returned in the key relay process from the destination node Y7, and marks a key pre-applied for the RID1 as a key to be transmitted. And continuously returning a successful key relay confirmation response to the previous hop node, namely the forwarding node X3, confirming that the first key relay frame data is received by the destination node Y7, and continuing subsequent transmission. The first key relay return frame returned by the forwarding node X1 to the forwarding node X3 includes the relay number RID1, the relay forwarding key amount N, and a successful key relay acknowledgement response.
And (7): the forwarding node X3 receives a first key relay return frame returned in the key relay process from the forwarding node X1, and marks a key pre-applied for the RID1 as a key to be transmitted. And continuing to return a successful key relay confirmation response to the previous hop node, namely the source node Y3, confirming that the first key relay frame data is received by the destination node Y7, and continuing to transmit the data. The first key relay return frame returned by the forwarding node X3 to the source node Y3 includes the relay number RID1, the relay forwarding key amount N, and a successful key relay acknowledgement response. As shown in fig. 7.
And (8): the source node Y3 receives the first key relay return frame returned by the key relay process from the forwarding node X3.
And (4) continuing to send subsequent data (the relay key KR2 \8230; the relay key KRN) of the RID1 key relay process according to the same flow from the step (2) to the step (8).
Example 2:
this embodiment is a case where the path key amount of the forwarding node in the key relaying process fails to satisfy the relay forwarding key amount, resulting in key relaying failure. The relay forwarding process of the reliable key in this embodiment is as follows:
step (1): the source node Y3 initiates a key relay to the destination node Y7, the relay number is RID1, the total initiated relay key amount is N, and the key relay is divided into a relay key KR1, a relay key KR2 \8230anda relay key KRN.
Step (2): the source node Y3 sends a first key relay frame to a next hop node, namely a forwarding node X3 according to Y7: X3:3 in the quantum key routing table, wherein the first key relay frame comprises a relay number RID1, a relay forwarding key amount N and a current relay key KR1. The source node Y3 encrypts the relay key KR1 of the first key relay frame of the key relay process of this time with the shared key of the forwarding node X3. As shown in fig. 3.
And (3): the forwarding node X3 receives the first key relay frame of the key relay process from the source node Y3, looks up the relay forwarding key amount N in the first key relay frame, and determines whether the path key amount (200) of the forwarding node satisfies the relay forwarding key amount N according to the quantum key routing table Y7: X1:2, that is, the forwarding node X3 checks whether the path key amount (200) is sufficient for forwarding N relay keys according to the quantum key routing table guidance.
When the path key amount (200) of the forwarding node X3 does not satisfy the relay forwarding key amount N, checking that the shared key with the next hop X1 is insufficient according to the guidance of the quantum key routing table to initiate key relay with the key amount N. The key relay acknowledgement response is sent as failure to the previous hop source node Y3. After receiving the key relay confirmation response that failed, the source node Y3 gives up the subsequent key relay data transmission. As shown in fig. 8. The first key relay return frame returned by the forwarding node X3 to the source node Y3 includes the relay number RID1, the relay forwarding key amount N, and the failed key relay acknowledgement response.
Example 3:
this embodiment is a key relay scenario that adds a timeout mechanism.
As shown in fig. 9, the key flag states of the keys in all forwarding nodes in this embodiment are three states that can be mutually converted, including a free key, a pre-application key, and a key to be transmitted; and reserving keys for key relay forwarding in the key pool of each forwarding node in advance through the pre-application key and the state of the key to be transmitted.
Description of the key flag state:
(1) The original key of the key pool is called a free key.
(2) And the forwarding node receives the key relay frame transmitted by the key relay, pre-applies the keys with the quantity of the relay forwarding key quantity when the relay forwarding key quantity is met, and marks the free keys with the quantity of the relay forwarding key quantity as pre-applied keys after the application is passed.
(3) The forwarding node receives the successful key relay confirmation response, and marks the pre-applied key as the key to be transmitted after receiving the successful key relay confirmation response.
(4) And releasing the pre-application key as a free key when the relay confirmation response of the key is received as failure.
(5) And presetting a first overtime threshold S1, and releasing the pre-application key in the key pool of the forwarding node into a free key when the forwarding node does not receive a returned key relay return frame containing a key relay confirmation response when the first overtime threshold S1 is exceeded. Namely, the key relay confirmation response is not received within a preset timeout S1, the pre-application key is released as a free key.
(6) Presetting a second overtime threshold S2, wherein the second overtime threshold S2 is larger than the first overtime threshold S1, the forwarding node does not use the key to be transmitted for key relay forwarding when exceeding the second overtime threshold S2, and releasing the key to be transmitted in the key pool of the forwarding node into a free key. Namely, the key to be transmitted is not used for key relay forwarding within a preset timeout S2, and is released as a free key.
The second timeout threshold S2 of the key to be transmitted is much larger than the first timeout threshold S1 of the pre-applied key.
The reliable key relay forwarding process of adding the timeout mechanism in this embodiment is as follows:
step (1): the source node Y3 initiates a key relay to the destination node Y7, the relay number is RID1, the total initiated relay key amount is N, and the key relay is divided into a relay key KR1, a relay key KR2 \8230anda relay key KRN.
Step (2): the source node Y3 sends a first key relay frame to a next hop node, namely a forwarding node X3 according to Y7: X3:3 in the quantum key routing table, wherein the first key relay frame comprises a relay number RID1, a relay forwarding key amount N and a current relay key KR1. The source node Y3 encrypts the relay key KR1 of the first key relay frame of the key relay process this time with the shared key of the forwarding node X3. As shown in fig. 3.
And (3): the forwarding node X3 receives the first key relay frame of the key relay process from the source node Y3, checks the relay forwarding key amount N in the first key relay frame, and determines whether the path key amount (200) of the forwarding node satisfies the relay forwarding key amount N according to the quantum key routing table Y7: X1:2, that is, the forwarding node X3 checks whether the path key amount (200) is sufficient for forwarding N relay keys according to the routing table guidance.
When the path key amount (200) of the forwarding node X3 meets the relay forwarding key amount N, the key relay frame including the current relay key is continuously forwarded to the next hop node X1, the relay key KR1 is decrypted by using the shared key with the previous hop node Y3, encrypted by using the shared key with the next hop node X1 and forwarded to the next hop node X1, and the key information of the local node and the next hop node X1 is recorded.
When the path key amount of the forwarding node meets the relay forwarding key amount, recording the key information of the node and the next hop node, and pre-applying the keys with the relay forwarding key amount in the key pool of the node and marking the keys as pre-applied keys. The N keys corresponding to the pre-application are used for encrypting and forwarding the relay key in the key relay process RID 1. As shown in fig. 4.
And (4): the forwarding node X1 receives the first key relay frame of the key relay process from the forwarding node X3, checks the relay forwarding key amount N in the first key relay frame, and determines whether the path key amount (490) of the forwarding node satisfies the relay forwarding key amount N according to the quantum key routing table Y7:1 490, that is, the forwarding node X1 checks whether the path key amount (490) is sufficient to forward N relay keys according to the routing table guidance.
When the path key amount (490) of the forwarding node X1 satisfies the relay forwarding key amount N, the key relay frame including the current relay key is continuously forwarded to the destination node Y7, which is the next hop node, the relay key KR1 is decrypted by using the shared key with the previous hop node X3, encrypted by using the shared key with the next hop node Y7, and forwarded to the destination node Y7, and recorded in the key information of the local node and the destination node Y7.
When the path key amount of the forwarding node meets the relay forwarding key amount, recording the key information of the node and the next hop node, and pre-applying the keys with the relay forwarding key amount in the key pool of the node and marking the keys as pre-applied keys. The N keys corresponding to the pre-application are used for encrypting and forwarding the relay key in the key relay process RID 1. As shown in fig. 5.
And (5): the destination node Y7 receives the first key relay frame in the key relay process from the forwarding node X1, decrypts the relay key KR1 using the shared key with the previous-hop node X1, and returns a successful key relay confirmation response to the previous-hop node, i.e., the forwarding node X1, to confirm that the first key relay frame data has been received, so that subsequent transmission can be continued. The first key relay return frame returned by the destination node Y7 to the forwarding node X1 includes the relay number RID1, the relay forwarding key amount N, and a successful key relay acknowledgement response. As shown in fig. 6.
And (6): the forwarding node X1 receives a first key relay return frame returned in the key relay process from the destination node Y7, and marks a key pre-applied for the RID1 as a key to be transmitted. And continuing to return a successful key relay confirmation response to the previous hop node, namely the forwarding node X3, confirming that the first key relay frame data is received by the destination node Y7, and continuing to transmit the data. The first key relay return frame returned by the forwarding node X1 to the forwarding node X3 includes the relay number RID1, the relay forwarding key amount N, and a successful key relay acknowledgement response.
And (7): when the forwarding node X3 receives the key relay return frame including the successful key relay confirmation response and the forwarding node X3 does not have the pre-applied key in the key pool, that is, when the forwarding node X3 receives the key relay confirmation response of the forwarding node X1, the key originally applied to the RID1 is converted into the free key due to timeout, as shown in fig. 10. The forwarding node X3 judges whether the path key amount (200) of the forwarding node satisfies the relay forwarding key amount N according to the quantum key routing table Y7: X1: 2.
When the path key amount (200) of the forwarding node X3 meets the relay forwarding key amount N, the keys of the relay forwarding key amount in the key pool of the forwarding node X3 are marked as keys to be transmitted, a successful key relay confirmation response is returned to the previous hop node, namely the source node Y3, the first key relay frame data is confirmed to be received by the destination node Y7, and subsequent transmission can be continued. The first key relay return frame returned by the forwarding node X3 to the source node Y3 includes the relay number RID1, the relay forwarding key amount N, and a successful key relay acknowledgement response. As shown in fig. 11.
And (8): the source node Y3 receives the first key relay return frame returned by the key relay process from the forwarding node X3.
And (4) continuing to send subsequent data (the relay key KR2 \8230; the relay key KRN) of the RID1 key relay process according to the same flow of the steps (2) to (8).
Example 4:
the relay forwarding process of the reliable key added with the timeout mechanism in this embodiment is as follows:
step (1): the source node Y3 initiates a key relay to the destination node Y7, the relay number is RID1, the total key amount of the initiated relay is N, and the key relay is divided into a relay key KR1, a relay key KR2 \8230anda relay key KRN.
Step (2): and the source node Y3 sends a first key relay frame to a next hop node, namely a forwarding node X3 according to the Y7: X3:3 in the quantum key routing table, wherein the first key relay frame comprises a relay number RID1, a relay forwarding key amount N and a current relay key KR1. The source node Y3 encrypts the relay key KR1 of the first key relay frame of the key relay process of this time with the shared key of the forwarding node X3. As shown in fig. 3.
And (3): the forwarding node X3 receives the first key relay frame of the key relay process from the source node Y3, looks up the relay forwarding key amount N in the first key relay frame, and determines whether the path key amount (200) of the forwarding node satisfies the relay forwarding key amount N according to the quantum key routing table Y7: X1:2, that is, the forwarding node X3 checks whether the path key amount (200) is sufficient for forwarding N relay keys according to the direction of the routing table.
When the path key amount (200) of the forwarding node X3 meets the relay forwarding key amount N, continuing to forward a key relay frame containing the current relay key to the next hop node X1, decrypting the relay key KR1 by using the shared key of the previous hop node Y3, encrypting the relay key KR by using the shared key of the next hop node X1, forwarding the relay key KR to the next hop node X1, and recording the key information of the node and the next hop node X1.
When the path key amount of the forwarding node meets the relay forwarding key amount, recording the key information of the node and the next hop node, and pre-applying the keys with the relay forwarding key amount in the key pool of the node and marking the keys as pre-applied keys. The N keys corresponding to the pre-application are used for encrypting and forwarding the relay key in the key relay process RID 1. As shown in fig. 4.
And (4): the forwarding node X1 receives the first key relay frame of the key relay process from the forwarding node X3, checks the relay forwarding key amount N in the first key relay frame, and determines whether the path key amount (490) of the forwarding node satisfies the relay forwarding key amount N according to the quantum key routing table Y7:1 490, that is, the forwarding node X1 checks whether the path key amount (490) is sufficient to forward N relay keys according to the routing table guidance.
When the path key amount (490) of the forwarding node X1 satisfies the relay forwarding key amount N, the key relay frame including the current relay key is continuously forwarded to the destination node Y7, which is the next hop node, the relay key KR1 is decrypted by using the shared key with the previous hop node X3, encrypted by using the shared key with the next hop node Y7, and forwarded to the destination node Y7, and recorded in the key information of the local node and the destination node Y7.
When the path key amount of the forwarding node meets the relay forwarding key amount, recording the key information of the node and the next hop node, and pre-applying the keys of the relay forwarding key amount in the key pool of the forwarding node and marking the keys as pre-applied keys. The N keys corresponding to the pre-application are used for encrypting and forwarding the relay key in the key relay process RID 1. As shown in fig. 5.
And (5): the destination node Y7 receives the first key relay frame in the key relay process from the forwarding node X1, decrypts the relay key KR1 by using the shared key with the previous-hop node X1, returns a successful key relay confirmation response to the previous-hop node, i.e., the forwarding node X1, confirms that the first key relay frame data has been received, and can continue subsequent transmission. The first key relay return frame returned by the destination node Y7 to the forwarding node X1 includes the relay number RID1, the relay forwarding key amount N, and a successful key relay acknowledgement response. As shown in fig. 6.
And (6): the forwarding node X1 receives a first key relay return frame returned in the key relay process from the destination node Y7, and marks a key pre-applied for the RID1 as a key to be transmitted. And continuing to return a successful key relay confirmation response to the previous hop node, namely the forwarding node X3, confirming that the first key relay frame data is received by the destination node Y7, and continuing to transmit the data. The first key relay return frame returned by the forwarding node X1 to the forwarding node X3 includes the relay number RID1, the relay forwarding key amount N, and a successful key relay acknowledgement response.
And (7): when the forwarding node X3 receives the first key relay return frame returned in the key relay process from the forwarding node X1, and the forwarding node X3 receives the key relay return frame including the successful key relay confirmation response, and there is no pre-application key in the key pool of the forwarding node X3, that is, when the forwarding node X3 receives the key relay confirmation response of the forwarding node X1, the key originally pre-applied to the RID1 has been converted into a free key due to timeout, as shown in fig. 10. The forwarding node X3 judges whether or not the path key amount (200) of the forwarding node satisfies the relay forwarding key amount N according to the quantum key routing table Y7: X1: 2.
And when the path key amount (200) of the forwarding node X3 does not satisfy the relay forwarding key amount N, returning a key relay return frame containing a failed key relay confirmation response to the previous hop node. And returning a failed key relay confirmation response to the previous hop node, namely the source node Y3, wherein a first key relay return frame returned by the forwarding node X3 to the source node Y3 comprises the relay number RID1, the relay forwarding key quantity N and the failed key relay confirmation response. As shown in fig. 12.
And (8): after receiving the key relay confirmation response, the source node Y3 gives up the subsequent key relay data transmission.
Example 5:
the purpose of this embodiment 5 is to provide a reliable key relay system.
In order to achieve the purpose, the invention adopts the following technical scheme:
a reliable key relay system based on any one of embodiments 1 to 4 includes a source node, a destination node, and a forwarding node.
The system also includes a server configured to issue a quantum key routing table to each node.
In this embodiment, the source node, the destination node, and the forwarding node each include a key management terminal and a QKD device; the QKD equipment is used for distributing quantum keys between adjacent nodes; the key management terminal is configured to acquire, manage and store a quantum key distributed by a QKD device connected to the key management terminal, and execute the reliable key relay method described in any one of embodiments 1 to 4 according to a quantum key routing table issued by a server side.
Example 6:
the object of this embodiment 6 is to provide a reliable key relay system.
In this embodiment, the source node, the destination node, and the forwarding node use a key management terminal that integrates QKD functions, and other technical features are the same as those in embodiment 5.
The invention has the beneficial effects that:
1. according to the reliable key relay method and the system thereof, the confirmation of the key relay forwarding capacity is carried out through the key relay frame sent to each node, the subsequent data transmission can be completed only when the path key quantity of all forwarding nodes on the path meets the key quantity of relay forwarding, and the application and confirmation are carried out on the forwarding condition of each node when the key relay forwarding process is carried out, so that the problem of relay failure is fundamentally solved.
2. The invention relates to a reliable key relay method and a system thereof, which mark three different states for keys in a key pool: the key to be used for key relay forwarding is reserved in advance through the states of the pre-applied key and the key to be transmitted, and the success rate of key relay is improved.
3. According to the reliable key relay method and the system thereof, the key identification state is added with an overtime mechanism, a first overtime time threshold value is preset, the forwarding node does not receive a returned key relay frame containing a successful key relay confirmation response when exceeding the first overtime time threshold value, and the pre-applied key in the key pool of the forwarding node is released as a free key, so that the occupied key can be effectively released when the process is abnormal.
Although the embodiments of the present invention have been described with reference to the accompanying drawings, it is not intended to limit the scope of the present invention, and it should be understood by those skilled in the art that various modifications and variations can be made without inventive efforts by those skilled in the art based on the technical solution of the present invention.

Claims (14)

1. A method for reliable key relaying, the method comprising:
and the source node sends a first key relay frame to the destination node through the key relay path to confirm the key relay forwarding capability of each forwarding node, when the path key amount of all the forwarding nodes meets the relay forwarding key amount, the destination node returns a successful key relay confirmation response to the source node, and the source node sends the next key relay frame to the destination node until the transmission of all the relay keys is completed, otherwise, the source node abandons the subsequent key relay.
2. The method of claim 1, wherein the key relay frame comprises a relay number, a relay forwarding key amount, and a current relay key.
3. The method of claim 1, wherein the key flag states of the keys in all forwarding nodes are three states that can be mutually converted, including a free key, a pre-application key, and a key to be transmitted; pre-reserving keys for key relay forwarding in key pools of forwarding nodes according to the pre-application keys and the states of the keys to be transmitted;
the free key is a state marked on the original key;
the pre-application key is the state of a key mark for the amount of the pre-applied relay forwarding key when the path key amount of the forwarding node meets the relay forwarding key amount;
and the key to be transmitted is the state of the pre-application key or the free key mark when the forwarding node receives the successful key relay confirmation response.
4. The method according to claim 1, wherein before confirming the key relay forwarding capability of each forwarding node, the source node and each forwarding node receive a quantum key routing table issued by a server, the quantum key routing table includes a destination node, a next hop node to the destination node, a full path hop count and a path key quantity, and the path key quantity is a key quantity value of one hop with the smallest key quantity on a key relay path.
5. The method of claim 1, wherein the source node and each forwarding node statically configure a quantum key routing table at the node, the quantum key routing table comprising a destination node, a next hop node to the destination node, a full path hop count, and a path key quantity, the path key quantity being a key quantity value of one hop with the smallest key quantity on a key relay path.
6. The method as claimed in claim 4 or 5, wherein the step of the source node sending the key relay frame to the destination node via the key relay path comprises:
the source node sends a key relay frame containing the current relay key to the next hop forwarding node of the source node according to the quantum key routing table, and the source node encrypts the current relay key by adopting a shared key of the next hop forwarding node;
and the forwarding node receives the key relay frame, judges whether the path key quantity of the forwarding node meets the relay forwarding key quantity according to the quantum key routing table, if so, continuously encrypts and forwards the key relay frame containing the current relay key until the destination node, otherwise, returns a failed key relay confirmation response to the source node, and the source node abandons the subsequent key relay.
7. The method according to claim 6, wherein when the path key amount of the forwarding node satisfies the relay forwarding key amount, a key of the relay forwarding key amount is pre-applied in a key pool of the forwarding node and marked as a pre-applied key, and the key information of the forwarding node and the next hop node is recorded.
8. The method as claimed in claim 7, wherein the step of the destination node returning a successful key relay confirmation response to the source node comprises:
the destination node returns a key relay return frame containing a successful key relay confirmation response to the previous hop forwarding node;
and the last forwarding skip node receives the key relay return frame, marks the pre-applied key in the key pool of the forwarding node as a key to be transmitted, and continues to forward the key relay return frame containing the successful key relay confirmation response until the source node.
9. The method of claim 7, wherein when the path key amount of the forwarding node does not satisfy the relay forwarding key amount, the forwarding node returns a key relay return frame containing a failed key relay acknowledgement response to the previous hop forwarding node;
and the last hop forwarding node receives the key relay return frame, releases the pre-applied key in the key pool of the forwarding node as a free key, and continues to forward the key relay return frame containing the failed key relay confirmation response until the source node.
10. The method according to claim 8, wherein a first timeout threshold is preset, and when the forwarding node does not receive a returned key relay return frame containing a key relay acknowledgement response beyond the first timeout threshold, the forwarding node releases the pre-applied key in the forwarding node key pool as a free key.
11. The method according to claim 10, wherein a second timeout threshold is preset, the second timeout threshold is greater than the first timeout threshold, the forwarding node does not use the key to be transmitted for key relay forwarding when the second timeout threshold is exceeded, and the key to be transmitted in the key pool of the forwarding node is released as a free key.
12. The method according to claim 7, wherein when the forwarding node receives the key relay return frame containing the successful key relay confirmation response and there is no pre-application key in the forwarding node key pool, it determines whether the path key amount of the forwarding node satisfies the relay forwarding key amount according to the quantum key routing table, if so, marks the key of the relay forwarding key amount in the forwarding node key pool as the key to be transmitted, otherwise, returns the key relay return frame containing the failed key relay confirmation response to the previous hop node.
13. A reliable key relay system, characterized in that the system is based on a reliable key relay method according to any of claims 1-12, comprising a source node, a destination node and a forwarding node.
14. The system of claim 13, further comprising a server configured to issue a quantum key routing table to each node.
CN201811612140.9A 2018-12-27 2018-12-27 Reliable key relay method and system thereof Active CN111385087B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811612140.9A CN111385087B (en) 2018-12-27 2018-12-27 Reliable key relay method and system thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811612140.9A CN111385087B (en) 2018-12-27 2018-12-27 Reliable key relay method and system thereof

Publications (2)

Publication Number Publication Date
CN111385087A CN111385087A (en) 2020-07-07
CN111385087B true CN111385087B (en) 2023-01-03

Family

ID=71220840

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811612140.9A Active CN111385087B (en) 2018-12-27 2018-12-27 Reliable key relay method and system thereof

Country Status (1)

Country Link
CN (1) CN111385087B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN216959887U (en) * 2020-12-30 2022-07-12 广东国腾量子科技有限公司 Quantum secret communication dynamic selection QKD access network architecture

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103001875A (en) * 2013-01-07 2013-03-27 山东量子科学技术研究院有限公司 Quantum cryptography network dynamic routing method
CN104579964A (en) * 2013-01-07 2015-04-29 山东量子科学技术研究院有限公司 Dynamic route architecture system for quantum cryptography network
CN107508671A (en) * 2017-08-18 2017-12-22 北京邮电大学 Service communication method and device based on quantum key distribution
CN108134672A (en) * 2018-03-16 2018-06-08 安徽问天量子科技股份有限公司 Data transmission system and its transmission method based on quantum cryptography exchange apparatus
CN108270557A (en) * 2016-12-30 2018-07-10 科大国盾量子技术股份有限公司 A kind of backbone system and its trunking method based on quantum communications

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103001875A (en) * 2013-01-07 2013-03-27 山东量子科学技术研究院有限公司 Quantum cryptography network dynamic routing method
CN104579964A (en) * 2013-01-07 2015-04-29 山东量子科学技术研究院有限公司 Dynamic route architecture system for quantum cryptography network
CN108270557A (en) * 2016-12-30 2018-07-10 科大国盾量子技术股份有限公司 A kind of backbone system and its trunking method based on quantum communications
CN107508671A (en) * 2017-08-18 2017-12-22 北京邮电大学 Service communication method and device based on quantum key distribution
CN108134672A (en) * 2018-03-16 2018-06-08 安徽问天量子科技股份有限公司 Data transmission system and its transmission method based on quantum cryptography exchange apparatus

Also Published As

Publication number Publication date
CN111385087A (en) 2020-07-07

Similar Documents

Publication Publication Date Title
CN110581763B (en) Quantum key service block chain network system
Tysowski et al. The engineering of a scalable multi-site communications system utilizing quantum key distribution (QKD)
CN1860759B (en) Network and node for providing a secure transmission of mobile application part messages
TWI454112B (en) Key management for communication networks
JP6452205B2 (en) Key distribution in satellite systems
US9032203B2 (en) Key setting method, node, server, and network system
US20050215234A1 (en) Common key sharing method and wireless communication terminal in ad hoc network
JP2023502348A (en) System and method for satellite quantum key distribution
CN108028748A (en) For handling the method, equipment and system of VXLAN messages
CN105409157A (en) Adaptive traffic encryption for optical networks
CN109005030B (en) Method and system for protecting key service in quantum network
CN108134672B (en) Data transmission system based on quantum encryption switch device and transmission method thereof
JP2022549047A (en) Quantum encryption key distribution method, device and system
US20230040769A1 (en) Secure content routing using one-time pads
EP3909196B1 (en) One-time pads encryption hub
CN112187450B (en) Method, device, equipment and storage medium for key management communication
CN104041089A (en) Management of public keys for verification of public warning messages
CN111010274A (en) Safe and low-overhead SRv6 implementation method
CN113726795B (en) Message forwarding method and device, electronic equipment and readable storage medium
CN106712941B (en) Dynamic updating method and system for quantum key in optical network
CN110249584B (en) Method for providing end-to-end security in mission critical data communication systems
US20040158706A1 (en) System, method, and device for facilitating multi-path cryptographic communication
CN109428709B (en) Quantum key distribution method and system and optical network system
CN114556862A (en) External symmetric encryption key delivery for seat belts
CN111385087B (en) Reliable key relay method and system thereof

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant