CN111988288A - Key exchange method, system, equipment and storage medium based on network time delay - Google Patents

Info

Publication number: CN111988288A
Authority: CN (China)
Prior art keywords: data packet; user terminal; intermediate node; data; random number
Legal status: Granted
Application number: CN202010772187.2A
Other languages: Chinese (zh)
Other versions: CN111988288B (en)
Inventor: 黄杰, 王威
Current Assignee: Network Communication and Security Zijinshan Laboratory
Original Assignee: Network Communication and Security Zijinshan Laboratory
Application filed by Network Communication and Security Zijinshan Laboratory
Priority to CN202010772187.2A (patent CN111988288B)
Priority to PCT/CN2020/117988 (patent WO2022027807A1)
Publication of CN111988288A
Application granted
Publication of CN111988288B

Classifications

    • H04L63/061: Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L9/0838: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a key exchange method, system, device and storage medium based on network delay. It relates to the technical fields of network measurement and information security, and addresses the problem that session key negotiation in current Internet communication must rely on a trusted third-party key distribution authority. The method comprises the following steps: the first user terminal writes a random number into a data packet and transmits the data packet to the second user terminal through intermediate nodes; after receiving the data packet, the second user terminal reads from it the information of the intermediate node that sent the data packet directly to the second user terminal; the second user terminal transmits the data packet back to the first user terminal along the reverse path; and a session key is obtained from the one-way delays of the data packet transmissions measured by the first user terminal and the second user terminal. The invention is suitable for session key generation.

Description

Key exchange method, system, equipment and storage medium based on network time delay
Technical Field
The present invention relates to the field of network measurement and information security technologies, and in particular, to a key exchange method, system, device, and storage medium based on network latency.
Background
With the rapid development of Internet technology, how to ensure information security in an open network has become an important research topic. At present, the basic means of securing information in an open network is to encrypt the communication data. The most common encryption scheme at present relies on a trusted third-party Key Distribution Center (KDC) to distribute the communication key.
Because the key distribution process involves problems such as user identity authentication, third-party Key Distribution Centers (KDCs) in turn rely on the PKI/CA authentication system. Public Key Infrastructure (PKI) is an infrastructure for providing security services, built on public key theory and technology, and is the core of information security. PKI uses certificates to manage public keys: a trusted third-party certificate authority (CA) binds a user's public key to the user's other identifying information (such as name, e-mail address, identity card number, etc.) and thereby verifies the user's identity on the Internet (the CA is the core part of the PKI system). A PKI/CA-based authentication system can ensure the confidentiality, authenticity, integrity and non-repudiation of information transmission, thereby ensuring that information is transmitted securely.
However, the conventional PKI/CA authentication system has many security problems. For example, problems such as central failure can leave a user's public key untrusted, which affects the information security of users who negotiate session keys through a trusted third-party key distribution authority.
Disclosure of Invention
Embodiments of the present invention provide a key exchange method, system, device and storage medium based on network delay, which remove the need for session key negotiation in current Internet communication to rely on a trusted third-party key distribution authority, and better guarantee the information security of users.
To achieve the above purpose, the embodiments of the invention adopt the following technical solutions:
In a first aspect, an embodiment of the present application provides a key exchange method based on network delay, including:
a first user terminal writes a random number into a data packet and transmits the data packet to a second user terminal through intermediate nodes, wherein the random number represents the total number of transmissions of the data packet among the intermediate nodes;
after receiving the data packet, the second user terminal reads from it the information of the intermediate node that sent the data packet directly to the second user terminal;
the second user terminal transmits the data packet back to the first user terminal along the reverse path;
and a session key is obtained from the one-way delays of the data packet transmissions between the first user terminal and the second user terminal.
In a second aspect, an embodiment of the present application provides a key exchange system based on network delay, which is composed of a first user terminal, a second user terminal, and at least 2 intermediate nodes;
the first user terminal is used for writing a random number into a data packet and transmitting the data packet to the second user terminal through the intermediate nodes, wherein the random number represents the total number of transmissions of the data packet among the intermediate nodes;
the second user terminal is configured to, after receiving the data packet, read from it the information of the intermediate node that sent the data packet directly to the second user terminal; the second user terminal then transmits the data packet back to the first user terminal along the reverse path;
each intermediate node is used for randomly selecting a next-hop intermediate node to which it sends the data packet after receiving the data packet, and for writing the information of the previous intermediate node into the data packet before sending it;
and the session key is obtained from the one-way delays of the data packet transmissions between the first user terminal and the second user terminal.
In a third aspect, embodiments of the present application provide a key exchange device based on network delay, where the communication key exchange device includes at least a processor and a memory, the memory stores computer-executable instructions, and the processor executes the computer-executable instructions stored in the memory, so that the communication key exchange device performs the method recited in any one of claims 1 to 6.
In a fourth aspect, an embodiment of the present application provides a storage medium storing a computer program or instructions which, when executed, implement the method according to any one of claims 1 to 6.
The key exchange method, system, device and storage medium based on network delay provided by the embodiments of the invention solve the problem that session key negotiation in current Internet communication must rely on a trusted third-party key distribution authority. Problems such as central failure in the traditional PKI/CA system can make it impossible to verify whether a user's public key is trustworthy, which in turn affects the information security of users who negotiate session keys through a trusted third-party key distribution authority. With a key exchange method based on network delay, users can negotiate a communication key themselves, and secure information transmission is guaranteed.
Drawings
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly described below. The drawings described below show only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a diagram illustrating an example of a system implementation according to an embodiment of the present invention.
Fig. 2 is a diagram of a result of network delay data according to an embodiment of the present invention.
Fig. 3 is a flow chart of processing network delay characteristic data according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of an information reconciliation process according to an embodiment of the present invention.
Fig. 5 is a schematic diagram of a method flow provided by the embodiment of the invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the present invention will be described in further detail with reference to the accompanying drawings and specific embodiments. Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer throughout to the same or similar elements or to elements having the same or similar function. The embodiments described below with reference to the accompanying drawings are illustrative only, serve to explain the present invention, and are not to be construed as limiting it. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or coupled. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items. It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The present embodiment is designed specifically to address the security problems of the conventional PKI/CA authentication system, such as: 1. The central failure problem: the root CA (Certificate Authority), as the core of the system, is an extremely obvious attack target for hackers; the attack cost is relatively low and the payoff is very large. Once the root CA is compromised, the certificates issued by the CA to other users and the root certificate issued by the CA to itself become invalid. 2. The performance bottleneck problem: the core of a Public Key Infrastructure (PKI) system is the CA, whose work includes certificate issuance, certificate update, certificate revocation, certificate verification and the like; this work is burdensome and cannot be delegated, which easily makes the CA the performance bottleneck of the entire system. 3. Certificate configuration: the user first applies to the CA for a certificate, and after the CA issues the certificate, the user needs to install it on the personal terminal. In some cases that require batch operations, such as a production line of terminal devices, the certificates must be installed and configured one by one because each private key is private and unique, which wastes a lot of time and effort. Problems such as central failure in the traditional PKI/CA system can therefore leave a user's public key untrusted, which in turn affects the information security of users who negotiate session keys through a trusted third-party key distribution authority. It is therefore very practical to design a key distribution method based on the physical characteristics of the Internet. With a key exchange method based on network delay, users can negotiate a communication key themselves, and secure information transmission is guaranteed.
The design idea of this embodiment is to provide a key exchange method based on network delay that removes the need for session key negotiation in current Internet communication to rely on a trusted third-party key distribution authority, thereby better ensuring the information security of users.
An embodiment of the present invention provides a key exchange method based on network delay which, as shown in fig. 5, includes:
S1, the first user terminal writes a random number into a data packet and transmits the data packet to the second user terminal through intermediate nodes.
The random number written into the data packet is generated by the terminal device that originally sends the data packet (for example, the first user terminal in this embodiment), and may be generated with any existing algorithm or rule. In practical applications, the size of the random number depends on the specific application scenario. The size of the random number is positively correlated with the processing time needed to finally obtain the session key, because a larger random number means that the data packet is transferred between intermediate nodes more times and takes longer; the upper limit of the random number may therefore depend on the time allowed for obtaining the session key in the application scenario.
S2, after receiving the data packet, the second user terminal reads from it the information of the intermediate node that sent the data packet directly to the second user terminal.
Each intermediate node stores the information of the previous node when it receives the data packet.
S3, the second user terminal transmits the data packet back to the first user terminal along the reverse path.
Reverse transmission can be understood as follows: a data packet from the first user terminal passes through a number of intermediate nodes and finally reaches the second user terminal, and the reverse of that transmission path is the path of the reverse transmission. Specifically, the data packet is transmitted to the previous intermediate node, which in turn recovers its own previous node from the node information stored in its data stack, and so on, so that the complete transmission path of the data packet is retraced. In practical applications, the transmission path of the data packet may be recorded in the terminal receiving the data packet, such as the second user terminal, so that the second user terminal initiates the reverse transmission. Alternatively, the transmission path need not be recorded as a whole: the first and second user terminals and the intermediate nodes taking part in the transmission each only need to record the devices from which they directly received and to which they directly sent the data packet. For example, the first user terminal sends out data packet A, which finally reaches the second user terminal through intermediate node 1, intermediate node 2, intermediate node 3 ……; intermediate node 2 only needs to record that data packet A came from intermediate node 1 and was then sent to intermediate node 3, and the other nodes do likewise. When the second user terminal transmits the data packet in reverse, every intermediate node then only needs to swap the recorded receiving and sending ends of the data packet.
S4, a session key is obtained from the one-way delays of the data packet transmissions between the first user terminal and the second user terminal.
The random number represents the total number of transmissions of the data packet among the intermediate nodes. Since each intermediate node records the information of the data packet's previous node every time, the second user terminal, after receiving the data packet, can send it back to the first user terminal along the reverse of the transmission path. Each of the two communicating parties records the one-way delay of the data packet from sending to receiving, which serves as one group of characteristic data. After both parties have generated a sufficient and equal amount of network delay characteristic data, abnormal values in the characteristic data are corrected using the Chauvenet criterion, and then linear normalization, uniform quantization and Gray coding are applied to generate a 0/1 bit stream. Finally, the two parties remove the differing bits through information reconciliation, ensuring that a consistent session key is negotiated. With this method the session key can be generated from the physical delay characteristics of the Internet without relying on a third-party key distribution mechanism, which reduces the risk of key leakage and secures information transmission.
Specifically, after receiving the data packet, any intermediate node randomly selects a next-hop intermediate node to which it sends the data packet. Before sending the data packet, it writes the information of the previous intermediate node into the data packet, and it writes the information of the data packet's previous node into the data stack of the current node. In reverse transmission, each node therefore retrieves the information of its previous node, and the path can be retraced in reverse.
In this embodiment, step S1 generally includes:
The first user terminal generates the data packet with a fixed length, generates a random number M that is carried in the data packet, and then sends the data packet to a randomly selected intermediate node. M is a positive integer and represents the total number of transmissions of the data packet among the intermediate nodes. There are N intermediate nodes in total, where N is a positive integer and N ≥ 2, and each intermediate node is connected to the other N-1 nodes.
After an intermediate node receives the data packet, it stores the information of the data packet's previous node in the data stack of the local node, subtracts 1 from the value M in the data packet, and then randomly selects one of the N-1 connected nodes to which it sends the data packet. This continues until the value of M becomes 0, at which point the data packet is sent directly to the second user terminal.
In this embodiment, before step S4, the method further includes: the first user terminal and the second user terminal each record the one-way delay of a data packet from sending to receiving and use it as one group of characteristic data. A specified number of groups of characteristic data is collected, abnormal values in all the characteristic data are corrected, and a 0/1 bit stream is generated. The differing bits in the 0/1 bit stream are removed through information reconciliation to obtain the session key.
Specifically, correcting the abnormal values in all the characteristic data includes: if the absolute value of the difference between a measured value of the characteristic data and the average value is greater than the product of the standard deviation and the Chauvenet coefficient, the measured value is determined to be abnormal.
Generating the 0/1 bit stream includes: normalizing the corrected characteristic data by linear normalization, so that all data lie between 0 and 1; uniformly quantizing the normalized characteristic data to obtain discrete sample values, where the number of bits per sample value is the quantization order; and converting the quantized sample values into a 0/1 bit stream by Gray coding.
For example, a specific interaction process between the first user terminal and the second user terminal is shown in fig. 1 and includes:
(1) The first user terminal generates a data packet of fixed length and a random number M, which is carried in the data packet and transmitted to the intermediate nodes; M represents the total number of transmissions of the data packet among the intermediate nodes.
(2) There are N intermediate nodes in total, each connected to the N-1 other nodes. After receiving the data packet, an intermediate node stores the information of the data packet's previous node in the data stack of the local node. It also subtracts 1 from the value M in the data packet, randomly selects one of the N-1 nodes connected to it, and delivers the data packet to that node.
(3) This continues until the value of M becomes 0, at which point the data packet is delivered directly to the second user terminal. The time that elapses from the first user terminal sending the data packet until the second user terminal receives it is T_AB. The path is
Figure BDA0002617063430000081
Specifically:
Figure BDA0002617063430000082
Figure BDA0002617063430000083
(1≤i,j,k,…,l,m,n≤N)
(4) After receiving the data packet, the second user terminal transmits the data packet back to the first user terminal. Because each intermediate node records the information of the data packet's previous node every time it receives the data packet, the second user terminal can retrace the transmission path of the data packet in reverse, i.e. it is ensured that
Figure BDA0002617063430000091
Figure BDA0002617063430000092
The data packet is transmitted from the second user terminal to the first user terminal; the elapsed time is T_BA. The path is
Figure BDA0002617063430000093
Specifically:
Figure BDA0002617063430000094
Figure BDA0002617063430000095
(5) When network conditions are close to ideal, T_AB ≈ T_BA. T_AB corresponds to one item of delay characteristic data generated by the first user terminal, and T_BA corresponds to one item of delay characteristic data generated by the second user terminal.
Here i, j, k, …, l, m, n are all positive integers that denote the labels of the intermediate nodes, i.e. 1 ≤ i, j, k, …, l, m, n ≤ N, where N is a positive integer.
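The forwarding rule in steps (1) to (4), simulated as an added example (not code from the patent): each node's data stack lets the packet retrace its path even when the random walk visits the same node more than once. The per-link delay model (a symmetric base delay plus random jitter) and all function names are assumptions made for the illustration.

```python
import random


def forward_walk(n_nodes, m, rng):
    """First terminal 'A' -> random walk over intermediate nodes -> 'B'.

    Returns the list of visited intermediate nodes and every node's data stack.
    """
    if n_nodes < 2 or m < 1:
        raise ValueError("need N >= 2 intermediate nodes and M >= 1")
    stacks = {i: [] for i in range(1, n_nodes + 1)}   # per-node data stack
    prev, node = "A", rng.randint(1, n_nodes)          # A picks the first node
    path = []
    while True:
        stacks[node].append(prev)      # store the packet's previous node
        path.append(node)
        m -= 1                         # the counter M in the packet drops by 1
        if m == 0:
            return path, stacks        # this node delivers directly to B
        nxt = rng.choice([i for i in stacks if i != node])  # one of N-1 peers
        prev, node = node, nxt


def reverse_walk(stacks, last_hop):
    """'B' -> 'A': each node pops its most recently stored previous node."""
    path, node = [], last_hop
    while node != "A":
        path.append(node)
        node = stacks[node].pop()
    return path


def transit_time(hops, base, rng, jitter):
    """Sum of link delays along hops: symmetric base delay + jitter (assumed)."""
    return sum(base[frozenset(link)] + rng.uniform(0, jitter)
               for link in zip(hops, hops[1:]))


def measure(n_nodes, m, seed, jitter=0.2):
    """One exchange: returns forward path, reverse path, T_AB and T_BA."""
    rng = random.Random(seed)          # seeded only to make the demo repeatable
    names = ["A", "B"] + list(range(1, n_nodes + 1))
    base = {frozenset((u, v)): rng.uniform(1.0, 20.0)   # constructed delays, ms
            for i, u in enumerate(names) for v in names[i + 1:]}
    fwd, stacks = forward_walk(n_nodes, m, rng)
    rev = reverse_walk(stacks, fwd[-1])
    t_ab = transit_time(["A"] + fwd + ["B"], base, rng, jitter)
    t_ba = transit_time(["B"] + rev + ["A"], base, rng, jitter)
    return fwd, rev, t_ab, t_ba


if __name__ == "__main__":
    fwd, rev, t_ab, t_ba = measure(n_nodes=4, m=12, seed=1)
    print("forward path:", fwd)
    print("reverse path:", rev)
    print(f"T_AB = {t_ab:.2f} ms, T_BA = {t_ba:.2f} ms")
```

Because both directions cross the same links, T_AB and T_BA differ only by the jitter accumulated over the M + 1 links, which is the quantity the later processing steps have to absorb.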
In this embodiment, the communication key is exchanged using the delay characteristics of the Internet. Network delay is an important measure of the quality of service of a communication network. Round-trip time (RTT) is the time required for a packet to travel from a source host to a remote host and for the remote host, having received it, to send it back to the source host. The one-way delay (OWD) is calculated between two synchronized nodes 1 and 2 and is the time a packet takes to travel through the network from node 1 to node 2. In general it is assumed that RTT/2 ≈ OWD, that is, the transmission time OWD_12 of a data packet from node 1 to node 2 and the transmission time OWD_21 of a data packet from node 2 to node 1 are approximately equal: OWD_12 ≈ OWD_21. The two processes of generating the characteristic data and processing the characteristic data ensure that the users can negotiate the same communication key.
The first user terminal and the second user terminal complete the characteristic data generation process once they have generated an equal and sufficient amount of network delay characteristic data; the resulting characteristic data is shown in fig. 2. As the figure shows, the characteristic data generated by the first user terminal and the second user terminal are very highly correlated. After the characteristic data is generated, both parties enter the characteristic data processing stage to obtain the same communication key. The data processing flow is shown in fig. 3 and includes the following steps:
(1) Correction of abnormal data points: abnormal data is corrected using the Chauvenet criterion of equal confidence probability. If the absolute value of the difference between a measurement and the mean is greater than the product of the standard deviation and the Chauvenet coefficient, then the measurement is an outlier, as shown below:
Figure BDA0002617063430000101
where
Figure BDA0002617063430000102
is the standard deviation of the data samples and W_n ≈ 1 + 0.4 ln(n) is the Chauvenet coefficient, where n is the total number of data samples. Calculate the deviation S_x and the mean value
Figure BDA0002617063430000103
of all the data. Then each item of characteristic data is analyzed. If an item of data satisfies
Figure BDA0002617063430000104
then the measured value X_i is abnormal. If
Figure BDA0002617063430000105
then X_i is corrected to
Figure BDA0002617063430000106
If
Figure BDA0002617063430000107
then X_i is corrected to
Figure BDA0002617063430000108
After each correction, the deviation S_x and the mean value
Figure BDA0002617063430000109
of all the characteristic data are updated. The next item of data is then analyzed, until all data has been analyzed, so that all outliers are corrected.
(2) Linear normalization: the linear normalization method used is max-min normalization, which normalizes all data to between 0 and 1. The maximum value X_max and the minimum value X_min used in the normalization are affected by outliers, so correcting the outliers in the previous step reduces the bit error rate of the key. The formula is as follows:
Figure BDA00026170634300001010
(3) Uniform quantization: the normalized data X_norm is uniformly quantized to obtain a discrete sample value q, where the number of bits per sample value is the quantization order R. The formula is as follows:
q = X_norm × 2^R
(4) Gray coding: the quantized value q is converted into a 0/1 bit stream using Gray coding.
(5) Information reconciliation: ensures that the users negotiate a completely consistent communication key.
The specific process of information reconciliation is shown in fig. 4. The bit strings generated by the two communicating parties, the first user terminal and the second user terminal, are key1 and key2. The first user terminal calculates the CRC check code of key1 group by group and sends the check (redundancy) codewords to the second user terminal. The second user terminal performs the same grouping and removes the inconsistent groups according to the codewords sent by the first user terminal. The second user terminal sends the check result back to the first user terminal, the first user terminal removes the inconsistent groups according to the check result, and finally both parties obtain a consistent communication key.
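The processing steps (1) to (5) carried through on constructed delay samples, as an added example that is not part of the patent. The correction targets mean ± W_n·S_x, the use of the sample standard deviation, the 8-bit groups and the 4-bit CRC polynomial x^4 + x + 1 are assumptions, because the page does not reproduce those formulas or sizes; the quantizer also clamps X_norm = 1 to the top level so that q fits in R bits.

```python
import math
import statistics

# Constructed one-way delays in ms for the two terminals (not patent data).
DELAYS_A = [40.0, 52.1, 67.3, 80.0, 45.2, 73.8, 58.6, 61.4, 49.0, 71.2, 55.5, 64.9]
DELAYS_B = [40.1, 52.4, 66.9, 79.9, 45.0, 74.1, 60.3, 61.0, 49.3, 71.5, 55.1, 65.2]


def correct_outliers(samples):
    """Step (1): one pass; |X_i - mean| > W_n * S_x marks X_i as abnormal.

    Assumption: an abnormal value is pulled back to mean +/- W_n * S_x.
    """
    xs = list(samples)
    n = len(xs)
    if n < 2:
        return xs
    w_n = 1 + 0.4 * math.log(n)
    for i in range(n):
        mean = statistics.mean(xs)     # recomputed each time, so statistics
        limit = w_n * statistics.stdev(xs)   # reflect earlier corrections
        if xs[i] - mean > limit:
            xs[i] = mean + limit
        elif xs[i] - mean < -limit:
            xs[i] = mean - limit
    return xs


def normalize(xs):
    """Step (2): max-min normalization to [0, 1]."""
    lo, hi = min(xs), max(xs)
    if hi == lo:                       # degenerate input: no spread to encode
        return [0.0] * len(xs)
    return [(x - lo) / (hi - lo) for x in xs]


def quantize(x_norm, r):
    """Step (3): q = X_norm * 2^R, clamped so X_norm = 1 still fits in R bits."""
    return min(int(x_norm * 2 ** r), 2 ** r - 1)


def gray_bits(q, r):
    """Step (4): Gray code of q as an R-bit string."""
    return format(q ^ (q >> 1), f"0{r}b")


def delays_to_bits(samples, r):
    xs = normalize(correct_outliers(samples))
    return "".join(gray_bits(quantize(x, r), r) for x in xs)


def crc_bits(bits, poly=0b10011, width=4):
    """Remainder of bits * x^width divided by poly (assumed CRC-4)."""
    reg = 0
    for b in bits + "0" * width:
        reg = (reg << 1) | int(b)
        if reg >> width:
            reg ^= poly
    return reg


def groups(bits, size):
    """Whole groups only; a trailing partial group is dropped."""
    return [bits[i:i + size] for i in range(0, len(bits) - size + 1, size)]


def keep(key, mask, size):
    return "".join(g for g, ok in zip(groups(key, size), mask) if ok)


def negotiate(delays_a, delays_b, r=2, size=8):
    """Step (5): returns the session keys held by the first and second terminal."""
    key1, key2 = delays_to_bits(delays_a, r), delays_to_bits(delays_b, r)
    checks = [crc_bits(g) for g in groups(key1, size)]            # A -> B
    mask = [crc_bits(g) == c for g, c in zip(groups(key2, size), checks)]
    return keep(key1, mask, size), keep(key2, mask, size)         # mask: B -> A


if __name__ == "__main__":
    print("key1:", delays_to_bits(DELAYS_A, 2))
    print("key2:", delays_to_bits(DELAYS_B, 2))
    print("session keys:", negotiate(DELAYS_A, DELAYS_B))
```

With these assumed sizes every 8-bit group is accompanied by a 4-bit check code sent in the clear, so an observer of the reconciliation messages learns up to 4 bits about each group that survives.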
The present embodiment also provides a key exchange system based on network delay, as shown in fig. 1, which is composed of a first user terminal, a second user terminal, and at least 2 intermediate nodes, it should be noted that, the number of the intermediate nodes shown in fig. 1 is 4, but the number of the actual intermediate nodes may be far more than 4, and the number in fig. 1 is only illustrative and understood.
The first user terminal is used for writing a random number into a data packet and transmitting the data packet to the second user terminal through the intermediate nodes, wherein the random number represents the total number of transmissions of the data packet among the intermediate nodes.
The second user terminal is used for reading from the data packet, after receiving it, the information of the intermediate node that directly sent the data packet to the second user terminal. The second user terminal then transmits the data packet back to the first user terminal in the reverse direction.
Each intermediate node is used for randomly selecting the next-hop intermediate node to send the data packet to after receiving the data packet, and for writing the information of the last intermediate node into the data packet before transmitting it.
The session key is obtained from the one-way time delay with which the first user terminal and the second user terminal transmit the data packet.
The first user terminal is specifically configured to generate the data packet with a fixed length, generate a random number M carried in the data packet, and then send it to a randomly selected intermediate node, where M is a positive integer and represents the total number of transmissions of the data packet among the intermediate nodes; there are N intermediate nodes in total, N is a positive integer with N greater than or equal to 2, and each intermediate node is connected to the N-1 other nodes.
Each intermediate node is specifically configured to, after receiving the data packet, store the information of the data packet's previous node in a data stack of the local node, subtract 1 from the value of M in the data packet, and then randomly select one of the N-1 nodes connected to it to send the data packet to. This continues until the value of M becomes 0, at which point the data packet is sent directly to the second user terminal.
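The forwarding rule described above, as an added simulation that is not part of the patent text. The class and function names are hypothetical, and the reverse walk that pops each node's stack is an assumption about how the stored previous-hop information is used on the return trip.

```python
import random
import secrets

class Node:
    def __init__(self, name):
        self.name = name
        self.stack = []   # local data stack: one previous-hop record per visit

def forward(nodes, m, rng):
    """Carry one packet from terminal_1 through M random hops among N nodes."""
    if m < 1 or len(nodes) < 2:
        raise ValueError("need M >= 1 and N >= 2")
    packet = {"M": m, "last_node": None}
    prev, current = "terminal_1", rng.choice(nodes)
    path = []
    while True:
        current.stack.append(prev)            # remember where the packet came from
        packet["M"] -= 1                      # one transmission consumed
        packet["last_node"] = current.name    # written before sending onward
        path.append(current.name)
        if packet["M"] == 0:                  # hand over directly to terminal_2
            return packet, path
        prev = current.name
        # Pick uniformly among the N-1 other nodes this node is connected to.
        current = rng.choice([n for n in nodes if n is not current])

def reverse(nodes, packet):
    """Retrace the path from terminal_2 back to terminal_1 (assumed mechanism):
    each node pops its most recent previous-hop record and sends there."""
    by_name = {n.name: n for n in nodes}
    hop, path = packet["last_node"], []
    while hop != "terminal_1":
        path.append(hop)
        hop = by_name[hop].stack.pop()
    return path

def run_demo(n=4, m=6, seed=None):
    # A fixed seed makes the run repeatable for study; without one the
    # operating system's CSPRNG drives the hop choices.
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    nodes = [Node("node_%d" % i) for i in range(n)]
    packet, fwd = forward(nodes, m, rng)
    rev = reverse(nodes, packet)
    drained = all(not node.stack for node in nodes)
    return fwd, rev, drained

if __name__ == "__main__":
    fwd, rev, drained = run_demo(seed=7)
    print("forward:", fwd)
    print("reverse:", rev)
    print("stacks drained:", drained)
```

Because a node may be visited more than once, the stack (last in, first out) is what lets the return trip undo the visits in the right order.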
The first user terminal and the second user terminal are each used for recording the one-way time delay required by a data packet from sending to receiving as a group of feature data; acquiring the specified number of groups of feature data, correcting the abnormal values in all the feature data, and generating a 01 bit stream; and removing the differing bits in the 01 bit stream through information reconciliation to obtain the session key.
The first user terminal and the second user terminal are specifically configured to normalize the corrected feature data through linear normalization, so that all data lie between 0 and 1; to uniformly quantize the normalized feature data to obtain discrete sampling values, where the number of bits corresponding to a sampling value is taken as the quantization order; and to convert the quantized sampling values into a 01 bit stream by Gray coding.
The embodiment solves the problem that, in current internet communication, negotiation of the session key must depend on a trusted third-party key distribution authority. Problems such as center failure in the traditional PKI/CA system can make it impossible to verify whether a user's public key is trustworthy, which in turn affects the information security of users who negotiate session keys through a trusted third-party key distribution authority. With the key exchange method based on network delay, users can negotiate a communication key, and secure transmission of information is guaranteed.
The present embodiment also provides a key exchange device based on network latency. The communication key exchange device includes at least one processor and a memory, where the memory stores computer-executable instructions, and the at least one processor executes the computer-executable instructions stored in the memory, so that the communication key exchange device executes the above method flow.
The present embodiment also provides a storage medium, which stores a computer program or instructions; when the computer program or instructions are executed, the method flow described above is implemented. The steps of a method or algorithm described in connection with the disclosure herein may be embodied in hardware or in software instructions executed by a processor. The software instructions may consist of corresponding software modules, which may be stored in Random Access Memory (RAM), flash memory, Read Only Memory (ROM), Erasable Programmable Read Only Memory (EPROM), Electrically Erasable Programmable Read Only Memory (EEPROM), registers, a hard disk, a removable hard disk, a compact disc read only memory (CD-ROM), or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a core network interface device. Of course, the processor and the storage medium may also reside as discrete components in a core network interface device.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described herein may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on, or transmitted over, a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer.
The above embodiments describe the objects, technical solutions and advantages of the present application in further detail. It should be understood that the above embodiments are only examples of the present application and are not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present application should be included in the scope of the present application.

Claims (10)

1. A key exchange method based on network time delay is characterized by comprising the following steps:
a first user terminal writes a random number into a data packet and transmits the random number to a second user terminal through an intermediate node, wherein the random number represents the total transmission times of the data packet at the intermediate node;
after receiving the data packet, the second user terminal reads the information of the intermediate node which directly sends the data packet to the second user terminal from the data packet;
the second user terminal reversely transmits the data packet to the first user terminal;
and acquiring a session key by utilizing the one-way time delay of the first user terminal and the second user terminal for transmitting the data packet.
2. The method of claim 1, further comprising:
for any intermediate node, after receiving the data packet, randomly selecting a next hop intermediate node to send the data packet;
and writing the information of the last intermediate node into the data packet before transmitting the data packet.
3. The method of claim 1, wherein the first user terminal writes a random number into a data packet and transmits the random number to the second user terminal through the intermediate node, comprising:
the first user terminal generates the data packet with fixed length, generates a random number M carried in the data packet, and then sends the random number M to a randomly selected intermediate node, wherein M is a positive integer and represents the total transmission times of the data packet in the intermediate node, N intermediate nodes are totally arranged, each intermediate node is connected with other N-1 nodes, N is a positive integer, and N is more than or equal to 2;
and after an intermediate node receives the data packet, the intermediate node stores the information of the last node of the data packet in a data stack of the local node, subtracts 1 from the value of M in the data packet, and then randomly selects one node from the N-1 connected nodes to send the data packet to, until the value of M becomes 0, whereupon the data packet is sent directly to the second user terminal.
4. The method according to claim 1, further comprising, before said obtaining a session key using a one-way delay of the first user terminal and the second user terminal for transmitting the data packet, a step of:
the first user terminal and the second user terminal respectively record the one-way time delay required by the next data packet from sending to receiving, and the one-way time delay is used as a group of characteristic data;
acquiring characteristic data of a specified group number, correcting abnormal values in all the characteristic data, and then generating a 01 bit stream;
and removing different bits in the 01 bit stream through information reconciliation to obtain the session key.
5. The method of claim 4, wherein the correcting for outliers in all feature data comprises:
if the absolute value of the difference between the measured value of the characteristic data and the average value is greater than the product of the standard deviation and the Chauvenet coefficient, the measured value is determined to be an abnormal value.
6. The method of claim 4, wherein generating the 01 bit stream comprises:
normalizing the corrected characteristic data through linear normalization, and normalizing all data between 0 and 1;
uniformly quantizing the normalized characteristic data to obtain discrete sampling values, wherein the bit number corresponding to the sampling values is taken as a quantization order;
the quantized sample values are converted into a 01-bit stream by gray coding.
7. A key exchange system based on network time delay is characterized by comprising a first user terminal, a second user terminal and at least 2 intermediate nodes;
the first user terminal is used for writing a random number into a data packet and transmitting the random number to the second user terminal through the intermediate node, wherein the random number represents the total transmission times of the data packet at the intermediate node;
the second user terminal is configured to, after receiving the data packet, read information of an intermediate node that directly sends the data packet to the second user terminal from the data packet; then, the second user terminal transmits the data packet to the first user terminal in a reverse direction;
each intermediate node is used for randomly selecting a next hop intermediate node to send the data packet after receiving the data packet; writing the information of the last intermediate node into the data packet before sending the data packet;
and the session key is obtained by utilizing the one-way time delay of the first user terminal and the second user terminal for transmitting the data packet.
8. The system according to claim 7, wherein the first user terminal is specifically configured to generate the data packet with a fixed length, generate a random number M to be carried in the data packet, and then send the random number M to a randomly selected intermediate node, where M is a positive integer and represents a total number of transmission times of the data packet in the intermediate node, and there are N intermediate nodes in total, N is a positive integer and N ≧ 2, and each intermediate node is connected to N-1 other nodes;
each intermediate node is specifically configured to, after receiving the data packet, store information of a previous node of the data packet in a data stack of a local node, subtract 1 from the value M in the data packet, and then randomly select one node from N-1 nodes connected to the node to send the data packet; and directly sending the data packet to the second user terminal until the value of M is changed to 0.
9. A network latency based key exchange device, the communication key exchange device comprising at least one processor and a memory, the memory storing computer-executable instructions, the at least one processor executing the computer-executable instructions stored in the memory to cause the communication key exchange device to perform the method of any of claims 1 to 6.
10. A storage medium, storing a computer program or instructions which, when executed, implement the method of any one of claims 1 to 6.
CN202010772187.2A 2020-08-04 2020-08-04 Key exchange method, system, equipment and storage medium based on network time delay Active CN111988288B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010772187.2A CN111988288B (en) 2020-08-04 2020-08-04 Key exchange method, system, equipment and storage medium based on network time delay
PCT/CN2020/117988 WO2022027807A1 (en) 2020-08-04 2020-09-27 Network latency-based key exchange method, system, and device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010772187.2A CN111988288B (en) 2020-08-04 2020-08-04 Key exchange method, system, equipment and storage medium based on network time delay

Publications (2)

Publication Number Publication Date
CN111988288A true CN111988288A (en) 2020-11-24
CN111988288B CN111988288B (en) 2021-11-23

Family

ID=73444491

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010772187.2A Active CN111988288B (en) 2020-08-04 2020-08-04 Key exchange method, system, equipment and storage medium based on network time delay

Country Status (2)

Country Link
CN (1) CN111988288B (en)
WO (1) WO2022027807A1 (en)

Also Published As

Publication number Publication date
CN111988288B (en) 2021-11-23
WO2022027807A1 (en) 2022-02-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant