CN112291179B - Method, system and device for realizing equipment authentication - Google Patents
Method, system and device for realizing equipment authentication Download PDFInfo
- Publication number
- CN112291179B CN112291179B CN201910662994.6A CN201910662994A CN112291179B CN 112291179 B CN112291179 B CN 112291179B CN 201910662994 A CN201910662994 A CN 201910662994A CN 112291179 B CN112291179 B CN 112291179B
- Authority
- CN
- China
- Prior art keywords
- network
- network node
- authenticated
- authentication
- random number
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0852—Quantum cryptography
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The embodiment of the application discloses a method, a system and a device for realizing equipment authentication, when a network equipment to be authenticated is accessed to a first network node, a public key is obtained from an equipment authentication server, a shared quantum true random number is encrypted by using the public key to generate a ciphertext of the shared quantum true random number, then the network equipment to be authenticated sends the ciphertext and authentication related information to the first network node, the first network node constructs a decryption private key according to a root key and the authentication related information stored by the first network node, the ciphertext is decrypted by using the private key to obtain a plaintext of the shared quantum true random number, and the decrypted plaintext of the shared quantum true random number is compared with whether the shared quantum true random number is consistent or not, so that the network equipment to be authenticated is authenticated by the first network node.
Description
Technical Field
The present application relates to the field of quantum communication technologies, and in particular, to a method, a system, and an apparatus for implementing device authentication.
Background
Quantum communication is a novel interdiscipline developed in the last two decades and is a new research field combining quantum theory and information theory. Recently, the subject has gradually gone from theory to experiment and developed to practicality. Efficient and secure information transfer is receiving increasing attention.
Physically, quantum communication can be understood as high performance communication achieved by quantum effects under physical limits. In informatics, quantum communication is considered to complete information transfer between two places by using the basic principles of quantum mechanics (such as quantum state unclonable principle, quantum state measurement collapse property and the like) or by using quantum state invisible transmission and other subsystem specific attributes and a quantum measurement method.
Quantum cryptography based on Quantum Key Distribution (QKD) protocols is one of the most important practical applications of Quantum communication at the present stage. The traditional cryptography is a mathematical-based cryptosystem, while the quantum cryptography is based on quantum mechanics, and the safety of the quantum cryptography is established on the physical characteristics of the inaccurate measurement principle, quantum non-clonable, quantum coherence and the like, and is proved to be unconditionally safe.
Quantum cryptography networks are a secure communication network that employs quantum cryptography. The quantum cryptography network is constructed by a classical communication network and a quantum communication network. The quantum communication network mainly comprises QKD terminal equipment and quantum channels, is used for key distribution and generates quantum keys for encrypted communication. Classical communication networks use quantum keys to enable encrypted transmission of communication data. The network nodes of the quantum cryptography network comprise two types of terminal nodes and relay nodes according to the positions and functions of the nodes in the network, and each type of node simultaneously comprises a classical communication terminal used for a classical communication network and a QKD terminal device connected to the quantum communication network. The QKD terminal equipment realizes quantum key distribution through a QKD network to obtain a quantum key; the classical communication terminal uses the quantum key to realize the encrypted communication of the classical data.
The quantum cryptography network is an encryption communication network with higher security level requirements, and even unconditional security of communication is required. Because the unconditional safety of channel communication between nodes can be ensured by adopting the safety quantum key to carry out one-time pad encryption communication, the safety of the network node, particularly the relay node, determines the possible safety level of the whole network. With the expansion of network scale, new network nodes are continuously accessed, and the validity of the original network nodes is also likely to change. How to ensure that quantum key distribution is performed between legal node devices to generate a secure quantum key and how to ensure that only the legal device can obtain a key distribution service of a quantum cryptography network becomes crucial for authentication of network devices.
The network equipment authentication in the quantum cipher network is an important safety mechanism for ensuring the safety of network nodes, and the aim is to determine the legality of network equipment by authenticating the identity of the network equipment accessed to the quantum cipher network, so that only legal equipment can use various resources of the quantum cipher network, mainly comprising quantum links, classical link connections and quantum keys generated by quantum key distribution, and simultaneously ensuring that the resources (network connections and quantum keys) of the legal equipment are not embezzled by illegal equipment.
In the prior art, a device authentication method based on a symmetric key is usually adopted to conveniently realize access authentication of a device and update of an authentication key by using rich symmetric key resources of a quantum cryptography network. However, the device authentication method based on the symmetric key has the disadvantages that it needs to establish a Certificate Authority (CA), the CA needs to manage a large number of authentication keys, network congestion and serious delay are easy to occur in communication, and once the CA is attacked, the device authentication service may be in a disabled state.
Disclosure of Invention
In view of this, embodiments of the present application provide a method, a system, and an apparatus for implementing device authentication, so as to solve the technical problem that in the prior art, an authentication center is under excessive pressure in a network device authentication process of a quantum cryptography network.
In order to solve the above problem, the technical solution provided by the embodiment of the present application is as follows:
a method of enabling device authentication, the method comprising:
a first network node and a second network node generate a shared quantum true random number through a Quantum Key Distribution (QKD) network, wherein the second network node is a network node connected with a network device to be authenticated;
the network equipment to be authenticated acquires the shared quantum true random number from the second network node, encrypts the shared quantum true random number by using a public key, and generates a ciphertext of the shared quantum true random number, wherein the public key is acquired from an equipment authentication server, the public key is generated by the equipment authentication server according to a private key, and the private key is constructed by the equipment authentication server according to a root key of the first network node and authentication related information of the network equipment to be authenticated; or, the public key is generated by the first network node according to the private key and sent to the device authentication server, the private key is constructed by the first network node according to the root key and the authentication related information of the network device to be authenticated, and the authentication related information of the network device to be authenticated is acquired by the first network node from the device authentication server;
the network equipment to be authenticated sends the ciphertext of the shared quantum true random number and the authentication related information to the first network node through the second network node;
the first network node constructs the private key according to the authentication related information and a root key stored by the first network node;
the first network node decrypts the ciphertext of the shared quantum true random number by using the private key to generate a plaintext of the shared quantum true random number;
and the first network node compares whether the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, if so, the authentication of the network equipment to be authenticated is determined to pass, and if not, the authentication of the network equipment to be authenticated is determined not to pass.
In one possible implementation manner, the first network node is a relay node in a quantum cryptography network.
In a possible implementation manner, the authentication related information includes identification information of the network device to be authenticated and network location information of the second network node.
In one possible implementation, before the first network node and the second network node generate the shared quantum true random number through the QKD network, the method further includes:
a first network node receives an authentication request sent by network equipment to be authenticated, wherein the authentication request comprises network position information of a second network node;
the first network node judges whether the network position information of the second network node is consistent with the network position information of the second network node in the authentication request sent by the network equipment to be authenticated last time, if so, the first network node and the second network node generate a shared quantum true random number through a QKD network and follow-up steps are executed, and if not, the authentication of the network equipment to be authenticated is determined not to pass.
In one possible implementation, the method further includes:
and the first network node receives and stores the updated root key sent by the equipment authentication server.
In one possible implementation, the method further includes:
after determining that the authentication of the network equipment to be authenticated passes, the first network node records network access information of the network equipment to be authenticated, wherein the network access information comprises network position information of the second network node.
In one possible implementation, a quantum link exists between the first network node and the second network node for quantum key distribution.
A method of enabling device authentication, the method comprising:
a first network node and a second network node generate a shared quantum true random number through a Quantum Key Distribution (QKD) network, wherein the second network node is a network node connected with a network device to be authenticated;
the first network node receives the ciphertext of the shared quantum true random number and the authentication related information of the network equipment to be authenticated, which are sent by the network equipment to be authenticated through the second network node; the cipher text of the shared quantum true random number is generated by encrypting the shared quantum true random number acquired from the second network node by the network equipment to be authenticated by using a public key, the public key is acquired by the network equipment to be authenticated from an equipment authentication server, the equipment authentication server is used for constructing a private key according to a root key of the first network node and authentication related information of the network equipment to be authenticated, and generating the public key according to the private key; or, the device authentication server receives the public key sent by the first network node, where the public key is generated by the first network node according to the private key, the private key is constructed by the first network node according to the root key and the authentication related information of the network device to be authenticated, and the authentication related information of the network device to be authenticated is obtained by the first network node from the device authentication server;
the first network node constructs the private key according to the authentication related information and a root key stored by the first network node;
the first network node decrypts the ciphertext of the shared quantum true random number by using the private key to generate a plaintext of the shared quantum true random number;
and the first network node compares whether the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, if so, the authentication of the network equipment to be authenticated is determined to pass, and if not, the authentication of the network equipment to be authenticated is determined not to pass.
In one possible implementation manner, the first network node is a relay node in a quantum cryptography network.
In a possible implementation manner, the authentication related information includes identification information of the network device to be authenticated and network location information of the second network node.
In one possible implementation, before the first network node and the second network node generate the shared quantum true random number through the QKD network, the method further includes:
a first network node receives an authentication request sent by network equipment to be authenticated, wherein the authentication request comprises network position information of a second network node;
the first network node judges whether the network position information of the second network node is consistent with the network position information of the second network node in the authentication request sent by the network equipment to be authenticated last time, if so, the first network node and the second network node generate a shared quantum true random number through a QKD network and follow-up steps are executed, and if not, the authentication of the network equipment to be authenticated is determined not to pass.
In one possible implementation, the method further includes:
and the first network node receives and stores the updated root key sent by the equipment authentication server.
In one possible implementation, the method further includes:
after determining that the authentication of the network equipment to be authenticated passes, the first network node records network access information of the network equipment to be authenticated, wherein the network access information comprises network position information of the second network node.
In one possible implementation, a quantum link exists between the first network node and the second network node for quantum key distribution.
A method of enabling device authentication, the method comprising:
the method comprises the steps that the network equipment to be authenticated acquires a public key from an equipment authentication server, wherein the public key is generated by the equipment authentication server according to a private key, and the private key is constructed by the equipment authentication server according to a root key of a first network node and authentication related information of the network equipment to be authenticated; or, the public key is generated by the first network node according to the private key and sent to the device authentication server, the private key is constructed by the first network node according to the root key and the authentication related information of the network device to be authenticated, and the authentication related information of the network device to be authenticated is acquired by the first network node from the device authentication server;
the network equipment to be authenticated acquires a shared quantum true random number from a second network node, encrypts the shared quantum true random number by using the public key, and generates a ciphertext of the shared quantum true random number; the second network node is a network node connected with the network equipment to be authenticated; the shared quantum true random number is generated by the first network node and the second network node through a Quantum Key Distribution (QKD) network;
the network equipment to be authenticated sends the ciphertext of the shared quantum true random number and the authentication related information to the first network node through the second network node, so that the first network node constructs the private key according to the authentication related information and a root key stored by the first network node; decrypting the ciphertext of the shared quantum true random number by using the private key to generate a plaintext of the shared quantum true random number; and comparing whether the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, if so, determining that the authentication of the network equipment to be authenticated is passed, and if not, determining that the authentication of the network equipment to be authenticated is not passed.
In one possible implementation manner, the first network node is a relay node in a quantum cryptography network.
In a possible implementation manner, the authentication related information includes identification information of the network device to be authenticated and network location information of the second network node.
In one possible implementation, before the network device to be authenticated acquires the shared quantum true random number from the second network node, the method further includes:
the network equipment to be authenticated sends an authentication request to the first network node, wherein the authentication request comprises network position information of the second network node, so that the first network node judges whether the network position information of the second network node is consistent with the network position information of the second network node in the authentication request sent by the network equipment to be authenticated last time, if so, the first network node and the second network node generate a shared quantum true random number through a QKD network and follow-up steps, and if not, the authentication of the network equipment to be authenticated is determined not to pass.
In a possible implementation manner, the root key stored by the first network node itself is updated according to the updated root key sent by the device authentication server.
In a possible implementation manner, if the first network node determines that the authentication of the network device to be authenticated passes, the network access information of the network device to be authenticated is stored in the first network node, and the network access information includes the network location information of the second network node.
In one possible implementation, a quantum link exists between the first network node and the second network node for quantum key distribution.
A system for implementing device authentication, the system comprising: the network authentication system comprises a first network node, a second network node and network equipment to be authenticated; the first network node communicates with the network equipment to be authenticated through the second network node;
the first network node is used for generating a shared quantum true random number with the second network node through a Quantum Key Distribution (QKD) network, and the second network node is a network node connected with the network equipment to be authenticated;
the network device to be authenticated is configured to obtain the shared quantum true random number from the second network node, encrypt the shared quantum true random number using a public key, and generate a ciphertext of the shared quantum true random number, where the public key is obtained from a device authentication server, the public key is generated by the device authentication server according to a private key, and the private key is constructed according to a root key of the first network node and authentication-related information of the network device to be authenticated;
the first network node is further configured to receive the authentication-related information sent by the device authentication server, construct the private key according to the authentication-related information and the root key, and generate the public key according to the private key;
the network device to be authenticated is further configured to send the ciphertext of the shared quantum true random number and the authentication related information to the first network node through the second network node;
the first network node is further configured to construct the private key according to the authentication related information and a root key stored by the first network node;
the first network node is further configured to decrypt the ciphertext of the shared quantum true random number by using the private key to generate a plaintext of the shared quantum true random number;
the first network node is further configured to compare whether a plaintext of the shared quantum true random number is consistent with the shared quantum true random number, determine that the authentication of the network device to be authenticated passes if the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, and determine that the authentication of the network device to be authenticated does not pass if the plaintext of the shared quantum true random number is inconsistent with the shared quantum true random number.
In one possible implementation manner, the first network node is a relay node in a quantum cryptography network.
In a possible implementation manner, the authentication related information includes identification information of the network device to be authenticated and network location information of the second network node.
In a possible implementation manner, the first network node is further configured to receive an authentication request sent by a network device to be authenticated before the first network node and the second network node generate a shared quantum true random number through a QKD network, where the authentication request includes network location information of the second network node;
the first network node is further configured to determine whether the network location information of the second network node is consistent with the network location information of the second network node included in the authentication request sent last time by the network device to be authenticated, if so, execute the steps of generating a shared quantum true random number by the first network node and the second network node through a QKD network and performing the subsequent steps, and if not, determine that the authentication of the network device to be authenticated does not pass.
In a possible implementation manner, the first network node is further configured to receive and store the updated root key sent by the device authentication server.
In a possible implementation manner, the first network node is further configured to record network access information of the network device to be authenticated after the first network node determines that the network device to be authenticated passes authentication, where the network access information includes network location information of the second network node.
In one possible implementation, a quantum link exists between the first network node and the second network node for quantum key distribution.
An apparatus to enable device authentication, the apparatus comprising:
the generation unit is used for generating a shared quantum true random number by a first network node and a second network node through a Quantum Key Distribution (QKD) network, wherein the second network node is a network node connected with the network equipment to be authenticated;
a first receiving unit, configured to receive, by the first network node, a ciphertext of the shared quantum true random number and authentication related information of the network device to be authenticated, where the ciphertext is sent by the network device to be authenticated through the second network node; the cipher text of the shared quantum true random number is generated by encrypting the shared quantum true random number acquired from the second network node by the network equipment to be authenticated by using a public key, the public key is acquired by the network equipment to be authenticated from an equipment authentication server, the equipment authentication server is used for constructing a private key according to a root key of the first network node and authentication related information of the network equipment to be authenticated, and generating the public key according to the private key; or, the device authentication server receives the public key sent by the first network node, where the public key is generated by the first network node according to the private key, the private key is constructed by the first network node according to the root key and the authentication related information of the network device to be authenticated, and the authentication related information of the network device to be authenticated is obtained by the first network node from the device authentication server;
the construction unit is used for constructing the private key by the first network node according to the authentication related information and a root key stored by the first network node;
the decryption unit is used for decrypting the ciphertext of the shared quantum true random number by the first network node by using the private key to generate a plaintext of the shared quantum true random number;
and the comparison unit is used for comparing whether the plaintext of the shared quantum true random number is consistent with the shared quantum true random number or not by the first network node, if so, determining that the authentication of the network equipment to be authenticated is passed, and if not, determining that the authentication of the network equipment to be authenticated is not passed.
In one possible implementation manner, the first network node is a relay node in a quantum cryptography network.
In a possible implementation manner, the authentication related information includes identification information of the network device to be authenticated and network location information of the second network node.
In one possible implementation, the apparatus further includes:
a second receiving unit, configured to receive, by the first network node, an authentication request sent by a network device to be authenticated before the generation unit executes, where the authentication request includes network location information of the second network node;
a determining unit, configured to determine, by the first network node, whether the network location information of the second network node is consistent with the network location information of the second network node included in the authentication request sent by the network device to be authenticated last time, if so, execute the generating unit and the subsequent steps, and if not, determine that the authentication of the network device to be authenticated does not pass.
In one possible implementation, the apparatus further includes:
a third receiving unit, configured to receive and store, by the first network node, the updated root key sent by the device authentication server.
In one possible implementation, the apparatus further includes:
and the recording unit is used for recording the network access information of the network equipment to be authenticated when the comparison result of the comparison unit is that the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, wherein the network access information comprises the network position information of the second network node.
In one possible implementation, a quantum link exists between the first network node and the second network node for quantum key distribution.
An apparatus to enable device authentication, the apparatus comprising:
the network equipment to be authenticated acquires a public key from an equipment authentication server, wherein the public key is generated by the equipment authentication server according to a private key, and the private key is constructed by the equipment authentication server according to a root key of a first network node and authentication related information of the network equipment to be authenticated; or, the public key is generated by the first network node according to the private key and sent to the device authentication server, the private key is constructed by the first network node according to the root key and the authentication related information of the network device to be authenticated, and the authentication related information of the network device to be authenticated is acquired by the first network node from the device authentication server;
a second obtaining unit, configured to obtain, by the network device to be authenticated, a shared quantum true random number from a second network node, encrypt the shared quantum true random number using the public key, and generate a ciphertext of the shared quantum true random number; the second network node is a network node connected with the network equipment to be authenticated; the shared quantum true random number is generated by the first network node and the second network node through a Quantum Key Distribution (QKD) network;
the first sending unit is used for sending the ciphertext of the shared quantum true random number and the authentication related information to the first network node through the second network node by the network device to be authenticated so that the first network node constructs the private key according to the authentication related information and a root key stored by the first network node; decrypting the ciphertext of the shared quantum true random number by using the private key to generate a plaintext of the shared quantum true random number; and comparing whether the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, if so, determining that the authentication of the network equipment to be authenticated is passed, and if not, determining that the authentication of the network equipment to be authenticated is not passed.
In one possible implementation manner, the first network node is a relay node in a quantum cryptography network.
In a possible implementation manner, the authentication related information includes identification information of the network device to be authenticated and network location information of the second network node.
In one possible implementation, the apparatus further includes:
a second sending unit, configured to send, before the second obtaining unit is executed, an authentication request to the first network node by the network device to be authenticated, where the authentication request includes network location information of the second network node, so that the first network node determines whether the network location information of the second network node is consistent with the network location information of the second network node included in the authentication request sent by the network device to be authenticated last time, if so, execute the steps of generating a shared quantum true random number through a QKD network by the first network node and the second network node, and if not, determine that the authentication of the network device to be authenticated does not pass.
In a possible implementation manner, the root key stored by the first network node itself is updated according to the updated root key sent by the device authentication server.
In a possible implementation manner, if the first network node determines that the authentication of the network device to be authenticated passes, the network access information of the network device to be authenticated is stored in the first network node, and the network access information includes the network location information of the second network node.
In one possible implementation, a quantum link exists between the first network node and the second network node for quantum key distribution.
Therefore, the embodiment of the application has the following beneficial effects:
in the embodiment of the application, when the network equipment to be authenticated needs to access a first network node, the network equipment to be authenticated sends authentication related information to an equipment authentication server, the equipment authentication server constructs a private key according to a root key of the first network node and the authentication related information of the network equipment to be authenticated, then generates a public key according to the private key, the network equipment to be authenticated obtains the public key, encrypts a shared quantum true random number generated by the first network node and a second network node through a quantum key distribution QKD network by using the public key to generate a ciphertext of the shared quantum true random number, then the network equipment to be authenticated sends the ciphertext and the authentication related information to the first network node, the first network node constructs a decryption key, namely the private key, according to the root key stored by the first network node and the authentication related information, decrypts the ciphertext by using the private key to obtain a plaintext of the shared quantum true number, the first network node judges whether the decrypted plaintext of the shared quantum true random number is consistent with the shared quantum true random number or not, so that the first network node authenticates the network equipment to be authenticated, the problem that an authentication center is over-stressed in key management and authentication communication in an authentication mode based on a symmetric key is solved, and the load of an equipment authentication server is reduced. In addition, the embodiment of the application utilizes a public key encryption mode and a private key decryption mode to carry out authentication, so that the security of the secret key is improved, and malicious attacks are avoided.
Drawings
Fig. 1 is a schematic diagram of a framework of an exemplary application scenario provided in an embodiment of the present application;
fig. 2 is a signaling interaction diagram for implementing device authentication according to an embodiment of the present disclosure;
fig. 3 is another signaling interaction diagram for implementing device authentication according to an embodiment of the present application;
fig. 4 is a flowchart of a method for implementing device authentication by a first network node according to an embodiment of the present application;
fig. 5 is a flowchart of a method for implementing device authentication by a network device to be authenticated according to an embodiment of the present application;
fig. 6 is a diagram of a system structure for implementing device authentication according to an embodiment of the present disclosure;
fig. 7 is a structural diagram of an apparatus for implementing device authentication according to an embodiment of the present disclosure;
fig. 8 is a block diagram of another apparatus for implementing device authentication according to an embodiment of the present disclosure.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, embodiments accompanying the drawings are described in detail below.
In order to facilitate understanding of the technical solutions provided in the present application, the following first describes the background art of the present application.
The inventor finds in research on a conventional symmetric key-based authentication method that a CA needs to be established in the symmetric key-based device authentication method, the CA manages a large number of authentication keys, and communication authentication is performed with a device to be authenticated. However, when a network fails or network congestion occurs, smooth execution of the authentication process may be affected. Moreover, when the CA is attacked, it may cause the device authentication service to be in a paralyzed state, which may affect the normal communication of the device.
Based on this, the embodiment of the present application provides a method for implementing device authentication, where the method is an authentication method based on a public key, and for a network device to be authenticated to be accessed to a first network node, a public key is obtained from a device authentication server in advance. The method comprises the steps that a first network node and a second network node where a network device to be authenticated is located generate a shared quantum true random number through a Quantum Key Distribution (QKD) network, the shared quantum true random number is sent to the network device to be authenticated, the shared quantum true random number is encrypted by the network device to be authenticated through a public key to obtain a ciphertext of the shared quantum true random number, the ciphertext and authentication related information are sent to the first network node through the second network node, the first network node constructs a private key according to the received authentication related information and a root key stored by the first network node, the ciphertext is decrypted through the private key to obtain a plaintext of the shared quantum true random number, and the first network node compares whether the shared quantum true random number is consistent with the plaintext of the shared quantum true random number or not, so that authentication of the network device to be authenticated is achieved. Therefore, the method provided by the embodiment of the application authenticates the network node to be accessed by the network equipment to be authenticated, avoids the problem that the authentication center is over-stressed in key management and authentication communication in an authentication mode based on a symmetric key, and reduces the load of the equipment authentication server. In addition, the embodiment of the application utilizes a public key encryption mode and a private key decryption mode to carry out authentication, so that the security of the secret key is improved, and malicious attacks are avoided.
Referring to fig. 1, which is a schematic diagram of a framework of an exemplary application scenario provided in an embodiment of the present application, in the diagram, a network device to be authenticated 40 has access to a second network node 30 and is about to access a first network node 20. The device authentication server 10 generates a private key according to the authentication related information sent by the network device 40 to be authenticated and the root key of the first network node 20, and then generates a public key according to the private key. Alternatively, the first network node 20 generates a private key according to the authentication-related information and the root key sent by the device authentication server 10, generates a public key according to the private key, and sends the public key to the device authentication server 10. The network device to be authenticated 40 acquires the public key from the device authentication server 10, and encrypts the public key to obtain a ciphertext. The first network node 20 generates a private key according to the root key and the authentication related information of the network device 40 to be authenticated, and decrypts the ciphertext by using the private key, so as to authenticate the network device to be authenticated.
Those skilled in the art will appreciate that the block diagram shown in fig. 1 is only one example in which embodiments of the present application may be implemented. The scope of applicability of the embodiments of the present application is not limited in any way by this framework.
It should be noted that the network device to be authenticated 40 in the embodiment of the present application may be any user equipment existing, developing or developed in the future, capable of interacting with the first network node 20 and the second network node 30 through any form of wired and/or wireless connection (e.g., Wi-Fi, LAN, cellular, coaxial cable, etc.), including but not limited to: existing, developing, or future developing QKD terminal devices, smart phones, non-smart phones, tablet computers, laptop personal computers, desktop personal computers, minicomputers, midrange computers, mainframe computers, and the like. Wherein the second network node 20 and the second network node 30 may be one example of existing, developing or future developed devices with relay functionality. It should also be noted that the device authentication server 10 in the embodiment of the present application may be an example of an existing, developing or future-developed device capable of providing a network access authentication service to a user, and the embodiment of the present application is not limited in this respect.
It should be noted that, in order to facilitate subsequent understanding, in this embodiment, R identifies the shared quantum true random number, a identifies the public key, S identifies the private key, K identifies the root key, and C identifies the ciphertext of the shared quantum true random number, and R' identifies the plaintext of the shared quantum true random number obtained after decryption.
In order to facilitate understanding of the technical solutions of the present application, the method for implementing device authentication provided in the present application will be described below with reference to the accompanying drawings.
Referring to fig. 2, which is a signaling interaction diagram for implementing device authentication according to an embodiment of the present application, as shown in fig. 2, the method may include:
s201: and the first network node and the second network node generate a shared quantum true random number through a quantum key distribution network.
In this embodiment, when a network device to be authenticated, which has access to a second network node, needs to access a first network node, the network device to be authenticated may send an authentication request to the first network node through the second network node, and after the first network node receives the authentication request, the first network node and the second network node generate a shared quantum true random number through a quantum key distribution network.
The shared quantum true random number can be regarded as a quantum key generated by the first network node and the second network node through QKD network negotiation, and the first network node and the second network node can perform quantum key distribution through the quantum links.
In practical application, the first network node may be a relay node in a quantum cryptography network, and the second network node may be a node that can access a device in the quantum cryptography network, and may be either a relay node or a terminal node. The relay node can provide a forwarding function for other network nodes and/or access equipment; the terminal node may provide a network access service for the access device.
It can be understood that, in this embodiment, both the first network node and the second network node may directly communicate with the device authentication server, and the first network node and the second network node may also directly communicate.
S202: and the network equipment to be authenticated acquires the shared quantum true random number from a second network node, encrypts the shared quantum true random number by using a public key, and generates a ciphertext of the shared quantum true random number.
In this embodiment, after the first network node and the second network node generate the shared quantum true random number R through the QKD network negotiation, the second network node sends the shared quantum true random number R to the network device to be authenticated, so that the network device to be authenticated encrypts the shared quantum true random number R by using the public key a to generate a ciphertext C of the shared quantum random number R, so as to perform network access authentication by using the ciphertext C.
The network device to be authenticated is a network access device to be authenticated, and may be a QKD device, a computer device, or some other network access devices, a direct-connected quantum link exists between a second network node where the network device to be authenticated is located and a first network node to be accessed, the network device to be authenticated needs to be registered in an equipment authentication server in advance before network access, a network access public key a is obtained, and network access authentication is performed on a permitted first network node through the public key a, so that the network device to be authenticated is ensured to be accessed to a network at a permitted first network node.
The public key a is obtained by the network device to be authenticated from the device authentication server, and may be directly generated by the device authentication server, or may be generated by the first network node and sent to the device authentication server. Specifically, the public key A is generated by the equipment authentication server according to a private key S, and the private key S is constructed by the equipment authentication server according to a root key K of the first network node and authentication related information I of the network equipment to be authenticated; the public key A is generated by the first network node according to the private key S and is sent to the equipment authentication server, the private key S is constructed by the first network node according to the root key K and the authentication related information I of the network equipment to be authenticated, and the authentication related information (I) of the network equipment to be authenticated is acquired by the first network node from the equipment authentication server. In practical application, in order to improve authentication security, the first network node may periodically update the root key K, so as to prevent public key information from being leaked.
It should be noted that, in this embodiment, the network device to be authenticated encrypts the shared quantum true random number generated by the first network node using the authentication key, that is, the public key a, so as to implement the binding of the line and the network location during network access authentication, and meanwhile, the shared quantum true random number can protect the authentication key information during each network access authentication, thereby preventing the authentication key information from being leaked.
In practical application, the network device to be authenticated sends authentication related information I to the device authentication server through the second network node, when the device authentication server receives the authentication related information I, a private key S is constructed according to a root key K of a first network node to which the network device to be authenticated is to be accessed, then a public key A is generated according to the private key and a certain algorithm, and finally the device authentication server sends the public key A to the network device to be authenticated through the second network node. Wherein the root key K of the first network node is assigned by the device authentication server.
The authentication related information may include identification information of the network device to be authenticated and network location information of the second network node. The identification information of the network device to be authenticated is used to uniquely identify the device, and is used to distinguish other network devices, specifically, the identification information may be an ID, a production serial number, and the like of the network device to be authenticated. The network location information of the second network node is used to identify the location of the second network node in the network, and may be an IP address or a port number of the second network node, so that the device authentication server may identify the network location of the second network.
It can be understood that the authentication key of each network device to be authenticated, i.e. the public key a, corresponds to the unique private key S, and the private key S is generated by the root key K of the first network node and the authentication related information I of the network device to be authenticated, and the authentication related information is information preset by the network device to be authenticated, but the illegal device cannot acquire or set the authentication related information, so as to prevent the illegal device from stealing and reusing the authentication key.
It should be noted that, in practical application, the device authentication server may allocate a unique root key K to all first network nodes in the network, record the root key K corresponding to each first network node, and send the root key K corresponding to each first network node to the corresponding first network node, so that the first network node stores the root key K corresponding to itself. In order to further improve the authentication security, the device authentication server may update the root keys K of all the first network nodes at regular time, and then send the updated root keys K to the corresponding first network nodes.
Therefore, in a possible implementation manner of the embodiment of the present application, the first network node may receive and store the updated root key K sent by the device authentication server, so that the first network node performs S204 using the updated root key K.
In addition, because the root keys K of different first network nodes are different, the legal network equipment to be authenticated is limited to be accessed to the first network node corresponding to the public key A only through the public key A, and an attacker is prevented from stealing the legal network equipment to be authenticated to perform illegal access. Moreover, each first network node can authenticate different network devices to be authenticated only by distributing one root key K, so that the complexity of key management is reduced.
S203: and the network equipment to be authenticated sends the ciphertext sharing the quantum true random number and the authentication related information to the first network node through the second network node.
In this embodiment, the network device to be authenticated sends the ciphertext C of the shared quantum true random number used for network access authentication and the authentication related information I to the first network node, so that the first network node executes S204 according to the received authentication related information I.
S204: and the first network node constructs a private key according to the authentication related information and the root key stored by the first network node.
In this embodiment, the first network node generates a private key S according to the received authentication related information I and the root key K stored in the first network node, so that the first network node decrypts by using the private key S. The private key S and the public key A generated by the equipment authentication server form a key pair.
S205: and the first network node decrypts the ciphertext of the shared quantum true random number by using the private key to generate a plaintext of the shared quantum true random number.
In this embodiment, the first network node decrypts the received ciphertext C of the shared quantum true random number by using the private key S constructed by the first network node, so as to obtain a plaintext R 'of the shared quantum true random number, so as to authenticate the network device to be authenticated by using the plaintext R' of the shared quantum true random number and the shared quantum true random number R.
S206: and the first network node compares whether the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, if so, the authentication of the network equipment to be authenticated is determined to pass, and if not, the authentication of the network equipment to be authenticated is determined not to pass.
In this embodiment, since the shared quantum true random number is generated by a first network node and a second network node through a QKD network negotiation, the first network node stores an original shared quantum true random number R, and when the first network node decrypts the shared quantum true random number encrypted by using a public key a and sent by a device to be authenticated by using a private key S constructed by the first network node itself to obtain a plaintext of the shared quantum true random number, the original shared quantum true random number stored by the first network node itself is compared with the plaintext of the shared quantum true random number to determine whether the two are identical, and if so, it indicates that the network device to be authenticated is a legitimate device, and it is determined that the network device to be authenticated passes authentication; if the network equipment to be authenticated is not consistent, the network equipment to be authenticated is illegal equipment, and the first network node is not allowed to be accessed, the authentication of the network equipment to be authenticated is determined not to pass.
Through the embodiments, when the network device to be authenticated needs to access the first network node, the network device to be authenticated acquires the public key from the device authentication server, encrypts the shared quantum true random number generated by the first network node and the second network node through the quantum key distribution QKD network by using the public key to generate the ciphertext of the shared quantum true random number, then the network device to be authenticated sends the ciphertext and the authentication related information to the first network node, the first network node constructs a decryption key, namely a private key, according to the root key stored by the first network node and the authentication related information, decrypts the ciphertext by using the private key to obtain the plaintext of the shared quantum true random number, and the first network node determines whether the plaintext of the shared quantum true random number decrypted by comparison is consistent with the shared quantum true random number or not, thereby realizing the authentication of the network device to be authenticated by the first network node, the problem that the authentication center is over stressed in key management and authentication communication in an authentication mode based on a symmetric key is solved, and the load of the equipment authentication server is reduced. In addition, the embodiment of the application utilizes a public key encryption mode and a private key decryption mode to carry out authentication, so that the security of the secret key is improved, and malicious attacks are avoided.
In a possible implementation manner of the embodiment of the present application, after the first network node determines that the authentication of the network device to be authenticated passes, network access information of the network device to be authenticated may be recorded, where the network access information may include network location information of the second network node.
In this embodiment, after the network device to be authenticated passes the authentication, the first network node records the network location information of the second network node where the network device to be authenticated is located, so that when other network devices to be authenticated in the second network node or the device to be accessed accesses the first network node again, the recorded network location information of the second network node is used to compare with the network location information of the second network node in the authentication related information sent by the network device to be authenticated.
In a possible implementation manner of the embodiment of the present application, before the first network node and the second network node generate the shared quantum true random number through the QKD network, the device authentication method further includes: a first network node receives an authentication request sent by network equipment to be authenticated, wherein the authentication request comprises network position information of a second network node; the first network node judges whether the network position information of the second network node is consistent with the network position information of the second network node included in the authentication request sent by the network equipment to be authenticated last time, if so, the first network node and the second network node generate a shared quantum true random number through a QKD network and follow-up steps are executed, and if not, the authentication of the network equipment to be authenticated is determined not to pass.
In this embodiment, when the network device to be authenticated passes the last authentication, the first network node may record network location information of a second network node where the network device to be authenticated is located, and when the network device to be authenticated accesses the first network node again, the first network node may compare the location information of the second network node in the authentication request sent by the network device to be authenticated with the location information of the second network node recorded in advance, and if the two are the same, perform subsequent authentication; if the two are different, the authentication is terminated.
By the method, in order to avoid waste of authentication resources caused by access of the network equipment to be authenticated in a non-current network, before the network equipment to be authenticated is authenticated, the first network node can also authenticate network position information of the second network node included in an authentication request sent by the network equipment to be authenticated, when the authentication is passed, the generation of a shared quantum true random number by using a QKD network and subsequent steps are executed, when the authentication is not passed, the authentication of the network equipment to be authenticated is directly determined to be not passed, subsequent operations are not required, and resources are saved.
In order to facilitate understanding of the complete authentication process of the network device to be authenticated, the authentication process will be described with reference to the drawings.
Referring to fig. 3, which is another signaling interaction diagram for implementing device authentication provided in the embodiment of the present application, as shown in fig. 3, the signaling interaction diagram may include:
s301: the device authentication server presets a root key K for the first network node.
S302: and the network equipment to be authenticated sends authentication related information I to the equipment authentication server through the second network node.
In this embodiment, the authentication related information may include identification information of the network device to be authenticated and network location information of the second network node.
S303: the equipment authentication server generates a private key S according to the root key K and the authentication related information I, constructs a public key A according to the private key S, and sends the public key A to the network equipment to be authenticated through the second network node.
It should be noted that, the public key a may also be generated by the first network node according to the root key K and the authentication related information I, and the public key a is constructed according to the private key S and sent to the device authentication server.
S304: and the network equipment to be authenticated sends an authentication request to the first network node through the second network node.
Wherein the authentication request may include network location information of a second network node where the network device to be authenticated is located.
S305: the first network node judges whether the network position information of the second network node in the authentication request is consistent with the network position information of the second network node in the authentication request sent by the last network equipment to be authenticated.
S306: and if the network access heat certificates are consistent, the first network node and the second network node generate a shared quantum true random number R for the network access heat certificates of the network equipment to be authenticated through the QKD network.
In this embodiment, if they do not coincide, the authentication is terminated.
S307: and the second network node sends the shared quantum true random number to the network equipment to be authenticated.
S308: and the network equipment to be authenticated encrypts the shared quantum true random number R by using the public key A to generate a ciphertext C of the shared quantum true random number.
S309: and the network equipment to be authenticated sends the ciphertext C sharing the quantum true random number and the authentication related information I to the first network node through the second network node.
S310: and the first network node generates a private key S according to the root key K and the authentication related information I.
S311: and the first network node decrypts the ciphertext C of the shared quantum true random number by using the private key S to obtain a plaintext R' of the shared quantum true random number.
S312: the first network node compares whether a plaintext R' of the shared quantum true random number is consistent with the shared quantum true random number R, and if so, the network equipment to be authenticated is determined to pass authentication; and if not, determining that the network equipment to be authenticated fails to be authenticated.
Based on the above method embodiment for implementing device authentication, this embodiment provides a specific public key and private key construction method, where the construction method implements construction of a public key and a private key by using a lattice public key cipher based on a Learning error problem (LWE).
The specific construction method and encryption and decryption method are as follows:
1. generating a private key S according to the root key K and the authentication related information I
The root key of the first network node takes the value of
The equipment authentication server performs hash operation on the authentication related information I to obtain a hash value I ═ hash (I), performs modulo p operation on I to obtain I ═ I (mod p), and performs modulo p addition operation on each value in I' and K to obtain a private key S.
Wherein the content of the first and second substances,
n, l are integers, ZpIs not more than p non-negative integer set, l is cleartext length, ←ΘIndicating that a uniform distribution over the collection is satisfied.
2. Constructing a public key A from a private key S
Selection matrix
Selecting
Each value in E follows a separate χ distribution, with the public key:
wherein n, m and l are integers, and χ is Zp(ZpIs not greater than p non-negative integer set), l is the plaintext length, and ←ΘRepresenting a uniform distribution over the set, StIs the transposed matrix of S.
3. Encryption process
In practical application, the public key A is used as an authentication key of network equipment to be authenticated, the first network node and the second network node generate a shared quantum true random number R, and R belongs to {0,1}lThe second network node sends the shared quantum true random number R to the network equipment to be authenticated, and the network equipment to be authenticated encrypts l bits v epsilon {0,1} by using a public key AlFirst select x ←Θ{0,1}mThe output ciphertext is:
wherein the content of the first and second substances,
represents the integer closest to the real number p/2,
when the network equipment to be authenticated encrypts the shared quantum true random number to generate a ciphertext C of the shared quantum true random number, the ciphertext C of the shared quantum true random number and authentication related information I are sent to the first network node.
4. Decryption process
And the first network node generates a private key S according to the authentication related information I and the root key k according to the generation method of the private key S, and then decrypts the ciphertext C of the shared quantum true random number by using a formula (3) to obtain a plaintext R' of the shared quantum true random number.
Judging whether each value in the calculation result vector is close to 0 or not
A value close to 0 is 1, close to
Then the value is 1, wherein
Is an identity matrix.
The embodiment adopts the lattice code as the encryption method, on one hand, the lattice code has the quantum attack resisting property. On the other hand, the construction methods of the public and private keys of the LWE-based lattice code are all linear operations, and compared with the classical public key code, such as the public and private key construction method of RSA, the method has the advantages of small operation amount and higher operation speed.
It should be noted that the method for constructing the public and private keys based on the LWE lattice code in this embodiment is only a specific implementation manner of the method for constructing the public and private keys in the scheme of this application, and the method for constructing the public and private keys applicable to this application is not limited to the method for constructing the public and private keys based on the LWE lattice code in this embodiment, and may also include other methods for constructing the public and private keys in the post-quantum cryptography and methods for constructing the public and private keys in the classical cryptography.
And when the plaintext R' of the shared quantum true random number is obtained through decryption, comparing the shared quantum true random number R with the plaintext R of the shared quantum true random number, and determining the authentication result.
To further explain the implementation procedure of the embodiment of the present application, the operations performed by the network device to be authenticated and the first network node are separately described below with reference to the drawings.
Referring to fig. 4, which is a flowchart of a method for implementing authentication of a network device by a first network node according to an embodiment of the present application, as shown in fig. 4, the method may include:
s401: the first network node and the second network node generate a shared quantum true random number through a Quantum Key Distribution (QKD) network.
And the second network node is a network node connected with the network equipment to be authenticated, and the shared quantum true random number is used for network access authentication of the network equipment to be authenticated.
In particular implementations, a quantum link for quantum key distribution may exist between the first network node and the second network node, such that the shared quantum true random numbers produced are distributed using the quantum link.
In one possible implementation, the first network node is a relay node in a quantum cryptography network.
S402: the first network node receives a cipher text of the shared quantum true random number and authentication related information of the network equipment to be authenticated, which are sent by the network equipment to be authenticated through the second network node.
In this embodiment, the ciphertext c of the shared quantum true random number is generated by encrypting, by the network device to be authenticated, the shared quantum true random number R acquired from the second network node using the public key a. The public key A is obtained by the network equipment to be authenticated from the equipment authentication server, and the equipment authentication server is used for constructing a private key S according to the root key K of the first network node and the authentication related information I of the network equipment to be authenticated and generating the public key A according to the private key S. Or the device authentication server receives a public key a sent by the first network node, where the public key a is generated by the first network node according to a private key S, the private key S is constructed by the first network node according to the root key K and authentication-related information I of the network device to be authenticated, and the authentication-related information I of the network device to be authenticated is acquired by the first network node from the device authentication server.
The authentication related information I comprises identification information of the network equipment to be authenticated and network position information of the second network node.
S403: and the first network node constructs a private key according to the authentication related information and the root key stored by the first network node.
In this embodiment, the first network node receives and stores the updated root key K sent by the device authentication server, so as to construct the private key S according to the received root key K and the authentication related information.
S404: and the first network node decrypts the ciphertext of the shared quantum true random number by using the private key to generate a plaintext of the shared quantum true random number.
S405: and the first network node compares whether the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, if so, the authentication of the network equipment to be authenticated is determined to pass, and if not, the authentication of the network equipment to be authenticated is determined not to pass.
In a possible implementation manner, after determining that the authentication of the network device to be authenticated passes, the first network node records network access information of the network device to be authenticated, where the network access information includes the network location information of the second network node.
In one possible implementation, before the first network node and the second network node generate the shared quantum true random number (R) over the QKD network, the method further comprises: a first network node receives an authentication request sent by network equipment to be authenticated, wherein the authentication request comprises network position information of a second network node; the first network node judges whether the network position information of the second network node is consistent with the network position information of the second network node included in the authentication request sent by the network equipment to be authenticated last time, if so, the first network node and the second network node generate a shared quantum true random number (R) through a QKD network and follow-up steps are executed, and if not, the authentication of the network equipment to be authenticated is determined not to pass.
Through the above description, in the embodiments of the present application, when a network device to be authenticated needs to access a first network node, the network device to be authenticated obtains a public key from a device authentication server, encrypts a shared quantum true random number generated by a quantum key distribution QKD network by using the public key, generates a ciphertext of the shared quantum true random number, then sends the ciphertext and authentication-related information to the first network node, the first network node constructs a decryption key, i.e., a private key, according to a root key stored in the first network node and the authentication-related information, decrypts the ciphertext by using the private key, obtains a plaintext of the shared quantum true random number, and the first network node authenticates the network device to be authenticated by using the first network node by comparing whether the decrypted plaintext of the shared quantum true random number is consistent with the shared quantum true random number or not, the problem that the authentication center is over stressed in key management and authentication communication in an authentication mode based on a symmetric key is solved, and the load of the equipment authentication server is reduced. In addition, the embodiment of the application utilizes a public key encryption mode and a private key decryption mode to carry out authentication, so that the security of the secret key is improved, and malicious attacks are avoided.
Referring to fig. 5, the step performed by the network device to be authenticated in authentication according to the embodiment of the present application may specifically include:
s501: the network equipment to be authenticated acquires the public key from the equipment authentication server.
In this embodiment, the public key a may be generated by the device authentication server according to the private key S, and the private key S is constructed by the device life server according to the root key K of the first network node and the authentication related information I of the network device to be authenticated. Or, the public key a may be generated by the first network node according to the private key S and sent to the device authentication server, where the private key S is constructed by the first network node according to the root key K and the authentication related information I of the network device to be authenticated, and the authentication related information I of the network device to be authenticated is acquired by the first network node from the device authentication server.
The authentication related information I comprises identification information of the network equipment to be authenticated and network position information of the second network node. The root key K stored by the first network node is updated according to the updated root key K sent by the equipment authentication server. The first network node may be a relay node in a quantum cryptography network.
S502: and the network equipment to be authenticated acquires the shared quantum true random number from the second network node, encrypts the shared quantum true random number by using the public key and generates a ciphertext of the shared quantum true random number.
In this embodiment, the second network node is a network node to which the network device to be authenticated is connected; the shared quantum true random number R is generated by the first network node and the second network node through a quantum key distribution QKD network.
In one possible implementation, a quantum link for quantum key distribution exists between the first network node and the second network node, so that the generated shared quantum true random numbers are distributed by using the quantum link.
S503: and the network equipment to be authenticated sends the ciphertext sharing the quantum true random number and the authentication related information to the first network node through the second network node.
In this embodiment, the network device to be authenticated sends the ciphertext C sharing the quantum true random number and the authentication related information I to the first network node through the second network node, so that the first network node constructs a private key S according to the authentication related information and a root key stored by the first network node, decrypts the ciphertext C sharing the quantum true random number by using the private key S, and generates a plaintext R' sharing the quantum true random number; and comparing whether the plaintext R' of the shared quantum true random number is consistent with the shared quantum true random number R, if so, determining that the authentication of the network equipment to be authenticated is passed, and if not, determining that the authentication of the network equipment to be authenticated is not passed.
In a possible implementation manner, if the first network node determines that the authentication of the network device to be authenticated passes, the network access information of the network device to be authenticated is stored in the first network node, and the network access information includes the network location information of the second network node.
In one possible implementation, before the network device to be authenticated acquires the shared quantum true random number (R) from the second network node, the method further comprises: the method comprises the steps that a network device to be authenticated sends an authentication request to a first network node, the authentication request comprises network position information of a second network node, so that the first network node judges whether the network position information of the second network node is consistent with the network position information of the second network node in the authentication request sent by the network device to be authenticated last time, if yes, the first network node and the second network node generate a shared quantum true random number (R) through a QKD network and follow-up steps are executed, and if not, the authentication of the network device to be authenticated is determined not to pass.
Through the above description, in the embodiments of the present application, when a network device to be authenticated needs to access a first network node, the network device to be authenticated obtains a public key from a device authentication server, encrypts a shared quantum true random number generated by a quantum key distribution QKD network by using the public key, generates a ciphertext of the shared quantum true random number, then sends the ciphertext and authentication-related information to the first network node, the first network node constructs a decryption key, i.e., a private key, according to a root key stored in the first network node and the authentication-related information, decrypts the ciphertext by using the private key, obtains a plaintext of the shared quantum true random number, and the first network node authenticates the network device to be authenticated by using the first network node by comparing whether the decrypted plaintext of the shared quantum true random number is consistent with the shared quantum true random number or not, the problem that the authentication center is over stressed in key management and authentication communication in an authentication mode based on a symmetric key is solved, and the load of the equipment authentication server is reduced. In addition, the embodiment of the application utilizes a public key encryption mode and a private key decryption mode to carry out authentication, so that the security of the secret key is improved, and malicious attacks are avoided.
Based on the above method embodiments, the present application provides a system for implementing device authentication, and the system will be described below with reference to the accompanying drawings.
Referring to fig. 6, which is a structural diagram of a system for implementing device authentication according to an embodiment of the present application, as shown in fig. 6, the system includes: a first network node 601, a second network node 602, and a network device to be authenticated 603; the first network node 601 communicates with the network device to be authenticated 603 through the second network node 602.
The first network node 601 is configured to generate a shared quantum true random number through a quantum key distribution QKD network with the second network node 602, where the second network node 602 is a network node connected to the network device to be authenticated 603;
the network device to be authenticated 603 is configured to obtain the shared quantum true random number from the second network node 602, encrypt the shared quantum true random number using a public key, and generate a ciphertext of the shared quantum true random number, where the public key is obtained from a device authentication server, the public key is generated by the device authentication server according to a private key, and the private key is constructed according to a root key of the first network node and authentication-related information of the network device to be authenticated;
the first network node 601 is further configured to receive the authentication related information (I) sent by the device authentication server, construct the private key (S) according to the authentication related information (I) and the root key (K), and generate the public key (a) according to the private key (S);
the network device to be authenticated 603 is further configured to send, through the second network node 602, the ciphertext of the shared quantum true random number and the authentication related information to the first network node 601;
the first network node 601 is further configured to construct the private key according to the authentication related information and a root key stored by the first network node;
the first network node 601 is further configured to decrypt the ciphertext of the shared quantum true random number by using the private key to generate a plaintext of the shared quantum true random number;
the first network node 601 is further configured to compare whether a plaintext of the shared quantum true random number is consistent with the shared quantum true random number, determine that the authentication of the network device to be authenticated passes if the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, and determine that the authentication of the network device to be authenticated does not pass if the plaintext of the shared quantum true random number is inconsistent with the shared quantum true random number.
In one possible implementation manner, the first network node is a relay node in a quantum cryptography network.
In a possible implementation manner, the authentication related information includes identification information of the network device to be authenticated and network location information of the second network node.
In a possible implementation manner, the first network node is further configured to receive an authentication request sent by a network device to be authenticated before the first network node and the second network node generate a shared quantum true random number through a QKD network, where the authentication request includes network location information of the second network node;
the first network node is further configured to determine whether the network location information of the second network node is consistent with the network location information of the second network node included in the authentication request sent last time by the network device to be authenticated, if so, execute the steps of generating a shared quantum true random number by the first network node and the second network node through a QKD network and performing the subsequent steps, and if not, determine that the authentication of the network device to be authenticated does not pass.
In a possible implementation manner, the first network node is further configured to receive and store the updated root key sent by the device authentication server.
In a possible implementation manner, the first network node is further configured to record network access information of the network device to be authenticated after the first network node determines that the network device to be authenticated passes authentication, where the network access information includes network location information of the second network node.
In one possible implementation, a quantum link exists between the first network node and the second network node for quantum key distribution.
It should be noted that, the implementation of each module in this embodiment may refer to the specific implementation described in fig. 1 to fig. 5, and this embodiment is not described herein again.
Based on the above embodiments, the present application further provides an apparatus for implementing device authentication, which will be described below with reference to the accompanying drawings.
Referring to fig. 7, which is a structural diagram of an apparatus for implementing device authentication according to an embodiment of the present application, as shown in fig. 7, the apparatus may include:
a generating unit 701, configured to generate a shared quantum true random number by a first network node and a second network node through a quantum key distribution QKD network, where the second network node is a network node to which a network device to be authenticated is connected;
a first receiving unit 702, configured to receive, by the first network node, a ciphertext of the shared quantum true random number and authentication related information of the network device to be authenticated, where the ciphertext is sent by the network device to be authenticated through the second network node; the cipher text of the shared quantum true random number is generated by encrypting the shared quantum true random number acquired from the second network node by the network equipment to be authenticated by using a public key, the public key is acquired by the network equipment to be authenticated from an equipment authentication server, the equipment authentication server is used for constructing a private key according to a root key of the first network node and authentication related information of the network equipment to be authenticated, and generating the public key according to the private key; or the device authentication server receives a public key sent by the first network node, the public key is generated by the first network node according to a private key, the private key is constructed by the first network node according to the root key and the authentication related information of the network device to be authenticated, and the authentication related information of the network device to be authenticated is acquired by the first network node from the device authentication server.
A constructing unit 703, configured to construct, by the first network node, the private key according to the authentication related information and a root key stored by the first network node;
a decryption unit 704, configured to decrypt, by the first network node, the ciphertext of the shared quantum true random number using the private key, and generate a plaintext of the shared quantum true random number;
a comparing unit 705, configured to compare whether a plaintext of the shared quantum true random number is consistent with the shared quantum true random number, if so, determine that the authentication of the network device to be authenticated passes, and if not, determine that the authentication of the network device to be authenticated does not pass.
In one possible implementation manner, the first network node is a relay node in a quantum cryptography network.
In a possible implementation manner, the authentication related information includes identification information of the network device to be authenticated and network location information of the second network node.
In one possible implementation, the apparatus further includes:
a second receiving unit, configured to receive, by the first network node, an authentication request sent by a network device to be authenticated before the generation unit executes, where the authentication request includes network location information of the second network node;
a determining unit, configured to determine, by the first network node, whether the network location information of the second network node is consistent with the network location information of the second network node included in the authentication request sent by the network device to be authenticated last time, if so, execute the generating unit and the subsequent steps, and if not, determine that the authentication of the network device to be authenticated does not pass.
In one possible implementation, the apparatus further includes:
a third receiving unit, configured to receive and store, by the first network node, the updated root key sent by the device authentication server.
In one possible implementation, the apparatus further includes:
and the recording unit is used for recording the network access information of the network equipment to be authenticated when the comparison result of the comparison unit is that the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, wherein the network access information comprises the network position information of the second network node.
In one possible implementation, a quantum link exists between the first network node and the second network node for quantum key distribution.
It should be noted that specific implementations of each unit in this embodiment may refer to the specific implementations described in fig. 1 to fig. 5, and details of this embodiment are not described herein again.
Referring to fig. 8, which is a structural diagram of another apparatus for implementing device authentication provided in the embodiment of the present application, as shown in fig. 8, the apparatus may include:
a first obtaining unit 801, configured to obtain, by a network device to be authenticated, a public key from a device authentication server, where the public key is generated by the device authentication server according to a private key, and the private key is constructed by the device authentication server according to a root key of a first network node and authentication related information of the network device to be authenticated; or, the public key is generated by the first network node according to the private key and sent to the device authentication server, the private key is constructed by the first network node according to the root key and the authentication related information of the network device to be authenticated, and the authentication related information of the network device to be authenticated is acquired by the first network node from the device authentication server;
a second obtaining unit 802, configured to obtain, by the network device to be authenticated, a shared quantum true random number from a second network node, encrypt, using the public key, the shared quantum true random number, and generate a ciphertext of the shared quantum true random number; the second network node is a network node connected with the network equipment to be authenticated; the shared quantum true random number is generated by the first network node and the second network node through a Quantum Key Distribution (QKD) network;
a first sending unit 803, configured to send, by the network device to be authenticated, the ciphertext of the shared quantum true random number and the authentication related information to the first network node through the second network node, so that the first network node constructs the private key according to the authentication related information and a root key stored in the first network node; decrypting the ciphertext of the shared quantum true random number by using the private key to generate a plaintext of the shared quantum true random number; and comparing whether the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, if so, determining that the authentication of the network equipment to be authenticated is passed, and if not, determining that the authentication of the network equipment to be authenticated is not passed.
In one possible implementation manner, the first network node is a relay node in a quantum cryptography network.
In a possible implementation manner, the authentication related information includes identification information of the network device to be authenticated and network location information of the second network node.
In a possible implementation manner, the second sending unit is configured to send, before the second obtaining unit is executed, an authentication request to the first network node by the network device to be authenticated, where the authentication request includes network location information of the second network node, so that the first network node determines whether the network location information of the second network node is consistent with the network location information of the second network node included in the authentication request sent by the network device to be authenticated last time, if so, execute the step of generating a shared quantum true random number by the first network node and the second network node through a QKD network and the subsequent step, and if not, determine that the authentication of the network device to be authenticated does not pass.
In a possible implementation manner, the root key stored by the first network node itself is updated according to the updated root key sent by the device authentication server.
In a possible implementation manner, if the first network node determines that the authentication of the network device to be authenticated passes, the network access information of the network device to be authenticated is stored in the first network node, and the network access information includes the network location information of the second network node.
In one possible implementation, a quantum link exists between the first network node and the second network node for quantum key distribution.
It should be noted that specific implementations of each unit in this embodiment may refer to the specific implementations described in fig. 1 to fig. 5, and details of this embodiment are not described herein again.
Through the above description, in the embodiments of the present application, when a network device to be authenticated needs to access a first network node, the network device to be authenticated obtains a public key, encrypts a shared quantum true random number generated by the first network node and a second network node through a quantum key distribution QKD network using the public key to generate a ciphertext of the shared quantum true random number, then sends the ciphertext and authentication related information to the first network node, the first network node constructs a decryption key, i.e., a private key, according to a root key stored by itself and the authentication related information, decrypts the ciphertext using the private key to obtain a plaintext of the shared quantum true random number, and the first network node compares whether the decrypted plaintext of the shared quantum true random number is identical to the shared quantum true random number, thereby implementing authentication of the network device to be authenticated by the first network node, the problem that the authentication center is over stressed in key management and authentication communication in an authentication mode based on a symmetric key is solved, and the load of the equipment authentication server is reduced. In addition, the embodiment of the application utilizes a public key encryption mode and a private key decryption mode to carry out authentication, so that the security of the secret key is improved, and malicious attacks are avoided.
It should be noted that, in the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the system or the device disclosed by the embodiment, the description is simple because the system or the device corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description.
It should be understood that in the present application, "at least one" means one or more, "a plurality" means two or more. "and/or" for describing an association relationship of associated objects, indicating that there may be three relationships, e.g., "a and/or B" may indicate: only A, only B and both A and B are present, wherein A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of single item(s) or plural items. For example, at least one (one) of a, b, or c, may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (42)
1. A method of implementing device authentication, the method comprising:
a first network node and a second network node generate a shared quantum true random number through a Quantum Key Distribution (QKD) network, wherein the second network node is a network node connected with a network device to be authenticated;
the network equipment to be authenticated acquires the shared quantum true random number from the second network node, encrypts the shared quantum true random number by using a public key, and generates a ciphertext of the shared quantum true random number, wherein the public key is acquired from an equipment authentication server, the public key is generated by the equipment authentication server according to a private key, and the private key is constructed by the equipment authentication server according to a root key of the first network node and authentication related information of the network equipment to be authenticated; or, the public key is generated by the first network node according to the private key and sent to the device authentication server, the private key is constructed by the first network node according to the root key and the authentication related information of the network device to be authenticated, and the authentication related information of the network device to be authenticated is acquired by the first network node from the device authentication server;
the network equipment to be authenticated sends the ciphertext of the shared quantum true random number and the authentication related information to the first network node through the second network node;
the first network node constructs the private key according to the authentication related information and a root key stored by the first network node;
the first network node decrypts the ciphertext of the shared quantum true random number by using the private key to generate a plaintext of the shared quantum true random number;
and the first network node compares whether the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, if so, the authentication of the network equipment to be authenticated is determined to pass, and if not, the authentication of the network equipment to be authenticated is determined not to pass.
2. The method of claim 1, wherein the first network node is a relay node in a quantum cryptography network.
3. The method according to claim 1, wherein the authentication related information comprises identification information of the network device to be authenticated and network location information of the second network node.
4. The method of claim 1, wherein before the first network node and the second network node generate the shared quantum true random number over the QKD network, the method further comprises:
a first network node receives an authentication request sent by network equipment to be authenticated, wherein the authentication request comprises network position information of a second network node;
the first network node judges whether the network position information of the second network node is consistent with the network position information of the second network node in the authentication request sent by the network equipment to be authenticated last time, if so, the first network node and the second network node generate a shared quantum true random number through a QKD network and follow-up steps are executed, and if not, the authentication of the network equipment to be authenticated is determined not to pass.
5. The method of claim 1, further comprising:
and the first network node receives and stores the updated root key sent by the equipment authentication server.
6. The method of claim 1, further comprising:
after determining that the authentication of the network equipment to be authenticated passes, the first network node records network access information of the network equipment to be authenticated, wherein the network access information comprises network position information of the second network node.
7. The method according to claim 1 or 2, characterized in that a quantum link for quantum key distribution exists between the first network node and the second network node.
8. A method of implementing device authentication, the method comprising:
a first network node and a second network node generate a shared quantum true random number through a Quantum Key Distribution (QKD) network, wherein the second network node is a network node connected with a network device to be authenticated;
the first network node receives the ciphertext of the shared quantum true random number and the authentication related information of the network equipment to be authenticated, which are sent by the network equipment to be authenticated through the second network node; the cipher text of the shared quantum true random number is generated by encrypting the shared quantum true random number acquired from the second network node by the network equipment to be authenticated by using a public key, the public key is acquired by the network equipment to be authenticated from an equipment authentication server, the equipment authentication server is used for constructing a private key according to a root key of the first network node and authentication related information of the network equipment to be authenticated, and generating the public key according to the private key; or, the device authentication server receives the public key sent by the first network node, where the public key is generated by the first network node according to the private key, the private key is constructed by the first network node according to the root key and the authentication related information of the network device to be authenticated, and the authentication related information of the network device to be authenticated is obtained by the first network node from the device authentication server;
the first network node constructs the private key according to the authentication related information and a root key stored by the first network node;
the first network node decrypts the ciphertext of the shared quantum true random number by using the private key to generate a plaintext of the shared quantum true random number;
and the first network node compares whether the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, if so, the authentication of the network equipment to be authenticated is determined to pass, and if not, the authentication of the network equipment to be authenticated is determined not to pass.
9. The method of claim 8, wherein the first network node is a relay node in a quantum cryptography network.
10. The method according to claim 8, wherein the authentication related information comprises identification information of the network device to be authenticated and network location information of the second network node.
11. The method of claim 8, wherein before the first network node and the second network node generate the shared quantum true random number over the QKD network, the method further comprises:
a first network node receives an authentication request sent by network equipment to be authenticated, wherein the authentication request comprises network position information of a second network node;
the first network node judges whether the network position information of the second network node is consistent with the network position information of the second network node in the authentication request sent by the network equipment to be authenticated last time, if so, the first network node and the second network node generate a shared quantum true random number through a QKD network and follow-up steps are executed, and if not, the authentication of the network equipment to be authenticated is determined not to pass.
12. The method of claim 8, further comprising:
and the first network node receives and stores the updated root key sent by the equipment authentication server.
13. The method of claim 8, further comprising:
after determining that the authentication of the network equipment to be authenticated passes, the first network node records network access information of the network equipment to be authenticated, wherein the network access information comprises network position information of the second network node.
14. The method according to claim 8 or 9, characterized in that a quantum link for quantum key distribution exists between the first network node and the second network node.
15. A method of implementing device authentication, the method comprising:
the method comprises the steps that the network equipment to be authenticated acquires a public key from an equipment authentication server, wherein the public key is generated by the equipment authentication server according to a private key, and the private key is constructed by the equipment authentication server according to a root key of a first network node and authentication related information of the network equipment to be authenticated; or, the public key is generated by the first network node according to the private key and sent to the device authentication server, the private key is constructed by the first network node according to the root key and the authentication related information of the network device to be authenticated, and the authentication related information of the network device to be authenticated is acquired by the first network node from the device authentication server;
the network equipment to be authenticated acquires a shared quantum true random number from a second network node, encrypts the shared quantum true random number by using the public key, and generates a ciphertext of the shared quantum true random number; the second network node is a network node connected with the network equipment to be authenticated; the shared quantum true random number is generated by the first network node and the second network node through a Quantum Key Distribution (QKD) network;
the network equipment to be authenticated sends the ciphertext of the shared quantum true random number and the authentication related information to the first network node through the second network node, so that the first network node constructs the private key according to the authentication related information and a root key stored by the first network node; decrypting the ciphertext of the shared quantum true random number by using the private key to generate a plaintext of the shared quantum true random number; and comparing whether the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, if so, determining that the authentication of the network equipment to be authenticated is passed, and if not, determining that the authentication of the network equipment to be authenticated is not passed.
16. The method of claim 15, wherein the first network node is a relay node in a quantum cryptography network.
17. The method according to claim 15, wherein the authentication related information comprises identification information of the network device to be authenticated and network location information of the second network node.
18. The method of claim 15, wherein before the network device to be authenticated obtains the shared quantum true random number from the second network node, the method further comprises:
the network equipment to be authenticated sends an authentication request to the first network node, wherein the authentication request comprises network position information of the second network node, so that the first network node judges whether the network position information of the second network node is consistent with the network position information of the second network node in the authentication request sent by the network equipment to be authenticated last time, if so, the first network node and the second network node generate a shared quantum true random number through a QKD network and follow-up steps, and if not, the authentication of the network equipment to be authenticated is determined not to pass.
19. The method according to claim 15, wherein the root key stored by the first network node itself is updated according to the updated root key sent by the device authentication server.
20. The method according to claim 15, wherein if the first network node determines that the network device to be authenticated is authenticated, the network entry information of the network device to be authenticated is stored in the first network node, and the network entry information includes the network location information of the second network node.
21. The method according to claim 15 or 16, characterized in that a quantum link for quantum key distribution exists between the first network node and the second network node.
22. A system for implementing device authentication, the system comprising: the network authentication system comprises a first network node, a second network node and network equipment to be authenticated; the first network node communicates with the network equipment to be authenticated through the second network node;
the first network node is used for generating a shared quantum true random number with the second network node through a Quantum Key Distribution (QKD) network, and the second network node is a network node connected with the network equipment to be authenticated;
the network device to be authenticated is configured to obtain the shared quantum true random number from the second network node, encrypt the shared quantum true random number using a public key, and generate a ciphertext of the shared quantum true random number, where the public key is obtained from a device authentication server, the public key is generated by the device authentication server according to a private key, and the private key is constructed according to a root key of the first network node and authentication-related information of the network device to be authenticated;
the first network node is further configured to receive the authentication-related information sent by the device authentication server, construct the private key according to the authentication-related information and the root key, and generate the public key according to the private key;
the network device to be authenticated is further configured to send the ciphertext of the shared quantum true random number and the authentication related information to the first network node through the second network node;
the first network node is further configured to construct the private key according to the authentication related information and a root key stored by the first network node;
the first network node is further configured to decrypt the ciphertext of the shared quantum true random number by using the private key to generate a plaintext of the shared quantum true random number;
the first network node is further configured to compare whether a plaintext of the shared quantum true random number is consistent with the shared quantum true random number, determine that the authentication of the network device to be authenticated passes if the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, and determine that the authentication of the network device to be authenticated does not pass if the plaintext of the shared quantum true random number is inconsistent with the shared quantum true random number.
23. The system of claim 22, wherein the first network node is a relay node in a quantum cryptography network.
24. The system according to claim 22, wherein said authentication related information comprises identification information of said network device to be authenticated and network location information of said second network node.
25. The system according to claim 22, wherein the first network node is further configured to receive an authentication request sent by a network device to be authenticated before the first network node and the second network node generate a shared quantum true random number through a QKD network, wherein the authentication request includes network location information of the second network node;
the first network node is further configured to determine whether the network location information of the second network node is consistent with the network location information of the second network node included in the authentication request sent last time by the network device to be authenticated, if so, execute the steps of generating a shared quantum true random number by the first network node and the second network node through a QKD network and performing the subsequent steps, and if not, determine that the authentication of the network device to be authenticated does not pass.
26. The system of claim 22, wherein the first network node is further configured to receive and store the updated root key sent by the device authentication server.
27. The system according to claim 22, wherein the first network node is further configured to record network entry information of the network device to be authenticated after the first network node determines that the network device to be authenticated passes authentication, and the network entry information includes network location information of the second network node.
28. The system according to claim 22 or 23, characterized in that a quantum link for quantum key distribution exists between the first network node and the second network node.
29. An apparatus that enables device authentication, the apparatus comprising:
the generation unit is used for generating a shared quantum true random number by a first network node and a second network node through a Quantum Key Distribution (QKD) network, wherein the second network node is a network node connected with the network equipment to be authenticated;
a first receiving unit, configured to receive, by the first network node, a ciphertext of the shared quantum true random number and authentication related information of the network device to be authenticated, where the ciphertext is sent by the network device to be authenticated through the second network node; the cipher text of the shared quantum true random number is generated by encrypting the shared quantum true random number acquired from the second network node by the network equipment to be authenticated by using a public key, the public key is acquired by the network equipment to be authenticated from an equipment authentication server, the equipment authentication server is used for constructing a private key according to a root key of the first network node and authentication related information of the network equipment to be authenticated, and generating the public key according to the private key; or, the device authentication server receives the public key sent by the first network node, where the public key is generated by the first network node according to the private key, the private key is constructed by the first network node according to the root key and the authentication related information of the network device to be authenticated, and the authentication related information of the network device to be authenticated is obtained by the first network node from the device authentication server;
the construction unit is used for constructing the private key by the first network node according to the authentication related information and a root key stored by the first network node;
the decryption unit is used for decrypting the ciphertext of the shared quantum true random number by the first network node by using the private key to generate a plaintext of the shared quantum true random number;
and the comparison unit is used for comparing whether the plaintext of the shared quantum true random number is consistent with the shared quantum true random number or not by the first network node, if so, determining that the authentication of the network equipment to be authenticated is passed, and if not, determining that the authentication of the network equipment to be authenticated is not passed.
30. The apparatus of claim 29, wherein the first network node is a relay node in a quantum cryptography network.
31. The apparatus according to claim 29, wherein the authentication related information comprises identification information of the network device to be authenticated and network location information of the second network node.
32. The apparatus of claim 29, further comprising:
a second receiving unit, configured to receive, by the first network node, an authentication request sent by a network device to be authenticated before the generation unit executes, where the authentication request includes network location information of the second network node;
a determining unit, configured to determine, by the first network node, whether the network location information of the second network node is consistent with the network location information of the second network node included in the authentication request sent by the network device to be authenticated last time, if so, execute the generating unit and the subsequent steps, and if not, determine that the authentication of the network device to be authenticated does not pass.
33. The apparatus of claim 29, further comprising:
a third receiving unit, configured to receive and store, by the first network node, the updated root key sent by the device authentication server.
34. The apparatus of claim 29, further comprising:
and the recording unit is used for recording the network access information of the network equipment to be authenticated when the comparison result of the comparison unit is that the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, wherein the network access information comprises the network position information of the second network node.
35. The apparatus of claim 29 or 30, wherein a quantum link exists between the first network node and the second network node for quantum key distribution.
36. An apparatus that enables device authentication, the apparatus comprising:
the network equipment to be authenticated acquires a public key from an equipment authentication server, wherein the public key is generated by the equipment authentication server according to a private key, and the private key is constructed by the equipment authentication server according to a root key of a first network node and authentication related information of the network equipment to be authenticated; or, the public key is generated by the first network node according to the private key and sent to the device authentication server, the private key is constructed by the first network node according to the root key and the authentication related information of the network device to be authenticated, and the authentication related information of the network device to be authenticated is acquired by the first network node from the device authentication server;
a second obtaining unit, configured to obtain, by the network device to be authenticated, a shared quantum true random number from a second network node, encrypt the shared quantum true random number using the public key, and generate a ciphertext of the shared quantum true random number; the second network node is a network node connected with the network equipment to be authenticated; the shared quantum true random number is generated by the first network node and the second network node through a Quantum Key Distribution (QKD) network;
the first sending unit is used for sending the ciphertext of the shared quantum true random number and the authentication related information to the first network node through the second network node by the network device to be authenticated so that the first network node constructs the private key according to the authentication related information and a root key stored by the first network node; decrypting the ciphertext of the shared quantum true random number by using the private key to generate a plaintext of the shared quantum true random number; and comparing whether the plaintext of the shared quantum true random number is consistent with the shared quantum true random number, if so, determining that the authentication of the network equipment to be authenticated is passed, and if not, determining that the authentication of the network equipment to be authenticated is not passed.
37. The apparatus of claim 36, wherein the first network node is a relay node in a quantum cryptography network.
38. The apparatus according to claim 36, wherein the authentication related information comprises identification information of the network device to be authenticated and network location information of the second network node.
39. The apparatus of claim 36, further comprising:
a second sending unit, configured to send, before the second obtaining unit is executed, an authentication request to the first network node by the network device to be authenticated, where the authentication request includes network location information of the second network node, so that the first network node determines whether the network location information of the second network node is consistent with the network location information of the second network node included in the authentication request sent by the network device to be authenticated last time, if so, execute the steps of generating a shared quantum true random number through a QKD network by the first network node and the second network node, and if not, determine that the authentication of the network device to be authenticated does not pass.
40. The apparatus according to claim 36, wherein the root key stored by the first network node itself is updated according to the updated root key sent by the device authentication server.
41. The apparatus according to claim 36, wherein if the first network node determines that the network device to be authenticated is authenticated, the network entry information of the network device to be authenticated is stored in the first network node, and the network entry information includes the network location information of the second network node.
42. The apparatus of claim 36 or 37, wherein a quantum link exists between the first network node and the second network node for quantum key distribution.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910662994.6A CN112291179B (en) | 2019-07-22 | 2019-07-22 | Method, system and device for realizing equipment authentication |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910662994.6A CN112291179B (en) | 2019-07-22 | 2019-07-22 | Method, system and device for realizing equipment authentication |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112291179A CN112291179A (en) | 2021-01-29 |
| CN112291179B true CN112291179B (en) | 2022-04-12 |
Family
ID=74418696
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910662994.6A Active CN112291179B (en) | 2019-07-22 | 2019-07-22 | Method, system and device for realizing equipment authentication |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112291179B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20230051689A1 (en) * | 2021-08-11 | 2023-02-16 | Texas Instruments Incorporated | Wireless battery management system setup |
| CN114239010B (en) * | 2021-12-07 | 2024-06-14 | 北京天融信网络安全技术有限公司 | Multi-node distributed authentication method, system, electronic equipment and medium |
| CN114301593B (en) * | 2021-12-30 | 2023-08-22 | 济南量子技术研究院 | EAP authentication system and method based on quantum key |
| CN114726521A (en) * | 2022-04-14 | 2022-07-08 | 广东好太太智能家居有限公司 | Intelligent lock temporary password generation method and electronic equipment |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2001074004A1 (en) * | 2000-03-29 | 2001-10-04 | Non-Elephant Encryption Systems [Barbados] Inc. | Keyless encryption system and method |
| WO2017167771A1 (en) * | 2016-03-29 | 2017-10-05 | Koninklijke Philips N.V. | Handshake protocols for identity-based key material and certificates |
| WO2018071195A1 (en) * | 2016-10-14 | 2018-04-19 | Alibaba Group Holding Limited | Method and system for quantum key distribution based on trusted computing |
| CN108134671A (en) * | 2018-02-07 | 2018-06-08 | 浙江神州量子通信技术有限公司 | A kind of transparent encryption system and its encipher-decipher method based on quantum true random number |
| CN109639407A (en) * | 2018-12-28 | 2019-04-16 | 浙江神州量子通信技术有限公司 | A method of information is encrypted and decrypted based on quantum network |
| CN109687978A (en) * | 2019-01-15 | 2019-04-26 | 如般量子科技有限公司 | Anti- quantum calculation Proxy Digital Signature method and system based on private key pond and Elgamal |
-
2019
- 2019-07-22 CN CN201910662994.6A patent/CN112291179B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2001074004A1 (en) * | 2000-03-29 | 2001-10-04 | Non-Elephant Encryption Systems [Barbados] Inc. | Keyless encryption system and method |
| WO2017167771A1 (en) * | 2016-03-29 | 2017-10-05 | Koninklijke Philips N.V. | Handshake protocols for identity-based key material and certificates |
| WO2018071195A1 (en) * | 2016-10-14 | 2018-04-19 | Alibaba Group Holding Limited | Method and system for quantum key distribution based on trusted computing |
| CN108134671A (en) * | 2018-02-07 | 2018-06-08 | 浙江神州量子通信技术有限公司 | A kind of transparent encryption system and its encipher-decipher method based on quantum true random number |
| CN109639407A (en) * | 2018-12-28 | 2019-04-16 | 浙江神州量子通信技术有限公司 | A method of information is encrypted and decrypted based on quantum network |
| CN109687978A (en) * | 2019-01-15 | 2019-04-26 | 如般量子科技有限公司 | Anti- quantum calculation Proxy Digital Signature method and system based on private key pond and Elgamal |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112291179A (en) | 2021-01-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10785019B2 (en) | Data transmission method and apparatus | |
| CN112291179B (en) | Method, system and device for realizing equipment authentication | |
| US20170244687A1 (en) | Techniques for confidential delivery of random data over a network | |
| US11870891B2 (en) | Certificateless public key encryption using pairings | |
| CN108347404B (en) | Identity authentication method and device | |
| CN101212293A (en) | Identity authentication method and system | |
| CN113630248B (en) | Session key negotiation method | |
| CN110505053B (en) | Quantum key filling method, device and system | |
| EP4283922A2 (en) | Computer-implemented system and method for highly secure, high speed encryption and transmission of data | |
| CN112202544A (en) | Smart power grid data security aggregation method based on Paillier homomorphic encryption algorithm | |
| Niu et al. | A novel user authentication scheme with anonymity for wireless communications | |
| Junejo et al. | A Lightweight Attribute‐Based Security Scheme for Fog‐Enabled Cyber Physical Systems | |
| WO2022135391A1 (en) | Identity authentication method and apparatus, and storage medium, program and program product | |
| WO2018076798A1 (en) | Method and apparatus for transmitting data | |
| CN114499837A (en) | Method, device, system and equipment for preventing leakage of message | |
| NL1043779B1 (en) | Method for electronic signing and authenticaton strongly linked to the authenticator factors possession and knowledge | |
| US20220045848A1 (en) | Password security hardware module | |
| Hwang et al. | A new efficient authentication protocol for mobile networks | |
| TW202334848A (en) | Secure key generation | |
| WO2022135383A1 (en) | Identity authentication method and apparatus | |
| JP2019057827A (en) | Distributed authentication system and program | |
| CN110048920B (en) | Anti-quantum-computation intelligent home near-distance energy-saving communication method and system based on key fob | |
| CN110061895B (en) | Close-range energy-saving communication method and system for quantum computing resisting application system based on key fob | |
| WO2022135385A1 (en) | Identity authentication method and apparatus | |
| WO2022135418A1 (en) | Identity authentication method and apparatus |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |