CN112367161A - Relay node function virtualization method and device - Google Patents

Relay node function virtualization method and device

Info

Publication number
CN112367161A
Authority
CN
China
Prior art keywords
node
virtual
relay node
state
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201910820366.6A
Other languages
Chinese (zh)
Inventor
陈晖�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Liang'an Blockchain Technology Co ltd
Original Assignee
Chengdu Liang'an Blockchain Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Liang'an Blockchain Technology Co ltd
Priority to CN201910820366.6A
Publication of CN112367161A
Legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L 9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L 9/0852 Quantum cryptography
    • H04L 9/0855 Quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes
    • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 ... involving digital signatures
    • H04L 9/3263 ... involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04B TRANSMISSION
    • H04B 10/00 Transmission systems employing electromagnetic waves other than radio-waves, e.g. infrared, visible or ultraviolet light, or employing corpuscular radiation, e.g. quantum communication
    • H04B 10/29 Repeaters
    • H04B 10/70 Photonic quantum communication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Optics & Photonics (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a relay node function virtualization method comprising the following steps: the relay node negotiates a shared key group with each of n adjacent nodes, calculates the XOR value of every pair of shared key groups and creates an identifier for each (the XOR value together with its identifier is called a virtual node routing state), encapsulates the C(n,2) virtual node routing states into a virtual relay node state, and stores and/or outputs some or all of the C(n,2) virtual node routing states or the virtual relay node state. The invention also provides a relay node function virtualization device comprising a transceiver, a data processing unit and a node virtualization unit. The invention solves the routing concurrency conflict problem of relay nodes in the target network and the security management problem of relay nodes, and has good application and popularization prospects.

Description

Relay node function virtualization method and device
Technical Field
The invention relates to the technical field of relay nodes of quantum networks and application, in particular to a relay node function virtualization method and device.
Background
Because no practical quantum communication relay technology exists in which the key does not land at the relay, quantum trusted relay technology is typically employed in Quantum Key Distribution (QKD) networks. However, in the disclosed quantum trusted relay schemes, the trusted relay suffers from bottlenecks such as concurrency conflicts on relay links and large delay, and because the relayed quantum key lands at each quantum relay node, security rests on the security and trustworthiness of every quantum relay node that takes part in the trusted relay. That is, on the one hand the quantum relay node suffers from concurrency conflicts and large delay on the quantum relay link, and on the other hand the quantum relay node is difficult to manage securely. Virtualizing or electronizing the function of the quantum relay node is an effective and innovative way to solve these problems.
Disclosure of Invention
In view of the technical defects of quantum trusted relays and quantum relay nodes described in the background, the invention provides a relay node function virtualization method and device. The relay node function virtualization method comprises the following steps: a target relay node in a target network negotiates a shared key group with each of n adjacent target nodes (where n is a natural number greater than 1 and not greater than the number of nodes adjacent to the relay node); the target relay node calculates the XOR value of every pair of the n shared key groups and creates a corresponding identifier (for convenience, the XOR value is hereinafter called the virtual node routing state data, the identifier the virtual node routing state identifier, and the XOR value together with its identifier a virtual node routing state); the target relay node stores, outputs, or stores and outputs some or all of the C(n,2) virtual node routing states (where C(n,2) is the number of ways to choose 2 items from n, and likewise below); or/and it creates a node identifier for the C(n,2) virtual node routing states and stores, outputs, or stores and outputs the C(n,2) virtual node routing states together with that node identifier (for convenience, the node identifier is hereinafter called the virtual relay node state identifier, and the C(n,2) virtual node routing states together with their node identifier the virtual relay node state). The target network is any one of: a quantum key distribution network, a quantum communication network, a quantum sensing network, or a quantum security internet.
Optionally, the method further includes: after the creation of the C(n,2) virtual node routing states is complete, the corresponding n shared key groups are destroyed; or, as soon as all the virtual node routing state data in whose calculation a given shared key group participates have been created, that shared key group is destroyed.
Optionally, the method further comprises either or both of the following: (1) before creating a virtual node routing state, obtaining a global identifier, where the current global identifier is determined either from a virtualization instruction or from the previous global identifier; (2) before creating the virtual node routing state, the target relay node and the adjacent target node confirm the negotiated shared key group and the global identifier of the virtual node routing state to be created, and each of them uses the negotiated shared key group to create the virtual node routing state with that same global identifier.
Optionally, the method further includes: creating a virtual relay node, where the virtual relay node manages the storage and output of the virtual node routing state or/and the virtual relay node state, and, according to an instruction from the server, sends the virtual node routing state or the virtual relay node state to the server or to a target receiver indicated by the server's instruction.
Optionally, the method further includes: packaging the C(n,2) virtual node routing states and the corresponding node identifier into a data file.
Optionally, the method further includes: the target relay node performs identity authentication with the adjacent target node or/and the server, wherein the identity authentication comprises: CA certificate based authentication or initial root key based authentication.
Optionally, the method further includes: the target relay node reports topology information of the target relay node to a network controller or a target receiver, wherein the topology information comprises: identification of the target relay node, link status between the target relay node and each neighboring target node.
Optionally, the method further includes: the target relay node receives a virtualization instruction issued by a network controller or a target receiver, the virtualization instruction indicating any one or more of the following: the global identifier, the data format of the shared key group, the data structure of the virtual node routing state, the data structure of the virtual relay node state, the identifier of the target receiver, and the data transmission mode. Alternatively, any one or more of the same items are determined according to a given system policy.
The invention also provides a relay node function virtualization device, which comprises: the transceiver is used for reporting the topology information of the quantum relay node to a network controller or a server and receiving a virtualization instruction sent by the network controller or the server; the data processing unit is used for negotiating a shared key group with an adjacent target node and creating a virtual node routing state, and optionally, is also used for creating a virtual relay node state or/and creating a virtual relay node; and the node virtualization unit is used for creating a virtual relay node state or/and a virtual relay node, and storing and outputting management of a virtual node routing state and/or a virtual relay node state.
Optionally, the apparatus further comprises: the QKD module is used for negotiating a shared quantum key with an adjacent quantum node and inputting the shared quantum key into the data processing unit; the QKD module includes: one or more QKD receivers or/and transmitters capable of quantum key distribution with a respective QKD transmitter or/and receiver of a neighboring node; wherein the QKD receiver or/and transmitter includes any one or more of the following options: a discrete variable QKD receiver or/and a discrete variable transmitter, a continuous variable QKD receiver or/and a continuous variable QKD transmitter, a discrete variable QKD receiver or/and a continuous variable transmitter, a continuous variable QKD receiver or/and a discrete variable QKD transmitter.
Optionally, the apparatus further comprises any one or more of the following units:
the storage unit is used for storing the routing state of the virtual node and/or the state of the virtual relay node;
the identity authentication module is used for authenticating the relay node virtualization application device when it accesses the quantum network and for identity authentication between the relay node virtualization application device and an adjacent target node or/and a server, where the authentication comprises CA certificate based authentication or initial root key based authentication;
the password management module is used for encrypting and decrypting data, producing digital signatures and calculating integrity check values;
the access control module is used for identifying received control commands and service request commands, responding to legal commands and rejecting illegal commands, where the identification method comprises: verifying the digital signature of the received instruction; if the signature verifies, the instruction is judged legal, otherwise it is judged illegal;
the illegal start-up protection module is used for automatically destroying all cached data if the system is started illegally or the chassis is opened illegally;
the private key protection module is used for protecting the initial root key or/and the private key used for digital signatures from being illegally accessed or exported;
and the relay node virtual mapping module is used for application management of the virtual node routing state and the virtual relay node state, and, according to an instruction from the network controller or server, for sending the virtual node routing state or the virtual relay node state to the server or to a receiver indicated by the server's instruction.
Optionally, the apparatus further includes a logic isolation module, which divides the relay node virtualization application apparatus into a security domain unit and a public domain unit; the security domain unit comprises the data processing unit and optionally also a QKD module or/and a password management module; the public domain unit comprises the transceiver and the node virtualization unit.
Compared with the conventional relay node device for quantum trusted relay and its application method, the relay node device of the invention is notably innovative and practical: the relay node function is virtualized or electronized, the relay service is separated from the relay link, and the problems of large-scale relay route concurrency conflict and relay delay in a target network are solved; the relay node in the invention does not store the key, which reduces the security management risk of the node and gives the invention good application and popularization prospects.
Drawings
Fig. 1 is a schematic diagram of a relay node function virtualization method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a method for negotiating a shared key group according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of another method for negotiating a shared key group according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a shared key group identifier according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of another shared key group identifier according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of a virtual node routing state identifier according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of a virtual relay node state identifier according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of a relay node application according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of a virtual relay node state according to an embodiment of the present invention;
Fig. 10 is a schematic diagram of a relay node function virtualization apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention and some terms and meanings thereof will be described below.
(1) Target networks to which embodiments of the present invention are applicable include, but are not limited to, any of the following networks: quantum key distribution network, quantum communication network, quantum sensing network, quantum security internet, other networks which adopt a point-to-point single-hop landing forwarding mode for relay transmission; accordingly, the relay node and the adjacent target node in the embodiments of the present invention include, but are not limited to, any one or more of the following nodes: quantum relay nodes, quantum service nodes (or quantum access nodes), virtual quantum relay nodes, virtual quantum service nodes. The relay node in the embodiment of the present invention is suitable for, but not limited to, a relay node that accesses a target network through an optical fiber interface and a wireless interface (or a free space interface).
(2) The relay node function virtualization application in the embodiment of the invention is electronization or instantiation of the relay node function, and data after electronization or instantiation can be used by being separated from a physical network to which the relay node function belongs.
(3) The relay node of the embodiment of the invention is a node used as a relay in a target network, or a node which has at least two adjacent nodes on one or more relay links and is used as a relay, wherein the relay node does not store a key which is negotiated between the relay node and the adjacent nodes and is used for function virtualization of the relay node; a serving node (or access node) refers to other nodes in the target network that are not used for relaying or are not used directly for relaying (in some possible designs, the serving node may be used for relaying through a virtual node).
(4) The communication channels involved in the quantum-network embodiments of the invention include quantum channels and conventional communication network channels. Only quantum key distribution between adjacent quantum nodes (two nodes capable of normal point-to-point QKD or quantum communication) occupies the quantum channel or link; every other communication process uses conventional communication network channels, which include but are not limited to wired channels and wireless, mobile or satellite channels.
(5) The terms "virtual node routing status", "virtual relay node status", and the like used in the embodiments of the present invention are only used for marking corresponding data or files, and are not used for limiting the corresponding data or files, and all schemes that are merely replacing names and have no substantial difference belong to the protection scope of the present invention.
(6) The shared key group in the embodiment of the invention is shared data of a certain data length. Because different application systems have different requirements on the length of the shared key and point-to-point QKD links differ in rate, the invention does not restrict the data length of the shared key group; obviously the data length is counted in one consistent data unit (e.g., bit or byte). In practice, the data length of the shared key group (e.g., 2048 bits, 100 kbytes, 10 mbytes, 1 gbyte, or any other length that meets the system's requirements) may be determined according to the rate of the QKD system actually used, the specific requirements of the application system, or future industry standards. It should be clear that within one embodiment the shared key group has the same data format (including but not limited to data type, data length, and data read/write order) for every virtualization process.
(7) The global identifier in the embodiment of the invention is an identifier kept consistent by all nodes in the target network: before the virtual node routing state is created, the target relay node and the adjacent target node confirm the negotiated shared key group and the global identifier of the virtual node routing state to be created; the target relay node and the adjacent target relay node each use the negotiated shared key group to create the virtual node routing state or/and the virtual relay node state with that same global identifier, and the group identifier of the corresponding shared key group stored by the adjacent target service node is consistent with the global identifier. The global identifier may be used to distinguish different target networks and different embodiments within a target network; it may be a global number unified across the whole network, or an identifier combining the target network identifier with the global number.
In order to make the technical solutions and advantages of the present invention clearer, the present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a method for virtualizing a relay node function according to an embodiment of the present invention, which includes the following steps:
S101: the quantum relay node obtains the current global number, which is determined either from a virtualization instruction of the server (the virtualization instruction indicates any one or more of: a global identifier (including the global number), the data format of the shared key group, the data structure of the virtual node routing state, the data structure of the virtual relay node state, the identifier of the target receiver, and the data transmission mode) or from the previous global number;
S102: negotiate a shared quantum key group with each of n adjacent target nodes (note that an adjacent target node is an adjacent node that can perform quantum key distribution normally with the target quantum relay node; if the quantum key distribution link between the quantum relay node and some adjacent quantum node is abnormal or broken, that adjacent quantum node is not treated as an adjacent target quantum node, and likewise below);
S103: calculate the XOR value of every pair of the n shared quantum key groups and create an identifier for each, thereby creating C(n,2) virtual node routing states (where C(n,2) is the number of ways to choose 2 items from n, and likewise below), and destroy the n shared quantum key groups; that is, the relay node forms the C(n,2) distinct pairs of shared quantum key groups, then calculates the XOR value of the two groups in each pair and creates a corresponding identifier (for convenience, the XOR value is hereinafter called the virtual node routing state data, the identifier the virtual node routing state identifier, and the XOR value together with its identifier a virtual node routing state);
S104: store, output, or store and output some or all of the C(n,2) virtual node routing states, or/and store, output, or store and output the virtual relay node state (i.e., the C(n,2) virtual node routing states together with their node identifier).
Further, in a possible design, the node identifier and the corresponding C(n,2) virtual node routing states are packaged into a data file, which includes but is not limited to a data list file or a database file, so that the required routing state of one or more virtual nodes can be obtained quickly by accessing the data file.
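Steps S101 to S104 above, as an added worked example that is not part of the patent: a relay node negotiates one shared key group per adjacent node (random bytes from os.urandom stand in for QKD output), forms the C(n,2) pairwise XOR values with identifiers, destroys the n groups so it holds no key material afterwards, and an endpoint that holds one of the two groups recovers its peer's key from the published routing state. Node names, the identifier layout and the group length are assumptions.

```python
import itertools
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class SharedKeyGroup:
    """One shared key group negotiated between a relay and a neighbour (S102)."""
    peer_id: str    # the other party on the link
    group_id: str   # group identifier; tying it to the global number is an assumption
    data: bytes


@dataclass(frozen=True)
class VirtualNodeRoutingState:
    """XOR of two shared key groups plus its identifier (S103)."""
    identifier: str
    data: bytes


@dataclass(frozen=True)
class VirtualRelayNodeState:
    """The C(n,2) routing states plus the node identifier (S104)."""
    node_identifier: str
    routing_states: tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # Both groups must use the same data format; a length mismatch is a protocol error.
    if len(a) != len(b):
        raise ValueError("shared key groups must have identical length")
    return bytes(x ^ y for x, y in zip(a, b))


class RelayNode:
    def __init__(self, node_id: str, group_len: int):
        self.node_id = node_id
        self.group_len = group_len
        # Shared key groups live here only between S102 and the end of S103.
        self._key_groups: dict = {}

    def negotiate_shared_key_group(self, neighbor_id: str, global_no: int) -> SharedKeyGroup:
        # Stand-in for a QKD session: the bytes are constructed with os.urandom so the
        # example runs offline (assumption); a real node takes them from its QKD module.
        data = os.urandom(self.group_len)
        group_id = f"{global_no}:{self.node_id}-{neighbor_id}"
        self._key_groups[neighbor_id] = SharedKeyGroup(neighbor_id, group_id, data)
        # The neighbour keeps an identical copy, labelled with the relay as its peer.
        return SharedKeyGroup(self.node_id, group_id, data)

    def stored_key_count(self) -> int:
        return len(self._key_groups)

    def virtualize(self, global_no: int) -> VirtualRelayNodeState:
        n = len(self._key_groups)
        if n < 2:
            raise RuntimeError("need at least two adjacent target nodes")
        states = []
        # C(n,2) pairs in a fixed order, so every node derives the same identifiers.
        for a, b in itertools.combinations(sorted(self._key_groups), 2):
            ga, gb = self._key_groups[a], self._key_groups[b]
            ident = f"{global_no}:{self.node_id}:{a}-{b}"
            states.append(VirtualNodeRoutingState(ident, xor_bytes(ga.data, gb.data)))
        # Destroy the n shared key groups: the relay no longer holds any key material.
        self._key_groups.clear()
        return VirtualRelayNodeState(f"{global_no}:{self.node_id}", tuple(states))


def recover_peer_key(own_group: SharedKeyGroup, state: VirtualNodeRoutingState) -> bytes:
    """Endpoint side: own key XOR (own key XOR peer key) == peer key."""
    return xor_bytes(own_group.data, state.data)


def demo():
    relay = RelayNode("R1", group_len=32)
    # n = 3 adjacent target nodes gives C(3,2) = 3 virtual node routing states.
    groups = {nid: relay.negotiate_shared_key_group(nid, global_no=7) for nid in ("A", "B", "C")}
    vrn = relay.virtualize(global_no=7)
    state_ab = next(s for s in vrn.routing_states if s.identifier.endswith(":A-B"))
    return relay, groups, vrn, state_ab


if __name__ == "__main__":
    relay, groups, vrn, state_ab = demo()
    print(len(vrn.routing_states), relay.stored_key_count())
    print(recover_peer_key(groups["A"], state_ab) == groups["B"].data)
```

The routing state alone is a one-time-pad of one group under the other, so a reader of the relay's output who holds neither group learns neither key; the relay itself keeps nothing once S103 completes.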
In the above embodiment, step S102 may negotiate a shared quantum key group by a real-time sharing method or by a pre-caching method. The real-time sharing method comprises: the relay node negotiates a certain amount of shared quantum keys with an adjacent target node, takes that amount of shared quantum keys as a shared quantum key group and creates a group identifier; alternatively, the method for negotiating a shared quantum key group shown in fig. 2 comprises:
s201: a target node (namely a relay node) negotiates a certain amount of shared quantum keys with adjacent target nodes;
s202: the target node and the adjacent target node respectively divide the shared quantum key into one or more groups by adopting the same data format, and carry out randomness test on each group by adopting the same randomness test method;
s203: taking a group passing the randomness test as a shared quantum key group and creating a group identifier;
The pre-caching method (another method for negotiating a shared quantum key group, shown in fig. 3) comprises:
s301: a target node (namely a relay node) negotiates a certain amount of shared quantum keys with adjacent target nodes;
s302: respectively dividing the shared quantum key into one or more groups by adopting the same data format, performing randomness test on each group by adopting the same randomness test method, caching each group which passes the randomness test and respectively creating a group identifier;
S303: negotiate with the adjacent target node so that each side selects, from its cached groups, the one group with the same group number as the shared quantum key group.
Negotiating a certain amount of shared quantum keys includes, but is not limited to: negotiating quantum keys with several adjacent target nodes in turn, negotiating quantum keys with several adjacent target nodes simultaneously, or negotiating quantum keys with the corresponding adjacent target node according to a virtualization instruction; the negotiated quantum key may occupy the entire bandwidth of the quantum key distribution channel, or only part of it.
In a possible design, negotiating a shared quantum key group may further include a consistency check: the relay node and the adjacent target node each compute a data digest or hash value of the shared quantum key group; if the two digests or hash values differ, the consistency check fails and the group is renegotiated; otherwise the consistency check passes and a shared quantum key group has been negotiated successfully.
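The real-time sharing method (S201 to S203) together with the consistency check just described, as an added example that is not part of the patent: both sides split the negotiated key with the same data format, test each group for randomness with the same test, and accept a group only when its digests agree on both sides. The group length, the monobit test (the patent names no particular randomness test) and SHA-256 as the digest are assumptions, and the key material is constructed, not QKD output.

```python
import hashlib
import hmac
import math

# The patent leaves the group length to the system; 256 bytes (2048 bits) is assumed here.
GROUP_LEN = 256


def split_into_groups(key_material: bytes, group_len: int = GROUP_LEN) -> list:
    """S202/S302: both sides cut the negotiated key into groups of one agreed data
    format (here: fixed length, read in order); a short trailing remainder is dropped."""
    full = len(key_material) // group_len
    return [key_material[i * group_len:(i + 1) * group_len] for i in range(full)]


def monobit_test(group: bytes, z_max: float = 3.0) -> bool:
    """Frequency (monobit) test: the number of one-bits should be close to n/2.
    Chosen here as an assumption; it only catches gross bias, so a production node
    would run a full statistical suite in its place."""
    n = len(group) * 8
    ones = sum(bin(b).count("1") for b in group)
    z = abs(2 * ones - n) / math.sqrt(n)
    return z <= z_max


def group_digest(group: bytes) -> str:
    """Data digest exchanged over the conventional channel for the consistency check.
    Only the digest crosses the network; the key material itself never does."""
    return hashlib.sha256(group).hexdigest()


def consistency_check(local_group: bytes, remote_digest: str) -> bool:
    # Constant-time comparison so the check cannot leak through timing.
    return hmac.compare_digest(group_digest(local_group), remote_digest)


def negotiate_shared_key_group(local_material: bytes, remote_material: bytes,
                               group_len: int = GROUP_LEN, global_no: int = 1):
    """Real-time sharing method (S201-S203) plus the consistency check.
    Both parties' raw key material is passed in only to simulate the two sides;
    each side evaluates its own copy and learns only the other side's digest.
    Returns (group_identifier, group) or None when no group is usable."""
    local_groups = split_into_groups(local_material, group_len)
    remote_groups = split_into_groups(remote_material, group_len)
    for idx, (lg, rg) in enumerate(zip(local_groups, remote_groups)):
        # S203: only a group that passes the randomness test on both sides is a candidate.
        if not (monobit_test(lg) and monobit_test(rg)):
            continue
        # Consistency check: differing digests mean the copies diverged; renegotiate
        # (here: move on to the next group).
        if not consistency_check(lg, group_digest(rg)):
            continue
        return f"{global_no}:{idx}", lg
    return None


def demo():
    """Constructed key material (not real QKD output) with three groups: group 0 has
    one bit flipped on the remote side, group 1 is all zeros, group 2 is identical
    on both sides and balanced."""
    g0 = bytes([0x5A]) * GROUP_LEN    # 01011010: exactly half the bits set
    g1 = bytes(GROUP_LEN)             # all zeros: fails the monobit test
    g2 = bytes([0xC3]) * GROUP_LEN    # 11000011: balanced, identical on both sides
    local = g0 + g1 + g2
    remote_g0 = bytearray(g0)
    remote_g0[0] ^= 0x01              # one-bit mismatch on the remote copy of group 0
    remote = bytes(remote_g0) + g1 + g2
    return negotiate_shared_key_group(local, remote, global_no=1)


if __name__ == "__main__":
    print(demo())
```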
On the basis of the method shown in fig. 1, by adding any one or more of the following steps, a new embodiment is obtained:
(A1) before the virtual node routing state is established, the target relay node and the adjacent target node confirm the negotiated shared quantum key group and the global identifier of the virtual node routing state used for establishment, and the target relay node and the adjacent target relay node respectively use the negotiated shared quantum key group for establishing the virtual node routing state with the same global identifier;
(A2) creating a virtual relay node, wherein the virtual relay node is used for storage and output management of a virtual node routing state or/and a virtual relay node state, and sending the virtual node routing state or the virtual relay node state with a specific number to a server or a target receiving party indicated by the server instruction according to the instruction of the server;
(A3) performing identity authentication, namely performing identity authentication with a neighboring target node or/and a server, wherein the identity authentication comprises: CA certificate-based authentication or initial root key-based authentication;
(A4) the target relay node reports topology information of the relay node to a network controller or a server, where the topology information includes but is not limited to: the identification of the target relay node, and the link state between the target relay node and each adjacent target node;
(A5) the target relay node receives a virtualization instruction issued by a network controller or a server, wherein the virtualization instruction is used for indicating any one or more of the following contents: global identification, data format of the shared quantum key grouping, data structure of the virtual node routing state, data structure of the virtual relay node state, identification of the target receiver and data transmission mode. In another possible design, the target relay node may also determine any one or more of the following according to an established system policy: global identification, data format of the shared quantum key grouping, data structure of the virtual node routing state, data structure of the virtual relay node state, identification of the target receiver and data transmission mode. The global identifier may be used to distinguish different target networks and different embodiments within a target network, and may adopt a global number unified over the whole network, or an identifier combining the target network identifier and the global number; the data structure of the virtual node routing state comprises the content of the virtual node routing state identifier and the ordering relation adopted in one embodiment; the identification of the target receiver is used for determining the receiver; the data transmission mode is used for determining whether an encrypted or a non-encrypted mode is adopted.
It is obvious that a new embodiment having the same application properties as the method of the invention can be obtained by recombining the above-described method steps. Therefore, methods based on simple combinations of the above method steps and content adaptation fall within the scope of the present invention.
The shared quantum key packet in the above embodiment includes but is not limited to: a group identifier and shared quantum key data (a shared quantum key of the group length); the data structure of the shared quantum key group identifier may adopt the shared quantum key group identifier provided in the embodiment of the present invention shown in fig. 4, that is, the group identifier includes: the packet number, the current relay node ID and the adjacent node ID; equivalently, the current relay node ID and the adjacent node ID can be replaced by the link identifier between the current relay node and the adjacent target node, and the ID can also be any other identifier that uniquely identifies the corresponding node; the packet number may be a local number or a global number, and if it is a local number, when a certain shared quantum key packet is used to create a virtual node routing state, the corresponding local number is changed to the global number of the corresponding virtual node routing state.
On the basis of the data structure shown in fig. 4, a new shared quantum key grouping or grouping identification embodiment can be obtained by adding any one or any more of the following content options: data format, check information and time stamp, wherein the check information can be data digest (or Hash value) or MAC code of the shared quantum key packet; the content of the data format includes any one or any plurality of the following: data type (e.g., using binary, 16-ary storage), data length, and data read and write order.
Further, as an example, fig. 5 shows another data structure of a shared quantum key packet provided by one possible embodiment of the present invention, that is, the data structure includes a packet number, a current relay node ID, an adjacent node ID, a data length, check information, and quantum key data, where the data length may be the data length of the quantum key data or the data length of the entire shared quantum key packet; the check information may be a quantum key data digest (or Hash value) or a MAC code.
The virtual node routing state in the above embodiments includes, but is not limited to: a virtual node routing state identifier and virtual node routing state data (i.e., the exclusive-or value of the shared quantum key packets between the current relay node and two adjacent target nodes). Fig. 6 shows a virtual node routing state identifier provided in an embodiment of the present invention, where the content of the virtual node routing state identifier includes but is not limited to: global number, current relay node ID1, adjacent node ID2, adjacent node ID3 (or the link identifiers of the previous and next adjacent target nodes connected to the current relay node).
The content of the virtual relay node status identifier in the above embodiment includes (as shown in fig. 7, a virtual relay node status identifier provided by the embodiment of the present invention): global number, current relay node ID1, number of virtual node routing states, where the number of virtual node routing states can be calculated from the number of neighboring destination nodes, and therefore the number of virtual node routing states can be replaced with the number of neighboring destination nodes and a new embodiment is obtained.
On the basis of the embodiments shown in fig. 6 and 7, a number of new embodiments can be obtained by adding any one or any number of the following options:
an identifier of the target network for distinguishing different target networks;
the local identification is used for distinguishing a plurality of virtual node routing states with the same global identification or/and distinguishing a plurality of virtual relay node states with the same global identification;
check information, wherein the check information is used for checking the integrity of the virtual node routing state data or/and the virtual node routing state, and includes but is not limited to a data digest, a Hash value or a MAC code of the corresponding data;
digitally signing, namely digitally signing the routing state of the virtual node or/and the state of the virtual relay node by adopting a digital signature algorithm;
the timestamp is used for recording the creation time of the routing state of the virtual node or/and the state of the virtual relay node;
the data digest (or Hash value) of the current virtual node routing state or/and the virtual relay node state, the data digest (or Hash value) of the last virtual node routing state or/and the virtual relay node state, or the data digest (or Hash value) of the current and last virtual node routing states or/and the virtual relay node state.
Further, in one possible design, the above-described private key for digital signature cannot be illegally accessed or derived.
The storage in the above embodiments includes, but is not limited to, any one or more of the following options: local storage, cloud storage and server-side storage, wherein the local storage method includes but is not limited to: storing the virtual node routing state or/and the virtual relay node state in a memory of the relay node device (wherein the memory includes but is not limited to a local memory or a network storage space), and sending the virtual node routing state identifier or/and the virtual relay node state identifier to the server;
cloud storage methods include, but are not limited to: storing a virtual node routing state (or virtual node routing state data) or/and a virtual relay node state on a cloud storage space; server-side storage includes, but is not limited to: and sending the routing state of the virtual node or/and the state of the virtual relay node to one or more servers for storage.
The outputting or sending in the above embodiments includes, but is not limited to, any one or both of the following options: real-time output and passive response output; among these, real-time output includes but is not limited to: outputting the created virtual node routing state or/and the virtual relay node state to a memory of the relay node equipment or/and a third party server or/and a target receiver indicated by the virtualization instruction in real time; passive response outputs include, but are not limited to: and outputting the virtual node routing state or/and the virtual relay node state with the specific number to a memory of the relay node device or/and a third party server or/and a target receiver indicated by the virtualization instruction according to the virtualization instruction.
Further, in one possible design, the outputting or sending in the above embodiment may be an encrypted transmission, the encrypted transmission including any one or more of the following options: the encryption transmission is carried out by adopting a symmetric cryptographic algorithm, the encryption transmission is carried out by adopting an asymmetric cryptographic algorithm, and the encryption transmission is carried out by adopting a tunnel mode or a transmission mode of VPN.
The server in the above embodiments may include, but is not limited to, any one or any plurality of the following options: the system comprises a network management device, a network virtualization management device, a service node device, a cloud storage service device and a block chain accounting node device.
The target recipient in the above embodiments may include, but is not limited to, any one or any plurality of the following options: the system comprises a network management device, a network virtualization management device, a service node device, a cloud storage service device and a block chain accounting node device.
The method of the present invention is further described below for a relay node having 3 adjacent nodes (e.g., the relay node R and its 3 adjacent nodes A, B and C provided in the embodiment of the present invention shown in fig. 8). As shown in fig. 8, it is assumed that the relay node R negotiates with the 3 adjacent nodes A, B and C using the above-mentioned method to use the shared quantum key groups Kra, Krb and Krc, respectively (the shared quantum key groups may be negotiated with the 3 adjacent nodes in turn, or with multiple adjacent nodes at the same time, or with the corresponding adjacent nodes according to virtualization instructions); R generates C(3,2) = 3 virtual node routing states based on the above-mentioned 3 shared quantum key packets (one virtual relay node state provided by the embodiment of the present invention is shown in fig. 9, including the virtual node routing states VRS0, VRS1 and VRS2), where the virtual relay node state identifier (i.e., the node identifier in fig. 9) includes an ID identifier 901 of the target relay node (i.e., ID_R), a global number 902 (i.e., 000123), the number 903 of virtual node routing states (i.e., 3), a data length 904 (i.e., 3 × 1MB, the data length of each virtual node routing state being 1 MB) and a data type 905 (i.e., hexadecimal), and each virtual node routing state (i.e., the state data in fig. 9) includes an ID identifier 906 of the target relay node, an ID identifier 907 of the first adjacent node, an ID identifier 908 of the second adjacent node, virtual node routing state data 909, a data digest 910 of the virtual node routing state, and a local number 911 of the virtual node routing state.
The function virtualization method of the relay node R comprises the following steps:
The relay node R negotiates a shared quantum key group with A, B and C respectively by adopting a real-time sharing method or a pre-caching method, wherein the real-time sharing method comprises: negotiating a shared quantum key with the adjacent node in real time, and processing the shared quantum key into a shared quantum key group by adopting a key preprocessing method, for example: negotiating a 1MB key, and taking the key as the shared quantum key group after creating a group identifier and integrity check information; the pre-caching method comprises: negotiating the shared quantum key with the adjacent node, processing the shared quantum key into one or more shared quantum key groups by adopting a key preprocessing method, caching the shared quantum key groups, and negotiating with the adjacent node to respectively select one shared quantum key group with the same group number from the cached shared quantum key groups. For example: negotiating a 10MB key at a time, dividing the key into 10 groups, carrying out a randomness test on each group, creating a group identifier and integrity check information for each group passing the randomness test, and using each such group as a shared quantum key group;
Obtaining the global number (902 in fig. 9) of the current virtual node routing state: R and A, B, C respectively negotiate the shared quantum key packets Kra, Krb and Krc, and R and A, B, C respectively confirm Kra, Krb, Krc and the global number (902 in fig. 9) of the virtual node routing state they are used to create; R creates 3 virtual node routing states using Kra, Krb and Krc (i.e., VRS0, VRS1 and VRS2, where VRS0 = (0, ID_R, ID_A, ID_B, Kra ⊕ Krb, Hash(Kra ⊕ Krb)), and so on), and destroys Kra, Krb and Krc; if a request from the server to send a virtual node routing state is received, R sends the corresponding virtual node routing state to the server or to the target receiver indicated by the server's request; VRS0, VRS1 and VRS2 are each packaged into a virtual node routing state, and the 3 virtual node routing states are stored, output, or stored and output.
Optionally, in one possible design, the following step is added: creating a virtual relay node of R, wherein the virtual relay node is used for storing and outputting the virtual node routing state and the virtual relay node state, and for sending the virtual node routing state or the virtual relay node state with a specific number to the server or the target receiver indicated by the server instruction, according to the instruction of the server.
In one possible design, the virtual relay node state shown in fig. 9 may be packaged as a database file, from which the global number 902 and the local number 911 may uniquely determine a virtual node routing state.
Additionally, since there is a correlation between VRS0, VRS1 and VRS2, namely the exclusive-or value of any two virtual node routing state data equals the third virtual node routing state data (e.g., VRS0 ⊕ VRS1 = VRS2), in one possible design the relay node may create only (C(n,1) - 1) virtual node routing states. Other similar possible designs with substantially equivalent application characteristics also fall within the scope of the present invention.
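The walk-through above (relay node R with adjacent nodes A, B, C, figs. 8 and 9), together with the consistency check and the data structures of figs. 5 to 7 described earlier, as an added Python example that is not part of the patent. SHA-256 as the digest, 64-byte constructed keys in place of QKD-negotiated 1 MB groups, and the node IDs ID_R, ID_A, ID_B, ID_C are assumptions made here.

```python
import hashlib
import itertools
from dataclasses import dataclass
from typing import Dict, List

GROUP_LEN = 64  # constructed size; the patent's walk-through uses 1 MB groups


def sha256_hex(data: bytes) -> str:
    """Data digest used as check information (the patent leaves the hash open; SHA-256 assumed)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class SharedKeyGroup:
    """Shared quantum key group in the fig. 5 layout: packet number, current relay
    node ID, adjacent node ID, check information (digest) and the key data."""
    number: int
    relay_id: str
    neighbor_id: str
    key: bytes

    @property
    def check(self) -> str:
        return sha256_hex(self.key)


def consistency_check(local: SharedKeyGroup, remote_check: str) -> bool:
    """Consistency check: relay node and neighbour each digest their copy of the
    group; a mismatch fails the check and the packet must be renegotiated."""
    return local.check == remote_check


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Exclusive-or of two key groups that share the same data format and length."""
    if len(a) != len(b):
        raise ValueError("shared key groups must have the same data length")
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class VirtualNodeRoutingState:
    """Fig. 6 identifier (global number, relay ID, two neighbour IDs) plus the
    routing state data (XOR value), its digest and a local number (fig. 9)."""
    global_number: int
    relay_id: str
    neighbor_id1: str
    neighbor_id2: str
    data: bytes
    digest: str
    local_number: int


def create_virtual_relay_node_state(relay_id: str, groups: Dict[str, SharedKeyGroup],
                                    global_number: int) -> dict:
    """Build the C(n,2) virtual node routing states from n shared key groups
    (keyed by neighbour ID), then destroy the groups as claim 2 describes."""
    states: List[VirtualNodeRoutingState] = []
    for local_no, (n1, n2) in enumerate(itertools.combinations(sorted(groups), 2)):
        data = xor_bytes(groups[n1].key, groups[n2].key)
        states.append(VirtualNodeRoutingState(global_number, relay_id, n1, n2,
                                              data, sha256_hex(data), local_no))
    # Destroy the groups once every XOR they take part in has been computed. Python
    # cannot guarantee the bytes are wiped; a real relay must zeroise its key buffers.
    groups.clear()
    # Fig. 7 virtual relay node state identifier: global number, relay ID, state count.
    return {"global_number": global_number, "relay_id": relay_id,
            "state_count": len(states), "states": states}


def correlation_holds(states: List[VirtualNodeRoutingState]) -> bool:
    """Verify the relation noted for VRS0, VRS1, VRS2: for neighbours i<j<k, data(i,j)
    XOR data(j,k) == data(i,k). Holds for any n, hence the C(n,1) - 1 design."""
    by_pair = {(s.neighbor_id1, s.neighbor_id2): s.data for s in states}
    neighbours = sorted({nb for pair in by_pair for nb in pair})
    return all(xor_bytes(by_pair[(i, j)], by_pair[(j, k)]) == by_pair[(i, k)]
               for i, j, k in itertools.combinations(neighbours, 3))


def constructed_key(label: str) -> bytes:
    """Constructed, deterministic stand-in for a QKD-negotiated key so the example
    runs offline; real groups come from the QKD channel."""
    out = b""
    counter = 0
    while len(out) < GROUP_LEN:
        out += hashlib.sha256(f"{label}:{counter}".encode()).digest()
        counter += 1
    return out[:GROUP_LEN]


def demo() -> dict:
    """Relay node R with neighbours A, B, C (fig. 8): negotiate Kra, Krb, Krc, run the
    consistency check, then create VRS0..VRS2 and destroy the groups."""
    relay = "ID_R"
    groups = {}
    for number, nb in enumerate(("ID_A", "ID_B", "ID_C")):
        label = "K_r" + nb[-1].lower()  # Kra, Krb, Krc
        groups[nb] = SharedKeyGroup(number, relay, nb, constructed_key(label))
        # The neighbour reports the digest of its own copy; here both copies match.
        if not consistency_check(groups[nb], sha256_hex(constructed_key(label))):
            raise RuntimeError(f"consistency check failed with {nb}: renegotiate")
    return create_virtual_relay_node_state(relay, groups, global_number=123)
```

`demo()` returns the fig. 7 style virtual relay node state (global number, relay ID, count) with VRS0 = Kra ⊕ Krb, VRS1 = Kra ⊕ Krc and VRS2 = Krb ⊕ Krc; `correlation_holds` checks the VRS0 ⊕ VRS1 = VRS2 relation.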
Although the present invention has described the data structure of the above-mentioned shared key packet and virtual node routing state (which may include content options of the target data and its identification and its ordering, data type, data length, etc.), it is contemplated that the elements or variables in the above-mentioned data structure may be randomly combined and do not significantly affect the application performance; in addition, it is obvious that if a certain element or variable (for example, a storage type, a data length) in a certain data structure is used as a global variable, the corresponding data format may not include the variable, and therefore, the present invention does not specifically limit the position ordering relationship of the element or variable in the data structure, nor does it limit the implementation manner of the certain element or variable; in addition, with similar considerations, the present invention does not specifically limit the position ordering relationship of the elements or variables in the data format, nor the implementation manner of a certain element or variable. Methods obtained by randomly combining or adjusting the positions of the elements in the data structure also fall within the scope of the present invention. It is obvious that some content options in the above virtual node routing state (or virtual relay node state) identification can be used as part of the corresponding virtual node routing state (or virtual relay node state) data in possible designs, and such similar possible designs fall within the scope of the present invention.
Fig. 10 illustrates an apparatus for virtualizing a relay node function according to an embodiment of the present invention, where the apparatus includes:
A transceiver: including various interface modules; the transceiver shown in fig. 10 may include an interface module 1001, an interface module 1002 and an interface module 1003; the interface module 1001 is configured to report topology information of the quantum relay node to the quantum network controller 1006 and to receive a virtualization instruction issued by the quantum network controller; the interface module 1002 is configured to send a virtual node routing state or/and a virtual relay node state to the virtualization server 1007; the interface module 1003 is configured to negotiate a shared quantum key packet with the adjacent quantum node 1008;
A data processing unit 1004: for negotiating a shared quantum key packet with an adjacent target node through the interface module 1003; also for creating a virtual node routing state; optionally, further configured to create a virtual relay node state or/and create a virtual relay node, and to send the virtual node routing state or/and the virtual relay node state to the node virtualization unit 1005; optionally, further configured to obtain the quantum key from the quantum key distribution unit 1009;
a node virtualization unit 1005 for managing storage and output of a virtual node routing state or/and a virtual relay node state; wherein, the virtual node routing state comprises: the exclusive or value and the corresponding identification of the shared quantum key grouping between the target relay node and two adjacent target nodes; the virtual relay node states include: routing states of part or all of virtual nodes of the target relay node and corresponding identifications of the virtual nodes; the virtualization instructions are for indicating any one or more of the following: global identification, data format of sharing quantum key grouping, data structure of virtual node routing state, data structure of virtual relay node state, identification of target receiver and data transmission mode; topology information includes, but is not limited to: the identification of the relay node, and the link state between the relay node and each adjacent target node; the virtualization server may include any one or more of the following options: the system comprises a network management device, a network virtualization management device, a service node device, a cloud storage service device and a block chain accounting node device. In one possible design, the virtualization server 1007 and the quantum network controller 1006 may be integrated devices.
Optionally, a quantum key distribution unit 1009 (abbreviated as QKD module) is further included in one possible design, where the QKD module is configured to negotiate a shared quantum key with an adjacent quantum node and input the shared quantum key into the data processing unit; the QKD module includes: one or more QKD receivers or/and transmitters capable of quantum key distribution with a respective QKD transmitter or/and receiver of a neighboring node; wherein the QKD receiver or/and transmitter includes any one or more of the following options: a discrete variable QKD receiver or/and a discrete variable transmitter, a continuous variable QKD receiver or/and a continuous variable QKD transmitter, a discrete variable QKD receiver or/and a continuous variable transmitter, a continuous variable QKD receiver or/and a discrete variable QKD transmitter.
Optionally, a new embodiment is obtained by adding any one or any more of the following units in the above embodiment:
(B1) the storage unit is used for storing the routing state of the virtual node and/or the state of the virtual relay node;
(B2) the identity authentication module is used for authentication of the relay node virtualization application device accessing to the quantum network and identity authentication between the relay node virtualization application device and an adjacent target node or/and a server, wherein the authentication includes but is not limited to: authentication based on CA certificate, authentication based on initial root key;
(B3) the password management module is used for data encryption and decryption (including but not limited to data encryption and decryption by adopting a symmetric password algorithm, data encryption and decryption by adopting an asymmetric password algorithm, and data encryption and decryption by adopting a tunnel mode or a transmission mode of VPN), digital signature and calculation of an integrity check value;
(B4) an access control module, configured to identify a received control command and a service request command, and respond to a legal command or reject an illegal command, where the identification method includes, but is not limited to: verifying the digital signature of the received instruction, if the digital signature passes the verification, judging the digital signature as a legal instruction, and otherwise, judging the digital signature as an illegal instruction;
(B5) an illegal start-up protection module, used for automatically destroying all cached data if the system is illegally started up or the chassis is illegally opened;
(B6) the private key protection module is used for protecting the initial root key or/and the private key for digital signature from being illegally accessed or exported;
(B7) a relay node virtual mapping module, used for application management of the virtual node routing state and the virtual relay node state, and for sending the virtual node routing state or the virtual relay node state with a specific number to a server and a target receiver indicated by the server instruction, according to the instruction of the quantum network controller or the server.
In one possible design, the device further comprises a logic isolation module, wherein the logic isolation module divides the relay node virtualization application device into a security domain unit and an open domain unit; wherein the security domain unit comprises: the data processing unit, and optionally further the QKD module or/and the password management module; the open domain unit comprises: the transceiver and the node virtualization module.
Further, in one possible design, the transceiver further includes: and the 5G mobile communication module is used for sending the routing state of the virtual node or the state of the virtual relay node to the server or a target receiver indicated by the server instruction. In another possible design, the transceiver may also employ other wireless communication modes (including, but not limited to, mobile communication network-based communication, communication satellite channel-based communication, WIFI network-based communication) and be used to transmit the virtual node routing status or virtual relay node status to the server or the intended recipient indicated by the server instructions.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus (or system), or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (or systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the invention has been described in conjunction with specific features and embodiments thereof, it will be evident that various modifications and combinations can be made thereto without departing from the spirit and scope of the invention. Accordingly, the specification and figures are merely exemplary of the invention as defined in the appended claims and are intended to cover any and all modifications, variations, combinations, or equivalents within the scope of the invention. It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (22)

1. A relay node function virtualization method is characterized by comprising the following steps: a target relay node in the target network negotiates a shared key packet with each of n adjacent target nodes respectively (where n is a natural number greater than 1 and n is not greater than the number of all nodes adjacent to the target relay node), the target relay node calculates an exclusive-or value of any two of the n shared key packets and creates a corresponding identifier (for convenience, hereinafter, the exclusive-or value is referred to as virtual node routing state data, the identifier is referred to as virtual node routing state identifier, and the exclusive-or value and its corresponding identifier are referred to as a virtual node routing state), stores, or outputs, or stores and outputs part or all of the C(n,2) virtual node routing states (where C(n,2) is the number of combinations of 2 arbitrarily selected from n, the same below), or/and creates node identifiers for the C(n,2) virtual node routing states and stores, or outputs, or stores and outputs the C(n,2) virtual node routing states and their node identifiers (for convenience, the node identifiers are hereinafter referred to as virtual relay node state identifiers, and the C(n,2) virtual node routing states and their corresponding node identifiers are hereinafter referred to as a virtual relay node state), wherein the target network includes any one of the following options: quantum key distribution network, quantum communication network, quantum sensing network, quantum security internet.
2. The method of claim 1, wherein the method for virtualizing functions of the relay nodes comprises: and after the C (n,2) virtual node routing states are created, destroying the corresponding n shared key groups, or destroying the shared key groups after all the virtual node routing state data needing to participate in calculation of one shared key group are completed.
3. The relay node function virtualization method according to claim 1 or 2, wherein the method comprises any one or both of the following: (1) before creating a virtual node routing state, obtaining a global identifier, wherein the method for obtaining the global identifier comprises the steps of determining the current global identifier according to a virtualization instruction or determining the current global identifier according to the last global identifier, (2) before creating the virtual node routing state, confirming the negotiated shared key packet and the global identifier of the virtual node routing state used by the negotiated shared key packet by a target relay node and an adjacent target node, and using the negotiated shared key packet for creating the virtual node routing state with the same global identifier by the target relay node and the adjacent target relay node respectively.
4. A relay node function virtualization method according to claim 1, 2 or 3, comprising: and creating a virtual relay node, wherein the virtual relay node is used for storing and outputting management of a virtual node routing state or/and a virtual relay node state, and sending the virtual node routing state or the virtual relay node state to a target receiving party indicated by the virtualization instruction according to the virtualization instruction.
5. The relay node function virtualization method according to claim 1, 2, 3 or 4, comprising: and packaging the routing states of the C (n,2) virtual nodes and the corresponding node identifications into a data file.
6. The method for virtualizing an application of a relay node according to claim 1, 2, 3, 4 or 5, wherein the method comprises: the relay node performs identity authentication with an adjacent target node or/and a network controller, wherein the identity authentication comprises: CA certificate based authentication or initial root key based authentication.
7. The relay node function virtualization method according to claim 1, 2, 3, 4, 5 or 6, comprising: the target relay node reporting its topology information to a network controller or a target receiver, and the target relay node receiving a virtualization instruction issued by the network controller or the target receiver, wherein the topology information comprises the identification of the target relay node and the link status between the target relay node and each adjacent target node, and the virtualization instruction indicates any one or more of: global identification, data format of the shared key group, data structure of the virtual node routing state, data structure of the virtual relay node state, identification of the target receiver, and data transmission mode.
8. The relay node function virtualization method according to claim 1, 2, 3, 4, 5, 6 or 7, comprising: determining any one or more of the following according to a given system policy: global identification, data format of the shared key group, data structure of the virtual node routing state, data structure of the virtual relay node state, identification of the target receiver, and data transmission mode.
9. The relay node function virtualization method according to claim 1, wherein negotiating a shared key group comprises either or both of the following: a real-time sharing method and a pre-caching method, wherein
the real-time sharing method comprises: the relay node and the adjacent target node negotiate a certain amount of shared key in real time and use it as one shared key group, for which a group identification is created; or, further, the relay node and the adjacent target node each divide the shared key into one or more groups using the same data format, apply the same randomness test to each group, and use a group that passes the randomness test as a shared key group, for which a group identification is created;
the pre-caching method comprises: the relay node negotiates a certain amount of shared key with the adjacent target node; the two sides each divide the shared key into one or more groups using the same data format, apply the same randomness test to each group, cache every group that passes the randomness test and create a group identification for each; and the relay node then negotiates with the adjacent target node to select, from the cached groups, one group with a consistent or identical group number as the shared key group; wherein negotiating the certain amount of shared key comprises any one of: negotiating keys with several adjacent target nodes in turn, negotiating keys with several adjacent target nodes simultaneously, or negotiating keys with the adjacent target nodes designated by a virtualization instruction, and wherein the key negotiation occupies either the whole bandwidth of the key negotiation channel or only part of it.
10. The relay node function virtualization method according to claim 10, wherein the group identification comprises: a group number, and the link identification of the current relay node and the adjacent target node (or the identifications of the current relay node and the adjacent target node), wherein the group number is either a local number or a global identification; where a local number is used, once a shared key group has been used to create a virtual node routing state, its local number is replaced by the global identification of that virtual node routing state.
11. The relay node function virtualization method according to claim 1, wherein the content of the virtual node routing state identifier comprises: the global identification, the identification of the current relay node, and the routing identifications of the previous and next adjacent target nodes connected to the current relay node (or: the identification of the current relay node, the identification of the first adjacent target node, and the identification of the second adjacent target node),
and the content of the virtual relay node state identifier comprises: the identification of the current relay node, the global identification, and the number of virtual node routing states or the number of adjacent target nodes.
12. The relay node function virtualization method according to claim 11, wherein the virtual node routing state (or virtual relay node state), or the content of the virtual node routing state identifier (or of the virtual relay node state identifier), further comprises any one or more of the following:
an identification of the target network, for distinguishing between different target networks,
a local identification, for distinguishing between multiple virtual node routing states (or multiple virtual relay node states) that carry the same global identification,
check information for verifying the integrity of the virtual node routing state data (or virtual node routing state), comprising a data digest, a hash value or a MAC of the corresponding data,
a digital signature, produced by signing the virtual node routing state (or the virtual relay node state) with a digital signature algorithm,
a timestamp recording the creation time of the virtual node routing state (or virtual relay node state),
a data digest (or hash value) of the current virtual node routing state (or virtual relay node state), a data digest (or hash value) of the previous virtual node routing state (or virtual relay node state), or a data digest (or hash value) covering both the current and the previous virtual node routing state (or virtual relay node state).
13. The relay node function virtualization method according to claim 12, wherein the private key for digital signature cannot be illegally accessed or derived.
14. The relay node function virtualization method according to claim 1 or 4, wherein the storing comprises any one or more of the following options:
local storage, comprising: storing the virtual node routing state or/and the virtual relay node state in the memory of the relay node device and sending the virtual node routing state identifier or/and the virtual relay node state identifier to the target receiver,
cloud storage, comprising: storing the virtual node routing state (or virtual node routing state data) or/and the virtual relay node state in a cloud storage space,
server-side storage, comprising: sending the virtual node routing state or/and the virtual relay node state to one or more servers for storage, wherein that storage is local memory or network storage space.
15. The relay node function virtualization method according to claim 1 (or 4), wherein the outputting (or sending) comprises either or both of the following options: real-time output and passive response output, wherein
real-time output comprises: outputting each virtual node routing state or/and virtual relay node state, as soon as it is created, to the memory of the relay node device or/and a third-party server or/and the target receiver indicated by the virtualization instruction,
passive response output comprises: outputting the virtual node routing state or/and the virtual relay node state to the memory of the relay node device or/and a third-party server or/and the target receiver indicated by the virtualization instruction only when a virtualization instruction requests it.
16. The relay node function virtualization method according to claim 1, 4 or 15, wherein the outputting (or sending) further comprises encrypted transmission, which comprises any one or more of the following options: encrypted transmission using a symmetric cryptographic algorithm, encrypted transmission using an asymmetric cryptographic algorithm, and encrypted transmission using the tunnel mode or transport mode of a VPN.
17. The relay node function virtualization method according to claim 4, 7, 8, 14 or 15, wherein the target receiver comprises any one or more of the following options: a network management device, a network virtualization management device, a service node device, a cloud storage service device, and a blockchain accounting node device.
18. A relay node function virtualization apparatus, comprising:
a transceiver, for reporting the topology information of the quantum relay node to a network controller or a server and for receiving the virtualization instruction issued by the network controller or the server,
a data processing unit, for negotiating a shared key group with an adjacent target node and creating the virtual node routing state, and optionally also for creating the virtual relay node state or/and creating a virtual relay node,
a node virtualization unit, for storage and output management of the virtual node routing states or/and virtual relay node states,
wherein the virtual node routing state comprises: the XOR value of the shared key groups between the target relay node and two adjacent target nodes, together with its corresponding identification,
the virtual relay node state comprises: some or all of the virtual node routing states of the target relay node, together with their corresponding identifications,
the virtualization instruction indicates any one or more of: global identification, data format of the shared key group, data structure of the virtual node routing state, data structure of the virtual relay node state, identification of the target receiver, and data transmission mode,
and the topology information comprises: the identification of the relay node and the link status between the relay node and each adjacent target node.
19. The relay node function virtualization apparatus according to claim 18, comprising: a QKD module for negotiating a shared quantum key with an adjacent quantum node and passing the shared quantum key to the data processing unit, the QKD module comprising one or more QKD receivers or/and transmitters capable of quantum key distribution with the corresponding QKD transmitter or/and receiver of a neighbouring node, wherein the QKD receivers or/and transmitters comprise any one or more of the following options: a discrete-variable QKD receiver or/and discrete-variable QKD transmitter, a continuous-variable QKD receiver or/and continuous-variable QKD transmitter, a discrete-variable QKD receiver or/and continuous-variable QKD transmitter, and a continuous-variable QKD receiver or/and discrete-variable QKD transmitter.
20. The relay node function virtualization apparatus according to claim 18 or 19, further comprising any one or more of the following:
a storage unit, for storing virtual node routing states or/and virtual relay node states,
an identity authentication module, for authenticating the apparatus when it accesses the quantum network and for identity authentication between the apparatus and an adjacent target node or/and a server, wherein the authentication comprises CA certificate based authentication and initial root key based authentication,
a cryptographic management module, for data encryption and decryption, digital signature, and integrity check value calculation,
an access control module, for identifying received control commands and service request commands and responding to legitimate commands or rejecting illegitimate ones, wherein the identification method is: verify the digital signature on the received command; if verification succeeds the command is legitimate, otherwise it is illegitimate,
an illegal start-up protection module, for automatically destroying all cached data if the system is started illegally or the enclosure is opened illegally,
a private key protection module, for protecting the initial root key or/and the private key used for digital signature from being illegally accessed or exported,
and a relay node virtual mapping module, for application management of the virtual node routing state and the virtual relay node state, and for sending the virtual node routing state or the virtual relay node state to the server and to the target receiver indicated by the virtualization instruction, according to the instruction of the network controller or the server.
21. The relay node function virtualization apparatus according to claim 18, 19 or 20, comprising: a logical isolation module that divides the apparatus into a security domain unit and a public domain unit, wherein
the security domain unit comprises the data processing unit and optionally also the QKD module or/and the cryptographic management module,
and the public domain unit comprises the transceiver and the node virtualization module.
22. The relay node function virtualization apparatus according to claim 18, wherein the transceiver further comprises a wireless communication module, for sending the virtual node routing state or/and the virtual relay node state to a server or to the receiver indicated by the server's instruction, wherein the wireless communication comprises communication over a mobile communication network, communication over a communication satellite channel, and communication over a Wi-Fi network.
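The core of claims 2, 9, 11, 12 and 18 in working form, as an added example that is not the patent's own code: a relay node with n neighbours keeps one shared key group per neighbour, publishes the C(n,2) XOR values as virtual node routing states with claim-11-style identifiers, chains digests and attaches a MAC (claim 12), then destroys the groups (claim 2) so that only a neighbour holding one of the two groups can recover the other. The key length, the identifier layout, the monobit randomness test and the MAC construction are assumptions of this example, not specified by the patent.

```python
import hashlib
import hmac
import itertools
import math
import secrets

GROUP_LEN = 32  # assumed shared key group length in bytes (not from the patent)


def passes_monobit_test(group: bytes, z_max: float = 3.0) -> bool:
    """Assumed randomness test for claim 9: reject groups whose ones/zeros
    balance deviates from n/2 by more than z_max standard deviations."""
    ones = sum(bin(b).count("1") for b in group)
    n_bits = 8 * len(group)
    z = abs(2 * ones - n_bits) / math.sqrt(n_bits)
    return z <= z_max


def make_key_groups(neighbours, rng=secrets.token_bytes):
    """Constructed stand-in for QKD negotiation: one key group per neighbour,
    keeping only groups that pass the randomness test (claim 9)."""
    groups = {}
    for nb in neighbours:
        g = rng(GROUP_LEN)
        while not passes_monobit_test(g):
            g = rng(GROUP_LEN)
        groups[nb] = bytearray(g)  # mutable so it can be wiped later
    return groups


def create_routing_states(relay_id, global_id, groups, mac_key):
    """Build the C(n,2) virtual node routing states, then destroy the groups."""
    states, prev_digest = [], b""
    for a, b in itertools.combinations(sorted(groups), 2):
        xor_value = bytes(x ^ y for x, y in zip(groups[a], groups[b]))
        ident = f"{global_id}|{relay_id}|{a}|{b}"  # assumed claim-11 layout
        # claim 12: digest chained to the previous state, plus a MAC check value
        digest = hashlib.sha256(prev_digest + ident.encode() + xor_value).digest()
        tag = hmac.new(mac_key, ident.encode() + xor_value, "sha256").digest()
        states.append({"id": ident, "xor": xor_value, "digest": digest, "mac": tag})
        prev_digest = digest
    # claim 2: once all C(n,2) states exist the relay wipes and drops the groups
    for nb in list(groups):
        groups[nb][:] = bytes(GROUP_LEN)
        del groups[nb]
    return states


def verify_state(state, mac_key) -> bool:
    """Receiver-side integrity check of one routing state (claim 12)."""
    expected = hmac.new(mac_key, state["id"].encode() + state["xor"], "sha256").digest()
    return hmac.compare_digest(expected, state["mac"])


def recover_peer_key(state, own_group: bytes) -> bytes:
    """A neighbour that holds one of the two groups recovers the other from the XOR."""
    return bytes(x ^ y for x, y in zip(state["xor"], own_group))
```

After `create_routing_states` returns, the relay's copy of every group is zeroed and gone; a tampered `xor` or `id` fails `verify_state`.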
CN201910820366.6A 2019-09-01 2019-09-01 Relay node function virtualization method and device Withdrawn CN112367161A (en)

Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN201910820366.6A    2019-09-01      2019-09-01    Relay node function virtualization method and device (CN112367161A, en)

Publications (1)

Publication Number   Publication Date
CN112367161A (en)    2021-02-12

Family

ID=74516428

Country Status (1)

Country   Link
CN (1)    CN112367161A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number      Priority date   Publication date   Assignee                 Title
WO2022193985A1 (en) *   2021-03-16      2022-09-22         腾讯科技(深圳)有限公司   Data processing method and apparatus, and device and storage medium

Legal Events

Date   Code   Title   Description
PB01   Publication
SE01   Entry into force of request for substantive examination
WW01   Invention patent application withdrawn after publication

Application publication date: 20210212