Quantum secret communication system
Technical Field
The present invention relates to communication systems, and in particular to quantum secret communication systems.
Background
Quantum communication technology is an emerging secure communication technology based on quantum physics. In China it has entered the practical stage, and its application prospects and strategic significance have drawn great attention from local governments and key industries. In addition to quantum communication trunk lines, several large metropolitan quantum communication networks have been built and put into operation. Preliminary applications on these metropolitan networks include highly confidential video and voice communication. Quantum communication trunks and quantum communication metropolitan area networks together constitute quantum communication networks, whose essential function is Quantum Key Distribution (QKD); a quantum communication network built on QKD technology may therefore be referred to as a QKD network.
With the rapid development of the mobile internet, the internal service websites of enterprises and public institutions are increasingly extended to mobile terminals, so that staff can keep up with their work at any time, and users expect to access the server from a portable mobile terminal. A loophole in identity authentication leads to data leakage and irrecoverable consequences for the enterprise, so a safe and reliable identity authentication method is essential. Existing authentication modes mainly comprise login authentication by account and password, dynamic password authentication and the like, but account passwords and dynamic passwords may be intercepted and leaked.
If a large number of users perform identity authentication within a short time, a conventional communication system responds slowly and, in serious cases, crashes so that identity authentication can no longer be performed. In addition, existing communication systems lack an effective evaluation of communication security and cannot monitor eavesdropping, data leakage and other actions that endanger communication security.
Disclosure of Invention
(I) Solving the technical problems
Aiming at the defects of the prior art, the invention provides a quantum secret communication system, which can effectively overcome the defects in the prior art that the system responds slowly when a large number of tasks arrive within a short time and that an effective evaluation of communication security is lacking.
(II) Technical scheme
In order to achieve the above purpose, the invention is realized by the following technical scheme:
the quantum secret communication system comprises a user side, an access server and an authentication server. The authentication server sends a key package to the user side through a data sending module. The user side generates first authentication information through a first authentication information generating module and sends it to the authentication server through the access server. The access server receives the first authentication information, generates second authentication information through a second authentication information generating module, and sends the second authentication information to the authentication server together with the first authentication information. The authentication server is connected with an authentication information decryption module for decrypting the first authentication information and the second authentication information, and with a communication pairing module for pairing the user side and the access server for communication according to the decryption result;
the user side and the access server each comprise a communication unit and a security detection unit. The communication unit comprises a quantum encoding module and a quantum decoding module. The security detection unit comprises a photon counting module for counting communication photons, a bit error rate detection module for detecting the communication bit error rate, a data comparison analysis module for comparing and analyzing the number of communication photons and the communication bit error rate, a communication state detection module for detecting the communication state, and a communication security assessment module for carrying out a security assessment according to the comparison analysis result and the communication state.
Preferably, the verification server has a unique verification server private key and generates a server public key from the verification server private key and a base point generating element;
the verification server sends the server public key to the user terminal through the data sending module, and the user terminal generates a user terminal public key and a user terminal private key from the server public key.
Preferably, the user side encrypts the first verification information with its own private key and sends the first verification information to the verification server through the access server.
Preferably, the access server has a unique access server private key and generates an access server public key from the access server private key and the base point generating element.
Preferably, the access server encrypts the second authentication information with the access server private key and sends it to the authentication server.
Preferably, if the authentication server can decrypt the first authentication information with the server public key, the authentication server agrees to connect with the user terminal; if the verification server can decrypt the second verification information with the public key of the access server, the verification server agrees to connect the access server; and the verification server pairs the connected user terminal and access server for communication through the communication pairing module.
Preferably, the quantum encoding module periodically encodes communication photons as "0" and "1" through different modulation frequencies;
and the quantum decoding module decodes according to the correspondence between the modulation frequency and the binary bit sequence generated by the quantum encoding module.
Preferably, the photon counting module fits the numbers of communication photons measured under different light intensities and calculates the number of communication photons under a single light intensity; and the bit error rate detection module fits the communication bit error rates measured under different light intensities and calculates the communication bit error rate under a single light intensity.
Preferably, the data comparison analysis module judges the relation between the number of communication photons under the single light intensity, the communication error rate under the single light intensity and their respective thresholds.
Preferably, if the data comparison analysis module determines that the number of communication photons under the single light intensity is greater than a first threshold, or that the communication error rate under the single light intensity is greater than a second threshold, and the communication state detection module detects that the current communication has not stopped, the communication security assessment module assesses the current communication state as unsafe.
(III) Beneficial effects
Compared with the prior art, the quantum secret communication system provided by the invention has the following advantages: a user can send a login request to any verification server, so the task load borne by each verification server is optimized and slow response of a verification server is prevented; because double-ended verification is adopted, when the key of one party is leaked, communication security is still ensured as long as the other party paired with it for communication has not leaked its key; and from the detected number of communication photons and communication error rate, behaviours endangering communication security such as interception and data leakage can be judged, so that communication security is effectively evaluated in combination with the current communication state.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It is evident that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained from them without inventive effort by a person of ordinary skill in the art.
FIG. 1 is a schematic diagram of a system according to the present invention;
FIG. 2 is a schematic diagram of the internal system of the client and the access server in FIG. 1 according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more clear, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. It will be apparent that the described embodiments are some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The quantum secret communication system comprises a user side, an access server and an authentication server. The authentication server sends a key package to the user side through a data sending module. The user side generates first authentication information through a first authentication information generating module and sends it to the authentication server through the access server. The access server receives the first authentication information, generates second authentication information through a second authentication information generating module, and sends the second authentication information to the authentication server together with the first authentication information. The authentication server is connected with an authentication information decryption module for decrypting the first authentication information and the second authentication information, and with a communication pairing module for pairing the user side and the access server for communication according to the decryption results.
The verification server has a unique verification server private key and generates a server public key from the verification server private key and the base point generating element.
The verification server sends the server public key to the user terminal through the data sending module, and the user terminal generates the user terminal public key and the user terminal private key from the server public key.
The user side encrypts the first verification information with its own private key and sends the first verification information to the verification server through the access server.
The access server has a unique access server private key and generates an access server public key from the access server private key and the base point generating element. The access server encrypts the second authentication information with the access server private key and sends the second authentication information to the authentication server.
If the verification server can decrypt the first verification information with the server public key, the verification server agrees to the connection of the user side; if the verification server can decrypt the second verification information with the public key of the access server, the verification server agrees to connect the access server; and the verification server pairs the connected user terminal and access server for communication through the communication pairing module.
The user can send a login request to any verification server, so the task load borne by each verification server is optimized and slow response of a verification server is prevented. Since double-ended authentication is adopted, when the key of one party is leaked, communication security is still ensured as long as the other party paired with it for communication has not leaked its key.
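The double-ended verification and pairing flow above, as an added example that is not part of the patent. The text says each party "encrypts" its authentication information with its own private key and the verification server "decrypts" it with a public key; this example models that step as a Schnorr signature over a small prime-order multiplicative group, with the generator `G` standing in for the "base point generation element" and public key `G^x mod P` for private key `x`. The patent does not say how the user derives its key pair from the server public key or how public keys reach the verification server, so here the key package carries only the group parameters and server public key, every party generates its own pair, and public keys are registered with the server out of band (all assumptions). The group parameters are toy values so the example runs instantly; they are trivially brute-forceable and stand in for a standard group only.

```python
"""Double-ended verification with Schnorr signatures over a toy group (added example)."""
import hashlib
import secrets
from typing import Dict, Tuple

# Toy group: P = 2Q + 1 is a safe prime and G = 2^2 has order Q in Z_P*.
# These are illustration-only parameters, nowhere near a secure size.
P, Q, G = 1019, 509, 4

Signature = Tuple[int, int]


def _hash_to_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def keygen() -> Tuple[int, int]:
    """Private key x in [1, Q-1]; public key G^x mod P (private key times the base point)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(priv: int, msg: bytes) -> Signature:
    """Schnorr signature (r, s); nonce and challenge are derived so they are never zero."""
    k = _hash_to_int(priv.to_bytes(2, "big"), msg) % (Q - 1) + 1
    r = pow(G, k, P)
    e = _hash_to_int(r.to_bytes(2, "big"), msg) % (Q - 1) + 1
    return r, (k + e * priv) % Q


def verify(pub: int, msg: bytes, sig: Signature) -> bool:
    """G^s == r * pub^e (mod P) holds exactly when s = k + e*x for pub = G^x."""
    r, s = sig
    e = _hash_to_int(r.to_bytes(2, "big"), msg) % (Q - 1) + 1
    return pow(G, s, P) == (r * pow(pub, e, P)) % P


class VerificationServer:
    """Own key pair plus registered public keys (registration is an assumption here)."""

    def __init__(self) -> None:
        self.priv, self.pub = keygen()
        self.registered: Dict[str, int] = {}
        self.pairings: Dict[str, str] = {}

    def key_package(self) -> Tuple[int, int, int, int]:
        # Data sending module: group parameters and server public key for the user side.
        return P, Q, G, self.pub

    def register(self, party_id: str, pub: int) -> None:
        self.registered[party_id] = pub

    def authenticate(self, user_id: str, first_info: bytes, first_sig: Signature,
                     access_id: str, second_info: bytes, second_sig: Signature) -> str:
        # Decryption module: each piece of information is checked under its own party's key,
        # so a leaked user key alone cannot produce an accepted pairing.
        user_ok = user_id in self.registered and verify(self.registered[user_id], first_info, first_sig)
        access_ok = access_id in self.registered and verify(self.registered[access_id], second_info, second_sig)
        if user_ok and access_ok:
            self.pairings[user_id] = access_id  # communication pairing module
            return "paired"
        if user_ok:
            return "access server rejected"
        if access_ok:
            return "user rejected"
        return "both rejected"


def login(server: VerificationServer, user_id: str, user_priv: int,
          access_id: str, access_priv: int, request: bytes) -> str:
    """One login: the user signs the first information, the access server forwards it
    together with its own signed second information."""
    first_info = user_id.encode() + b":" + request
    first_sig = sign(user_priv, first_info)
    second_info = access_id.encode() + b" forwards " + first_info
    second_sig = sign(access_priv, second_info)
    return server.authenticate(user_id, first_info, first_sig, access_id, second_info, second_sig)


def demo() -> Tuple[str, str]:
    server = VerificationServer()
    user_priv, user_pub = keygen()
    access_priv, access_pub = keygen()
    server.register("user-01", user_pub)
    server.register("access-01", access_pub)
    honest = login(server, "user-01", user_priv, "access-01", access_priv, b"login")
    # Leaked user key but intact access server key: any other key (this one is
    # guaranteed to differ from access_priv) yields second information that fails.
    wrong_access_priv = access_priv % (Q - 1) + 1
    forged = login(server, "user-01", user_priv, "access-01", wrong_access_priv, b"login")
    return honest, forged


if __name__ == "__main__":
    print(demo())  # ('paired', 'access server rejected')
```

The second outcome is the property the text claims for double-ended verification: the server pairs the two parties only when both pieces of information verify, so compromising one party's key is not enough to obtain a pairing.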
The user end and the access server each comprise a communication unit and a safety detection unit, and the communication unit comprises a quantum encoding module and a quantum decoding module.
The quantum encoding module periodically encodes communication photons as "0" and "1" through different modulation frequencies.
The quantum decoding module decodes according to the correspondence between the modulation frequency and the binary bit sequence generated by the quantum encoding module.
The safety detection unit comprises a photon counting module for counting communication photons, a bit error rate detection module for detecting the communication bit error rate, a data comparison analysis module for comparing and analyzing the number of communication photons and the communication bit error rate, a communication state detection module for detecting the communication state, and a communication safety evaluation module for carrying out a safety evaluation according to the comparison analysis result and the communication state.
The photon counting module fits the numbers of communication photons measured under different light intensities and calculates the number of communication photons under a single light intensity; and the error rate detection module fits the communication error rates measured under different light intensities and calculates the communication error rate under a single light intensity.
In fact, the number of communication photons under a single light intensity and the communication error rate under a single light intensity are each in a linear relation with the fitting result, so the accuracy of the fitted result can only be ensured by acquiring the number of communication photons and the communication error rate under a sufficient number of different light intensities.
The data comparison analysis module judges the relation between the number of communication photons under the single light intensity, the communication error rate under the single light intensity and their respective thresholds.
If the data comparison analysis module judges that the number of communication photons under the single light intensity is greater than a first threshold, or that the communication error rate under the single light intensity is greater than a second threshold, and the communication state detection module detects that the current communication has not stopped, the communication security assessment module assesses the current communication state as unsafe.
When the data comparison analysis module judges that the number of communication photons under the single light intensity is greater than the first threshold, or that the communication error rate under the single light intensity is greater than the second threshold, this indicates that behaviours endangering communication security, such as eavesdropping and data leakage, have occurred: once such behaviour occurs, the number of communication photons (under the same light intensity) drops directly and the communication error rate rises.
At this time the communication system should, under normal conditions, stop data transmission, report the event, and retransmit the data once the number of communication photons and the communication error rate have recovered. If the communication state detection module detects that the current communication has not stopped, there is a potential threat of communication content leakage, and the communication security assessment module assesses the current communication state as unsafe.
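The security detection unit described above, from the fit across light intensities to the final verdict, as an added example that is not part of the patent. The photon counting and error rate modules are modelled as an ordinary least-squares line over measurements at several intensities, evaluated at the single intensity of interest (the linear relation the text relies on); the comparison module applies the two thresholds in the direction the text states them; and the state module turns an anomaly into "unsafe" only when transmission has not stopped, otherwise recording that the link halted as expected. All measurements, intensities and thresholds are constructed sample values, and the module and verdict names are this example's own.

```python
"""Security assessment from photon counts and error rates at several intensities (added example)."""
from dataclasses import dataclass
from typing import Sequence, Tuple

# Constructed measurements: four light intensities (mean photon number per pulse) with the
# photon count and error rate observed at each. Both series are linear in the intensity.
INTENSITIES = (0.1, 0.2, 0.4, 0.5)
PHOTON_COUNTS = (150.0, 250.0, 450.0, 550.0)       # detections per measurement block
ERROR_RATES_CLEAN = (0.021, 0.022, 0.024, 0.025)   # quiet link
ERROR_RATES_DISTURBED = (0.07, 0.08, 0.10, 0.11)   # link with added errors

# Constructed thresholds: the text's "first threshold" (photons) and "second threshold" (error rate).
PHOTON_THRESHOLD = 400.0
QBER_THRESHOLD = 0.05


def linear_fit(xs: Sequence[float], ys: Sequence[float]) -> Tuple[float, float]:
    """Least-squares fit of y = slope * x + intercept; needs >= 2 distinct intensities."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need at least two paired samples")
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("samples must span at least two distinct intensities")
    slope = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys)) / sxx
    return slope, mean_y - slope * mean_x


def estimate_at_intensity(intensities: Sequence[float], samples: Sequence[float], mu: float) -> float:
    """Photon counting / error rate module: fit across intensities, evaluate at one intensity mu."""
    slope, intercept = linear_fit(intensities, samples)
    return slope * mu + intercept


@dataclass(frozen=True)
class Assessment:
    photons: float          # fitted photon count at the single intensity
    qber: float             # fitted error rate at the single intensity
    photon_exceeded: bool   # photons > first threshold
    qber_exceeded: bool     # error rate > second threshold
    verdict: str            # "safe", "halted" or "unsafe"


def assess_link(intensities: Sequence[float], photon_counts: Sequence[float],
                error_rates: Sequence[float], mu: float,
                photon_threshold: float, qber_threshold: float, link_state: str) -> Assessment:
    """Data comparison analysis + communication state detection -> security assessment."""
    photons = estimate_at_intensity(intensities, photon_counts, mu)
    qber = estimate_at_intensity(intensities, error_rates, mu)
    photon_exceeded = photons > photon_threshold
    qber_exceeded = qber > qber_threshold
    anomaly = photon_exceeded or qber_exceeded
    if not anomaly:
        verdict = "safe"
    elif link_state == "stopped":
        verdict = "halted"   # expected response: transmission stopped, awaiting recovery
    else:
        verdict = "unsafe"   # anomaly while still transmitting: possible content leakage
    return Assessment(photons, qber, photon_exceeded, qber_exceeded, verdict)


def demo() -> Tuple[Assessment, Assessment, Assessment]:
    mu = 0.3  # the single intensity the fitted values are reported at
    quiet = assess_link(INTENSITIES, PHOTON_COUNTS, ERROR_RATES_CLEAN, mu,
                        PHOTON_THRESHOLD, QBER_THRESHOLD, "transmitting")
    disturbed = assess_link(INTENSITIES, PHOTON_COUNTS, ERROR_RATES_DISTURBED, mu,
                            PHOTON_THRESHOLD, QBER_THRESHOLD, "transmitting")
    stopped = assess_link(INTENSITIES, PHOTON_COUNTS, ERROR_RATES_DISTURBED, mu,
                          PHOTON_THRESHOLD, QBER_THRESHOLD, "stopped")
    return quiet, disturbed, stopped


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Feeding the fit from several intensities rather than a single one is what the text's remark about "enough different light intensities" buys: with exactly linear constructed data the fit is exact, while `linear_fit` refuses inputs that cannot determine a line at all.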
The above embodiments are only for illustrating the technical solution of the present invention and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that the technical scheme described in the foregoing embodiments can be modified, or some of its technical features can be replaced by equivalents, and that such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.