CN113765653B - Quantum key output method and system and quantum key management device - Google Patents


Info

Publication number: CN113765653B
Authority: CN (China)
Prior art keywords: quantum key, output, management device, quantum, key management
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN202010491274.0A
Other languages: Chinese (zh)
Other versions: CN113765653A (application publication)
Inventors: 杨国梁 (Yang Guoliang), 王学富 (Wang Xuefu), 于林 (Yu Lin)
Current assignee: Shandong Institute of Quantum Science and Technology Co., Ltd.; QuantumCTek Co., Ltd. (assignee list as given by Google Patents, not legally verified)
Original assignee: Shandong Institute of Quantum Science and Technology Co., Ltd.; QuantumCTek Co., Ltd.
History: application filed by Shandong Institute of Quantum Science and Technology Co., Ltd. and QuantumCTek Co., Ltd. with priority to CN202010491274.0A; published as CN113765653A; granted and published as CN113765653B; currently active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Optical Communication System (AREA)

Abstract

The application provides a quantum key output method, a quantum key output system and a quantum key management device. The method is applied to the quantum key output system: when a first quantum key management device detects that any condition in a preset output condition set is met, it sends an indication message to a second quantum key management device; the second quantum key management device packs at least the quantum key to be output, as indicated by the indication message, into a quantum key output frame, outputs that frame to the second cryptographic application device, and sends a result message to the first quantum key management device; when the received result message indicates that the output succeeded, the first quantum key management device packs at least the same indicated quantum key into a quantum key output frame and outputs it to the first cryptographic application device. The method solves the problem that, in a message one-way isolation scenario, the quantum key management device cannot output a quantum key to the cryptographic application device.

Description

Quantum key output method and system and quantum key management device
Technical Field
The present application relates to the field of quantum communication, and in particular, to a quantum key output method, a quantum key output system, and a quantum key management apparatus.
Background
Quantum key distribution (QKD) is a key distribution technique whose security rests on the Heisenberg uncertainty principle and the quantum no-cloning theorem rather than on computational assumptions, which is why it is described as unconditionally secure (the security proofs assume an authenticated classical channel and trustworthy endpoint devices). Specifically, a shared quantum key is formed between two endpoints by preparing photons at one endpoint and measuring them at the other; the resulting key is stored in a quantum key management device.
Currently, when a cryptographic application device needs a quantum key, the quantum key management device outputs it to that device. The quantum key output protocol between the two devices is request-response: one end sends a request and the other replies. For example, the cryptographic application device first sends a message requesting a quantum key to the quantum key management device, and the quantum key management device then replies with a response message containing the quantum key.
In a message one-way isolation scenario, that is, one in which messages can pass from one security domain to another only in a single direction through an isolation device (as is common in power, banking and government networks), the quantum key management device cannot output a quantum key to the cryptographic application device with the current protocol, because the application device's request cannot cross the isolation device in the reverse direction.
Disclosure of Invention
The application provides a quantum key output method, a quantum key output system and a quantum key management device, aiming to solve the problem that a quantum key management device cannot output a quantum key to a cryptographic application device in a message one-way isolation scenario.
In order to achieve the above object, the present application provides the following technical solutions:
The application provides a quantum key output method applied to a quantum key output system. The system comprises at least a pair of cryptographic application devices and a quantum key management device corresponding to each of them: the pair consists of a first cryptographic application device, corresponding to a first quantum key management device, and a second cryptographic application device, corresponding to a second quantum key management device. The method comprises the following steps:
the first quantum key management device sends an indication message to the second quantum key management device when it detects that any condition in a preset output condition set is met; the indication message indicates the quantum key that the second quantum key management device is to output;
the second quantum key management device packs at least the quantum key to be output, as indicated by the indication message, into a quantum key output frame, outputs the frame to the second cryptographic application device, and sends a result message to the first quantum key management device; the result message includes at least information indicating whether the quantum key output frame was output successfully;
when the received result message indicates that the output succeeded, the first quantum key management device packs at least the quantum key to be output, as indicated by the indication message, into a quantum key output frame and outputs the frame to the first cryptographic application device.
Optionally, the indication message includes the identifier of the first quantum key management device and the start address and number of the quantum keys to be output;
the second quantum key management device packing at least the quantum key to be output into a quantum key output frame and outputting the frame to the second cryptographic application device includes:
the second quantum key management device selecting, from the quantum keys it shares with the first quantum key management device (located by that device's identifier), the given number of quantum keys beginning at the start address in the indication message, as the quantum keys to be output;
generating an identification value (a check value computed over the key) for the quantum keys to be output according to a preset first calculation mode, to obtain a first identification value;
packing the quantum keys to be output and the first identification value into the quantum key output frame;
and outputting the quantum key output frame to the second cryptographic application device.
Optionally, the indication message further includes the service identifier of this quantum key output service, and the result message also carries that service identifier;
the first quantum key management device, when the received result message indicates that the output succeeded, packing at least the quantum key to be output into a quantum key output frame and outputting the frame to the first cryptographic application device includes:
the first quantum key management device, when the received result message indicates success, looking up the indication message by the service identifier; the looked-up information includes the receiver of the indication message and the start address and number contained in it;
selecting, from the quantum keys shared with that receiver, the given number of quantum keys beginning at the start address contained in the indication message, as the quantum keys to be output;
generating an identification value for the quantum keys to be output according to a preset second calculation mode, to obtain a second identification value;
packing the quantum keys to be output and the second identification value into the quantum key output frame;
and outputting the quantum key output frame to the first cryptographic application device.
Optionally, the frame format of the quantum key output frame includes a message length field and the quantum key to be output.
Optionally, the method further includes:
the first cryptographic application device, upon receiving a quantum key output frame output by the first quantum key management device, extracting the quantum key and the second identification value from the received frame;
computing the identification value of the extracted quantum key according to the preset second calculation mode;
and judging whether the quantum key sent by the first quantum key management device was received correctly by comparing whether the computed identification value equals the second identification value.
Optionally, the method further includes:
the second cryptographic application device, upon receiving a quantum key output frame output by the second quantum key management device, extracting the quantum key and the first identification value from the received frame;
computing the identification value of the extracted quantum key according to the preset first calculation mode;
and judging whether the quantum key sent by the second quantum key management device was received correctly by comparing whether the computed identification value equals the first identification value.
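The three-step exchange between the two quantum key management devices, the optional message fields, the frame format and the application-side check described above, as an added example that is not part of the patent or of any QuantumCTek product. The patent leaves the calculation modes and the frame encoding open, so this example assumes SHA-256 over the concatenated key units for both the first and the second identification value, a fixed 16-byte key unit, a simple length-prefixed frame layout, and a deque standing in for the one-way isolation device (frames are appended by the key manager and can only be read by the application device). The device names, the service identifier 7 and the deterministic key pool are constructed for the example.

```python
import hashlib
import struct
from collections import deque
from dataclasses import dataclass

KEY_LEN, IDENT_LEN = 16, 32  # assumed key-unit and check-value sizes (the patent fixes neither)

def ident_value(keys):
    # Assumed "calculation mode": SHA-256 over the concatenated key units.
    return hashlib.sha256(b"".join(keys)).digest()

@dataclass
class Indication:  # first QKM -> second QKM: which shared keys to output
    sender_id: str
    start_address: int
    count: int
    service_id: int

@dataclass
class Result:  # second QKM -> first QKM: did the output to the application succeed?
    service_id: int
    success: bool

def pack_frame(keys, service_id, target_id, reserved=False):
    # Assumed layout: len(4) | service_id(4) | reserved(1) | target_len(1) | target | ident(32) | keys
    target = target_id.encode()
    body = struct.pack(">IBB", service_id, int(reserved), len(target)) + target
    body += ident_value(keys) + b"".join(keys)
    return struct.pack(">I", len(body)) + body

def unpack_frame(frame):
    """Parse a frame and recompute its identification value; None means 'not correctly received'."""
    if frame is None or len(frame) < 10:
        return None
    length, service_id, reserved, tlen = struct.unpack(">IIBB", frame[:10])
    pos = 10 + tlen
    target, ident, key_bytes = frame[10:pos], frame[pos:pos + IDENT_LEN], frame[pos + IDENT_LEN:]
    if len(frame) - 4 != length or len(ident) != IDENT_LEN or not key_bytes or len(key_bytes) % KEY_LEN:
        return None
    keys = [key_bytes[i:i + KEY_LEN] for i in range(0, len(key_bytes), KEY_LEN)]
    if ident_value(keys) != ident:  # check value mismatch: the application must not use these keys
        return None
    return {"service_id": service_id, "reserved": bool(reserved),
            "target_id": target.decode(errors="replace"), "keys": keys}

class KeyManager:
    """Quantum key management device. `pools` maps peer QKM id -> shared key units;
    `link` is a deque standing in for the isolation device (QKM -> application only)."""
    def __init__(self, device_id, pools, link):
        self.id, self.pools, self.link, self.pending, self.alarms = device_id, pools, link, {}, []

    def _slice(self, peer_id, start, count):
        pool = self.pools.get(peer_id, [])
        return pool[start:start + count] if 0 <= start and start + count <= len(pool) else None

    def indicate(self, peer_id, start, count, service_id):
        self.pending[service_id] = (peer_id, Indication(self.id, start, count, service_id))
        return self.pending[service_id][1]

    def on_indication(self, msg, target_app):
        keys = self._slice(msg.sender_id, msg.start_address, msg.count)
        if keys is None:
            return Result(msg.service_id, False)
        self.link.append(pack_frame(keys, msg.service_id, target_app))
        return Result(msg.service_id, True)

    def on_result(self, res, target_app):
        peer_id, msg = self.pending.pop(res.service_id)
        if not res.success:  # peer could not deliver: alarm, and release nothing on this side
            self.alarms.append(f"service {res.service_id}: quantum key output failed")
            return False
        self.link.append(pack_frame(self._slice(peer_id, msg.start_address, msg.count),
                                    res.service_id, target_app))
        return True

class CryptoApp:
    """Cryptographic application device: receives frames from its key manager, never sends to it."""
    def __init__(self, link):
        self.link, self.keys = link, {}

    def receive(self):
        parsed = unpack_frame(self.link.popleft() if self.link else None)
        if parsed is not None:
            self.keys[parsed["service_id"]] = parsed["keys"]
        return None if parsed is None else parsed["keys"]

def run_exchange(tamper=False, start=2, count=3):
    # Constructed stand-in for a QKD-generated shared pool (deterministic so the run is repeatable)
    pool = [hashlib.sha256(b"constructed-pool" + bytes([i])).digest()[:KEY_LEN] for i in range(8)]
    link_a, link_b = deque(), deque()
    qkm_a = KeyManager("QKM-A", {"QKM-B": pool}, link_a)
    qkm_b = KeyManager("QKM-B", {"QKM-A": list(pool)}, link_b)
    app_a, app_b = CryptoApp(link_a), CryptoApp(link_b)
    ind = qkm_a.indicate("QKM-B", start, count, service_id=7)   # step 1
    res = qkm_b.on_indication(ind, target_app="APP-A")          # step 2 (frame + result message)
    if tamper and link_b:  # flip one key bit in transit on B's side
        link_b[0] = link_b[0][:-1] + bytes([link_b[0][-1] ^ 1])
    released = qkm_a.on_result(res, target_app="APP-B")         # step 3
    return released, app_a.receive(), app_b.receive(), qkm_a.alarms
```

run_exchange() returns whether the first key manager released its copy, the key lists received by each application device, and the first manager's alarms. With tamper=True one bit of the frame on the second side is flipped in transit; the recomputed identification value no longer matches and unpack_frame rejects the frame, which is the "not correctly received" outcome of the check above. Note that the first manager has already released its copy by then, since it acts on the result message, not on the application's receipt; the cross-check between the two application devices described further below covers that case. An out-of-range start address makes the second manager report failure, after which the first manager raises an alarm and outputs nothing.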
Optionally, the frame format of the quantum key output frame further includes a service identifier and a target identifier; the target identifier identifies the opposite-end cryptographic application device;
the method further includes the following steps:
the first cryptographic application device, upon receiving a quantum key output frame output by the first quantum key management device, extracting the quantum key from the received frame;
computing the identification value of the extracted quantum key according to a preset third calculation mode;
the first cryptographic application device sending a verification message to the second cryptographic application device indicated by the target identifier; the verification message includes the service identifier and the identification value computed by the first cryptographic application device;
and the second cryptographic application device, upon receiving the verification message, computing the identification value according to the preset third calculation mode over the quantum key it extracted from the quantum key output frame indicated by the service identifier in the verification message, and comparing the computed identification value with the identification value in the verification message to obtain a comparison result.
Optionally, the method further includes:
the second cryptographic application device outputting an alarm message indicating that this quantum key output failed when the comparison result indicates that the two values differ.
Optionally, the method further includes:
the first quantum key management device outputting an alarm message indicating that this quantum key output failed when it receives a result message indicating output failure.
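The end-to-end check between the two cryptographic application devices described above (third calculation mode, verification message carrying the service identifier and routed by the target identifier, alarm on mismatch), as an added example that is not part of the patent. The patent specifies neither the calculation mode nor the message encoding, so SHA-256 with a domain tag, the dict-shaped verification message, the AppDevice class and the constructed key pool are all assumptions of this example; the offset_b parameter simulates the second side having read its keys from a shifted start address.

```python
import hashlib

def third_ident(keys):
    # Assumed third calculation mode: SHA-256 with a domain tag so the value differs from the
    # first/second (frame) check values; the patent does not specify the function.
    return hashlib.sha256(b"app-xcheck|" + b"".join(keys)).digest()

class AppDevice:
    """Cryptographic application device; stores received keys per service id together with the
    target identifier (the opposite-end application device) taken from the frame."""
    def __init__(self, name):
        self.name, self.received, self.alarms = name, {}, []

    def store(self, service_id, target_id, keys):
        self.received[service_id] = (target_id, keys)

    def verification_message(self, service_id):
        target_id, keys = self.received[service_id]
        return {"to": target_id, "service_id": service_id, "ident": third_ident(keys)}

    def on_verification(self, msg):
        entry = self.received.get(msg["service_id"])  # unknown service id counts as a mismatch
        ok = entry is not None and third_ident(entry[1]) == msg["ident"]
        if not ok:
            self.alarms.append(f"service {msg['service_id']}: quantum key output failed")
        return ok

def cross_check(offset_b=0):
    # Constructed key units standing in for what each side extracted from its output frame
    pool = [hashlib.sha256(b"constructed-pool" + bytes([i])).digest()[:16] for i in range(8)]
    app_a, app_b = AppDevice("APP-A"), AppDevice("APP-B")
    app_a.store(7, "APP-B", pool[2:5])
    app_b.store(7, "APP-A", pool[2 + offset_b:5 + offset_b])
    devices = {d.name: d for d in (app_a, app_b)}
    msg = app_a.verification_message(7)
    return devices[msg["to"]].on_verification(msg), app_b.alarms  # routed by the target identifier
```

The verification message carries only a hash of the key, not the key, so it can travel between the two application devices without exposing the key (assuming the key units are full-entropy QKD output, so the hash cannot be inverted by guessing). The patent says nothing about how that message is authenticated; an attacker who can forge or drop it could suppress or trigger alarms, though not recover the key.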
Optionally, the preset output condition set includes a first condition: the current time is one of several preset times and the number of quantum keys currently stored is not less than a preset quantity.
Optionally, the first and second quantum key management devices additionally store reserved quantum keys, and the preset output condition set further includes a second condition: a quantum key output instruction has been received and the number of reserved quantum keys currently stored is not less than the preset quantity;
when the first quantum key management device detects that the first condition is met, the quantum key to be output indicated by the indication message is taken from the unreserved quantum keys;
when the first quantum key management device detects that the second condition is met, the quantum key to be output indicated by the indication message is taken from the reserved quantum keys.
Optionally, the method further includes:
the first quantum key management device outputting an alarm message that the unreserved quantum keys are insufficient when it detects that the current time is one of the preset times but the number of unreserved quantum keys currently stored is less than the preset quantity.
Optionally, the frame format of the quantum key output frame further includes a field indicating whether the output key is a reserved quantum key.
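The output condition set described above, as an added example that is not the patent's code: it evaluates the first (scheduled) and second (on-instruction, reserved pool) conditions, raises the unreserved-insufficient alarm, and returns the start address, count and reserved flag that would go into the indication message and the frame. The minute-of-day schedule, the priority given to the scheduled output when both conditions hold at once, the per-pool cursors and the key counts are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class KeyStore:
    """Key units held by one quantum key management device, split into unreserved and reserved pools.
    The cursors are the start address of the next unconsumed unit in each pool (assumed bookkeeping)."""
    unreserved: list = field(default_factory=list)
    reserved: list = field(default_factory=list)
    next_unreserved: int = 0
    next_reserved: int = 0

@dataclass
class OutputPolicy:
    scheduled_times: frozenset  # preset output times, here minutes since midnight (assumed unit)
    quantity: int               # preset number of key units per output

def evaluate(store, policy, now, instruction_received):
    """Return (indication, alarms); indication is (start_address, count, reserved_flag) or None.
    Assumption: if both conditions hold at the same instant the scheduled output is taken first."""
    alarms = []
    avail_unres = len(store.unreserved) - store.next_unreserved
    if now in policy.scheduled_times:                           # first condition
        if avail_unres >= policy.quantity:
            start = store.next_unreserved
            store.next_unreserved += policy.quantity
            return (start, policy.quantity, False), alarms
        alarms.append(f"t={now}: unreserved quantum keys insufficient ({avail_unres} < {policy.quantity})")
    avail_res = len(store.reserved) - store.next_reserved
    if instruction_received and avail_res >= policy.quantity:   # second condition
        start = store.next_reserved
        store.next_reserved += policy.quantity
        return (start, policy.quantity, True), alarms
    return None, alarms

def simulate():
    # Constructed schedule and pools: outputs at 08:00 and 20:00, 4 units per output,
    # 6 unreserved and 8 reserved units (integers stand in for key units).
    policy = OutputPolicy(frozenset({8 * 60, 20 * 60}), 4)
    store = KeyStore(unreserved=list(range(6)), reserved=list(range(8)))
    events = [(8 * 60, False), (12 * 60, True), (20 * 60, False), (20 * 60, True)]
    return [evaluate(store, policy, t, instr) for t, instr in events]
```

In simulate(), the 08:00 output consumes four unreserved units, the 12:00 instruction draws on the reserved pool, the 20:00 scheduled output finds only two unreserved units left and raises the alarm without outputting anything, and an instruction arriving at the same time still succeeds from the reserved pool while the alarm is raised again.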
The application also provides a quantum key output system comprising at least a pair of cryptographic application devices and a quantum key management device corresponding to each of them; the pair consists of a first cryptographic application device, corresponding to a first quantum key management device, and a second cryptographic application device, corresponding to a second quantum key management device;
the first quantum key management device is configured to send an indication message to the second quantum key management device when it detects that any condition in a preset output condition set is met; the indication message indicates the quantum key that the second quantum key management device is to output;
the second quantum key management device is configured to pack at least the quantum key to be output, as indicated by the indication message, into a quantum key output frame, output the frame to the second cryptographic application device, and send a result message to the first quantum key management device; the result message includes at least information indicating whether the quantum key output frame was output successfully;
and the first quantum key management device is configured to, when the received result message indicates that the output succeeded, pack at least the quantum key to be output, as indicated by the indication message, into a quantum key output frame and output the frame to the first cryptographic application device.
Optionally, the indication message includes the identifier of the first quantum key management device and the start address and number of the quantum keys to be output;
the second quantum key management device being configured to pack at least the quantum key to be output into a quantum key output frame and output the frame to the second cryptographic application device includes:
the second quantum key management device being specifically configured to select, from the quantum keys it shares with the first quantum key management device (located by that device's identifier), the given number of quantum keys beginning at the start address in the indication message, as the quantum keys to be output;
generate an identification value for the quantum keys to be output according to a preset first calculation mode, to obtain a first identification value;
pack the quantum keys to be output and the first identification value into the quantum key output frame;
and output the quantum key output frame to the second cryptographic application device.
Optionally, the indication message further includes the service identifier of this quantum key output service, and the result message also carries that service identifier;
the first quantum key management device being configured to, when the received result message indicates that the output succeeded, pack at least the quantum key to be output into a quantum key output frame and output the frame to the first cryptographic application device includes:
the first quantum key management device being specifically configured to, when the received result message indicates success, look up the indication message by the service identifier; the looked-up information includes the receiver of the indication message and the start address and number contained in it;
select, from the quantum keys shared with that receiver, the given number of quantum keys beginning at the start address contained in the indication message, as the quantum keys to be output;
generate an identification value for the quantum keys to be output according to a preset second calculation mode, to obtain a second identification value;
pack the quantum keys to be output and the second identification value into the quantum key output frame;
and output the quantum key output frame to the first cryptographic application device.
Optionally, the frame format of the quantum key output frame includes a message length field and the quantum key to be output.
Optionally, the first cryptographic application device is configured to, upon receiving a quantum key output frame output by the first quantum key management device, extract the quantum key and the second identification value from the received frame; compute the identification value of the extracted quantum key according to the preset second calculation mode; and judge whether the quantum key sent by the first quantum key management device was received correctly by comparing whether the computed identification value equals the second identification value.
Optionally, the second cryptographic application device is configured to, upon receiving a quantum key output frame output by the second quantum key management device, extract the quantum key and the first identification value from the received frame; compute the identification value of the extracted quantum key according to the preset first calculation mode; and judge whether the quantum key sent by the second quantum key management device was received correctly by comparing whether the computed identification value equals the first identification value.
Optionally, the frame format of the quantum key output frame further includes a service identifier and a target identifier; the target identifier identifies the opposite-end cryptographic application device;
the first cryptographic application device is configured to, upon receiving a quantum key output frame output by the first quantum key management device, extract the quantum key from the received frame and compute its identification value according to a preset third calculation mode;
the first cryptographic application device is further configured to send a verification message to the second cryptographic application device indicated by the target identifier; the verification message includes the service identifier and the identification value computed by the first cryptographic application device;
and the second cryptographic application device is configured to, upon receiving the verification message, compute the identification value according to the preset third calculation mode over the quantum key it extracted from the quantum key output frame indicated by the service identifier in the verification message, and compare the computed identification value with the identification value in the verification message to obtain a comparison result.
Optionally, the second cryptographic application device is further configured to output an alarm message indicating that this quantum key output failed when the comparison result indicates that the two values differ.
Optionally, the first quantum key management device is further configured to output an alarm message indicating that this quantum key output failed when the received result message indicates output failure.
Optionally, the preset output condition set includes a first condition: the current time is one of several preset times and the number of quantum keys currently stored is not less than a preset quantity.
Optionally, the first and second quantum key management devices additionally store reserved quantum keys, and the preset output condition set further includes a second condition: a quantum key output instruction has been received and the number of reserved quantum keys currently stored is not less than the preset quantity;
when the first quantum key management device detects that the first condition is met, the quantum key to be output indicated by the indication message is taken from the unreserved quantum keys;
when the first quantum key management device detects that the second condition is met, the quantum key to be output indicated by the indication message is taken from the reserved quantum keys.
Optionally, the first quantum key management device is further configured to output an alarm message that the unreserved quantum keys are insufficient when it detects that the current time is one of the preset times but the number of unreserved quantum keys currently stored is less than the preset quantity.
Optionally, the frame format of the quantum key output frame further includes a field indicating whether the output key is a reserved quantum key.
The present application also provides a quantum key management device, including:
a processing module, configured to send an indication message to the peer quantum key management device when it detects that any condition in a preset output condition set is met; the indication message indicates the quantum key that the peer quantum key management device is to output;
a first receiving module, configured to receive a result message sent by the peer quantum key management device; the result message includes at least information indicating whether the quantum key output frame was output successfully;
and a first packing module, configured to, when the received result message indicates that the output succeeded, pack at least the quantum key to be output, as indicated by the indication message, into a quantum key output frame and output the frame to the corresponding cryptographic application device.
Optionally, the indication message includes the identifier of the quantum key management device and the start address and number of the quantum keys to be output.
Optionally, the indication message further includes the service identifier of this quantum key output service, and the result message also carries that service identifier;
the first packing module being configured to, when the received result message indicates that the output succeeded, pack at least the quantum key to be output into a quantum key output frame and output the frame to the corresponding cryptographic application device includes:
the first packing module being specifically configured to, when the received result message indicates success, look up the indication message by the service identifier; the looked-up information includes the receiver of the indication message and the start address and number contained in it;
select, from the quantum keys shared with that receiver, the given number of quantum keys beginning at the start address contained in the indication message, as the quantum keys to be output;
generate an identification value for the quantum keys to be output according to a preset second calculation mode, to obtain a second identification value;
pack the quantum keys to be output and the second identification value into the quantum key output frame;
and output the quantum key output frame to the corresponding cryptographic application device.
Optionally, the frame format of the quantum key output frame includes a message length field and the quantum key to be output.
Optionally, the frame format of the quantum key output frame further includes a service identifier and a target identifier; the target identifier identifies the opposite-end cryptographic application device.
Optionally, the device further includes:
a first output module, configured to output an alarm message indicating that this quantum key output failed when the received result message indicates output failure.
Optionally, the preset output condition set includes a first condition: the current time is one of several preset times and the number of quantum keys currently stored is not less than a preset quantity.
Optionally, the quantum key management device additionally stores reserved quantum keys, and the preset output condition set further includes a second condition: a quantum key output instruction has been received and the number of reserved quantum keys currently stored is not less than the preset quantity;
when the processing module detects that the first condition is met, the quantum key to be output indicated by the indication message is taken from the unreserved quantum keys;
and when the processing module detects that the second condition is met, the quantum key to be output indicated by the indication message is taken from the reserved quantum keys.
Optionally, the device further includes:
a second output module, configured to output an alarm message that the unreserved quantum keys are insufficient when the processing module detects that the current time is one of the preset times but the number of unreserved quantum keys currently stored is less than the preset quantity.
Optionally, the frame format of the quantum key output frame further includes a field indicating whether the output key is a reserved quantum key.
The present application also provides a quantum key management device, including:
a second receiving module, configured to receive an indication message sent by the peer quantum key management device; the indication message indicates the quantum key that this quantum key management device is to output;
a second packing module, configured to pack at least the quantum key to be output, as indicated by the indication message, into a quantum key output frame and output the frame to the corresponding cryptographic application device;
and a sending module, configured to send a result message to the peer quantum key management device; the result message includes at least information indicating whether the quantum key output frame was output successfully.
Optionally, the indication message includes the identifier of the peer quantum key management device and the start address and number of the quantum keys to be output;
the second packing module being configured to pack at least the quantum key to be output into a quantum key output frame and output the frame to the corresponding cryptographic application device includes:
the second packing module being specifically configured to select, from the quantum keys shared with the peer quantum key management device (located by that device's identifier), the given number of quantum keys beginning at the start address in the indication message, as the quantum keys to be output;
generate an identification value for the quantum keys to be output according to a preset first calculation mode, to obtain a first identification value;
pack the quantum keys to be output and the first identification value into the quantum key output frame;
and output the quantum key output frame to the corresponding cryptographic application device.
Optionally, the frame format of the quantum key output frame includes a message length field and the quantum key to be output.
Optionally, the quantum key management device additionally stores reserved quantum keys;
the quantum key to be output indicated by the indication message received by the second receiving module is taken either from the unreserved quantum keys or from the reserved quantum keys.
Optionally, the frame format of the quantum key output frame further includes a field indicating whether the output key is a reserved quantum key.
The quantum key output method of this application is applied to a quantum key output system and comprises the following steps: a first quantum key management device sends an indication message to a second quantum key management device when it detects that any condition in a preset output condition set is met, the indication message indicating the quantum key that the second quantum key management device is to output; the second quantum key management device packs at least the indicated quantum key into a quantum key output frame, outputs the frame to the second cryptographic application device, and sends a result message to the first quantum key management device, the result message including at least information indicating whether the frame was output successfully; and when the received result message indicates success, the first quantum key management device packs at least the indicated quantum key into a quantum key output frame and outputs the frame to the first cryptographic application device.
It can be seen that in this method the first quantum key management device outputs a quantum key to the first cryptographic application device and the second quantum key management device outputs a quantum key to the second cryptographic application device without either cryptographic application device having to send a message to its quantum key management device. All traffic towards the application devices flows in one direction, so the scheme can output quantum keys in a message one-way isolation scenario, solving the problem that in the prior art a quantum key management device cannot output a quantum key to a cryptographic application device in such a scenario.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a quantum key output method disclosed in an embodiment of the present application;
fig. 2 is a schematic diagram of a connection structure between a pair of cryptographic application devices and corresponding quantum key management devices disclosed in an embodiment of the present application;
fig. 3 is a frame structure diagram of a quantum key output frame disclosed in the embodiment of the present application;
fig. 4 is a schematic structural diagram of a quantum key output system disclosed in an embodiment of the present application;
fig. 5 is a schematic interface diagram of a quantum key management device disclosed in an embodiment of the present application;
fig. 6 is a schematic structural diagram of a quantum key management device disclosed in an embodiment of the present application;
fig. 7 is a schematic structural diagram of another quantum key management device disclosed in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 1 shows a quantum key output method provided in an embodiment of the present application. The method is applied to a quantum key output system, where the quantum key output system includes at least one pair of cryptographic application devices and the quantum key management devices respectively corresponding to those cryptographic application devices.
In this embodiment, a cryptographic application device in the quantum key output system may be a user encryption and decryption device, or a cryptographic application device that performs identity authentication and message authentication; this embodiment does not limit the specific nature of the cryptographic application device.
In practice, a quantum key management device and its corresponding cryptographic application device are connected by a one-way channel, that is, the physical link between them can transmit data in one direction only and not in the reverse direction. Physically, the link may take the form of an RS-232 or RS-485 serial port, with data sent and received in simplex mode.
In the embodiment of the application, the two quantum key management devices corresponding to any pair of cryptographic application devices can communicate bidirectionally with each other.
In this embodiment, each quantum key management device and each cryptographic application device in the quantum key output system has a unique identifier. The identifier of a quantum key management device or cryptographic application device may be a number or a letter; this embodiment does not limit the specific form of these identifiers, as long as they are unique.
In the embodiment of the present application, the user of any cryptographic application device calculates in advance the quantum key demand for a certain time period, and configures the time period and the calculated quantum key demand either in the quantum key management device corresponding to that cryptographic application device or in the quantum key management device corresponding to the cryptographic application device paired with it. Optionally, the quantum key management device in which the time period and quantum key demand are configured may be chosen as follows: of the two quantum key management devices corresponding to the paired cryptographic application devices, the one with the larger unique identifier value is the device to be configured.
In the embodiment of the present application, for convenience of describing an output process of a quantum key in a quantum key output system, an arbitrary pair of cryptographic application devices and corresponding quantum key management devices in the quantum key output system is taken as an example to describe the output process of the quantum key. For convenience of description, the cryptographic application devices included in the pair of cryptographic application devices are referred to as a first cryptographic application device and a second cryptographic application device, where the first cryptographic application device corresponds to a first quantum key management device and the second cryptographic application device corresponds to a second quantum key management device.
Specifically, when a quantum key management device having a time period and a quantum key demand is disposed in a quantum key management device corresponding to the pair of cryptographic application devices as a first quantum key management device, the other quantum key management device is a second quantum key management device. For convenience of description, a cryptographic application device corresponding to the first quantum key management device is taken as the first cryptographic application device, and a cryptographic application device corresponding to the second quantum key management device is taken as the second cryptographic application device. Fig. 2 is a schematic diagram of a connection structure of the first quantum key management device, the second quantum key management device, the first cryptographic application device, and the second cryptographic application device.
Specifically, the quantum key output process may include the following steps:
s101, the first quantum key management device sends an indication message to the second quantum key management device when detecting that any condition in a preset output condition set is met.
In this step, the preset output condition set may include a first condition. The first condition may be: the current moment is one of a plurality of preset moments, and the number of stored quantum keys is not less than a preset number. The plurality of preset moments may be generated according to a preset time period, such that the duration between two adjacent moments equals the preset time period.
In this step, the indication message is used to indicate the quantum key to be output by the second quantum key management device.
Optionally, in this step, the indication message may include: the service identifier of the quantum key output service, the identifier of the first quantum key management device, and the start address and number of the quantum keys to be output.
The start address in the indication message may be determined by the first quantum key management device. Because the quantum keys are stored in a circular buffer (that is, a key pool), the first quantum key management device records the position up to which it has read; the next read begins at that position, which is the start address. The start address is advanced after each read, and when it reaches the maximum value the first quantum key management device starts reading from 0 again. The number in the indication message equals the demand configured in the first quantum key management device.
Of course, in practice, the indication message may also take other forms; for example, the start address and number used to acquire the quantum key to be output may be replaced by a start address and an end address, and this embodiment does not limit the specific form of the indication message.
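The circular key pool and the indication message of S101, as an added example that is not part of the patent: the first device records its read position, advances it by the configured demand, wraps to 0 at the end of the pool, and both devices select the same keys from the shared pool (steps A1 and B2). The pool contents, field names and the integer time values are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample: a key pool of 8 quantum keys of 16 bytes each, shared by the
# first and second quantum key management devices (assumed contents, not from the page).
POOL_SIZE = 8
KEY_LEN = 16
SHARED_POOL = [bytes([i]) * KEY_LEN for i in range(POOL_SIZE)]


@dataclass
class Indication:
    """Content of the indication message described in S101 (field names assumed)."""
    service_id: int   # service identifier of this quantum key output service
    sender_id: int    # identifier of the first quantum key management device
    start: int        # start address in the circular key pool
    count: int        # number of quantum keys to output (the configured demand)


def preset_moments(first: int, period: int, n: int) -> list:
    """Generate n preset moments spaced by the preset time period."""
    return [first + k * period for k in range(n)]


def first_condition_met(now: int, moments: list, stored: int, preset_number: int) -> bool:
    """First condition: the current moment is one of the preset moments and the
    number of stored quantum keys is not less than the preset number."""
    return now in moments and stored >= preset_number


class FirstDevice:
    """Side of the first quantum key management device that builds indication messages."""

    def __init__(self, device_id: int, demand: int, pool_size: int):
        self.device_id = device_id
        self.demand = demand        # demand configured on this device
        self.pool_size = pool_size
        self.read_ptr = 0           # position up to which the pool has been read

    def make_indication(self, service_id: int) -> Indication:
        """S101: the start address is the recorded read position; after the read the
        pointer advances by the demand and wraps to 0 at the end of the pool."""
        ind = Indication(service_id, self.device_id, self.read_ptr, self.demand)
        self.read_ptr = (self.read_ptr + self.demand) % self.pool_size
        return ind


def select_keys(pool: list, start: int, count: int) -> list:
    """A1 / B2: take `count` keys from `start` in the shared pool, wrapping to
    address 0 when the end of the circular buffer is reached."""
    if not 0 <= start < len(pool) or count > len(pool):
        raise ValueError("start address or count outside the key pool")
    return [pool[(start + i) % len(pool)] for i in range(count)]


def run_output_round(first: FirstDevice, service_id: int) -> tuple:
    """One indication: both devices read the same keys from the shared pool."""
    ind = first.make_indication(service_id)
    second_keys = select_keys(SHARED_POOL, ind.start, ind.count)   # second device, A1
    first_keys = select_keys(SHARED_POOL, ind.start, ind.count)    # first device, B2
    return ind, first_keys, second_keys
```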
S102, the second quantum key management device packs at least the quantum key to be output indicated by the indication message into a quantum key output frame and outputs the quantum key output frame to the second cryptographic application device.
In this step, the second quantum key management device packs at least the quantum key to be output, as indicated by the indication message, into an output frame, which for convenience of description is referred to as a quantum key output frame, and outputs that frame to the second cryptographic application device.
Optionally, in this step, the frame format of the quantum key output frame may include a message length and the quantum key to be output. The message length is the total length of the quantum key output frame and may occupy 4 bytes. The number of bytes occupied by the quantum key to be output is generally a predetermined number. It should be noted that, to ensure the confidentiality of the quantum key during transmission, in this embodiment the quantum key to be output may be encrypted before being transmitted. The key used to encrypt and decrypt the quantum key to be output can be configured manually in advance in the cryptographic application device and its corresponding quantum key management device.
Optionally, in this step, the specific way in which the second quantum key management device packs at least the quantum key to be output indicated by the indication message into a quantum key output frame and outputs it to the second cryptographic application device may include the following steps A1 to A4:
A1, according to the identifier of the first quantum key management device, acquiring from the quantum keys shared with the first quantum key management device the number of quantum keys indicated by the indication message, starting from the start address, as the quantum keys to be output.
In this embodiment, the first quantum key management device has a shared quantum key with other quantum key management devices in the quantum key output system. In this step, the second quantum key management device selects a quantum key to be output from the quantum keys shared with the first quantum key management device according to the identifier of the first quantum key management device in the received indication message. Specifically, the indication message includes a start address and a number of the selected quantum keys to be output, so that in this step, the second quantum key management device may obtain the quantum keys to be output.
A2, generating an identification value of the quantum key to be output according to a preset first calculation mode, and obtaining a first identification value.
In this step, the identification value of the quantum key to be output is used to uniquely identify the quantum key to be output. Optionally, the identification value of the quantum key to be output may be a hash value of the quantum key to be output, and certainly, in practice, the identification value of the quantum key to be output may also be in other forms, and this embodiment does not limit the specific form of the identification value of the quantum key to be output.
In this step, the preset first calculation manner may be an algorithm such as SM3, MD5, SHA1, or the like, and of course, in practice, the preset first calculation manner may also be another algorithm. For convenience of description, the identification value of the quantum key to be output generated in this step is referred to as a first identification value.
A3, packing at least the quantum key to be output and the first identification value into a quantum key output frame.
In this step, the frame format of the quantum key output frame may include: the message length, the quantum key to be output, and the identification value of the quantum key to be output.
In this step, the meaning of the message length and the number of bytes it occupies are as described in S102, as is the number of bytes occupied by the quantum key to be output, and they are not repeated here. In this step, the identification value of the quantum key to be output may occupy 16 bytes.
A4, outputting the quantum key output frame to the second cryptographic application device.
In this step, the quantum key output frame is output to the second cryptographic application device.
In practice, the number of quantum keys stored in the second quantum key management device may be less than the number required by the current quantum key output service, which may cause the output of the quantum key output frame to the second cryptographic application device in this step to fail.
S103, the second quantum key management device sends a result message to the first quantum key management device.
In this step, the result message includes at least information indicating whether the quantum key output frame was successfully output. Optionally, in this step, the result message may further include a service identifier of the quantum key output service.
S104, when the received result message indicates that the output was successful, the first quantum key management device packs at least the quantum key to be output indicated by the indication message into a quantum key output frame and outputs the quantum key output frame to the first cryptographic application device.
In this embodiment, when the indication message includes the service identifier of the current quantum key output service and the result message includes that service identifier, optionally, the specific way in which the first quantum key management device, on receiving a result message indicating that the output was successful, packs at least the quantum key to be output into a quantum key output frame and outputs it to the first cryptographic application device may include the following steps B1 to B5:
B1, when the received result message indicates that the output was successful, the first quantum key management device determines the information of the indication message according to the service identifier.
In this step, since the service identifier of any quantum key output service is unique, the first quantum key management device can find, among the indication messages it has sent, the one that includes the service identifier carried in the result message.
In this step, the information of the indication message may include: the receiver of the indication message, and the start address and preset number carried in the indication message.
B2, acquiring the preset number of quantum keys, starting from the start address, from the quantum keys shared with the receiver, as the quantum keys to be output.
In this step, the receiver of the indication message is the second quantum key management device; therefore, in this step, the first quantum key management device obtains the preset number of quantum keys, starting from the start address, from the quantum keys shared with the second quantum key management device, as the quantum keys to be output.
B3, generating an identification value of the quantum key to be output according to a preset second calculation method to obtain a second identification value.
In this step, the identification value of the quantum key to be output is used to uniquely identify the quantum key to be output. Optionally, the identification value of the quantum key to be output may be a hash value of the quantum key to be output, and certainly, in practice, the identification value of the quantum key to be output may also be in other forms, and this embodiment does not limit the specific form of the identification value of the quantum key to be output.
In this step, the preset second calculation method may be an algorithm such as SM3, MD5, SHA1, or the like, and certainly, in practice, the preset second calculation method may also be another algorithm, and this embodiment does not limit specific contents of the preset second calculation method as long as the identification value of the quantum key to be output can be generated. For convenience of description, the identification value of the quantum key to be output generated in this step is referred to as a second identification value.
B4, packing at least the quantum key to be output and the second identification value into a quantum key output frame.
In this step, the contents and meanings of the items included in the frame format of the quantum key output frame are as described in step A3 and are not repeated here.
B5, outputting the quantum key output frame to the first cryptographic application device.
In this step, the quantum key output frame is output to the first cryptographic application device using an existing output method, which is not described here.
In this step, the quantum key output frame may include: the message length, the quantum key to be output, and the identification value of the quantum key to be output, where the number of bytes occupied by each item is as described in step A3 and is not repeated here.
Optionally, in this embodiment of the present application, to ensure the correctness of the quantum key in the quantum key output frames received by the first cryptographic application device and the second cryptographic application device, the following steps are further included:
S105, after receiving the quantum key output frame sent by the first quantum key management device, the first cryptographic application device extracts the quantum key and the second identification value from the received quantum key output frame.
S106, the first cryptographic application device calculates the identification value of the extracted quantum key according to the preset second calculation method.
In this step, the preset second calculation method is the same as the calculation method used by the first quantum key management device to calculate the second identification value.
S107, the first cryptographic application device judges whether the quantum key sent by the first quantum key management device was received correctly by comparing whether the calculated identification value is the same as the second identification value.
S108, on receiving the quantum key output frame output by the second quantum key management device, the second cryptographic application device extracts the quantum key and the first identification value from the received quantum key output frame.
S109, the second cryptographic application device calculates the identification value of the extracted quantum key according to the preset first calculation method.
In this step, the preset first calculation method is the same as the calculation method used by the second quantum key management device to calculate the first identification value.
S110, the second cryptographic application device judges whether the quantum key sent by the second quantum key management device was received correctly by comparing whether the calculated identification value is the same as the first identification value.
Optionally, in this embodiment of the application, to further verify whether this quantum key output succeeded, it is also verified whether the quantum keys received by the first cryptographic application device and the second cryptographic application device are the same.
In this embodiment, one cryptographic application device sends a verification message to the other. Optionally, which cryptographic application device sends the verification message may be determined as follows: of the first and second cryptographic application devices, the one with the larger unique identifier value sends the verification message.
Optionally, in this embodiment, the frame format of the quantum key output frame may further include a service identifier and a target identifier. The service identifier is the unique identifier of the quantum key output service and may occupy 4 bytes. The target identifier indicates the peer cryptographic application device; specifically, it may be the identifier of the peer cryptographic application device itself or the identifier of the quantum key management device corresponding to the peer cryptographic application device. The target identifier may occupy 4 bytes.
Since the quantum key output frame received by the first cryptographic application device includes the target identifier, the first cryptographic application device can determine from it which cryptographic application device to send the verification message to. Specifically, the target identifier in the quantum key output frame received by the first cryptographic application device indicates the second cryptographic application device, so the first cryptographic application device determines that the verification message is to be sent to the second cryptographic application device. In this embodiment, the following S111 to S114 are executed.
S111, when the first cryptographic application device receives the quantum key output frame output by the first quantum key management device, it extracts the quantum key from the received quantum key output frame.
S112, the identification value of the extracted quantum key is calculated according to a preset third calculation method.
In this step, the preset third calculation method may be an algorithm such as SM3, MD5 or SHA1; of course, in practice, it may also be another algorithm, and this embodiment does not limit its specific content.
S113, the first cryptographic application device sends a verification message to the second cryptographic application device indicated by the target identifier.
In this step, the verification message may include: the service identifier and the identification value calculated by the first cryptographic application device.
S114, when receiving the verification message, the second cryptographic application device calculates, according to a preset third calculation method, an identification value of the obtained quantum key with respect to the quantum key obtained in the quantum key output frame indicated by the service identifier in the verification message, and compares the calculated identification value of the quantum key with the identification value in the verification message to determine whether the calculated identification value is the same, so as to obtain a comparison result.
In this step, if the comparison result indicates that the values are the same, the quantum key output service succeeded; if it indicates that they differ, the quantum key output service failed.
Optionally, in this embodiment, when the comparison result obtained by the second cryptographic application device indicates that the values differ, the second cryptographic application device outputs an alarm message indicating that the current quantum key output failed.
Optionally, in this embodiment, when the result message received from the second quantum key management device indicates that the output failed, the first quantum key management device outputs an alarm message indicating that the current quantum key output failed.
Optionally, in this embodiment of the present application, to prevent service interruption of the cryptographic application device caused by repeated failures of quantum key output, a reserved quantum key is stored in both the first quantum key management device and the second quantum key management device. After multiple quantum key output failures, the quantum key management device can be triggered manually to select the quantum key to be output from the stored reserved quantum keys and output it to the cryptographic application device.
Specifically, the manual trigger may be a preset button on the first quantum key management device: when the button is pressed, the first quantum key management device receives a quantum key output instruction, and the current stored number of reserved quantum keys must be not less than the preset number. That is, the preset output condition set in the embodiment of the present application further includes a second condition, which may be: a quantum key output instruction is received and the current stored number of reserved quantum keys is not less than a preset number, where the preset number is the demand configured in the first quantum key management device. The first quantum key management device performs the quantum key output process described above when it detects that the second condition is satisfied.
It should be noted that, in this embodiment of the application, when the first quantum key management device detects that the first condition is satisfied, the quantum key to be output indicated by the indication message in the quantum key output process is one of the unreserved quantum keys; when it detects that the second condition is satisfied, the quantum key to be output indicated by the indication message is one of the reserved quantum keys.
Optionally, in this embodiment of the application, the frame format of the quantum key output frame sent by the first and second quantum key management devices to their corresponding cryptographic application devices may further include a field indicating whether the key is a reserved quantum key. This field may occupy 1 byte, and its value can only be 0 or 1. The frame format of the quantum key output frame is shown in fig. 3. It should be noted that fig. 3 is only an example of the frame format: in practice, the frame format may include further items, the order of the items may be set according to actual needs, and this embodiment does not limit the specific form of the quantum key output frame.
Optionally, in this embodiment of the application, when the first quantum key management device detects that the current time is one of the multiple preset times of the first condition but the current stored number of unreserved quantum keys is less than the preset number, it outputs an alarm message indicating that the unreserved quantum keys are insufficient.
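The quantum key output frame with the fields and sizes given above (message length 4 bytes, service identifier 4, target identifier 4, reserved flag 1, quantum key N, identification value 16), together with the receiver-side checks of S105 to S110 and the cross-verification of S111 to S114, as an added example that is not code from the patent. Assumptions: the field order and big-endian encoding are chosen here since the page leaves them open; MD5 is used for the 16-byte identification value because, of the algorithms the page lists, it is the one whose digest is exactly 16 bytes; SHA-1 stands in for the third calculation method; the key is carried in clear rather than encrypted with the pre-configured key.

```python
import hashlib
import hmac
import struct

# Assumed field order (fig. 3 fixes the fields and their sizes, not the order):
# message length (4) | service identifier (4) | target identifier (4) |
# reserved-key flag (1) | quantum key (N, predetermined) | identification value (16)
HEADER = struct.Struct(">IIIB")
IDENT_LEN = 16


def identification_value(key: bytes) -> bytes:
    """Identification value of the key. MD5 is chosen among the algorithms the page
    lists (SM3, MD5, SHA1) because its digest is exactly the 16-byte field (assumption)."""
    return hashlib.md5(key).digest()


def pack_frame(service_id: int, target_id: int, reserved: bool, key: bytes) -> bytes:
    """Steps A3 / B4: build a quantum key output frame (key carried in clear here; the
    page allows it to be encrypted with a pre-configured key first)."""
    if not (0 <= service_id <= 0xFFFFFFFF and 0 <= target_id <= 0xFFFFFFFF):
        raise ValueError("identifiers must fit in 4 bytes")
    length = HEADER.size + len(key) + IDENT_LEN
    header = HEADER.pack(length, service_id, target_id, 1 if reserved else 0)
    return header + key + identification_value(key)


def parse_frame(frame: bytes) -> dict:
    """Steps S105 / S108: extract the fields; reject a frame whose length field
    disagrees with the bytes actually received."""
    if len(frame) < HEADER.size + IDENT_LEN:
        raise ValueError("frame too short")
    length, service_id, target_id, flag = HEADER.unpack_from(frame)
    if length != len(frame) or flag not in (0, 1):
        raise ValueError("bad message length or reserved flag")
    return {
        "service_id": service_id,
        "target_id": target_id,
        "reserved": flag == 1,
        "key": frame[HEADER.size:length - IDENT_LEN],
        "ident": frame[length - IDENT_LEN:],
    }


def key_received_correctly(fields: dict) -> bool:
    """Steps S106-S107 / S109-S110: recompute the identification value and compare."""
    return hmac.compare_digest(identification_value(fields["key"]), fields["ident"])


def verification_message(service_id: int, key: bytes) -> dict:
    """Steps S112-S113: third calculation method (SHA-1 assumed) over the received key."""
    return {"service_id": service_id, "ident": hashlib.sha1(key).digest()}


def check_verification(msg: dict, received: dict) -> bool:
    """Step S114: the peer recomputes over the key from the frame whose service
    identifier matches and compares. `received` maps service_id -> parsed frame."""
    fields = received.get(msg["service_id"])
    if fields is None:
        return False
    return hmac.compare_digest(hashlib.sha1(fields["key"]).digest(), msg["ident"])
```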
This embodiment has the following beneficial effects:
Beneficial effect 1:
In this embodiment, a unidirectional transmission channel in simplex mode is used between the quantum key management device and the cryptographic application device, so that the quantum key is transmitted in one direction only. Therefore, the quantum key output method provided by this embodiment can be applied to a message unidirectional isolation scenario, so that quantum keys can be transmitted between security domains of different levels in such a scenario.
Beneficial effect 2:
In this embodiment, a reserved quantum key is configured in the quantum key management device, which ensures that the cryptographic application device can still receive a quantum key when the output of the unreserved quantum key fails, and thus that the service of the cryptographic application device can continue normally.
Beneficial effect 3:
In this embodiment, a reserved quantum key output switch is provided on the quantum key management device, and output of the reserved quantum key can be triggered manually at any time, which provides the means for outputting the reserved quantum key.
Beneficial effect 4:
This embodiment provides a frame format for the quantum key output frame which, first, can be applied to a scenario of unidirectional quantum key transmission.
Secondly, the frame format is simple and the field semantics are clear, so the transmitted frames are easy to examine for security. This solves the problem in the prior art that security examination is difficult because the quantum key output protocol is complex: in existing quantum key output protocols, each message frame has many fields, the contents of the fields have a large degree of freedom, some fields even allow arbitrary strings to be filled in, and the correctness of the filled-in fields is difficult to determine.
At the same time, because the frame format is simple and the field semantics are clear, the problem in the prior art that security is difficult to guarantee because of a complex carrier protocol is also solved. Specifically, existing quantum key output protocols are carried over TCP/IP; although TCP/IP is widely applicable, its implementation is very complex because of the huge protocol family, so security holes inevitably arise, leading to attacks on one or both of the parties using the protocol.
The quantum key output system provided by the embodiment of the application comprises at least one pair of cryptographic application devices and the quantum key management devices respectively corresponding to them; the pair of cryptographic application devices are a first cryptographic application device and a second cryptographic application device; the first cryptographic application device corresponds to a first quantum key management device and the second cryptographic application device corresponds to a second quantum key management device. Taking as an example a quantum key output system that includes one pair of cryptographic application devices and the quantum key management device corresponding to each, the quantum key output system is shown in fig. 4.
Fig. 5 shows the interfaces of the first and second quantum key management devices. As can be seen from fig. 5, the quantum key management device includes: a quantum key output unidirectional channel, a quantum key management device interconnection bidirectional channel, a reserved quantum key output trigger button, and a reserved quantum key output status indication. The quantum key output unidirectional channel is used to output the quantum key to the corresponding cryptographic application device. The quantum key management device interconnection bidirectional channel is used to send negotiation messages to other quantum key management devices. Pressing the reserved quantum key output trigger button once triggers one output of the configured reserved quantum key to the corresponding cryptographic application device. The reserved quantum key output status indication shows whether the quantum key output succeeded after the reserved quantum key output trigger button was pressed.
The process of outputting the quantum key by the quantum key output system provided by this embodiment may include the following:
the first quantum key management device is used for sending an indication message to the second quantum key management device when any condition in a preset output condition set is detected to be met; the indication message is used for indicating the quantum key to be output by the second quantum key management device.
The second quantum key management device is used for packing at least the quantum key to be output, which is indicated by the indication message, into a quantum key output frame and outputting the quantum key output frame to the second cryptographic application device; and for sending a result message to the first quantum key management device; the result message includes at least information indicating whether the quantum key output frame was successfully output.
The first quantum key management device is used for packing at least the quantum key to be output, which is indicated by the indication message, into a quantum key output frame and outputting the quantum key output frame to the first cryptographic application device, under the condition that the received result message indicates that the output was successful.
Optionally, the indication message includes: the identification of the first quantum key management device, and the starting address and the number of the quantum keys to be output;
the second quantum key management device being used for packing at least a quantum key to be output into a quantum key output frame and outputting the quantum key output frame to the second cryptographic application device comprises:
the second quantum key management device is specifically configured to obtain, according to the identifier of the first quantum key management device, from the quantum keys shared with the first quantum key management device, the stated number of quantum keys starting from the start address in the indication message, as the quantum keys to be output; generate an identification value of the quantum keys to be output according to a preset first calculation mode to obtain a first identification value; pack at least the quantum keys to be output and the first identification value into a quantum key output frame; and output the quantum key output frame to the second cryptographic application device.
Optionally, the indication message further includes: the service identifier of the quantum key output service; and the result message further includes: the service identifier.
The first quantum key management device being configured to, when the received result message indicates that the output was successful, pack at least a quantum key to be output into a quantum key output frame and output the quantum key output frame to the first cryptographic application device comprises:
the first quantum key management device is specifically configured to determine the information of the indication message according to the service identifier, under the condition that the received result message indicates that the output was successful; the information of the indication message includes: the receiver of the indication message, and the start address and the number contained in the indication message; obtain, from the quantum keys shared with that receiver, the stated number of quantum keys starting from the start address contained in the indication message, as the quantum keys to be output; generate an identification value of the quantum keys to be output according to a preset second calculation mode to obtain a second identification value; pack at least the quantum keys to be output and the second identification value into the quantum key output frame; and output the quantum key output frame to the first cryptographic application device.
Optionally, the frame format of the quantum key output frame includes: message length and quantum key to be output.
Optionally, the first cryptographic application device is configured to, in a case that a quantum key output frame output by the first quantum key management device is received, obtain a quantum key and a second identification value from the received quantum key output frame; calculating the identification value of the obtained quantum key according to a preset second calculation mode; and judging whether the quantum key sent by the first quantum key management device is correctly received or not by comparing whether the calculated identification value is the same as the second identification value or not.
Optionally, in this embodiment, the second cryptographic application device is configured to, in a case that a quantum key output frame output by the second quantum key management device is received, obtain a quantum key and a first identification value from the received quantum key output frame; calculating the identification value of the obtained quantum key according to a preset first calculation mode; and judging whether the quantum key sent by the second quantum key management device is correctly received or not by comparing whether the calculated identification value is the same as the first identification value or not.
Optionally, in this embodiment, the frame format of the quantum key output frame may further include a service identifier and a target identifier; the target identifier is an identifier indicating the opposite-end cryptographic application device. The first cryptographic application device is configured to, upon receiving a quantum key output frame output by the first quantum key management device, obtain the quantum key from the received quantum key output frame; calculate the identification value of the obtained quantum key according to a preset third calculation mode; and send a verification message to the second cryptographic application device indicated by the target identifier; the verification message includes the service identifier and the identification value calculated by the first cryptographic application device.
The second cryptographic application device is configured to, upon receiving the verification message, calculate according to the preset third calculation mode the identification value of the quantum key it obtained from the quantum key output frame indicated by the service identifier in the verification message, and compare whether the calculated identification value of the quantum key is the same as the identification value in the verification message, to obtain a comparison result.
Optionally, in this embodiment, the second cryptographic application device is further configured to output an alarm message indicating that the quantum key output fails this time when the obtained comparison result indicates that the comparison result is different.
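The frame handling and the three checks described above, as an added example that is not code from the patent or its assignees. The patent names the frame fields (message length, service identifier, target identifier, reserved-key entry, quantum key, identification value) but not their widths, and it does not define the three "preset calculation modes"; this example assumes a big-endian fixed-width header, puts the identification value last, and models every calculation mode as SHA-256 over a mode tag and the key bytes. The names `build_frame`, `parse_frame`, `receive_frame` and `cross_check` are the example's own.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Assumed layout of the bytes after the 4-byte message length:
# service identifier (u32), target identifier (u16), reserved-key entry (u8),
# quantum key (variable length), identification value (last IDENT_LEN bytes).
_HDR = struct.Struct(">IHB")
IDENT_LEN = hashlib.sha256().digest_size


def ident_value(mode: int, key: bytes) -> bytes:
    """Assumed 'preset calculation mode' (1, 2 or 3): SHA-256 over a mode tag
    and the key. The tag keeps values from different modes distinct."""
    return hashlib.sha256(b"QKOF-mode-%d|" % mode + key).digest()


def build_frame(key: bytes, service_id: int, target_id: int,
                reserved: bool, mode: int) -> bytes:
    """Pack a frame. The message length counts every byte after itself, so a
    receiver can delimit frames on a stream without parsing the key."""
    body = _HDR.pack(service_id, target_id, 1 if reserved else 0)
    body += key + ident_value(mode, key)
    return struct.pack(">I", len(body)) + body


def parse_frame(frame: bytes) -> dict:
    """Parse a frame; every length check runs before any key bytes are used,
    so a truncated or padded frame is rejected rather than misread."""
    if len(frame) < 4:
        raise ValueError("missing message length")
    (length,) = struct.unpack_from(">I", frame, 0)
    if length != len(frame) - 4:
        raise ValueError("message length does not match frame size")
    if length < _HDR.size + 1 + IDENT_LEN:
        raise ValueError("frame too short to hold a key")
    service_id, target_id, reserved = _HDR.unpack_from(frame, 4)
    if reserved not in (0, 1):
        raise ValueError("reserved-key entry must be 0 or 1")
    return {"service_id": service_id, "target_id": target_id,
            "reserved": bool(reserved),
            "key": frame[4 + _HDR.size:-IDENT_LEN],
            "ident": frame[-IDENT_LEN:]}


def receive_frame(frame: bytes, mode: int) -> Optional[dict]:
    """What a cryptographic application device does on receipt: recompute the
    identification value with the same mode and compare in constant time.
    None means the key was not correctly received and must not be used."""
    fields = parse_frame(frame)
    if not hmac.compare_digest(ident_value(mode, fields["key"]), fields["ident"]):
        return None
    return fields


def cross_check(first_key: bytes, second_keys: dict, service_id: int) -> bool:
    """Third calculation mode between the two application devices: the first
    sends (service identifier, identification value); the second recomputes
    over the key it received under that service identifier and compares.
    Only the identification value, never the key, crosses the link."""
    verification_msg = {"service_id": service_id,
                        "ident": ident_value(3, first_key)}
    second_key = second_keys.get(verification_msg["service_id"])
    if second_key is None:  # no frame was received under that service id
        return False
    return hmac.compare_digest(ident_value(3, second_key),
                               verification_msg["ident"])
```

The length field is validated against the actual frame size before the key slice is taken, which is the property the patent's simple format makes easy to check: a frame that fails any check is dropped whole, and a mismatch of the identification value is treated as "not correctly received" rather than as a key to retry with.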
Optionally, in this embodiment, the first quantum key management device is further configured to output an alarm message indicating that the output of the current quantum key fails when the received result message indicates that the output fails.
Optionally, the preset output condition set includes a first condition; the first condition is that the current moment is one of a plurality of preset moments, and the current storage quantity of the quantum keys is not less than the preset quantity.
Optionally, a reserved quantum key is further stored in the first quantum key management device and the second quantum key management device; the preset output condition set further comprises a second condition; the second condition is that a quantum key output instruction is received and the current storage quantity of reserved quantum keys is not less than the preset quantity. When the first quantum key management device detects that the first condition is met, the quantum key to be output indicated by the indication message is one of the unreserved quantum keys; when the first quantum key management device detects that the second condition is met, the quantum key to be output indicated by the indication message is one of the reserved quantum keys.
Optionally, in this embodiment, the first quantum key management device is further configured to output an alarm message indicating that the unreserved quantum key is insufficient when it is detected that the current time is one of a plurality of preset times and the current storage quantity of the unreserved quantum key is less than the preset quantity.
Optionally, in this embodiment, the frame format of the quantum key output frame further includes an entry indicating whether the key is a reserved quantum key.
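The output condition set and the indication/result exchange between the two quantum key management devices, as an added example that is not code from the patent. It assumes that each device holds an unreserved pool and a reserved pool of keys indexed by address, that the two devices of a pair hold identical copies of those pools, that the "preset moments" are integers (for instance seconds of the day), that the "quantum key output instruction" is a trigger flag, and that the frame output to the cryptographic application device is recorded simply as the list of keys; `QKMD`, `run_output` and `make_pair` are the example's own names.

```python
import secrets
from typing import Optional


class QKMD:
    """One quantum key management device of a pair (assumed model)."""

    def __init__(self, dev_id, unreserved, reserved, preset_moments, threshold):
        self.id = dev_id
        self.pools = {False: list(unreserved), True: list(reserved)}
        self.cursor = {False: 0, True: 0}   # next unread address per pool
        self.preset_moments = set(preset_moments)
        self.threshold = threshold          # "preset quantity"
        self.pending = {}                   # service_id -> indication we sent
        self.outputs = []                   # (service_id, keys) given to the app
        self.alarms = []
        self.next_service = 1

    def stored(self, reserved: bool) -> int:
        return len(self.pools[reserved]) - self.cursor[reserved]

    # ----- first quantum key management device side -----
    def check_conditions(self, now: int, trigger: bool) -> Optional[int]:
        """Return 1 (scheduled moment) or 2 (reserved-key trigger) when a
        condition of the preset output condition set is met, else None."""
        if now in self.preset_moments:
            if self.stored(False) >= self.threshold:
                return 1
            self.alarms.append("unreserved quantum key insufficient")
        if trigger and self.stored(True) >= self.threshold:
            return 2
        return None

    def make_indication(self, condition: int) -> dict:
        reserved = condition == 2
        sid, self.next_service = self.next_service, self.next_service + 1
        msg = {"from": self.id, "service_id": sid, "reserved": reserved,
               "start": self.cursor[reserved], "count": self.threshold}
        self.pending[sid] = msg   # kept so the result can be matched by service id
        return msg

    def handle_result(self, result: dict) -> bool:
        """Output only after the peer reports success; otherwise alarm and
        leave the pool untouched, so the two pools stay in step."""
        info = self.pending.pop(result["service_id"], None)
        if info is None or not result["ok"]:
            self.alarms.append("quantum key output failed")
            return False
        self.outputs.append((info["service_id"], self._take(info)))
        return True

    # ----- second quantum key management device side -----
    def handle_indication(self, msg: dict) -> dict:
        # "from" names the peer whose shared pool to use; this model holds a
        # single peer, so the field is carried but not used for lookup.
        try:
            self.outputs.append((msg["service_id"], self._take(msg)))
            return {"service_id": msg["service_id"], "ok": True}
        except ValueError:
            return {"service_id": msg["service_id"], "ok": False}

    def _take(self, msg: dict) -> list:
        pool, start, n = self.pools[msg["reserved"]], msg["start"], msg["count"]
        if start != self.cursor[msg["reserved"]] or start + n > len(pool):
            raise ValueError("requested keys not available")
        self.cursor[msg["reserved"]] = start + n
        return pool[start:start + n]


def run_output(first: QKMD, second: QKMD, now: int, trigger: bool = False) -> bool:
    """One round: condition check, indication, peer output, result, own output."""
    cond = first.check_conditions(now, trigger)
    if cond is None:
        return False
    result = second.handle_indication(first.make_indication(cond))
    return first.handle_result(result)


def make_pair(n_unreserved=6, n_reserved=2, moments=(3600,), threshold=2):
    """Two devices sharing identical constructed key pools (sample data)."""
    unres = [secrets.token_bytes(32) for _ in range(n_unreserved)]
    res = [secrets.token_bytes(32) for _ in range(n_reserved)]
    return (QKMD("qkmd-1", unres, res, moments, threshold),
            QKMD("qkmd-2", unres, res, moments, threshold))
```

The ordering matters for key-pool consistency: the second device consumes and outputs first, and the first device advances its own cursor only on a successful result, so a failed round leaves both pools at the same address and raises an alarm instead of leaving one side with a key the other never delivered.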
Fig. 6 shows a quantum key management apparatus according to an embodiment of the present application, which may include: a processing module 601, a first receiving module 602, and a first packing module 603. Wherein:
a processing module 601, configured to send an indication message to an opposite-end quantum key management device when detecting that any condition in a preset output condition set is met; the indication message is used for indicating the quantum key to be output by the opposite terminal quantum key management device.
A first receiving module 602, configured to receive a result message sent by the peer quantum key management device. Wherein the result message includes at least information indicating whether the quantum key output frame is successfully output.
The first packetizing module 603 is configured to, when the received result message indicates that the output is successful, at least packetize the to-be-output quantum key indicated by the indication message into a quantum key output frame, and output the quantum key output frame to the corresponding cryptographic application device.
Optionally, the indication message includes: the identification of the quantum key management device, the starting address and the number of the quantum keys to be output.
Optionally, the indication message further includes: the quantum key outputs the service identification of the service; the result message further includes: the service identification;
the first packing module 603 being configured to, when the received result message indicates that the output was successful, pack at least the quantum key to be output into a quantum key output frame and output the quantum key output frame to the corresponding cryptographic application device comprises:
the first packing module 603 is specifically configured to determine the information of the indication message according to the service identifier if the received result message indicates that the output was successful; the information of the indication message includes: the receiver of the indication message, and the start address and the number contained in the indication message; obtain, from the quantum keys shared with that receiver, the stated number of quantum keys starting from the start address contained in the indication message, as the quantum keys to be output; generate an identification value of the quantum keys to be output according to a preset second calculation mode to obtain a second identification value; pack at least the quantum keys to be output and the second identification value into a quantum key output frame; and output the quantum key output frame to the corresponding cryptographic application device.
Optionally, the frame format of the quantum key output frame includes: message length and quantum key to be output.
Optionally, the frame format of the quantum key output frame may further include: a service identifier and a target identifier; the target identifier is an identifier indicating the opposite-end cryptographic application device.
Optionally, the quantum key management apparatus may further include:
a first output module, configured to output an alarm message indicating that the quantum key output failed, under the condition that the received result message indicates output failure.
Optionally, the preset output condition set may include a first condition; the first condition is that the current moment is one of a plurality of preset moments, and the current storage quantity of the quantum keys is not less than the preset quantity.
Optionally, a reserved quantum key is further stored in the quantum key management device; the preset output condition set may further include a second condition; and the second condition is that a quantum key output instruction is received, and the current storage quantity of the reserved quantum keys is not less than the preset quantity.
When the processing module 601 detects that the first condition is met, the quantum key to be output indicated by the indication message is one of the unreserved quantum keys; when the processing module 601 detects that the second condition is met, the quantum key to be output indicated by the indication message is one of the reserved quantum keys.
Optionally, the quantum key management apparatus may further include:
a second output module, configured to output an alarm message indicating that the unreserved quantum key is insufficient when the processing module 601 detects that the current time is one of multiple preset times and the current storage quantity of the unreserved quantum key is less than the preset quantity.
Optionally, the frame format of the quantum key output frame may further include: whether it is an entry that reserves a quantum key.
Fig. 7 is a further quantum key management device provided in an embodiment of the present application, and may include: a second receiving module 701, a second packing module 702, and a sending module 703. Wherein the content of the first and second substances,
a second receiving module 701, configured to receive an indication message sent by an opposite-end quantum key management device; the indication message is used for indicating the quantum key to be output by the quantum key management device.
A second packing module 702, configured to pack at least the to-be-output quantum key indicated by the indication message into a quantum key output frame, and output the quantum key output frame to a corresponding cryptographic application device.
A sending module 703, configured to send a result message to an opposite-end quantum key management apparatus; the result message includes at least information indicating whether the quantum key output frame was successfully output.
Optionally, the indication message may include: the identifier of the opposite terminal quantum key management device, and the starting address and the number of the quantum keys to be output.
the second packing module 702 being configured to pack at least a quantum key to be output into a quantum key output frame and output the quantum key output frame to the corresponding cryptographic application device comprises:
the second packing module 702 is specifically configured to obtain, according to the identifier of the opposite-end quantum key management device, from the quantum keys shared with the opposite-end quantum key management device, the stated number of quantum keys starting from the start address in the indication message, as the quantum keys to be output; generate an identification value of the quantum keys to be output according to a preset first calculation mode to obtain a first identification value; pack at least the quantum keys to be output and the first identification value into a quantum key output frame; and output the quantum key output frame to the corresponding cryptographic application device.
Optionally, the frame format of the quantum key output frame may include: message length and quantum key to be output.
Optionally, a reserved quantum key is further stored in the quantum key management device;
the quantum key to be output, which is indicated by the indication message received by the second receiving module 701, is a quantum key in an unreserved quantum key or a quantum key in the reserved quantum key.
Optionally, the frame format of the quantum key output frame may further include: whether it is an entry that reserves a quantum key.
The functions described in the method of the embodiment of the present application, if implemented in the form of software functional units and sold or used as independent products, may be stored in a storage medium readable by a computing device. Based on such understanding, part of the contribution to the prior art of the embodiments of the present application or part of the technical solution may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computing device (which may be a personal computer, a server, a mobile computing device or a network device) to execute all or part of the steps of the method described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Features described in the embodiments of the present specification may be replaced with or combined with each other, each embodiment is described with a focus on differences from other embodiments, and the same or similar portions among the embodiments may be referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (41)

1. A quantum key output method, characterized by being applied to a quantum key output system, wherein the quantum key output system comprises at least a pair of cryptographic application devices and quantum key management devices respectively corresponding to the cryptographic application devices; the pair of cryptographic application devices are a first cryptographic application device and a second cryptographic application device; the first cryptographic application device corresponds to a first quantum key management device, and the second cryptographic application device corresponds to a second quantum key management device; the method comprises the following steps:
the first quantum key management device sends an indication message to the second quantum key management device when detecting that any condition in a preset output condition set is met; the indication message is used for indicating the quantum key to be output by the second quantum key management device;
the second quantum key management device packs at least the quantum key to be output, which is indicated by the indication message, into a quantum key output frame, and outputs the quantum key output frame to the second cryptographic application device; and sends a result message to the first quantum key management device; the result message at least includes information indicating whether the quantum key output frame was successfully output;
and the first quantum key management device packs at least the quantum key to be output, which is indicated by the indication message, into a quantum key output frame and outputs the quantum key output frame to the first cryptographic application device, under the condition that the received result message indicates that the output was successful.
2. The method of claim 1, wherein the indication message comprises: the identification of the first quantum key management device, the starting address and the number of the quantum keys to be output;
the second quantum key management device packing at least the quantum key to be output into a quantum key output frame and outputting the quantum key output frame to the second cryptographic application device comprises:
the second quantum key management device acquiring, according to the identification of the first quantum key management device, from the quantum keys shared with the first quantum key management device, the stated number of quantum keys starting from the starting address in the indication message, as the quantum keys to be output;
generating an identification value of the quantum key to be output according to a preset first calculation mode to obtain a first identification value;
packing the quantum key to be output and the first identification value into the quantum key output frame;
and outputting the quantum key output frame to the second cryptographic application device.
3. The method of claim 2, wherein the indication message further comprises: the service identifier of the quantum key output service; and the result message further comprises: the service identifier;
the first quantum key management device, when the received result message indicates that the output is successful, at least packages the to-be-output quantum key into a quantum key output frame, and outputs the quantum key output frame to the first cryptographic application device, where the method includes:
the first quantum key management device determines the information of the indication message according to the service identifier under the condition that the received result message indicates that the output is successful; the information of the indication message includes: the receiver of the indication message, the starting address and the number contained in the indication message;
acquiring the quantum keys of the number from the start address contained in the indication message from the quantum keys shared by the receiver as the quantum keys to be output;
generating an identification value of the quantum key to be output according to a preset second calculation mode to obtain a second identification value;
packing the quantum key to be output and the second identification value into the quantum key output frame;
and outputting the quantum key output frame to the first cryptographic application device.
4. The method of claim 1, wherein the frame format of the quantum key output frame comprises: message length and quantum key to be output.
5. The method of claim 3, further comprising:
the first cryptographic application device acquires a quantum key and the second identification value from the received quantum key output frame under the condition of receiving the quantum key output frame output by the first quantum key management device;
calculating the identification value of the obtained quantum key according to the preset second calculation mode;
and judging whether the quantum key sent by the first quantum key management device is correctly received or not by comparing whether the calculated identification value is the same as the second identification value or not.
6. The method of claim 2, further comprising:
the second cryptographic application device acquires a quantum key and the first identification value from the received quantum key output frame under the condition of receiving the quantum key output frame output by the second quantum key management device;
calculating the identification value of the obtained quantum key according to the preset first calculation mode;
and judging whether the quantum key sent by the second quantum key management device is correctly received or not by comparing whether the calculated identification value is the same as the first identification value or not.
7. The method of claim 4, wherein the frame format of the quantum key output frame further comprises a service identifier and a target identifier; the target identifier is an identifier used for indicating the opposite-end cryptographic application device;
the method further comprises the following steps:
the first cryptographic application device acquires a quantum key from the received quantum key output frame under the condition of receiving the quantum key output frame output by the first quantum key management device;
calculating the obtained identification value of the quantum key according to a preset third calculation mode;
the first cryptographic application device sends a verification message to the second cryptographic application device indicated by the target identifier; the verification message includes: the service identifier and the identification value calculated by the first cryptographic application device;
and under the condition that the second cryptographic application device receives the verification message, it calculates, according to the preset third calculation mode, the identification value of the quantum key it acquired from the quantum key output frame indicated by the service identifier in the verification message, and compares whether the calculated identification value of the quantum key is the same as the identification value in the verification message, to obtain a comparison result.
8. The method of claim 7, further comprising:
and under the condition that the comparison result obtained by the second cryptographic application device indicates that the values differ, the second cryptographic application device outputs an alarm message indicating that the quantum key output failed.
9. The method of claim 1, further comprising:
and the first quantum key management device outputs the alarm message of the quantum key output failure when receiving the result message indicating the output failure.
10. The method according to any one of claims 1 to 9, wherein the preset set of output conditions comprises a first condition; the first condition is that the current moment is one of a plurality of preset moments, and the current storage quantity of the quantum keys is not less than the preset quantity.
11. The method of claim 10, wherein the first quantum key management device and the second quantum key management device further store a reserved quantum key therein; the preset output condition set further comprises a second condition; the second condition is that a quantum key output instruction is received, and the current storage quantity of the reserved quantum keys is not less than the preset quantity;
under the condition that the first quantum key management device detects that the first condition is met, the quantum key to be output, which is indicated by the indication message, is a quantum key in an unreserved quantum key;
in a case that the first quantum key management device detects that the second condition is met, the quantum key to be output indicated by the indication message is a quantum key in the reserved quantum keys.
12. The method of claim 11, further comprising:
the first quantum key management device outputs an alarm message that the unreserved quantum key is insufficient when detecting that the current time is one of a plurality of preset times and the current storage quantity of the unreserved quantum key is less than the preset quantity.
13. The method of claim 11, wherein the frame format of the quantum key output frame further comprises an entry indicating whether the key is a reserved quantum key.
14. A quantum key output system, characterized by comprising at least a pair of cryptographic application devices and quantum key management devices respectively corresponding to the cryptographic application devices; the pair of cryptographic application devices are a first cryptographic application device and a second cryptographic application device; the first cryptographic application device corresponds to a first quantum key management device, and the second cryptographic application device corresponds to a second quantum key management device;
the first quantum key management device is used for sending an indication message to the second quantum key management device when any condition in a preset output condition set is detected to be met; the indication message is used for indicating the quantum key to be output by the second quantum key management device;
the second quantum key management device is configured to pack at least the quantum key to be output, which is indicated by the indication message, into a quantum key output frame, and output the quantum key output frame to the second cryptographic application device; and to send a result message to the first quantum key management device; the result message at least includes information indicating whether the quantum key output frame was successfully output;
and the first quantum key management device is configured to, when the received result message indicates that the output was successful, pack at least the quantum key to be output, which is indicated by the indication message, into a quantum key output frame, and output the quantum key output frame to the first cryptographic application device.
15. The system of claim 14, wherein the indication message comprises: the identification of the first quantum key management device, the starting address and the number of the quantum keys to be output;
the second quantum key management device is configured to at least pack the to-be-output quantum key into a quantum key output frame, and output the quantum key output frame to the second cryptographic application device, and includes:
the second quantum key management device is specifically configured to obtain, from the quantum keys shared with the first quantum key management device according to the identifier of the first quantum key management device, the quantum keys of the number from the start address in the indication message as the quantum keys to be output;
generating an identification value of the quantum key to be output according to a preset first calculation mode to obtain a first identification value;
packing the quantum key to be output and the first identification value into the quantum key output frame;
and outputting the quantum key output frame to the second cryptographic application device.
16. The system of claim 15, wherein the indication message further comprises: the service identifier of the quantum key output service; and the result message further comprises: the service identifier;
the first quantum key management device is configured to, when the received result message indicates that output is successful, at least package the to-be-output quantum key into a quantum key output frame, and output the quantum key output frame to the first cryptographic application device, and includes:
the first quantum key management device is specifically configured to determine, when the result message received indicates that the output is successful, information of the indication message according to the service identifier; the information of the indication message includes: the receiver of the indication message, the starting address and the number contained in the indication message;
acquiring the quantum keys of the number from the start address contained in the indication message from the quantum keys shared by the receiver as the quantum keys to be output;
generating an identification value of the quantum key to be output according to a preset second calculation mode to obtain a second identification value;
packing the quantum key to be output and the second identification value into the quantum key output frame;
and outputting the quantum key output frame to the first cryptographic application device.
17. The system of claim 14, wherein the frame format of the quantum key output frame comprises: message length and quantum key to be output.
18. The system according to claim 16, wherein the first cryptographic application device is configured to, in a case where a quantum key output frame output by the first quantum key management device is received, obtain a quantum key and the second identification value from the received quantum key output frame; calculating the identification value of the obtained quantum key according to the preset second calculation mode; and judging whether the quantum key sent by the first quantum key management device is correctly received or not by comparing whether the calculated identification value is the same as the second identification value or not.
19. The system of claim 15,
the second cryptographic application device is configured to, in a case where the quantum key output frame output by the second quantum key management device is received, obtain a quantum key and the first identification value from the received quantum key output frame; calculate the identification value of the obtained quantum key according to the preset first calculation mode; and judge whether the quantum key sent by the second quantum key management device is correctly received by comparing whether the calculated identification value is the same as the first identification value.
20. The system of claim 17, wherein the frame format of the quantum key output frame further comprises a service identifier and a target identifier; the target identifier is an identifier used for indicating an opposite-end cryptographic application device;
the first cryptographic application device is configured to, in a case where the quantum key output frame output by the first quantum key management device is received, obtain a quantum key from the received quantum key output frame and calculate the identification value of the obtained quantum key according to a preset third calculation mode;
the first cryptographic application device is further configured to send a verification message to the second cryptographic application device indicated by the target identifier; the verification message comprises: the service identifier and the identification value calculated by the first cryptographic application device;
and the second cryptographic application device is configured to, in a case where the verification message is received, calculate an identification value of the quantum key obtained from the quantum key output frame indicated by the service identifier in the verification message according to the preset third calculation mode, and compare the calculated identification value with the identification value in the verification message to determine whether they are the same, so as to obtain a comparison result.
21. The system according to claim 20, wherein the second cryptographic application device is further configured to output an alarm message indicating that the current quantum key output fails if the obtained comparison result indicates that the two identification values are different.
22. The system according to claim 14, wherein the first quantum key management device is further configured to output an alarm message indicating that the current quantum key output fails if the received result message indicates that the output fails.
23. The system according to any one of claims 14 to 22, wherein the set of preset output conditions comprises a first condition; the first condition is that the current moment is one of a plurality of preset moments, and the current storage quantity of the quantum keys is not less than the preset quantity.
24. The system of claim 23, wherein the first quantum key management device and the second quantum key management device further store a reserved quantum key therein; the preset output condition set further comprises a second condition; the second condition is that a quantum key output instruction is received, and the current storage quantity of the reserved quantum keys is not less than the preset quantity;
in a case where the first quantum key management device detects that the first condition is met, the quantum key to be output indicated by the indication message is one of the unreserved quantum keys;
in a case where the first quantum key management device detects that the second condition is met, the quantum key to be output indicated by the indication message is one of the reserved quantum keys.
25. The system of claim 24,
the first quantum key management device is further configured to output an alarm message indicating that the unreserved quantum key is insufficient when it is detected that the current time is one of a plurality of preset times and the current storage quantity of the unreserved quantum keys is less than the preset quantity.
26. The system of claim 24, wherein the frame format of the quantum key output frame further comprises: an entry indicating whether the quantum key is a reserved quantum key.
27. A quantum key management apparatus, comprising:
a processing module, configured to send an indication message to a peer quantum key management device in a case where it is detected that any condition in a preset output condition set is met; the indication message is used for indicating the quantum key to be output by the peer quantum key management device;
a first receiving module, configured to receive a result message sent by the peer quantum key management device; the result message at least comprises information indicating whether the quantum key output frame was successfully output;
and a first packing module, configured to, in a case where the received result message indicates that the output is successful, pack at least the quantum key to be output indicated by the indication message into a quantum key output frame, and output the quantum key output frame to a corresponding cryptographic application device.
28. The quantum key management device of claim 27, wherein the indication message comprises: the identification of the quantum key management device, and the starting address and the number of the quantum keys to be output.
29. The quantum key management device of claim 28, wherein the indication message further comprises: a service identifier of the quantum key output service; and the result message further comprises: the service identifier;
the first packing module is configured to, when the received result message indicates that the output is successful, pack at least the to-be-output quantum key into a quantum key output frame, and output the quantum key output frame to a corresponding cryptographic application device, and includes:
the first packing module is specifically configured to determine information of the indication message according to the service identifier if the received result message indicates that the output is successful; the information of the indication message includes: the receiver of the indication message, the starting address and the number contained in the indication message;
acquiring the quantum keys of the number from the start address contained in the indication message from the quantum keys shared by the receiver as the quantum keys to be output;
generating an identification value of the quantum key to be output according to a preset second calculation mode to obtain a second identification value;
packing the quantum key to be output and the second identification value into the quantum key output frame;
and outputting the quantum key output frame to a corresponding cryptographic application device.
30. The quantum key management device of claim 27, wherein the frame format of the quantum key output frame comprises: message length and quantum key to be output.
31. The quantum key management device of claim 30, wherein the frame format of the quantum key output frame further comprises: a service identifier and a target identifier; the target identifier is an identifier used for indicating an opposite-end cryptographic application device.
32. The quantum key management device of claim 27, further comprising:
and a first output module, configured to output an alarm message indicating that the quantum key output fails in a case where the received result message indicates that the output fails.
33. A quantum key management device according to any of claims 27 to 32, wherein the preset set of output conditions comprises a first condition; the first condition is that the current moment is one of a plurality of preset moments, and the current storage quantity of the quantum keys is not less than the preset quantity.
34. The quantum key management device of claim 33, wherein the quantum key management device further stores a reserved quantum key therein; the preset output condition set further comprises a second condition; the second condition is that a quantum key output instruction is received, and the current storage quantity of the reserved quantum keys is not less than the preset quantity;
in a case where the processing module detects that the first condition is met, the quantum key to be output indicated by the indication message is one of the unreserved quantum keys;
and in a case where the processing module detects that the second condition is met, the quantum key to be output indicated by the indication message is one of the reserved quantum keys.
35. The quantum key management device of claim 34, further comprising:
and a second output module, configured to output an alarm message indicating that the unreserved quantum keys are insufficient when the processing module detects that the current time is one of a plurality of preset times and the current storage quantity of the unreserved quantum keys is less than the preset quantity.
36. The quantum key management device of claim 34, wherein the frame format of the quantum key output frame further comprises: an entry indicating whether the quantum key is a reserved quantum key.
37. A quantum key management apparatus, comprising:
a second receiving module, configured to receive an indication message sent by a peer quantum key management device; the indication message is used for indicating the quantum key to be output by the quantum key management device;
a second packing module, configured to pack at least the quantum key to be output indicated by the indication message into a quantum key output frame, and output the quantum key output frame to a corresponding cryptographic application device;
and a sending module, configured to send a result message to the peer quantum key management device; the result message at least comprises information indicating whether the quantum key output frame was successfully output.
38. The quantum key management device of claim 37, wherein the indication message comprises: the identification of the peer quantum key management device, and the starting address and the number of the quantum keys to be output;
the second packing module is configured to pack at least the quantum key to be output into a quantum key output frame, and output the quantum key output frame to a corresponding cryptographic application device, and includes:
the second packing module is specifically configured to obtain, from the quantum keys shared with the peer quantum key management device according to the identifier of the peer quantum key management device, the quantum keys of the number from the start address in the indication message as the quantum keys to be output;
generating an identification value of the quantum key to be output according to a preset first calculation mode to obtain a first identification value;
packing the quantum key to be output and the first identification value into the quantum key output frame;
and outputting the quantum key output frame to a corresponding cryptographic application device.
39. The quantum key management device of claim 37, wherein the frame format of the quantum key output frame comprises: message length and quantum key to be output.
40. The quantum key management device of claim 37, wherein the quantum key management device further stores a reserved quantum key therein;
the quantum key to be output indicated by the indication message received by the second receiving module is one of the unreserved quantum keys or one of the reserved quantum keys.
41. The quantum key management device of claim 40, wherein the frame format of the quantum key output frame further comprises: an entry indicating whether the quantum key is a reserved quantum key.
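The following is an added example, not code from the patent or its assignees: a Python simulation of the exchange specified in system claims 14 to 22 and restated for the devices in claims 27 to 38, with the result-message alarm of claim 22, the per-device identification-value check of claims 18 and 19 and the cross-check between the two application devices of claims 20 and 21. The patent fixes no byte layout or algorithm, so the frame layout (message length, service identifier, target identifier, reserved flag, identification value, keys), the choice of SHA-256, SHA-512 and SHA3-256 as the first, second and third calculation modes, the 16-byte key unit and the shared key pool are all assumptions constructed here.

```python
import hashlib
import hmac
import struct

KEY_LEN = 16  # assumed size of one quantum key unit, in bytes
SHARED_POOL = bytes(range(128))  # constructed pool of 8 keys, held identically by both managers

def identification_value(keys: bytes, mode: str) -> bytes:
    """A 'preset calculation mode' is assumed here to name a hash algorithm, e.g. 'sha256'."""
    return hashlib.new(mode, keys).digest()

def pack_frame(keys: bytes, ident: bytes, service_id: int, target_id: int, reserved: bool) -> bytes:
    """Assumed layout: msg_len(4) | service_id(4) | target_id(4) | reserved(1) | ident_len(1) | ident | keys."""
    body = struct.pack("!IIBB", service_id, target_id, int(reserved), len(ident)) + ident + keys
    return struct.pack("!I", len(body)) + body

def unpack_frame(frame: bytes) -> dict:
    (msg_len,) = struct.unpack("!I", frame[:4])
    body = frame[4:4 + msg_len]
    if len(body) != msg_len:
        raise ValueError("truncated frame")
    service_id, target_id, reserved, ident_len = struct.unpack("!IIBB", body[:10])
    return {"service_id": service_id, "target_id": target_id, "reserved": bool(reserved),
            "ident": body[10:10 + ident_len], "keys": body[10 + ident_len:]}

def select_keys(pool: bytes, start: int, number: int) -> bytes:
    """Take `number` keys beginning at key address `start` from the shared pool."""
    if (start + number) * KEY_LEN > len(pool):
        raise ValueError("not enough shared quantum keys")
    return pool[start * KEY_LEN:(start + number) * KEY_LEN]

def peer_output(pool: bytes, indication: dict, mode: str, target_id: int):
    """Second key manager (claim 15): serve the indication, return (frame or None, result message)."""
    try:
        keys = select_keys(pool, indication["start"], indication["number"])
    except ValueError:
        return None, {"service_id": indication["service_id"], "success": False}
    frame = pack_frame(keys, identification_value(keys, mode), indication["service_id"], target_id, False)
    return frame, {"service_id": indication["service_id"], "success": True}

def app_verify(frame: bytes, mode: str) -> bool:
    """Application device (claims 18/19): recompute the identification value and compare."""
    f = unpack_frame(frame)
    return hmac.compare_digest(identification_value(f["keys"], mode), f["ident"])

def run_exchange(start: int, number: int) -> dict:
    """Whole exchange of claims 14-22; the three calculation modes are assumed to be three hashes."""
    indication = {"start": start, "number": number, "service_id": 7}
    frame_b, result = peer_output(SHARED_POOL, indication, "sha256", target_id=1)
    if not result["success"]:  # claim 22: alarm instead of outputting the first manager's keys
        return {"alarm": "quantum key output failed", "service_id": result["service_id"]}
    keys_a = select_keys(SHARED_POOL, start, number)  # claim 16: same start/number, found by service id
    frame_a = pack_frame(keys_a, identification_value(keys_a, "sha512"), 7, 2, False)
    # claim 20: app A sends (service id, third-mode value) to app B, which recomputes over its own keys
    verification = identification_value(unpack_frame(frame_a)["keys"], "sha3_256")
    cross_ok = hmac.compare_digest(verification, identification_value(unpack_frame(frame_b)["keys"], "sha3_256"))
    return {"local_a": app_verify(frame_a, "sha512"), "local_b": app_verify(frame_b, "sha256"),
            "cross": cross_ok, "alarm": None if cross_ok else "quantum key output failed"}
```

A request that runs past the end of the shared pool yields a failed result message and therefore an alarm on the first manager, while a frame whose key bytes are altered in transit fails the application device's identification-value check.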
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010491274.0A CN113765653B (en) 2020-06-02 2020-06-02 Quantum key output method and system and quantum key management device

Publications (2)

Publication Number Publication Date
CN113765653A CN113765653A (en) 2021-12-07
CN113765653B true CN113765653B (en) 2022-04-12

Family

ID=78782976

Country Status (1)

Country Link
CN (1) CN113765653B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106301769A (en) * 2015-06-08 2017-01-04 阿里巴巴集团控股有限公司 Quantum key output intent, storage consistency verification method, Apparatus and system
CN108206738A (en) * 2016-12-16 2018-06-26 山东量子科学技术研究院有限公司 A kind of quantum key output method and system
CN108737081A (en) * 2017-04-21 2018-11-02 山东量子科学技术研究院有限公司 A kind of quantum key output control system and its method
CN110635894A (en) * 2018-06-21 2019-12-31 山东量子科学技术研究院有限公司 Quantum key output method and system based on frame protocol format

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant