CN113784345B - Power distribution terminal point-to-point key negotiation method and device based on quantum secure channel - Google Patents
- Publication number: CN113784345B (CN202111335330.2A)
- Authority: CN (China)
- Prior art keywords: key; power distribution; distribution terminal; negotiation; information
- Prior art date
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
- G06Q50/06—Energy or water supply
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0852—Quantum cryptography
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/30—Services specially adapted for particular environments, situations or purposes
- H04W4/35—Services specially adapted for particular environments, situations or purposes for the management of goods or merchandise
Abstract
The present invention provides a point-to-point key negotiation method and device for power distribution terminals based on a quantum secure channel, including: the first power distribution terminal and the relay device establish a first channel based on the received first transmission key and relay key, and the second power distribution terminal and the relay device generate a second channel based on the received second transmission key and relay key; the first power distribution terminal sends the first negotiated key and the intermediate negotiated key respectively to the second power distribution terminal; the second power distribution terminal sends the second negotiated key and the intermediate negotiated key respectively to the first power distribution terminal; the first power distribution terminal and the second power distribution terminal generate a first combined key and a second combined key respectively; if the relay device determines that the first combined key and the second combined key are the same, the first power distribution terminal and the second power distribution terminal establish a data transmission channel based on the first combined key and/or the second combined key.
Description
Technical field
The present invention relates to the technical field of data transmission, and in particular to a point-to-point key negotiation method and device for power distribution terminals based on a quantum secure channel.
Background
In recent years, the state has been promoting the deep integration of the power grid and the Internet and working to build an energy Internet. By fully applying modern information technologies and advanced communication technologies such as mobile internet, artificial intelligence, 5G communication, BeiDou and quantum secrecy, every link of the power system achieves interconnection of all things and human-computer interaction, creating a smart grid with comprehensive state awareness, efficient information processing, and convenient and flexible application. This provides strong data resource support for the safe and economic operation of the grid, improving business performance, improving service quality, and cultivating and developing strategic emerging industries.
As 5G technology gradually matures, the power system is gradually considering using 5G technology for data transmission for its massive number of power distribution terminal systems, according to the communication conditions of the application scenario. As a consequence, however, the power distribution business faces new security threats in terms of business information, business models, business carriers and other aspects. If the network is intruded upon, the stable operation of all kinds of critical systems will be seriously affected, which in turn seriously threatens economic and social stability and people's production and daily life. The traditional defense-in-depth system that relies on physical isolation and deployed security measures is no longer suitable for 5G networks, and how to provide effective business security protection has become a new problem in urgent need of a solution.
Quantum secure communication technology uses the quantum uncertainty principle and the non-clonable property of quantum states for secure key distribution. An attacker cannot measure or copy the key (quantum state), and any eavesdropping is discovered as soon as it occurs. It offers higher security than traditional key distribution mechanisms and is currently the most practical quantum technology. Therefore, exploring a mechanism that makes quantum secure communication protection technology compatible with existing 5G network security protection technology, so as to raise the security level of 5G networks in power system applications, is of great significance for improving the operation of dispatch automation services in 5G system networks.
A domestic company completed the first domestic verification of carrying precise load control services on 5G+quantum communication terminals, and further proposed an application solution for 5G+quantum communication terminals that is easy to promote and simple to deploy. The 5G+quantum communication terminal has the dual functions of 5G communication and quantum secrecy, can be applied to all types of business scenarios, and solves the security and reliability problems of carrying power production control services on the public 5G network. As the first domestic integrated application of 5G communication technology, quantum encryption technology and power business equipment, this application exploits both the high bandwidth, low latency and wide connectivity of 5G and the security and reliability of quantum communication, and can provide all-round support capabilities for the application of 5G+quantum in electric power, such as scientific research, experimental verification, performance testing, security analysis, and innovative research and development.
Figure 1 shows the network infrastructure design of the quantum security service platform, which mainly includes a quantum key generation system, a quantum key scheduling system and a quantum key application system. The functions of each part are as follows:
1. Quantum key generation system, including a quantum key generation and management terminal and a quantum random number generator. Its main function is to generate quantum keys using quantum properties and to provide quantum key support for the front-end systems.
2. Quantum key scheduling system, including a switching cipher machine, a quantum cryptography service platform system and a quantum key charging system. The main functions are: the switching cipher machine is responsible for quantum key storage and output; the quantum cryptography service platform system is responsible for scheduling and negotiating quantum keys, ensuring that quantum keys can be distributed to the quantum key application system in a secure and orderly manner; the quantum key charging system is responsible for charging quantum keys by means such as a U-shield (USB key) or TF card, for use at the quantum key application terminal.
3. Quantum key application system, including a quantum security gateway and a quantum CPE. Its main function is to use quantum keys to build a quantum-secure encrypted transmission channel, raising the security level of the 5G transmission channel and ensuring that business system data can be transmitted securely to the wireless secure access zone and, through the secure access zone, to the master station system of the power intranet.
The existing quantum secure communication scheme distributes quantum keys to the quantum CPE and the power distribution terminal through quantum key distribution, and establishes a quantum secure channel between the quantum CPE and the power distribution terminal through key negotiation. The quantum key is generally generated by the quantum key generation system, and key distribution is completed by the quantum key distribution system, but there is not yet an efficient way to establish a secure channel between power distribution terminals.
Summary of the invention
Embodiments of the present invention provide a point-to-point key negotiation method and device for power distribution terminals based on a quantum secure channel, which can obtain the corresponding keys through point-to-point negotiation between power distribution terminals and so ensure the security of data transmission.
A first aspect of the embodiments of the present invention provides a point-to-point key negotiation method for power distribution terminals based on a quantum secure channel, involving a first power distribution terminal, a second power distribution terminal and a relay device, each of which is connected to the quantum network basic platform. Key negotiation between the first power distribution terminal and the second power distribution terminal is performed through the following steps:
The first power distribution terminal and the relay device establish a first channel based on the received first transmission key and relay key, and the second power distribution terminal and the relay device generate a second channel based on the received second transmission key and relay key;
The first power distribution terminal generates a first negotiated key based on the attribute information and data capture information at the current moment; the first negotiated key is transmitted to the relay device over the first channel; the relay device generates an intermediate negotiated key based on the attributes of the first channel and the second channel, and sends the first negotiated key and the intermediate negotiated key respectively to the second power distribution terminal;
The second power distribution terminal generates a second negotiated key based on the attribute information and data capture information at the current moment; the second negotiated key is transmitted to the relay device over the second channel; the relay device generates an intermediate negotiated key based on the attributes of the second channel and the first channel, and sends the second negotiated key and the intermediate negotiated key respectively to the first power distribution terminal;
The first power distribution terminal and the second power distribution terminal generate a first combined key and a second combined key, respectively, based on the first negotiated key, the relay key and the second negotiated key;
If the relay device determines that the first combined key and the second combined key are the same, the first power distribution terminal and the second power distribution terminal establish a data transmission channel based on the first combined key and the second combined key.
Optionally, in a possible implementation of the first aspect, the quantum network basic platform is used to generate the first transmission key, the relay key and the second transmission key;
Based on the quantum security service engine and the terminal key distribution system, the first transmission key, the relay key and the second transmission key are distributed to the first power distribution terminal, the relay device and the second power distribution terminal respectively.
Optionally, in a possible implementation of the first aspect, the attribute information of the first power distribution terminal and the second power distribution terminal is preset.
Optionally, in a possible implementation of the first aspect, the first power distribution terminal generating the first negotiated key based on the attribute information and data capture information at the current moment includes:
Acquiring the electric energy monitoring data of the first power distribution terminal at the current moment, and capturing the first electric energy information and the second electric energy information in the electric energy monitoring data, the data capture information including the first electric energy information and the second electric energy information;
The attribute information includes the coded information value of the first power distribution terminal and the time information of the current moment, and the time information is quantized to obtain a quantized time value;
The first negotiated key is calculated by the following formula,
Where, is the first negotiated key, is the weight value of the first electric energy information, is the magnitude of the first electric energy information, is the weight value of the second electric energy information, is the magnitude of the second electric energy information, is the coded information value of the first power distribution terminal, is the quantized time value of the first power distribution terminal, is the preset adjustment value;
The relay device generating the intermediate negotiated key based on the attributes of the first channel and the second channel includes:
The relay device acquires the first moment at which the first channel was established and the second moment at which the second channel was established, and generates the intermediate negotiated key based on the first moment and the second moment.
Optionally, in a possible implementation of the first aspect, the second power distribution terminal generating the second negotiated key based on the attribute information and data capture information at the current moment, the second negotiated key being transmitted to the relay device over the second channel, includes:
Acquiring the electric energy monitoring data of the second power distribution terminal at the current moment, and capturing the third electric energy information and the fourth electric energy information in the electric energy monitoring data, the data capture information including the third electric energy information and the fourth electric energy information;
The attribute information includes the coded information value of the second power distribution terminal and the time information of the current moment, and the time information is quantized to obtain a quantized time value;
The second negotiated key is calculated by the following formula,
Where, is the second negotiated key, is the weight value of the third electric energy information, is the magnitude of the third electric energy information, is the weight value of the fourth electric energy information, is the magnitude of the fourth electric energy information, is the coded information value of the second power distribution terminal, is the quantized time value of the second power distribution terminal, is the preset adjustment value;
The relay device generating the intermediate negotiated key based on the attributes of the second channel and the first channel includes:
The relay device acquires the first moment at which the first channel was established and the second moment at which the second channel was established, and generates the intermediate negotiated key based on the first moment and the second moment.
Optionally, in a possible implementation of the first aspect, the first power distribution terminal and the second power distribution terminal generating the first combined key and the second combined key, respectively, based on the first negotiated key, the relay key and the second negotiated key includes:
The first power distribution terminal and the second power distribution terminal each obtain the coded information values of the first power distribution terminal and the second power distribution terminal and, based on the coded information values, fill the first negotiated key, the relay key and the second negotiated key into a preset key generation template to generate the first combined key and the second combined key.
Optionally, in a possible implementation of the first aspect, filling the first negotiated key, the relay key and the second negotiated key into the preset key generation template based on the coded information values to generate the first combined key and the second combined key includes:
The key generation template includes a first slot, a second slot and a third slot;
If the coded information value of the first power distribution terminal is greater than the coded information value of the second power distribution terminal, the first combined key is placed in the first slot, the second combined key is placed in the third slot, and the relay key is set in the second slot.
Optionally, in a possible implementation of the first aspect, if the relay device determines that the first combined key and the second combined key are the same, the first power distribution terminal and the second power distribution terminal establishing a data transmission channel based on the first combined key and the second combined key includes:
After generating the first combined key and the second combined key, the first power distribution terminal and the second power distribution terminal each send them to the relay device;
If the relay device determines that the first combined key and the second combined key are the same, it sends a request instruction to the first power distribution terminal and a receive instruction to the second power distribution terminal;
After receiving the request instruction, the first power distribution terminal requests the second power distribution terminal to establish a data transmission channel, using the first combined key as the basis of the request;
The second power distribution terminal receives the request of the first power distribution terminal based on the receive instruction and verifies the first combined key against the second combined key. If the first combined key is the same as the second combined key, the first power distribution terminal and the second power distribution terminal establish a data transmission channel based on the first combined key.
Optionally, in a possible implementation of the first aspect, the first power distribution terminal and the second power distribution terminal each have a unique coded information value.
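The slot template and the two equality checks described above, as an added example that is not code from the patent. It follows the paragraph that fills the two negotiated keys and the relay key into the template, and treats the negotiated keys as opaque bytes because their formulas are not reproduced on this page; the length-prefixed slots, the SHA-256 step, the mirrored slot order when the second terminal's value is larger, and all names and sample values are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Terminal:
    code: int              # unique coded information value of the terminal
    negotiated_key: bytes  # opaque here: the derivation formula is not on the page


def _slot(value: bytes) -> bytes:
    # Assumption: length-prefix every slot so that two different key triples
    # can never serialize to the same template bytes.
    return len(value).to_bytes(2, "big") + value


def combined_key(own: Terminal, peer: Terminal, relay_key: bytes) -> bytes:
    """Fill the three-slot template and derive a 32-byte combined key.

    slot 1: negotiated key of the terminal with the larger coded value
    slot 2: relay key
    slot 3: negotiated key of the terminal with the smaller coded value
    (the smaller-value case is the assumed mirror of the rule in the text)
    """
    if own.code == peer.code:
        raise ValueError("coded information values must be unique")
    high, low = (own, peer) if own.code > peer.code else (peer, own)
    template = (_slot(high.negotiated_key) + _slot(relay_key)
                + _slot(low.negotiated_key))
    # Assumption: the combined key is the hash of the filled template.
    return hashlib.sha256(template).digest()


def relay_approves(first_combined: bytes, second_combined: bytes) -> bool:
    # Relay-side equality check, done in constant time.
    return hmac.compare_digest(first_combined, second_combined)


def establish_channel(t1: Terminal, t2: Terminal, relay_key: bytes,
                      t1_as_seen_by_t2: Optional[Terminal] = None) -> Optional[bytes]:
    """Return the channel key, or None when a check fails.

    t1_as_seen_by_t2 models the copy of terminal 1's negotiated key that
    terminal 2 actually received; it defaults to an unmodified copy.
    """
    seen = t1_as_seen_by_t2 if t1_as_seen_by_t2 is not None else t1
    first = combined_key(t1, t2, relay_key)     # computed at terminal 1
    second = combined_key(t2, seen, relay_key)  # computed at terminal 2
    if not relay_approves(first, second):
        return None  # relay sends neither the request nor the receive instruction
    # Terminal 2 verifies the requester's key against its own before accepting.
    if not hmac.compare_digest(first, second):
        return None
    return first


# Constructed sample values, not taken from the patent.
RELAY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
T1 = Terminal(code=1042, negotiated_key=b"constructed-negotiated-key-1")
T2 = Terminal(code=2077, negotiated_key=b"constructed-negotiated-key-2")

if __name__ == "__main__":
    print("channel key:", establish_channel(T1, T2, RELAY_KEY).hex())
    corrupted = Terminal(code=T1.code, negotiated_key=b"corrupted-in-transit")
    print("corrupted copy:", establish_channel(T1, T2, RELAY_KEY, corrupted))
```

Because the slot order depends only on the coded information values, both terminals derive the same bytes without agreeing on who goes first, which is why the values have to be unique.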
A second aspect of the embodiments of the present invention provides a point-to-point key negotiation device for power distribution terminals based on a quantum secure channel, involving a first power distribution terminal, a second power distribution terminal and a relay device, each of which is connected to the quantum network basic platform. Key negotiation between the first power distribution terminal and the second power distribution terminal is performed through the following modules:
A first channel establishment module, configured to make the first power distribution terminal and the relay device establish a first channel based on the received first transmission key and relay key, and the second power distribution terminal and the relay device generate a second channel based on the received second transmission key and relay key;
A first key negotiation module, configured to make the first power distribution terminal generate a first negotiated key based on the attribute information and data capture information at the current moment; the first negotiated key is transmitted to the relay device over the first channel; the relay device generates an intermediate negotiated key based on the attributes of the first channel and the second channel, and sends the first negotiated key and the intermediate negotiated key respectively to the second power distribution terminal;
A second key negotiation module, configured to make the second power distribution terminal generate a second negotiated key based on the attribute information and data capture information at the current moment; the second negotiated key is transmitted to the relay device over the second channel; the relay device generates an intermediate negotiated key based on the attributes of the second channel and the first channel, and sends the second negotiated key and the intermediate negotiated key respectively to the first power distribution terminal;
A combination module, configured to make the first power distribution terminal and the second power distribution terminal generate a first combined key and a second combined key, respectively, based on the first negotiated key, the relay key and the second negotiated key;
A second channel establishment module: if the relay device determines that the first combined key and the second combined key are the same, the first power distribution terminal and the second power distribution terminal establish a data transmission channel based on the first combined key and the second combined key.
本发明实施例的第三方面,提供一种可读存储介质,所述可读存储介质中存储有计算机程序,所述计算机程序被处理器执行时用于实现本发明第一方面及第一方面各种可能设计的所述方法。In a third aspect of the embodiments of the present invention, a readable storage medium is provided, where a computer program is stored in the readable storage medium, and the computer program is used to implement the first aspect and the first aspect of the present invention when executed by a processor Various possible designs of the described method.
The present invention provides a point-to-point key negotiation method and device for power distribution terminals based on a quantum secure channel. First, the first power distribution terminal, the second power distribution terminal and the relay device establish quantum communication channels by means of the quantum network basic platform. A first negotiation key and a second negotiation key are then generated from the attributes of the first and second power distribution terminals respectively, and the relay device forwards the first negotiation key and the second negotiation key to carry out key negotiation between the two terminals, so that the first and second power distribution terminals each generate the corresponding first combined key and second combined key from the first negotiation key, the second negotiation key and the intermediate negotiation key. Each terminal thus takes the other terminal's situation into account and obtains the other terminal's information when generating its key, the generated key changes with the current data transmission scenario, and the security of the data transmission channel established between the first and second power distribution terminals is safeguarded.
When generating the first negotiation key and the second negotiation key, the present invention takes full account of the attribute information of the first and second power distribution terminals, the currently captured power data and the time information of the current moment, ensuring that the first negotiation key and the second negotiation key do not repeat. The first and second negotiation keys also change dynamically, and as they change they remain associated with the first and second power distribution terminals, which keeps the negotiation keys traceable while also giving them a degree of randomness.
When generating the first combined key and the second combined key, the present invention sorts the first negotiation key, the relay key and the second negotiation key according to the encoded information of the first and second power distribution terminals and fills the sorted result into the corresponding slots, so that the first negotiation key, the relay key and the second negotiation key can be combined quickly into a combined key, improving the efficiency of combined key generation.
Description of the drawings
Figure 1 is a schematic diagram of the connection structure of the quantum network basic platform;
Figure 2 is a flowchart of a first embodiment of the point-to-point key negotiation method for power distribution terminals based on a quantum secure channel;
Figure 3 is a flowchart of a second embodiment of the point-to-point key negotiation method for power distribution terminals based on a quantum secure channel;
Figure 4 is a structural diagram of a first embodiment of the point-to-point key negotiation device for power distribution terminals based on a quantum secure channel;
Figure 5 is a schematic diagram of the channel between a power distribution terminal and the CPE;
Figure 6 is a schematic diagram of the channel between one power distribution terminal and another.
Detailed description
To make the purposes, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The terms "first", "second", "third", "fourth" and so on (if present) in the description, the claims and the above drawings are used to distinguish similar objects and do not necessarily describe a particular order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of the invention described herein can be practiced in sequences other than those illustrated or described herein.
It should be understood that, in the various embodiments of the present invention, the magnitude of a process's sequence number does not imply its order of execution; the order in which the processes are executed is determined by their functions and internal logic and does not limit the implementation of the embodiments of the present invention in any way.
It should be understood that, in the present invention, "comprising" and "having" and any variations of them are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
It should be understood that, in the present invention, "a plurality of" means two or more. "And/or" merely describes an association between associated objects and indicates that three relationships are possible; for example, "A and/or B" can mean that A exists alone, that A and B exist together, or that B exists alone. The character "/" generally indicates an "or" relationship between the objects before and after it. "Comprising A, B and C" and "comprising A, B, C" mean that all three of A, B and C are included; "comprising A, B or C" means that one of A, B and C is included; "comprising A, B and/or C" means that any one, any two or all three of A, B and C are included.
It should be understood that, in the present invention, "B corresponding to A", "A corresponds to B" or "B corresponds to A" means that B is associated with A and that B can be determined from A. Determining B from A does not mean determining B from A alone; B may also be determined from A and/or other information. A matches B when the similarity between A and B is greater than or equal to a preset threshold.
Depending on the context, "if" as used herein may be interpreted as "at the time of" or "when" or "in response to determining" or "in response to detecting".
The technical solutions of the present invention are described in detail below with specific embodiments. The following specific embodiments may be combined with one another, and identical or similar concepts or processes may not be repeated in some embodiments.
The present invention provides a point-to-point key negotiation method for power distribution terminals based on a quantum secure channel, involving a first power distribution terminal, a second power distribution terminal and a relay device, each of which is connected to the quantum network basic platform. As shown in Figure 1, the quantum security gateway can be regarded as the gateway to which the first or second power distribution terminal is connected.
The quantum network basic platform is used to generate a first transmission key, a relay key and a second transmission key;
Based on the quantum security service engine and the terminal key distribution system, the first transmission key, the relay key and the second transmission key are distributed to the first power distribution terminal, the relay device and the second power distribution terminal, respectively. The present invention may generate the first transmission key, the relay key and the second transmission key by means of a quantum key generation system.
The relay device is a quantum CPE, which decrypts the relay key using the charging key of a quantum security TF card. The quantum CPE and the first power distribution terminal establish the first channel based on the relay key and the first transmission key, respectively; the quantum CPE and the second power distribution terminal establish the second channel based on the relay key and the second transmission key, respectively. The first channel and the second channel can be regarded as the quantum secure encrypted tunnels in the figure.
As shown in Figure 2, the point-to-point key negotiation method for power distribution terminals specifically includes:
Step S110: the first power distribution terminal and the relay device establish a first channel based on the received first transmission key and relay key, and the second power distribution terminal and the relay device generate a second channel based on the received second transmission key and relay key. In the technical solution provided by the present invention, the first channel and the second channel may be quantum secure encrypted tunnels, which safeguard the security of data transmission between the first power distribution terminal and the relay device and between the second power distribution terminal and the relay device.
Step S120: the first power distribution terminal generates a first negotiation key based on its attribute information and data capture information at the current moment; the first negotiation key is transmitted to the relay device over the first channel, and the relay device generates an intermediate negotiation key based on the attributes of the first channel and the second channel and sends the first negotiation key and the intermediate negotiation key to the second power distribution terminal. The attribute information of the first power distribution terminal and the second power distribution terminal is preset.
In one implementation of step S120, step S120 specifically includes:
Obtaining the power monitoring data of the first power distribution terminal at the current moment and capturing the first power information and the second power information in that data; the data capture information includes the first power information and the second power information. The current moment in the present invention may be the moment at which the first channel is established between the first power distribution terminal and the relay device; this first moment may be 12:19 on October 15, 2020. Because the first power distribution terminal distributes power, a corresponding distribution voltage, distribution current, distribution power and so on arise during distribution. The first power information and the second power information in the present invention may be the distribution voltage, distribution current, distribution power and so on, for example 1000 V, 20 A and so on. The present invention places no limitation on the specific form of the first power information and the second power information.
The attribute information includes the encoded information value of the first power distribution terminal and the time information of the current moment, and the time information is quantized to obtain a quantized time value. The present invention quantizes the time into a single number: for example, 12:19 on October 15, 2020 can be quantized directly as 202010151219. The purpose of quantizing it is to make it convenient to use in calculation and key generation. The encoded information value may be preset. In the technical solution of the present invention, each first power distribution terminal and second power distribution terminal has a unique encoded information value, which may be written in Arabic numerals, for example 11100, 11421 and so on.
The first negotiation key is calculated by the following formula,
Where, is the first negotiation key, is the weight value of the first power information, is the magnitude of the first power information, is the weight value of the second power information, is the magnitude of the second power information, is the encoded information value of the first power distribution terminal, is the quantized time value of the first power distribution terminal, is the preset adjustment value.
Through the relevant quantity value of the first power distribution terminal in the power dimension can be obtained, and through the value of the first power distribution terminal's own code and of the time at which the power information was collected can be obtained, where is fixed, and , and all change dynamically as time and the power usage scenario change. Through the magnitude of can be adjusted, so that the first negotiation key reaches the required number of digits.
The generated first negotiation key contains the encoded information, time information and power information of the first power distribution terminal. Because the time information and the power information both change dynamically, the first negotiation key also changes dynamically, ensuring that this first dynamic key will not be deciphered.
The relay device generating the intermediate negotiation key based on the attributes of the first channel and the second channel includes:
The relay device obtains the first moment, at which the first channel was established, and the second moment, at which the second channel was established, and generates the intermediate negotiation key based on the first moment and the second moment. In the present invention the relay device takes part when a data transmission channel is established between the first power distribution terminal and the second power distribution terminal: it derives the intermediate negotiation key from the first moment at which the first channel was established and the second moment at which the second channel was established, intermediate negotiation key = first moment + second moment, where the two moments may be times of day, for example 07:52:57 and 10:02:37. 07:52:57 becomes 75257 and 10:02:37 becomes 100237, so the intermediate negotiation key = 75257 + 100237.
Step S130: the second power distribution terminal generates a second negotiation key based on its attribute information and data capture information at the current moment; the second negotiation key is transmitted to the relay device over the second channel, and the relay device generates an intermediate negotiation key based on the attributes of the second channel and the first channel and sends the second negotiation key and the intermediate negotiation key to the first power distribution terminal.
Step S130 specifically includes:
Obtaining the power monitoring data of the second power distribution terminal at the current moment and capturing the third power information and the fourth power information in that data; the data capture information includes the third power information and the fourth power information. The current moment in the present invention may be the moment at which the second channel is established between the first power distribution terminal and the relay device; this second moment may be 14:21 on October 15, 2020. Because the second power distribution terminal distributes power, a corresponding distribution voltage, distribution current, distribution power and so on arise during distribution. The third power information and the fourth power information in the present invention may be the distribution voltage, distribution current, distribution power and so on, for example 1000 V, 20 A and so on. The present invention places no limitation on the specific form of the third power information and the fourth power information.
The attribute information includes the encoded information value of the second power distribution terminal and the time information of the current moment, and the time information is quantized to obtain a quantized time value. The present invention quantizes the time into a single number: for example, 14:21 on October 15, 2020 can be quantized directly as 202010151421. The purpose of quantizing it is to make it convenient to use in calculation and key generation. The encoded information value may be preset. In the technical solution of the present invention, each first power distribution terminal and second power distribution terminal has a unique encoded information value, which may be written in Arabic numerals, for example 11100, 11421 and so on.
The second negotiation key is calculated by the following formula,
Where, is the second negotiation key, is the weight value of the third power information, is the magnitude of the third power information, is the weight value of the fourth power information, is the magnitude of the fourth power information, is the encoded information value of the second power distribution terminal, is the quantized time value of the second power distribution terminal, is the preset adjustment value.
Through the relevant quantity value of the second power distribution terminal in the power dimension can be obtained, and through the value of the second power distribution terminal's own code and of the time at which the power information was collected can be obtained, where is fixed, and , and all change dynamically as time and the power usage scenario change. Through the magnitude of can be adjusted, so that the second negotiation key reaches the required number of digits.
The generated first negotiation key contains the encoded information, time information and power information of the first power distribution terminal. Because the time information and the power information both change dynamically, the first negotiation key also changes dynamically, ensuring that this first dynamic key will not be deciphered.
The relay device generating the intermediate negotiation key based on the attributes of the second channel and the first channel includes:
The relay device obtains the first moment, at which the first channel was established, and the second moment, at which the second channel was established, and generates the intermediate negotiation key based on the first moment and the second moment. This step is similar to the corresponding part of step S120 and is not described again here.
Step S140: the first power distribution terminal and the second power distribution terminal generate a first combined key and a second combined key, respectively, based on the first negotiation key, the intermediate negotiation key and the second negotiation key.
In the technical solution provided by the embodiment of the present invention, step S140 specifically includes:
The first power distribution terminal and the second power distribution terminal each obtain the encoded information values of the first and second power distribution terminals and, based on those values, fill the first negotiation key, the intermediate negotiation key and the second negotiation key into a preset key generation template to generate the first combined key and the second combined key.
Filling the first negotiation key, the intermediate negotiation key and the second negotiation key into the preset key generation template based on the encoded information values to generate the first combined key and the second combined key includes:
The key generation template includes a first slot, a second slot and a third slot. The key generation template may be □-□-□, where the first box is the first slot of the template, the second box is the second slot and the third box is the third slot.
If the encoded information value of the first power distribution terminal is greater than that of the second power distribution terminal, the first combined key is placed in the first slot, the second combined key is placed in the third slot, and the relay key is placed in the second slot.
When the first negotiation key, the intermediate negotiation key and the second negotiation key are filled into the key generation template, their positions may be determined from the encoded information value of each power distribution terminal. For example, if the encoded information value of the first power distribution terminal is 11100 and that of the second power distribution terminal is 11421, the second terminal's value is greater than the first terminal's. The present invention then fills the first negotiation key, which corresponds to the first power distribution terminal, into the third slot and the second negotiation key, which corresponds to the second power distribution terminal, into the first slot. The first combined key and the second combined key are then: the digits of the second negotiation key - the digits of the relay key - the digits of the first combined key.
The first negotiation key, the intermediate negotiation key and the second negotiation key are sorted according to the encoded information of the first and second power distribution terminals and the sorted result is filled into the corresponding slots, so that the first negotiation key, the intermediate negotiation key and the second negotiation key can be combined quickly into a combined key, improving the efficiency of combined key generation.
Step S150: if the relay device determines that the first combined key and the second combined key are the same, the first power distribution terminal and the second power distribution terminal establish a data transmission channel based on the first combined key and/or the second combined key.
In the technical solution provided by the present invention, as shown in Figure 3, step S150 specifically includes:
Step S1501: after generating the first combined key and the second combined key, the first power distribution terminal and the second power distribution terminal each send their key to the relay device. That is, each terminal sends the combined key it generated to the relay device for verification.
Step S1502: if the relay device determines that the first combined key and the second combined key are the same, it sends a request instruction to the first power distribution terminal and a receive instruction to the second power distribution terminal. When the first combined key and the second combined key are the same, the relay device, acting as a third party, sends the corresponding instructions to the first and second power distribution terminals. Before sending the instructions, the relay device determines the relationship between the encoded information values of the first and second power distribution terminals; the present invention takes the terminal with the larger encoded information value as the second power distribution terminal and the terminal with the smaller encoded information value as the second power distribution terminal. This setting lets the relay device fix the way in which the data transmission channel between the first and second power distribution terminals is established, namely by sending a request instruction to the first power distribution terminal and a receive instruction to the second power distribution terminal.
Step S1503: after receiving the request instruction, the first power distribution terminal requests the second power distribution terminal to establish a data transmission channel, using the first combined key as the basis of the request. In the technical solution provided by the present invention, the first power distribution terminal asks the second power distribution terminal to establish a data transmission channel with it once it has received the request instruction.
Step S1504: the second power distribution terminal receives the first power distribution terminal's request on the basis of the receive instruction and verifies the first combined key against the second combined key; if the first combined key is the same as the second combined key, the first and second power distribution terminals establish a data transmission channel based on the first combined key. That is, after receiving the request, the second power distribution terminal verifies the first combined key sent by the first power distribution terminal, and when it matches the second combined key the two terminals establish the data transmission channel. The encryption key for the data transmitted over this channel is the first combined key.
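The following added example (not code from the patent) walks through the parts of steps S120 to S150 that the text specifies numerically: time quantization, the intermediate negotiation key as the sum of two channel-establishment times, the three-slot template ordered by encoded information value, and the relay's equality check. The two negotiation-key values are constructed placeholders because the formula is not reproduced on this page; treating the template's "-" as a literal separator, placing the intermediate negotiation key in the middle slot, and comparing in constant time are assumptions.

```python
import hmac
from datetime import datetime, time

# Encoded information values used as examples in the text.
CODE_1 = 11100   # first power distribution terminal
CODE_2 = 11421   # second power distribution terminal

# Constructed placeholders: the page does not reproduce the formula that
# produces the negotiation keys, so these values are illustrative only.
NEG_KEY_1 = 731946205518
NEG_KEY_2 = 905127733064


def quantize_datetime(moment: datetime) -> int:
    """Quantize a timestamp as in S120: 2020-10-15 12:19 -> 202010151219."""
    return int(moment.strftime("%Y%m%d%H%M"))


def quantize_time_of_day(moment: time) -> int:
    """Read HH:MM:SS as one integer: 07:52:57 -> 75257, 10:02:37 -> 100237."""
    return int(moment.strftime("%H%M%S"))


def intermediate_key(first_channel_up: time, second_channel_up: time) -> int:
    """Intermediate negotiation key = first moment + second moment."""
    return (quantize_time_of_day(first_channel_up)
            + quantize_time_of_day(second_channel_up))


def combine(code_a: int, key_a: int, code_b: int, key_b: int, middle: int) -> str:
    """Fill the three-slot template (S140).

    The key of the terminal with the larger encoded information value goes in
    slot 1, the other terminal's key in slot 3. Assumption: the middle slot
    holds the intermediate negotiation key and "-" is a literal separator.
    """
    if code_a == code_b:
        # The text states that every terminal has a unique encoded value.
        raise ValueError("encoded information values must be unique")
    slot_1, slot_3 = (key_a, key_b) if code_a > code_b else (key_b, key_a)
    return "-".join(str(part) for part in (slot_1, middle, slot_3))


def relay_accepts(combined_1: str, combined_2: str) -> bool:
    """Relay check of S1502. The constant-time comparison is an assumption;
    the text only requires that the two combined keys be the same."""
    return hmac.compare_digest(combined_1.encode(), combined_2.encode())


def negotiate(middle_at_terminal_1: int, middle_at_terminal_2: int):
    """Each terminal builds its combined key from what it received; the relay
    then compares them. Returns (first_combined, second_combined, accepted)."""
    first_combined = combine(CODE_1, NEG_KEY_1, CODE_2, NEG_KEY_2,
                             middle_at_terminal_1)
    second_combined = combine(CODE_1, NEG_KEY_1, CODE_2, NEG_KEY_2,
                              middle_at_terminal_2)
    return first_combined, second_combined, relay_accepts(first_combined,
                                                          second_combined)


if __name__ == "__main__":
    mid = intermediate_key(time(7, 52, 57), time(10, 2, 37))
    print("quantized time:", quantize_datetime(datetime(2020, 10, 15, 12, 19)))
    print("intermediate negotiation key:", mid)
    print("matching inputs:", negotiate(mid, mid))
    # A terminal holding a different intermediate value fails the relay check.
    print("mismatched inputs:", negotiate(mid, mid + 1))
```
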
Embodiments of the present invention further provide a point-to-point key agreement device for power distribution terminals based on a quantum secure channel, comprising a first power distribution terminal, a second power distribution terminal and a relay device. The first power distribution terminal, the second power distribution terminal and the relay device are each connected to the quantum network basic platform, and key negotiation between the first and second power distribution terminals is performed through the following modules. As shown in FIG. 4, the point-to-point key agreement device for power distribution terminals specifically includes:
A first channel establishment module, configured to cause the first power distribution terminal and the relay device to establish a first channel based on the received first transmission key and relay key, and the second power distribution terminal and the relay device to generate a second channel based on the received second transmission key and relay key;
A first key negotiation module, configured to cause the first power distribution terminal to generate a first negotiation key based on the attribute information and data capture information at the current moment, the first negotiation key being transmitted to the relay device over the first channel; the relay device generates an intermediate negotiation key based on the attributes of the first channel and the second channel, and sends the first negotiation key and the intermediate negotiation key to the second power distribution terminal;
A second key negotiation module, configured to cause the second power distribution terminal to generate a second negotiation key based on the attribute information and data capture information at the current moment, the second negotiation key being transmitted to the relay device over the second channel; the relay device generates an intermediate negotiation key based on the attributes of the second channel and the first channel, and sends the second negotiation key and the intermediate negotiation key to the first power distribution terminal;
A combination module, configured to cause the first power distribution terminal and the second power distribution terminal to generate a first combined key and a second combined key, respectively, based on the first negotiation key, the intermediate negotiation key and the second negotiation key;
A second channel establishment module: if the relay device determines that the first combined key and the second combined key are the same, the first power distribution terminal and the second power distribution terminal establish a data transmission channel based on the first combined key and/or the second combined key.
In another embodiment of the present invention, as shown in FIG. 5, the shared key between the quantum CPE and the i-th power distribution terminal  is set as . Secure channels now need to be established pairwise between power distribution terminals, for example a secure channel between power distribution terminal  and power distribution terminal  (that is, using  and  to negotiate a shared key for  and ). A key agreement mechanism between power distribution terminals is designed. Key agreement between two power distribution terminals is divided into three stages: in the first stage,  passes  to  through the relay of the quantum CPE; in the second stage,  likewise passes  to  through the quantum CPE; finally, in the third stage, both parties use the same hash function to derive a consistent shared key. The specific content exchanged by the two parties is shown in the following table:
Basic idea:
(1) Step 001:  randomly generates a number  and sends N_i to the quantum CPE over the secure quantum channel between  and the quantum CPE.
(2) Step 002: the quantum CPE forwards N_i to  over the secure quantum channel between itself and .
(3) Step 003:  randomly generates a number  and sends  to the quantum CPE over the secure quantum channel between  and the quantum CPE.
(4) Step 004: the quantum CPE forwards  to  over the secure quantum channel between itself and .
(5) If the preceding four steps complete without error,  and  each compute . The resulting K is the shared key between  and .
(6) Step 005: if a network failure or transmission error occurs, any party can transmit ERROR message No. 005 to the other two. The party that receives the RST clears the previously established message queue, forcing the parties that just took part in the negotiation to restart key negotiation from message No. 001.
In another embodiment of the present invention, as shown in FIG. 6, it is assumed that the secure channel between power distribution terminals  and  has been established and that the shared key is K. The security and correctness of the negotiated key K now need to be verified, to ensure the correctness of the key agreement result. The verification process between the two power distribution terminals is divided into four stages. In the first stage,  uses a hash function to map the shared key K and the public key  of the other party  to a value , and then sends it to  over the secure channel the two parties have just established. In the second stage, after  receives , it verifies whether hashing its own public key  together with the shared key K that it computed itself yields the same t value. If verification passes, the process enters the third stage; otherwise key agreement has failed and message No. 005 is sent to renegotiate. In the third stage,  uses a hash function to map the shared key K and the public key  of the other party  to a value , and sends  to . In the fourth stage, after  receives , it verifies whether hashing its own public key  together with the shared key K that it computed itself yields the same t value. If they are equal, verification passes; otherwise key agreement has failed and message No. 005 is sent to renegotiate. The specific content exchanged is shown in the following table:
Basic idea:
(1) Step 006:  computes  and sends  to .
(2) Step 007: after  receives , it computes  and checks whether  equals . If they are equal, verification passes; otherwise key agreement has failed and message No. 005 is sent to renegotiate.
If verification passes, the process goes to step 008:  computes  and sends  to .
(3) Step 009: after  receives , it computes  and checks whether  equals . If they are equal, verification passes; otherwise key agreement has failed and message No. 005 is sent to renegotiate.
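The two exchanges above (messages 001 to 004, then 006 to 009, with 005 as the reset) can be walked through in code. This is an added example, not code from the patent: the page's formulas did not survive, so the key derivation K = SHA-256(N_i, N_j), the HMAC-SHA-256 confirmation tag standing in for the unspecified hash function, the symbol N_j, and all class and function names are assumptions, and the quantum-secured links are modelled as plain function calls.

```python
import hashlib
import hmac
import secrets

def _enc(*parts: bytes) -> bytes:
    """Length-prefix each field so field boundaries cannot be shifted."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

class Terminal:
    def __init__(self, name: str, public_key: bytes):
        self.name, self.public_key = name, public_key
        self.nonce = self.peer_nonce = self.key = None
        self.queue = []                       # message numbers seen in this run

    def make_nonce(self) -> bytes:            # steps 001 / 003
        self.nonce = secrets.token_bytes(32)
        return self.nonce

    def receive_nonce(self, msg_no: str, nonce: bytes) -> None:  # steps 002 / 004
        self.queue.append(msg_no)
        self.peer_nonce = nonce

    def derive_key(self, initiator: bool) -> bytes:
        # Assumed KDF: both sides hash (N_i, N_j) in the same fixed order.
        if initiator:
            n_i, n_j = self.nonce, self.peer_nonce
        else:
            n_i, n_j = self.peer_nonce, self.nonce
        self.key = hashlib.sha256(_enc(b"kdf", n_i, n_j)).digest()
        return self.key

    def _tag(self, public_key: bytes) -> bytes:
        # Assumed tag: keyed hash of a public key under K.
        return hmac.new(self.key, _enc(b"confirm", public_key), hashlib.sha256).digest()

    def tag_for(self, peer_public_key: bytes) -> bytes:   # steps 006 / 008
        return self._tag(peer_public_key)

    def check_tag(self, tag: bytes) -> bool:               # steps 007 / 009
        # Recompute over our own public key; compare in constant time.
        return hmac.compare_digest(self._tag(self.public_key), tag)

    def reset(self) -> None:                                # message 005
        self.nonce = self.peer_nonce = self.key = None
        self.queue.clear()

def relay(nonce: bytes, corrupt: bool = False) -> bytes:
    """Quantum CPE forwarding hop; corrupt=True models a transmission error."""
    return bytes([nonce[0] ^ 1]) + nonce[1:] if corrupt else nonce

def negotiate(a: Terminal, b: Terminal, corrupt: bool = False) -> str:
    b.receive_nonce("002", relay(a.make_nonce()))           # 001 then 002
    a.receive_nonce("004", relay(b.make_nonce(), corrupt))  # 003 then 004
    a.derive_key(initiator=True)
    b.derive_key(initiator=False)
    # 006/007: a proves knowledge of K to b; 008/009: b proves it to a.
    if b.check_tag(a.tag_for(b.public_key)) and a.check_tag(b.tag_for(a.public_key)):
        return "established"
    a.reset()                                               # 005: both sides drop
    b.reset()                                               # state, restart at 001
    return "005"

if __name__ == "__main__":
    t_i = Terminal("T_i", b"constructed-public-key-i")      # constructed sample values
    t_j = Terminal("T_j", b"constructed-public-key-j")
    print(negotiate(t_i, t_j), negotiate(t_i, t_j, corrupt=True))
```

Under the assumed derivation the relaying CPE handles both nonces and could compute K itself, so it has to be treated as a trusted component of the scheme.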
The readable storage medium may be a computer storage medium or a communication medium. Communication media include any medium that facilitates the transfer of a computer program from one place to another. Computer storage media may be any available media that can be accessed by a general-purpose or special-purpose computer. For example, a readable storage medium is coupled to the processor so that the processor can read information from, and write information to, the readable storage medium. The readable storage medium may also be an integral part of the processor. The processor and the readable storage medium may be located in an application-specific integrated circuit (ASIC), and the ASIC may in turn be located in user equipment. The processor and the readable storage medium may also exist in a communication device as discrete components. The readable storage medium may be read-only memory (ROM), random access memory (RAM), a CD-ROM, magnetic tape, a floppy disk, an optical data storage device, and the like.
The present invention also provides a program product that includes execution instructions stored in a readable storage medium. At least one processor of a device can read the execution instructions from the readable storage medium, and execution of the instructions by the at least one processor causes the device to implement the methods provided by the various embodiments described above.
In the above embodiments of the terminal or server, it should be understood that the processor may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), and so on. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in connection with the present invention may be carried out directly by a hardware processor, or by a combination of hardware and software modules in the processor.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in those embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111335330.2A CN113784345B (en) | 2021-11-11 | 2021-11-11 | Power distribution terminal point-to-point key negotiation method and device based on quantum secure channel |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113784345A (en) | 2021-12-10 |
CN113784345B (en) | 2022-02-08 |
Family
ID=78956895
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111335330.2A Active CN113784345B (en) | 2021-11-11 | 2021-11-11 | Power distribution terminal point-to-point key negotiation method and device based on quantum secure channel |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113784345B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN113784345A (en) | 2021-12-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||