CN114124369B - Multi-group quantum key cooperation method and system - Google Patents

Multi-group quantum key cooperation method and system Download PDF

Info

Publication number
CN114124369B
CN114124369B CN202111088440.3A CN202111088440A CN114124369B CN 114124369 B CN114124369 B CN 114124369B CN 202111088440 A CN202111088440 A CN 202111088440A CN 114124369 B CN114124369 B CN 114124369B
Authority
CN
China
Prior art keywords
key
password
service
information
management system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111088440.3A
Other languages
Chinese (zh)
Other versions
CN114124369A (en
Inventor
王家勇
张雪松
杨勇华
李晋
王涛
李淼
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cas Quantum Network Co ltd
Original Assignee
Cas Quantum Network Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cas Quantum Network Co ltd filed Critical Cas Quantum Network Co ltd
Priority to CN202111088440.3A priority Critical patent/CN114124369B/en
Publication of CN114124369A publication Critical patent/CN114124369A/en
Application granted granted Critical
Publication of CN114124369B publication Critical patent/CN114124369B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention provides a method and a system for cooperating a plurality of groups of quantum keys, wherein a password module and a key management system acquire a quantum key group and generate a key group serial number S; the password service client obtains S of the password module and the secret key cooperative parameter SF, generates information M1 and sends the secret key management system; the key management system analyzes the message M1 to obtain a key position P and a key KP, generates a random number RS, generates information M2 and sends a password module by a password service client; the password module analyzes the information M2 to obtain a key position P, a key KP2 and an RS1, generates a random number RC and generates information M3 together with the RS1, and the information M3 is sent to the password management system by the password service client; the key management system analyzes and verifies the information M3, obtains RC1 and RS2, calculates a transmission key, and establishes a (S, P) -based password index; the business program client side calls the password encryption and decryption service of the password module by the password service client side, and the business program server side calls the password management system encryption and decryption service.

Description

Multi-group quantum key cooperation method and system
Technical Field
The invention relates to the field of quantum key usage, in particular to a method and a system for cooperatively using a plurality of groups of keys.
Background
Conventional cryptographic techniques are classified into symmetric algorithms and asymmetric algorithms. With the rapid development of quantum technology, the difficulty of breaking through by the traditional asymmetric algorithm is greatly reduced, and the asymmetric algorithm RSA and the elliptic algorithm according to NIST official document have been listed as unsafe algorithms.
Aiming at the post quantum age, the method can improve the cracking difficulty of a system and the safety of data transmission by combining the Quantum Key Distribution (QKD) technology with the existing symmetric encryption algorithm. However, if the symmetric key is used for a long time, the risk of cracking is relatively high
At present, the quantum key distribution speed of Quantum Key Distribution (QKD) is relatively slow, and the quantum key distribution system (QKD) is not timely in the weak network or the off-network, so that the real-time key requirements of a mass service system and a rapid data transmission system cannot be met. Aiming at the problem, a batch of sub-keys can be generated and preset in the application, so that the application is convenient. Such a scheme also has a problem of how both parties of the communication determine the key used by the service.
Aiming at the problem in the use process of the quantum key distribution multi-group key, the invention realizes the safety protection of the opposite-end key by pre-storing the batch quantum keys into the safety chip and the key management system, and constructs a key cooperation protocol between the safety chip and the key management system, thereby ensuring the safety and reliability of the key cooperation process. The scheme improves the convenience and the safety of key use based on a QKD mechanism.
Disclosure of Invention
Based on the foregoing, it is necessary to provide a method and a system for cooperatively using multiple sets of keys.
The invention provides a multi-group quantum key cooperation method, which comprises the following steps:
the cryptographic module and the key management system obtain the same quantum key set from a quantum key distribution system (QKD) and generate a key set serial number based on preset information;
the password service client obtains a password module key group serial number S and a key cooperative parameter SF, generates information M1 based on the key group serial number S and the key cooperative parameter SF and sends a key management system;
the key management system analyzes the message M1 to obtain a key position P and a key KP, generates a random number RS, generates information M2 based on the key position P, the key KP and the random number RS, and sends the information M2 to the password service client;
the password module receives and analyzes the information M2 from the password service client to obtain a key position P, a key KP2 and a random number RS1, generates a random number RC and generates information M3 together with the random number RS1 by the password module, and the information M3 is sent to the password management system by the password service client;
the key management system analyzes and verifies the information M3 to obtain a random number RC1 and a random number RS2, calculates a transmission key based on a key cooperative parameter SF, the random number RC1 and the random number RS2, and establishes a (S, P) -based password index;
the business program client side calls the password encryption and decryption service of the password module by the password service client side, and the business program service side calls the password management system encryption and decryption service by calling the key group serial number.
Based on the above, the cryptographic module and the key management system obtain the same quantum key set from a quantum key distribution system (QKD), specifically comprising:
the cryptographic module and the key management system simultaneously obtain the same number of quantum keys in the same order from the quantum key distribution system.
Based on the above, the generating the key set serial number based on the preset information specifically includes:
and carrying out summary calculation on the combination of all key information in the quantum key group through the preset information, wherein the preset information is a summary algorithm, and the summary algorithm is any one of SHA1, SM3, SHA256 and MD 5.
Based on the above, the key cooperation parameter SF at least includes a one-way function H for generating a transmission key and a line encryption and decryption function LF; the one-way function H of the transmission key is a digest algorithm and a symmetric encryption algorithm; the line encryption and decryption function LF is a symmetric encryption algorithm and is used for encrypting information in a key cooperation process, and is preferably AES.
Based on the above, the generating information M1 based on the key group serial number S and the key cooperation parameter SF specifically includes:
and splicing the key group serial number S and the key cooperative parameter SF to generate information M1, wherein the splicing mode is S||SF.
Based on the above, the key management system parses the message M1 to obtain the key position P and the key KP, which specifically includes:
acquiring a key group serial number S based on the M1 information, and acquiring a quantum key group through the key group serial number S;
generating a key position P based on a random mode, and finding a key KP of the position from a quantum key group of the key group serial number S based on the key position P; the random manner is preferably obtained by performing a modulo operation on a random number R generated by the key management system and a length len of a key set with a key set serial number S, i.e. a key position p= (R mod len) +1.
Based on the above, the information M2 is generated based on the key position P, the key KP, and the random number RS, and specifically includes:
generating information M2 from the key position P, the key KP and the random number RS through a calculation formula LF (KP, RS) ||P, namely encrypting the random number RS by using the KP key as an encryption key through the line encryption and decryption function LF to obtain LF (KP, RS), and splicing the key position P.
Based on the above, the cryptographic module receives and parses the information M2 from the cryptographic service client, and specifically includes:
the password module obtains a password position P from M2, obtains a key KP2 of the position from the quantum key group based on the password position P, takes the key KP2 as a decryption key and decrypts LF (KP, RS) through the line encryption and decryption function LF to obtain RS1.
Based on the above, the cryptographic module generates the random number RC and generates the information M3 together with the random number RS1, specifically including:
and splicing the random number RC and the random number RS1 to obtain RC|RS 1, and encrypting by using the key KP2 as an encryption key through the line encryption and decryption function LF to generate LF (KP 2, RC|RS1), namely the information M3.
Based on the above, the key management system parses and verifies the M3 information, which specifically includes:
and the key management system takes the key KP as a decryption key, decrypts M3 through the line encryption and decryption function LF to obtain splicing information RC 1I RS1 of two random numbers RC1 and RS2, compares the random number RS2 with the random number RS, and passes verification if the random numbers RS2 and RS are equal.
Based on the above, the specific implementation of calculating the transmission key based on the key cooperative parameter SF, the random number RC1, and the random number RS2 is as follows: h (RC 1I RS 2), namely, calculating splicing information of RC1 and RS2 by a one-way function.
Based on the above, establishing a (S, P) -based password index specifically includes:
and establishing a ternary array of the key group serial number S, the key position P and the transmission key, and { the key group serial number S, the key position P and the transmission key }, so that a subsequent key management system provides the key group serial number S based on the service program server, obtains the transmission key through a key index (S, P), and provides encryption and decryption services for the service program server.
Based on the above, the service program client calls the password encrypting and decrypting service of the password module by the password service client, and the service program server calls the password management system encrypting and decrypting service by calling the key group serial number, which specifically comprises:
the service program client sends an encryption request of the service DATA DATA to the password service client, and the password service client sends an encryption request of the service DATA DATA to the password module;
the cryptographic module calculates a transmission key KT based on a key cooperative parameter SF, a random number RC and a random number RS1, encrypts service DATA DATA by using the transmission key and a agreed encryption algorithm to generate a service ciphertext M4, and returns the service ciphertext to the cryptographic service client;
the password service client generates a service message S I M by using the key group serial number S and the connection number of the service ciphertext data M4;
the business program client sends a business message S M to the business program server;
the service program server side sends a decryption request of the service message S I M to the key management system;
the key management system analyzes the service message S I M to obtain a key group serial number S and a service ciphertext M, obtains a transmission key KT1 through a key index (S, P), decrypts the ciphertext M by using the transmission key KT1 and a contract decryption algorithm to obtain service DATA DATA, and transmits the service DATA DATA to a service program server; the agreed encryption and decryption algorithm can be one of AES and 3 DES.
The invention also discloses a system using system of the multi-group quantum key, which is used for realizing the system using method of the multi-group quantum key, and the system comprises the following steps: the system comprises a password module, a password service client and a key management system.
The invention solves the problems that the quantum key distribution speed of the quantum key distribution system (QKD) is relatively slow and the application system cannot timely and effectively obtain the quantum key under weak network or off network by obtaining the same key group from the quantum key distribution system (QKD) in advance in the cryptographic module and the key management system and storing the key group into the cryptographic module or the key management system. The invention establishes the key group corresponding relation between the cipher module and the key management system based on the key group serial number and the key group corresponding relation between the cipher module and the key management system based on the same key group serial number by generating the key group serial number based on the preset information through the cipher module and the key management system, solves the problem of the corresponding relation between the key management system, the cipher module and the key group in the scenes of on-line, off-line and the like, and realizes the management of a plurality of key groups by the key management system. The invention realizes the key system between the password module and the key management system based on the key group serial number, generates the transmission key based on the key cooperative parameter SF in the password management system and the password module, hides the realization process of the transmission key for other key system sides (such as a password service client, a business application client and a business application server) and network equipment, increases the difficulty of cracking the transmission password and improves the security of the transmission password; according to the invention, the random number RC generated by the key position P, the password module and the random number RS generated by the key management system are randomly selected as key materials, and the transmission key is generated together with the quantum key, so that the randomness of the transmission key is increased, the entropy of the transmission key is increased, and the security of the transmission key is improved.
According to the invention, the random number RC is generated by the password module, the random number RS is generated by the key management system to participate in the key cooperation process, and the randomness in the cooperation process is improved, so that the difficulty of cracking information is improved. By comprehensively utilizing the technology, the invention solves the possible problems of a quantum key distribution system (QKD) and the safety problem in the cooperative use process of a plurality of groups of keys, improves the application universality of the quantum keys and improves the safety of the transmission keys.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a multi-group quantum key co-operation method of the present invention.
Fig. 2 is a flow chart of an implementation of the present invention involving the cooperation of multiple sets of quantum keys.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments, and all other embodiments obtained by those skilled in the art without making any inventive effort based on the embodiments of the present invention are within the scope of protection of the present invention.
As shown in fig. 1, a first aspect of the present invention proposes a multi-group quantum key cooperation method, which includes the following steps:
1. the cryptographic module and the key management system obtain the same quantum key set from a quantum key distribution system (QKD) and generate a key set serial number based on preset information.
2. The password service client obtains a password module key group serial number S and a key cooperative parameter SF, generates information M1 based on the key group serial number S and the key cooperative parameter SF and sends a key management system;
3. the key management system analyzes the message M1 to obtain a key position P and a key KP, generates a random number RS, generates information M2 based on the key position P, the key KP and the random number RS, and sends the information M2 to the password service client;
4. the password module receives and analyzes the information M2 from the password service client to obtain a key position P, a key KP2 and a random number RS1, generates a random number RC and generates information M3 together with the random number RS1 by the password module, and the information M3 is sent to the password management system by the password service client;
5. the key management system analyzes and verifies the information M3 to obtain a random number RC1 and a random number RS2, calculates a transmission key based on a key cooperative parameter SF, the random number RC1 and the random number RS2, and establishes a (S, P) -based password index;
6. the business program client side calls the password encryption and decryption service of the password module by the password service client side, and the business program service side calls the password management system encryption and decryption service by calling the key group serial number.
The invention solves the problems of low speed of a quantum key distribution system (QKD) and weak network by presetting the same quantum key group; the key group serial number is generated based on preset information, so that the key corresponding relation between the two parties is established based on the key group serial number and the key group serial number which are cooperatively generated by the cryptographic module and the key management system without connection. The invention realizes the key system between the password module and the key management system based on the key group serial number, generates the transmission key based on the key cooperative parameter SF in the password management system and the password module, hides the realization process of the transmission key for other key system sides (such as a password service client, a business application client and a business application server) and network equipment, increases the difficulty of cracking the transmission password and improves the security of the transmission password; according to the invention, the random number RC generated by the password module and the random number RS generated by the key management system are used as key materials to generate the transmission key together with the quantum key, so that the randomness of the transmission key is increased, the entropy of the transmission key is increased, and the security of the transmission key is improved.
Based on the above, the cryptographic module and the key management system obtain the same quantum key set from a quantum key distribution system (QKD), specifically comprising:
the cryptographic module and the key management system simultaneously obtain the same number of quantum keys in the same order from the quantum key distribution system.
Based on the above, the generating the key set serial number based on the preset information specifically includes:
and carrying out summary calculation on the combination of all key information in the quantum key group through the preset information, wherein the preset information is a summary algorithm, and the summary algorithm is any one of SHA1, SM3, SHA256 and MD 5.
The invention carries out summary calculation on the keys in the quantum key group through a summary algorithm, the calculation result is the key group serial number, and the key serial numbers calculated by the two parties are the same because the key management system and the cipher modules have the same number and the same sequence of quantum keys. By the method, the consistent key group serial number is formed under the condition that the password module and the key management system do not negotiate, the unique correspondence between the quantum key group and the key group serial number is realized, the synchronization of the key group information is realized under the condition that the password module and the key management system do not have information interaction, and the convenience, the usability and the reliability of the system are improved.
Based on the above, the key cooperation parameter SF at least includes a one-way function H for generating a transmission key and a line encryption and decryption function LF; the one-way function H of the transmission key is a digest algorithm and a symmetric encryption algorithm; the line encryption and decryption function LF is a symmetric encryption algorithm and is used for encrypting information in a key cooperation process, and is preferably AES.
The invention realizes the algorithm of the cipher module and the key management system in the key cooperation process and the transmission key generation algorithm through the key cooperation parameter SF, conceals the realization process for the parts outside the cipher module and the key management system, and improves the safety of the system by adopting the approved algorithm.
Based on the above, the generating information M1 based on the key group serial number S and the key cooperation parameter SF specifically includes:
and splicing the key group serial number S and the key cooperative parameter SF to generate information M1, wherein the splicing mode is S||SF.
Based on the above, the key management system parses the message M1 to obtain the key position P and the key KP, which specifically includes:
acquiring a key group serial number S based on the M1 information, and acquiring a quantum key group through the key group serial number S;
generating a key position P based on a random mode, and finding a key KP of the position from a quantum key group of the key group serial number S based on the key position P; the random manner is preferably obtained by performing a modulo operation on a random number R generated by the key management system and a length len of a key set with a key set serial number S, i.e. a key position p= (R mod len) +1.
The invention realizes the positioning of the key group by the key management system through the key group serial number S, and generates the key position P in a random mode, thereby realizing the random selection of the quantum key and improving the security of the transmission key.
Based on the above, the information M2 is generated based on the key position P, the key KP, and the random number RS, and specifically includes:
generating information M2 from the key position P, the key KP and the random number RS through a calculation formula LF (KP, RS) ||P, namely encrypting the random number RS by using the KP key as an encryption key through the line encryption and decryption function LF to obtain LF (KP, RS), and splicing the key position P.
Based on the above, the cryptographic module receives and parses the information M2 from the cryptographic service client, and specifically includes:
the password module obtains a password position P from M2, obtains a key KP2 of the position from the quantum key group based on the password position P, takes the key KP2 as a decryption key and decrypts LF (KP, RS) through the line encryption and decryption function LF to obtain RS1.
Based on the above, the cryptographic module generates the random number RC and generates the information M3 together with the random number RS1, specifically including:
and splicing the random number RC and the random number RS1 to obtain RC|RS 1, and encrypting by using the key KP2 as an encryption key through the line encryption and decryption function LF to generate LF (KP 2, RC|RS1), namely the information M3.
In the invention, in the cooperative process of the password module and the key management system, the random numbers RC and RS are added, so that the anti-attack capability in the communication process is improved, meanwhile, in the communication process, the quantum keys preset in the password module and the key management system are adopted for encryption aiming at the random numbers, the cracking difficulty of transmission data is increased, and the transmission safety in the cooperative process is improved.
Based on the above, the key management system parses and verifies the M3 information, which specifically includes:
and the key management system takes the key KP as a decryption key, decrypts M3 through the line encryption and decryption function LF to obtain splicing information RC 1I RS1 of two random numbers RC1 and RS2, compares the random number RS2 with the random number RS, and passes verification if the random numbers RS2 and RS are equal.
Based on the above, the specific implementation of calculating the transmission key based on the key cooperative parameter SF, the random number RC1, and the random number RS2 is as follows: h (RC 1I RS 2), namely, calculating splicing information of RC1 and RS2 by a one-way function.
Based on the above, establishing a (S, P) -based password index specifically includes:
and establishing a ternary array of the key group serial number S, the key position P and the transmission key, and { the key group serial number S, the key position P and the transmission key }, so that a subsequent key management system provides the key group serial number S based on the service program server, obtains the transmission key through a key index (S, P), and provides encryption and decryption services for the service program server.
The invention calculates the splicing information of RC1 and RS2 through the one-way function to obtain the transmission key, increases the entropy value of the transmission key, improves the safety of the transmission key, realizes the establishment of the (S, P) key index, facilitates the inquiry and use of the transmission key by the key management system, and improves the usability and convenience of the system.
Based on the above, the service program client calls the password encrypting and decrypting service of the password module by the password service client, and the service program server calls the password management system encrypting and decrypting service by calling the key group serial number, which specifically comprises:
the service program client sends an encryption request of the service DATA DATA to the password service client, and the password service client sends an encryption request of the service DATA DATA to the password module;
the cryptographic module calculates a transmission key KT based on a key cooperative parameter SF, a random number RC and a random number RS1, encrypts service DATA DATA by using the transmission key and a agreed encryption algorithm to generate a service ciphertext M4, and returns the service ciphertext to the cryptographic service client;
the password service client generates a service message S I M4 by using the key group serial number S and the connection number of the service ciphertext data M4;
the business program client sends a business message S M4 to the business program server;
the service program server side sends a decryption request of a service message S I M4 to the key management system;
the key management system analyzes the service message S I M4 to obtain a key group serial number S and a service ciphertext M4, obtains a transmission key KT1 through a key index (S, P), decrypts the ciphertext M by using the transmission key KT1 and a contract decryption algorithm to obtain service DATA DATA, and transmits the service DATA DATA to a service program server; the agreed encryption and decryption algorithm can be one of AES and 3 DES.
The invention realizes transparent encryption transmission service between the business program client and the business program server. The service program realizes encryption and decryption processing of service data through the password service client and encapsulates a service message S I M containing a key group serial number; and the service program server side calls a key management system to realize encryption of data. The transmission key is not required to be managed for the service program, so that the method is convenient and easy to use. The transmission key and the data encryption are carried out in high-security environments such as a cryptographic module and a key management system, so that the difficulty of cracking is improved, and the security of service data transmission is improved.
In order to further explain the technical solution of the present invention, fig. 2 shows a method for cooperatively using multiple sets of quantum keys according to another embodiment of the present invention, which specifically includes the following steps:
1. the cryptographic service client invokes the cryptographic module to generate a key co-request message M1. Prior to this, the cryptographic module and key management system have completed the generation of a key set, the cryptographic module and key management system obtaining the same quantum key set from the quantum key distribution system (QKD), generating the same key sequence number;
2. the cryptographic module generates a key co-message M1. The cryptographic module obtains a key group serial number S of the cryptographic module and generates a key cooperative parameter SF, wherein a one-way function H and a line encryption and decryption function LF of a transmission key in the key cooperative parameter are set as a symmetric encryption algorithm AES. The cryptographic module returns a message M1;
3. the cipher service client saves S, composes a message M1, and sends the M1 message to the key management system. The password service client and the key management system adopt an industry universal technology when carrying out key cooperative communication, so that a secure transmission channel based on SSL is realized, and a session mechanism of key cooperation is realized;
4. the key management system analyzes the M1 message to obtain a key group serial number S, and searches the key group according to the key group serial number. The key management system generates a random number, and obtains a key position P by adding 1 after modulus is carried out on the random number and the key group length, and obtains a key KP based on the key position information. And meanwhile, the key management system adopts a key KP to carry out AES encryption calculation on a random number RC generated by the key management system, and the calculated result and a key position P generate key information M2. The random number RC is adopted, so that the message is prevented from being intercepted and replaced in the transmission process, and the hour transmission process is prevented from being cracked through an encryption mechanism;
5. the password service client receives the message M2 of the key management system and transmits the message to the password module;
6. the cryptographic module analyzes the message M2 to obtain a key position P, obtains a key KP2 by searching a local key group, and decrypts encrypted data in the M2 by adopting the key KP2 as a decryption key to obtain a random number RS1. Since the cryptographic module and the key management system have the same quantum key group, the number of keys and the key sequence are the same, all KP2 and KP are the same, and the same RS1 and RS are also the same. The password module generates a random number RC, the RC and the RS1 are spliced, encryption of an AES algorithm is realized by taking KP2 as a secret key, and information M3=AES (KP 2, RC||RS1) is formed;
7. the password module sends M3 information to the password service client, and the password service client sends the information M3 to the key management system;
8. the key management system receives the M3 message, adopts the key KP, decrypts through the AES algorithm to obtain the random numbers RC1 and RS2, verifies whether RS2 is equal to RS, generates a transmission key if the RS2 is equal to RS, and establishes a key index. It can be known from step 6 that the key KP2 of the cryptographic module is substantially identical to the key KP of the key management system, and that all decrypted information random numbers RC1 are substantially identical to RC, and RS2 is substantially identical to RS. The key management system adopts RC1 as a key and encrypts RS2 as a transmission key. The key index of the ternary array of the { key group index S, the key position P and the transmission key } is established and is used for calling encryption and decryption service application by the service end of the business program in the future;
9. the service program client sends the DATA DATA to the password management client for encryption, and the password management client sends the service DATA DATA to the password module. In this embodiment the business program client is only executing encrypted business. When the business system needs to do encryption and decryption service, the business program client and the password service client establish a transmission session based on the prior art and agree on command formats such as encryption, decryption and the like. The service program client side can send an encryption instruction at the same time when sending service DATA DATA;
10. the password management client sends a service DATA encryption request. In this embodiment, the service system client only has encrypted services. If the service program client has decryption or more password services, the password service client and the password module can transmit service data and encryption and decryption operations between the key service client and the password module based on the prior art;
11. the encryption module takes a random number RC as a key to encrypt RS1 by adopting AES to obtain a transmission key KT, and adopts AES-based encryption to the service DATA DATA by using the transmission key KT;
12. the password service client receives decryption information AES (KT, DATA) of the password module, generates a service message S I M4, and sends the service message S I M4 to the service program client to complete encryption;
13. the business program client sends a business message S M4 to the business program server; the service program server side sends a decryption request to the key management system.
14. The key management system inquires about the obtained transmission key and decrypts the DATA M4 to obtain the service DATA1. In fact, since the transmission key KT is identical to the transmission key KT1, DATA1 is identical to DATA.
15. The key management system sends the decrypted service DATA DATA1 to the service program server.
The invention realizes the cooperative use of a plurality of groups of quantum keys through the password module, the password service client and the key management system. The quantum key group is stored in the password module and the key management system, the password module and the key management system provide encryption and decryption services for the application program, the password leakage risk caused by password leakage outside is reduced, meanwhile, encrypted data is realized through negotiation between two parties, data leakage and replay attack are prevented through challenge random numbers in the negotiation process, the safety of key negotiation is improved, meanwhile, the key group serial number (unique identification information of a group of keys) is provided for the application program, the position P of the key in the quantum key group is not involved in the communication process, the risk of acquiring the password through attack of the application program is reduced, and the safety of the system is improved.
The second aspect of the present invention also proposes a system using system for multiple sets of quantum keys, for implementing a system using method for multiple sets of quantum keys, the system comprising: the system comprises a password module, a password service client and a key management system.
The password module is used for realizing key storage and password service; the Key storage realizes the storage of the quantum Key group and the Key group serial number, and the cryptographic module can encrypt the card and encrypt the Key.
The password service client module is used for realizing data transmission between the password module and the key management system; and realizing the password service call of the business program client to the password module.
The key management system realizes key generation, key coordination and key maintenance.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. A method for collaborative use of multiple sets of quantum keys, the method comprising:
the cryptographic module and the key management system acquire the same quantum key group from the quantum key distribution system QKD and generate a key group serial number S based on preset information;
the password service client obtains a password module key group serial number S and a key cooperative parameter SF, generates information M1 based on the key group serial number S and the key cooperative parameter SF and sends a key management system;
the key management system analyzes the message M1 to obtain a key position P and a key KP, generates a random number RS, generates information M2 based on the key position P, the key KP and the random number RS, and sends the information M2 to the password service client;
the password module receives and analyzes the information M2 from the password service client to obtain a key position P, a key KP2 and a random number RS1, generates a random number RC and generates information M3 together with the random number RS1 by the password module, and the information M3 is sent to the password management system by the password service client;
the key management system analyzes and verifies the information M3 to obtain a random number RC1 and a random number RS2, calculates a transmission key based on a key cooperative parameter SF, the random number RC1 and the random number RS2, and establishes a (S, P) -based password index;
the service program client side calls the password encryption and decryption service of the password module by the password service client side, and the service program client side calls the password management system encryption and decryption service by calling the key group serial number;
the key cooperation parameter SF at least comprises a one-way function H for generating a transmission key and a line encryption and decryption function LF; the one-way function H of the transmission key is a digest algorithm and a symmetric encryption algorithm; the line encryption and decryption function LF is a symmetric encryption algorithm and is used for encrypting information in the key cooperation process;
the generating information M1 based on the key group serial number S and the key cooperation parameter SF specifically includes: splicing the key group serial number S and the key cooperative parameter SF to generate information M1, wherein the splicing mode is S||SF;
the key management system analyzes the message M1 to obtain a key position P and a key KP, and specifically comprises the following steps: acquiring a key group serial number S based on the information M1, and acquiring a quantum key group through the key group serial number S; generating a key position P based on a random mode, and finding a key KP of the position from a quantum key group of the key group serial number S based on the key position P;
generating information M2 based on the key position P, the key KP, and the random number RS specifically includes: generating information M2 from the key position P, the key KP and the random number RS through a calculation formula LF (KP, RS) ||P, namely encrypting the random number RS by using the KP key as an encryption key through the line encryption and decryption function LF to obtain LF (KP, RS), and splicing the key position P;
the cryptographic module receives and parses the information M2 from the cryptographic service client, and specifically includes: the password module obtains a password position P from the information M2, obtains a key KP2 of the position from the quantum key group based on the password position P, takes the key KP2 as a decryption key and decrypts LF (KP, RS) through the line encryption and decryption function LF to obtain RS1;
the cryptographic module receives and parses the information M2 from the cryptographic service client, and specifically includes: the password module obtains a password position P from the information M2, obtains a key KP2 of the position from the quantum key group based on the password position P, takes the key KP2 as a decryption key and decrypts LF (KP, RS) through the line encryption and decryption function LF to obtain RS1;
the cryptographic module generates a random number RC and generates information M3 together with the random number RS1, specifically including: splicing the random number RC and the random number RS1 to obtain RC|RS1, and encrypting by using the key KP2 as an encryption key through the line encryption and decryption function LF to generate LF (KP 2, RC|RS1), namely information M3;
the key management system parses and verifies the information M3, and specifically includes: the key management system takes the key KP as a decryption key, decrypts the information M3 through the line encryption and decryption function LF to obtain spliced information RC 1I RS2 of two random numbers RC1 and RS2, and compares the random number RS2 with the random number RS, and if the two random numbers RS2 are equal, the key management system passes verification;
the service program client side calls the password encryption and decryption service of the password module by the password service client side, and the service program client side calls the password management system encryption and decryption service by calling the key group serial number, and specifically comprises the following steps: the service program client sends an encryption request of the service DATA DATA to the password service client, and the password service client sends an encryption request of the service DATA DATA to the password module; the cryptographic module calculates a transmission key KT based on a key cooperative parameter SF, a random number RC and a random number RS1, encrypts service DATA DATA by using the transmission key and a agreed encryption algorithm to generate a service ciphertext M4, and returns the service ciphertext to the cryptographic service client; the password service client generates a service message S I M by using the key group serial number S and the connection number of the service ciphertext data M4; the business program client sends a business message S M to the business program server; the service program server side sends a decryption request of the service message S I M to the key management system; the key management system analyzes the service message S I M to obtain a key group serial number S and a service ciphertext M, obtains a transmission key KT1 through a key index (S, P), decrypts the ciphertext M by using the transmission key KT1 and a contract decryption algorithm to obtain service DATA DATA, and transmits the service DATA DATA to a service program server; the agreed encryption and decryption algorithm is one of AES and 3 DES.
2. The method according to claim 1, wherein the cryptographic module and the key management system obtain the same quantum key set from the quantum key distribution system QKD, in particular comprising:
the cryptographic module and the key management system simultaneously obtain the same number of quantum keys in the same order from the quantum key distribution system.
3. The method for collaborative use of multiple sets of quantum keys according to claim 2, wherein the generating a key set sequence number based on preset information specifically comprises:
and carrying out abstract calculation on the combination of all key information in the quantum key group through the preset information, wherein the preset information is an abstract algorithm, and the abstract algorithm is any one of SHA1, SM3, SHA256 and MD 5.
4. A method for collaborative use of multiple sets of quantum keys according to claim 3, wherein the line encryption and decryption function LF is AES.
5. The method for collaborative use of multiple sets of quantum keys according to claim 1, wherein the calculating the transmission key based on the key collaborative parameter SF, the random number RC1, the random number RS2 is specifically implemented as: h (RC 1I RS 2), namely, calculating splicing information of RC1 and RS2 by a one-way function.
6. The method for collaborative use of multiple sets of quantum keys according to claim 5, wherein establishing (S, P) -based cryptographic indexes comprises:
and establishing a ternary array of the key group serial number S, the key position P and the transmission key, and { the key group serial number S, the key position P and the transmission key }, so that a subsequent key management system provides the key group serial number S based on the service program server, obtains the transmission key through a key index (S, P), and provides encryption and decryption services for the service program server.
7. The method according to claim 1, wherein the random manner is that the key management system generates a random number R and a length len of a key set with a key set serial number S is obtained by adding 1 to a modulo operation, i.e. a key position p= (R mod len) +1.
8. A system for using multiple sets of quantum keys for implementing a method for collaborative use of multiple sets of quantum keys according to any one of claims 1-7, the system comprising: the system comprises a password module, a password service client and a key management system.
CN202111088440.3A 2021-09-16 2021-09-16 Multi-group quantum key cooperation method and system Active CN114124369B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111088440.3A CN114124369B (en) 2021-09-16 2021-09-16 Multi-group quantum key cooperation method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111088440.3A CN114124369B (en) 2021-09-16 2021-09-16 Multi-group quantum key cooperation method and system

Publications (2)

Publication Number Publication Date
CN114124369A CN114124369A (en) 2022-03-01
CN114124369B true CN114124369B (en) 2023-08-29

Family

ID=80441402

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111088440.3A Active CN114124369B (en) 2021-09-16 2021-09-16 Multi-group quantum key cooperation method and system

Country Status (1)

Country Link
CN (1) CN114124369B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016147382A1 (en) * 2015-03-19 2016-09-22 三菱電機株式会社 Encrypted communication system terminal device, encrypted communication system relay device, and encrypted communication system control method
CN108989309A (en) * 2018-07-16 2018-12-11 苏州大学张家港工业技术研究院 Encryption communication method and its encrypted communication device based on narrowband Internet of Things
CN110601838A (en) * 2019-10-24 2019-12-20 国网山东省电力公司信息通信公司 Identity authentication method, device and system based on quantum key
CN110690962A (en) * 2019-09-01 2020-01-14 成都量安区块链科技有限公司 Application method and device of service node

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016147382A1 (en) * 2015-03-19 2016-09-22 三菱電機株式会社 Encrypted communication system terminal device, encrypted communication system relay device, and encrypted communication system control method
CN108989309A (en) * 2018-07-16 2018-12-11 苏州大学张家港工业技术研究院 Encryption communication method and its encrypted communication device based on narrowband Internet of Things
CN110690962A (en) * 2019-09-01 2020-01-14 成都量安区块链科技有限公司 Application method and device of service node
CN110601838A (en) * 2019-10-24 2019-12-20 国网山东省电力公司信息通信公司 Identity authentication method, device and system based on quantum key

Also Published As

Publication number Publication date
CN114124369A (en) 2022-03-01

Similar Documents

Publication Publication Date Title
US6289451B1 (en) System and method for efficiently implementing an authenticated communications channel that facilitates tamper detection
CN108574569B (en) Authentication method and authentication device based on quantum key
US20140192976A1 (en) Method and system for id-based encryption and decryption
KR100506076B1 (en) Method for mutual authentication and key exchange based on the user's password and apparatus thereof
EP3476078B1 (en) Systems and methods for authenticating communications using a single message exchange and symmetric key
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN104901803A (en) Data interaction safety protection method based on CPK identity authentication technology
CN113630248A (en) Session key negotiation method
CN110138795A (en) A kind of multistep in communication process mixes encipher-decipher method
CN101707767A (en) Data transmission method and devices
CN101931623A (en) Safety communication method suitable for remote control with limited capability at controlled end
CN113300842B (en) Method for improving security of symmetric encryption algorithm
CN111404671A (en) Mobile quantum secret communication method, gateway, mobile terminal and server
CN114124369B (en) Multi-group quantum key cooperation method and system
CN114363086B (en) Industrial Internet data encryption transmission method based on stream cipher
CN114499857B (en) Method for realizing data correctness and consistency in encryption and decryption of large data quanta
CN110365482B (en) Data communication method and device
CN115021906A (en) Method, terminal and device for realizing data transmission of digital envelope
CN111526131B (en) Anti-quantum-computation electronic official document transmission method and system based on secret sharing and quantum communication service station
JP2009141767A (en) Generation system of encryption key, generation method of encryption key, encryption authentication system, and encrypted communication system
CN113347153A (en) File encryption transmission method combining identity authentication and dynamic key
CN105791301A (en) Key distribution management method with information and key separated for multiple user groups
JPS63161745A (en) Terminal equipment for cryptographic communication
CN112039663A (en) Data transmission method and system
CN110636502A (en) Wireless encryption communication method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant