CN115102698A - Quantum encrypted digital signature method and system - Google Patents

Info

Publication number: CN115102698A
Authority: CN (China)
Prior art keywords: server, client, quantum, authentication, data
Legal status: Pending
Application number: CN202210696436.3A
Other languages: Chinese (zh)
Inventors: 高越寒, 鲍捷, 韦国华, 胡小鹏
Current Assignee: Shanghai Lingshi Communication Technology Development Co ltd; Suzhou Keda Technology Co Ltd
Original Assignee: Shanghai Lingshi Communication Technology Development Co ltd; Suzhou Keda Technology Co Ltd
Application filed by: Shanghai Lingshi Communication Technology Development Co ltd, Suzhou Keda Technology Co Ltd

Classifications

    • H04L9/0858 Details about key distillation or coding, e.g. reconciliation, error correction, privacy amplification, polarisation coding or phase coding (under H04L9/0852 Quantum cryptography)
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04N7/15 Conference systems

Abstract

The application provides a digital signature method and a digital signature system based on quantum encryption, and the method applied to a client comprises the following steps: receiving a quantum shared key distributed by a quantum key machine, wherein the quantum shared key is also distributed to a server side; encrypting the authentication information by using the quantum shared secret key to generate first encrypted authentication data; encrypting the randomly selected message digest algorithm by using the quantum shared secret key to generate message digest algorithm encrypted data; executing a message digest algorithm on the authentication information to generate digital digest data of the authentication information; encrypting a first public key of a first key pair which is randomly generated by using a quantum shared secret key to generate first public key encrypted data; encrypting the digital summary data by using a first private key of a first key pair to generate a digital signature; and sending the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature to a server side. The application improves the safety of data transmission in the video conference.

Description

Quantum encrypted digital signature method and system
Technical Field
The present application relates to the field of communications, and in particular, to a quantum encryption digital signature method and system.
Background
With the development of internet technology, video conferencing has become an important network application, but it also brings large potential network security risks. Network security threats and risks are increasingly prominent, and video-related security incidents keep emerging, for example network cameras being logged into illegally and video conference systems being attacked and eavesdropped on by hackers, so the security challenge facing video conferencing is increasingly urgent.
Currently, video conferencing generally relies on firewalls or network isolation to secure data communication. However, firewalls are not easy to configure, which easily leads to security holes, and they cannot prevent application-layer viruses or eavesdropping. Network isolation can prevent attacks from an unsafe network, but on the one hand it must support the latest video conference protocols well, otherwise communication fails; on the other hand, by its nature network isolation is not suitable for large volumes of frequent real-time data interaction, especially where large numbers of encrypted conferences are involved, and it seriously affects the effectiveness of the video conference.
Therefore, how to improve the security of data transmission in video conferences is a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
To overcome the defects of the prior art, the application provides a quantum encryption digital signature method and system that improve the security of data transmission in a video conference.
According to one aspect of the application, a digital signature method based on quantum encryption is provided, which is applied to a client and comprises the following steps:
the client receives a quantum shared key distributed by a quantum key machine, and the quantum shared key is also distributed to the server;
the client encrypts authentication information by using the quantum shared key to generate first encrypted authentication data, wherein the authentication information is used for encrypting communication between the client and the server;
the client encrypts a randomly selected message digest algorithm by using the quantum shared key to generate message digest algorithm encrypted data;
the client executes the message digest algorithm on the authentication information to generate digital digest data of the authentication information;
the client encrypts a first public key of a randomly generated first key pair by using the quantum shared key to generate first public key encrypted data;
the client encrypts the digital digest data by using a first private key of the first key pair to generate a digital signature;
and the client sends the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature to the server, so that the server can obtain the authentication information by using the quantum shared key and authenticate the digital signature.
In some embodiments of the present application, the authentication information at least includes a second symmetric key, and after the server successfully authenticates the client:
the client encrypts a first signaling and/or a first code stream by using the second symmetric key to generate first encrypted transmission data, and transmits the first encrypted transmission data to the server through network address translation; and/or
the client uses the second symmetric key to decrypt the second encrypted transmission data sent by the server to obtain a second signaling and/or a second code stream sent by the server.
In some embodiments of the present application, the authentication information includes a first authentication identifier randomly generated by the client and an authentication identifier bit, the authentication identifier bit includes a first value indicating that the client requests to continue connecting with the server and a second value indicating that the client requests to re-authenticate with the server, and the method further includes:
in response to the client being disconnected from the server and requesting to continue the connection with the server, the client uses the first authentication identifier and the authentication identifier bit set to the first value as parameters of the authentication information, generates the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature again, and sends them to the server, so that the server, based on the value of the authentication identifier bit, compares the first authentication identifier with a second authentication identifier stored locally by the server to determine whether the client is successfully authenticated;
in response to an authentication success message returned by the server, the client continues to use the second symmetric key for signaling and/or code stream communication with the server;
and in response to an authentication failure returned by the server, the client randomly generates a third authentication identifier, uses the third authentication identifier and the authentication identifier bit set to the second value as parameters of the authentication information, generates the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature again, and sends them to the server, so that the server, based on the value of the authentication identifier bit, performs the steps of obtaining the authentication information by using the quantum shared key and authenticating the digital signature.
In some embodiments of the present application, the client sends the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data, and the digital signature to the server, so that the server obtains the authentication information by using the quantum shared key and stores the first authentication identifier locally as a second authentication identifier, the second authentication identifier being valid in response to the time interval between the current time and the connection between the client and the server being less than or equal to a first session keep-alive period.
In some embodiments of the present application, the step in which the client uses the first authentication identifier and the authentication identifier bit set to the first value as parameters of the authentication information, generates the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data, and the digital signature again, and sends them to the server includes:
in response to the time interval between the current time and the disconnection between the client and the server being less than or equal to a second session keep-alive period, the client uses the first authentication identifier and the authentication identifier bit set to the first value as parameters of the authentication information, generates the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature again, and sends them to the server, wherein the second session keep-alive period is less than the first session keep-alive period;
and in response to the time interval between the current time and the disconnection between the client and the server being greater than the second session keep-alive period, the client randomly generates the third authentication identifier, uses the third authentication identifier and the authentication identifier bit set to the second value as parameters of the authentication information, generates the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature again, and sends them to the server, so that the server, based on the value of the authentication identifier bit, performs the steps of obtaining the authentication information by using the quantum shared key and authenticating the digital signature.
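The reconnection rules above, as an added example that is not code from the patent: it models only the authentication identifier, the identifier bit and the two keep-alive periods, and assumes the authentication information has already been decrypted and its signature checked. The class names, the 0/1 flag encoding, the period lengths and the choice to measure the first period from when the identifier was stored are assumptions.

```python
import hmac
import secrets

# Constructed encodings for the page's "first value" and "second value".
FLAG_CONTINUE, FLAG_REAUTH = 0, 1


class Server:
    def __init__(self, first_keepalive):
        self.first_keepalive = first_keepalive
        self.stored = {}  # client name -> (second authentication identifier, time stored)

    def authenticate(self, name, auth_info, now):
        """auth_info is assumed to be decrypted and signature-checked already."""
        auth_id, flag = auth_info["auth_id"], auth_info["flag"]
        if flag == FLAG_REAUTH:
            # Full authentication: remember the identifier for later reconnects.
            self.stored[name] = (auth_id, now)
            return True
        if flag != FLAG_CONTINUE or name not in self.stored:
            return False
        stored_id, stored_at = self.stored[name]
        if now - stored_at > self.first_keepalive:
            del self.stored[name]  # identifier expired, force re-authentication
            return False
        return hmac.compare_digest(auth_id.encode(), stored_id.encode())


class Client:
    def __init__(self, name, second_keepalive):
        self.name = name
        self.second_keepalive = second_keepalive
        self.auth_id = None
        self.disconnected_at = None

    def disconnect(self, now):
        self.disconnected_at = now

    def _auth_info(self, now):
        recent = (self.auth_id is not None and self.disconnected_at is not None
                  and now - self.disconnected_at <= self.second_keepalive)
        if not recent:
            self.auth_id = secrets.token_hex(16)  # new random identifier
        flag = FLAG_CONTINUE if recent else FLAG_REAUTH
        return {"auth_id": self.auth_id, "flag": flag}

    def connect(self, server, now):
        """Return the flags sent, in order; the last one is the accepted attempt."""
        info = self._auth_info(now)
        sent = [info["flag"]]
        if not server.authenticate(self.name, info, now):
            # Authentication failure: fall back to a third identifier and re-authenticate.
            self.auth_id = secrets.token_hex(16)
            info = {"auth_id": self.auth_id, "flag": FLAG_REAUTH}
            sent.append(FLAG_REAUTH)
            if not server.authenticate(self.name, info, now):
                raise RuntimeError("re-authentication rejected")
        self.disconnected_at = None
        return sent
```

A client that reconnects inside the second period can still be refused when the server's first period has run out, which is the case the fallback branch in `connect` handles.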
According to another aspect of the present application, there is also provided a digital signature method based on quantum cryptography, applied to a server, including:
the server receives a quantum shared secret key distributed by a quantum secret key machine, and the quantum shared secret key is also distributed to the client;
the server receives the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature which are sent by the client by executing the digital signature method based on the quantum encryption;
the server side decrypts the first encrypted authentication data by using the quantum shared secret key to obtain the authentication information;
the server side decrypts the encrypted data of the message digest algorithm by using the quantum shared secret key to obtain the message digest algorithm;
the server side decrypts the first public key encrypted data by using the quantum shared secret key to obtain a first public key of the first secret key pair;
the server side decrypts the digital signature by using the first public key to obtain first to-be-authenticated digital digest data;
the server executes the message digest algorithm on the authentication information to obtain second digital digest data to be authenticated;
and in response to the first to-be-authenticated digital digest data being consistent with the second to-be-authenticated digital digest data, the server sends an authentication success message to the client.
In some embodiments of the present application, the authentication information at least includes a second symmetric key, and after the server successfully authenticates the client:
the server encrypts a second signaling and/or a second code stream by using the second symmetric key to generate second encrypted transmission data, and transmits the second encrypted transmission data to the client through network address translation; and/or
the server decrypts the first encrypted transmission data sent by the client by using the second symmetric key to obtain a first signaling and/or a first code stream sent by the client.
According to another aspect of the present application, there is also provided a digital signature system based on quantum cryptography, including:
a plurality of clients configured to perform the quantum cryptography-based digital signature method as described above;
a server side configured to execute the quantum encryption-based digital signature method as described above; and
a quantum key machine configured to distribute quantum shared keys to the client and the server.
In some embodiments of the present application, the client requests a quantum shared key from the quantum key machine through a network address translation, and the quantum key machine distributes the quantum shared key to the client through the network address translation.
In some embodiments of the present application, the number of the quantum key machines is multiple, and multiple quantum key machines negotiate a quantum shared key to determine the quantum shared key distributed to the server and the client connected to each other.
According to yet another aspect of the present application, there is also provided an electronic apparatus, including: a processor; a storage medium having stored thereon a computer program which, when executed by the processor, performs the steps as described above.
According to yet another aspect of the present application, there is also provided a storage medium having stored thereon a computer program which, when executed by a processor, performs the steps as described above.
Therefore, compared with the prior art, the scheme provided by the application has the following advantages:
First, the quantum shared key obtained from the quantum key machine is used to encrypt the first public key of the digital signature, so the quantum shared key establishes that the first public key was sent by a client communicating with the quantum key machine, and the identity of the sender can be determined. Second, the first public key is transmitted over the network encrypted with the quantum shared key, so a third party without the quantum shared key cannot decrypt it; even if the third party intercepts and tampers with the message, it cannot encrypt data without the quantum shared key, so the server's decryption fails and authentication of the digital signature cannot be completed, which improves authentication security. Third, the quantum shared key obtained from the quantum key machine is used to encrypt the digitally signed message, the message digest algorithm and the first public key, so the digital signature is absolutely secret throughout the authentication process, and third parties on the network are prevented from tampering with and forging data. Fourth, the authentication process is completed in a single data interaction between the client and the server, which reduces the number of information interaction steps and improves the data interaction efficiency.
Drawings
The above and other features and advantages of the present application will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings.
Fig. 1 shows a flowchart of a quantum encryption-based digital signature method applied to a client according to an embodiment of the present application.
Fig. 2 is a schematic diagram illustrating a quantum encryption-based digital signature method applied to a client according to an embodiment of the present application.
Fig. 3 shows a flowchart of a quantum encryption-based digital signature method applied to a server according to an embodiment of the present application.
Fig. 4 is a schematic diagram illustrating a quantum encryption-based digital signature method applied to a server according to an embodiment of the present application.
Fig. 5 shows a schematic diagram of a digital signature system based on quantum cryptography according to an embodiment of the present application.
Fig. 6 shows a schematic diagram of distributing quantum shared keys of a digital signature system based on quantum encryption according to an embodiment of the present application.
Fig. 7 is a schematic diagram illustrating an authentication process of a digital signature system based on quantum cryptography according to an embodiment of the present application.
Fig. 8 is a schematic diagram illustrating a signaling/code stream transmission process of a digital signature system based on quantum cryptography according to an embodiment of the present application.
Fig. 9 shows a schematic diagram of a quantum shared key distribution process of a quantum encryption-based digital signature system with multiple quantum key machines according to an embodiment of the present application.
FIG. 10 schematically illustrates a computer-readable storage medium in an exemplary embodiment of the disclosure.
Fig. 11 schematically illustrates an electronic device in an exemplary embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present application and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the steps. For example, some steps may be decomposed, and some steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
Referring first to fig. 1, fig. 1 shows a flowchart of a quantum encryption-based digital signature method applied to a client according to an embodiment of the present application. The digital signature method based on quantum encryption applied to the client comprises the following steps:
step S101: the client receives the quantum shared key distributed by the quantum key machine, and the quantum shared key is also distributed to the server.
Specifically, each time a digital signature is made, the quantum key machine updates the clientQuantum shared secret key K distributed with server side Q And the safety and the confidentiality of the video conference are improved.
Step S102: and the client encrypts authentication information by using the quantum sharing secret key to generate first encrypted authentication data, wherein the authentication information is used for encrypting communication between the client and the server.
In particular, the authentication information may comprise a second symmetric key pair. The second symmetric key pair is used for encrypting communication between the client and the server. The authentication information may further include an IP address of the client, a conference terminal number, and identification information for connecting the client and the server. Further, the authentication information may further include an authentication identifier for reconnection between the client and the server.
Further, specifically, the second symmetric key pair of the authentication information is updated at each authentication, so that the client uses the new second symmetric key at each authentication of the connection server, the subsequent deciphered ciphertext can be prevented, and the forward security is ensured. The security of using the second symmetric key is higher than using an asymmetric key, such as the RSA asymmetric key. This is because, when the private key of the asymmetric key pair is leaked, after the private key can be decrypted by a third party, all the intercepted ciphertext before decryption can be decrypted by using the private key, and the forward security reason cannot be guaranteed. In addition, the encryption efficiency of the symmetric key pair is high, while the interaction steps of the RSA asymmetric key are more, and the efficiency is low.
Specifically, the Encryption algorithm used in step S102 may be Advanced Encryption Standard (AES), which is not limited in this application, and the use of other Encryption algorithms is also within the protection scope of this application.
Step S103: and the client encrypts the randomly selected message digest algorithm by using the quantum shared secret key to generate message digest algorithm encrypted data.
In particular, the message digest algorithm may be a hash algorithm for performing digital digest calculations. Step S103 may randomly select one of a plurality of Hash algorithms such as a single Hash function, MD5(Message-Digest Algorithm, cryptographic Hash function), SHA-1(Secure Hash Algorithm 1), SHA-2(Secure Hash Algorithm 2, Secure Hash Algorithm 2), and the like, to encrypt. The encryption algorithm of step S103 may be the same as the encryption algorithm used in step S102, or may be different from the encryption algorithm used in step S102.
Further, the client executes random selection of a message digest algorithm every time signature is carried out, so that the safety and the confidentiality of the video conference are improved.
Step S104: and the client executes the message digest algorithm on the authentication information to generate digital digest data of the authentication information.
Step S105: and the client encrypts a first public key of a first key pair generated randomly by using the quantum shared key to generate first public key encrypted data.
Specifically, the first key pair is randomly generated, thereby improving the security and confidentiality of the video conference.
Step S106: the client encrypts the digital digest data using the first private key of the first key pair to generate a digital signature.
Step S107: the client sends the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature to the server, so that the server can obtain the authentication information using the quantum shared key and authenticate the digital signature.
Specifically, the first encrypted authentication data, the message digest algorithm encryption data, the first public key encryption data, and the digital signature may be combined into encrypted digital signature data to be sent to the server side.
Therefore, in the quantum-encryption-based digital signature method applied to the client and the server, in one aspect, the quantum shared key obtained from the quantum key machine is used to encrypt the first public key of the digital signature, so that the first public key can be determined, by means of the quantum shared key, to have been sent by the client communicating with the quantum key machine, and the identity of the sender can thus be determined; in another aspect, the first public key is encrypted with the quantum shared key for transmission over the network, so a third party without the quantum shared key cannot decrypt it, and even if a third party intercepts and tampers with the message, it cannot encrypt data without the quantum shared key, so that decryption at the server fails and authentication of the digital signature cannot be completed, which improves authentication security; in a further aspect, the quantum shared key obtained from the quantum key machine is used to encrypt all of the digitally signed message, the message digest algorithm and the first public key, so that the digital signature is absolutely secret throughout the authentication process and third parties on the network are prevented from tampering with and forging data; in yet another aspect, the authentication process is completed through a single data interaction between the client and the server, which reduces the number of information interaction steps, improves data interaction efficiency, and facilitates high-capacity concurrent communication of the proxy server.
Further, in the application, the client and the server obtain the quantum shared key through the quantum key machine distribution, and encrypt and sign the authentication information for encrypting the communication between the client and the server through the quantum shared key, so as to realize the authentication of the server to the client and ensure the communication between the server and the authenticated client. Further, the application enables the authentication message to carry a second symmetric key, so that the transfer of the second symmetric key is realized, and after the server successfully authenticates, the second symmetric key can be obtained and used as a negotiation of the encryption key for communication between the client and the server, so that the negotiation of the encryption key for communication between the client and the server is realized while the authentication is performed. Therefore, authentication and encryption key negotiation of the client and the server are simultaneously realized in one-time interaction of the client and the server in a quantum encryption mode, communication safety of the client and the server is improved, interaction times of the client and the server are reduced, interaction instantaneity of signaling code streams of the client and the server is improved, and bandwidth occupation required by communication is reduced.
Fig. 2 illustrates a quantum encryption-based digital signature method for a client according to a specific embodiment of the present application. As shown in fig. 2:
The client 100 performs AES encryption on the authentication information $M$ to be transmitted using the quantum shared key $K_Q$ to obtain the first encrypted authentication data $C_1 = E(M, K_Q)$. The first encrypted authentication data $C_1$ ensures that the authentication information $M$ is not transmitted in plaintext on the network, and because the quantum shared key $K_Q$ is different for each signature, even if the encrypted authentication information $M$ is intercepted and reproduced, the security of the authentication information communication can still be ensured.
The client 100 performs AES encryption on the randomly selected message digest algorithm $A_{Hash}$ using the quantum shared key $K_Q$ to obtain the message digest algorithm encrypted data $C_2 = E(A_{Hash}, K_Q)$. The message digest algorithm encrypted data $C_2$ informs the server which message digest algorithm was used for the digital digest, so that the server can use it when performing the authentication comparison.
The client 100 applies the selected message digest algorithm to the authentication information $M$ to be transmitted to obtain the digital digest data $C_5 = E(M, A_{Hash})$.
When the client 100 performs the digital signature, a first key pair $K_c(K_{pb}, K_{pv})$ is randomly generated, where $K_{pb}$ is the first public key of the first key pair and $K_{pv}$ is the first private key of the first key pair. The client 100 performs AES encryption on the first public key $K_{pb}$ using the quantum shared key $K_Q$ to obtain the first public key encrypted data $C_3 = E(K_{pb}, K_Q)$. The first public key encrypted data $C_3$ notifies the server to use the first public key $K_{pb}$ of the client 100 to decrypt the digital signature $C_4$ described below and obtain the digital digest data to be authenticated.
The client 100 uses the first private key $K_{pv}$ to encrypt the digital digest data $C_5$ and obtain the digital signature $C_4 = E(C_5, K_{pv})$.
When the client 100 sends a message to the server, the first encrypted authentication data $C_1$, the message digest algorithm encrypted data $C_2$, the first public key encrypted data $C_3$ and the digital signature $C_4$ are sent to the server together. In other words, the message sent by the client 100 to the server is $C_0 = C_1 + C_2 + C_3 + C_4$.
Referring now to fig. 3, fig. 3 is a flow chart illustrating a quantum encryption based digital signature method applied to a server according to an embodiment of the present application. The digital signature method based on quantum encryption applied to the server side comprises the following steps:
Step S201: the server receives the quantum shared key distributed by the quantum key machine, and the quantum shared key is also distributed to the client.
Step S202: the server receives the first encryption authentication data, the message digest algorithm encryption data, the first public key encryption data and the digital signature which are sent by the client by executing the quantum encryption-based digital signature method shown in fig. 1.
Step S203: the server side decrypts the first encrypted authentication data using the quantum shared key to obtain the authentication information.
Step S204: the server side decrypts the message digest algorithm encrypted data using the quantum shared key to obtain the message digest algorithm.
Step S205: the server side decrypts the first public key encrypted data using the quantum shared key to obtain the first public key of the first key pair.
Step S206: the server side decrypts the digital signature using the first public key to obtain first to-be-authenticated digital digest data.
Step S207: the server side executes the message digest algorithm on the authentication information to obtain second to-be-authenticated digital digest data.
Step S208: in response to the first to-be-authenticated digital digest data being consistent with the second to-be-authenticated digital digest data, the server side sends an authentication success message to the client.
Therefore, in the quantum-encryption-based digital signature method applied to the client and the server, in one aspect, the quantum shared key obtained from the quantum key machine is used to encrypt the first public key of the digital signature, so that the first public key can be determined, by means of the quantum shared key, to have been sent by the client communicating with the quantum key machine, and the identity of the sender can thus be determined; in another aspect, the first public key is encrypted with the quantum shared key for transmission over the network, so a third party without the quantum shared key cannot decrypt it, and even if a third party intercepts and tampers with the message, it cannot encrypt data without the quantum shared key, so that decryption at the server fails and authentication of the digital signature cannot be completed, which improves authentication security; in a further aspect, the quantum shared key obtained from the quantum key machine is used to encrypt all of the digitally signed message, the message digest algorithm and the first public key, so that the digital signature is absolutely secret throughout the authentication process and third parties on the network are prevented from tampering with and forging data; in yet another aspect, the authentication process is completed through a single data interaction between the client and the server, which reduces the number of information interaction steps, improves data interaction efficiency, and facilitates high-capacity concurrent communication of the proxy server.
Further, in the application, the client and the server obtain the quantum shared key through the quantum key machine distribution, and encrypt and sign the authentication information for encrypting the communication between the client and the server through the quantum shared key, so as to realize the authentication of the server to the client and ensure the communication between the server and the authenticated client. Further, the authentication message carries the second symmetric key, so that the transfer of the second symmetric key is realized, and after the server successfully authenticates, the second symmetric key can be obtained and is used as the negotiation of the encryption key for communication between the client and the server, so that the negotiation of the encryption key for communication between the client and the server is realized while the authentication is performed. Therefore, authentication and encryption key negotiation of the client and the server are simultaneously realized in one-time interaction of the client and the server in a quantum encryption mode, so that the communication safety of the client and the server is improved, the interaction times of the client and the server are reduced, the interaction instantaneity of signaling code streams of the client and the server is improved, and the bandwidth occupation required by communication is reduced.
A digital signature method based on quantum encryption for a server according to a specific embodiment of the present application is described below with reference to fig. 4:
The server 200 receives the message $C_0 = C_1 + C_2 + C_3 + C_4$ sent by the client, where $C_1$ is the first encrypted authentication data, $C_2$ is the message digest algorithm encrypted data, $C_3$ is the first public key encrypted data, and $C_4$ is the digital signature.
The server 200 uses the quantum shared key $K_Q$ and the AES decryption algorithm to decrypt the first encrypted authentication data $C_1$ and obtain the authentication information $M$.
The server 200 uses the quantum shared key $K_Q$ and the AES decryption algorithm to decrypt the message digest algorithm encrypted data $C_2$ and obtain the message digest algorithm $A_{Hash}$.
The server 200 uses the quantum shared key $K_Q$ and the AES decryption algorithm to decrypt the first public key encrypted data $C_3$ and obtain the first public key $K_{pb}$.
The server 200 uses the first public key $K_{pb}$ to decrypt the digital signature $C_4$ and obtain the first to-be-authenticated digital digest data $C_5''$.
The server 200 uses the message digest algorithm $A_{Hash}$ to calculate the message digest value of the authentication information and obtain the second to-be-authenticated digital digest data $C_5' = E(M, A_{Hash})$.
The server 200 compares the first to-be-authenticated digital digest data $C_5''$ with the second to-be-authenticated digital digest data $C_5'$. If they are consistent, the signature authentication is successful; if not, the signature authentication fails.
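The client steps S102 to S107 and the server steps S203 to S208, run as one exchange. This is an added example, not code from the application: `E`/`D` are a standard-library stand-in for AES under $K_Q$ (a hash keystream plus an HMAC tag, so that a modified ciphertext is actually rejected), the signature is textbook RSA on the digest as the text describes it, and every function name and the sample message are assumptions.

```python
import hashlib
import hmac
import secrets

# SHA-2 variants only; the page also lists MD5 and SHA-1 as possible choices.
DIGESTS = ["sha224", "sha256", "sha384", "sha512"]

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(data, k_q):
    """Stand-in for 'AES under K_Q' (assumption): keystream XOR + HMAC tag."""
    k_enc, k_mac = (hashlib.sha256(t + k_q).digest() for t in (b"enc", b"mac"))
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(data, _stream(k_enc, nonce, len(data))))
    return nonce + body + hmac.new(k_mac, nonce + body, hashlib.sha256).digest()

def D(blob, k_q):
    k_enc, k_mac = (hashlib.sha256(t + k_q).digest() for t in (b"enc", b"mac"))
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(k_mac, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong K_Q or modified ciphertext")
    return bytes(a ^ b for a, b in zip(body, _stream(k_enc, nonce, len(body))))

def _is_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(cand):
            return cand

def new_key_pair(bits=1024, e=65537):
    """Fresh textbook-RSA pair K_c(K_pb, K_pv), generated for one signature."""
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def client_build(m, k_q):
    """Steps S102-S107: return C0 as a dict holding C1..C4."""
    alg = secrets.choice(DIGESTS)                        # random A_Hash
    (n, e), (_, d) = new_key_pair()                      # random K_pb, K_pv
    c5 = int.from_bytes(hashlib.new(alg, m).digest(), "big")
    return {
        "C1": E(m, k_q),                                 # C1 = E(M, K_Q)
        "C2": E(alg.encode(), k_q),                      # C2 = E(A_Hash, K_Q)
        "C3": E(f"{n:x}:{e:x}".encode(), k_q),           # C3 = E(K_pb, K_Q)
        "C4": pow(c5, d, n),                             # C4 = E(C5, K_pv)
    }

def server_verify(c0, k_q):
    """Steps S203-S208: return M on success, None on any failure."""
    try:
        m = D(c0["C1"], k_q)
        alg = D(c0["C2"], k_q).decode()
        n_hex, e_hex = D(c0["C3"], k_q).decode().split(":")
        n, e = int(n_hex, 16), int(e_hex, 16)
    except ValueError:
        return None
    if alg not in DIGESTS:                               # allow-list, never trust the name
        return None
    c5_signed = pow(c0["C4"], e, n)                      # C5'' from the signature
    c5_local = int.from_bytes(hashlib.new(alg, m).digest(), "big")  # C5'
    return m if c5_signed == c5_local else None

if __name__ == "__main__":
    k_q = secrets.token_bytes(32)                        # constructed K_Q
    print(server_verify(client_build(b"constructed M", k_q), k_q))
```

Because $K_{pb}$ travels in the same message as the signature, the check only binds the sender to possession of $K_Q$; the server has no other reference for the public key.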
Further, the present application is applicable to various video conference protocols, e.g., H.323, SIP (Session Initiation Protocol) and RTC (Real-Time Communication, i.e. real-time audio and video), which is not limited herein.
Specifically, after the authentication between the client and the server is completed, the client and the server may perform encrypted transmission of signaling and/or code stream by using the authentication information during the authentication. Specifically, the authentication information includes at least a second symmetric key. The second symmetric key may be a shared key randomly generated by the client. The shared secret key is randomly generated by the client, so that the steps of generating and managing a large number of client-server secret key pairs by the server are reduced, and the performance of the quantum encryption proxy server video conference is improved.
After the server side successfully authenticates the client, the server side and the client can communicate in the following manner: the client encrypts a first signaling and/or a first code stream using the second symmetric key to generate first encrypted transmission data, and can transmit the first encrypted transmission data to the server side through network address translation. The server side decrypts the first encrypted transmission data sent by the client using the second symmetric key to obtain the first signaling and/or the first code stream sent by the client. The server side encrypts a second signaling and/or a second code stream using the second symmetric key to generate second encrypted transmission data, and transmits the second encrypted transmission data to the client through network address translation. The client decrypts the second encrypted transmission data sent by the server side using the second symmetric key to obtain the second signaling and/or the second code stream sent by the server side.
In some embodiments, after the server and the client are disconnected, the present application may further provide a disconnection authentication mechanism.
Specifically, the authentication information $M$ may include a first authentication identifier $M_{ID1}$ randomly generated by the client and an authentication flag MF. The authentication flag MF takes either a first value (e.g., 1), indicating that the client requests to continue its connection with the server, or a second value (e.g., 0), indicating that the client requests to re-authenticate with the server.
During the first authentication, the client sets the authentication flag MF to the second value. The server obtains the authentication information $M$ using the quantum shared key and reads the authentication flag; because the flag is the second value, the server stores the first authentication identifier $M_{ID1}$ locally as a second authentication identifier $M_{ID2}$ and performs the authentication step. While the time elapsed since the connection between the client and the server was disconnected is less than or equal to a first session keep-alive period $T_s$, the second authentication identifier $M_{ID2}$ is valid. In other words, once the time elapsed since the disconnection is greater than the first session keep-alive period $T_s$, the second authentication identifier $M_{ID2}$ is deleted by the server.
In response to a disconnection between the client and the server, the client may use the first authentication identifier $M_{ID1}$ and the authentication flag MF set to the first value as parameters of the authentication information $M$, generate the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature again, and send them to the server. The server then recognizes from the authentication flag MF that the client needs to continue the connection, compares the first authentication identifier $M_{ID1}$ with the second authentication identifier $M_{ID2}$ stored locally at the server, and determines from the comparison result whether the client is successfully authenticated.
In response to an authentication success message returned by the server, the client continues to use the second symmetric key for signaling and/or code stream communication with the server.
In response to an authentication failure returned by the server, the client randomly generates a third authentication identifier $M_{ID3}$, uses the third authentication identifier $M_{ID3}$ and the authentication flag MF set to a first value as parameters of the authentication information, generates the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature again, and sends them to the server, so that the server recognizes from the authentication flag that the client needs to re-authenticate, obtains the authentication information using the quantum shared key, and authenticates the digital signature to obtain the updated third authentication identifier $M_{ID3}$. Further, the second symmetric key is also updated when authentication is performed again. In other words, after the server returns an authentication failure, the client re-executes the steps shown in Fig. 1 for the server to perform authentication.
Therefore, by setting the authentication flag MF, the server can tell whether the client wants to resume the previously disconnected connection or needs to be re-authenticated. This avoids the situation in which a client that needs to re-authenticate is compared against the stored authentication identifier, the identifiers do not match, an authentication failure message is returned, and re-authentication can then never be carried out. Furthermore, with the authentication flag set, the server does not need to compare authentication identifiers when the client needs to re-authenticate, which removes a redundant comparison step and improves authentication efficiency.
Further, the client can maintain a second session keep-alive period $T_c$. In response to the time elapsed since the disconnection of the client from the server being less than or equal to the second session keep-alive period $T_c$, the client uses the first authentication identifier $M_{ID1}$ and the authentication flag set to the first value as parameters of the authentication information $M$, generates the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature again, and sends them to the server, wherein the second session keep-alive period $T_c$ is less than the first session keep-alive period $T_s$. Specifically, making $T_c$ less than $T_s$ avoids the case in which, with $T_c$ greater than $T_s$, the server has already deleted the second authentication identifier $M_{ID2}$, so that authentication between the client and the server fails and two authentications are required, adding unnecessary authentication steps. Further, making $T_c$ less than $T_s$ reduces the number of authentications to the greatest extent, especially in scenarios where a large number of clients access the server concurrently.
In response to the time elapsed since the disconnection of the client from the server being greater than the second session keep-alive period $T_c$, the client randomly generates a third authentication identifier $M_{ID3}$, uses the third authentication identifier $M_{ID3}$ and the authentication flag set to the second value as parameters of the authentication information, generates the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature again, and sends them to the server, so that the server recognizes from the authentication flag that the client needs to be re-authenticated, obtains the authentication information using the quantum shared key, and authenticates the digital signature. Further, the second symmetric key is also updated when authentication is performed again.
Thus, when the interval between the client's previous disconnection and its next connection to the server (such as a TCP connection) does not exceed the second session keep-alive period $T_c$, re-authentication is not needed, and the keys and related information used at both ends are the same as in the last communication, which reduces the number of authentications and improves the real-time performance of video conference signaling and code stream interaction. In other words, authentication does not have to be carried out every time a connection is established between the client and the server during communication; as long as the interval between disconnection and reconnection does not exceed the second session keep-alive period $T_c$, the client's authentication process can be skipped after reconnecting.
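The disconnection authentication mechanism above, simulated to show why $T_c$ must stay below $T_s$. This is an added example, not code from the application: the class and function names, the reply strings and the time values are assumptions, the flag follows the definition given above (first value = continue, second value = re-authenticate), and the signature check of Fig. 3 is taken as already passed for every message.

```python
import secrets

MF_CONTINUE, MF_REAUTH = 1, 0   # first value / second value of the flag MF

class Server:
    def __init__(self, t_s):
        self.t_s = t_s          # first session keep-alive period T_s
        self.stored = {}        # M_ID2 -> time of disconnection (None = connected)

    def disconnect(self, m_id, now):
        if m_id in self.stored:
            self.stored[m_id] = now

    def _expire(self, now):
        # M_ID2 is deleted once the disconnection has lasted longer than T_s.
        for m_id, gone_at in list(self.stored.items()):
            if gone_at is not None and now - gone_at > self.t_s:
                del self.stored[m_id]

    def handle(self, m_id, mf, now):
        self._expire(now)
        if mf == MF_REAUTH:     # full authentication: store M_ID1 as M_ID2
            self.stored[m_id] = None
            return "authenticated"
        if m_id in self.stored: # MF = continue: compare M_ID1 with M_ID2
            self.stored[m_id] = None
            return "resumed"
        return "failed"

class Client:
    def __init__(self, t_c):
        self.t_c = t_c          # second session keep-alive period T_c
        self.m_id = None
        self.second_key = None
        self.gone_at = None

    def disconnect(self, server, now):
        self.gone_at = now
        server.disconnect(self.m_id, now)

    def connect(self, server, now):
        """Return the server replies, one per authentication message sent."""
        replies = []
        recent = self.gone_at is not None and now - self.gone_at <= self.t_c
        if self.m_id is not None and recent:
            replies.append(server.handle(self.m_id, MF_CONTINUE, now))
            if replies[-1] == "resumed":
                return replies  # same identifier, same second symmetric key
        # First connection, T_c exceeded, or resume refused: new identifier,
        # new second symmetric key, full authentication.
        self.m_id = secrets.token_hex(8)
        self.second_key = secrets.token_bytes(16)
        replies.append(server.handle(self.m_id, MF_REAUTH, now))
        return replies

def scenario(t_c, t_s, gap):
    """Authenticate at t=0, drop at t=10, reconnect `gap` time units later."""
    server, client = Server(t_s), Client(t_c)
    client.connect(server, now=0)
    key = client.second_key
    client.disconnect(server, now=10)
    replies = client.connect(server, now=10 + gap)
    return replies, client.second_key == key

if __name__ == "__main__":
    print(scenario(t_c=30, t_s=60, gap=20))  # resumed, key kept
    print(scenario(t_c=30, t_s=60, gap=45))  # one full authentication
    print(scenario(t_c=90, t_s=60, gap=75))  # T_c > T_s: refused, then re-auth
```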
According to the embodiments of the application, the expandability of the authentication information of the client and the server is strong. Different service logics can be realized according to different authentication information. Through the disconnection authentication mechanism, the method and the device can solve the problem of repeated authentication. By adding the authentication identifier into the authentication information, the client can send the authentication identifier to the server when the connection between the client and the server is disconnected. Because the server side stores the authentication identifier, when the server side receives the authentication identifier of the client side again, if the authentication identifier is the same as the authentication identifier stored by the server side, the server side shows that the authentication is passed before, and the authentication does not need to be performed again. Therefore, the authentication efficiency is improved, and the signaling interaction delay and the bandwidth occupation are reduced.
Further, the client registration message is added into the authentication information, so that the client registration message is sent to the server, and the client actively invites the terminal to join in the conference in a network address conversion networking mode instead of only adopting a single and troublesome conference joining mode of terminal active conference. All terminals are invited to join in a conference uniformly by the platform, and the conference opening efficiency is greatly improved. Meanwhile, the message interaction between the client and the server can be reduced.
Furthermore, in the application, the authentication information, the message digest algorithm and the public key are encrypted with the quantum key and transmitted over the network, so that they are not visible and the confidentiality level is improved. In addition, an authentication scheme that combines quantum encryption with asymmetric encryption (a national cryptographic algorithm or RSA) provides higher security.
Furthermore, the authentication of the server side to the client side is completed through one-time information interaction, and the process is simple. The problems that in a large-capacity conference, due to multiple times of authentication message interaction, the bandwidth occupation is increased, the signaling interaction delay is increased, and the real-time performance of the signaling interaction is reduced can be effectively solved. The authentication between the client and the server is performed at most once, the client is connected and registered again in one session period, the server does not need to perform the authentication again, the program operation efficiency is improved, the calculated amount is simplified, and the effect in a large-capacity conference is remarkable.
The above illustrates a plurality of implementation manners of the present application, and the present application is not limited thereto, and in each implementation manner, the addition, omission, and sequence change of steps are all within the protection scope of the present application; the embodiments may be implemented individually or in combination.
The present application further provides a digital signature system based on quantum encryption. As shown in fig. 5, the digital signature system includes a client 100, a server 200, and a quantum key machine 300. The client 100 is configured to perform the quantum encryption based digital signature method applied to the client as shown in fig. 1. The server 200 is configured to execute the quantum encryption based digital signature method applied to the server as shown in fig. 3. The quantum key machine 300 is configured to distribute quantum shared keys to the client 100 and the server 200.
Specifically, when signature authentication is required between the client 100 and the server 200, the client 100 and the server 200 each request the quantum shared key from the quantum key machine 300. After receiving the requests of the client 100 and the server 200, the quantum key machine distributes the same quantum shared key to the client 100 and the server 200, respectively. In one specific implementation, as can be seen in fig. 6, client 100A and client 100B need to conduct a video conference through server 200. Before proceeding with the video conference, they need to be signed and authenticated by the server 200 in order to register with the server 200. Thus, client 100A and client 100B may each request the quantum key machine 300, via network address translation 400, to assign quantum shared keys. Meanwhile, the server 200 also requests the quantum key machine 300 to distribute the quantum shared key. The quantum key machine 300 receives the request from the server 200 and, through the network address translation 400, the requests from the clients 100A and 100B, and then distributes the quantum shared keys to the server 200 and the clients 100A and 100B, respectively.
Specifically, for some applications requiring a higher conference security level, the client may be deployed in combination with network address translation, so that the processes of allocation, authentication, signaling/code stream encryption of the quantum shared key may be implemented in combination with network address translation, so as to improve the security of data transmission. In the scenario of network address translation, in order that a server side can directly call clients in the network address translation, each client side can actively register own information on the server side in a TCP connection mode, and then the server side can actively call the client side. Therefore, the video conference is divided into an internal network and an external network by a network address conversion proxy mode, and the video conference equipment can pass through network address conversion or a firewall by improving a video conference protocol stack communication mode, and the proxy server forwards signaling and code stream data to a destination terminal, so that the establishment of the video conference is realized. In the following embodiments, the description is performed in conjunction with network address translation, which is not limited to this application, and application scenarios without network address translation are also within the scope of the application.
Further, after the client 100 and the server 200 obtain the quantum shared key, signature authentication may be performed by the methods illustrated in fig. 1 and 3. In one specific implementation, referring to fig. 7, the client 100A and the client 100B may each send the authentication message $C_0$ to the server 200 through the network address translation 400 for the server 200 to perform authentication, and the authentication result is returned through the network address translation 400, so as to complete signature authentication between the clients 100A and 100B and the server 200.
After the authentication between the client 100 and the server 200 is completed, the client 100 and the server 200 may perform encrypted transmission of signaling and/or code stream by using the authentication information from the authentication. Specifically, the authentication information includes at least a second symmetric key. The second symmetric key may be a shared key $M_1$ randomly generated by the client 100. Because the shared key is randomly generated by the client, the server does not need to generate and manage a large number of client-server key pairs, which improves the performance of the quantum encryption proxy server video conference. Therefore, after the server 200 successfully authenticates the client 100, the server 200 and the client 100 communicate in the following manner:
The client 100 uses the second symmetric key $M_1$ to encrypt the first signaling and/or the first code stream $D_{c1}$, generating first encrypted transmission data $C_{m1} = E(M_1, D_{c1})$, which may be sent to the server 200 via network address translation. The server 200 uses the second symmetric key $M_1$ to decrypt the first encrypted transmission data $C_{m1} = E(M_1, D_{c1})$ sent by the client 100 and obtain the first signaling and/or the first code stream $D_{c1}$ sent by the client.
The server 200 uses the second symmetric key $M_1$ to encrypt the second signaling and/or the second code stream $D_{s1}$, generating second encrypted transmission data $S_{m1} = E(M_1, D_{s1})$, which is sent to the client 100 via network address translation. The client 100 uses the second symmetric key $M_1$ to decrypt the second encrypted transmission data $S_{m1}$ sent by the server and obtain the second signaling and/or the second code stream $D_{s1}$ sent by the server.
In some implementations, a server side is connected with a plurality of clients. Taking two clients 100A and 100B shown in fig. 8 as an example, a data transmission process after both the clients 100A and 100B pass authentication will be described.
The client 100A uses the second symmetric key $M_{1A}$, randomly generated at the local end, to encrypt the first signaling and/or the first code stream $D_{c1A}$, generating first encrypted transmission data $C_{m1A} = E(M_1, D_{c1A})$, which may be sent to the server 200 via network address translation. The server 200 uses the second symmetric key $M_{1A}$ to decrypt the first encrypted transmission data $C_{m1A} = E(M_1, D_{c1A})$ sent by the client 100A and obtain the first signaling and/or the first code stream $D_{c1A}$ sent by the client.
The server 200 uses the second symmetric key $M_{1B}$ of the client 100B to encrypt the second signaling and/or the second code stream $D_{s2B}$ (in a data forwarding scenario, $D_{s2B}$ and $D_{c1A}$ are the same), generating second encrypted transmission data $S_{m2B} = E(M_1, D_{s2B})$, which is sent to the client 100B via network address translation. The client 100B uses the second symmetric key $M_{1B}$ to decrypt the second encrypted transmission data $S_{m2B}$ sent by the server and obtain the second signaling and/or the second code stream $D_{s2B}$ sent by the server. The client 100B may send encrypted data to the server 200, and the server 200 may send encrypted data to the client 100A, in the same manner, which is not described herein again.
In some specific implementations of the foregoing embodiments, when the client 100 and the server 200 communicate with each other, the code stream and the signaling may both be encrypted, which effectively prevents a third party from capturing packets on the network, analyzing the content of the conference signaling, and thereby attacking the video conference.
In some specific implementations of the foregoing embodiments, the SM4 cryptographic algorithm may be used to encrypt the signaling and the code streams, so as to prevent a third party from eavesdropping on or cracking video conference data, thereby making video conference communication more secure and reliable.
Referring now to fig. 9, fig. 9 illustrates a schematic diagram of a quantum-shared key distribution process for a quantum-encryption-based digital signature system with multiple quantum key machines according to an embodiment of the present application. In this embodiment, the client 1, the client 2, and the server 1 are connected to the quantum key machine 1, and the client 3, the client 4, and the server 2 are connected to the quantum key machine 2. The client 1, the client 2, the server 1 and the quantum key machine 1 distribute the quantum shared key in the manner described above; the client 3, the client 4, the server 2, and the quantum key machine 2 perform distribution of the quantum shared key in the manner described above. In order to realize the communication between the client 1, the client 2, the server 1, the client 3, the client 4, and the server 2, the quantum key machine 1 and the quantum key machine 2 also perform the quantum shared key negotiation.
In this way, the number of clients, servers and quantum key machines can be expanded.
The above illustrates a plurality of implementations of the present application by way of example, and the present application is not limited thereto, and in each implementation, the addition, the omission and the sequence change of the devices are all within the protection scope of the present application; the embodiments may be implemented individually or in combination.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium is further provided, on which a computer program is stored, which when executed by, for example, a processor, can implement the steps of the quantum encryption-based digital signature method described in any one of the above embodiments. In some possible embodiments, the various aspects of the present application may also be implemented in the form of a program product, which includes program code for causing a terminal device to perform the steps according to the various exemplary embodiments of the present application described in the above-mentioned quantum cryptography-based digital signature methods section of this specification, if the program product is run on the terminal device.
Referring to fig. 10, a program product 800 for implementing the above method according to an embodiment of the present application is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present application is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable storage medium may be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the tenant computing device, partly on the tenant device, as a stand-alone software package, partly on the tenant computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing devices may be connected to the tenant computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
In an exemplary embodiment of the present disclosure, there is also provided an electronic device, which may include a processor, and a memory for storing executable instructions of the processor. Wherein the processor is configured to perform the steps of the quantum encryption based digital signature method in any of the above embodiments via execution of the executable instructions.
As will be appreciated by one skilled in the art, aspects of the present application may be embodied as a system, method or program product. Accordingly, various aspects of the present application may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module," or "system."
An electronic device 600 according to this embodiment of the present application is described below with reference to fig. 11. The electronic device 600 shown in fig. 11 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 11, the electronic device 600 is embodied in the form of a general purpose computing device. The components of the electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one storage unit 620, a bus 630 that connects the various system components (including the storage unit 620 and the processing unit 610), a display unit 640, and the like.
Wherein the storage unit stores program code, which can be executed by the processing unit 610, so that the processing unit 610 executes the steps according to various exemplary embodiments of the present application described in the above-mentioned quantum encryption based digital signature method part of the present specification. For example, the processing unit 610 may perform the steps as shown in fig. 1 or 3.
The storage unit 620 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 6201 and/or a cache memory unit 6202, and may further include a read-only memory unit (ROM) 6203.
The memory unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which or some combination thereof may comprise an implementation of a network environment.
Bus 630 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 600 may also communicate with one or more external devices 700 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a tenant to interact with the electronic device 600, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 600 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 650. Also, the electronic device 600 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 660. The network adapter 660 may communicate with other modules of the electronic device 600 via the bus 630. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, to name a few.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, and may also be implemented by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, or a network device, etc.) to execute the above-mentioned digital signature method based on quantum encryption according to the embodiments of the present disclosure.
Therefore, compared with the prior art, the scheme provided by the application has the following advantages:
First, the first public key in the digital signature is encrypted with a quantum shared key obtained from the quantum key machine, so the quantum shared key shows that the first public key was sent by a client communicating with the quantum key machine, and the identity of the sender can be determined. Second, the first public key is transmitted over the network encrypted with the quantum shared key; a third party without the quantum shared key cannot decrypt it, and even if the third party intercepts and tampers with the message, it cannot encrypt data without the quantum shared key, so the server fails in decryption and cannot complete the authentication of the digital signature, which improves authentication security. Third, the quantum shared key obtained from the quantum key machine is used to encrypt the digitally signed message, the message digest algorithm and the first public key, so that the digital signature is absolutely secret throughout the authentication process and third parties on the network are prevented from tampering with and forging data. Fourth, the authentication process is completed through a single data interaction between the client and the server, which reduces the number of information interaction steps and improves data interaction efficiency.
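The single-message authentication summarised above, followed by the post-authentication exchange $C_{m1} = E(M_1, D_{c1})$ described earlier, is shown here as an added example that is not code from the patent. Assumptions: `E`/`D` are a stand-in encrypt-then-MAC construction rather than SM4 (modelled as authenticated so that a modified ciphertext fails to decrypt, as the paragraph states), the signature is unpadded RSA over a fixed toy key, and the digest candidates, function names and message fields are hypothetical.

```python
import hashlib
import hmac
import secrets

ALLOWED_DIGESTS = ("sha256", "sha384", "sha512")  # assumed candidate set and server allow-list

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stand-in for a real cipher such as SM4."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def E(key, data):
    """E(K, D) from the description, modelled as encrypt-then-MAC (assumption)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def D(key, blob):
    """Inverse of E; raises ValueError on a wrong key or a modified ciphertext."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Toy RSA key built from two fixed Mersenne primes. The scheme calls for a
# randomly generated first key pair; this fixed key is for illustration only.
_P, _Q, _E = 2**521 - 1, 2**607 - 1, 65537

def new_key_pair():
    n = _P * _Q
    d = pow(_E, -1, (_P - 1) * (_Q - 1))
    return (n, _E), (n, d)

def client_authenticate(qkey, auth_info):
    """Client side (claim 1): build the four items sent to the server."""
    alg = secrets.choice(ALLOWED_DIGESTS)          # randomly selected digest algorithm
    (n, e), (_, d) = new_key_pair()
    digest = int.from_bytes(hashlib.new(alg, auth_info).digest(), "big")
    return {
        "auth": E(qkey, auth_info),                # first encrypted authentication data
        "alg": E(qkey, alg.encode()),              # message digest algorithm encrypted data
        "pub": E(qkey, f"{n:x}:{e:x}".encode()),   # first public key encrypted data
        "sig": pow(digest, d, n),                  # digest "encrypted" with the first private key
    }

def server_verify(qkey, msg):
    """Server side (claim 6): return the authentication information, or None."""
    try:
        auth_info = D(qkey, msg["auth"])
        alg = D(qkey, msg["alg"]).decode()
        n, e = (int(x, 16) for x in D(qkey, msg["pub"]).decode().split(":"))
        if alg not in ALLOWED_DIGESTS:             # never hash with an unvetted algorithm name
            return None
        first = pow(msg["sig"], e, n)              # first to-be-authenticated digest
    except ValueError:
        return None
    second = int.from_bytes(hashlib.new(alg, auth_info).digest(), "big")
    return auth_info if first == second else None

def demo():
    qkey = secrets.token_bytes(32)   # constructed stand-in for the quantum shared key
    m1 = secrets.token_bytes(16)     # second symmetric key M_1, generated by the client
    msg = client_authenticate(qkey, m1)
    accepted = server_verify(qkey, msg)
    blob = msg["auth"]
    tampered = dict(msg, auth=blob[:20] + bytes([blob[20] ^ 1]) + blob[21:])
    rejected_tamper = server_verify(qkey, tampered)
    rejected_key = server_verify(secrets.token_bytes(32), msg)
    rejected_sig = server_verify(qkey, dict(msg, sig=msg["sig"] ^ 1))
    c_m1 = E(accepted, b"INVITE conference-1")     # constructed signaling D_c1
    return accepted == m1, rejected_tamper, rejected_key, rejected_sig, D(m1, c_m1)

if __name__ == "__main__":
    print(demo())
```

The server rejects the message when any encrypted item is modified, when the sender lacks the quantum shared key, or when the signature does not match the digest it recomputes over the decrypted authentication information.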
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (10)

1. A digital signature method based on quantum encryption is applied to a client and comprises the following steps:
the client receives a quantum shared secret key distributed by a quantum secret key machine, and the quantum shared secret key is also distributed to the server;
the client encrypts authentication information by using the quantum shared secret key to generate first encrypted authentication data, wherein the authentication information is used for encrypting communication between the client and the server;
the client encrypts a randomly selected message digest algorithm by using the quantum shared secret key to generate message digest algorithm encrypted data;
the client executes the message digest algorithm on the authentication information to generate digital digest data of the authentication information;
the client encrypts a first public key of a first key pair generated randomly by using the quantum shared secret key to generate first public key encrypted data;
the client encrypts the digital digest data by using a first private key of the first key pair to generate a digital signature;
and the client sends the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature to a server so that the server can obtain the authentication information by using the quantum shared secret key and authenticate the digital signature.
2. The digital signature method based on quantum encryption according to claim 1, wherein the authentication information at least includes a second symmetric key, and after the server successfully authenticates the client:
the client encrypts a first signaling and/or a first code stream by using the second symmetric key to generate first encrypted transmission data, and the first encrypted transmission data is transmitted to the server through network address translation; and/or
the client uses the second symmetric key to decrypt the second encrypted transmission data sent by the server to obtain a second signaling and/or a second code stream sent by the server.
3. The quantum encryption-based digital signature method as claimed in claim 2, wherein the authentication information comprises a first authentication identifier randomly generated by the client and an authentication identifier bit, the authentication identifier bit comprising a first value for indicating that the client requests to continue connection with the server and a second value for indicating that the client requests to re-authenticate with the server, the method further comprising:
in response to the connection between the client and the server being disconnected and the client requesting to continue the connection with the server, the client uses the first authentication identifier and the authentication identifier bit set to the first value as parameters of the authentication information, again generates the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature, and sends them to the server, so that the server, based on the value of the authentication identifier bit, compares the first authentication identifier with a second authentication identifier locally stored by the server to determine whether the client is successfully authenticated;
in response to an authentication success message returned by the server, the client continues to use the second symmetric key to exchange signaling and/or code stream with the server;
and in response to an authentication failure returned by the server, the client randomly generates a third authentication identifier, uses the third authentication identifier and the authentication identifier bit set to the second value as parameters of the authentication information, again generates the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature, and sends them to the server, so that the server, according to the value of the authentication identifier bit, executes the steps of obtaining the authentication information by using the quantum shared secret key and authenticating the digital signature.
4. The digital signature method based on quantum encryption according to claim 3, wherein the client sends the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data, and the digital signature to the server, so that the server obtains the authentication information using the quantum shared key, and locally stores the first authentication identifier in the server as the second authentication identifier, and the second authentication identifier is valid in response to that a time interval between the current time and a connection disconnection between the client and the server is less than or equal to a first session keep-alive period.
5. The quantum-encryption-based digital signature method according to claim 4, wherein the client using the first authentication identifier and the authentication identifier bit set to the first value as parameters of the authentication information, again generating the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature, and sending them to the server comprises:
in response to the time interval between the current time and the disconnection between the client and the server being less than or equal to a second session keep-alive period, the client uses the first authentication identifier and the authentication identifier bit set to the first value as parameters of the authentication information, again generates the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature, and sends them to the server, wherein the second session keep-alive period is less than the first session keep-alive period;
and in response to the time interval between the current time and the disconnection between the client and the server being greater than the second session keep-alive period, the client randomly generates the third authentication identifier, uses the third authentication identifier and the authentication identifier bit set to the second value as parameters of the authentication information, again generates the first encrypted authentication data, the message digest algorithm encrypted data, the first public key encrypted data and the digital signature, and sends them to the server, so that the server, according to the value of the authentication identifier bit, executes the steps of obtaining the authentication information by using the quantum shared secret key and authenticating the digital signature.
6. A digital signature method based on quantum encryption is applied to a server side and comprises the following steps:
the server receives a quantum shared secret key distributed by a quantum secret key machine, and the quantum shared secret key is also distributed to the client;
the server receives the first encrypted authentication data, message digest algorithm encrypted data, first public key encrypted data and a digital signature which are sent by the client by executing the quantum encryption-based digital signature method according to any one of claims 1 to 5;
the server side decrypts the first encrypted authentication data by using the quantum shared secret key to obtain the authentication information;
the server side decrypts the encrypted data of the message digest algorithm by using the quantum shared secret key to obtain the message digest algorithm;
the server side decrypts the first public key encrypted data by using the quantum shared secret key to obtain a first public key of the first secret key pair;
the server side decrypts the digital signature by using the first public key to obtain first to-be-authenticated digital digest data;
the server executes the message digest algorithm on the authentication information to obtain second to-be-authenticated digital digest data;
and in response to the first to-be-authenticated digital digest data being consistent with the second to-be-authenticated digital digest data, the server sends an authentication success message to the client.
7. The digital signature method based on quantum encryption of claim 6, wherein the authentication information at least comprises a second symmetric key, and after the server successfully authenticates the client:
the server side encrypts a second signaling and/or a second code stream by using the second symmetric key to generate second encrypted transmission data, and the second encrypted transmission data is transmitted to the client side through network address translation; and/or
the server side decrypts the first encrypted transmission data sent by the client side by using the second symmetric key to obtain a first signaling and/or a first code stream sent by the client side.
8. A digital signature system based on quantum cryptography, comprising:
a client configured to perform the quantum cryptography-based digital signature method of any one of claims 1 to 5;
a server configured to execute the quantum encryption based digital signature method according to claim 6 or 7; and
a quantum key machine configured to distribute quantum shared keys to the client and the server.
9. The quantum encrypted digital signature system of claim 8, wherein the client requests a quantum shared key from the quantum key machine through network address translation, and the quantum key machine distributes the quantum shared key to the client through the network address translation.
10. The quantum encrypted digital signature system according to claim 8, wherein the number of the quantum key machines is plural, and the plural quantum key machines negotiate a quantum shared key to determine the quantum shared key distributed to the server and the client connected to each other.
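The reconnection logic of claims 3 to 5 can be followed as a small state machine; this is an added example, not code from the patent. The signature check of claim 6 is assumed to have passed before `authenticate` runs, and the numeric flag values, class names, the choice of the second value for the initial authentication, and the keep-alive periods (60 s and 45 s) are assumptions made for illustration.

```python
import hmac
import secrets

CONTINUE, REAUTH = 0, 1  # the claims' "first value" / "second value"; the numbers are assumed

class Server:
    def __init__(self, first_keepalive):
        self.t1 = first_keepalive   # first session keep-alive period (claim 4)
        self.sessions = {}          # client id -> [second authentication identifier, disconnect time]
        self.requests = 0           # authentication messages received

    def on_disconnect(self, cid, now):
        if cid in self.sessions:
            self.sessions[cid][1] = now

    def authenticate(self, cid, identifier, flag, now):
        """Decision taken on the authentication identifier bit after decryption."""
        self.requests += 1
        if flag == REAUTH:
            # Full authentication: store the identifier as the second authentication identifier.
            self.sessions[cid] = [identifier, None]
            return True
        entry = self.sessions.get(cid)
        if entry is None or entry[1] is None or now - entry[1] > self.t1:
            return False            # nothing stored, or stored identifier no longer valid
        if not hmac.compare_digest(entry[0], identifier):
            return False            # first and second identifiers differ
        entry[1] = None             # session continues with the existing second symmetric key
        return True

class Client:
    def __init__(self, cid, server, second_keepalive):
        self.cid, self.server = cid, server
        self.t2 = second_keepalive  # second session keep-alive period (claim 5)
        self.identifier = None
        self.disconnected_at = None

    def _full_auth(self, now):
        self.identifier = secrets.token_bytes(16)   # freshly generated random identifier
        return self.server.authenticate(self.cid, self.identifier, REAUTH, now)

    def connect(self, now):
        # Assumption: the initial authentication carries the second value.
        return "authenticated" if self._full_auth(now) else "failed"

    def disconnect(self, now):
        self.disconnected_at = now
        self.server.on_disconnect(self.cid, now)

    def reconnect(self, now):
        elapsed = now - self.disconnected_at
        if elapsed <= self.t2 and self.server.authenticate(
                self.cid, self.identifier, CONTINUE, now):
            return "resumed"
        # Too late to resume, or the server refused: new identifier, second value.
        return "reauthenticated" if self._full_auth(now) else "failed"

def reconnect_after(gap, second_keepalive, first_keepalive=60.0, server_forgets=False):
    """Connect, disconnect, reconnect `gap` seconds later.

    Returns (outcome, authentication messages used, identifier unchanged)."""
    server = Server(first_keepalive)
    client = Client("client-A", server, second_keepalive)   # constructed client id
    client.connect(0.0)
    old = client.identifier
    client.disconnect(100.0)
    if server_forgets:
        server.sessions.clear()     # e.g. the server restarted and lost its stored identifiers
    before = server.requests
    outcome = client.reconnect(100.0 + gap)
    return outcome, server.requests - before, client.identifier == old

if __name__ == "__main__":
    print(reconnect_after(30, 45))                        # inside both periods
    print(reconnect_after(50, 45))                        # past the client's period
    print(reconnect_after(70, 90))                        # constructed misconfiguration
    print(reconnect_after(30, 45, server_forgets=True))   # server rejects, client falls back
```

The third call sets the client period above the server period, which claim 5 rules out: the client then spends an extra authentication message on a continue request the server has already expired.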

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210696436.3A CN115102698A (en) 2022-06-20 2022-06-20 Quantum encrypted digital signature method and system


Publications (1)

Publication Number Publication Date
CN115102698A true CN115102698A (en) 2022-09-23

Family

ID=83290238


Country Status (1)

Country Link
CN (1) CN115102698A (en)

Similar Documents

Publication Publication Date Title
US11316677B2 (en) Quantum key distribution node apparatus and method for quantum key distribution thereof
CN108599925B (en) Improved AKA identity authentication system and method based on quantum communication network
US8788805B2 (en) Application-level service access to encrypted data streams
US11736304B2 (en) Secure authentication of remote equipment
KR101021708B1 (en) Group Key Distribution Method and Server and Client for Implementing the Same
US6725276B1 (en) Apparatus and method for authenticating messages transmitted across different multicast domains
CN111756529B (en) Quantum session key distribution method and system
US20020106085A1 (en) Security breach management
US10015144B2 (en) Method and system for protecting data using data passports
CN109981271B (en) Network multimedia safety protection encryption method
CN112332986B (en) Private encryption communication method and system based on authority control
CN116886288A (en) Quantum session key distribution method and device
JP2012100206A (en) Cryptographic communication relay system, cryptographic communication relay method and cryptographic communication relay program
CN105591748B (en) A kind of authentication method and device
CN107104888B (en) Safe instant messaging method
WO2024041498A1 (en) Secret communication processing method, first terminal, and storage medium
CN115766119A (en) Communication method, communication apparatus, communication system, and storage medium
CN116132025A (en) Key negotiation method, device and communication system based on preset key group
JP2005175992A (en) Certificate distribution system and certificate distribution method
CN112019553B (en) Data sharing method based on IBE/IBBE
CN111431846B (en) Data transmission method, device and system
CN115102698A (en) Quantum encrypted digital signature method and system
CN114760034A (en) Identity authentication method and device
RU2693192C1 (en) Computer-implemented method of providing secure group communications with failure properties, perfect direct privacy and correspondence of text of correspondence
WO2023151427A1 (en) Quantum key transmission method, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination