Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
It will be understood that, as used herein, the terms "first," "second," and the like may be used herein to describe various elements, but these elements are not limited by these terms unless otherwise specified. These terms are only used to distinguish one element from another. For example, a first xx script may be referred to as a second xx script, and similarly, a second xx script may be referred to as a first xx script, without departing from the scope of the present application.
Fig. 1 is a diagram of an application environment of a quantum security verification method for secure file transmission according to an embodiment. As shown in fig. 1, the application environment includes a client 110, a quantum verification server 120, and a file server 130.
The client 110 may be a program running on a computer device, which may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, and the like. The client 110, the quantum verification server 120, and the file server 130 may be connected to each other through a network, which is not limited herein.
The quantum verification server 120 may be an independent physical server or terminal, may be a server cluster formed by a plurality of physical servers, and may be a cloud server providing quantum authentication service.
The file server 130 may be an independent physical server or terminal, may also be a server cluster formed by a plurality of physical servers, and may be a cloud server providing basic cloud computing services such as a cloud server, a cloud database, a cloud storage, and a CDN.
As shown in fig. 2, in an embodiment, a quantum security verification method for secure file transmission is provided, and this embodiment is mainly illustrated by applying the method to the quantum verification server 120 in fig. 1. The method specifically comprises the following steps:
Step S202, receiving service request information from a file server, wherein the service request information comprises a first identity identifier, a second identity identifier and a third identity identifier, and the first identity identifier is used for uniquely identifying the identity of a file to be transmitted; the second identity identifier is used for uniquely identifying the identity of the client, and the third identity identifier is used for uniquely identifying the identity of the file server;
In this embodiment, when a file needs to be transmitted between the client and the file server, the client may first initiate a file transmission request to the file server and send information about the file to be transmitted; when sending that information, the client may also send its own identity information. The client does not communicate directly with the quantum verification server. Instead, the file server sends the information about the file to be transmitted and the identity information of the client to the quantum verification server, and the quantum verification server verifies the identity of the client and the identity of the file server and acquires the information about the file to be transmitted, specifically the first identity identifier recording the identity of the file to be transmitted. Each first identity identifier identifies only one file to be transmitted, and the type of the first identity identifier need not be unique. For example, when the security document is a patent document, the first identity identifier may be its publication number, application number, file name, etc.; when the security document is a technical background, the first identity identifier may be a background name, an internal number, or the like.
Step S204, generating a pair of first quantum verification information and second quantum verification information mutually quantum-authenticated according to the service request information; the first identity identification and the first quantum verification information are sent to the file server side, and the first identity identification and the second quantum verification information are sent to the client side;
In this embodiment, the quantum verification server is mainly configured to verify the credibility of the communication between the client and the file server. The first quantum verification information and the second quantum verification information may be a pair of random numbers, and the correspondence between the pair of random numbers may be recorded in the quantum verification server, so that the authenticity of the pair of random numbers and of their correspondence can be verified in the subsequent process.
Step S206, receiving first verification request information from a file server, wherein the first verification request information comprises a first identity identifier and third quantum verification information received by the file server from a client;
In this embodiment, after the identity of the file server is verified, the file server sends the first verification request information to the quantum verification server to verify that the communication entity in which the file server is located is a trusted communication entity. The first verification request information comprises the first identity identifier of the file to be transmitted and the third quantum verification information from the client. The quantum verification server sends the first quantum verification information to the client, where it is stored; the client sends the content of the first quantum verification information to the file server as the third quantum verification information, and the file server can forward the third quantum verification information directly to the quantum verification server; the content of the third quantum verification information should have been generated by the quantum verification server. After the quantum verification server performs the verification, if the verification is passed, the information sent by the client to the file server can be considered to be authentic, and the file server is authentic and can be used for transmitting the secure file indicated by the first identity identifier.
Step S208, receiving second verification request information from the client, wherein the second verification request information comprises a first identity identifier and fourth quantum verification information received by the client from the file server;
In this embodiment, after the identity of the client is verified, the client sends the second verification request information to the quantum verification server to verify that the communication entity where the client is located is a trusted communication entity. The second verification request information comprises the first identity identifier of the file to be transmitted and the third quantum verification information from the file server. The quantum verification server sends the second quantum verification information to the file server, where it is stored; the file server sends the content of the second quantum verification information to the client as the fourth quantum verification information, and the client forwards the fourth quantum verification information directly to the quantum verification server; the content of the fourth quantum verification information should have been generated by the quantum verification server. After the quantum verification server performs the verification, if the verification passes, the information sent by the file server to the client can be considered to be trusted, and the client is trusted and can be used for transmitting the file indicated by the first identity identifier.
Step S210, verifying whether the first quantum verification information and the third quantum verification information can carry out mutual quantum authentication, and whether the second quantum verification information and the fourth quantum verification information can carry out mutual quantum authentication; if the verification result is yes, the third quantum verification information and the second quantum verification information are the same verification information, and the fourth quantum verification information and the first quantum verification information are the same verification information; and sending an instruction for determining to transmit the file to be transmitted to the file server.
In this embodiment, the quantum authentication server verifies the received first authentication request information and second authentication request information according to the initially generated first quantum authentication information and second quantum authentication information, so as to verify that the communication between the client and the file server is authentic. The pair of first quantum verification information and second quantum verification information initially generated by the quantum verification server are transmitted among the file server, the client and the quantum verification server respectively, and only by verifying that the first quantum verification information is matched with the third quantum verification information and the second quantum verification information is matched with the fourth quantum verification information, the file can be transmitted between the communication main body of the file server and the communication main body of the client, so that the safety of the file is ensured. After the verification is passed, the quantum verification server can send the result to the file server and send an instruction capable of carrying out file transmission so as to carry out the step of uploading the file to the file server by the client or transmitting the file to the client by the file server.
In the embodiment of the invention, the quantum verification server verifies the identities of the file server and the client through the service request of the file server, verifies that the communication between the file server and the client is credible through the first quantum verification information and the second quantum verification information and the first verification request information and the second verification request information, and sends the result to the file server after the verification is passed so as to transmit the file and ensure the security of the file.
As a preferred embodiment, as shown in fig. 3, the verification method further includes the steps of:
step S302, when the service request information describes a file uploading request, the instruction for determining to transmit the file to be transmitted that is sent to the file server is an instruction for storing the file to be transmitted;
step S304, when the service request information describes a file downloading request, sending an instruction for determining to transmit the file to be transmitted to the file server as an instruction for sending the file to be transmitted.
As shown in fig. 6, in an embodiment, when a client needs to upload a secure file to a file server, after the quantum verification server passes verification, an instruction for determining to transmit the file to be transmitted is sent to the file server, where the instruction is an instruction for storing the file to be transmitted, so that the file server receives the secure file uploaded by the client. The client side can send the file to be transmitted to the file server side together when sending the third quantum verification information to the file server side, the file server side caches the file to be transmitted first, and stores the cached file to be transmitted when receiving an instruction for determining to transmit the file to be transmitted, and therefore transmission efficiency of the confidential file is improved.
As shown in fig. 7, in an embodiment, when a client needs to download a secure file from a file server, after the quantum verification server passes verification, an instruction for determining to transmit the file to be transmitted is sent to the file server, so that the client receives the file to be transmitted sent by the file server. The file server side can extract and cache the file to be transmitted when sending the fourth quantum verification information to the client side, and send the cached file to be transmitted to the client side when receiving the instruction for determining to transmit the file to be transmitted, so that the transmission efficiency of the confidential file is improved.
As a preferred embodiment, as shown in fig. 4, the verification method further includes the following steps:
step S402, verifying whether the identities of the client and the file server are legitimate according to the second identity identifier and the third identity identifier, and determining accordingly whether to send the first quantum verification information and the second quantum verification information.
In this embodiment, the client and the file server have registered legitimate identities at the quantum verification server. After receiving the service request information, the quantum verification server verifies whether the client and the file server are legitimate and, once they are verified as legitimate, generates the first quantum verification information and the second quantum verification information according to the first identity identifier in the service request information for subsequent verification.
In a preferred embodiment, the second identity in the first authentication request message of the file server comes from the client. The client does not directly communicate with the quantum verification server before identity verification, the second identity identifier is sent to the file server, and the file server sends the second identity identifier to the quantum verification server. The quantum server can directly know which client and which file server need to transmit files, so that the identities of the client and the file server can be conveniently verified, and subsequent verification steps such as S204-S210 are convenient.
As a preferred embodiment, as shown in fig. 5, the steps before step S202 receives the service request information from the file server include:
step S502, acquiring and storing the binding relationship between the second identity and a fourth identity from the file server, wherein the fourth identity is used for describing the unique identity of the client communication subject.
In the process of the client registering with the quantum verification server, the client sends the first identity of the client and the fourth identity of the communication main body of the client to the file server, the quantum verification server receives the first identity, the fourth identity and their correspondence from the file server, and the quantum verification server binds and stores the correspondence. When the file server sends the service request information to the quantum verification server, the quantum verification server verifies the client identity and the communication subject identity together: it checks whether the client is a registered user and whether the communication subject of the client is the communication subject bound at registration. If the communication subject of the client is not the communication subject bound at registration, the authentication of the client is not passed. That is, one client can only run on one fixed communication main body, thereby further improving the safety.
As a preferred embodiment, the first quantum authentication information and the second quantum authentication information are valid for a set time period.
In this embodiment, effective durations are set for the first quantum verification information and the second quantum information, the first quantum verification information and the second quantum verification information take effect after the two are generated, and the first quantum verification information and the second quantum verification information lose effectiveness after the effective durations; on one hand, the client or the file server is prevented from not processing for a long time, and on the other hand, the complexity of verification information generation is reduced.
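The following sketch is an added example, not code from the patent. It models the quantum verification server side of steps S202 to S210 together with the identity check of S402, the client-to-communication-subject binding of S502 and the validity period, using the token assignment of steps S204 and S210. The class and method names, the use of Python's `secrets` module as a stand-in for the random number source, the keying of sessions by the first identity identifier, and the single-use handling of a session are assumptions of the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    first: bytes        # first verification information, sent to the file server (S204)
    second: bytes       # second verification information, sent to the client (S204)
    expires_at: float   # end of the validity period
    upload: bool        # True for an upload request, False for a download request
    third: Optional[bytes] = None    # reported by the file server (S206)
    fourth: Optional[bytes] = None   # reported by the client (S208)


class VerificationServer:
    """Hypothetical model of the quantum verification server."""

    def __init__(self, ttl: float = 30.0, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self.file_servers = set()   # registered third identity identifiers
        self.bindings = {}          # second identity -> fourth identity (S502)
        self.sessions = {}          # first identity -> Session

    def register_file_server(self, server_id: str) -> None:
        self.file_servers.add(server_id)

    def register_client(self, client_id: str, host_id: str) -> None:
        self.bindings[client_id] = host_id

    def service_request(self, file_id, client_id, server_id, host_id, upload):
        """S202/S402/S204: return (first, second), or None if an identity is rejected."""
        if server_id not in self.file_servers:
            return None
        # A client is accepted only on the communication subject bound at registration.
        if self.bindings.get(client_id) != host_id:
            return None
        session = Session(
            first=secrets.token_bytes(32),   # assumption: CSPRNG stands in for the
            second=secrets.token_bytes(32),  # server's own random number source
            expires_at=self.clock() + self.ttl,
            upload=upload,
        )
        self.sessions[file_id] = session
        return session.first, session.second

    def first_verification_request(self, file_id, third: bytes) -> str:
        """S206: the file server forwards what it received from the client."""
        return self._record(file_id, "third", third)

    def second_verification_request(self, file_id, fourth: bytes) -> str:
        """S208: the client forwards what it received from the file server."""
        return self._record(file_id, "fourth", fourth)

    def _record(self, file_id, field: str, value: bytes) -> str:
        session = self.sessions.get(file_id)
        if session is None:
            return "unknown"
        if self.clock() > session.expires_at:
            del self.sessions[file_id]       # validity period has lapsed
            return "expired"
        setattr(session, field, value)
        if session.third is None or session.fourth is None:
            return "pending"
        del self.sessions[file_id]           # assumption: a pair is used only once
        # S210: third must equal second, and fourth must equal first.
        third_ok = hmac.compare_digest(session.third, session.second)
        fourth_ok = hmac.compare_digest(session.fourth, session.first)
        if not (third_ok and fourth_ok):
            return "reject"
        # S302/S304: the instruction depends on the direction of the transfer.
        return "store" if session.upload else "send"
```
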
As shown in fig. 1, in one embodiment, a secure file transfer system is provided, which may specifically include:
the quantum authentication server is used for executing the quantum security verification method for the confidential document transmission provided by any embodiment;
the file server, which is used for receiving file transmission request information from the client, sending the service request information to the quantum verification server according to the file transmission request information, receiving a first identity and first quantum verification information from the quantum verification server, sending the first quantum verification information to the client as fourth quantum verification information, receiving third quantum verification information from the client, and sending first verification request information to the quantum verification server, wherein the first verification request information comprises the first identity and the third quantum verification information;
the client, which is used for sending the file transmission request information to the file server, receiving a first quantum identification and second quantum verification information sent by the quantum verification server, sending the second quantum verification information to the file server as third quantum verification information, receiving fourth quantum verification information sent by the file server, and sending second verification request information to the quantum verification server, wherein the second verification request information comprises the first quantum identification and the fourth quantum verification information.
In this embodiment, the quantum authentication server, the client, and the file server can establish communication therebetween, and the client and the file server can transmit the confidential file after passing the verification of the quantum authentication server. The quantum verification server verifies the identities of the file server and the client through a service request of the file server, verifies that the communication between the file server and the client is credible through the first quantum verification information and the second quantum verification information and the first verification request information and the second verification request information, and sends a result to the file server after the verification is passed so as to transmit the file and ensure the security of the file.
As a preferred embodiment, when the service request information describes a file uploading request, the client sends a secure file to the file server after receiving second quantum verification information, and the file server temporarily stores the secure file and stores the secure file after receiving an instruction for determining to transmit the file to be transmitted;
when the service request information describes a file downloading request, the file server extracts and temporarily stores the confidential file corresponding to the first identity identifier after receiving the first quantum verification information, and sends the confidential file to the client after receiving an instruction for determining to transmit the file to be transmitted.
In one embodiment, when a client needs to upload a secure file to a file server, after a quantum verification server passes verification, a command for determining to transmit the file to be transmitted is sent to the file server and is a command for storing the file to be transmitted, so that the file server receives the secure file uploaded by the client. The client side can send the file to be transmitted to the file server side together when sending the third quantum verification information to the file server side, the file server side caches the file to be transmitted first, and stores the cached file to be transmitted when receiving an instruction for determining to transmit the file to be transmitted, and therefore transmission efficiency of the confidential file is improved.
In one embodiment, when a client needs to download a confidential file from a file server, after the quantum verification server passes verification, an instruction for determining to transmit the file to be transmitted is sent to the file server, so that the client receives the file to be transmitted sent by the file server. The file server side can extract and cache the file to be transmitted when sending the fourth quantum verification information to the client side, and send the cached file to be transmitted to the client side when receiving the instruction for determining to transmit the file to be transmitted, so that the transmission efficiency of the confidential file is improved.
FIG. 8 is a diagram illustrating an internal structure of a computer device in one embodiment. The computer device may specifically be the quantum verification server in fig. 1. As shown in fig. 8, the computer apparatus includes a processor, a memory, a network interface, an input device, and a display screen connected through a system bus. Wherein the memory includes a non-volatile storage medium and an internal memory. The non-volatile storage medium of the computer device stores an operating system and also stores a computer program, and when the computer program is executed by a processor, the computer program can enable the processor to realize the quantum security verification method for confidential document transmission. The internal memory may also store a computer program, and when the computer program is executed by the processor, the computer program may cause the processor to perform a quantum security authentication method for secure file transmission. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the configuration shown in fig. 8 is a block diagram of only a portion of the configuration associated with the present application, and is not intended to limit the computing device to which the present application may be applied, and that a particular computing device may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, there is provided a quantum verification server comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
step S202, receiving service request information from a file server, wherein the service request information comprises a first identity identifier, a second identity identifier and a third identity identifier, and the first identity identifier is used for uniquely identifying the identity of a file to be transmitted; the second identity is used for uniquely identifying the identity of the client, and the third identity is used for uniquely identifying the identity of the file server;
step S204, generating a pair of first quantum verification information and second quantum verification information of mutual quantum authentication according to the service request information; the method comprises the steps of sending a first identity mark and first quantum verification information to a file server side, and sending the first identity mark and second quantum verification information to a client side;
step S206, receiving first verification request information from the file server, wherein the first verification request information comprises a first identity identifier and third quantum verification information received by the file server from the client;
step S208, receiving second verification request information from the client, wherein the second verification request information comprises a first identity identifier and fourth quantum verification information received by the client from the file server;
step S210, verifying whether the first quantum verification information and the third quantum verification information can carry out mutual quantum authentication or not, and whether the second quantum verification information and the fourth quantum verification information can carry out mutual quantum authentication or not; if the verification result is yes, the third quantum verification information and the second quantum verification information are the same verification information, and the fourth quantum verification information and the first quantum verification information are the same verification information; and sending an instruction for determining to transmit the file to be transmitted to the file server.
In one embodiment, a computer readable storage medium is provided, having a computer program stored thereon, which, when executed by a processor, causes the processor to perform the steps of:
step S202, receiving service request information from a file server, wherein the service request information comprises a first identity identifier, a second identity identifier and a third identity identifier, and the first identity identifier is used for uniquely identifying the identity of a file to be transmitted; the second identity mark is used for uniquely identifying the identity of the client, and the third identity mark is used for uniquely identifying the identity of the file server;
step S204, generating a pair of first quantum verification information and second quantum verification information mutually quantum-authenticated according to the service request information; the method comprises the steps of sending a first identity mark and first quantum verification information to a file server side, and sending the first identity mark and second quantum verification information to a client side;
step S206, receiving first verification request information from a file server, wherein the first verification request information comprises a first identity identifier and third quantum verification information received by the file server from a client;
step S208, receiving second verification request information from the client, wherein the second verification request information comprises a first identity identifier and fourth quantum verification information received by the client from the file server;
step S210, verifying whether the first quantum verification information and the third quantum verification information can carry out mutual quantum authentication, and whether the second quantum verification information and the fourth quantum verification information can carry out mutual quantum authentication; if the verification result is yes, the third quantum verification information and the second quantum verification information are the same verification information, and the fourth quantum verification information and the first quantum verification information are the same verification information; and sending an instruction for determining to transmit the file to be transmitted to the file server.
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in sequence as indicated by the arrows, the steps are not necessarily performed in sequence as indicated by the arrows. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and described, and may be performed in other orders. Moreover, at least a portion of the steps in various embodiments may include multiple sub-steps or multiple stages that are not necessarily performed at the same time, but may be performed at different times, and the order of performance of the sub-steps or stages is not necessarily sequential, but may be performed in turn or alternately with other steps or with at least a portion of the sub-steps or stages of other steps.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a non-volatile computer-readable storage medium, and can include the processes of the embodiments of the methods described above when the program is executed. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present invention. It should be noted that various changes and modifications can be made by those skilled in the art without departing from the spirit of the invention, and these changes and modifications are all within the scope of the invention. Therefore, the protection scope of the present patent should be subject to the appended claims.