CN115276974A - Method and system for quantum security device to access base station - Google Patents

Method and system for quantum security device to access base station Download PDF

Info

Publication number
CN115276974A
CN115276974A CN202210875414.3A CN202210875414A CN115276974A CN 115276974 A CN115276974 A CN 115276974A CN 202210875414 A CN202210875414 A CN 202210875414A CN 115276974 A CN115276974 A CN 115276974A
Authority
CN
China
Prior art keywords
base station
key
quantum security
authentication
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210875414.3A
Other languages
Chinese (zh)
Inventor
傅波海
杨鸽
张仕峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Matrix Time Digital Technology Co Ltd
Original Assignee
Matrix Time Digital Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Matrix Time Digital Technology Co Ltd filed Critical Matrix Time Digital Technology Co Ltd
Priority to CN202210875414.3A priority Critical patent/CN115276974A/en
Publication of CN115276974A publication Critical patent/CN115276974A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/068Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method and a system for quantum security equipment to access a base station, wherein the method comprises the following steps: the quantum security equipment acquires a base station IP address; the quantum security device sends access request information to the base station according to the IP address of the base station and carries a device ID; the base station receives the access request information and sends authentication request information carrying the equipment ID to a verification end; the method provides a method and an authentication scheme specially aiming at how the quantum security equipment accesses the base station, and can carry out security authentication on the quantum security equipment during access so as to ensure the validity of the identity of the quantum security equipment; meanwhile, random numbers generated in the subsequent synchronous key authentication process cannot be obtained and known in advance by the outside and are difficult to counterfeit, the encryption key is selected from the pre-configured root key group, the difficulty of external acquisition is increased, and the safety and reliability of the subsequent base station in downloading the synchronous root key group are greatly improved by combining the double authentication of the quantum security device and the root key center.

Description

Method and system for quantum security device to access base station
Technical Field
The invention relates to the technical field of information security, in particular to a method and a system for quantum security equipment to access a base station.
Background
Traditional information security is achieved through encryption algorithms that rely on computational complexity, however, as computing power has rapidly developed, traditional encryption algorithms that rely on computational complexity face increasingly more severe security risks.
With the society more and more paying attention to the security of communication, the quantum secret communication technology gets the attention of all parties. The method can perfectly overcome the potential safety hazard problem existing in the traditional communication technology, and ensure that the communication process has absolute safety and reliability.
Quantum secure communication is a quantum information technology that is first moved to practical and industrial applications. At present, a plurality of quantum security devices for guaranteeing information security appear on the market, and the quantum security devices can perform quantum encryption on data in use to guarantee high security of the data sent by the quantum security devices; when the multiple quantum security devices need to interact, networking communication with the base station is needed, so that services such as data transmission, key relay and the like are performed. At present, there is no mature method and system specially for quantum security device to access a base station safely, how to perform security authentication on the quantum security device before the quantum security device accesses the base station to ensure the validity of the identity of the quantum security device. If the quantum security device is arranged in an untrusted environment, the quantum security device is easily attacked by a malicious user, and a quantum security network and a user terminal are seriously threatened. Therefore, in the networking process of the quantum security device, a safe and complete authentication mechanism needs to be designed to ensure the security of the quantum security device.
Disclosure of Invention
In order to solve the problems, the invention discloses a method and a system for quantum security equipment to access a base station.
The application provides a method for quantum security equipment to access a base station, which comprises the following steps:
the quantum security equipment acquires a base station IP address, sends access request information to a base station according to the base station IP address and carries equipment ID;
the base station receives the access request information and sends authentication request information carrying the equipment ID to a verification end;
the base station receives first access authentication result information from the verification end, and when the first access authentication result information is identified as successful authentication, the quantum security equipment is allowed to access the base station; and if the equipment ID is in the safety equipment list of the verification end, the generated first access authentication result information is identified as authentication success, otherwise, the generated first access authentication result information is identified as authentication failure.
Further, the method for the quantum security device to obtain the IP address of the base station includes:
the quantum security device sends a base station request message to a base station extranet server;
and the base station extranet server receives the base station request message, allocates a base station for the quantum security equipment according to the access condition and the load condition of the current base station and returns a base station IP address corresponding to the base station to the quantum security equipment.
Further, before the quantum security device accesses the base station, the following operations are also performed:
a root key center acquires a root key group to be distributed to the quantum security device and distributes the root key group to the quantum security device;
after the quantum security device is accessed to the base station, the following operations are also executed:
when the quantum security device sends access request information to the base station, the access request information also carries first verification information;
the root key center receives first verification information from the quantum security device, determines whether a root key group exists according to a device ID in the first verification information, and generates second verification information when the root key group exists; selecting one from a root key group of the root key center as a first key, encrypting the first verification information through the first key to form a first ciphertext, encrypting the second verification information to generate a second ciphertext, and sending the first ciphertext, the second ciphertext and a first key index for determining the first key to the quantum security device;
the quantum security device receives a first ciphertext, a second ciphertext and a first key index, determines a first key according to the first key index to decrypt the first ciphertext and check whether the first ciphertext is the same as first verification information or not, selects one from a root key group stored by the quantum security device as a second key when the first ciphertext is the same as the first verification information, encrypts second verification information through the second key to form a third ciphertext, and sends the third ciphertext and the second key index for determining the second key to the base station, wherein the second key is different from the first key;
the base station receives the third ciphertext and the second key index and sends the third ciphertext and the second key index to the root key center;
the root key center receives the third ciphertext and the second key index, determines a second key according to the second key index to decrypt the third ciphertext and verify whether the third ciphertext is the same as second verification information or not to generate root key center authentication result information, and sends root key group storage position information corresponding to the quantum security device to the base station when the root key center authentication result information is identified as authentication passing;
and the base station receives the authentication result information of the root key center and the storage position information of the root key group, downloads the root key group corresponding to the quantum security equipment from the root key center according to the storage position information of the root key group, and returns the acquisition result information of the root key group to the quantum security equipment.
Under the scene that the quantum security device is connected to the base station again after being disconnected from the base station, the method comprises the following steps:
the quantum security device sends the access request information to the base station again according to the IP address of the base station, wherein the access request information also carries the current network access ID and third verification information;
the base station sends authentication request information to the authentication center again, the base station judges whether the current network access ID exists in the distribution record of the base station, and generates an updated network access ID for the quantum security device when the network access ID exists in the distribution record;
the authentication center determines whether the equipment ID is in a safety equipment list according to the equipment ID in the access request information to generate non-primary access authentication result information, and returns the non-primary access authentication result information to the base station;
if the base station identifies that the non-first-time access authentication result information is successfully authenticated, generating fourth authentication information, searching a root key group stored in the base station according to the received equipment ID, selecting one of the root key groups stored in the base station as a third key, encrypting the third authentication information through the third key to form a fourth ciphertext, encrypting the fourth authentication information to generate a fifth ciphertext, and regenerating a third key index corresponding to the third key; sending a fourth ciphertext, a fifth ciphertext, and a third key index to the quantum security device;
the quantum security device receives a fourth ciphertext, a fifth ciphertext and a third key index, determines a third key in a root key group stored in the quantum security device according to the third key index to decrypt the fourth ciphertext and check whether the third ciphertext is the same as third verification information or not to generate first verification result information, selects one of the root key group stored in the quantum security device as a fourth key when the first verification result information is the same in identification, generates a fourth key index corresponding to the fourth key, encrypts the fourth verification information through the fourth key to form a sixth ciphertext, and sends the sixth ciphertext and the fourth key index to the base station, wherein the fourth key is different from the third key;
the base station receives the sixth ciphertext and the fourth key index, determines a fourth key in a root key group stored in the base station according to the fourth key index to decrypt the sixth ciphertext and check whether the sixth ciphertext is the same as fourth verification information or not to generate second verification result information, and sends an access completion message to the quantum security device when the second verification result information is identified as the same, wherein the access completion message carries an updated network access ID;
and the quantum security equipment receives the access completion message and is connected with the base station through the updated network access ID in the access completion message.
Further, the first authentication information includes a first random number generated by the quantum security device, the second authentication information includes a second random number generated by the root key center, the third authentication information includes a third random number generated by the quantum security device, and the fourth authentication information includes a fourth random number generated by the base station.
Further, the first random number, the second random number, the third random number and the fourth random number are quantum true random numbers.
Further, the base station also allocates a network access ID to the quantum security device after recognizing that the authentication result information of the first access is successfully authenticated; the authentication center also records the network access ID.
The application also provides a system for accessing the quantum security equipment to the base station, wherein the system comprises the quantum security equipment, the base station and an authentication center;
the quantum security device is used for acquiring a base station IP address and sending access request information to the base station according to the base station IP address, wherein the access request information carries a device ID;
the base station is used for receiving the access request information, sending the equipment ID to the authentication center, receiving first access authentication result information from the authentication center, and allowing the quantum security equipment to access the base station when the first access authentication result information is identified as successful authentication;
the authentication center is used for receiving the equipment ID from the base station and generating first access authentication result information which is used for being sent to the base station, the first access authentication result information is generated according to whether the equipment ID is in a safety equipment list of the authentication center, if the equipment ID is in the safety equipment list of the authentication center, the generated first access authentication result information is marked as authentication success, and if not, the generated first access authentication result information is marked as authentication failure.
Further, the system also comprises a base station extranet server and a DNS server;
the base station external network server is used for receiving a base station request message from the quantum security equipment and distributing a base station to the quantum security equipment according to the access condition and the load condition of the current base station to return a base station IP address corresponding to the base station;
the DNS server is used for receiving an address query request from the quantum security equipment and sending an IP address of a base station extranet server to the quantum security equipment according to the address query request;
the quantum security device is also used for receiving an IP address of the base station extranet server and connecting the base station extranet server according to the IP address of the base station extranet server.
Compared with the prior art, the invention has the beneficial effects that: the method of the application provides a method and an authentication scheme specially aiming at how the quantum security equipment is accessed to the base station, and can carry out security authentication on the quantum security equipment during access so as to ensure the validity of the identity of the quantum security equipment;
the system comprises quantum security equipment, a base station and a root key center, wherein the same root key group is preset in the quantum security equipment and the root key center; the method comprises the steps that when the quantum security device and a root key center are accessed, random numbers generated by the opposite side are mutually encrypted, decryption keys are determined from respective root key groups, after decryption ciphertexts are successfully verified with the random numbers generated by the quantum security device and the root key center, generated authentication information is marked as authentication passing, and then a base station is allowed to download and synchronize the root key group corresponding to the quantum security device from the root key center; the random number generated in the process cannot be obtained and known in advance by the outside, cannot be predicted, and is difficult to counterfeit, the encryption key is selected from the root key set configured in advance, the difficulty of external acquisition is increased, and the security and the reliability of the subsequent base station in downloading the synchronous root key set are greatly improved by combining the dual authentication of the quantum security device and the root key center.
Drawings
Fig. 1 is a timing diagram of a quantum security device accessing a base station in an embodiment of the present application;
fig. 2 is a timing diagram in a scenario in which a quantum security device is disconnected from a base station and then re-accesses the base station in an embodiment of the present application;
fig. 3 is a system block diagram of a quantum security device accessing a base station in an embodiment of the present application;
fig. 4 is a flowchart of a method for a quantum security device to access a base station in this embodiment.
Detailed Description
In order to make the purpose, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the accompanying drawings, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Example 1: a method for a quantum security device to access a base station, the method comprising:
the quantum security equipment sends a base station request message to a base station extranet server;
the base station external network server receives a base station request message, allocates a base station for the quantum security equipment according to the access condition and the load condition of the current base station and returns a base station IP address corresponding to the base station to the quantum security equipment; access conditions refer to base stations that are currently online or available for use; the load condition refers to the load condition of each current base station, and the base station external network server preferentially distributes base stations with lower loads to the quantum security equipment;
see steps S201-S203 in fig. 4: the quantum security device sends access request information to a base station according to the IP address of the base station and carries a device ID;
the base station receives the access request information and sends authentication request information carrying the equipment ID to a verification end;
the base station receives first access authentication result information from the verification end, and when the first access authentication result information is identified to be successful in authentication, the quantum security equipment is allowed to access the base station; and if the equipment ID is in the safety equipment list of the verification end, the generated first access authentication result information is identified as authentication success, otherwise, the generated first access authentication result information is identified as authentication failure.
In addition, the base station also allocates a network access ID to the quantum security device after recognizing that the first access authentication result information is successfully authenticated; the authentication center also records the network access ID, and the network access ID is recorded through the authentication center so that a service provider can know which base station the quantum security equipment is currently accessed to.
When the authentication result information is identified as that the authentication is successful, the authentication center also executes the following operations:
the authentication center sends storage position information of the root key group corresponding to the quantum security equipment to the base station, the base station is also used for synchronizing the root key group with the quantum security equipment after the quantum security equipment is accessed, and the base station searches and determines the position of the root key group corresponding to the quantum security equipment through the returned storage position information of the root key group.
The method for the base station to obtain the corresponding root key group in the quantum security device includes:
a root key center acquires a root key group to be distributed to the quantum security device and distributes the root key group to the quantum security device; specifically, an offline or online distribution mode can be used, and the root key group is formed by true random numbers generated by quantum true random numbers;
when the quantum security device sends access request information to the base station, the access request information also carries first verification information;
the root key center receives first verification information from the quantum security device, determines whether a root key group exists according to a device ID in the first verification information, and generates second verification information when the root key group exists; selecting one from a root key group of the root key center as a first key, encrypting the first verification information through the first key to form a first ciphertext, encrypting the second verification information to generate a second ciphertext, and sending the first ciphertext, the second ciphertext and a first key index for determining the first key to the quantum security device;
the quantum security device receives a first ciphertext, a second ciphertext and a first key index, determines a first key according to the first key index to decrypt the first ciphertext and check whether the first ciphertext is the same as first verification information or not, selects one from a root key group stored by the quantum security device as a second key when the first ciphertext is the same as the first verification information, encrypts second verification information through the second key to form a third ciphertext, and sends the third ciphertext and the second key index for determining the second key to the base station, wherein the second key is different from the first key;
the base station receives the third ciphertext and the second key index and sends the third ciphertext and the second key index to the root key center;
the root key center receives the third ciphertext and the second key index, determines a second key according to the second key index to decrypt the third ciphertext and verify whether the third ciphertext is the same as second verification information or not to generate root key center authentication result information, and sends root key group storage position information corresponding to the quantum security device to the base station when the root key center authentication result information is identified as authentication passing;
and the base station receives the authentication result information of the root key center and the storage position information of the root key group, downloads the root key group corresponding to the quantum security equipment from the root key center according to the storage position information of the root key group, and returns the acquisition result information of the root key group to the quantum security equipment.
The first authentication information comprises a first random number generated by the quantum security device, the second authentication information comprises a second random number generated by the root key center, and the first random number and the second random number are quantum true random numbers;
the first key and the second key adopt different keys, and the first key and the second key can be selected in sequence when being selected, such as storage sequence or time sequence; when the second key is selected, the previous first key can be removed from the root key group in advance, and then random selection is carried out from the rest root key groups; each key in the first root key set and the second root key set may have a corresponding identifier established in advance, and a key index is established according to the identifier to facilitate the lookup and determination of subsequent keys.
The random number generated in the authentication process is obtained by the two parties from the inside in real time, and the outside cannot know and predict in advance and is difficult to counterfeit; the encryption key is selected from a pre-configured root key group, external unsafe equipment is difficult to directly acquire the information of the root key group, only the index of the encryption key is transmitted in the authentication process, the key cannot be leaked even if the encryption key is acquired externally, and further the generated random number cannot be decrypted and verified through a correct key in the subsequent authentication process; therefore, by generating random numbers and combining a mutual encryption and decryption verification mode of the two parties and double authentication of the quantum security device and the root key center, the security and the reliability of the base station and the root key center when the root key group is synchronized can be greatly improved.
Example 2: the method comprises the following steps that in a scene that the quantum security device is disconnected with the base station and then is accessed into the base station again:
the quantum security device sends the access request information to the base station again according to the IP address of the base station, wherein the access request information also carries the current network access ID and third verification information;
the base station sends authentication request information to the authentication center again, the base station judges whether the current network access ID exists in the distribution record of the base station, and generates an updated network access ID for the quantum security device when the network access ID exists in the distribution record;
the authentication center determines whether the equipment ID is in a safety equipment list according to the equipment ID in the access request information to generate non-primary access authentication result information, and returns the non-primary access authentication result information to the base station;
if the base station identifies that the non-first-time access authentication result information is successfully authenticated, generating fourth authentication information, searching a root key group stored in the base station according to the received equipment ID, selecting one of the root key groups stored in the base station as a third key, encrypting the third authentication information through the third key to form a fourth ciphertext, encrypting the fourth authentication information to generate a fifth ciphertext, and regenerating a third key index corresponding to the third key; sending a fourth ciphertext, a fifth ciphertext, and a third key index to the quantum security device;
the quantum security device receives a fourth ciphertext, a fifth ciphertext and a third key index, determines a third key in a root key group stored in the quantum security device according to the third key index to decrypt the fourth ciphertext and check whether the third ciphertext is the same as third verification information or not to generate first verification result information, selects one of the root key group stored in the quantum security device as a fourth key when the first verification result information is the same in identification, generates a fourth key index corresponding to the fourth key, encrypts the fourth verification information through the fourth key to form a sixth ciphertext, and sends the sixth ciphertext and the fourth key index to the base station, wherein the fourth key is different from the third key;
the base station receives the sixth ciphertext and the fourth key index, determines a fourth key in a root key group stored in the base station according to the fourth key index to decrypt the sixth ciphertext and check whether the sixth ciphertext is the same as fourth verification information or not to generate second verification result information, and sends an access completion message to the quantum security device when the second verification result information is identified as the same, wherein the access completion message carries an updated network access ID;
and the quantum security equipment receives the access completion message and is connected with the base station through the updated network access ID in the access completion message.
The third verification information comprises a third random number generated by the quantum security device, the fourth verification information comprises a fourth random number generated by the base station, and the third random number and the fourth random number are quantum true random numbers;
in this scenario, the reason why authentication is also needed is that whether the quantum security device is allowed to access or not needs to be controlled in the hand of the service provider, rather than allowing access only when network communication and the key are normal.
In embodiment 1-2, the first authentication information includes a first random number generated by the quantum security device, the second authentication information includes a second random number generated by the root key center, the third authentication information includes a third random number generated by the quantum security device, and the fourth authentication information includes a fourth random number generated by the base station;
the first random number, the second random number, the third random number and the fourth random number are quantum true random numbers; the quantum true random number is generated through a quantum random number generator, and a completely unpredictable random sequence can be obtained through the quantum random number generator;
the base station also allocates a network access ID to the quantum security device after recognizing that the first access authentication result information is successfully authenticated;
the base station also carries a network access ID when sending the authentication request information to the authentication center;
and the authentication center records the network access ID after receiving the network access ID so as to enable a service provider to know which base station the quantum security equipment is currently accessed to.
Example 3: referring to fig. 1 to 3, the present application further provides a system for accessing a quantum security device to a base station, which is specifically applied to a scenario where the quantum security device 100 accesses the base station 200 for the first time or accesses the base station 200 again after being returned to a factory for reset, where the system includes the quantum security device 100, the base station 200, an authentication center 300, and a root key center 400, a second root key group is preset in the quantum security device 100, a first root key group is preset in the root key center 400, and the first root key group is the same as the second root key group;
the quantum security device 100 at least includes a quantum encryption/decryption apparatus based on quantum encryption/decryption technology and an external communication interface to implement quantum secure communication, for example, a quantum terminal mentioned in the patent application document with chinese patent application number CN 201611255339.1;
the root key group in the quantum security device 100 and the root key center 400 is composed of a plurality of quantum keys, and specifically may be a security key generated by a quantum key distribution apparatus, so as to be a "one-time pad" unconditionally secure in principle, wherein a second root key group in the quantum security device 100 is preset when leaving a factory; the root key center 400 usually stores a plurality of root key sets of the quantum security device 100, and in practical application, the storage location of the corresponding root key set may be determined according to the device ID of the quantum security device 100;
the quantum security device 100 is configured to obtain a base station IP address, and send access request information to the base station 200 according to the base station IP address, where the access request information carries a device ID;
the base station 200 is configured to receive the access request information, send the device ID to the authentication center 300, receive authentication result information of first access from the authentication center 300, and allow the quantum security device 100 to access the base station 200 when the authentication result information of first access is identified as authentication success;
the authentication center 300 is configured to receive the device ID and generate first access authentication result information for sending to the base station 200, where the first access authentication result information is generated according to whether the device ID is in the security device list of the authentication center 300, and if the device ID is in the security device list of the authentication center 300, the generated first access authentication result information is identified as authentication success, otherwise, the generated first access authentication result information is identified as authentication failure.
When the base station 200 needs to synchronize the root key group for the key relay service, the quantum security device 100 is further configured to generate a first message to be sent to the root key center 400, where the first message includes a first random number; acquiring a second message generated by the root key center 400, wherein the second message comprises a first key cable, a first ciphertext and a second ciphertext, determining the first key in a preset second root key group according to the first key index to decrypt the first ciphertext to obtain a first plaintext, decrypting the second ciphertext to obtain a second plaintext, verifying whether the first plaintext is the same as the first random number and generating first authentication information, selecting any one from the preset second root key group as a second key to generate a second key index corresponding to the second key, encrypting the second plaintext through the second key to generate a third ciphertext, and sending the first authentication information, the second key index and the third ciphertext to the root key center 400;
the first random number and the second random number are both generated through a quantum random number generator to ensure that a third party cannot predict and know, and the quantum random number generator can be a true random number generator related to a patent document with Chinese patent application No. CN.201410478930.8; the quantum security device 100, the root key center 400 and the base station 200 are all provided with a quantum random number generator, the first random number is obtained by the quantum security device 100 through a local quantum random number generator thereof, and the second random number is obtained by the root key center 400 through a local quantum random number generator thereof;
the root key center 400 is configured to receive the first message and generate a second message for sending to the quantum security device 100; the second message includes a first cipher text obtained by the root key center 400 by randomly selecting one of the preset first root key groups as a first key, encrypting a first random number by the first key, a second cipher text obtained by encrypting a second random number generated by the root key center 400, and a first key index corresponding to the first key; receiving the first authentication information, the second key index and the third ciphertext, determining a decryption key in a preset first root key group according to the second key index to decrypt the third ciphertext, checking whether the decrypted third ciphertext is the same as a second random number, generating second authentication information based on the check result and the first authentication information, and sending the second authentication information to the base station 200; when the verification result and the first authentication information are both identified to be the same, the second authentication information is identified to be authenticated; when the first authentication information mark is not passed, the verification of the third ciphertext is not needed subsequently, so that the program steps are saved; the first authentication information is identified as not passing, which indicates that the authentication between the quantum security device 100 and the root key center 400 is not passing, and the base station 200 does not perform further key downloading operation;
the base station 200 is configured to receive the second authentication information, download the first root key group from the root key center 400 when the second authentication information is identified as authentication pass, and send the acquisition result information of the first root key group to the vector sub security device 100; in the above process of the quantum security device 100 interacting with the root key center 400, the base station 200 is further configured to transmit key data between the quantum security device 100 and the root key center 400, where the key data includes one or more of the first message, the second message, the first authentication information, the second key index, and the third ciphertext.
After both the quantum security device 100 and the root key center 400 successfully check the random numbers generated by themselves, the generated second authentication information is identified as passing the authentication, and at this time, the base station 200 is allowed to download the first root key group from the root key center 400;
the random numbers generated in the authentication process are obtained by the two parties from the inside in real time, and the two parties cannot know the random numbers in advance and are difficult to counterfeit; the encryption key is selected from a pre-configured root key group, external unsafe equipment is difficult to directly acquire the information of the root key group, only the index of the encryption key is transmitted in the authentication process, the key cannot be leaked even if the encryption key is acquired externally, and further the generated random number cannot be decrypted and verified through a correct key in the subsequent authentication process; therefore, by generating a random number, combining a mutual encryption and decryption check of both sides, and performing double authentication between the quantum security device 100 and the root key center 400, the security and reliability of the synchronization of the root key group between the base station 200 and the root key center 400 can be greatly improved.
In a scenario where the quantum security device 100 is disconnected from the base station 200 and subsequently re-accesses the base station 200, the quantum security device 100 is further configured to acquire a base station IP and send an access request to the base station according to the base station IP; acquiring a current network access ID and a third random number to be sent to the base station 200; receiving a third message from the base station 200, where the third message includes a fourth cipher text obtained by the base station 200 by encrypting a third random number with a third key selected from the downloaded first root key group, a fifth cipher text obtained by encrypting the fourth random number generated by the base station 200 with the third key, and a third key index corresponding to the third key generated by the base station 200;
the quantum security device 100 determines a decryption key from the second root key group according to the third key index, decrypts the fourth ciphertext to obtain a fourth plaintext, decrypts the fifth ciphertext to obtain a fifth plaintext, verifies whether the fourth plaintext is the same as the third random number, and generates third authentication information for sending to the base station 200 based on the verification result; selecting any one of the other keys from a preset second root key group as a fourth key, generating a fourth key index corresponding to the fourth key, encrypting a fifth plaintext to form a sixth ciphertext, and sending the fourth key index, the sixth ciphertext and third authentication information to the base station 200; receiving an updated network access ID from the base station 200, replacing the current network access ID with the updated network access ID, and accessing the base station 200 by updating the network access ID;
the above manner of acquiring the base station IP by the quantum security device 100 may be specifically acquired by the base station extranet server 500, where the base station extranet server 500 is configured to receive a base station request message from the quantum security device 100, and return a base station IP address according to the base station request message; when the current network access ID in this scenario is first accessed to the base station 200 by the quantum security device 100, the base station 200 allocates it; the obtaining mode and type of the third random number and the fourth random number are the same as those of the first random number and the second random number, which are not described herein;
the base station 200 is further configured to receive the current network access ID and the third random number, determine a storage location of the downloaded root key according to the current network access ID, and generate a third message for sending to the quantum security device 100; receiving a fourth key index, a sixth ciphertext and third authentication information; determining a decryption key from the downloaded root key group according to the fourth key index, decrypting the sixth ciphertext to obtain a sixth plaintext, verifying whether the sixth plaintext is the same as the fourth random number, and allowing the quantum security device 100 to access and carrying an updated network access ID redistributed to the quantum security device 100 by the base station when the verification result and the third authentication information are both identified to be the same; that is, when the quantum security device 100 accesses the base station 200 again, the base station 200 reassigns the network access ID to the quantum security device 100, and the quantum security device 100 accesses the base station 200 again through the newly assigned network access ID.
Since the connection has been established between the quantum security device 100 and the root key center 400, the corresponding root key group in the quantum security device 100 is synchronized in the base station 200 connected before; meanwhile, the base station 200 may be connected with more than one quantum security device 100, so that root key groups corresponding to multiple quantum security devices 100 are stored in the base station 200, and each root key group may establish a corresponding relationship with the current network access ID of the quantum security device 100.
In the subsequent access process of the quantum security device 100 and the base station 200, the two parties respectively generate corresponding random numbers, then the random numbers generated by the other party are mutually encrypted through a root key in a preset root key group, and after decryption, whether the respective random numbers are the same or legal is verified, the random numbers and the encryption keys in the process are difficult to obtain and know in advance, and the security and the reliability of the subsequent quantum security device 100 when the quantum security device 100 is accessed to the base station 200 again are greatly improved by combining the double authentication of the quantum security device 100 and the base station 200.
The root key center 400 is further configured to delete the first key corresponding to the first key index in the first root key group stored in the vector child security device 100 after the vector child security device 100 sends the first key index;
the quantum security device 100 is further configured to, after sending the second key index to the root key center, perform a deletion operation on a second key corresponding to the second key index in a second root key group stored in the root key center, and after sending the fourth key index to the base station, perform a deletion operation on a fourth key corresponding to the fourth key index in the root key group stored in the root key group;
the base station 200 is further configured to, after the vector sub security device sends the third key index, perform a deletion operation on a third key corresponding to the third key index in the first root key group downloaded under the vector sub security device;
namely, after the first key, the second key, the third key and the fourth key are all used, the first key, the second key, the third key and the fourth key are deleted from the corresponding root key group; so as to avoid subsequent repeated use or leakage and reduce safety.
The system further comprises a DNS server 600, wherein the DNS server 600 is configured to receive an address query request from the quantum security device 100, and send an IP address of an external network base station server to the quantum security device 100 according to the address query request, and the quantum security device 100 is further configured to send a base station request message to the external network base station server 500 according to the IP address of the external network base station server; namely, when accessing the base station, the domain name can be input, the domain name is resolved by the DNS server 600, the vector sub security device 100 returns the IP address of the base station external network server, and then the subsequent operation is performed, so that the user can use the domain name flexibly according to the needs.
When the quantum security device 100 first accesses the base station 200 or accesses the base station 200 again after being reset by a factory, the method specifically includes the following steps: wherein, the first random number is a random number s, and the second random number is a random number v;
s101: the quantum security device 100 sends an address query request to the DNS server 600;
s102: the DNS server 600 sends the IP address of the base station extranet server to the child security device 100 according to the address query request;
s103: the quantum security device 100 sends a base station request message to the extranet base station server 500 according to the extranet base station server IP address;
s104: the base station extranet server 500 receives the base station request message from the quantum security device 100, and returns a base station IP address according to the base station request message;
in steps S101 to S104, the quantum security device 100 finds the base station extranet server 500 through the DNS server 600, and then obtains the base station IP address to be accessed through the base station extranet server 500, where interaction between the quantum security device 100 and the DNS server 600 is an unnecessary link, and in practical application, the access may also be performed by directly inputting the base station IP address;
s105: the quantum security device 100 receives a base station IP address, and sends an access request and a first message to the base station 200 according to the base station IP address, wherein the first message carries a device ID corresponding to the quantum security device 100 and a random number s acquired from local;
s106: the base station 200 receives the first message, sends authentication request information to the authentication center 300, and carries the device ID in the first message;
s107: the authentication center 300 receives the device ID, checks whether the device ID is in a security device list which can pass authentication according to the device ID, judges whether the quantum security device 100 is allowed to access, and returns first access authentication result information to the base station 200 according to an authentication result;
s108: the base station 200 receives the first access authentication result information from the authentication center 300, and sends a first message to the root key center 400 if the first access authentication result information is identified as authentication success, and sends the first access authentication result information to the quantum security device 100 if the authentication result information is identified as authentication failure;
s109: if the root key center 400 receives a first message from the base station 200, the storage location of the corresponding root key group is determined according to the device ID in the first message, if the root key group exists, a random number v is obtained locally, one of the first root key group is selected as a first key, a first ciphertext is obtained by encrypting a random number s through the first key, a second ciphertext is obtained by encrypting the random number v, a first key index corresponding to the first key is generated to form a second message, and the second message is sent to the base station 200; if the root key group does not exist, the authentication is not passed, and the root key center authentication result information is generated and sent to the base station 200;
s110: the base station 200 receives the second message and the authentication result information of the root key center from the root key center 400, and sends the second message and the authentication result information of the root key center to the quantum security device 100;
s111: the quantum security device 100 receives the second message and the authentication result information of the root key center, determines a key for decryption in a preset second root key group according to the first key index when the authentication result information of the root key center 400 is identified as pass, decrypts the first ciphertext to form a first plaintext, decrypts the second ciphertext to form a second plaintext, verifies whether the first plaintext is the same as the random number s of the first plaintext, generates first authentication information based on the verification result, selects any one of other random numbers from the preset second root key group as a second key, generates a second key index corresponding to the second key, encrypts the second plaintext through the second key to generate a third ciphertext, and sends the first authentication information, the second key index and the third ciphertext to the base station 200;
when the authentication result information of the root key center is marked as failed, the subsequent steps are not executed;
s112: the base station 200 receives the first authentication information, the second key index and the third ciphertext from the quantum security device 100, and sends the first authentication information, the second key index and the third ciphertext to the root key center 400;
s113: the root key center 400 receives the first authentication information, the second key index and the third ciphertext; determining a decryption key in a preset first root key group according to the second key index to decrypt a third ciphertext, verifying whether the decrypted third ciphertext is the same as the random number v of the third ciphertext, generating second authentication information based on the verification result and the first authentication information, and sending the second authentication information to the base station 200, if the root key center 400 passes the second authentication information identifier, allowing the base station 200 to download the first root key group, otherwise, refusing the base station 200 to download the first root key group; when the check result and the first authentication information are both identified to be the same, the second authentication information is identified to pass the authentication, otherwise, the second authentication information is identified to not pass the authentication; the process further improves the safety in the authentication process in a double verification mode;
s114: the base station 200 receives the second authentication information from the root key center 400, and downloads the first root key group from the root key center 400 when the second authentication information is identified as authentication pass, and the vector sub security device 100 sends the first root key group acquisition result information;
the quantum security device 100 receives the first root key group acquisition result information, and identifies whether the base station 200 and the root key center 400 complete the synchronization operation of the root key according to the first root key group acquisition result information.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (9)

1. A method for quantum safety equipment to access a base station is characterized in that: the method comprises the following steps:
the quantum security device acquires a base station IP address, sends access request information to a base station according to the base station IP address and carries a device ID;
the base station receives the access request information and sends authentication request information carrying the equipment ID to a verification end;
the base station receives first access authentication result information from the verification end, and when the first access authentication result information is identified as successful authentication, the quantum security equipment is allowed to access the base station; and if the equipment ID is in the safety equipment list of the verification end, the generated first access authentication result information is identified as authentication success, otherwise, the generated first access authentication result information is identified as authentication failure.
2. The method for the quantum security device to access the base station according to claim 1, wherein: the method for the quantum security device to acquire the IP address of the base station comprises the following steps:
the quantum security equipment sends a base station request message to a base station extranet server;
and the base station extranet server receives the base station request message, allocates a base station for the quantum security equipment according to the access condition and the load condition of the current base station and returns a base station IP address corresponding to the base station to the quantum security equipment.
3. The method for the quantum security device to access the base station according to claim 1 or 2, wherein: before the quantum security device accesses the base station, the following operations are also executed:
a root key center acquires a root key group to be distributed to the quantum security device and distributes the root key group to the quantum security device;
after the quantum security device is accessed to the base station, the following operations are also executed:
when the quantum security device sends access request information to the base station, the access request information also carries first verification information;
the root key center receives first verification information from the quantum security equipment, determines whether a root key group exists according to equipment ID in the first verification information, and generates second verification information when the root key group exists; selecting one from a root key group of the root key center as a first key, encrypting the first verification information through the first key to form a first ciphertext, encrypting the second verification information to generate a second ciphertext, and sending the first ciphertext, the second ciphertext and a first key index for determining the first key to the quantum security equipment;
the quantum security equipment receives a first ciphertext, a second ciphertext and a first key index, determines a first key according to the first key index to decrypt the first ciphertext and check whether the first ciphertext is identical to first verification information or not, selects one from a root key group stored in the quantum security equipment as a second key when a check result is identical, encrypts second verification information through the second key to form a third ciphertext, and sends the third ciphertext and the second key index for determining the second key to the base station, wherein the second key is different from the first key;
the base station receives the third ciphertext and the second key index and sends the third ciphertext and the second key index to the root key center;
the root key center receives the third ciphertext and the second key index, determines a second key according to the second key index to decrypt the third ciphertext and verify whether the third ciphertext is the same as second verification information or not to generate root key center authentication result information, and sends root key group storage position information corresponding to the quantum security device to the base station when the root key center authentication result information is identified as authentication passing;
and the base station receives the authentication result information of the root key center and the storage position information of the root key group, downloads the root key group corresponding to the quantum security equipment from the root key center according to the storage position information of the root key group, and returns the acquisition result information of the root key group to the quantum security equipment.
4. A method for accessing a quantum security device to a base station is applied to a scene that the quantum security device is disconnected with the base station and then is accessed to the base station again, and is characterized in that: the method comprises the following steps:
the quantum security device sends the access request information to the base station again according to the IP address of the base station, wherein the access request information carries a device ID, a current network access ID and third verification information;
the base station sends authentication request information to the authentication center again, the base station judges whether the current network access ID exists in the distribution record of the base station, and generates an updated network access ID for the quantum security device when the network access ID exists in the distribution record;
the authentication center determines whether the equipment ID is in a safety equipment list according to the equipment ID in the access request information to generate non-primary access authentication result information, and returns the non-primary access authentication result information to the base station;
if the base station identifies that the non-first-time access authentication result information is successfully authenticated, generating fourth authentication information, searching a root key group stored in the base station according to the received equipment ID, selecting one of the root key groups stored in the base station as a third key, encrypting the third authentication information through the third key to form a fourth ciphertext, encrypting the fourth authentication information to generate a fifth ciphertext, and regenerating a third key index corresponding to the third key; sending a fourth ciphertext, a fifth ciphertext, and a third key index to the quantum security device;
the quantum security device receives a fourth ciphertext, a fifth ciphertext and a third key index, determines a third key in a root key group stored in the quantum security device according to the third key index to decrypt the fourth ciphertext and check whether the third ciphertext is the same as third verification information or not to generate first verification result information, selects one of the root key group stored in the quantum security device as a fourth key when the first verification result information is the same in identification, generates a fourth key index corresponding to the fourth key, encrypts the fourth verification information through the fourth key to form a sixth ciphertext, and sends the sixth ciphertext and the fourth key index to the base station, wherein the fourth key is different from the third key;
the base station receives the sixth ciphertext and the fourth key index, determines a fourth key in a root key group stored in the base station according to the fourth key index to decrypt the sixth ciphertext and check whether the sixth ciphertext is the same as fourth verification information or not to generate second verification result information, and sends an access completion message to the quantum security device when the second verification result information is identified as the same, wherein the access completion message carries an updated network access ID;
and the quantum security equipment receives the access completion message and is connected with the base station through the updated network access ID in the access completion message.
5. The method for the quantum security device to access the base station according to claim 4, wherein: the first authentication information includes a first random number generated by the quantum security device, the second authentication information includes a second random number generated by the root key center, the third authentication information includes a third random number generated by the quantum security device, and the fourth authentication information includes a fourth random number generated by the base station.
6. The method for quantum security device to access base station as claimed in claim 4, characterized in that: the first random number, the second random number, the third random number and the fourth random number are quantum true random numbers.
7. The method for accessing the base station by the quantum security device as claimed in claim 3, wherein: the base station also allocates a network access ID to the quantum security device after recognizing that the first access authentication result information is successfully authenticated; the authentication center also records the network access ID.
8. A system for quantum safety equipment to access a base station is characterized in that: the system comprises quantum security equipment, a base station and an authentication center;
the quantum security device is used for acquiring a base station IP address and sending access request information to the base station according to the base station IP address, wherein the access request information carries a device ID;
the base station is used for receiving the access request information, sending the equipment ID to the authentication center, receiving first access authentication result information from the authentication center, and allowing the quantum security equipment to access the base station when the first access authentication result information is identified as successful authentication;
the authentication center is used for receiving the equipment ID from the base station and generating first access authentication result information which is used for being sent to the base station, the first access authentication result information is generated according to whether the equipment ID is in a safety equipment list of the authentication center, if the equipment ID is in the safety equipment list of the authentication center, the generated first access authentication result information is identified as authentication success, and if not, the generated first access authentication result information is identified as authentication failure.
9. The system for accessing the quantum security device to the base station according to claim 8, wherein: the system also comprises a base station extranet server and a DNS server;
the base station external network server is used for receiving a base station request message from the quantum security equipment and distributing a base station to the quantum security equipment according to the access condition and the load condition of the current base station to return a base station IP address corresponding to the base station;
the DNS server is used for receiving an address query request from the quantum security equipment and sending an IP address of a base station extranet server to the quantum security equipment according to the address query request;
the quantum security device is also used for receiving an IP address of the base station extranet server and connecting the base station extranet server according to the IP address of the base station extranet server.
CN202210875414.3A 2022-07-25 2022-07-25 Method and system for quantum security device to access base station Pending CN115276974A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210875414.3A CN115276974A (en) 2022-07-25 2022-07-25 Method and system for quantum security device to access base station

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210875414.3A CN115276974A (en) 2022-07-25 2022-07-25 Method and system for quantum security device to access base station

Publications (1)

Publication Number Publication Date
CN115276974A true CN115276974A (en) 2022-11-01

Family

ID=83769065

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210875414.3A Pending CN115276974A (en) 2022-07-25 2022-07-25 Method and system for quantum security device to access base station

Country Status (1)

Country Link
CN (1) CN115276974A (en)

Similar Documents

Publication Publication Date Title
CN106357649B (en) User identity authentication system and method
CN111050314B (en) Client registration method, device and system
CN107800539B (en) Authentication method, authentication device and authentication system
CN108683501B (en) Multiple identity authentication system and method with timestamp as random number based on quantum communication network
CN106603485A (en) Secret key negotiation method and device
CN100512201C (en) Method for dealing inserted-requested message of business in groups
CN108809633B (en) Identity authentication method, device and system
CN108650028B (en) Multiple identity authentication system and method based on quantum communication network and true random number
CN101605137A (en) Safe distribution file system
CN109525565B (en) Defense method and system for short message interception attack
CN108183798A (en) Real name identification method, server, mobile terminal and the readable storage medium storing program for executing of application
CN108632042A (en) A kind of class AKA identity authorization systems and method based on pool of symmetric keys
CN110493162A (en) Identity identifying method and system based on wearable device
CN102264068B (en) Shared key consultation method, system, network platform and terminal
CN113572788A (en) BACnet/IP protocol equipment authentication safety method
CN108206738B (en) Quantum key output method and system
CN111756530B (en) Quantum service mobile engine system, network architecture and related equipment
CN103152326A (en) Distributed authentication method and authentication system
CN100499453C (en) Method of the authentication at client end
CN106209384B (en) Use the client terminal of security mechanism and the communication authentication method of charging unit
CN114765543A (en) Encryption communication method and system of quantum cryptography network expansion equipment
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN108737087B (en) Protection method for mailbox account password and computer readable storage medium
JP2001344214A (en) Method for certifying terminal and cipher communication system
CN102014136B (en) Peer to peer (P2P) network secure communication method based on random handshake

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination