CN115276975A - Method and system for changing access base station of quantum security equipment - Google Patents


Info

Publication number
CN115276975A
Authority
CN (China)
Prior art keywords
base station, key, quantum security, security device, encrypted data
Legal status
Pending
Application number
CN202210875431.7A
Other languages
Chinese (zh)
Inventors
傅波海
杨鸽
张仕峰
Current Assignee
Matrix Time Digital Technology Co Ltd
Original Assignee
Matrix Time Digital Technology Co Ltd
Application filed by Matrix Time Digital Technology Co Ltd
Priority to CN202210875431.7A
Publication of CN115276975A

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                            • H04L 9/0852 Quantum cryptography
                        • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                            • H04L 9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/03 Protecting confidentiality, e.g. by encryption
                    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
                        • H04W 12/041 Key generation or derivation
                    • H04W 12/06 Authentication
                        • H04W 12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method and a system by which a quantum security device changes its access base station. When the quantum security device changes the first base station it is accessing to a second base station, it first acquires the IP address of the second base station and sends an access request to the second base station at that IP address; the access request carries a device ID, a network access ID and a first random number. The random number is then forwarded to the first base station accessed before, which selects one key from its stored key set and encrypts the random number with it to form encrypted data; the quantum security device decrypts the encrypted data and authenticates by verifying whether the decrypted data is the same as the random number it generated. Because the random number generated in this process is difficult for an outside party to counterfeit, a device that has not been connected before finds it difficult to pass authentication, and the security and reliability of the subsequent key set synchronization between the base stations are improved in a simple and efficient way.

Description

Method and system for changing access base station of quantum security equipment
Technical Field
The invention relates to the technical field of information security, and in particular to a method and a system by which a quantum security device changes its access base station.
Background
Information security is a dynamic balance in the continuous game between attackers and defenders. Because of the importance of information and information infrastructure in modern society, information security plays an increasingly important role. As information security requirements rise, quantum encryption technology has gradually entered public view, and it can provide better confidentiality guarantees.
For example, in quantum key encryption technology, a security key generated by quantum key distribution can be used either in the one-time pad mode, which is unconditionally secure in principle, or in combination with a classical symmetric encryption algorithm, so that both security and communication rate are taken into account.
Various quantum security devices developed on the principles of quantum encryption technology have gradually been applied in fields such as government networks, smart cities, large data centers, smart cars and rail transit. When installed, a quantum security device needs to communicate over the network with external devices such as a base station, a server and an authentication center. After the quantum security device has accessed a base station, further operations such as key synchronization and relay are required. The related art has no mature solution for securely authenticating the quantum security device when it changes from one accessed base station to another. If an unsafe device joins the network while the quantum security device is changing its access base station, serious security risks can follow; therefore the security of the quantum security device when changing its currently accessed base station, and the reliability of the subsequent key transmission between the old and the new base station, need to be further improved.
Disclosure of Invention
To solve these problems, the invention discloses a method and a system by which a quantum security device changes its access base station.
The application provides a method for changing an access base station by quantum security equipment, which is applied to a scene that the quantum security equipment changes the access base station from a first base station to a second base station, and comprises the following steps:
the quantum security device acquires an IP address of a second base station, and sends an access request to the second base station according to the IP address, wherein the access request carries a device ID, a network access ID and a first random number;
the second base station receives the access request and sends authentication request information carrying the device ID to an authentication terminal;
the authentication terminal receives the authentication request information, generates authentication result information according to the device ID carried in the authentication request information, and returns the authentication result information to the second base station;
and the second base station receives the authentication result information and determines, according to it, whether the quantum security device is allowed to switch from the first base station to the second base station.
Further, before the quantum security device switches from the first base station to the second base station, the same key set is synchronized in the first base station and the quantum security device, and after the quantum security device switches from the first base station to the second base station, the following operations are further performed:
the second base station sends a network access ID and a first random number to the first base station;
the first base station searches for a key set according to the network access ID; when the key set exists, it generates a second random number, selects one key from the key set in the first base station as a first key, encrypts the first random number with the first key to form first encrypted data, encrypts the second random number to generate second encrypted data, and sends the first encrypted data, the second encrypted data and a first key identifier carrying the first key index information to the quantum security device through the second base station;
the quantum security device receives the first encrypted data, the second encrypted data and the first key identifier, determines the first key according to the first key identifier, decrypts the first encrypted data and verifies whether the decrypted data is identical to the first random number; when they are identical, it selects one key from the key set stored in the quantum security device as a second key, encrypts the second random number with the second key to form third encrypted data, and sends the third encrypted data and a second key identifier carrying the second key index information to the second base station, wherein the second key is different from the first key;
the second base station receives the third encrypted data and the second key identification, and sends the third encrypted data and the second key identification to the first base station;
the first base station receives the third encrypted data and the second key identifier, determines the second key in its stored key set according to the second key identifier, decrypts the third encrypted data and verifies whether the decrypted data is the same as the second random number, generating verification result information; when the verification result information indicates that verification passed, it transmits the key set to the second base station;
and the second base station sends key set acquisition result information to the quantum security device.
Further, the quantum security device obtains the IP address of the second base station through the first base station.
The application also provides a system by which a quantum security device changes its access base station, comprising the quantum security device, a first base station, an authentication center and a second base station, wherein the quantum security device and the first base station are preset with the same key set;
the first base station is used for sending the IP address of the second base station to the quantum security device;
the quantum security device is used for receiving the IP address and sending an access request and a device ID corresponding to the quantum security device to the second base station according to the IP address;
the second base station is used for receiving the access request and the device ID and sending the device ID to the authentication center, and for receiving authentication result information from the authentication center and determining whether to respond to the access request according to that information;
the authentication center is used for storing a security device list, receiving a device ID sent by the quantum security device, checking whether the device ID is in the security device list, generating authentication result information, and sending the authentication result information to the second base station.
Further, the quantum security device is further configured to generate a first random number for sending to the first base station, receive key data from the first base station, where the key data carries first encrypted data obtained by encrypting the first random number with a first key and a first key identifier for indicating an index position of the first key, and determine, according to the first key identifier, a first key to decrypt the first encrypted data and verify whether the first encrypted data is the same as the first random number and generate quantum security device verification result information for sending to the first base station;
the first base station is used for receiving the first random number; generating key data for transmission to the quantum security device; and receiving the quantum security device check result information and determining, according to it, whether to allow transmission of the key set to the second base station.
Further, the first base station is further configured to generate a second random number and encrypt it with the first key to obtain second encrypted data; to receive a second key identifier and third encrypted data from the quantum security device, look up the second key in the key set stored in the first base station according to the second key identifier, decrypt the third encrypted data and verify whether the decrypted third encrypted data is the same as the second random number; and to decide whether to allow transmission of the key set to the second base station based on this verification result and the received quantum security device verification result information: if both indicate a match, transmission of the key set to the second base station is allowed, otherwise it is refused;
the quantum security device is further configured to receive the second encrypted data, look up the first key in its stored key set according to the first key identifier, decrypt the second encrypted data to obtain the second random number, select another key from the stored key set as the second key, generate a second key identifier carrying the index information of the second key, encrypt the second random number with the second key to generate third encrypted data, and send the second key identifier and the third encrypted data to the first base station.
Further, the second base station is specifically configured to transmit, between the quantum security device and the first base station: one or more of the first random number, the key data, the verification result information, the second encrypted data, the second key identification, and the third encrypted data.
Furthermore, the quantum security device, the first base station and the second base station each contain a true random number generator; the first random number is obtained by the quantum security device from its local true random number generator, and the second random number is obtained by the first base station from its local true random number generator.
Further, the quantum security device is further configured to send a network access ID to the second base station; the second base station is also used for receiving the network access ID and sending the network access ID to the first base station; and the first base station is also used for determining whether a corresponding key set in the quantum security device exists according to the network access ID.
Compared with the prior art, the invention has the following beneficial effects. The method ensures that the quantum security device can be switched safely and quickly from the first base station to the second base station. The system comprises the quantum security device, a first base station, an authentication center and a second base station. After the quantum security device has accessed the second base station, it obtains a local random number and sends it to the first base station it accessed previously; the first base station selects one key from its stored key set as the first key, encrypts the random number generated by the quantum security device with it to form encrypted data, and returns the encrypted data to the quantum security device; the quantum security device determines the decryption key in its own stored key set according to the key identifier, decrypts the encrypted data and verifies whether the result is the same as the random number it generated, so that the key synchronization between the second base station and the first base station is authenticated. The random numbers generated in this process are difficult for an outside party to counterfeit, and the encryption keys are selected from the key set synchronized between the quantum security device and the first base station, so when the keys of the two sides do not correspond, subsequent verification is hard to pass. Therefore a device that has not been connected before finds it difficult to pass authentication, and the security and reliability of the subsequent key set synchronization between base stations are improved in a simple and efficient way.
Drawings
Fig. 1 is a timing diagram of a quantum security device changing an access base station in an embodiment of the present application;
Fig. 2 is a system block diagram of a quantum security device changing an access base station in an embodiment of the present application;
Fig. 3 is a schematic flowchart of a process of changing an access base station by a quantum security device in an embodiment of the present application;
Fig. 4 is a schematic flowchart of another process of changing an access base station by a quantum security device in an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the accompanying drawings, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Example 1: a method for changing an access base station by a quantum security device is applied to a scene that the quantum security device changes the access base station from a first base station to a second base station, and comprises the following steps:
the quantum security device acquires an IP address of a second base station, and sends an access request to the second base station according to the IP address, wherein the access request carries a device ID, a network access ID and a first random number. In this step, when the quantum security device prepares to switch from the first base station to the second base station, the IP address of the second base station to be switched to is sent to the quantum security device through the first base station. In a possible implementation, the quantum security device may obtain the IP address of the second base station through a base station server: for example, the base station server may allocate a base station to the quantum security device according to an allocation policy such as the load and distance of each base station, and send the IP address of that base station to the quantum security device. The IP address of the second base station can also be entered manually. To improve the security of the first random number in transit, it can be encrypted with a key before being sent, and that key can be one synchronized between the quantum security device and the first base station;
the second base station receives the access request and sends authentication request information carrying the equipment ID to an authentication end;
the authentication terminal receives the authentication request information, generates authentication result information according to the device ID carried in it, and returns the authentication result information to the second base station; specifically, the authentication terminal judges, according to the security device list it stores, whether the device ID carried in the authentication request is in that list; if so, the generated authentication result information is marked as authentication success, otherwise as authentication failure;
and the second base station receives the authentication result information and determines, according to it, whether the quantum security device is allowed to switch from the first base station to the second base station; specifically, the quantum security device is allowed to access the second base station when the authentication result information is marked as authentication success.
Before the quantum security device switches from the first base station to the second base station, the same key set is synchronized in the first base station and the quantum security device, and after the quantum security device has switched from the first base station to the second base station, the following operations are further performed:
the second base station sends a network access ID and a first random number to the first base station;
the first base station searches for a key set according to the network access ID; when the key set exists, it generates a second random number, selects one key from the key set in the first base station as a first key, encrypts the first random number with the first key to form first encrypted data, encrypts the second random number to generate second encrypted data, and sends the first encrypted data, the second encrypted data and a first key identifier carrying the first key index information to the quantum security device through the second base station;
the quantum security device receives the first encrypted data, the second encrypted data and the first key identifier, determines the first key according to the first key identifier, decrypts the first encrypted data and verifies whether the decrypted data is identical to the first random number; when they are identical, it selects one key from the key set stored in the quantum security device as a second key, encrypts the second random number with the second key to form third encrypted data, and sends the third encrypted data and a second key identifier carrying the second key index information to the second base station, wherein the second key is different from the first key so as to avoid repeating the encryption verification with the same key;
the second base station receives the third encrypted data and the second key identification, and sends the third encrypted data and the second key identification to the first base station;
the first base station receives the third encrypted data and the second key identifier, determines the second key in its stored key set according to the second key identifier, decrypts the third encrypted data and verifies whether the decrypted data is the same as the second random number, generating verification result information; when the verification result information indicates that verification passed, it transmits the key set to the second base station;
and the second base station sends key set acquisition result information to the quantum security equipment.
In the above process of selecting the first key and the second key, the keys may be selected in sequence, such as storage sequence or time sequence.
In this embodiment, when the quantum security device 100 changes its accessed first base station 200 to the second base station 300, the method specifically includes the following steps; in these steps the generated first random number is denoted random number A and the generated second random number is denoted random number B:
s101: the second base station 300 sends the IP address of the second base station 300 to the quantum security device 100;
s101: the quantum security device 100 sends an access request to the second base station 300 according to the IP address, where the access request carries a device ID, a network access ID, and a random number A obtained from its local true random number generator;
s102: the second base station 300 receives the access request and sends authentication request information carrying the device ID to the authentication center 400;
s103: the authentication center 400 receives the authentication request information and verifies whether the device ID carried in it is in the security device list, generating authentication result information; if the device ID is in the security device list the authentication result information is marked as authentication success, otherwise as authentication failure; the authentication center then returns the authentication result information to the second base station 300;
s104: the second base station 300 receives the authentication result information from the authentication center 400; if it is marked as authentication success, the quantum security device is allowed to access, and the second base station sends the network access ID and random number A to the first base station 200; if it is marked as authentication failure, the authentication result information is sent to the quantum security device 100, the quantum security device 100 is refused access, and the subsequent steps are not executed;
s105: the first base station 200 receives the network access ID and random number A, and searches for the storage position of the corresponding key set according to the device ID. If a key set exists, it obtains random number B from its local true random number generator, selects one key of the found key set as the first key, encrypts random number A with the first key to obtain first encrypted data, encrypts random number B to obtain second encrypted data, generates a first key identifier recording the first key index information, and sends the first encrypted data, the second encrypted data and the first key identifier to the second base station 300. If no key set corresponding to the device ID is found, authentication by the first base station 200 has not passed; the first base station generates information indicating this and sends it to the quantum security device 100 through the second base station 300;
s106: the second base station 300 receives the first encrypted data, the second encrypted data and the first key identification from the first base station 200, and sends the first encrypted data, the second encrypted data and the first key identification to the quantum security device 100;
s107: after receiving the first encrypted data, the second encrypted data and the first key identifier, the quantum security device 100 determines the decryption key in its stored key set according to the first key identifier, decrypts the first encrypted data to obtain a first plaintext and the second encrypted data to obtain a second plaintext, and verifies whether the first plaintext is the same as its own random number A; when they are the same, it selects any one of the other keys stored in the quantum security device 100 as the second key, generates a second key identifier carrying the second key index information, encrypts the second plaintext with the second key to generate third encrypted data, and sends the second key identifier and the third encrypted data to the second base station 300;
s108: the second base station 300 receives the second key identifier and the third encrypted data from the quantum security device 100, and sends the second key identifier and the third encrypted data to the first base station 200;
s109: the first base station 200 receives the second key identifier and the third encrypted data, determines the decryption key in the key set stored in the first base station 200 according to the second key identifier, decrypts the third encrypted data and verifies whether the result is the same as the random number B of the first base station 200; when they are the same, it transmits the key set corresponding to the quantum security device 100 to the second base station 300, and when they differ it refuses to let the second base station 300 download the key set;
s110: the second base station 300 transmits key set acquisition result information to the quantum security device 100.
The key set acquisition result information is used to indicate whether the second base station 300 has completed the transmission of the key set with the first base station 200.
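The handover of steps s101 to s110, as an added Python simulation that is not part of the patent: the quantum security device, the first base station and the authentication center are modelled as classes and the second base station as the relaying function, while the XOR-with-SHA-256 keystream, the 32-byte key and random-number sizes, and the retiring of keys once used are assumptions standing in for the deployment's cipher and quantum key set. It also exercises the refusals the text describes: a device ID outside the security device list, no key set for the network access ID, a device whose key set does not match, and a second key identical to the first.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

KEY_LEN = 32  # constructed: every quantum key and random number is 32 bytes


def keystream_encrypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` under one quantum key by XOR with a SHA-256 keystream
    (assumption: stand-in for the deployment's cipher; the label separates the two
    messages the first key protects). KEY_LEN equals the digest length."""
    stream = hashlib.sha256(key + label).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


def make_key_set(n: int) -> list:
    return [os.urandom(KEY_LEN) for _ in range(n)]  # stand-in for QKD-generated keys


@dataclass
class AuthCenter:
    """Authentication center 400: holds the security device list (s103)."""
    security_device_list: frozenset

    def authenticate(self, device_id: str) -> bool:
        return device_id in self.security_device_list


@dataclass
class FirstBaseStation:
    """First base station 200: one synchronized key set per network access ID."""
    key_sets: dict                                 # access_id -> list of keys
    _pending: dict = field(default_factory=dict)   # access_id -> (idx1, random B)
    _next: dict = field(default_factory=dict)      # access_id -> next unused index

    def challenge(self, access_id: str, random_a: bytes):
        """s105: encrypt A and a fresh B under the first key. None when no key set
        exists for the network access ID (or it is used up and needs replenishing)."""
        key_set = self.key_sets.get(access_id)
        idx1 = self._next.get(access_id, 0)        # keys selected in storage order
        if key_set is None or idx1 >= len(key_set):
            return None
        random_b = os.urandom(KEY_LEN)             # local true random number generator
        self._pending[access_id] = (idx1, random_b)
        c1 = keystream_encrypt(key_set[idx1], b"A", random_a)
        c2 = keystream_encrypt(key_set[idx1], b"B", random_b)
        return c1, c2, idx1

    def verify_response(self, access_id: str, idx2: int, c3: bytes):
        """s109: decrypt C3 under the second key and compare with B. Returns the key
        set to hand to the second base station, or None to refuse the download."""
        idx1, random_b = self._pending.pop(access_id)
        key_set = self.key_sets[access_id]
        if idx2 == idx1 or not 0 <= idx2 < len(key_set):
            return None                            # second key must differ from first
        plain = keystream_encrypt(key_set[idx2], b"B", c3)
        if not hmac.compare_digest(plain, random_b):
            return None
        self._next[access_id] = idx2 + 1           # assumption: used keys are retired
        return key_set


@dataclass
class QuantumSecurityDevice:
    """Quantum security device 100 holding the key set synchronized with station 200."""
    device_id: str
    access_id: str
    key_set: list
    random_a: bytes = b""

    def access_request(self):
        """s101: device ID, network access ID and random number A."""
        self.random_a = os.urandom(KEY_LEN)
        return self.device_id, self.access_id, self.random_a

    def respond(self, c1: bytes, c2: bytes, idx1: int):
        """s107: check A, recover B, re-encrypt B under a different key."""
        k1 = self.key_set[idx1]
        if not hmac.compare_digest(keystream_encrypt(k1, b"A", c1), self.random_a):
            return None
        random_b = keystream_encrypt(k1, b"B", c2)
        idx2 = (idx1 + 1) % len(self.key_set)      # next key in storage order
        return idx2, keystream_encrypt(self.key_set[idx2], b"B", random_b)


def change_base_station(device, first_bs, auth_center):
    """Second base station 300 relaying s101-s110; returns (key set or None, reason)."""
    device_id, access_id, random_a = device.access_request()         # s101
    if not auth_center.authenticate(device_id):                      # s102-s104
        return None, "authentication failed"
    chal = first_bs.challenge(access_id, random_a)                   # s104-s106
    if chal is None:
        return None, "first base station authentication not passed"
    resp = device.respond(*chal)                                     # s107
    if resp is None:
        return None, "device verification failed"
    key_set = first_bs.verify_response(access_id, *resp)             # s108-s109
    if key_set is None:
        return None, "key set download refused"
    return key_set, "key set acquired"                               # s110
```

Each successful switch consumes two keys of the set, so with a four-key set the third attempt is refused until the key set is replenished, mirroring the replenishment the description mentions.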
Example 2: a system by which a quantum security device changes its access base station, applied to a scene in which the quantum security device first accesses a certain base station and, after performing a key synchronization operation with it, changes its accessed base station to another base station. The system comprises the quantum security device, a first base station, an authentication center and a second base station, wherein the quantum security device and the first base station are preset with the same key set; the first base station is the base station the quantum security device has already accessed, and the second base station is the base station it prepares to access;
in the system, the quantum security equipment mainly refers to equipment which utilizes a quantum encryption technology to carry out communication, and at least comprises an external communication interface and a quantum encryption and decryption device for data encryption and decryption; for example, a network encryption device based on quantum keys is provided in a patent document with a Chinese patent application number of CN.201020537240.2;
the key set is composed of a plurality of quantum keys for encryption or decryption, and the quantum keys are generated by an existing quantum key generation device; when the quantum key surplus of the key set is insufficient, supplementary updating can be performed through corresponding key distribution equipment;
in actual use, a first base station usually stores a plurality of quantum security device key sets, and when searching for the key set position, the storage position of the corresponding key set can be determined according to the device ID of the quantum security device;
the first base station is used for sending the IP address of the second base station to the quantum security device;
the quantum security device is used for receiving the IP address and sending an access request and a device ID corresponding to the quantum security device to the second base station according to the IP address;
the second base station is used for receiving the access request and the device ID and sending the device ID to the authentication center; and for receiving authentication result information from the authentication center and determining whether to respond to the access request according to the authentication result information;
the authentication center is used for storing a security device list, receiving the device ID of the quantum security device (forwarded by the second base station), checking whether the device ID is in the security device list, generating authentication result information, and sending the authentication result information to the second base station.
In addition, the quantum security device is further configured to generate a first random number and send it to the first base station; to receive key data from the first base station, the key data carrying first encrypted data obtained by encrypting the first random number with a first key and a first key identifier indicating the index position of the first key; to determine the first key according to the first key identifier, decrypt the first encrypted data and check whether the resulting plaintext is the same as the first random number; and to generate quantum security device check result information and send it to the first base station;
Specifically, the quantum security device, the first base station and the second base station each contain a true random number generator; the first random number is obtained by the quantum security device from its local true random number generator, and the second random number by the first base station from its local true random number generator. The first and second random numbers can be generated in real time, and the random numbers generated each time are different and unpredictable. The true random number generator may be the one described in Chinese patent application No. CN.201410478930.8.
The first base station is configured to receive the first random number; to generate key data and send it to the quantum security device; and to receive the quantum security device check result information and determine from it whether to allow the key set to be transmitted to the second base station. If the plaintext obtained by decrypting the first encrypted data is the same as the first random number, the quantum security device check result information is marked as passed, otherwise as not passed; when it is marked as passed, the first base station allows the key set to be transmitted to the second base station; when it is marked as not passed, the first base station refuses to transmit the key set to the second base station;
The random numbers generated in this process are completely random: an outside party cannot obtain or learn them in advance, and they are hard to forge. The encryption key is selected from the key set synchronized between the quantum security device and the first base station; when the two sides' encryption keys do not correspond, the quantum security device or the first base station cannot correctly decrypt and verify the random number, the subsequent check fails, and a device that has not performed the synchronization cannot easily pass authentication. During authentication only the identifier of the encryption key, i.e. the key's index information, is transmitted; even if that index information leaked to an outside party, the encryption key itself is hard to determine from it, which greatly improves the security and reliability of the subsequent download of the synchronized key set by the second base station.
The above process can also be seen in the flow chart of S201-S204 in fig. 3.
Example 3: this differs from Example 2 in that it further improves the security of the key set of the quantum security device that the second base station synchronizes while the quantum security device changes from the first base station to the second base station;
The first base station is further configured to generate a second random number and encrypt it with the first key to obtain second encrypted data; to receive a second key identifier and third encrypted data from the quantum security device, look up the second key in the key set stored in the first base station according to the second key identifier, decrypt the third encrypted data, and verify whether the decrypted third encrypted data is the same as the second random number; and to determine whether to allow transmission of the key set to the second base station based on this verification result together with the received quantum security device check result information: the key set is transmitted to the second base station only if both are marked as passed, otherwise transmission of the key set to the second base station is refused;
The quantum security device is further configured to receive the second encrypted data, look up the first key in its stored key set according to the first key identifier, decrypt the second encrypted data to obtain the second random number, select another key from the stored key set as the second key, generate a second key identifier carrying the index information of the second key, encrypt the second random number with the second key to generate third encrypted data, and send the second key identifier and the third encrypted data to the first base station;
In this way the quantum security device derives third encrypted data from the second encrypted data and sends it to the first base station, which performs a second decryption check; only when this check and the earlier quantum security device check result information both pass is the first base station allowed to transmit the key set to the second base station, otherwise the transmission is refused. This double verification further improves the security and reliability of the transfer from the first base station to the second base station;
In the above process, the second base station relays between the quantum security device and the first base station one or more of: the first random number, the key data, the check result information, the second encrypted data, the second key identifier and the third encrypted data.
The second random number is generated in the same manner as described in example 2.
In addition, the quantum security device is further configured to send a network access ID to the second base station; the second base station is further configured to receive the network access ID and send it to the first base station; the first base station is further configured to determine from the network access ID whether a key set corresponding to the quantum security device exists. When the second base station sends the device ID to the authentication center it also sends the network access ID; on successful authentication, the authentication center records the network access ID of the quantum security device, so that the service provider can tell which base station the quantum security device is currently accessing.
After the first base station and the second base station complete the transfer of the key set, the first base station also deletes its stored copy of the key set corresponding to the quantum security device, so that it cannot be obtained by other devices and the leakage risk is not increased.
The above process can also be seen in the flow chart of S301-S307 in FIG. 4.
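The exchange of Example 3, which claim 2 below restates step by step, run in-process with one object per party, as an added example; this is not code from the patent or its applicant. Assumptions the patent leaves open and that are made here: each quantum key is a 32-byte one-time pad consumed after a single use, "encryption" is XOR with that pad, messages are plain Python dicts relayed by the second base station, and the key set, device IDs and network access IDs are constructed test values.

```python
"""Handover of a quantum security device from a first to a second base station.

Added illustration of Example 3 / claim 2; not the patent's own code. Assumed: 32-byte
one-time-pad keys, XOR as the cipher, messages as dicts, constructed IDs and keys.
"""
from __future__ import annotations

import hmac
import secrets

KEY_LEN = 32  # assumed key and random-number length


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == KEY_LEN
    return bytes(x ^ y for x, y in zip(a, b))


class KeySet:
    """Indexed pool of shared quantum keys; a key is deleted as soon as its index is used."""

    def __init__(self, keys: dict[int, bytes]):
        self.keys = dict(keys)

    def take(self, index: int) -> bytes | None:
        return self.keys.pop(index, None)  # None: unknown index or already consumed

    def pick_index(self) -> int:
        if not self.keys:
            raise LookupError("key set exhausted; replenish via key distribution")
        return secrets.choice(sorted(self.keys))


class AuthenticationCenter:
    def __init__(self, security_device_list: set[str]):
        self.security_device_list = set(security_device_list)
        self.attached_to: dict[str, str] = {}  # network access ID -> base station name

    def authenticate(self, device_id: str, network_id: str, base_station: str) -> bool:
        ok = device_id in self.security_device_list
        if ok:
            self.attached_to[network_id] = base_station  # record where the device now is
        return ok


class QuantumSecurityDevice:
    def __init__(self, device_id: str, network_id: str, keyset: KeySet):
        self.device_id, self.network_id, self.keyset = device_id, network_id, keyset
        self.r1 = b""

    def access_request(self) -> dict:
        self.r1 = secrets.token_bytes(KEY_LEN)  # first random number: challenge to BS1
        return {"device_id": self.device_id, "network_id": self.network_id, "r1": self.r1}

    def check_key_data(self, key_data: dict) -> dict | None:
        k1 = self.keyset.take(key_data["idx1"])
        if k1 is None or not hmac.compare_digest(xor_bytes(key_data["c1"], k1), self.r1):
            return None  # BS1 did not prove it holds the key at idx1: check fails
        r2 = xor_bytes(key_data["c2"], k1)  # BS1's challenge, decrypted with the same key
        idx2 = self.keyset.pick_index()  # a second key, necessarily different from idx1
        return {"idx2": idx2, "c3": xor_bytes(r2, self.keyset.take(idx2))}


class FirstBaseStation:
    def __init__(self, keysets: dict[str, KeySet]):
        self.keysets = keysets  # network access ID -> key set of that device
        self.r2: dict[str, bytes] = {}

    def key_data(self, network_id: str, r1: bytes) -> dict | None:
        ks = self.keysets.get(network_id)
        if ks is None:
            return None  # no key set for this network access ID
        idx1 = ks.pick_index()
        k1 = ks.take(idx1)
        self.r2[network_id] = secrets.token_bytes(KEY_LEN)  # second random number
        return {"idx1": idx1, "c1": xor_bytes(r1, k1), "c2": xor_bytes(self.r2[network_id], k1)}

    def release_keyset(self, network_id: str, reply: dict | None) -> KeySet | None:
        ks = self.keysets[network_id]
        k2 = ks.take(reply["idx2"]) if reply else None
        if k2 is None or not hmac.compare_digest(xor_bytes(reply["c3"], k2), self.r2.pop(network_id)):
            return None  # second check failed (or device's first check failed): refuse download
        return self.keysets.pop(network_id)  # hand over the key set and delete the local copy


class SecondBaseStation:
    def __init__(self, name: str, auth: AuthenticationCenter, first_bs: FirstBaseStation):
        self.name, self.auth, self.first_bs, self.keysets = name, auth, first_bs, {}

    def handover(self, dev: QuantumSecurityDevice) -> bool:
        req = dev.access_request()
        if not self.auth.authenticate(req["device_id"], req["network_id"], self.name):
            return False
        key_data = self.first_bs.key_data(req["network_id"], req["r1"])  # relayed to device
        if key_data is None:
            return False
        reply = dev.check_key_data(key_data)  # relayed back to BS1
        ks = self.first_bs.release_keyset(req["network_id"], reply)
        if ks is None:
            return False
        self.keysets[req["network_id"]] = ks
        return True


if __name__ == "__main__":
    shared = {i: secrets.token_bytes(KEY_LEN) for i in range(8)}  # constructed key set
    bs1 = FirstBaseStation({"NET-01": KeySet(shared)})
    bs2 = SecondBaseStation("BS2", AuthenticationCenter({"QSD-01"}), bs1)
    print("handover ok:", bs2.handover(QuantumSecurityDevice("QSD-01", "NET-01", KeySet(shared))))
```

Because the first random number travels in plaintext in the access request, anyone who observes the key data can recover the first key from the first encrypted data when the cipher is a one-time pad; that is why both sides pop a key from the pool the moment its index is used and why the second key must differ from the first. The constant-time comparison (`hmac.compare_digest`) keeps a forged response from revealing how many bytes matched.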

Claims (9)

1. A method for changing an access base station by quantum security equipment is applied to a scene that the quantum security equipment changes the access base station from a first base station to a second base station, and is characterized in that: the method comprises the following steps:
the quantum security equipment acquires an IP address of a second base station, and sends an access request to the second base station according to the IP address, wherein the access request carries an equipment ID, a network access ID and a first random number;
the second base station receives the access request and sends authentication request information carrying the equipment ID to an authentication end;
the authentication terminal receives the authentication request information, generates authentication result information according to the equipment ID carried in the authentication request information, and returns the authentication result information to the second base station;
and the second base station receives authentication result information and determines whether the quantum security device is allowed to be switched from the first base station to the second base station or not according to the authentication result information.
2. The method of altering quantum security device access to a base station of claim 1, wherein: before the quantum security device is switched from the first base station to the second base station, synchronizing the same key set in the first base station and the quantum security device, and after the quantum security device is switched from the first base station to the second base station, further performing the following operations:
the second base station sends a network access ID and a first random number to the first base station;
the first base station searches for and determines a key set according to the network access ID, generates a second random number when the key set exists, selects one key from the key set in the first base station as a first key, encrypts the first random number with the first key to form first encrypted data, encrypts the second random number with the first key to generate second encrypted data, and sends the first encrypted data, the second encrypted data and a first key identifier carrying the first key index information to the quantum security device through the second base station;
the quantum security device receives the first encrypted data, the second encrypted data and the first key identifier, determines the first key according to the first key identifier to decrypt the first encrypted data and verifies whether the decrypted first encrypted data is identical to the first random number, selects one key from the key set stored in the quantum security device as a second key when the verification result is identical, encrypts the second random number with the second key to form third encrypted data, and sends the third encrypted data and a second key identifier carrying the second key index information to the second base station, wherein the second key is different from the first key;
the second base station receives the third encrypted data and the second key identification and sends the third encrypted data and the second key identification to the first base station;
the first base station receives the third encrypted data and the second key identifier, determines the second key in the key set stored by the first base station according to the second key identifier to decrypt the third encrypted data, verifies whether the decrypted third encrypted data is the same as the second random number to generate verification result information, and transmits the key set to the second base station when the verification result information is marked as verification passed;
and the second base station sends key set acquisition result information to the quantum security equipment.
3. The method of altering quantum security device access to a base station of claim 1, wherein: and the quantum security equipment acquires the IP address of the second base station through the base station server.
4. A system for quantum safety equipment to change access base station is characterized in that: the system comprises quantum security equipment, a first base station, an authentication center and a second base station, wherein the quantum security equipment and the first base station are internally preset with the same key set;
the first base station is used for sending the IP address of the second base station to the quantum security device;
the quantum security device is used for receiving the IP address and sending an access request and a device ID corresponding to the quantum security device to the second base station according to the IP address;
the second base station is used for receiving the access request and the equipment ID and sending the equipment ID to the authentication center; receiving authentication result information from an authentication center, and determining whether to respond to the access request according to the authentication result information;
the authentication center is used for storing a security device list, receiving a device ID sent by the quantum security device, checking whether the device ID is in the security device list, generating authentication result information, and sending the authentication result information to the second base station.
5. The system for quantum security device change access to base station of claim 4, wherein:
the quantum security device is further configured to generate a first random number and send it to the first base station; to receive key data from the first base station, where the key data carries first encrypted data obtained by encrypting the first random number with a first key and a first key identifier indicating the index position of the first key; and to determine, according to the first key identifier, the first key to decrypt the first encrypted data, verify whether the decrypted first encrypted data is the same as the first random number, and generate quantum security device verification result information to send to the first base station;
the first base station is used for receiving the first random number; generating key data and transmitting it to the quantum security device; and receiving the quantum security device verification result information and determining whether to allow the key set to be transmitted to the second base station according to the quantum security device verification result information.
6. The system for quantum security device change access to base station of claim 5, wherein: the first base station is further configured to generate a second random number, and encrypt the second random number through the first key to obtain second encrypted data; receiving a second key identifier and third encrypted data from the quantum security device, searching the obtained second key in a key set stored in the first base station according to the second key identifier to decrypt the third encrypted data, verifying whether the decrypted third encrypted data is the same as a second random number or not, and determining whether to allow transmission of the key set to the second base station or not based on the verification result and the received quantum security device verification result information; if the verification result and the received quantum security device verification result information are both identified to be the same, allowing to transmit the key set to the second base station, otherwise refusing to transmit the key set to the second base station;
the quantum security device is further configured to receive second encrypted data, search the first key obtained from the stored key set according to the first key identifier to decrypt the second encrypted data to obtain a second random number, select another key from the stored key set as the second key, generate a second key identifier carrying index information of the second key, encrypt the second random number by the second key to generate third encrypted data, and send the second key identifier and the third encrypted data to the first base station.
7. The system for quantum security device change access to base station of claim 6, wherein: the second base station is specifically configured to transmit between the quantum security device and the first base station: one or more of the first random number, the key data, the verification result information, the second encrypted data, the second key identification, and the third encrypted data.
8. The system for quantum security device change access to base stations as claimed in claim 6, wherein: the quantum security device, the first base station and the second base station are all internally provided with a true random number generator, the first random number is acquired by the quantum security device from a local true random number generator thereof, and the second random number is acquired by the first base station from the local true random number generator thereof.
9. The system for quantum security device change access to base station of claim 6, wherein: the quantum security device is further configured to send a network access ID to the second base station; the second base station is further configured to receive the network access ID and send the network access ID to the first base station; and the first base station is also used for determining whether a corresponding key set in the quantum security device exists according to the network access ID.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210875431.7A CN115276975A (en) 2022-07-25 2022-07-25 Method and system for changing access base station of quantum security equipment

Publications (1)

Publication Number Publication Date
CN115276975A true CN115276975A (en) 2022-11-01

Family

ID=83769562

Country Status (1)

Country Link
CN (1) CN115276975A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination