CN115361129A - A method and system for securely distributing quantum keys based on the Internet of Things - Google Patents


Info

Publication number
CN115361129A
Authority
CN
China
Prior art keywords
key
terminal
initial
quantum
internet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211049438.XA
Other languages
Chinese (zh)
Inventor
韦峥
黄晓宁
梁康政
徐东
梁洪源
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Hengtong Wentian Quantum Information Research Institute Co Ltd
Original Assignee
Jiangsu Hengtong Wentian Quantum Information Research Institute Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jiangsu Hengtong Wentian Quantum Information Research Institute Co Ltd
Priority to CN202211049438.XA
Publication of CN115361129A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography
    • H04L9/0855 Quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y30/00 IoT infrastructure
    • G16Y30/10 Security thereof
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y40/00 IoT characterised by the purpose of the information processing
    • G16Y40/50 Safety; Security of things, users, data or systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an Internet of Things-based system for securely distributing quantum keys, comprising a quantum random generator, a terminal layer, an access layer and a platform layer. The platform layer comprises a quantum key service module, a resource and information management module, a secure access management module and a secure encoding and decoding management module. The IoT-based method for securely distributing quantum keys applied to this system starts from protecting key security: it designs a group key and a global key, based on quantum random numbers, that suit the characteristics of the Internet of Things, distributes them to terminals under public-key encryption, and has each terminal decrypt to obtain a session key, which is then used to decrypt and obtain instructions. The method deploys each module at the platform layer, so that the IoT architecture changes from the traditional hierarchical, layer-by-layer encryption policy to security encryption focused on the business layer; building a security system of the same security level costs less and has lower transmission latency.

Description

A method and system for securely distributing quantum keys based on the Internet of Things

Technical field

The present invention relates to the technical field of quantum key distribution, and in particular to a method and system for securely distributing quantum keys based on the Internet of Things.

Background

The core functions of current IoT platforms are connecting massive numbers of devices, handling device-side fragmentation, secure management services, and trusted secure access. Massive device connectivity is currently achieved mainly through load balancing, which enables distributed connection, collection and storage of massive data, but there are few complete solutions for massive numbers of security keys. Device-side fragmentation is addressed mainly through multi-interface, multi-homed access, adapting to different device scenarios through different access methods. Secure management services are mainly managed in slices, from cloud services and cloud computing, with security features integrated into each slice. For secure access, the security system relies mainly on the trustworthiness of the terminal, the trustworthiness of the network and the stability of the connection; each layer and technology is protected by layered isolation, and different technologies are used in different scenarios to ensure the security of the platform.

Current IoT platforms focus on anti-virus and anti-attack protection; vertical protection is weak, and they lack secure key management and a distribution mechanism designed for IoT scenarios. Traditional IoT security technology encrypts mainly at the transport layer and rarely at the business layer, does not provide security management for massive access, and lacks a vertically integrated security protection system. To achieve security, protection devices have to be stacked at every layer, which leads to high overall cost and high latency. In the traditional IoT network architecture, the security policy is protection by level and by layer, mainly building VPN tunnels from the perspective of establishing a trusted network; a secure encryption policy cannot be implemented for the business layer.

Quantum communication is an important branch of quantum information science. Quantum key distribution in the prior art mainly relies on a cooperating quantum key generation module and quantum key receiving module to transmit keys, and depends on a separate channel to carry the key information, which requires setting up and managing a dedicated line at high cost.

Summary of the invention

The technical problem to be solved by the present invention is therefore to overcome the high cost of the hierarchical, layer-by-layer encryption used for secure transmission in the prior art.

To solve the above technical problem, the present invention provides a method for securely distributing quantum keys based on the Internet of Things, applied at the platform layer, comprising:

obtaining the initial terminal number of a target terminal, and encrypting the initial terminal number to generate an encrypted terminal number;

packaging the encrypted terminal number and a private key certificate into an initial SDK;

obtaining the routing information of the target terminal, and building, according to the routing information, the set of initial SDKs of all terminals in the same routing group;

obtaining a set of decrypted terminal numbers from the set of initial SDKs, and comparing the initial terminal number with the set of decrypted terminal numbers; if the set of decrypted terminal numbers contains a number identical to the initial terminal number, randomly selecting a first key for the target terminal;

encrypting the first key with a public key and distributing it to the target terminal according to the routing information of the target terminal, so that the target terminal obtains a session key by decrypting with the private key certificate;

wherein the public key, the private key certificate and the first key all come from quantum keys generated by a quantum random generator.

In one embodiment of the present invention, a symmetric encryption algorithm is used to encrypt the initial terminal number and generate the encrypted terminal number.

In one embodiment of the present invention, obtaining the routing information of the target terminal comprises: when the target terminal, carrying its initial SDK, applies for network access and undergoes route aggregation, obtaining the routing information from the route aggregation process;

wherein route aggregation means selecting and aggregating shortest paths with the Dijkstra algorithm under global routing.

In one embodiment of the present invention, obtaining the set of decrypted terminal numbers from the set of initial SDKs comprises: decrypting the encrypted terminal numbers in the set of initial SDKs with a symmetric encryption algorithm to obtain the set of decrypted terminal numbers.

In one embodiment of the present invention, comparing the initial terminal number with the set of decrypted terminal numbers further comprises: if the set of decrypted terminal numbers contains no number identical to the initial terminal number, reporting a network access failure and discarding the terminal.

In one embodiment of the present invention, randomly selecting the first key for the target terminal comprises:

when the target terminal is an end terminal, randomly selecting a first key for the end terminal as a group key, the group key being used to encrypt single instructions distributed to the end terminal;

when the target terminal is a trusted network terminal, randomly selecting a first key for the trusted network terminal as a global key, the global key being used to encrypt combined instructions distributed to the trusted network terminal;

wherein the end terminal is the last terminal in each routing group, and the trusted network terminals are the remaining terminals in each routing group other than the end terminal.

The present invention also provides a system for securely distributing quantum keys based on the Internet of Things, comprising:

a quantum random generator, used to generate true random numbers as quantum keys;

a terminal layer, comprising end terminals and trusted network terminals, all of which carry an initial SDK;

an access layer, comprising a gateway, communicatively connected to the terminal layer;

a platform layer, which applies the IoT-based method for securely distributing quantum keys according to any one of claims 1 to 6 and is used to securely transmit the session key to the target terminal for data transmission, comprising:

a quantum key service module, used to obtain and store the quantum keys pushed by the quantum random generator, to obtain and encrypt the initial terminal number to generate the encrypted terminal number, and to randomly select the first key for a target terminal that has passed verification;

a resource and information management module, used to obtain and store the terminal's private key certificate, initial terminal number and decrypted terminal number, to package the initial SDK, and to compare the initial terminal number with the decrypted terminal number to verify whether the target terminal is secure;

a secure encoding and decoding management module, used to obtain and decrypt the set of initial SDKs to obtain the set of decrypted terminal numbers;

a secure access management module, used to obtain the routing information of the target terminal, build the set of initial SDKs of all terminals in the same routing group, encrypt the first key and distribute it to the target terminal according to the routing information.

In one embodiment of the present invention, the quantum key service module obtains the quantum keys pushed by the quantum random generator and stores them securely as a key pool in the form of a queue.

In one embodiment of the present invention, the end terminal receives single-instruction ciphertext encrypted with the group key from the platform layer, and decrypts it with the session key to obtain the single instruction.

In one embodiment of the present invention, the trusted network terminal receives combined-instruction ciphertext from the platform layer forwarded by the gateway, and decrypts it with the session key to obtain the combined instruction;

wherein gateway forwarding comprises: after obtaining the combined instruction encrypted with the global key and issued by the platform layer, the gateway decrypts it with the global key to obtain a new combined instruction, encrypts the new combined instruction again with the global key, and forwards it to the trusted network terminal.

Compared with the prior art, the above technical solution of the present invention has the following advantages:

The IoT-based method for securely distributing quantum keys described in the present invention concentrates the encryption policy at the platform layer. By deploying the modules at the platform layer, it changes the IoT architecture from the traditional hierarchical, layer-by-layer encryption policy to security encryption focused on the business layer, so that building a security system of the same security level costs less and has lower transmission latency. The first key realizes the design of a global key and a group key: the group key reduces the frequency of key exchanges while maintaining security, which improves efficiency; the global key is broadcast through a centralized gateway, which solves the difficulty of key exchange for the platform's downlink instructions. Distributing quantum keys over the Internet of Things is independent of the properties of the traditional network medium: keys can be distributed in a transparent transmission pipe without modifying the body of the transmitted business messages, which ensures the security of key transmission.

Brief description of the drawings

To make the content of the present invention easier to understand clearly, the invention is described in further detail below according to specific embodiments and with reference to the accompanying drawings, in which:

Fig. 1 is a flowchart of the steps of the IoT-based method for securely distributing quantum keys provided by an embodiment of the present invention;

Fig. 2 is a schematic diagram of the composition of the IoT-based system for securely distributing quantum keys provided by an embodiment of the present invention.

Detailed description

The present invention is further described below with reference to the accompanying drawings and specific embodiments, so that those skilled in the art can better understand and implement it; the embodiments given do not limit the invention.

Referring to Fig. 1, the IoT-based method for securely distributing quantum keys provided by an embodiment of the present invention comprises:

S1. Obtain the initial terminal number of the target terminal, and encrypt the initial terminal number to generate an encrypted terminal number.

S2. Package the encrypted terminal number and the private key certificate into an initial SDK.

S3. The target terminal, carrying its initial SDK, applies for network access and undergoes route aggregation; obtain the routing information from the route aggregation process, and build, according to the routing information, the set of initial SDKs of all terminals in the same routing group;

where route aggregation means selecting and aggregating shortest paths with the Dijkstra algorithm under global routing.

S4. Decrypt the set of initial SDKs with a symmetric encryption algorithm to obtain the set of decrypted terminal numbers, and compare the initial terminal number with the set of decrypted terminal numbers; if the set of decrypted terminal numbers contains a number identical to the initial terminal number, randomly select a first key for the target terminal;

if the set of decrypted terminal numbers contains no number identical to the initial terminal number, report a network access failure and discard the terminal.

S5. According to the routing information of the target terminal, encrypt the first key with the public key and distribute it to the target terminal, so that the target terminal obtains the session key by decrypting with the private key certificate.

Here the public key, the private key certificate and the first key all come from quantum keys generated by the quantum random generator. The first key comprises a group key and a global key: the group key is used to encrypt single instructions distributed to end terminals, and the global key is used to encrypt combined instructions distributed to trusted network terminals. The end terminal is the last terminal in each routing group, and the trusted network terminals are the remaining terminals in each routing group other than the end terminal. The end terminal receives single-instruction ciphertext encrypted with the group key from the platform layer and decrypts it with the session key to obtain the single instruction; the trusted network terminal receives combined-instruction ciphertext from the platform layer forwarded by the gateway and decrypts it with the session key to obtain the combined instruction. Gateway forwarding means that, after obtaining the combined instruction encrypted with the global key and issued by the platform layer, the gateway decrypts it with the global key to obtain a new combined instruction, encrypts the new combined instruction again with the global key, and forwards it to the trusted network terminal.

The global key and the group key are designed by randomly selecting the first key according to the routing information: the group key is used when transmitting a single instruction, and the global key is used when issuing a combined instruction. The group key solves the security problem of the keys required for the uplink information of the terminals in one routing set, and reduces the frequency of key exchanges while maintaining security, which improves efficiency. Traditional schemes do not manage keys centrally; they use point-to-point asymmetric encryption, and key exchange usually relies on relatively complex grouping algorithms for key synchronization, whereas the global key solves the difficulty of key exchange for the platform's downlink instructions.
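The role split and key selection described above, as an added Python example that is not code from the patent. The topology and node names are constructed, and these points are assumptions: a routing group is taken to be the terminals whose shortest path shares the same gateway, the "last" terminal is the one with the greatest path cost, a key is removed from the pool once selected, and `secrets.token_bytes` stands in for the quantum random generator.

```python
import heapq
import secrets
from collections import deque

# Constructed topology (not from the patent): downstream link costs.
LINKS = {
    "platform": {"gw1": 1, "gw2": 1},
    "gw1": {"t1": 1, "t2": 4},
    "t1": {"t2": 1},
    "t2": {"t3": 1},
    "gw2": {"t4": 2},
    "t4": {"t5": 1},
}
TERMINALS = {"t1", "t2", "t3", "t4", "t5"}


def shortest_paths(links, source):
    """Dijkstra: return {node: (cost, path)} for every node reachable from source."""
    best = {source: (0, [source])}
    heap = [(0, source, [source])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry, a cheaper path was already recorded
        for nxt, weight in links.get(node, {}).items():
            candidate = cost + weight
            if nxt not in best or candidate < best[nxt][0]:
                best[nxt] = (candidate, path + [nxt])
                heapq.heappush(heap, (candidate, nxt, path + [nxt]))
    return best


def routing_groups(links, terminals, source="platform"):
    """Group terminals by the gateway on their shortest path, nearest first."""
    groups = {}
    for node, (cost, path) in shortest_paths(links, source).items():
        if node in terminals:
            groups.setdefault(path[1], []).append((cost, node))
    return {gw: [n for _, n in sorted(members)] for gw, members in groups.items()}


class KeyPool:
    """Queue of 256-bit keys, Qkey(n)...Qkey(n+n) in the patent's notation."""

    def __init__(self, size):
        # Assumption: secrets.token_bytes stands in for the QRNG feed.
        self._queue = deque(secrets.token_bytes(32) for _ in range(size))

    def __len__(self):
        return len(self._queue)

    def take_random(self):
        """Pick a random key and remove it so it is never handed out twice."""
        if not self._queue:
            raise RuntimeError("key pool exhausted")
        idx = secrets.randbelow(len(self._queue))
        self._queue.rotate(-idx)   # bring the chosen key to the front
        key = self._queue.popleft()
        self._queue.rotate(idx)    # restore the order of the remaining keys
        return key


def assign_first_keys(groups, pool):
    """One group key per routing group (for its end terminal) and a single
    global key shared by every trusted network terminal."""
    global_key = pool.take_random()
    plan = {}
    for members in groups.values():
        *trusted, end = members
        plan[end] = ("group", pool.take_random())
        for terminal in trusted:
            plan[terminal] = ("global", global_key)
    return plan


if __name__ == "__main__":
    groups = routing_groups(LINKS, TERMINALS)
    for terminal, (kind, key) in sorted(assign_first_keys(groups, KeyPool(8)).items()):
        print(terminal, kind, key.hex()[:16] + "...")
```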

Referring to Fig. 2, the IoT-based system for securely distributing quantum keys provided by an embodiment of the present invention comprises: a quantum random generator, used to generate true random numbers as quantum keys; terminals, comprising end terminals and trusted network terminals, all of which carry an initial SDK; and a platform layer, which applies the IoT-based method for securely distributing quantum keys described above and is used to securely transmit the session key to the terminals for data transmission.

The platform layer comprises: a quantum key service module, used to obtain the quantum keys pushed by the quantum random generator and store them securely as a key pool in the form of a queue, to obtain and encrypt the initial terminal number to generate the encrypted terminal number, and to randomly select the first key for a terminal that has passed verification; a resource and information management module, used to obtain and store the terminal's private key certificate, initial terminal number and decrypted terminal number, to package the initial SDK, and to compare the initial terminal number with the decrypted terminal number to verify whether the terminal is secure; a secure encoding and decoding management module, used to obtain and decrypt the set of initial SDKs to obtain the set of decrypted terminal numbers; and a secure access management module, used to obtain the routing information of the terminal, build the set of initial SDKs of all terminals in the same routing group, encrypt the first key and distribute it to the terminal according to the routing information.

Specifically, based on the above embodiments, the specific steps of applying the IoT-based method for securely distributing quantum keys provided by an embodiment of the present invention on the IoT-based system for securely distributing quantum keys are as follows:

Before devices join the network, a trusted network is built on the platform layer. The quantum random generator distributes keys, generating Qkey(n), and the quantum key service module stores them securely in the form of a queue to form the key queue Qkey(n)…Qkey(n+n).

The resource and information management module obtains the initial terminal number and requests encryption from the quantum key service module, so that the quantum key service module encrypts the initial terminal number with a symmetric encryption algorithm to generate the encrypted terminal number; it obtains the private key certificate that the quantum key service module distributes to the terminal; and it packages the encrypted terminal number and the private key certificate into the initial SDK and reports it to the secure access management module.

The terminal, carrying its own initial SDK, reports upward layer by layer through the network layer to apply for network access and undergo route aggregation. The secure access management module records the routing information and synchronously reports it to the quantum key service module, so that the two modules share the routing set, and builds the code set K_1…K_n of the initial SDKs of all terminals in one routing group, which it reports to the secure encoding and decoding management module. Route aggregation means selecting and aggregating shortest paths with the Dijkstra algorithm under global routing.

The secure encoding and decoding management module decrypts the encrypted terminal numbers in the set of initial SDKs with a symmetric encryption algorithm to obtain the decrypted terminal numbers, and reports them to the resource and information management module.

The resource and information management module compares the initial terminal number with the decrypted terminal number. If they match, it reports the initial terminal number to the quantum key service module; if they do not match, it feeds back to the secure access management module, a network access failure message is returned to the terminal, and the terminal is discarded.

According to the initial terminal number, the quantum key service module matches the routing information and randomly selects the first key from the key pool Qkey(n)…Qkey(n+n). The first key comprises the group key, used to encrypt single instructions distributed to end terminals, and the global key, used to encrypt combined instructions distributed to trusted network terminals. That is, a new group key Qkey(p_1)…Qkey(p_n) is randomly generated for each group, and one key is randomly selected from Qkey(n) to generate the global key Qkey(q); these are reported to the secure access management module. The end terminal is the last terminal in each routing group, and the trusted network terminals are the remaining terminals in each routing group other than the end terminal.

The secure access management module encrypts the group keys Qkey(p_1)…Qkey(p_n) with the public key and distributes them along the established route to the end terminal of each routing set; at the same time it encrypts the global key Qkey(q) with the public key and distributes it level by level to all trusted network terminals.

After receiving the key information, the terminal decrypts it with the private key certificate to recover the symmetric key Qkey(p), which is the session key. Once the session key has been recovered, the end terminal receives single-instruction ciphertext from the platform layer and decrypts it with the session key to obtain the single instruction; the trusted network terminal receives combined-instruction ciphertext from the platform layer forwarded by the gateway and decrypts it with the session key to obtain the combined instruction.
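The admission check in the steps above (the terminal number is encrypted and packaged into the initial SDK, then decrypted and compared when the terminal applies for network access), as an added Python example that is not code from the patent. The patent does not name the symmetric algorithm: the HMAC-SHA256 encrypt-then-MAC construction below is a standard-library stand-in, and the class, field names, terminal numbers and certificate placeholder are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    """Derive independent encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as the stand-in stream cipher."""
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Return the plaintext, or None if the blob was modified or uses another key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class Platform:
    """Hypothetical platform-layer model of the S1, S2 and S4 steps."""

    def __init__(self):
        # Assumption: one platform-held key encrypts terminal numbers; in the
        # patent such keys come from the quantum key pool.
        self.id_key = secrets.token_bytes(32)
        self.initial_numbers = set()  # kept by the resource and information module

    def provision(self, terminal_no):
        """S1 + S2: encrypt the terminal number and package the initial SDK."""
        self.initial_numbers.add(terminal_no)
        return {
            "enc_terminal_no": seal(self.id_key, terminal_no.encode()),
            "private_key_cert": b"PLACEHOLDER-CERT",  # constructed placeholder
        }

    def admit(self, terminal_no, group_sdks):
        """S4: decrypt every SDK of the routing group, then compare numbers."""
        decrypted = set()
        for sdk in group_sdks:
            plain = unseal(self.id_key, sdk["enc_terminal_no"])
            if plain is not None:  # tampered or foreign SDKs never reach the set
                decrypted.add(plain.decode())
        return terminal_no in self.initial_numbers and terminal_no in decrypted


if __name__ == "__main__":
    platform = Platform()
    sdks = [platform.provision(n) for n in ("T-0001", "T-0002", "T-0003")]
    print("T-0002 admitted:", platform.admit("T-0002", sdks))
    print("T-9999 admitted:", platform.admit("T-9999", sdks))
```

Because the stand-in is authenticated, an SDK that was modified in transit or sealed under a different key is dropped before the comparison rather than decrypting to an arbitrary number.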

In this embodiment, the Internet of Things-based quantum key secure distribution system uses a symmetric encryption algorithm during sessions, that is, the platform layer and the terminal encrypt and decrypt with the same key. The public keys, private key certificates and session keys used throughout the system all come from true random numbers produced by the quantum random generator.

Specifically, based on the above embodiment, in the single-instruction scenario the terminal encrypts the communication data data1 with the session key Qkey(p) to obtain the encrypted data data2, and sends data2 to the platform layer according to the routing information stored in the secure access management module; the corresponding session key is then selected to decrypt it securely, and the recovered communication data data1 is submitted to the platform layer. When the platform issues a single instruction, the session key Qkey(p) corresponding to the routing information in the secure access management module is selected to encrypt the outgoing data data3, yielding the encrypted data data4; the terminal decrypts data4 with the session key Qkey(p), which it obtained by decrypting with its private key certificate, to recover data3.

In the single-instruction service flow, the encryption and decryption keys are all session keys Qkey(p1)…Qkey(pn) selected according to the routing information of the secure access management module. In the single-instruction scenario the terminal obtains the session key by decrypting the received group key with its private key certificate. The group key addresses the security of the key needed for the uplink information of all terminals under one routing set; while preserving security, it reduces how often terminals and the platform exchange keys, improves communication efficiency and lowers communication overhead.

Specifically, based on the above embodiment, when the platform issues a combined instruction, it sends the combined instruction, encrypted with the global key, to the gateway. The gateway decrypts it with the global key, parses the instruction, encrypts the parsed combined instruction with the global key again, and sends it to the trusted network terminals. On receiving the parsed and encrypted combined instruction, a trusted network terminal decrypts it with the global key to obtain the combined instruction issued by the platform.

The global key provides unified management of the keys under the same gateway. Interaction between the platform and the terminals goes through a centralized gateway, which reduces the network load of large-scale key forwarding and solves the difficulty of exchanging keys for the platform's downlink instructions.

In this embodiment, quantum key distribution is based on the Internet of Things. It is independent of the properties of the network medium and does not rely on the network channel; instead, keys are distributed through a transparent-transmission network pipe, and the transmitted service message body is not processed in any way during transmission, which to some extent safeguards the transmission security of the service message body.

Obviously, the above embodiments are merely examples given for clarity of description and do not limit the implementations. Those of ordinary skill in the art can make other changes or variations in different forms on the basis of the above description. It is neither necessary nor possible to enumerate all implementations here. Obvious changes or variations derived from them remain within the scope of protection of the present invention.

Claims (10)

1. An Internet of Things-based quantum key secure distribution method, applied to a platform layer, comprising the following steps:
acquiring an initial terminal number of a target terminal, and encrypting the initial terminal number to generate an encrypted terminal number;
acquiring the encrypted terminal number and a private key certificate, and packaging them into an initial SDK;
acquiring routing information of the target terminal, and constructing, according to the routing information, a set of the initial SDKs of all terminals in the same routing group;
acquiring a decrypted terminal number set according to the initial SDK set, comparing the initial terminal number with the decrypted terminal number set, and, if a number consistent with the initial terminal number exists in the decrypted terminal number set, randomly selecting a first key for the target terminal;
encrypting the first key with a public key and distributing it to the target terminal according to the routing information of the target terminal, so that the target terminal decrypts it with the private key certificate to obtain a session key;
wherein the private key certificate, the first key and the public key all come from quantum keys generated by a quantum random generator.
2. The Internet of Things-based quantum key secure distribution method of claim 1, wherein a symmetric encryption algorithm is used to encrypt the initial terminal number and generate the encrypted terminal number.
3. The Internet of Things-based quantum key secure distribution method of claim 1, wherein acquiring the routing information of the target terminal comprises:
when the target terminal, carrying the initial SDK, applies for network access and performs route collection, acquiring the routing information during the route collection process;
wherein the route collection is a shortest-path selection under the global route using the Dijkstra algorithm.
4. The Internet of Things-based quantum key secure distribution method of claim 1, wherein acquiring the decrypted terminal number set according to the initial SDK set comprises: decrypting the encrypted terminal numbers in the initial SDK set with a symmetric encryption algorithm to obtain the decrypted terminal number set.
5. The Internet of Things-based quantum key secure distribution method of claim 1, wherein comparing the initial terminal number with the decrypted terminal number set further comprises:
if no number consistent with the initial terminal number exists in the decrypted terminal number set, feeding back a network access failure and discarding the terminal.
6. The Internet of Things-based quantum key secure distribution method of claim 1, wherein randomly selecting the first key for the target terminal comprises:
when the target terminal is an end terminal, randomly selecting a first key for the end terminal as a group key, wherein the group key is used to encrypt a single instruction distributed to the end terminal;
when the target terminal is a trusted network terminal, randomly selecting a first key for the trusted network terminal as a global key, wherein the global key is used to encrypt a combined instruction distributed to the trusted network terminal;
wherein the end terminal is the last terminal in each routing group, and the trusted network terminals are the terminals in each routing group other than the end terminal.
7. An Internet of Things-based quantum key secure distribution system, characterized by comprising:
a quantum random generator, used to generate true random numbers as quantum keys;
a terminal layer, comprising an end terminal and a trusted network terminal, both of which carry the initial SDK;
an access layer, comprising a gateway and communicatively connected to the terminal layer;
a platform layer, which applies the Internet of Things-based quantum key secure distribution method of any one of claims 1 to 6 to securely transmit a session key to, and exchange data with, a target terminal, and which comprises:
a quantum key service module, used to acquire and store the quantum keys pushed by the quantum random generator, to acquire and encrypt the initial terminal number to generate an encrypted terminal number, and to randomly select a first key for a target terminal that passes verification;
a resource and information management module, used to acquire and store the private key certificate, the initial terminal number and the decrypted terminal number of the terminal, to package the initial SDK, and to compare the initial terminal number with the decrypted terminal number to verify whether the target terminal is secure;
a secure encoding and decoding management module, used to acquire and decrypt the set of initial SDKs to obtain the decrypted terminal number set;
and a secure access management module, used to acquire the routing information of the target terminal, to construct the initial SDK set of all terminals in the same routing group, and to encrypt the first key and distribute it to the target terminal according to the routing information.
8. The Internet of Things-based quantum key secure distribution system of claim 7, wherein the quantum key service module acquires the quantum keys pushed by the quantum random generator and stores them securely in the form of a queue as a key pool.
9. The Internet of Things-based quantum key secure distribution system of claim 7, wherein the end terminal receives, from the platform layer, a single-instruction ciphertext encrypted with the group key, and decrypts it with the session key to obtain the single instruction.
10. The Internet of Things-based quantum key secure distribution method of claim 7, wherein the trusted network terminal receives a combined-instruction ciphertext from the platform layer, forwarded by the gateway, and decrypts it with the session key to obtain the combined instruction;
wherein the forwarding by the gateway comprises: after the gateway obtains the combined instruction issued by the platform layer and encrypted with the global key, the gateway decrypts it with the global key to obtain a new combined instruction, encrypts the new combined instruction with the global key again, and forwards it to the trusted network terminal.
CN202211049438.XA 2022-08-30 2022-08-30 A method and system for securely distributing quantum keys based on the Internet of Things Pending CN115361129A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211049438.XA CN115361129A (en) 2022-08-30 2022-08-30 A method and system for securely distributing quantum keys based on the Internet of Things

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211049438.XA CN115361129A (en) 2022-08-30 2022-08-30 A method and system for securely distributing quantum keys based on the Internet of Things

Publications (1)

Publication Number Publication Date
CN115361129A true CN115361129A (en) 2022-11-18

Family

ID=84005172

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211049438.XA Pending CN115361129A (en) 2022-08-30 2022-08-30 A method and system for securely distributing quantum keys based on the Internet of Things

Country Status (1)

Country Link
CN (1) CN115361129A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination