CN115567205A - Method and system for realizing encryption and decryption of network session data stream by quantum key distribution - Google Patents

Method and system for realizing encryption and decryption of network session data stream by quantum key distribution Download PDF

Info

Publication number
CN115567205A
CN115567205A CN202211198225.3A CN202211198225A CN115567205A CN 115567205 A CN115567205 A CN 115567205A CN 202211198225 A CN202211198225 A CN 202211198225A CN 115567205 A CN115567205 A CN 115567205A
Authority
CN
China
Prior art keywords
key
data
encryption
master key
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211198225.3A
Other languages
Chinese (zh)
Inventor
罗俊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Quantum Technology Co ltd
Original Assignee
China Telecom Quantum Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Quantum Technology Co ltd filed Critical China Telecom Quantum Technology Co ltd
Priority to CN202211198225.3A priority Critical patent/CN115567205A/en
Publication of CN115567205A publication Critical patent/CN115567205A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying

Abstract

The invention discloses a method and a system for realizing encryption and decryption of network session data stream by quantum key distribution, which comprises the steps of reading a master key from a connected secure storage medium, establishing a master key pool, and indicating whether the master key is used by using a key bitmap; encrypting the outbound data message by using a data encryption key to obtain an encrypted data message; randomly selecting an unused master key from a master key pool based on a key bitmap, and putting a ciphertext obtained by encrypting a data encryption key by using the master key and the ID (identity) of the master key into a security message header of a data message after encryption processing to obtain an outbound encrypted message; and sending the outbound encrypted message from a network interface connected with the external network. The invention solves the problem that the encryption gateway can not negotiate the session key for the data streams of different network sessions under the complex network environments of bidirectional NAT and the like and the problem of one-session (stream) -one-secret key synchronization.

Description

Method and system for realizing encryption and decryption of network session data stream by quantum key distribution
Technical Field
The invention relates to the technical field of password application, in particular to a method and a system for realizing encryption and decryption of network session data streams by quantum key distribution.
Background
The concept of network session generally refers to a quintuple of a network data packet, i.e., a network connection uniquely determined by a source IP address, a destination IP address, a protocol number, a source transport layer port, and a destination transport layer port number, and a network session data stream, i.e., a network data stream uniquely determined by the quintuple of the network session. The network session and the network session data stream have a certain life cycle, exist during the existence of the user network service associated with the session, and are closed or destroyed after the associated user network service is terminated.
At present, when local area networks of various branches are interconnected and intercommunicated, network session data streams of different services are transmitted by establishing a secure encrypted channel through an encryption gateway such as VPN equipment, and before the network session data streams are transmitted, key exchange protocols such as IKE are required to be adopted between the encryption gateways to negotiate session keys used by different network data streams. This mode has the following problems:
(1) A communication channel for directly performing key negotiation is required between the encryption gateways, which is difficult to implement in complex network environments such as NAT and the like, especially in the case that the gateways at both ends of communication need to perform NAT before surfing the internet.
(2) The negotiation process is complex and has certain calculation and communication costs, so the generated session key is generally used for a period of time, and a plurality of network sessions use the same key, so that the network sessions cannot be one-class-one-secret in terms of security.
(3) The key negotiation process is based on an asymmetric key pair and a digital certificate, a public key used for encrypting and transmitting session key materials is public, if different session keys are adopted for different network sessions, the use frequency of the key negotiation and the public-private key pair is too high, and the possibility of being decoded exists along with the improvement of the computing capacity of a quantum computer, so that the session key to be transmitted is decoded and stolen.
In the related art, chinese invention patent document No. CN107453869A describes a method for implementing quantum security IPSec VPN, which adds a QKD security interface in an IPSec VPN gateway, adds a quantum key access and application mechanism in an IPSec VPN security policy, adds a one-time pad encryption option based on a quantum key in an IPSec encryption module, and adds a policy that a quantum key is preferentially used as a pre-shared key, a session key of a data encryption algorithm, and a shared key of an HMAC algorithm; the fusion application of QKD and quantum encryption and IPSec protocol is realized, and the quantum security of identity authentication, message authentication and data encryption of the IPSec VPN system is improved.
But the scheme needs key negotiation, and the network topology structure is complex; and the pre-shared key is directly used as an encryption key, so that the security of the key is low.
Chinese patent publication No. CN114338019A describes a network communication method, system, apparatus and storage medium based on quantum key distribution, and the method includes: a terminal agent on user equipment sends a dynamic port request to a gateway; the gateway sends a quantum random number request to a quantum key distribution server based on the dynamic port request; the quantum key distribution server generates a pair of quantum random numbers based on the quantum random number request, and sends one quantum random number to the terminal proxy and the other quantum random number to the gateway so as to trigger the terminal proxy and the gateway to determine the same dynamic port number based on the quantum random numbers; and the terminal agent and the gateway perform data communication on the port corresponding to the dynamic port number to acquire the target data resource. The scheme is mainly characterized in that: (1) Generating a dynamic port of a user terminal access gateway based on the quantum random number; (2) And protecting the communication between the user terminal and the gateway based on the prestored quantum key and one-packet-one-secret encryption.
Disclosure of Invention
The technical problem to be solved by the invention is how to realize the key synchronization of the end-to-end encryption communication of the network session data stream among different local area networks through the encryption gateway.
The invention solves the technical problems through the following technical means:
the invention provides a method for realizing encryption and decryption of network session data streams by quantum key distribution, which is applied to an encryption gateway, wherein the encryption gateway is connected with a secure storage medium, and the method comprises the following steps:
reading a master key from a connected secure storage medium, establishing a master key pool, and indicating whether the master key is used or not by using a key bitmap, wherein the master key is pre-filled into the secure storage medium for a quantum key distribution network;
acquiring an outbound data message from a network interface connected with an intranet, and encrypting the outbound data message by using a data encryption key to obtain an encrypted data message, wherein the data encryption key is a random number generated in real time;
randomly selecting the unused master key from the master key pool based on the key bitmap, and putting a ciphertext obtained by encrypting the data encryption key by using the master key and the ID (identity) of the master key into a safety message header of the encrypted data message to obtain an outbound encrypted message;
and sending the outbound encrypted message from a network interface connected with an external network.
The encryption gateways are deployed at the entrances and exits of different local area networks, and the problem that the encryption gateways cannot negotiate session keys for data streams of different network sessions and the key synchronization problem of one session (stream) and one secret is solved by using a large-capacity master key generated by a quantum key distribution system in the encryption gateways and adopting a disposable master key for the data streams of the different network sessions under complex network environments such as bidirectional NAT; the actually used data encryption key is generated when the data encryption key is packed densely, and has stronger key security compared with the method of directly using a prestored key, the pre-filled key is used for protecting the actual data encryption key and is a key protection key, one network session data stream uses an exclusive main key to protect the data encryption key, the main key is invalid after being used up, and the method has the front-back security; in addition, based on the pre-filled master key, the data ciphertext and the key ciphertext of the encrypted data are transmitted together in a digital envelope mode, so that the method has strong adaptability and fault tolerance; therefore, the scheme can enhance the security of network session data stream transmission when the local area networks are interconnected and intercommunicated, and realize end-to-end key synchronization and encryption communication protection of the network session data streams between different local area networks by adopting the encryption gateway.
Further, when performing first-stream one-secret encryption processing on the outbound data packet, the method, based on the key bitmap, randomly selects an unused master key from the master key pool, and places a ciphertext obtained by encrypting the data encryption key using the master key and the ID of the master key into a security packet header of the data packet after encryption processing to obtain the outbound encrypted packet, further includes:
establishing a data flow table for the outbound data message according to the data flow determined by the quintuple, establishing association between the data flow table and the ID (identity) of the master key in the master key pool, and marking the key bitmap of the master key as occupied;
and for subsequent data messages after the first packet of the same data stream, the data encryption key is encrypted by adopting the main key corresponding to the ID through retrieving the ID of the main key associated with the data stream table.
Further, after the establishing a data flow table for the outbound data packet according to the data flow determined by the five-tuple, the method further includes:
establishing timeout time for each table entry in the data flow table;
when some entry is not accessed within the timeout time, the entry is deleted, and key updating is carried out based on the associated master key.
Further, the performing key update based on the associated master key includes:
encrypting the ID identification of the master key by using the associated master key to obtain a key updating request;
sending the key updating request to the quantum key distribution network so as to enable the quantum key distribution network to generate a key updating message, wherein the key updating message comprises a key ciphertext obtained by encrypting a new master key and an ID (identity) identifier thereof by using the master key originally associated with the table entry and the ID identifier of the new master key;
receiving the key updating message, and decrypting the key ciphertext by using the master key originally associated with the table entry to obtain the ID (identity) of a new master key;
and when the ID identification of the new master key is correctly compared, replacing the master key originally associated with the table entry with the new master key, and marking the key bitmap of the new master key as unused.
Further, after the outbound data packet is obtained from the network interface connected to the intranet, the method further includes:
judging whether the data length MSS of the outbound data message exceeds the length of the maximum data part allowed to be transmitted or not;
if yes, modifying the data length MSS = MSS-4-n of the outbound data message, wherein n is the length of a key or an initialization vector;
if not, the outbound data message is encrypted by using the data encryption key to obtain the encrypted data message.
Further, before the sending the outbound encrypted message from the network interface connected to the external network, the method further includes:
judging whether the outbound encrypted message exceeds an MTU (maximum transmission unit);
if yes, carrying out fragmentation processing on the outbound encrypted message;
and if not, sending the outbound encrypted message from a network interface connected with the external network.
Further, prior to the reading the master key from the secure storage medium, the method further comprises:
sending a registration request to a management and control platform to bind to corresponding security domains, wherein the security domains are divided by the management and control platform;
sending a key charging request to the management and control platform so that the management and control platform forwards the key charging request to the quantum key distribution network, wherein the quantum key distribution network stores security domain division information and encryption gateway information in each security domain;
and charging the master key into the secure storage medium offline through a key agent or a quantum network node, wherein the ID identifications of the master keys charged into the secure storage medium connected with each encryption gateway in the same secure domain are the same.
Further, when the encryption gateway is used as a receiving end, after receiving the outbound encryption packet from a network interface connected to an external network, the method further includes:
judging whether the outbound encrypted message is a fragmented message;
if yes, carrying out laminating treatment;
if not, selecting a master key corresponding to the ID identification of the master key from a master key pool to decrypt the ciphertext to obtain the data encryption key;
and decrypting the encrypted data message by using the data encryption key.
In addition, the invention also provides a gateway for realizing network session data stream encryption and decryption by adopting quantum key distribution, wherein the gateway comprises a data encryption and decryption processing module and a key injection module, the key injection module is connected with a safe storage medium, and a master key pre-filled by a quantum key distribution network is stored in the safe storage medium;
the key injection module is used for reading a master key from the connected secure storage medium, establishing a master key pool, and indicating whether the master key is used by using a key bitmap, wherein the master key is pre-filled into the secure storage medium for a quantum key distribution network;
the data encryption and decryption processing module is used for acquiring an outbound data message from a network interface connected with an intranet, and encrypting the outbound data message by using a data encryption key to obtain an encrypted data message, wherein the data encryption key is a random number generated in real time;
and the system is used for randomly selecting the unused master key from the master key pool based on the key bitmap, and putting a cipher text obtained by encrypting the data encryption key by using the master key and the ID (identity) of the master key into a safety message header of the encrypted data message to obtain an outbound encrypted message;
and the system is used for sending the outbound encrypted message from a network interface connected with an external network.
Further, the gateway further includes a flow table management module, wherein:
the flow table management module is used for establishing a data flow table for the outbound data message according to the data flow determined by the quintuple, establishing association between the data flow table and the ID (identity) of the master key in the master key pool, and marking the key bitmap of the master key as occupied;
and the data encryption and decryption processing module is also used for encrypting the data encryption key by using the main key corresponding to the ID identification through retrieving the ID identification of the main key associated with the data flow table for the subsequent data message after the first packet of the same data flow.
Further, the gateway further comprises a key update module, wherein:
and the key updating module is used for establishing timeout time for each table entry in the data flow table, deleting a table entry when the table entry is not accessed within the timeout time, and updating the key based on the associated master key.
In addition, the invention also provides a system for realizing encryption and decryption of network session data streams by adopting quantum key distribution, which comprises a first encryption gateway, a second encryption gateway, a control platform and a quantum key distribution network, wherein the first encryption gateway, the second encryption gateway and the quantum key distribution network are all connected with the control platform, the first encryption gateway and the second encryption gateway are all connected with the quantum key distribution network, the first encryption gateway and the second encryption gateway respectively comprise a data encryption and decryption processing module and a key injection module, the key injection module is connected with a secure storage medium, and a master key which is pre-charged by the quantum key distribution network is stored in the secure storage medium;
the management and control platform is used for performing security domain division and registration and identity binding services of the first encryption gateway and the second encryption gateway;
the quantum key distribution network is used for pre-charging a master key to the secure storage medium;
the key injection module is used for reading a master key from the connected secure storage medium, establishing a master key pool, and indicating whether the master key is used by using a key bitmap, wherein the master key is a quantum key distribution network and is pre-filled into the secure storage medium;
the data encryption and decryption processing module is used for acquiring an outbound data message from a network interface connected with an intranet and encrypting the outbound data message by using a data encryption key to obtain the encrypted data message, wherein the data encryption key is a random number generated in real time;
and the system is used for randomly selecting the unused master key from the master key pool based on the key bitmap, and putting a ciphertext obtained by encrypting the data encryption key by using the master key and the ID of the master key into a safe message header of the data message after encryption processing to obtain an outbound encrypted message;
and the system is used for sending the outbound encrypted message from a network interface connected with an external network.
The invention has the advantages that:
(1) The encryption gateways are deployed at the entrances and exits of different local area networks, and the problem that the encryption gateways cannot negotiate session keys for data streams of different network sessions and the key synchronization problem of one session (stream) and one secret is solved by using a large-capacity master key generated by a quantum key distribution system in the encryption gateways and adopting a disposable master key for the data streams of different network sessions under complex network environments such as bidirectional NAT; the actually used data encryption key is generated when the data encryption key is packed densely, and has stronger key security compared with the method of directly using a prestored key, the pre-filled key is used for protecting the actual data encryption key and is a key protection key, one network session data stream uses an exclusive main key to protect the data encryption key, the main key is invalid after being used up, and the method has the front-back security; in addition, based on the pre-filled master key, the data cipher text and the key cipher text of the encrypted data are transmitted together in a digital envelope mode, so that the method has strong adaptability and fault tolerance; therefore, the scheme can enhance the security of network session data stream transmission during interconnection and intercommunication among local area networks, and realize end-to-end key synchronization and encryption communication protection of network session data streams among different local area networks by adopting the encryption gateway.
(2) The main key is not reused and is regularly updated online through the encryption channel, so that safe use and timely update of a large number of keys can be guaranteed.
(3) The master key is synchronized among all encryption gateways in the same security domain which can be interconnected and intercommunicated, key retrieval is carried out by the key ID with uniform number, complex security strategy configuration and key distribution mechanisms are not needed, and the whole domain encryption communication in the security domain is simply and flexibly realized without reducing the security.
(4) The problems of safety intercommunication and key updating under the condition that the encryption gateway does not directly exchange key information are solved, and the related interactive information of encryption and decryption of the network data stream based on the session can be obviously reduced.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
Fig. 1 is a schematic flowchart of a method for implementing encryption and decryption of a network session data stream by quantum key distribution according to a first embodiment of the present invention;
fig. 2 is a schematic structural diagram of a gateway for implementing encryption and decryption of a network session data stream by quantum key distribution according to a second embodiment of the present invention;
fig. 3 is a schematic structural diagram of a system for implementing encryption and decryption of network session data streams by quantum key distribution according to a third embodiment of the present invention;
fig. 4 is a schematic diagram of a workflow of implementing a network session data stream encryption and decryption system by quantum key distribution according to a third embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
Example 1
As shown in fig. 1, a first embodiment of the present invention provides a method for implementing encryption and decryption of a network session data stream by quantum key distribution, which is applied to an encryption gateway, where the encryption gateway is connected to a secure storage medium, and the method includes the following steps:
s101, reading a master key from a connected secure storage medium, establishing a master key pool, and indicating whether the master key is used or not by using a key bitmap, wherein the master key is a quantum key distribution network and is pre-filled into the secure storage medium;
it should be noted that the format of the master key is 4-byte key ID + n-byte key and n-byte initialization vector, n is related to the encryption algorithm, and each device in the same security domain shares the same master key identified by the same key ID.
S102, acquiring an outbound data message from a network interface connected with an intranet, and encrypting the outbound data message by using a data encryption key to obtain an encrypted data message, wherein the data encryption key is a random number generated in real time;
s103, based on the key bitmap, randomly selecting the unused master key from the master key pool, and putting a ciphertext obtained by encrypting the data encryption key by using the master key and the ID (identity) of the master key into a safe message header of the encrypted data message to obtain an outbound encrypted message;
it should be noted that, the encryption gateway uses the data encryption key to perform first-class one-secret encryption processing on the outbound data message, that is, the same master key is used for the data stream uniquely determined by the quintuple (source and destination IP addresses, protocol number, source and destination transport layer port numbers), the encryption key of the data is a random number generated in real time, the encryption mode is CBC (integral multiple of algorithm packet) + CFB (remainder part except integral multiple of algorithm packet), and a secure packet header is added to each data message, the data encryption key is encrypted by the pre-filled master key and then placed in the packet header, the master key is randomly selected from the master key pool and is not used, and the selected key bitmap is marked as used.
And S104, sending the outbound encrypted message from a network interface connected with an external network.
In this embodiment, encryption gateways are deployed at different local area network entrances and exits, and a large-capacity master key generated by a quantum key distribution system is used in the encryption gateways, and a disposable master key is used for data streams of different network sessions, so that the problem that the encryption gateways cannot negotiate session keys for the data streams of different network sessions in complex network environments such as bidirectional NAT (network address translation) and the problem of key synchronization of one session (stream) and one secret are solved; the actually used data encryption key is generated when the data encryption key is densely packed, and has stronger key safety compared with the method of directly using a prestored key, and the pre-charging key is used for protecting the actual data encryption key and is a key protection key; in addition, based on the pre-filled master key, the data ciphertext and the key ciphertext of the encrypted data are transmitted together in a digital envelope mode, so that the method has strong adaptability and fault tolerance; therefore, the scheme can enhance the security of network session data stream transmission when the local area networks are interconnected and intercommunicated, and realize end-to-end key synchronization and encryption communication protection of the network session data streams between different local area networks by adopting the encryption gateway.
In an embodiment, when performing first-stream one-secret encryption processing on the outbound data packet, the method, based on the key bitmap, randomly selects an unused master key from the master key pool, and places a ciphertext obtained by encrypting the data encryption key using the master key and an ID of the master key into a security packet header of the encrypted data packet to obtain the outbound encrypted packet, further includes the following steps:
establishing a data flow table for the outbound data message according to the data flow determined by the quintuple, establishing association between the data flow table and the ID (identity) of the master key in the master key pool, and marking the key bitmap of the master key as occupied;
and for subsequent data messages after the first packet of the same data stream, the data encryption key is encrypted by adopting the main key corresponding to the ID through retrieving the ID of the main key associated with the data stream table.
In an embodiment, after the establishing a data flow table for the outbound data packet according to the data flow determined by the five-tuple, the method further includes the following steps:
establishing timeout time for each table entry in the data flow table;
when some table entry is not accessed within the timeout time, the table entry is deleted, and the key is updated based on the associated master key.
In one embodiment, the performing key update based on the master key associated therewith includes:
encrypting the ID identification of the master key by using the associated master key to obtain a key updating request;
sending the key updating request to the quantum key distribution network so that the quantum key distribution network generates a key updating message, wherein the key updating message comprises a key ciphertext obtained by encrypting a new master key and an ID (identity) of the new master key by using a master key originally associated with the table entry and an ID identity of the new master key;
receiving the key updating message, and decrypting the key ciphertext by using the master key originally associated with the table entry to obtain the ID (identity) of a new master key;
and when the ID identification of the new master key is correctly compared, replacing the master key originally associated with the table entry with the new master key, and marking the key bitmap of the new master key as unused.
Each entry in the data flow table of this embodiment represents a data flow, and a timeout period is established for the data flow, and when the data flow entry is not accessed within the timeout period, the data flow entry is deleted and an update flow of an associated master key is started: the master key ID number is encrypted by the master key, a key updating request is sent to the vector sub-key distribution system QKD, the request simultaneously comprises the master key ID numbers of the plaintext and the ciphertext, after the QKD decrypts, the error is not found in comparison with the master key ID numbers, a key updating message is generated and sent to all encryption gateway equipment nodes in the domain, and the key updating message comprises a new master key and a master key ID which are encrypted by the old master key and a master key ID of the plaintext. And after the encryption gateway equipment node receives the key updating message, the encryption gateway equipment node uses the old key to decrypt and compares the ID number of the main key without errors, and then uses the new key to replace the old key and marks the old key as unused.
Further, in order to reduce the traffic overhead, the QKD may accumulate a certain number of key update messages and then issue them in bulk.
In this embodiment, a master key is used for a network session data stream defined by a five-tuple, one data stream corresponds to one master key, an encryption state of the data stream is related to the master key used by the data stream, and the master key is not reused and needs to be updated online. The main key is not reused and is regularly updated online through the encryption channel, so that safe use and timely update of a large number of keys can be guaranteed.
In one embodiment, in the step S102: after the outbound data message is acquired from the network interface connected with the intranet, the method further comprises the following steps:
judging whether the data length MSS of the outbound data message exceeds the length of the maximum data part allowed to be transmitted or not;
if yes, modifying the data length MSS = MSS-4-n of the outbound data message, wherein n is the length of a key or an initialization vector;
if not, the outbound data message is encrypted by using the data encryption key to obtain an encrypted data message.
It should be noted that, the encryption gateway device node modifies the MSS data content in the outbound TCP connection establishment phase, and the new MSS = MSS-4-n, so as to avoid re-fragmentation of the packet after adding the security packet header.
In one embodiment, in the step S104: before sending the outbound encrypted message from the network interface connected to the external network, the method further comprises the steps of:
judging whether the outbound encrypted message exceeds an MTU (maximum transmission unit);
if yes, carrying out fragmentation processing on the outbound encrypted message;
if not, the outbound encrypted message is sent from a network interface connected with an external network.
It should be noted that, after adding the security header to the non-TCP packet, if the packet length exceeds the MTU, fragmentation processing is performed.
In an embodiment, before the step S101, the method further includes the steps of:
sending a registration request to a management and control platform so as to bind to corresponding security domains, wherein the security domains are divided by the management and control platform;
sending a key charging request to the management and control platform so that the management and control platform forwards the key charging request to the quantum key distribution network, wherein the quantum key distribution network stores security domain division information and encryption gateway information in each security domain;
and charging the master key into the secure storage medium offline through a key agent or a quantum network node, wherein the ID identifications of the master keys charged into the secure storage medium connected with each encryption gateway in the same secure domain are the same.
In an embodiment, when the encryption gateway serves as a receiving end, the method further includes:
receiving the outbound encrypted message from a network interface connected with an external network;
judging whether the outbound encrypted message is a fragmented message;
if yes, carrying out laminating treatment;
if not, selecting a master key corresponding to the ID identification of the master key from a master key pool to decrypt the ciphertext to obtain the data encryption key;
and decrypting the encrypted data message by using the data encryption key.
The data encryption key is randomly generated in real time by the encryption gateway according to a one-packet-one-secret mode and is safely transmitted to other encryption gateways together with data, the encryption gateways do not have an end-to-end corresponding relation, a security domain is used as a boundary, a main key ID is used as an index of a key protection key, and the encryption gateways in the domain share a large-capacity main key and update on line, so that free and safe flow of network session data streams among the encryption gateways is realized.
Example 2
As shown in fig. 2, a second embodiment of the present invention provides a gateway for implementing encryption and decryption of a network session data stream by quantum key distribution, where the gateway includes a data encryption and decryption processing module 11 and a key injection module 12, the key injection module 12 is connected to a secure storage medium, and a master key pre-charged through a quantum key distribution network 4 is stored in the secure storage medium;
the key injection module 12 is configured to read a master key from a connected secure storage medium, establish a master key pool, and use a key bitmap to indicate whether the master key is used, where the master key is pre-filled into the secure storage medium for the quantum key distribution network 4;
the data encryption and decryption processing module 11 is configured to obtain an outbound data packet from a network interface connected to an intranet, and encrypt the outbound data packet by using a data encryption key to obtain an encrypted data packet, where the data encryption key is a random number generated in real time;
randomly selecting the unused master key from the master key pool based on the key bitmap, and putting a ciphertext obtained by encrypting the data encryption key by using the master key and the ID of the master key into a safe message header of the encrypted data message to obtain an outbound encrypted message;
and sending the outbound encrypted message from a network interface connected with an external network.
In this embodiment, encryption gateways are deployed at different local area network entrances and exits, and a large-capacity master key generated by a quantum key distribution system is used in the encryption gateways, and a disposable master key is used for data streams of different network sessions, so that the problem that the encryption gateways cannot negotiate session keys for the data streams of different network sessions in complex network environments such as bidirectional NAT (network address translation) and the problem of key synchronization of one session (stream) and one secret are solved; the actually used data encryption key is generated when the data encryption key is packed densely, and has stronger key security compared with the method of directly using a pre-stored key, while the pre-filled key is used for protecting the actual data encryption key and is a key protection key, a network session data stream uses an exclusive main key to protect the data encryption key, the main key is invalid after being used up, and the method has the safety in the front and back directions; in addition, based on the pre-filled main key, the data ciphertext and the key ciphertext of the encrypted data are transmitted together in a digital envelope mode, so that one packet and one cipher are realized, and the method has strong adaptability and fault tolerance; therefore, the scheme can enhance the security of network session data stream transmission when the local area networks are interconnected and intercommunicated, and realize end-to-end key synchronization and encryption communication protection of the network session data streams between different local area networks by adopting the encryption gateway.
In an embodiment, the gateway further comprises a flow table management module 13, wherein:
the flow table management module 13 is configured to establish a data flow table for the outbound data packet according to the data flow determined by the quintuple, establish a correlation between the data flow table and an ID identifier of the master key in the master key pool, and mark a key bitmap of the master key as occupied;
the data encryption and decryption processing module 11 is further configured to, for a subsequent data packet after the first packet of the same data stream, encrypt the data encryption key by using the master key corresponding to the ID identifier by retrieving the master key ID associated with the data stream table.
In an embodiment, the gateway further comprises a key update module 14, wherein:
the key updating module 14 is configured to establish a timeout period for each entry in the data flow table, delete an entry when there is an entry that is not accessed within the timeout period, and update a key based on a master key associated with the entry.
Further, the key update module 14 is specifically configured to perform the following steps:
encrypting the ID identification of the master key by adopting the associated master key to obtain a key updating request;
sending the key updating request to the quantum key distribution network 4 so that the quantum key distribution network 4 generates a key updating message, wherein the key updating message comprises a key ciphertext obtained by encrypting a new master key and an ID identifier thereof by using a master key originally associated with the table entry and the ID identifier of the new master key;
receiving the key updating message, and decrypting the key ciphertext by using the master key originally associated with the table entry to obtain the ID (identity) of a new master key;
and when the ID identification of the new master key is correctly compared, replacing the master key originally associated with the table entry with the new master key, and marking the key bitmap of the new master key as unused.
In this embodiment, a master key is used for a network session data stream defined by a five-tuple, one data stream corresponds to one master key, an encryption state of the data stream is related to the master key used by the data stream, and the master key is not reused and needs to be updated online. The main key is not reused and is regularly updated online through the encryption channel, so that safe use and timely update of a large number of keys can be guaranteed.
In one embodiment, the gateway further comprises:
a data length judging module, configured to judge whether a data length MSS of the outbound data packet exceeds a length of a maximum data portion allowed to be transmitted;
a data length modification module, configured to modify the data length MSS = MSS-4-n of the outbound data packet when the data length determination module outputs a yes result, where n is a length of a key or an initialization vector;
and the data encryption and decryption processing module 11 is configured to encrypt the outbound data packet by using the data encryption key when the output result of the data length determination module is negative, so as to obtain an encrypted data packet.
It should be noted that, the encryption gateway device node modifies the MSS data content in the outbound TCP connection establishment phase, and the new MSS = MSS-4-n, so as to avoid re-fragmentation of the packet after adding the security packet header.
In one embodiment, the gateway further comprises:
the message length judging module is used for judging whether the outbound encrypted message exceeds the MTU or not;
the fragment processing module is used for carrying out fragment processing on the outbound encrypted message when the message length judgment module outputs a positive result;
the data encryption and decryption processing module 11 is further configured to send the outbound encrypted message from a network interface connected to an external network if the result output by the message length determining module is negative.
It should be noted that, after adding the security message header to the non-TCP message, if the message length exceeds the MTU, fragmentation processing is performed.
In one embodiment, the gateway further comprises:
the registration module is configured to send a registration request to a management and control platform 3 to bind to corresponding security domains, where the security domains are partitioned by the management and control platform 3;
a key charging request module, configured to send a key charging request to the management and control platform 3, so that the management and control platform 3 forwards the key charging request to the quantum key distribution network 4, where the quantum key distribution network 4 charges the master key to the secure storage medium offline through a key agent or a quantum network node, and the ID identifications of the master keys charged in the secure storage media connected to each encryption gateway in the same secure domain are the same; the quantum key distribution network 4 stores security domain division information and encryption gateway information in each security domain.
It should be noted that, other embodiments or implementation methods for implementing the network session data stream encryption/decryption gateway by using quantum key distribution according to the present invention may refer to the above method embodiments, and no redundancy is provided here.
Example 3
As shown in fig. 3, a third embodiment of the present invention further provides a system for implementing encryption and decryption of a network session data stream by quantum key distribution, where the system includes a first encryption gateway 1, a second encryption network 2, a management and control platform 3, and a quantum key distribution network 4, the first encryption gateway 1, the second encryption network 2, and the quantum key distribution network 4 are all connected to the management and control platform 3, and the first encryption gateway 1 and the second encryption network 2 are all connected to the quantum key distribution network 4, where the first encryption gateway 1 and the second encryption network 2 each include a data encryption and decryption processing module 11 and a key injection module 12, the key injection module 12 is connected to a secure storage medium, and the secure storage medium stores therein a master key that is pre-charged by the quantum key distribution network 4;
the management and control platform 3 is used for performing security domain division, registration of the first encryption gateway 1 and the second encryption network 2 and identity binding service;
the quantum key distribution network 4 is used for pre-charging a master key into the secure storage medium;
the key injection module 12 is configured to read a master key from a connected secure storage medium, establish a master key pool, and use a key bitmap to indicate whether the master key is used, where the master key is pre-filled into the secure storage medium for the quantum key distribution network 4;
the data encryption and decryption processing module 11 is configured to obtain an outbound data packet from a network interface connected to an intranet, and encrypt the outbound data packet by using a data encryption key to obtain an encrypted data packet, where the data encryption key is a random number generated in real time;
randomly selecting the unused master key from the master key pool based on the key bitmap, and putting a ciphertext obtained by encrypting the data encryption key by using the master key and the ID of the master key into a safe message header of the encrypted data message to obtain an outbound encrypted message;
and sending the outbound encrypted message from a network interface connected with an external network.
In this embodiment, encryption gateways are deployed at different local area network entrances and exits, and a large-capacity master key generated by a quantum key distribution system is used in the encryption gateways, and a disposable master key is used for data streams of different network sessions, so that the problem that the encryption gateways cannot negotiate session keys for the data streams of different network sessions in complex network environments such as bidirectional NAT (network address translation) and the problem of key synchronization of one session (stream) and one secret are solved; the actually used data encryption key is generated when the data encryption key is packed densely, and has stronger key security compared with the method of directly using a pre-stored key, while the pre-filled key is used for protecting the actual data encryption key and is a key protection key, a network session data stream uses an exclusive main key to protect the data encryption key, the main key is invalid after being used up, and the method has the safety in the front and back directions; in addition, based on the pre-filled master key, the data cipher text and the key cipher text of the encrypted data are transmitted together in a digital envelope mode, so that one pack and one cipher are realized, and the method has strong adaptability and fault tolerance; therefore, the scheme can enhance the security of network session data stream transmission when the local area networks are interconnected and intercommunicated, and realize end-to-end key synchronization and encryption communication protection of the network session data streams between different local area networks by adopting the encryption gateway.
Specifically, in this embodiment, the encryption gateway: the system is used for encrypting and decrypting user session data which is streamed through a network and comprises modules such as data encryption and decryption processing, a data flow table, key updating, key injection and the like;
the management and control platform 3: the system comprises a security domain module, a key agent module, a quantum network node module and a gateway module, wherein the security domain module is used for providing a corresponding relation among an encryption gateway, a key agent and the quantum network node, dividing a security domain and providing registration and identity binding services of the encryption gateway;
and (3) key agent: a proxy function for providing key-charging and online key distribution in case the nodes of the quantum key distribution network 4 cannot directly provide key-charging and online key distribution services;
quantum key distribution network 4: the system comprises quantum network nodes and a quantum network link control center, and services such as quantum key generation and online distribution, quantum key relay, quantum key provision and the like are realized;
quantum network node: the system is used for storing the generated quantum key, receiving a key application of a key agent, and providing the key to the key agent or directly providing key charging and key online distribution service;
quantum network link control center: quantum key distribution and relay links among the nodes can be established according to the quantum network node IDs.
It should be noted that the quantum key distribution device in this embodiment includes, but is not limited to, a QKD key distribution network, and the key pre-charging and online key distribution functions related to the present invention may be implemented by using any symmetric key management system and device.
In an embodiment, the gateway further comprises a flow table management module 13, wherein:
the flow table management module 13 is configured to establish a data flow table for the outbound data packet according to the data flow determined by the quintuple, establish association between the data flow table and an ID identifier of the master key in the master key pool, and mark a key bitmap of the master key as being occupied;
the data encryption and decryption processing module 11 is further configured to, for a subsequent data packet after the first packet of the same data stream, retrieve a master key ID identifier associated with the data stream table, and encrypt the data encryption key by using a master key corresponding to the ID identifier.
In an embodiment, the gateway further comprises a key update module 14, wherein:
the key updating module 14 is configured to establish a timeout period for each entry in the data flow table, delete an entry when there is an entry that is not accessed within the timeout period, and update a key based on a master key associated with the entry.
Further, the key update module 14 is specifically configured to perform the following steps:
encrypting the ID identification of the master key by adopting the associated master key to obtain a key updating request;
sending the key updating request to the quantum key distribution network 4 so that the quantum key distribution network 4 generates a key updating message, wherein the key updating message comprises a key ciphertext obtained by encrypting a new master key and an ID identifier thereof by using a master key originally associated with the table entry and the ID identifier of the new master key;
receiving the key updating message, and decrypting the key ciphertext by using the master key originally associated with the table entry to obtain the ID (identity) of a new master key;
and when the ID identification of the new master key is correctly compared, replacing the master key originally associated with the table entry with the new master key, and marking the key bitmap of the new master key as unused.
In this embodiment, a network session data stream defined by a five-tuple is used as a master key, one data stream corresponds to one master key, the encryption state of the data stream is related to the master key used by the data stream, and the master key is not reused and needs to be updated online. The main key is not reused and is regularly updated online through the encryption channel, so that safe use and timely update of a large number of keys can be guaranteed.
In one embodiment, the gateway further comprises:
a data length judging module, configured to judge whether a data length MSS of the outbound data packet exceeds a length of a maximum data portion allowed to be transmitted;
a data length modification module, configured to modify the data length MSS = MSS-4-n of the outbound data packet when the data length determination module outputs a yes result, where n is a length of a key or an initialization vector;
and the data encryption and decryption processing module 11 is configured to encrypt the outbound data packet with the data encryption key when the output result of the data length determination module is negative, so as to obtain an encrypted data packet.
It should be noted that, the encryption gateway device node modifies the MSS data content in the outbound TCP connection establishment phase, and the new MSS = MSS-4-n, so as to avoid re-fragmentation of the packet after adding the security packet header.
In one embodiment, the gateway further comprises:
the message length judging module is used for judging whether the outbound encrypted message exceeds the MTU or not;
the fragment processing module is used for carrying out fragment processing on the outbound encrypted message when the message length judgment module outputs a positive result;
the data encryption and decryption processing module 11 is further configured to send the outbound encrypted message from a network interface connected to an external network if the result output by the message length determining module is negative.
It should be noted that, after adding the security header to the non-TCP packet, if the packet length exceeds the MTU, fragmentation processing is performed.
In one embodiment, the gateway further comprises:
the registration module is configured to send a registration request to the management and control platform 3 to bind to corresponding security domains, where the security domains are partitioned by the management and control platform 3;
a key charging request module, configured to send a key charging request to the management and control platform 3, so that the management and control platform 3 forwards the key charging request to the quantum key distribution network 4, where the quantum key distribution network 4 charges the master key to the secure storage medium offline through a key agent or a quantum network node, and ID identifications of master keys charged in the secure storage media connected to each encryption gateway in the same secure domain are the same; the quantum key distribution network 4 stores security domain division information and encryption gateway information in each security domain.
It should be noted that, as shown in fig. 4, the working flow of implementing the network session data stream encryption and decryption system by quantum key distribution proposed in this embodiment is as follows:
(1) The method comprises the steps that a security domain is defined by a control platform, a large number of main keys are pre-filled into each encryption gateway device node in the security domain in an off-line manner through a quantum key distribution network QKD by using a high-capacity security storage medium such as a security TF card or a security U shield, a main key pool is established, a key bitmap is used for indicating whether the key is used, and all devices in the same security domain share the same main key identified by the same key ID;
the key format is 4 bytes key ID + n bytes key and n bytes initialization vector, n being related to the encryption algorithm.
(2) The encryption gateway equipment node modifies MSS data content in the outbound TCP connection establishment stage, and the new MSS = MSS-4-n, so as to avoid message re-fragmentation caused by adding a security message header.
(3) The encryption gateway equipment node adopts a data encryption key to carry out first-stream one-secret encryption processing on outbound network session data messages, namely, the same master key is adopted for data streams uniquely determined by quintuple (source and destination IP addresses, protocol numbers, source and destination transmission layer port numbers), the encryption key of the data is a random number generated in real time, and the encryption mode is CBC (integral multiple of algorithm grouping) + CFB (remainder part except integral multiple of algorithm grouping); and each data message is added with a safety message header, a data encryption key is encrypted by a pre-filled master key and then is put into the message header, the master key randomly selects unused keys from a master key pool, the selected key bitmap is marked as used, and the safety message header format is as follows: 4 bytes key ID + n bytes key ciphertext (n is related to the encryption algorithm).
(4) The encryption gateway equipment node establishes a flow table for the newly outbound data message according to the data flow uniquely determined by the quintuple (source and destination IP addresses, protocol numbers, source and destination transmission layer port numbers) of the newly outbound data message, establishes association with the master key ID, and processes subsequent data messages after the first packet of the same data flow by using the same master key through retrieving the associated master key ID of the data flow table.
(5) And after the non-TCP message and the safety message header are added, if the non-TCP message exceeds the MTU, the fragmentation processing is carried out.
(6) The encryption gateway equipment node decrypts the inbound data message (the fragment message is firstly combined), takes out the key and the initialization vector from the master key pool according to the key ID of the safety message header, and decrypts the message data after decrypting the data encryption key.
Further, the workflow further includes representing a data flow for each entry in the data flow table, establishing a timeout time for the data flow, and when the data flow entry is not accessed within the timeout time, deleting the data flow entry and starting an update process of an associated master key: the main key is used for encrypting the ID number of the main key, a key updating request is sent to the QKD, the request simultaneously comprises the ID numbers of the main keys of the plaintext and the ciphertext, the QKD decrypts and then does not have errors compared with the ID number of the main key, a key updating message is generated and sent to all the encryption gateway equipment nodes in the domain, and the key updating message comprises a new main key and a main key ID which are encrypted by the old main key and the main key ID of the plaintext. And after the encryption gateway equipment node receives the key updating message, the encryption gateway equipment node uses the old key to decrypt and compares the ID number of the main key without errors, and then uses the new key to replace the old key and marks the old key as unused.
The embodiment solves the transmission protection problem of the network session data stream by using the encryption gateway fusing quantum key distribution, realizes the traditional data stream encryption scheme of the handshake-free network communication session which cannot be solved based on the asymmetric cipher and the IKE protocol, and avoids the safety risk in the handshake process. Different from the technology of key agreement based on public key cryptography, a network session secure communication method for realizing one-stream one-secret based on a large-capacity symmetric pre-shared key provided by a quantum key distribution technology is constructed; the problems of safety intercommunication and key updating under the condition that the encryption gateway does not directly exchange key information are solved, and the related interactive information of encryption and decryption of the network data stream based on conversation can be obviously reduced.
In the scheme, the data encryption key is randomly generated in real time by the encryption gateway in a one-packet-one-secret mode and is safely transmitted to other encryption gateways together with the data, the encryption gateways do not have an end-to-end corresponding relation, a security domain is taken as a boundary, a main key ID is taken as an index of a key protection key, and the encryption gateways in the domain share the large-capacity main key and update on line, so that free and safe flow of network session data streams among the encryption gateways is realized. The method mainly aims at the application scene that end-to-end key negotiation is not carried out between encryption gateways and online key distribution is not carried out by a centralized key management system.
It should be noted that the logic and/or steps shown in the flowcharts or otherwise described herein, such as an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Furthermore, the terms "first", "second" and "first" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims (12)

1. A method for realizing encryption and decryption of network session data stream by quantum key distribution is characterized in that the method is applied to an encryption gateway, the encryption gateway is connected with a secure storage medium, and the method comprises the following steps:
reading a master key from a connected secure storage medium, establishing a master key pool, and indicating whether the master key is used or not by using a key bitmap, wherein the master key is pre-filled into the secure storage medium for a quantum key distribution network;
acquiring an outbound data message from a network interface connected with an intranet, and encrypting the outbound data message by using a data encryption key to obtain an encrypted data message, wherein the data encryption key is a random number generated in real time;
randomly selecting the unused master key from the master key pool based on the key bitmap, and putting a ciphertext obtained by encrypting the data encryption key by using the master key and the ID (identity) of the master key into a safety message header of the encrypted data message to obtain an outbound encrypted message;
and sending the outbound encrypted message from a network interface connected with an external network.
2. The method for implementing encryption and decryption of network session data streams by quantum key distribution according to claim 1, wherein when a stream-one-secret encryption process is performed on the outbound data packet, the method randomly selects an unused master key from the master key pool based on the key bitmap, and places a ciphertext obtained by encrypting the data encryption key using the master key and an ID of the master key into a security packet header of the data packet after the encryption process, so as to obtain the outbound encrypted packet, further comprising:
establishing a data flow table for the outbound data message according to the data flow determined by the quintuple, establishing association between the data flow table and the ID (identity) of the master key in the master key pool, and marking the key bitmap of the master key as occupied;
and for subsequent data messages after the first packet of the same data stream, the data encryption key is encrypted by adopting the main key corresponding to the ID through retrieving the ID of the main key associated with the data stream table.
3. The method for implementing encryption and decryption of network session data streams by quantum key distribution according to claim 2, wherein after the establishing of the data stream table for the outbound data packet according to the data stream determined by the quintuple, the method further comprises:
establishing timeout time for each table entry in the data flow table;
when some table entry is not accessed within the timeout time, the table entry is deleted, and the key is updated based on the associated master key.
4. The method for encryption and decryption of network session data stream by quantum key distribution according to claim 3, wherein the updating of the key based on the associated master key comprises:
encrypting the ID identification of the master key by using the associated master key to obtain a key updating request;
sending the key updating request to the quantum key distribution network so that the quantum key distribution network generates a key updating message, wherein the key updating message comprises a key ciphertext obtained by encrypting a new master key and an ID (identity) of the new master key by using a master key originally associated with the table entry and an ID identity of the new master key;
receiving the key updating message, and decrypting the key ciphertext by using the master key originally associated with the table entry to obtain the ID (identity) of a new master key;
and when the ID identification of the new master key is correctly compared, replacing the master key originally associated with the table entry with the new master key, and marking the key bitmap of the new master key as unused.
5. The method for implementing encryption and decryption of network session data streams by quantum key distribution according to claim 1, wherein after acquiring outbound data packets from the network interface connected to the intranet, the method further comprises:
judging whether the data length MSS of the outbound data message exceeds the length of the maximum data part allowed to be transmitted or not;
if yes, modifying the data length MSS = MSS-4-n of the outbound data message, wherein n is the length of a key or an initialization vector;
if not, the outbound data message is encrypted by using the data encryption key to obtain the encrypted data message.
6. The method for encryption and decryption of network session data streams using quantum key distribution according to claim 1, wherein before the sending of the outbound encrypted packets from the extranet-connected network interface, the method further comprises:
judging whether the outbound encrypted message exceeds an MTU (maximum transmission unit);
if yes, carrying out fragmentation processing on the outbound encrypted message;
and if not, sending the outbound encrypted message from a network interface connected with the external network.
7. The method for encryption and decryption of a network session data stream using quantum key distribution as claimed in claim 1, wherein prior to said reading the master key from the secure storage medium, the method further comprises:
sending a registration request to a management and control platform to bind to corresponding security domains, wherein the security domains are divided by the management and control platform;
sending a key charging request to the management and control platform so that the management and control platform forwards the key charging request to the quantum key distribution network, wherein the quantum key distribution network stores security domain division information and encryption gateway information in each security domain;
and charging the master key into the secure storage medium offline through a key agent or a quantum network node, wherein the ID identifications of the master keys charged into the secure storage medium connected with each encryption gateway in the same secure domain are the same.
8. The method for implementing encryption and decryption of network session data streams by quantum key distribution according to claim 1, wherein when the encryption gateway is used as a receiving end, after receiving the outbound encryption packet from a network interface connected to an external network, the method further comprises:
judging whether the outbound encrypted message is a fragmented message;
if yes, carrying out laminating treatment;
if not, selecting a master key corresponding to the ID identification of the master key from a master key pool to decrypt the ciphertext to obtain the data encryption key;
and decrypting the encrypted data message by using the data encryption key.
9. A gateway for realizing encryption and decryption of network session data streams by adopting quantum key distribution is characterized by comprising a data encryption and decryption processing module and a key injection module, wherein the key injection module is connected with a secure storage medium, and a master key pre-filled by a quantum key distribution network is stored in the secure storage medium;
the key injection module is used for reading a master key from the connected secure storage medium, establishing a master key pool, and indicating whether the master key is used by using a key bitmap, wherein the master key is a quantum key distribution network and is pre-filled into the secure storage medium;
the data encryption and decryption processing module is used for acquiring an outbound data message from a network interface connected with an intranet, and encrypting the outbound data message by using a data encryption key to obtain an encrypted data message, wherein the data encryption key is a random number generated in real time;
and the system is used for randomly selecting the unused master key from the master key pool based on the key bitmap, and putting a cipher text obtained by encrypting the data encryption key by using the master key and the ID (identity) of the master key into a safety message header of the encrypted data message to obtain an outbound encrypted message;
and the system is used for sending the outbound encrypted message from a network interface connected with an external network.
10. The gateway for encrypting and decrypting network session data streams by quantum key distribution according to claim 9, wherein the gateway further comprises a stream table management module, wherein:
the flow table management module is used for establishing a data flow table for the outbound data message according to the data flow determined by the quintuple, establishing association between the data flow table and the ID (identity) of the master key in the master key pool, and marking the key bitmap of the master key as occupied;
and the data encryption and decryption processing module is also used for encrypting the data encryption key by using the main key corresponding to the ID identification through retrieving the main key ID identification associated with the data flow table for the subsequent data message after the first packet of the same data flow.
11. The gateway for implementing encryption and decryption of network session data streams using quantum key distribution according to claim 9, wherein the gateway further comprises a key update module, wherein:
and the key updating module is used for establishing timeout time for each table entry in the data flow table, deleting a table entry when the table entry is not accessed within the timeout time, and updating a key based on the associated master key.
12. A system for realizing encryption and decryption of network session data streams by adopting quantum key distribution is characterized by comprising a first encryption gateway, a second encryption gateway, a control platform and a quantum key distribution network, wherein the first encryption gateway, the second encryption gateway and the quantum key distribution network are all connected with the control platform, the first encryption gateway and the second encryption gateway are all connected with the quantum key distribution network, the first encryption gateway and the second encryption gateway respectively comprise a data encryption and decryption processing module and a key injection module, the key injection module is connected with a secure storage medium, and a master key which is pre-charged through the quantum key distribution network is stored in the secure storage medium;
the management and control platform is used for performing security domain division, registration of the first encryption gateway and the second encryption gateway and identity binding service;
the quantum key distribution network is used for pre-charging a master key into the secure storage medium;
the key injection module is used for reading a master key from the connected secure storage medium, establishing a master key pool, and indicating whether the master key is used by using a key bitmap, wherein the master key is pre-filled into the secure storage medium for a quantum key distribution network;
the data encryption and decryption processing module is used for acquiring an outbound data message from a network interface connected with an intranet and encrypting the outbound data message by using a data encryption key to obtain the encrypted data message, wherein the data encryption key is a random number generated in real time;
and the system is used for randomly selecting the unused master key from the master key pool based on the key bitmap, and putting a cipher text obtained by encrypting the data encryption key by using the master key and the ID (identity) of the master key into a safety message header of the encrypted data message to obtain an outbound encrypted message;
and the system is used for sending the outbound encrypted message from a network interface connected with an external network.
CN202211198225.3A 2022-09-29 2022-09-29 Method and system for realizing encryption and decryption of network session data stream by quantum key distribution Pending CN115567205A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211198225.3A CN115567205A (en) 2022-09-29 2022-09-29 Method and system for realizing encryption and decryption of network session data stream by quantum key distribution

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211198225.3A CN115567205A (en) 2022-09-29 2022-09-29 Method and system for realizing encryption and decryption of network session data stream by quantum key distribution

Publications (1)

Publication Number Publication Date
CN115567205A true CN115567205A (en) 2023-01-03

Family

ID=84742437

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211198225.3A Pending CN115567205A (en) 2022-09-29 2022-09-29 Method and system for realizing encryption and decryption of network session data stream by quantum key distribution

Country Status (1)

Country Link
CN (1) CN115567205A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116668007A (en) * 2023-08-01 2023-08-29 中电信量子科技有限公司 Encryption communication method, terminal and system based on white-box SM4 algorithm
CN116743380A (en) * 2023-08-14 2023-09-12 中电信量子科技有限公司 OTN encryption communication method and system based on quantum key distribution

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116668007A (en) * 2023-08-01 2023-08-29 中电信量子科技有限公司 Encryption communication method, terminal and system based on white-box SM4 algorithm
CN116668007B (en) * 2023-08-01 2023-10-31 中电信量子科技有限公司 Encryption communication method, terminal and system based on white-box SM4 algorithm
CN116743380A (en) * 2023-08-14 2023-09-12 中电信量子科技有限公司 OTN encryption communication method and system based on quantum key distribution
CN116743380B (en) * 2023-08-14 2023-10-31 中电信量子科技有限公司 OTN encryption communication method and system based on quantum key distribution

Similar Documents

Publication Publication Date Title
JP4159328B2 (en) Network, IPsec setting server device, IPsec processing device, and IPsec setting method used therefor
JP4515411B2 (en) Reusing security associations to improve handover performance
US20100138649A1 (en) Transmission of packet data over a network with security protocol
EP1374533B1 (en) Facilitating legal interception of ip connections
CN115567205A (en) Method and system for realizing encryption and decryption of network session data stream by quantum key distribution
CN115567206A (en) Method and system for realizing encryption and decryption of network data message by quantum distribution key
JP2004524768A (en) System and method for distributing protection processing functions for network applications
WO2009082889A1 (en) A method for internet key exchange negotiation and device, system thereof
CN105516062B (en) Method for realizing L2 TP over IPsec access
CN113726795B (en) Message forwarding method and device, electronic equipment and readable storage medium
CN110808834B (en) Quantum key distribution method and quantum key distribution system
CN113904809B (en) Communication method, device, electronic equipment and storage medium
US11637699B2 (en) Rollover of encryption keys in a packet-compatible network
CN115567210A (en) Method and system for realizing zero trust access by quantum key distribution
CN112332986B (en) Private encryption communication method and system based on authority control
CN115766002A (en) Method for realizing encryption and decryption of Ethernet data by adopting quantum key distribution and software definition
CN114285571A (en) Method, gateway device and system for using quantum key in IPSec protocol
KR20090102050A (en) Security method of mobile internet protocol based server
CN114143050B (en) Video data encryption system
CN115459912A (en) Communication encryption method and system based on quantum key centralized management
CN115567209A (en) Method for realizing VoIP encryption and decryption by adopting transparent proxy and quantum key pre-charging
JP2011176395A (en) IPsec COMMUNICATION METHOD AND IPsec COMMUNICATION SYSTEM
CN108040071A (en) A kind of VoIP audio-video encryptions key dynamic switching method
JP2006019975A (en) Cipher packet communication system, receiving device and transmitting device with which same is equipped , and communication method, receiving method, transmitting method, receiving program and transmitting program for cipher packet which are applied thereto
CN114095423A (en) MPLS-based power communication backbone network data security protection method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination