CN115632779B - Quantum encryption communication method and system based on power distribution network - Google Patents


Info

Publication number: CN115632779B
Authority: CN (China)
Prior art keywords: group, key, service, power distribution, session
Legal status: Active
Application number: CN202211652893.9A
Other languages: Chinese (zh)
Other versions: CN115632779A (en)
Inventors: 张磐, 徐科, 陈尊耀, 魏然, 王学富, 吴磊, 梁海深, 郑悦, 陈沼宇, 张海丰
Current assignee: State Grid Corp of China SGCC; State Grid Tianjin Electric Power Co Ltd; Electric Power Research Institute of State Grid Tianjin Electric Power Co Ltd; Quantumctek Co Ltd
Original assignee: State Grid Corp of China SGCC; State Grid Tianjin Electric Power Co Ltd; Electric Power Research Institute of State Grid Tianjin Electric Power Co Ltd; Quantumctek Co Ltd
Application filed by: State Grid Corp of China SGCC, State Grid Tianjin Electric Power Co Ltd, Electric Power Research Institute of State Grid Tianjin Electric Power Co Ltd, Quantumctek Co Ltd
Priority: CN202211652893.9A
Publications: CN115632779A (application); CN115632779B (granted)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security


Abstract

The invention discloses a quantum encryption communication method and system based on a power distribution network, wherein the method comprises the following steps: the power distribution master station creates at least one session group and configuration group member information, and sends the group member information of each session group to the password service platform; the cryptographic service platform generates a group key identifier of each session group and sends the group key identifier to the exchange cryptographic machine; the exchange cipher machine generates a group key according to the received group key identifier; after the group key is generated, the cryptographic service platform feeds back the group key identification of each session group to the power distribution master station, so that the power distribution master station issues the group key identification to each power distribution terminal; when the power distribution terminal initiates a service, the power distribution terminal applies for a corresponding group key from the password service platform according to the group key identification, and the group key is used as a session key to perform quantum encryption transmission of service data with a service receiver. The invention can solve the problem that the communication efficiency between the power distribution terminals is reduced when the existing quantum security service platform is used in a multi-node conversation mode of intelligent distributed feeder automation.

Description

Quantum encryption communication method and system based on power distribution network
Technical Field
The invention relates to the technical field of distribution automation, in particular to a quantum encryption communication method and system based on a power distribution network.
Background
With the deepening development of smart grids and the global energy internet, power distribution networks are becoming increasingly open and interactive, information security problems keep spreading, and potential security hazards such as identity forgery, replay attacks and information leakage appear in network communication. Consequently, to ensure the safe and stable operation of the distribution network, the prior art builds a quantum security service platform on the distribution master station side and additionally installs quantum security terminals, so as to establish a quantum-encrypted secure tunnel between the distribution master station and the distribution terminals and strengthen the security of power service data transmission between them.
However, the current quantum security service platform mainly implements point-to-point distribution of quantum keys through one-time pad encryption, so it is only applicable to the point-to-point session mode of centralized feeder automation in a power distribution network. If it encounters the multi-node session mode of intelligent distributed feeder automation, a service request for one multi-node session is by default processed as multiple point-to-point service requests, which reduces communication efficiency between power distribution terminals in intelligent distributed feeder automation. For example, when distribution terminal A initiates a service request to distribution terminals B and C simultaneously, the existing quantum security service platform by default treats the session between A and B and the session between A and C as two separate sessions and generates two different session keys. Terminal A, while holding quantum-encrypted sessions with B and C at the same time, must therefore encrypt and decrypt with two different session keys, which affects the communication efficiency among terminals A, B and C.
Disclosure of Invention
The invention provides a quantum encryption communication method and system based on a power distribution network, which can solve the problem that the communication efficiency between power distribution terminals is reduced when the conventional quantum security service platform is used in a multi-node session mode of intelligent distributed feeder automation.
The embodiment of the invention provides a quantum encryption communication method based on a power distribution network, which is suitable for the power distribution network; the power distribution network comprises a power distribution main station, a plurality of power distribution terminals and a quantum security service platform; the quantum security service platform comprises a password service platform and an exchange password machine; the method comprises the following steps:
the power distribution master station creates at least one session group according to service transmission requirements, each session group being used for communication between at least two power distribution terminals, configures the group member information of each session group, and sends the group member information of each session group together with a group key identifier generation request to the cryptographic service platform; the group member information comprises the identity identifiers of all the power distribution terminals in the group;
the cryptographic service platform stores the received group member information of each session group, generates a group key identifier of each session group in response to the group key identifier generation request, and sends the group key identifier and the group key generation request of each session group to the cryptographic exchange;
the exchange cipher machine responds to the group key generation request, generates a group key of each session group according to the received group key identification of each session group, and feeds back group key generation information to the cipher service platform; wherein the group key identification is used to determine where the group key is stored in the exchange cipher machine;
after receiving the group key generation information fed back by the exchange cipher machine, the cipher service platform feeds back the group key identifier of each conversation group to the power distribution master station, so that the power distribution master station issues the corresponding group key identifier to all the power distribution terminals in the group according to the group member information of each conversation group;
when any power distribution terminal initiates a service, it acquires the identity identifiers of all the power distribution terminals acting as service receivers, and applies to the cryptographic service platform for the corresponding group key according to its own identity identifier as service initiator, the identity identifiers of all the service receivers and the received group key identifier, so as to use that group key as the session key for quantum encryption transmission of service data with all the service receivers.
As an improvement of the above scheme, when each of the power distribution terminals initiates a service, acquiring the identity of all power distribution terminals as service receivers, and applying for a corresponding group key to the cryptographic service platform according to the identity of the service initiator, the identities of all the service receivers, and the received group key identity, so as to perform quantum encryption transmission of service data with all the service receivers as a session key, including:
when each power distribution terminal initiates a service, acquiring the identity of all power distribution terminals serving as service receivers, and sending the identity, the identity of all the service receivers, the received group key identity and the key application request to the password service platform;
the cipher service platform responds to the cipher key application request, determines that the service initiator and all the service receivers belong to the same session group according to the received identity identifier serving as the service initiator, the identity identifiers of all the service receivers and the prestored group member information of each session group, and then sends the identity identifier of the service initiator, the group cipher key identifier corresponding to the service initiator and a group cipher key acquisition request to the exchange cipher machine;
the exchange cipher machine responds to the group key acquisition request, inquires a group key of a session group where the service initiator is located according to a received group key identification corresponding to the service initiator, acquires a charging key according to the received identity identification of the service initiator, encrypts the group key of the service initiator through the charging key, and feeds back the encrypted group key to the cipher service platform so that the cipher service platform sends the encrypted group key to the service initiator;
and after receiving the encrypted group key, the service initiator acquires the charging key through a corresponding secure medium, decrypts the encrypted group key through the charging key, and performs quantum encryption transmission of service data with all the service receivers by taking the decrypted group key as a session key.
As an improvement of the above solution, after the cryptographic service platform responds to the key application request, if the cryptographic service platform determines that the service initiator and any one of the service receivers do not belong to the same session group according to the received identity identifier as the service initiator, the identity identifiers of all the service receivers, and the pre-stored group member information of each session group, the method further includes:
the cipher service platform creates a temporary group and configures group member information of the temporary group according to the received identity of the service initiator and the identity of all the service receivers, generates a temporary key identifier of the temporary group, and sends the temporary key identifier and a temporary key generation request to the cipher switching machine;
the exchange cipher machine responds to the temporary secret key generation request, generates a temporary secret key of the temporary grouping according to the received temporary secret key identification, and feeds back temporary secret key generation information to the cipher service platform; wherein the temporary key identifier is used to determine the location where the temporary key is stored in the switch crypto engine;
after receiving the temporary key generation information fed back by the exchange cipher machine, the cipher service platform feeds back the temporary key identification to the service initiator and all the service receivers;
and the power distribution terminals in the temporary grouping apply for the temporary key to the password service platform according to the identity identification and the received temporary key identification, and the quantum encryption transmission of service data is carried out through the temporary key and other power distribution terminals in the temporary grouping.
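The following Python sketch is an added example, not code from the patent or its assignees. It models the three roles above (master station, cryptographic service platform, exchange cipher machine) plus the terminals, and walks through the group-key establishment of the main steps, the key application with the group key encrypted under the initiator's charging key, and the temporary-group fallback when initiator and receivers do not share a session group. Everything below the level of the patent's description is assumed: the charging key is modelled as a pool of bytes pre-loaded in each terminal's secure medium and mirrored in the exchange cipher machine, the group key is wrapped by XOR with a never-reused slice of that pool (a one-time-pad wrap, chosen to match the quantum-key setting), non-members are refused with a PermissionError, and all identifiers and class names are invented for the example.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ExchangeCipherMachine:
    """Holds group keys by identifier and wraps them for one terminal. The per-terminal
    charging-key pool is assumed to be pre-loaded into that terminal's secure medium and
    mirrored here; wrapping XORs the group key with an unused slice of that pool."""

    def __init__(self, charging_pools: dict):
        self.keys = {}                                # group key id -> key bytes
        self.pools = charging_pools                   # terminal id -> charging-key bytes
        self.cursor = {t: 0 for t in charging_pools}  # next unused pool offset per terminal

    def generate_key(self, key_id: str, length: int = 32) -> bool:
        self.keys[key_id] = secrets.token_bytes(length)  # stands in for quantum key material
        return True                                       # "group key generation information"

    def fetch_wrapped(self, key_id: str, terminal: str) -> tuple:
        key, off = self.keys[key_id], self.cursor[terminal]
        pad = self.pools[terminal][off:off + len(key)]
        if len(pad) < len(key):
            raise RuntimeError(f"charging key of {terminal} exhausted")
        self.cursor[terminal] = off + len(key)   # each pool slice is used exactly once
        return off, xor_bytes(key, pad)


class CryptoServicePlatform:
    """Stores group membership and decides whether a key application is authorised."""

    def __init__(self, ecm: ExchangeCipherMachine):
        self.ecm, self.groups, self.temp_seq = ecm, {}, 0   # groups: key id -> member set

    def register_group(self, group_id: str, members) -> str:
        key_id = f"GK-{group_id}-{secrets.token_hex(4)}"
        self.groups[key_id] = frozenset(members)
        self.ecm.generate_key(key_id)
        return key_id

    def apply_key(self, applicant: str, receivers, key_id: str) -> dict:
        members = self.groups.get(key_id)
        if members is None or applicant not in members:
            raise PermissionError(f"{applicant} is not a member of {key_id}")  # assumed handling
        parties = {applicant, *receivers}
        if parties <= members:                     # initiator and every receiver share the group
            off, wrapped = self.ecm.fetch_wrapped(key_id, applicant)
            return {"status": "ok", "key_id": key_id, "offset": off, "wrapped": wrapped}
        self.temp_seq += 1                         # otherwise: temporary group for these parties
        temp_id = f"TK-{self.temp_seq}"
        self.groups[temp_id] = frozenset(parties)
        self.ecm.generate_key(temp_id)
        return {"status": "temporary", "key_id": temp_id, "notify": sorted(parties)}


class Terminal:
    def __init__(self, tid: str, charging_pool: bytes):
        self.tid, self.pool, self.key_ids = tid, charging_pool, {}   # key_ids: group -> key id

    def session_key(self, platform: CryptoServicePlatform, receivers, key_id: str) -> tuple:
        resp = platform.apply_key(self.tid, receivers, key_id)
        if resp["status"] == "temporary":          # re-apply with the temporary key id
            key_id = resp["key_id"]
            resp = platform.apply_key(self.tid, receivers, key_id)
        off, wrapped = resp["offset"], resp["wrapped"]
        return key_id, xor_bytes(wrapped, self.pool[off:off + len(wrapped)])


class MasterStation:
    def __init__(self, platform: CryptoServicePlatform, terminals: dict):
        self.platform, self.terminals = platform, terminals

    def create_group(self, group_id: str, members) -> str:
        key_id = self.platform.register_group(group_id, members)   # S1-S3
        for t in members:                                          # S4: issue the key id
            self.terminals[t].key_ids[group_id] = key_id
        return key_id


def run_demo() -> dict:
    # Constructed sample: four terminals, one configured session group (A, B, C).
    pools = {t: secrets.token_bytes(256) for t in ("DT-A", "DT-B", "DT-C", "DT-D")}
    ecm = ExchangeCipherMachine(pools)
    platform = CryptoServicePlatform(ecm)
    terminals = {t: Terminal(t, pools[t]) for t in pools}
    gk1 = MasterStation(platform, terminals).create_group("feeder-1", ["DT-A", "DT-B", "DT-C"])
    # Case 1: A initiates a service with B and C; all three are in feeder-1.
    kid_a, key_a = terminals["DT-A"].session_key(platform, ["DT-B", "DT-C"], gk1)
    kid_b, key_b = terminals["DT-B"].session_key(platform, [], terminals["DT-B"].key_ids["feeder-1"])
    # Case 2: A initiates a service with D, who is outside feeder-1 -> temporary group.
    kid_t, key_a2 = terminals["DT-A"].session_key(platform, ["DT-D"], gk1)
    _, key_d = terminals["DT-D"].session_key(platform, [], kid_t)
    return {"group_id": gk1, "same_group_key": key_a == key_b == ecm.keys[gk1],
            "temp_id": kid_t, "same_temp_key": key_a2 == key_d == ecm.keys[kid_t],
            "a_pool_used": ecm.cursor["DT-A"]}


if __name__ == "__main__":
    print(run_demo())
```

The two checks worth noticing are in `apply_key`: the platform refuses any applicant that is not a member of the group named by the key identifier, and it only releases the group key when every receiver is in that group; otherwise it falls through to the temporary-group path. The group key never leaves the exchange cipher machine in the clear, and each wrap consumes fresh charging-key bytes, so an exhausted pool fails closed rather than reusing pad material.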
As an improvement of the above scheme, after receiving the encrypted group key, the service initiator obtains the charging key through a corresponding secure medium, decrypts the encrypted group key through the charging key, and performs quantum encryption transmission of service data with all the service receivers by using the decrypted group key as a session key, including:
after receiving the encrypted group key, the service initiator acquires the charging key through a corresponding secure medium;
the service initiator decrypts the encrypted group key through the charging key, uses the decrypted group key as a session key, and encrypts and transmits service data and a group key identifier corresponding to the service initiator to all the service receivers according to the session key;
and each service receiver decrypts the encrypted group key identification of the service initiator after receiving the encrypted service data, and applies for a corresponding group key to the password service platform according to the decrypted group key identification and the identity identification of the service receiver so as to decrypt the encrypted service data.
As an improvement of the above scheme, a buffer space for storing a plurality of key blocks is arranged in the exchange cipher machine, and the key blocks in the buffer space are periodically obtained and updated in real time from the quantum key generation system by the exchange cipher machine; the group key identifier comprises the identifier of the key block where the group key is located, the serial number of the group key in that key block and the key length of the group key; then:
the cryptographic exchange machine responds to the group key generation request, generates a group key of each session group according to the received group key identification of each session group, and feeds back group key generation information to the cryptographic service platform, and the specific steps are as follows:
the exchange cipher machine responds to the group key generation request, acquires the group key corresponding to each session group from the buffer space according to the received group key identifier of each session group, and feeds back group key generation information to the cryptographic service platform.
As an improvement of the above scheme, the group member information further includes the number of group members; then:
when the power distribution master station configures group member information, if the number of the power distribution terminals in the conversation group is less than the total number of the power distribution terminals, configuring the number of the group members as the number of the power distribution terminals in the conversation group; if the number of the power distribution terminals in the conversation group is equal to the total number of the power distribution terminals, configuring the number of the group members as a preset identifier; the preset identification is used for indicating that the group key of the current session group is opened to all the power distribution terminals to be called.
As an improvement of the above, the method further comprises:
the power distribution master station updates the group member information of the conversation group according to the changed identity of the power distribution terminal when determining that the power distribution terminal of any conversation group changes through network topology analysis, and sends the updated group member information of the conversation group to the password service platform;
after receiving the updated group member information of the session group, the password service platform correspondingly stores the updated group member information of the session group, generates a new group key identifier for the session group, and sends the new group key identifier to the exchange password machine;
after receiving the new group key identifier, the exchange cipher machine generates a new group key according to the new group key identifier and feeds back first key update success information to the cryptographic service platform;
and after receiving the first key update success information, the cryptographic service platform feeds the new group key identifier back to the power distribution master station, so that the power distribution master station issues the new group key identifier to all the power distribution terminals in the corresponding session group.
As an improvement of the above, the method further comprises:
the cryptographic service platform periodically updates the group key identifier of each session group and sends the updated group key identifier and group key update request of each session group to the exchange cryptographic machine;
the exchange cipher machine responds to the group key updating request, correspondingly updates the group key of each session group according to the received updated group key identification of each session group, and feeds back second key updating success information to the cipher service platform;
and after receiving the successful second key updating information, the cryptographic service platform feeds back the updated group key identifier of each session group to the power distribution master station, so that the power distribution master station issues the corresponding updated group key identifier to all power distribution terminals in the group according to the group member information of each session group.
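The block below is an added example, not the patent's or its assignees' code, serving two passages at once: the improvement above in which the group key identifier is (key block identifier, serial number in the block, key length) resolved against a buffer of key blocks, and the two update procedures just described (membership change and periodic rotation), both of which amount to issuing a new identifier and a new key. The block layout (fixed-size blocks cut into equal key slots), the `block:serial:length` text form of the identifier, the refill policy, and the rule that a rotated identifier stops resolving are all assumptions of the example; `secrets.token_bytes` stands in for the quantum key generation system.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupKeyId:
    """Group key identifier as the patent describes it: the key block the key
    lives in, its serial number within that block, and its length in bytes."""
    block_id: int
    serial: int
    length: int

    def encode(self) -> str:
        return f"{self.block_id}:{self.serial}:{self.length}"

    @staticmethod
    def parse(text: str) -> "GroupKeyId":
        # The 'block:serial:length' wire form is an assumption of this example.
        parts = text.split(":")
        if len(parts) != 3 or not all(p.isdigit() for p in parts) or int(parts[2]) == 0:
            raise ValueError(f"malformed group key id: {text!r}")
        return GroupKeyId(*(int(p) for p in parts))


class KeyBlockBuffer:
    """Buffer space of key blocks inside the exchange cipher machine (assumed layout:
    every block is block_size bytes and is cut into fixed key_len slots)."""

    def __init__(self, block_size=1024, key_len=32, capacity=4, key_source=secrets.token_bytes):
        self.block_size, self.key_len, self.capacity = block_size, key_len, capacity
        self.key_source = key_source        # stands in for the quantum key generation system
        self.blocks, self.used, self.live, self.next_id = {}, {}, set(), 1
        self.refresh()

    def refresh(self) -> int:
        """Periodic refill: drop blocks that are fully consumed and hold no live key,
        then pull fresh blocks until the buffer is at capacity. Returns blocks added."""
        for bid in list(self.blocks):
            full = self.used[bid] * self.key_len >= self.block_size
            if full and not any(k.block_id == bid for k in self.live):
                del self.blocks[bid]
                del self.used[bid]
        added = 0
        while len(self.blocks) < self.capacity:
            self.blocks[self.next_id] = self.key_source(self.block_size)
            self.used[self.next_id] = 0
            self.next_id += 1
            added += 1
        return added

    def _free_block(self):
        return next((b for b in sorted(self.blocks)
                     if (self.used[b] + 1) * self.key_len <= self.block_size), None)

    def allocate(self) -> GroupKeyId:
        """'Generate' a group key: claim the next unused slot and return its identifier."""
        bid = self._free_block()
        if bid is None:
            self.refresh()
            bid = self._free_block()
        if bid is None:
            raise RuntimeError("key block buffer exhausted: every block still holds live keys")
        kid = GroupKeyId(bid, self.used[bid], self.key_len)
        self.used[bid] += 1
        self.live.add(kid)
        return kid

    def lookup(self, kid: GroupKeyId) -> bytes:
        """Resolve an identifier to key bytes; unknown or retired identifiers are refused."""
        if kid not in self.live:
            raise KeyError(f"group key id {kid.encode()} is not live")
        start = kid.serial * kid.length
        return self.blocks[kid.block_id][start:start + kid.length]

    def rotate(self, old: GroupKeyId) -> GroupKeyId:
        """Group key update: issue a fresh key under a new identifier, then retire the old
        one so a terminal still holding the previous identifier can no longer fetch it."""
        new = self.allocate()
        self.live.discard(old)
        return new


if __name__ == "__main__":
    buf = KeyBlockBuffer(block_size=64, key_len=32, capacity=2)
    first = buf.allocate()
    print(first.encode(), buf.lookup(first).hex())
    print("rotated to", buf.rotate(first).encode())
```

Two design points: `lookup` keys off the set of live identifiers rather than off the raw (block, serial) coordinates, so a retired identifier is refused even though its bytes may still sit in the buffer until the block is dropped; and `refresh` never discards a block that still backs a live key, so a rotation that cannot find room fails loudly instead of silently handing out an old slot.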
Correspondingly, another embodiment of the invention provides a quantum encryption communication system based on a power distribution network, which comprises a power distribution main station, a plurality of power distribution terminals and a quantum security service platform; the quantum security service platform comprises a cryptographic service platform and an exchange cipher machine; wherein:
the power distribution master station is used for creating at least one session group according to service transmission requirements, each session group being used for communication between at least two power distribution terminals, configuring the group member information of each session group, and sending the group member information and a group key identifier generation request of each session group to the cryptographic service platform; the group member information comprises the identity identifiers of all the power distribution terminals in the group;
the cryptographic service platform is configured to store the received group member information of each session group, generate a group key identifier of each session group in response to the group key identifier generation request, and send the group key identifier and the group key generation request of each session group to the cryptographic exchange;
the exchange cipher machine is used for responding to the group key generation request, generating a group key of each session group according to the received group key identification of each session group, and feeding back group key generation information to the cipher service platform; wherein the group key identification is used to determine where the group key is stored in the exchange cipher machine;
the cipher service platform is further configured to feed back the group key identifier of each session group to the power distribution master station after receiving the group key generation information fed back by the cryptographic exchange machine, so that the power distribution master station issues the corresponding group key identifier to all power distribution terminals in a group according to the group member information of each session group;
each power distribution terminal is used for acquiring the identity identifiers of all the power distribution terminals acting as service receivers when it initiates a service, and for applying to the cryptographic service platform for the corresponding group key according to its own identity identifier as service initiator, the identity identifiers of all the service receivers and the received group key identifier, so as to use that group key as the session key for quantum encryption transmission of service data with all the service receivers.
As an improvement of the above scheme, when each power distribution terminal initiates a service, acquiring the identity of all power distribution terminals as service receivers, and applying for a corresponding group key to the cryptographic service platform according to the identity of the service initiator, the identities of all the service receivers, and the received group key identity, so as to perform quantum encryption transmission of service data with all the service receivers as a session key, specifically including:
when each power distribution terminal initiates a service, acquiring the identity of all power distribution terminals serving as service receivers, and sending the identity, the identity of all the service receivers, the received group key identity and a key application request to the password service platform;
the cipher service platform responds to the key application request, determines that the service initiator and all the service receivers belong to the same session group according to the received identity identifier serving as the service initiator, the identity identifiers of all the service receivers and the prestored group member information of each session group, and then sends the identity identifier of the service initiator, the group key identifier corresponding to the service initiator and a group key acquisition request to the exchange cipher machine;
the exchange cipher machine responds to the group key acquisition request, inquires a group key of a session group where the service initiator is located according to a received group key identification corresponding to the service initiator, acquires a charging key according to the received identity identification of the service initiator, encrypts the group key of the service initiator through the charging key, and feeds back the encrypted group key to the cipher service platform so that the cipher service platform sends the encrypted group key to the service initiator;
and after receiving the encrypted group key, the service initiator acquires the charging key through a corresponding secure medium, decrypts the encrypted group key through the charging key, and performs quantum encryption transmission of service data with all the service receivers by taking the decrypted group key as a session key.
Compared with the prior art, the quantum encryption communication method and system based on the power distribution network disclosed by the embodiment of the invention have the following advantages. The power distribution master station creates at least one session group according to the service transmission requirements of all the power distribution terminals attached beneath it, each session group serving communication between at least two power distribution terminals, configures the group member information of each session group, and sends the group member information and the group key identifier generation request of each session group to the cryptographic service platform. The cryptographic service platform generates a group key identifier for each session group and sends it to the exchange cipher machine, so that the exchange cipher machine generates a group key for each session group according to that group key identifier. After the group key is generated, the cryptographic service platform feeds back the group key identifier of each session group to the power distribution master station, so that the power distribution master station issues the group key identifier of each session group to the power distribution terminals of that session group.
Therefore, the power distribution terminals of the same session group can apply for the group key of the session group to the cryptographic service platform through the received group key identification to be used as the session key to carry out quantum encryption transmission of service data with other power distribution terminals in the group, so that a point-to-multipoint or multipoint-to-multipoint multi-node session mode is realized, the quantum security service platform can also be suitable for the multi-node session mode under intelligent distributed feeder automation, and the communication efficiency between the power distribution terminals under the intelligent distributed feeder automation is ensured.
Drawings
Fig. 1 is a schematic flow chart of a quantum encryption communication method based on a power distribution network according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of an application flow of a group key according to an embodiment of the present invention.
Fig. 3 is a schematic flowchart of a process of performing encrypted transmission of service data between power distribution terminals according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a quantum cryptography communication system based on a power distribution network according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a schematic flowchart of a quantum cryptography communication method based on a power distribution network according to an embodiment of the present invention.
Referring to fig. 1 and fig. 2, the quantum encryption communication method based on the power distribution network provided by the embodiment of the invention is suitable for the power distribution network; the power distribution network comprises a power distribution main station, a plurality of power distribution terminals and a quantum security service platform; the quantum security service platform comprises a password service platform and an exchange password machine; the method comprises the following steps:
s1, the power distribution master station creates at least one session group according to service transmission requirements, each session group being used for communication between at least two power distribution terminals, configures the group member information of each session group, and sends the group member information and a group key identifier generation request of each session group to the cryptographic service platform; the group member information comprises the identities of all the power distribution terminals in the group;
s2, the cryptographic service platform stores the received group member information of each session group, generates a group key identifier of each session group in response to the group key identifier generation request, and sends the group key identifier and the group key generation request of each session group to a cryptographic exchange;
s3, the exchange cipher machine responds to the group key generation request, generates a group key of each session group according to the received group key identification of each session group, and feeds back group key generation information to the cipher service platform; wherein the group key identification is used to determine where the group key is stored in the exchange cryptographic engine;
s4, after receiving the group key generation information fed back by the exchange cipher machine, the cipher service platform feeds back the group key identification of each conversation group to the power distribution main station, so that the power distribution main station sends the corresponding group key identification to all the power distribution terminals in the group according to the group member information of each conversation group;
S5, when each power distribution terminal initiates a service, it acquires the identities of all the power distribution terminals serving as service receivers, and applies to the cryptographic service platform for the corresponding group key according to the identity of the service initiator, the identities of all the service receivers and the received group key identifier; the group key is then used as a session key for quantum encryption transmission of service data with all the service receivers.
It should be noted that the quantum security service platform mainly includes a quantum key generation system, a quantum key scheduling system, and a quantum key application system. The quantum key generation system mainly has the function of generating a quantum key by using a quantum principle to provide quantum key support for a front-end system. The quantum key scheduling system comprises a quantum key manager, an exchange cipher machine, a cipher service platform and a quantum key charging system, and has the main functions of: the quantum key manager is used for managing and storing the quantum key formed by the quantum key generation system; the exchange cipher machine is used for integrally controlling the storage and the output of the quantum key; the password service platform is used for realizing external scheduling and negotiation of the quantum key and ensuring that the quantum key can be safely and orderly distributed to a quantum key application system, namely a power distribution main station and a power distribution terminal; the quantum key charging system is used for charging quantum keys through a security medium such as a U shield/TF card and the like so as to be used by a quantum key application terminal at a power distribution terminal.
It is worth noting that the specific application process of the existing quantum security service platform is as follows: the quantum key charging system sends a charging key application to the exchange cipher machine through the cipher service platform, and the cipher service platform performs key charging control; the quantum random number generator generates a charging key, the charging key is returned to the quantum key charging system, and the quantum key charging system charges the key to the power distribution terminal; the exchange cipher machine carries out network access authentication on the power distribution terminal and the power distribution main station by calculating authentication MAC information; the cryptographic service platform applies for a session key from the exchange cryptographic machine and sends the session key to the mobile terminals, and the mobile terminals perform quantum encryption communication through the session key. However, the key distribution of the existing quantum security service platform adopts a distribution mechanism of "one-time pad" and "destroy after use", so that after any two mobile terminals obtain the session key from the cryptographic service platform, the cryptographic service platform destroys the original session key, and if one of the mobile terminals wants to perform service data transmission with other mobile terminals, it needs to apply to the cryptographic service platform for a new session key again; therefore, when service data transmission is required between more than two mobile terminals, the existing quantum security service platform treats one service request of the mobile terminals as a plurality of service requests in the form of pairwise grouping.
For example, when the power distribution terminal a needs to send the same service data to the power distribution terminal B and the power distribution terminal C, the power distribution terminal a applies for a session key required for service encryption to the cryptographic service platform according to the identity of the power distribution terminal a and the identities of the power distribution terminal B and the power distribution terminal C, the power distribution terminal a encrypts the service data through the session key fed back by the cryptographic service platform and transmits the encrypted service data to the power distribution terminals B and C, if the power distribution terminal B applies for a corresponding session key to the cryptographic service platform first to decrypt the received service data, the cryptographic service platform deletes the stored session key after feeding back the session key to the power distribution terminal B, and the same session key cannot be obtained from the cryptographic service platform when the power distribution terminal C wants to apply for a corresponding session key to the cryptographic service platform to decrypt the service data. 
As a result, when the existing quantum security service platform processes a service request of a multi-node session, it treats the service request of one multi-node session by default as multiple point-to-point service requests, that is, two sets of session keys are generated, one for power distribution terminal A and power distribution terminal B and one for power distribution terminal A and power distribution terminal C, for example: the service data between power distribution terminal A and power distribution terminal B are encrypted and decrypted with the first session key, and the service data between power distribution terminal A and power distribution terminal C are encrypted and decrypted with the second session key. Therefore the communication efficiency between power distribution terminal A and power distribution terminals B and C is low, the more power distribution terminals take part in the multi-node session the lower the communication efficiency becomes, and at the same time multiple problems such as compatibility and key usage arise. Therefore, the current quantum security service platform is only suitable for the point-to-center session mode from a power distribution terminal to the power distribution master station in a centralized feeder automation scene, and cannot be effectively applied to the point-to-multipoint or multipoint-to-multipoint multi-node session mode in an intelligent distributed feeder automation scene.
Based on the deficiency of the prior art, in the embodiment of the present invention, a session group is created for each power distribution terminal having a service transmission requirement through the power distribution master station, and a group key identifier is generated for each session group by the cryptographic service platform, so that the exchange cryptographic machine generates a corresponding group key according to the group key identifier, and caches the group key in the exchange cryptographic machine, and then the cryptographic service platform and the power distribution master station issue the group key identifier of each session group to the power distribution terminal of the corresponding session group. The power distribution terminals of the same session group can share the same group key, and the group key of the session group where the power distribution terminals are located is applied to the cryptographic service platform through the received group key identification to be used as the session key to perform quantum encryption transmission of service data with other power distribution terminals in the group, so that a point-to-multipoint or multipoint-multipoint multi-node session mode is realized, the quantum security service platform can also be suitable for the multi-node session mode under intelligent distributed feeder automation, and the communication efficiency between the power distribution terminals under the intelligent distributed feeder automation is ensured.
After the key combination scheme is improved, a power distribution network can simultaneously construct a power distribution main station to each power distribution terminal and a service encryption transmission channel between each power distribution terminal and each power distribution terminal based on a quantum security service platform, so that the conventional quantum security service platform can be suitable for a centralized feeder automation scene and is compatible with service data encryption transmission under an intelligent distributed feeder automation scene, and can be expanded to various types of power distribution service scene application to form a systematic power distribution quantum security service application solution, one set of platform meets the expansion application of multiple scenes, the complexity and construction cost of the quantum security service platform application in the power distribution network are greatly reduced, and the quantum key-based power distribution automation industrial control security technology is further promoted to construct a complete horizontal-longitudinal novel encryption authentication system.
Specifically, in step S1, the power distribution master station divides the power distribution terminals in the same station area or the same region into a session group according to the service requirements of those power distribution terminals.
It should be noted that, in practical application, the service server of the power distribution master station is mainly used to create session groups and configure group member information. Referring to Table 1, in the actual application process the power distribution master station creates session groups and configures their grouping information in the form of Table 1, so that corresponding entries are available for query and operation when a session group is added, edited, modified or deleted, and at the same time the definition and operation of each session group at different times and by different people are recorded, with a related log available for query.
TABLE 1 grouping information for Session groups
(Table 1 appears as an image in the original document and is not reproduced here.)
Further, the cryptographic service platform stores the received group member information of each session group, generates a group key identifier of each session group in response to the group key identifier generation request, and sends the group key identifier and the group key generation request of each session group to the switching cryptographic machine, which specifically includes:
the cipher service platform stores the received group member information of each session group, responds to the group key identification generation request, verifies the identity identification of a requester of the group key identification generation request through the authentication management service, generates the group key identification of each session group through the session management service after the authentication is passed, and sends the group key identification and the group key generation request of each session group to the exchange cipher machine.
Specifically, when each power distribution terminal initiates a service, acquiring the identity of all power distribution terminals as service receivers, and applying for a corresponding group key to the cryptographic service platform according to the identity of the service initiator, the identities of all the service receivers, and the received group key identity, so as to perform quantum encryption transmission of service data with all the service receivers as a session key, including:
when each power distribution terminal initiates a service, acquiring the identity of all power distribution terminals serving as service receivers, and sending the identity, the identity of all the service receivers, the received group key identity and a key application request to the password service platform;
the cipher service platform responds to the key application request, determines that the service initiator and all the service receivers belong to the same session group according to the received identity identifier serving as the service initiator, the identity identifiers of all the service receivers and the prestored group member information of each session group, and then sends the identity identifier of the service initiator, the group key identifier corresponding to the service initiator and a group key acquisition request to the exchange cipher machine;
the exchange cipher machine responds to the group key acquisition request, inquires a group key of a session group where the service initiator is located according to a received group key identification corresponding to the service initiator, acquires a charging key according to the received identity identification of the service initiator, encrypts the group key of the service initiator through the charging key, and feeds back the encrypted group key to the cipher service platform so that the cipher service platform sends the encrypted group key to the service initiator;
and after receiving the encrypted group key, the service initiator acquires the charging key through a corresponding secure medium, decrypts the encrypted group key through the charging key, and performs quantum encryption transmission of service data with all the service receivers by taking the decrypted group key as a session key.
Specifically, the identities of the power distribution terminals acting as service receivers are obtained by the service initiator from a pre-stored network topology information table; the network topology information table of each power distribution terminal carries the identities of the power distribution terminals associated with it. For the specific situation, refer to the transmission between power distribution terminals under intelligent distributed feeder automation.
It should be noted that, in response to the key application request, the cryptographic service platform determines that the service initiator and all the service receivers belong to the same session group according to the received identity identifier serving as the service initiator, the identity identifiers of all the service receivers, and the prestored group member information of each session group, and then sends the identity identifier of the service initiator, the group key identifier corresponding to the service initiator, and a group key acquisition request to the cryptographic switch, specifically:
responding to the key application request, determining that the service initiator and all the service receivers belong to the same session group according to the received identity identifier serving as the service initiator, the identity identifiers of all the service receivers and the prestored group member information of each session group, verifying the authority of the service initiator for accessing the group key corresponding to the group key identifier sent by the service initiator according to the identity identifier of the service initiator, and sending the identity identifier of the service initiator, the group key identifier corresponding to the service initiator and a group key acquisition request to the exchange cipher machine after the verification is successful.
In a specific embodiment, after the cryptographic service platform responds to the key application request, if the cryptographic service platform determines that the service initiator and any one of the service receivers do not belong to the same session group according to the received identity identifier serving as the service initiator, the identities of all the service receivers, and the pre-stored group member information of each session group, the method further includes:
the cipher service platform creates a temporary group and configures group member information of the temporary group according to the received identity of the service initiator and the identity of all the service receivers, generates a temporary key identifier of the temporary group, and sends the temporary key identifier and a temporary key generation request to the cipher switching machine;
the exchange cipher machine responds to the temporary secret key generation request, generates a temporary secret key of the temporary grouping according to the received temporary secret key identification, and feeds back temporary secret key generation information to the cipher service platform; wherein the temporary key identifier is used to determine the location where the temporary key is stored in the switch crypto engine;
after receiving the temporary key generation information fed back by the exchange cipher machine, the cipher service platform feeds back the temporary key identification to the service initiator and all the service receivers;
and the power distribution terminals in the temporary grouping apply for the temporary key to the password service platform according to the identity identification and the received temporary key identification, and the quantum encryption transmission of service data is carried out through the temporary key and other power distribution terminals in the temporary grouping.
Exemplarily, in an actual intelligent distributed feeder automation scene of a power distribution network, when a power distribution terminal detects a fault on the feeder where it is located, the power distribution terminal on the fault side initiates a service request containing the fault information; it obtains the identities of the power distribution terminals on both sides of the fault point according to a pre-stored network topology information table, and sends its own identity, the identities of the power distribution terminals on both sides of the fault point, the received group key identifier and a key application request to the cryptographic service platform. The cryptographic service platform responds to the key application request and judges, according to the received identity of the power distribution terminal on the fault side, the identities of the power distribution terminals on both sides of the fault point and the prestored group member information of each session group, whether the power distribution terminal on the fault side and the power distribution terminals on both sides of the fault point belong to the same session group; if they do, it sends the identity of the power distribution terminal on the fault side, the group key identifier received by that terminal and a group key acquisition request to the exchange cipher machine. The exchange cipher machine responds to the group key acquisition request, queries the group key of the session group where the power distribution terminal on the fault side is located according to the group key identifier received by that terminal, obtains the charging key according to the identity of the power distribution terminal on the fault side, encrypts the group key with the charging key, and feeds back the encrypted group key to the cryptographic service platform so that the cryptographic service platform sends the encrypted group key to the power distribution terminal on the fault side. After receiving the encrypted group key, the power distribution terminal on the fault side obtains the charging key from the corresponding secure medium, decrypts the encrypted group key with the charging key, and uses the decrypted group key as a session key to perform quantum encryption transmission of the fault information with the power distribution terminals on both sides of the fault point, so that the power distribution terminals on both sides of the fault point disconnect the switches on both sides of the fault point.
In addition, if the cryptographic service platform judges that the power distribution terminal on the fault side and the power distribution terminals on the two sides of the fault point do not belong to the same session group according to the received identity of the power distribution terminal on the fault side, the identities of the power distribution terminals on the two sides of the fault point and the prestored group member information of each session group, the cryptographic service platform creates a temporary group and configures the group member information of the temporary group according to the identity of the power distribution terminal on the fault side and the identities of the power distribution terminals on the two sides of the fault point, generates a temporary key identity of the temporary group, and sends the temporary key identity and a temporary key generation request to the switching cryptographic engine; the exchange cipher machine responds to the temporary secret key generation request, generates a temporary secret key of the temporary grouping according to the received temporary secret key identification, and feeds back temporary secret key generation information to the cipher service platform; after receiving the temporary key generation information fed back by the exchange cipher machine, the cipher service platform feeds back the temporary key identification to the power distribution terminal on the fault side and the power distribution terminals on the two sides of the fault point, so that the power distribution terminals on the fault side and the two sides of the fault point apply for the temporary key from the cipher service platform according to the temporary key identification to carry out quantum encryption transmission of fault information, and the power distribution terminals on the two sides of the fault point disconnect the switches on the two sides of the fault point.
It can be understood that, in an actual intelligent distributed feeder automation scenario, since the power grids of the station areas or regions are interconnected, some boundary devices may exist between two connected station areas or regions when grouping is done by station area or region. For example, with the station area as the grouping basis, power distribution terminals 1-10 of station area A form one session group and power distribution terminals 11-20 of station area B form another session group; since all the power distribution terminals are connected in sequence according to their numbering, power distribution terminals 10 and 11 are regarded as boundary devices. Taking a fault at power distribution terminal 10 as an example: the fault affects the adjacent power distribution terminals 9 and 11 on both sides, so power distribution terminal 10 looks up the identities of power distribution terminals 9 and 11 in its network topology information table and sends its own identity together with the identities of power distribution terminals 9 and 11 to the cryptographic service platform to apply for the group key. If the cryptographic service platform finds, according to the prestored group member information of each session group, that power distribution terminal 11 and power distribution terminal 10 do not belong to the same group, the cryptographic service platform must at this point create a temporary group, configure a temporary key identifier, and apply to the exchange cipher machine for a temporary key according to the temporary key identifier, so that quantum encryption transmission of the fault information can be carried out among power distribution terminals 9, 10 and 11.
Specifically, after receiving the encrypted group key, the service initiator obtains the charging key through the corresponding secure medium, decrypts the encrypted group key through the charging key, and performs quantum encryption transmission of service data with all the service receivers by using the decrypted group key as a session key, including:
after receiving the encrypted group key, the service initiator acquires the charging key through a corresponding secure medium;
the service initiator decrypts the encrypted group key through the charging key, uses the decrypted group key as a session key, and encrypts and transmits service data and a group key identifier corresponding to the service initiator to all the service receivers according to the session key;
and each service receiver decrypts the encrypted group key identification of the service initiator after receiving the encrypted service data, and applies for a corresponding group key to the password service platform according to the decrypted group key identification and the identity identification of the service receiver so as to decrypt the encrypted service data.
It should be noted that the session key may be used to establish an IPsec tunnel, through which the service initiator encrypts and transmits the service data and its corresponding group key identifier to all the service receivers; it may also be used with an encryption protocol such as SSL VPN, through which the service data and the group key identifier corresponding to the service initiator are encrypted and transmitted to all the service receivers. In addition, the session key may directly encrypt the service data to be transmitted and the group key identifier corresponding to the service initiator, and the encrypted service data and group key identifier are then transmitted to all the service receivers; the encryption manner in which the session key encrypts the service data to be transmitted and the group key identifier corresponding to the service initiator is not limited.
In a specific embodiment, the quantum security service platform further comprises a quantum key generation system; the quantum key generation system is used for generating a quantum key according to a quantum principle; the exchange cipher machine is provided with a cache space for storing a plurality of key blocks, and the exchange cipher machine periodically acquires the key blocks in the cache space from the quantum key generation system in real time and updates them; the group key identifier comprises the identifier of the key block where the group key is located, the serial number of the group key in the key block and the key length of the group key; then,
the cryptographic exchange responds to the group key generation request, generates a group key of each session group according to the received group key identification of each session group, and feeds back group key generation information to the cryptographic service platform, which specifically comprises the following steps:
and the exchange cipher machine responds to the group key generation request, acquires the group key corresponding to each conversation group from the cache space according to the received group key identification of each conversation group, and feeds back group key generation information to the cipher service platform.
Referring to table 2, in practical application, the group key identifier of each session group may be generated in the form of table 2.
Table 2 group key identification of conversation groups
(Table 2 appears as an image in the original document and is not reproduced here.)
It should be noted that, in practical applications, a quantum random number generator of a quantum secure service platform generates a protection key, and stores the protection key in a corresponding exchange cipher machine, and a quantum key charging system in a quantum key scheduling system charges a protection key for a secure medium such as a U shield/TF card and the like in an intranet direct connection manner, that is, the charging key in the present invention, and feeds back related charging information to the cryptographic service platform. In the filling process, an operator needs to perform identity authentication based on a PIN code and an administrator Ukey, and then a filling key is transmitted to a quantum key filling system from an exchange cipher machine in a digital envelope mode and then is encrypted and stored in a security medium such as a U shield/TF card and the like.
In some optional embodiments, the group member information further includes a group member number; then,
when the power distribution master station configures group member information, if the number of the power distribution terminals in the conversation group is less than the total number of the power distribution terminals, configuring the number of the group members as the number of the power distribution terminals in the conversation group; if the number of the power distribution terminals in the conversation group is equal to the total number of the power distribution terminals, configuring the number of the group members as a preset identifier; the preset identification is used for indicating that the group key of the current session group is opened to all the power distribution terminals to be called.
Specifically, the preset identifier is -1. If the group member number of a session group is positive, only the group members defined in the group member array have the right to call the group key of the session group; if the group member number of the session group is negative, the definition of the group member array is skipped and the right to call the group key is opened to all network-access devices.
Referring to Table 3, in practical applications the group member information of each session group may be configured in the form of Table 3: the group member number is a signed 32-bit integer describing the number of power distribution terminals included in the session group, and the group member array is populated with the identity identifiers of the power distribution terminals in the session group by calling the identity information configuration file of the power distribution terminals.
TABLE 3 Group member information of session groups
Further, the method further comprises:
when the power distribution master station determines through network topology analysis that a power distribution terminal of any session group has changed, it updates the group member information of that session group according to the changed identity identifier of the power distribution terminal and sends the updated group member information of the session group to the cryptographic service platform;
after receiving the updated group member information of the session group, the cryptographic service platform stores it correspondingly, generates a new group key identifier for the session group and sends the new group key identifier to the exchange cipher machine;
after receiving the new group key identifier, the exchange cipher machine generates a new group key according to the new group key identifier and feeds back first key update success information to the cryptographic service platform;
and after receiving the first key update success information, the cryptographic service platform feeds the new group key identifier back to the power distribution master station, so that the power distribution master station issues the new group key identifier to all power distribution terminals in the corresponding session group.
It should be noted that deletion of a group key and updating of group members must be initiated after the service server of the power distribution master station has uniformly acquired the corresponding management authority. After receiving the relevant request, the cryptographic service platform reconstructs the grouping, replaces the group key identifier and the group key, deletes the original group member information and the original group key identifier from the database, and feeds the result back to the service server of the power distribution master station, which synchronizes it to each power distribution terminal.
In some preferred embodiments, the method further comprises:
the cryptographic service platform periodically updates the group key identifier of each session group and sends the updated group key identifier of each session group together with a group key update request to the exchange cipher machine;
the exchange cipher machine responds to the group key update request, updates the group key of each session group correspondingly according to the received updated group key identifier of each session group, and feeds back second key update success information to the cryptographic service platform;
and after receiving the second key update success information, the cryptographic service platform feeds back the updated group key identifier of each session group to the power distribution master station, so that the power distribution master station issues the corresponding updated group key identifier to all power distribution terminals in the group according to the group member information of each session group.
It should be noted that, in practical application, the update frequency of the group key may be set according to service requirements, the highest frequency being once per minute; when a group key identifier is re-applied for and a new group key is generated, the latest group information of the session group can be reloaded to the cryptographic service platform, while the historical group key information and group information are still retained.
Referring to fig. 3, the following describes, in a specific embodiment, a quantum encryption communication method based on a power distribution network according to this embodiment:
1. Group service initiation:
The power distribution terminal initiates a service transmission request and starts the group key application flow: by calling the corresponding quantum interface, the power distribution terminal applies to the cryptographic service platform for the corresponding group key using the group key identifier, its own identity identifier and the identity identifier of the power distribution terminal serving as the service receiver.
2. Group key application:
After receiving the group key application of the power distribution terminal, the cryptographic service platform first verifies the identity of the service initiator, then compares the identity identifiers of the service initiator and the service receiver against the group member configuration to perform permission verification, and after the permission verification passes initiates a group key generation request to the exchange cipher machine according to the identity identifier of the service initiator and the group key identifier.
3. Group key issuance:
After receiving the group key generation request, the exchange cipher machine obtains the group key according to the group key identifier, queries the corresponding charging key according to the identity identifier of the service initiator, encrypts the group key with that charging key to obtain a group key ciphertext, and returns the group key ciphertext to the cryptographic service platform, which forwards it to the power distribution terminal serving as the service initiator.
4. Encryption and decryption of service data:
After the power distribution terminal serving as the service initiator obtains the group key ciphertext, it decrypts it with the corresponding charging key, establishes an IPsec tunnel using the decrypted group key, and encrypts and transmits the service data and the group key identifier to the power distribution terminal serving as the service receiver. After receiving the encrypted service data ciphertext, the power distribution terminal serving as the service receiver parses the encrypted group key identifier, applies to the cryptographic service platform for the corresponding group key according to that group key identifier, and decrypts the service data ciphertext to obtain the service data plaintext.
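The group member number rule (positive count restricts the group key to the listed members, -1 opens it to every terminal) and steps 1 to 4 above, as an added simulation that is not the patent's own code. Roles follow the patent; the terminal identifiers, the group key identifiers (treated here as opaque labels), the keys and the wrapping cipher are assumptions, since the patent only states that the group key is encrypted under the initiator's charging key.

```python
"""Group key application (steps 1-4) as a small simulation.

Added example, not the patent's code.  Roles follow the patent; identifiers,
keys and the wrapping cipher are assumptions (the patent only says the group
key is encrypted under the charging key)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Sequence

ALL_TERMINALS = -1  # preset identifier: group key callable by every terminal


@dataclass(frozen=True)
class SessionGroup:
    group_key_id: str
    member_count: int      # signed 32-bit in the patent; negative == open to all
    members: tuple = ()    # identity identifiers of the terminals in the group

    def permits(self, terminal_id: str) -> bool:
        """Positive count: only the listed members may call the key; negative: anyone."""
        return self.member_count < 0 or terminal_id in self.members


# Constructed group member configuration in the shape of Table 3.
GROUPS = (
    SessionGroup("GK-01", 2, ("DTU-A", "DTU-B")),
    SessionGroup("GK-02", ALL_TERMINALS),
)


def find_session_group(groups: Sequence[SessionGroup], group_key_id: str,
                       initiator: str, receivers: Sequence[str]) -> Optional[SessionGroup]:
    """Step 2 on the cryptographic service platform: initiator and every receiver
    must be permitted members of the group the identifier names."""
    for g in groups:
        if (g.group_key_id == group_key_id and g.permits(initiator)
                and all(g.permits(r) for r in receivers)):
            return g
    return None


def _keystream(charging_key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for the unspecified wrap cipher."""
    out = b"".join(hmac.new(charging_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((n + 31) // 32))
    return out[:n]


def wrap_group_key(charging_key: bytes, group_key: bytes) -> bytes:
    """Step 3: group key ciphertext = nonce || XOR-encrypted key || HMAC tag."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(group_key, _keystream(charging_key, nonce, len(group_key))))
    tag = hmac.new(charging_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unwrap_group_key(charging_key: bytes, blob: bytes) -> Optional[bytes]:
    """Step 4 on the terminal: check the tag first, then recover the group key."""
    if len(blob) < 48:
        return None
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(charging_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(charging_key, nonce, len(body))))


class ExchangeCipherMachine:
    """Holds the group keys (located by group key identifier) and the charging
    keys stored when each terminal's secure medium was charged."""

    def __init__(self, group_keys: dict, charging_keys: dict):
        self.group_keys = group_keys
        self.charging_keys = charging_keys

    def issue_group_key(self, group_key_id: str, initiator: str) -> bytes:
        return wrap_group_key(self.charging_keys[initiator], self.group_keys[group_key_id])


def apply_group_key(machine: ExchangeCipherMachine, groups: Sequence[SessionGroup],
                    initiator: str, receivers: Sequence[str], group_key_id: str) -> Optional[bytes]:
    """Steps 1-3 end to end: None when permission verification fails, otherwise
    the group key ciphertext returned to the initiator."""
    if find_session_group(groups, group_key_id, initiator, receivers) is None:
        return None
    return machine.issue_group_key(group_key_id, initiator)


def build_machine() -> ExchangeCipherMachine:
    """Constructed sample state: two group keys, three charged terminals."""
    return ExchangeCipherMachine(
        {"GK-01": secrets.token_bytes(32), "GK-02": secrets.token_bytes(32)},
        {t: secrets.token_bytes(32) for t in ("DTU-A", "DTU-B", "DTU-C")})
```

Only the terminal whose charging key wrapped the ciphertext can recover the group key; a receiver outside the configured member array is refused at the platform before the exchange cipher machine is ever asked.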
Fig. 4 is a schematic structural diagram of a quantum encryption communication system based on a power distribution network according to an embodiment of the present invention.
The quantum encryption communication system based on the power distribution network provided by the embodiment of the invention comprises a power distribution master station, a plurality of power distribution terminals and a quantum security service platform; the quantum security service platform comprises a cryptographic service platform and an exchange cipher machine; wherein:
the power distribution master station is used for creating at least one session group according to service transmission requirements, the session group being used for communication between at least two power distribution terminals, configuring the group member information of each session group, and sending the group member information of each session group and a group key identifier generation request to the cryptographic service platform; the group member information comprises the identity identifiers of all power distribution terminals in the group;
the cryptographic service platform is used for storing the received group member information of each session group, generating a group key identifier of each session group in response to the group key identifier generation request, and sending the group key identifier of each session group and a group key generation request to the exchange cipher machine;
the exchange cipher machine is used for responding to the group key generation request, generating a group key of each session group according to the received group key identifier of each session group, and feeding back group key generation information to the cryptographic service platform; wherein the group key identifier is used to determine where the group key is stored in the exchange cipher machine;
the cryptographic service platform is further used for feeding back the group key identifier of each session group to the power distribution master station after receiving the group key generation information fed back by the exchange cipher machine, so that the power distribution master station issues the corresponding group key identifier to all power distribution terminals in the group according to the group member information of each session group;
each power distribution terminal is used for acquiring, when initiating a service, the identity identifiers of all power distribution terminals serving as service receivers, and applying to the cryptographic service platform for the corresponding group key according to its own identity identifier as the service initiator, the identity identifiers of all service receivers and the received group key identifier, so as to perform quantum encryption transmission of service data with all service receivers using the group key as the session key.
Specifically, each power distribution terminal acquiring, when initiating a service, the identity identifiers of all power distribution terminals serving as service receivers, and applying to the cryptographic service platform for the corresponding group key according to the identity identifier of the service initiator, the identity identifiers of all service receivers and the received group key identifier, so as to perform quantum encryption transmission of service data with all service receivers using the group key as the session key, specifically includes:
when each power distribution terminal initiates a service, it acquires the identity identifiers of all power distribution terminals serving as service receivers, and sends its own identity identifier, the identity identifiers of all service receivers, the received group key identifier and a key application request to the cryptographic service platform;
the cryptographic service platform responds to the key application request, determines from the received identity identifier of the service initiator, the identity identifiers of all service receivers and the pre-stored group member information of each session group that the service initiator and all service receivers belong to the same session group, and then sends the identity identifier of the service initiator, the group key identifier corresponding to the service initiator and a group key acquisition request to the exchange cipher machine;
the exchange cipher machine responds to the group key acquisition request, looks up the group key of the session group in which the service initiator is located according to the received group key identifier corresponding to the service initiator, obtains the charging key according to the received identity identifier of the service initiator, encrypts the group key with the charging key, and feeds back the encrypted group key to the cryptographic service platform so that the cryptographic service platform sends the encrypted group key to the service initiator;
and after receiving the encrypted group key, the power distribution terminal serving as the service initiator obtains the charging key from its corresponding secure medium, decrypts the encrypted group key with the charging key, and performs quantum encryption transmission of service data with all service receivers using the decrypted group key as the session key.
As an improvement of the above solution, after the cryptographic service platform responds to the key application request, if the cryptographic service platform determines from the received identity identifier of the service initiator, the identity identifiers of all service receivers and the pre-stored group member information of each session group that the service initiator and any one of the service receivers do not belong to the same session group, then
the cryptographic service platform is further used for creating a temporary group, configuring the group member information of the temporary group according to the received identity identifier of the service initiator and the identity identifiers of all service receivers, generating a temporary key identifier of the temporary group, and sending the temporary key identifier and a temporary key generation request to the exchange cipher machine;
the exchange cipher machine is further used for responding to the temporary key generation request, generating a temporary key of the temporary group according to the received temporary key identifier, and feeding back temporary key generation information to the cryptographic service platform; wherein the temporary key identifier is used to determine where the temporary key is stored in the exchange cipher machine;
the cryptographic service platform is further used for feeding back the temporary key identifier to the service initiator and all service receivers after receiving the temporary key generation information fed back by the exchange cipher machine;
and each power distribution terminal in the temporary group is used for applying to the cryptographic service platform for the temporary key according to its own identity identifier and the received temporary key identifier, and performing quantum encryption transmission of service data with the other power distribution terminals of the temporary group using the temporary key.
As a specific implementation, the service initiator, after receiving the encrypted group key, obtaining the charging key from its corresponding secure medium, decrypting the encrypted group key with the charging key, and performing quantum encryption transmission of service data with all service receivers using the decrypted group key as the session key specifically includes:
after receiving the encrypted group key, the service initiator obtains the charging key from its corresponding secure medium;
the service initiator decrypts the encrypted group key with the charging key, takes the decrypted group key as the session key, and encrypts and transmits the service data and the group key identifier corresponding to the service initiator to all service receivers under the session key, so as to realize quantum encryption transmission of the service data between the service initiator and all service receivers; then,
each service receiver, after receiving the encrypted service data, decrypts the encrypted group key identifier of the service initiator, and applies to the cryptographic service platform for the corresponding group key according to the decrypted group key identifier and its own identity identifier, so as to decrypt the encrypted service data.
As a specific embodiment, the quantum security service platform further includes a quantum key generation system, which generates quantum keys according to quantum principles; a cache space for storing a plurality of key blocks is provided in the exchange cipher machine, and the exchange cipher machine periodically obtains and updates the key blocks in the cache space from the quantum key generation system in real time; the group key identifier comprises the identification of the key block in which the group key is located, the serial number of the group key within that key block and the key length of the group key; then,
the exchange cipher machine responding to the group key generation request, generating a group key of each session group according to the received group key identifier of each session group, and feeding back group key generation information to the cryptographic service platform specifically includes:
the exchange cipher machine responds to the group key generation request, obtains the group key corresponding to each session group from the cache space according to the received group key identifier of each session group, and feeds back group key generation information to the cryptographic service platform.
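The three-part group key identifier just described (key block identification, serial number within the block, key length) together with the periodic group key update described earlier, as an added example that is not the patent's code. The quantum key generation system is stood in for by an injectable byte source (os.urandom by default); the block size, the number of retained blocks and the rule that each identifier gets a never-reused slice of the newest block are assumptions.

```python
"""Group key identifier = (key block id, serial number, key length) and the
exchange cipher machine's key block cache.

Added example, not the patent's code.  The quantum key generation system is
stood in for by an injectable byte source; block size, eviction policy and the
allocation rule are assumptions."""
import os
from collections import OrderedDict
from typing import Callable, NamedTuple, Optional


class GroupKeyId(NamedTuple):
    block_id: int   # identification of the key block holding the group key
    serial: int     # serial number of the group key in the block (byte offset)
    length: int     # key length in bytes


class KeyBlockCache:
    """Cache space in the exchange cipher machine, periodically refilled from
    the quantum key generation system."""

    def __init__(self, block_size: int = 256, max_blocks: int = 4,
                 source: Callable[[int], bytes] = os.urandom):
        self.block_size = block_size
        self.max_blocks = max_blocks
        self.source = source
        self.blocks = OrderedDict()   # block_id -> key block bytes, oldest first
        self.cursor = {}              # block_id -> next unused offset
        self.next_block_id = 1
        self.refresh()

    def refresh(self) -> int:
        """Periodic update: pull one fresh key block; evict the oldest so that
        identifiers pointing into it stop resolving."""
        bid = self.next_block_id
        self.next_block_id += 1
        self.blocks[bid] = self.source(self.block_size)
        self.cursor[bid] = 0
        while len(self.blocks) > self.max_blocks:
            old, _ = self.blocks.popitem(last=False)
            del self.cursor[old]
        return bid

    def allocate(self, length: int) -> GroupKeyId:
        """Assign a group key identifier: a never-reused slice of the newest
        block, refilling when the remaining material is too short."""
        bid = next(reversed(self.blocks))
        if self.cursor[bid] + length > self.block_size:
            bid = self.refresh()
        gid = GroupKeyId(bid, self.cursor[bid], length)
        self.cursor[bid] += length
        return gid

    def lookup(self, gid: GroupKeyId) -> Optional[bytes]:
        """Group key generation / acquisition request: read the bytes the
        identifier points to, or None if the block is gone or the range is bad."""
        block = self.blocks.get(gid.block_id)
        if block is None or gid.serial < 0 or gid.serial + gid.length > len(block):
            return None
        return block[gid.serial:gid.serial + gid.length]


class GroupKeyRegistry:
    """Cryptographic service platform side: current identifier per session
    group plus the historical identifiers kept after each periodic update."""

    def __init__(self, cache: KeyBlockCache):
        self.cache = cache
        self.current = {}    # session group -> current GroupKeyId
        self.history = {}    # session group -> earlier GroupKeyIds, oldest first

    def update(self, session_group: str, length: int = 32) -> GroupKeyId:
        """Periodic group key update: allocate a fresh identifier (hence a fresh
        key) and retain the previous one as history."""
        gid = self.cache.allocate(length)
        if session_group in self.current:
            self.history.setdefault(session_group, []).append(self.current[session_group])
        self.current[session_group] = gid
        return gid
```

Because the allocator only moves the cursor forward, two session groups can never be handed overlapping key material from the same block, and an identifier that points into an evicted block simply fails to resolve rather than returning stale bytes.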
As a preferred embodiment, the group member information configured by the power distribution master station further includes a group member number; then,
when configuring the group member information, the power distribution master station configures the group member number as the number of power distribution terminals in the session group if that number is smaller than the total number of power distribution terminals, and as a preset identifier if that number equals the total number of power distribution terminals; the preset identifier indicates that the group key of the current session group is open to be called by all power distribution terminals.
As a preferred embodiment, the power distribution master station is further used for, when determining through network topology analysis that a power distribution terminal of any session group has changed, updating the group member information of that session group according to the changed identity identifier of the power distribution terminal and sending the updated group member information of the session group to the cryptographic service platform; then,
the cryptographic service platform is further used for, after receiving the updated group member information of the session group, storing it correspondingly, generating a new group key identifier for the session group and sending the new group key identifier to the exchange cipher machine;
the exchange cipher machine is further used for, after receiving the new group key identifier, generating a new group key according to the new group key identifier and feeding back first key update success information to the cryptographic service platform;
and the cryptographic service platform is further used for, after receiving the first key update success information, feeding back the new group key identifier to the power distribution master station, so that the power distribution master station issues the new group key identifier to all power distribution terminals in the corresponding session group.
As a preferred embodiment, the cryptographic service platform is further used for periodically updating the group key identifier of each session group and sending the updated group key identifier of each session group together with a group key update request to the exchange cipher machine; then,
the exchange cipher machine is further used for responding to the group key update request, updating the group key of each session group correspondingly according to the received updated group key identifier of each session group, and feeding back second key update success information to the cryptographic service platform;
and the cryptographic service platform is further used for, after receiving the second key update success information, feeding back the updated group key identifier of each session group to the power distribution master station, so that the power distribution master station issues the corresponding updated group key identifier to all power distribution terminals in the group according to the group member information of each session group.
It should be noted that, for the specific description and the beneficial effects related to each embodiment of the quantum encryption communication system based on the power distribution network in this embodiment, reference may be made to the specific description and the beneficial effects related to each embodiment of the quantum encryption communication method based on the power distribution network, and details are not described here again.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention.

Claims (8)

1. A quantum encryption communication method based on a power distribution network, suitable for a power distribution network comprising a power distribution master station, a plurality of power distribution terminals and a quantum security service platform, the quantum security service platform comprising a cryptographic service platform and an exchange cipher machine, characterized in that the method comprises:
the power distribution master station creates at least one session group according to service transmission requirements, the session group being used for communication between at least two power distribution terminals, configures the group member information of each session group, and sends the group member information of each session group and a group key identifier generation request to the cryptographic service platform; the group member information comprises the identity identifiers of all power distribution terminals in the group;
the cryptographic service platform stores the received group member information of each session group, generates a group key identifier of each session group in response to the group key identifier generation request, and sends the group key identifier of each session group and a group key generation request to the exchange cipher machine;
the exchange cipher machine responds to the group key generation request, generates a group key of each session group according to the received group key identifier of each session group, and feeds back group key generation information to the cryptographic service platform; wherein the group key identifier is used to determine where the group key is stored in the exchange cipher machine;
after receiving the group key generation information fed back by the exchange cipher machine, the cryptographic service platform feeds back the group key identifier of each session group to the power distribution master station, so that the power distribution master station issues the corresponding group key identifier to all power distribution terminals in the group according to the group member information of each session group;
when each power distribution terminal initiates a service, it acquires the identity identifiers of all power distribution terminals serving as service receivers, and applies to the cryptographic service platform for the corresponding group key according to the identity identifier of the service initiator, the identity identifiers of all service receivers and the received group key identifier, so as to perform quantum encryption transmission of service data with all service receivers using the group key as the session key;
wherein each power distribution terminal acquiring, when initiating a service, the identity identifiers of all power distribution terminals serving as service receivers, and applying to the cryptographic service platform for the corresponding group key according to the identity identifier of the service initiator, the identity identifiers of all service receivers and the received group key identifier, so as to perform quantum encryption transmission of service data with all service receivers using the group key as the session key, includes:
when each power distribution terminal initiates a service, it acquires the identity identifiers of all power distribution terminals serving as service receivers, and sends its own identity identifier, the identity identifiers of all service receivers, the received group key identifier and a key application request to the cryptographic service platform;
the cryptographic service platform responds to the key application request, determines from the received identity identifier of the service initiator, the identity identifiers of all service receivers and the pre-stored group member information of each session group that the service initiator and all service receivers belong to the same session group, and then sends the identity identifier of the service initiator, the group key identifier corresponding to the service initiator and a group key acquisition request to the exchange cipher machine;
the exchange cipher machine responds to the group key acquisition request, looks up the group key of the session group in which the service initiator is located according to the received group key identifier corresponding to the service initiator, obtains the charging key according to the received identity identifier of the service initiator, encrypts the group key with the charging key, and feeds back the encrypted group key to the cryptographic service platform so that the cryptographic service platform sends the encrypted group key to the service initiator;
and after receiving the encrypted group key, the service initiator obtains the charging key from its corresponding secure medium, decrypts the encrypted group key with the charging key, and performs quantum encryption transmission of service data with all service receivers using the decrypted group key as the session key.
2. The quantum encryption communication method based on the power distribution network according to claim 1, wherein after the cryptographic service platform responds to the key application request, if the cryptographic service platform determines from the received identity identifier of the service initiator, the identity identifiers of all service receivers and the pre-stored group member information of each session group that the service initiator and any one of the service receivers do not belong to the same session group, the method further comprises:
the cryptographic service platform creates a temporary group, configures the group member information of the temporary group according to the received identity identifier of the service initiator and the identity identifiers of all service receivers, generates a temporary key identifier of the temporary group, and sends the temporary key identifier and a temporary key generation request to the exchange cipher machine;
the exchange cipher machine responds to the temporary key generation request, generates a temporary key of the temporary group according to the received temporary key identifier, and feeds back temporary key generation information to the cryptographic service platform; wherein the temporary key identifier is used to determine where the temporary key is stored in the exchange cipher machine;
after receiving the temporary key generation information fed back by the exchange cipher machine, the cryptographic service platform feeds back the temporary key identifier to the service initiator and all service receivers;
and each power distribution terminal in the temporary group applies to the cryptographic service platform for the temporary key according to its own identity identifier and the received temporary key identifier, and performs quantum encryption transmission of service data with the other power distribution terminals in the temporary group using the temporary key.
3. The quantum encryption communication method based on the power distribution network according to claim 1, wherein the service initiator obtains the charging key through its corresponding secure medium after receiving the encrypted group key, decrypts the encrypted group key through the charging key, and performs quantum encryption transmission of service data with all the service receivers by using the decrypted group key as a session key, including:
after receiving the encrypted group key, the service initiator acquires the charging key through a corresponding secure medium;
the service initiator decrypts the encrypted group key through the charging key, uses the decrypted group key as a session key, and encrypts and transmits service data and a group key identifier corresponding to the service initiator to all the service receivers according to the session key;
and each service receiver decrypts the encrypted group key identification of the service initiator after receiving the encrypted service data, and applies for a corresponding group key to the password service platform according to the decrypted group key identification and the identity identification of the service receiver so as to decrypt the encrypted service data.
4. The quantum encryption communication method based on the power distribution network according to claim 1, wherein a cache space for storing a plurality of key blocks is provided in the exchange cipher machine, and the exchange cipher machine periodically obtains and updates the key blocks in the cache space from the quantum key generation system in real time; the group key identifier comprises the identification of the key block in which the group key is located, the serial number of the group key within that key block and the key length of the group key; then,
the exchange cipher machine responding to the group key generation request, generating a group key of each session group according to the received group key identifier of each session group, and feeding back group key generation information to the cryptographic service platform specifically comprises:
the exchange cipher machine responds to the group key generation request, obtains the group key corresponding to each session group from the cache space according to the received group key identifier of each session group, and feeds back group key generation information to the cryptographic service platform.
5. The quantum encryption communication method based on the power distribution network according to claim 1, wherein the group member information further includes a group member number; then,
when the power distribution master station configures the group member information, if the number of power distribution terminals in the session group is less than the total number of power distribution terminals, the group member number is configured as the number of power distribution terminals in the session group; if the number of power distribution terminals in the session group is equal to the total number of power distribution terminals, the group member number is configured as a preset identifier; the preset identifier indicates that the group key of the current session group is open to be called by all power distribution terminals.
6. The power distribution network-based quantum cryptography communication method of claim 1, further comprising:
when the power distribution master station determines through network topology analysis that a power distribution terminal of any session group has changed, it updates the group member information of that session group according to the changed identity identifier of the power distribution terminal and sends the updated group member information of the session group to the cryptographic service platform;
after receiving the updated group member information of the session group, the cryptographic service platform stores it correspondingly, generates a new group key identifier for the session group and sends the new group key identifier to the exchange cipher machine;
after receiving the new group key identifier, the exchange cipher machine generates a new group key according to the new group key identifier and feeds back first key update success information to the cryptographic service platform;
and after receiving the first key update success information, the cryptographic service platform feeds the new group key identifier back to the power distribution master station, so that the power distribution master station issues the new group key identifier to all power distribution terminals in the corresponding session group.
7. The quantum encryption communication method based on the power distribution network according to claim 1, further comprising:
the cryptographic service platform periodically updates the group key identifier of each session group and sends the updated group key identifier of each session group together with a group key update request to the exchange cipher machine;
the exchange cipher machine responds to the group key update request, updates the group key of each session group according to the received updated group key identifier of that session group, and feeds back second key update success information to the cryptographic service platform;
and after receiving the second key update success information, the cryptographic service platform feeds back the updated group key identifier of each session group to the power distribution master station, so that the power distribution master station issues the corresponding updated group key identifier to all power distribution terminals in the group according to the group member information of each session group.
8. A quantum encryption communication system based on a power distribution network, characterized by comprising a power distribution master station, a plurality of power distribution terminals and a quantum security service platform; the quantum security service platform comprises a cryptographic service platform and an exchange cipher machine; wherein:
the power distribution master station is configured to create at least one session group according to service transmission requirements, each session group being used for communication between at least two power distribution terminals, to configure group member information for each session group, and to send the group member information and a group key identifier generation request for each session group to the cryptographic service platform; the group member information comprises the identity identifiers of all power distribution terminals in the group;
the cryptographic service platform is configured to store the received group member information of each session group, generate a group key identifier for each session group in response to the group key identifier generation request, and send the group key identifier and a group key generation request for each session group to the exchange cipher machine;
the exchange cipher machine is configured to respond to the group key generation request by generating a group key for each session group according to the received group key identifier of that session group, and to feed back group key generation information to the cryptographic service platform; wherein the group key identifier is used to determine where the group key is stored in the exchange cipher machine;
the cryptographic service platform is further configured to feed back the group key identifier of each session group to the power distribution master station after receiving the group key generation information fed back by the exchange cipher machine, so that the power distribution master station issues the corresponding group key identifier to all power distribution terminals in the group according to the group member information of each session group;
each power distribution terminal is configured, when initiating a service, to acquire the identity identifiers of all power distribution terminals serving as service receivers, and to apply to the cryptographic service platform for the corresponding group key according to its own identity identifier as service initiator, the identity identifiers of all service receivers and the received group key identifier, so as to use that group key as a session key for quantum encryption transmission of service data with all service receivers;
wherein acquiring, when each power distribution terminal initiates a service, the identity identifiers of all power distribution terminals serving as service receivers, and applying to the cryptographic service platform for the corresponding group key according to the identity identifier of the service initiator, the identity identifiers of all service receivers and the received group key identifier, so as to use it as a session key for quantum encryption transmission of service data with all service receivers, specifically comprises:
when each power distribution terminal initiates a service, acquiring the identity identifiers of all power distribution terminals serving as service receivers, and sending its own identity identifier, the identity identifiers of all service receivers, the received group key identifier and a key application request to the cryptographic service platform;
the cryptographic service platform responds to the key application request, determines, from the received identity identifier of the service initiator, the identity identifiers of all service receivers and the pre-stored group member information of each session group, that the service initiator and all service receivers belong to the same session group, and then sends the identity identifier of the service initiator, the group key identifier corresponding to the service initiator and a group key acquisition request to the exchange cipher machine;
the exchange cipher machine responds to the group key acquisition request, queries the group key of the session group in which the service initiator is located according to the received group key identifier corresponding to the service initiator, acquires a charging key according to the received identity identifier of the service initiator, encrypts that group key with the charging key, and feeds back the encrypted group key to the cryptographic service platform, so that the cryptographic service platform sends the encrypted group key to the service initiator;
and after receiving the encrypted group key, the service initiator acquires the charging key through a corresponding secure medium, decrypts the encrypted group key with the charging key, and uses the decrypted group key as a session key for quantum encryption transmission of service data with all service receivers.
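The key application flow of claim 8, together with the claim-5 rule that a group whose member number equals the preset identifier is open to every terminal, as an added Python model that is not part of the patent. The class and function names, the terminal identities and the literal "ALL" are constructed for illustration, and wrapping the group key under the charging key is modelled as XOR with an equal-length key because the claims do not name a cipher.

```python
import os
ALL_TERMINALS = "ALL"  # claim-5 preset identifier; the literal value is an assumption

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # assumed wrapping cipher (claims name none)

class ExchangeCipherMachine:
    """Group keys indexed by group key identifier, plus each terminal's charging key."""
    def __init__(self):
        self.group_keys, self.charging_keys = {}, {}
    def generate_group_key(self, group_key_id):
        self.group_keys[group_key_id] = os.urandom(32)  # the identifier fixes the storage slot
    def get_wrapped_group_key(self, initiator, group_key_id):
        """Group key acquisition request: wrap the key under the initiator's charging key."""
        return xor_bytes(self.group_keys[group_key_id], self.charging_keys[initiator])

class CryptoServicePlatform:
    """Stores group member information and performs the same-session-group check."""
    def __init__(self, machine):
        self.machine, self.groups = machine, {}  # group_key_id -> (members, member number)
    def register_group(self, group_key_id, members, member_number):
        self.groups[group_key_id] = (frozenset(members), member_number)
    def same_session_group(self, group_key_id, initiator, receivers):
        if group_key_id not in self.groups:
            return False
        members, number = self.groups[group_key_id]
        if number == ALL_TERMINALS:  # claim 5: the group key is open to every terminal
            return True
        return initiator in members and set(receivers) <= members
    def apply_group_key(self, initiator, receivers, group_key_id):
        """Key application request (claim 8): refuse unless all parties share the group."""
        if not self.same_session_group(group_key_id, initiator, receivers):
            raise PermissionError("initiator and receivers are not in one session group")
        return self.machine.get_wrapped_group_key(initiator, group_key_id)

def terminal_session_key(wrapped_group_key, charging_key):
    """Terminal side: recover the group key with the charging key held in its secure medium."""
    return xor_bytes(wrapped_group_key, charging_key)

def build_demo():
    """Constructed sample deployment: three terminals, one closed group and one open group."""
    machine = ExchangeCipherMachine()
    for t in ("FTU-1", "FTU-2", "FTU-3"):
        machine.charging_keys[t] = os.urandom(32)
    for gid in ("GK-A", "GK-ALL"):
        machine.generate_group_key(gid)
    platform = CryptoServicePlatform(machine)
    platform.register_group("GK-A", ["FTU-1", "FTU-2"], 2)
    platform.register_group("GK-ALL", ["FTU-1", "FTU-2", "FTU-3"], ALL_TERMINALS)
    return platform, machine
```

The check in `same_session_group` is the point to watch: a request naming a receiver outside the group must be refused before the exchange cipher machine is ever asked for the key.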
Priority Applications (1)

Application Number Priority Date Filing Date Title Status
CN202211652893.9A (CN115632779B) 2022-12-22 2022-12-22 Quantum encryption communication method and system based on power distribution network Active

Publications (2)

Publication Number Publication Date
CN115632779A CN115632779A (en) 2023-01-20
CN115632779B true CN115632779B (en) 2023-03-28

Family

ID=84910792

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant