CN115766002A - Method for realizing encryption and decryption of Ethernet data by adopting quantum key distribution and software definition

Info

Publication number: CN115766002A
Authority: CN (China)
Prior art keywords: encryption, key, mac address, bridge, source mac
Legal status: Pending
Application number: CN202211426006.6A
Other languages: Chinese (zh)
Inventor: 罗俊
Current Assignee: China Telecom Quantum Technology Co ltd
Original Assignee: China Telecom Quantum Technology Co ltd

Abstract

The invention discloses a method for realizing Ethernet data encryption by quantum key distribution and software definition, which comprises the following steps: taking MAC address information in a local encryption strategy MAC table as a source MAC address and sending the source MAC address to a control platform; receiving a first key distribution message returned by the management and control platform, wherein the first key distribution message comprises a source MAC address and a corresponding session key; putting a session key corresponding to each source MAC address into a source MAC address table entry in a local encryption strategy MAC table, and refreshing the encryption strategy MAC table; and taking out the session key matched with the source MAC address of the Ethernet data frame from the encryption strategy MAC table, and encrypting the Ethernet data frame to obtain an encrypted message. The invention realizes the automatic generation and centralized distribution of the session key and the encryption strategy, and safely and efficiently solves the problems of the security strategy distribution and the key management among the Ethernet equipment with the encryption intercommunication requirement.

Description

Method for realizing encryption and decryption of Ethernet data by adopting quantum key distribution and software definition
Technical Field
The invention relates to the technical field of cryptographic applications, in particular to a method for realizing encryption and decryption of Ethernet data by quantum key distribution and software definition.
Background
IEEE 802.1AE Media Access Control (MAC) Security defines a MAC-layer security standard: by inserting a security tag into the Ethernet frame and applying symmetric encryption and an integrity check value (ICV) to the frame contents other than the MAC addresses, it protects the confidentiality and integrity of Ethernet frames and provides a degree of resistance to replay attacks. The MACsec Key Agreement protocol (MKA) in IEEE 802.1X Port-Based Network Access Control defines how entities in an Ethernet network negotiate keys, and is used to establish the 802.1AE MACsec encryption and integrity protection keys. Together, the two protocols form the IEEE security solution for the Ethernet MAC layer.
However, in practice the two protocols are not widely deployed, and the following problems exist:
(1) Because a long security tag is inserted and the ICV is appended, the Ethernet frame may exceed the maximum transmission unit (MTU) of the interface, causing the packet to be dropped.
(2) The key used to encrypt Ethernet frames is assigned to the entity implementing the MACsec protocol rather than to each source entity identified by a MAC address; multiple sources therefore share one frame protection key, and the key is associated only with the MACsec entity.
(3) MKA shares a symmetric key within a group to protect the negotiation process; the key is updated only after a period of use, so it is reused to some degree.
(4) Key distribution is carried out directly over the layer-2 link in Ethernet frames, and the key server is elected among the bridges, so the reliability of the key distribution process cannot be guaranteed.
In the related art, Chinese patent application publication No. CN111787025A describes an encryption and decryption method, apparatus, system and data protection gateway. The method receives an encrypted first service packet sent by an edge data protection gateway; obtains the source terminal MAC address and service characteristic information in the first service packet and matches them against a pre-configured decryption policy; and, when they match the decryption policy, decrypts the first service packet and forwards it to the destination server. That scheme is directed at an encryption gateway and processes data at the IP network layer: the MAC address of data sent from the gateway is the gateway's own MAC address rather than the original one, and the MAC information used for policy matching does not come from the Ethernet frame but is carried inside the service packet.
Chinese patent application publication No. CN102130768A describes a terminal device with link layer encryption and decryption capability and a data processing method thereof, the terminal device includes a link layer processing module, the link layer processing module includes a control module, a data frame encryption processing module, a data frame decryption processing module, a key management module, an algorithm module, a sending port and a receiving port; the control module is accessed to the sending port through the data frame encryption processing module; the receiving port is accessed to the control module through the data frame decryption processing module; the control module is connected with the key management module; the data frame encryption processing module is connected with the data frame decryption processing module through the key management module; the data frame encryption processing module is connected with the data frame decryption processing module through the algorithm module. The approach proposed by this scheme is based on pre-shared keys and pre-configured encryption policies, but no specific key distribution protocol is provided.
Disclosure of Invention
The technical problem to be solved by the invention is how to provide an efficient, secure, manageable and controllable mode of encrypted transmission for Ethernet data frames.
The invention solves the technical problems through the following technical means:
in a first aspect, the present invention provides a method for implementing ethernet data encryption by quantum key distribution and software definition, which is applied to a first encryption bridge, and the method includes:
taking MAC address information in a local encryption strategy MAC table as a source MAC address and sending the source MAC address to a control platform, wherein the encryption strategy MAC table comprises the MAC address information and a corresponding session key, and the session key is initially empty;
receiving a first key distribution message returned by the control platform, wherein the first key distribution message comprises a source MAC address and a corresponding session key;
putting a session key corresponding to each source MAC address into a source MAC address table entry in a local encryption strategy MAC table, and refreshing the encryption strategy MAC table;
and taking out the session key matched with the source MAC address of the Ethernet data frame from the encryption strategy MAC table, and encrypting the Ethernet data frame to obtain an encrypted message.
According to the invention, the source MAC address is automatically learned through the encryption bridge port, the learned source MAC address information is sent to the control platform, the control platform generates a different session key for each source MAC address and distributes it to the other encryption bridges with an association relationship, so that automatic generation and centralized distribution of session keys and encryption policies are realized, and the problems of security policy distribution and key management among Ethernet devices with encryption intercommunication requirements are solved safely and efficiently. The invention is mainly aimed at the application scenario of layer-2 Ethernet frame encryption with centrally distributed keys and encryption policies: data encryption and decryption are carried out based on the source MAC address, which is learned automatically to form the policy element, and session keys and encryption policies are synchronized among the associated encryption bridge nodes through a software-defined encryption policy and a centralized distribution mode.
Furthermore, a master key pool is arranged in the first encryption bridge, and master keys and master key IDs pre-filled by the quantum key distribution system are stored in the master key pool;
correspondingly, sending the MAC address information in the local encryption policy MAC table to the management and control platform as the source MAC address includes:
sending a MAC address message to the control platform at irregular intervals, wherein the MAC address message carries a master key ID, an encryption policy MAC table addition count, the added source MAC addresses, an encryption policy MAC table deletion count, the deleted source MAC addresses and a first integrity check value.
Further, the information carried by the first key distribution packet includes an encryption policy MAC table addition count, a master key ID, an added source MAC address, a corresponding session key ciphertext, and a second integrity check value;
correspondingly, the step of placing the session key corresponding to each source MAC address into the source MAC address table entry in the local encryption policy MAC table to refresh the encryption policy MAC table includes:
acquiring a corresponding master key from a master key pool by using the master key ID, performing integrity check on the second integrity check value, and decrypting the session key ciphertext to obtain a session key corresponding to each source MAC address;
and putting the session key corresponding to each source MAC address into a source MAC address table entry in a local encryption strategy MAC table, and refreshing the encryption strategy MAC table.
Further, the obtaining a session key matching the source MAC address of the ethernet data frame from the encryption policy MAC table, and encrypting the ethernet data frame to obtain an encrypted packet includes:
taking out a session key matched with the Ethernet data frame source MAC address from the encryption strategy MAC table;
and encrypting the frame data of the Ethernet data frames except for the frame head by using the session key, wherein the encryption mode adopts a CBC algorithm combined with a CFB algorithm.
Further, before the taking the MAC address information in the local encryption policy MAC table as the source MAC address and sending the source MAC address to the management and control platform, the method further includes:
the management and control platform is connected through a management channel, and a registration message is sent, wherein the format of the registration message is as follows: first encryption bridge ID || first encryption bridge management IP || random number R || KeyID || HMAC(Key, first encryption bridge ID || first encryption bridge management IP || random number R || KeyID), wherein HMAC(Key, data) denotes a keyed hash operation performed on data with Key, and Key is a randomly selected master key of the first encryption bridge identified by KeyID.
Further, before the step of sending the MAC address information in the local encryption policy MAC table to the management and control platform as the source MAC address, the method further includes:
and defining the Ethernet interface type of the first encryption bridge, wherein the interface which is not connected with other encryption bridges of the same type is defined as a secret port, the interface which is connected with other encryption bridges of the same type is defined as a clear port, and the secret port is used for adding the source MAC address learned by the port into a local encryption strategy MAC table.
Further, before the taking the MAC address information in the local encryption policy MAC table as the source MAC address and sending the source MAC address to the management and control platform, the method further includes:
sending a key filling request to the quantum key distribution network or a key agent;
and receiving the master keys filled by the quantum key distribution network through a first secure storage medium, establishing a master key pool, and marking whether each master key has been used by means of a key bitmap, wherein the quantum key distribution network stores the master keys and master key IDs distributed to the encryption bridges in the various security domains.
In a second aspect, the present invention provides a method for implementing ethernet data decryption by quantum key distribution and software definition, which is applied to a second encryption bridge, and the method includes:
receiving a second key distribution message returned by the management and control platform, wherein the second key distribution message comprises a source MAC address and a corresponding session key;
each source MAC address and the corresponding session key are placed into a local decryption strategy MAC table;
receiving an encrypted message sent by a first encrypted network bridge, wherein the encrypted message is obtained by the first encrypted network bridge extracting a session key matched with an Ethernet data frame source MAC address from a local encryption strategy MAC table of the first encrypted network bridge and encrypting an Ethernet data frame;
and taking out the session key matched with the Ethernet data frame source MAC address from the decryption strategy MAC table, and decrypting the encrypted message.
Further, a master key pool is provided in the second encryption bridge, and the master key pool stores a master key and a master key ID pre-charged by the quantum key distribution system, and the method further includes:
receiving an MAC deletion message returned by the control platform, wherein the MAC deletion message carries information including encryption strategy MAC table newly-added count, a master key ID, a deleted source MAC address and a third integrity check value;
according to the master key ID, selecting a corresponding master key from the master key pool to carry out integrity check on the third integrity check value;
and sequentially deleting the table entries of the corresponding source MAC addresses in the decryption strategy MAC table according to each source MAC address in the MAC deletion message, and refreshing the decryption strategy MAC table.
Further, before receiving a second key distribution packet returned by the management and control platform, where the second key distribution packet includes a source MAC address and a corresponding session key, the method further includes:
the management and control platform is connected through a management channel, and a registration message is sent, wherein the format of the registration message is as follows: second encryption bridge ID || second encryption bridge management IP || random number R || KeyID || HMAC(Key, second encryption bridge ID || second encryption bridge management IP || random number R || KeyID), wherein HMAC(Key, data) denotes a keyed hash operation performed on data with Key, and Key is a randomly selected master key of the second encryption bridge identified by KeyID.
Further, before receiving a second key distribution packet returned by the management and control platform, where the second key distribution packet includes a source MAC address and a corresponding session key, the method further includes:
and defining the Ethernet interface type of the first encryption bridge, wherein the interface which is not connected with other encryption bridges of the same type is defined as a secret port, and the interface connected with other encryption bridges of the same type is defined as a clear port.
Further, before the receiving a second key distribution packet returned by the management and control platform, where the second key distribution packet includes a source MAC address and a corresponding session key, the method further includes:
sending a key filling request to the quantum key distribution network or a key agent;
and receiving the master keys filled by the quantum key distribution network through a second secure storage medium, establishing a master key pool, and marking whether each master key has been used by means of a key bitmap, wherein the quantum key distribution network stores the master keys and master key IDs distributed to each encryption bridge in the various security domains.
In a third aspect, the present invention provides a method for distributing an encryption policy and a session key, which is applied to a management and control platform, and the method includes:
receiving a source MAC address report message sent by a first encryption bridge, wherein the source MAC address report message carries information including a master key ID corresponding to the first encryption bridge and a source MAC address in an encryption strategy MAC table;
applying for a corresponding session key from the quantum key distribution network for each received newly added source MAC address;
and respectively generating a first key distribution message and a second key distribution message based on the session key, and distributing the messages to the first encryption bridge and the second encryption bridge, wherein the second encryption bridge is directly connected with the first encryption bridge.
Further, the source MAC address report packet carries information including a master key ID, an encryption policy MAC table addition count, an added source MAC address, an encryption policy MAC table deletion count, a deleted source MAC address, and a first integrity check value;
accordingly, before the applying for a corresponding session key from the quantum key distribution network for each received source MAC address, the method further comprises:
and acquiring a master key corresponding to the first encryption bridge from the quantum key distribution network, and verifying the first integrity check value by using the master key.
Further, the generating a first key distribution packet and a second key distribution packet based on the session key respectively includes:
encrypting the session key by using a master key corresponding to the first encryption bridge to generate a first key distribution message;
encrypting the session key by using a master key corresponding to the second encryption bridge to generate a second key distribution message;
the information carried by the first key distribution message and the second key distribution message comprises encryption strategy MAC table newly added count, master key ID, newly added source MAC address, corresponding session key ciphertext and a second integrity check value.
Further, before the receiving the source MAC address report packet sent by the first encrypted bridge, the method further includes:
establishing an encryption bridge association table for a security domain, wherein the encryption bridge association table is a two-dimensional matrix T[K][K], K is the number of encryption bridges belonging to the security domain, T[i][j] = 1 indicates that bridge i and bridge j are associated, and associated encryption bridges are directly connected;
correspondingly, before said applying for a corresponding session key from the quantum key distribution network for each received source MAC address, the method further includes:
based on the encryption bridge association table, obtaining a second encryption bridge associated with the first encryption bridge.
Further, after the applying for a corresponding session key from the quantum key distribution network for each new source MAC address received, the method further includes:
and sending an MAC deletion message to the second encryption network bridge, wherein the MAC deletion message carries information including encryption strategy MAC table newly-added count, master key ID, deleted source MAC address and third integrity check value.
In a fourth aspect, the present invention provides a method for implementing ethernet data encryption and decryption by quantum key distribution and software definition, where the method includes:
the method comprises the steps that a first encryption bridge takes MAC address information in a local encryption strategy MAC table as a source MAC address and sends the source MAC address to a control platform, the encryption strategy MAC table comprises the MAC address information and a corresponding session key, and the session key is initially empty;
the management and control platform applies for a corresponding session key for each received source MAC address, generates a first key distribution message and a second key distribution message, and distributes the messages to the first encryption bridge and the second encryption bridge, wherein the second encryption bridge is directly connected with the first encryption bridge;
the first encryption network bridge receives the first key distribution message, puts the session key corresponding to each source MAC address into a source MAC address table entry in a local encryption strategy MAC table, and refreshes the encryption strategy MAC table;
the second encryption network bridge receives the second key distribution message and places each source MAC address and the corresponding session key into a local decryption strategy MAC table;
the first encryption bridge takes out a session key matched with an Ethernet data frame source MAC address from the encryption strategy MAC table, and encrypts the outbound Ethernet data frame to obtain an encrypted message;
and the second encryption bridge takes out the session key matched with the Ethernet data frame source MAC address from the decryption strategy MAC table and decrypts the inbound encrypted message.
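The first to fourth aspects above describe one protocol: master keys pre-filled from the QKD network into a pool with a used-key bitmap, a registration message authenticated by HMAC under a randomly chosen master key, a source MAC report from the bridge, and key distribution messages carrying one session key per source MAC, wrapped under a master key of each target bridge and protected by an integrity check value. The Python model below is an added example, not the patent's or the applicant's code, and all its names are of its own choosing; it assumes fixed field widths, HMAC-SHA256 as the integrity check value and 32-byte keys, draws master keys and session keys from os.urandom in place of the QKD network, and substitutes an HMAC keystream for the CBC/CFB cipher named in the patent, which it does not implement.

```python
import hashlib, hmac, os, struct

ICV_LEN, SK_LEN, IV_LEN = 32, 32, 16   # HMAC-SHA256 tag, session key, frame IV (assumed)

def keystream_xor(key, iv, data):
    # stand-in cipher (not the patent's CBC+CFB): XOR with an HMAC-SHA256 counter keystream
    ks = b"".join(hmac.new(key, iv + struct.pack(">I", c), hashlib.sha256).digest()
                  for c in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def icv(master_key, body):   # integrity check value = keyed hash of the body under a master key
    return hmac.new(master_key, body, hashlib.sha256).digest()

class MasterKeyPool:   # QKD-pre-filled master keys (bridge copy or platform copy) + key bitmap
    def __init__(self, keys):
        self.keys, self.used = list(keys), [False] * len(keys)
    def pick_unused(self):
        free = [i for i, u in enumerate(self.used) if not u]
        if not free:
            raise RuntimeError("master key pool exhausted: request a refill from QKD")
        kid = free[int.from_bytes(os.urandom(2), "big") % len(free)]   # random choice
        self.used[kid] = True
        return kid, self.keys[kid]
    def take(self, kid):
        self.used[kid] = True      # receiver marks the key named by KeyID as used too
        return self.keys[kid]

def registration_message(bridge_id, mgmt_ip, pool):
    # BridgeID || MgmtIP || R || KeyID || HMAC(Key, BridgeID || MgmtIP || R || KeyID)
    # fixed widths assumed: 8-byte ID, 4-byte IPv4, 16-byte R, 2-byte KeyID
    kid, key = pool.pick_unused()
    body = bridge_id.ljust(8, b"\0")[:8] + mgmt_ip + os.urandom(16) + struct.pack(">H", kid)
    return body + icv(key, body)

def verify_registration(msg, pool):
    body, tag = msg[:-ICV_LEN], msg[-ICV_LEN:]
    kid = struct.unpack(">H", body[28:30])[0]
    return hmac.compare_digest(icv(pool.take(kid), body), tag)

def mac_report(pool, added, deleted):
    # KeyID | add count | added MACs | delete count | deleted MACs | ICV
    kid, key = pool.pick_unused()
    body = (struct.pack(">HB", kid, len(added)) + b"".join(added)
            + struct.pack(">B", len(deleted)) + b"".join(deleted))
    return body + icv(key, body)

def parse_report(msg, platform_pool):
    # platform side: verify the ICV under the reporting bridge's master key
    body, tag = msg[:-ICV_LEN], msg[-ICV_LEN:]
    kid, n_add = struct.unpack(">HB", body[:3])
    if not hmac.compare_digest(icv(platform_pool.take(kid), body), tag):
        raise ValueError("MAC report ICV check failed")
    added, rest = [body[3 + 6 * i: 9 + 6 * i] for i in range(n_add)], body[3 + 6 * n_add:]
    deleted = [rest[1 + 6 * i: 7 + 6 * i] for i in range(rest[0])]
    return added, deleted

def key_distribution(pool, session):
    # add count | KeyID | (source MAC | session key ciphertext)* | ICV, per target bridge
    kid, key = pool.pick_unused()
    body = struct.pack(">BH", len(session), kid)
    for mac, sk in session.items():
        body += mac + keystream_xor(key, mac, sk)   # wrap under the bridge's master key
    return body + icv(key, body)

def refresh_table(table, msg, pool):
    # bridge side: check ICV with the master key named by KeyID, unwrap into table[src MAC]
    body, tag = msg[:-ICV_LEN], msg[-ICV_LEN:]
    n, kid = struct.unpack(">BH", body[:3])
    key = pool.take(kid)
    if not hmac.compare_digest(icv(key, body), tag):
        raise ValueError("key distribution ICV check failed")
    rec = 6 + SK_LEN
    for i in range(n):
        mac = body[3 + rec * i: 9 + rec * i]
        table[mac] = keystream_xor(key, mac, body[9 + rec * i: 3 + rec * (i + 1)])
    return table

def encrypt_frame(table, frame):
    # header (dst, src, type) stays clear; rest encrypted under the source MAC's session key
    sk = table[frame[6:12]]                # KeyError: no policy entry for this source MAC
    iv = os.urandom(IV_LEN)
    return frame[:14] + iv + keystream_xor(sk, iv, frame[14:])

def decrypt_frame(table, enc):
    sk = table[enc[6:12]]
    return enc[:14] + keystream_xor(sk, enc[14:14 + IV_LEN], enc[14 + IV_LEN:])

def demo():
    # bridge A registers and reports a learned MAC; the platform hands the session key to A
    # (encrypting side) and to its associated bridge B (decrypting side); all values constructed
    keys_a, keys_b = [os.urandom(32) for _ in range(8)], [os.urandom(32) for _ in range(8)]
    bridge_a, bridge_b, plat_a, plat_b = (MasterKeyPool(k) for k in (keys_a, keys_b, keys_a, keys_b))
    ok = verify_registration(registration_message(b"bridgeA", bytes([10, 0, 0, 1]), bridge_a), plat_a)
    added, _ = parse_report(mac_report(bridge_a, [bytes.fromhex("0201020304aa")], []), plat_a)
    session = {m: os.urandom(SK_LEN) for m in added}   # constructed; from QKD in the patent
    enc_table = refresh_table({}, key_distribution(plat_a, session), bridge_a)
    dec_table = refresh_table({}, key_distribution(plat_b, session), bridge_b)
    frame = bytes.fromhex("ffffffffffff0201020304aa0800") + b"constructed payload"
    enc = encrypt_frame(enc_table, frame)
    return ok, enc[14:] != frame[14:], decrypt_frame(dec_table, enc) == frame
```

Both sides mark a master key ID as consumed whenever it appears in a message, so a pool entry is never used twice for either direction; when the pool runs dry the bridge must request a refill rather than reuse a key.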
In a fifth aspect, the present invention provides an encryption bridge, comprising:
the source MAC address message sending module is used for sending MAC address information in a local encryption strategy MAC table to the control platform as a source MAC address, wherein the encryption strategy MAC table comprises the MAC address information and a corresponding session key, and the session key is initially empty;
a first key distribution message receiving module, configured to receive a first key distribution message returned by the management and control platform, where the first key distribution message includes a source MAC address and a corresponding session key;
the first encryption and decryption strategy MAC table management module is used for placing the session key corresponding to each source MAC address into a source MAC address table entry in a local encryption strategy MAC table and refreshing the encryption strategy MAC table;
and the first data encryption and decryption module is used for taking out the session key matched with the Ethernet data frame source MAC address from the encryption strategy MAC table, and encrypting the Ethernet data frame to obtain an encrypted message.
In a sixth aspect, the present invention provides an encryption bridge, comprising:
the second key distribution message receiving module is used for receiving a second key distribution message returned by the control platform, wherein the second key distribution message comprises a source MAC address and a corresponding session key;
the second encryption and decryption strategy MAC table management module is used for placing each source MAC address and the corresponding session key into a local decryption strategy MAC table;
the encryption message receiving module is used for receiving an encryption message sent by a first encryption network bridge, wherein the encryption message is obtained by taking a session key matched with an Ethernet data frame source MAC address from a local encryption strategy MAC table of the first encryption network bridge and encrypting an Ethernet data frame;
and the second data encryption and decryption module is used for taking out the session key matched with the Ethernet data frame source MAC address from the decryption strategy MAC table and decrypting the encrypted message.
In a seventh aspect, the present invention provides a management and control platform, where the management and control platform includes:
the message receiving module is used for receiving a source MAC address report message sent by the first encryption bridge, wherein the source MAC address report message carrying information comprises a master key ID corresponding to the first encryption bridge and a source MAC address in an encryption strategy MAC table;
the session key application module is used for applying a corresponding session key from the quantum key distribution network aiming at each received newly added source MAC address;
and the key distribution message generation module is used for respectively generating a first key distribution message and a second key distribution message based on the session key, and distributing the first key distribution message and the second key distribution message to the first encryption network bridge and the second encryption network bridge, wherein the second encryption network bridge is directly connected with the first encryption network bridge.
In an eighth aspect, the invention provides a system for implementing ethernet data encryption and decryption by using quantum key distribution and software definition, where the system includes a first encryption bridge, a second encryption bridge, a control platform and a quantum key distribution system, the first encryption bridge and the second encryption bridge are associated with each other and are both connected to the control platform and the quantum key distribution system, the control platform is connected to the quantum key distribution system, and the first encryption bridge and the second encryption bridge are respectively integrated with a secure storage medium;
the management and control platform is used for distributing an encryption strategy and a session key based on the source MAC address information reported by the first encryption network bridge;
the quantum key distribution network is used for distributing master keys to the management and control platform and to the secure storage media;
the first encryption bridge and the second encryption bridge are used for encrypting and decrypting user Ethernet data frames transmitted through the bridges.
The invention has the advantages that:
(1) According to the invention, the source MAC address is automatically learned through the encryption bridge port, the learned source MAC address information is sent to the control platform, the control platform generates a different session key for each source MAC address and distributes it to the other encryption bridges with an association relationship, so that automatic generation and centralized distribution of session keys and encryption policies are realized, and the problems of security policy distribution and key management among Ethernet devices with encryption intercommunication requirements are solved safely and efficiently. The invention is mainly aimed at the application scenario of layer-2 Ethernet frame encryption with centrally distributed keys and encryption policies: data encryption and decryption are carried out based on the source MAC address, which is learned automatically to form the policy elements, and session keys and encryption policies are synchronized among the associated encryption bridge nodes through software-defined encryption policies and a centralized distribution mode.
(2) The encryption strategy realizes encryption according to needs by dynamically adding or deleting the MAC address, and improves the effective utilization of the resources of the encryption bridge equipment.
(3) By dividing security domains, pre-filling every device node in a security domain with a large number of identical master keys and using them randomly, so that each master key is used only once in the session key distribution process and in the identity authentication of devices in the domain, the problems of identity authentication and key distribution protection between bridge device nodes with encryption requirements and the management and control platform are solved safely and efficiently, and thereby secure, efficient, manageable and controllable encrypted transmission of Ethernet data frames is realized.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
Fig. 1 is a schematic flowchart of a method for implementing Ethernet data encryption by quantum key distribution and software definition according to a first embodiment of the present invention;
Fig. 2 is a schematic flowchart of a method for implementing Ethernet data decryption by quantum key distribution and software definition according to a second embodiment of the present invention;
Fig. 3 is a flowchart illustrating a distribution method of an encryption policy and a session key according to a third embodiment of the present invention;
Fig. 4 is a schematic flowchart of a method for implementing Ethernet data encryption and decryption by quantum key distribution and software definition according to a fourth embodiment of the present invention;
Fig. 5 is a schematic diagram of an encryption bridge according to a fifth embodiment of the present invention;
Fig. 6 is a schematic diagram of an encryption bridge according to a sixth embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a management and control platform according to a seventh embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a system for implementing Ethernet data encryption and decryption by quantum key distribution and software definition according to an eighth embodiment of the present invention;
Fig. 9 is a schematic diagram of an encryption bridge in the eighth embodiment of the present invention;
Fig. 10 is a schematic workflow diagram of a system for implementing Ethernet data encryption and decryption by quantum key distribution and software definition according to the eighth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
As shown in fig. 1, a first embodiment of the present invention provides a method for implementing ethernet data encryption by quantum key distribution and software definition, which is applied to a first encryption bridge, and includes the following steps:
S101, taking the MAC address information in a local encryption strategy MAC table as the source MAC address and sending the source MAC address to the control platform, wherein the encryption strategy MAC table comprises MAC address information and a corresponding session key, and the session key is initially empty;
It should be noted that the first encryption bridge is the encryption bridge that reports the message to the management and control platform. An entry of the local encryption policy MAC table of the first encryption bridge is composed of a MAC address and a corresponding session key; the session key is used for encrypting Ethernet data frames that use that MAC address as their source MAC, is initially empty, and is distributed by the management and control platform. The life cycle of an entry of the encryption policy MAC table is the same as that of an entry of the ordinary MAC table.
S102, receiving a first key distribution message returned by the control platform, wherein the first key distribution message comprises a source MAC address and a corresponding session key;
it should be noted that the management and control platform receives the source MAC address information, applies for a corresponding session key from the quantum key distribution network for the newly added source MAC address, returns each source MAC address and the corresponding session key to the encryption bridge, and refreshes the local encryption policy MAC table of the encryption bridge.
S103, a session key corresponding to each source MAC address is placed into a source MAC address table entry in a local encryption strategy MAC table, and the encryption strategy MAC table is refreshed;
S104, taking out the session key matched with the source MAC address of the Ethernet data frame from the encryption strategy MAC table, and encrypting the Ethernet data frame to obtain an encrypted message.
The embodiment of the invention automatically learns the source MAC address through the encryption bridge port, sends the learned source MAC address information to the control platform, has the control platform generate different session keys based on different source MAC addresses, and distributes the session keys and encryption strategies through the control platform to the other encryption bridges that have an association relationship, thereby realizing automatic generation and centralized distribution of the session keys and the encryption strategies, and safely and efficiently solving the problems of security strategy distribution and key management among Ethernet devices with encryption intercommunication requirements. The embodiment is mainly aimed at the application scene of Layer 2 Ethernet frame encryption in which keys and encryption strategies are centrally distributed: it carries out data encryption and decryption based on the source MAC address, automatically learns to form strategy elements, and realizes synchronization of session keys and encryption strategies between related encryption bridge equipment nodes by defining the encryption strategies through software and distributing them centrally.
In addition, the method provided by the embodiment is applied to an encryption bridge, directly matches the original MAC, and performs encryption, decryption, and forwarding of the Ethernet frame without changing the original MAC information. The encryption strategy proposed by this embodiment is based on the source MAC of the Ethernet frame and is automatically collected and reported by the source-end bridge; the session key is generated in real time by the quantum key distribution network; the management and control center is mainly responsible for applying for and issuing the session key; and the pre-shared quantum key is used to protect distribution of the session key and identity authentication during bridge registration. In this embodiment, the management and control center serves as a controller and does not need to be configured with a large amount of policy information; only the association relationships between bridges need to be configured, so the whole process of policy generation, key application, and policy and key distribution is highly autonomous, efficient, and light in management burden.
In one embodiment, a master key pool is arranged in the first encryption bridge, and master keys and master key IDs pre-charged by a quantum key distribution system are stored in the master key pool;
correspondingly, in step S101, the sending the MAC address information in the local encryption policy MAC table as the source MAC address to the management and control platform specifically includes:
and sending a MAC address message to the control platform at irregular intervals, wherein the MAC address message carries information including a master key ID, an encryption strategy MAC table addition count, the added source MAC addresses, an encryption strategy MAC table deletion count, the deleted source MAC addresses and a first integrity check value.
It should be noted that, in this embodiment, the first encryption bridge reports the MAC address information of its local encryption policy MAC table to the management and control platform at irregular intervals rather than periodically, and the message format of the MAC address message is as follows:
4-byte master key ID + 2-byte encryption strategy MAC table addition count + k1 × (added source MAC address) + 2-byte encryption strategy MAC table deletion count + k2 × (deleted source MAC address) + ICV (first integrity check value)
Wherein the master key ID is randomly selected from the master key pool of the first encryption bridge, and the ICV is an HMAC (Hash-based Message Authentication Code, a keyed hash) computed over the whole MAC address message using the master key corresponding to the master key ID; k1 and k2 represent the number of newly added source MACs and deleted source MACs, respectively.
It should be noted that, in this embodiment, the first encryption bridge sends the MAC address packet to the management and control platform at irregular intervals, specifically: each time the first encryption bridge is started, after its ports have learned MAC addresses for a period of time, a management channel is established to the control platform, and the whole encryption strategy MAC table is registered and reported; the deletion count in the reported message is zero at this point. Whenever the content of the encryption strategy MAC table changes, that is, a source MAC address is newly added or expires, a MAC address report message is sent to the management and control platform, the content of which comprises the newly added and deleted source MAC addresses.
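The MAC address message above, encoded on the bridge and verified on the platform, as an added Go example that is not code from the patent; big-endian counts, 6-byte MAC addresses and HMAC-SHA256 as the ICV are assumptions, since the page fixes none of them.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"net"
)

// MasterKey follows the page's pre-filled key format (4-byte ID, key, IV);
// only ID and Key are needed for the ICV of a MAC address message.
type MasterKey struct {
	ID  uint32
	Key []byte
}

// MACReport is the decoded MAC address message a bridge sends to the platform.
type MACReport struct {
	MasterKeyID    uint32
	Added, Deleted []net.HardwareAddr
}

// Assumed where the page is silent: big-endian counts, 6-byte MAC addresses,
// and HMAC-SHA256 as the ICV (the page only says "HMAC").
const macLen = 6

func putMACs(buf *bytes.Buffer, macs []net.HardwareAddr) error {
	if len(macs) > 0xFFFF {
		return errors.New("count does not fit in 2 bytes")
	}
	var cnt [2]byte
	binary.BigEndian.PutUint16(cnt[:], uint16(len(macs)))
	buf.Write(cnt[:])
	for _, m := range macs {
		if len(m) != macLen {
			return errors.New("only 48-bit MAC addresses are supported")
		}
		buf.Write(m)
	}
	return nil
}

// EncodeMACReport (bridge side) builds: 4B master key ID | 2B add count | k1*6B |
// 2B delete count | k2*6B | ICV, with the ICV computed over everything before it.
func EncodeMACReport(mk MasterKey, added, deleted []net.HardwareAddr) ([]byte, error) {
	var buf bytes.Buffer
	var id [4]byte
	binary.BigEndian.PutUint32(id[:], mk.ID)
	buf.Write(id[:])
	if err := putMACs(&buf, added); err != nil {
		return nil, err
	}
	if err := putMACs(&buf, deleted); err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, mk.Key)
	mac.Write(buf.Bytes())
	return append(buf.Bytes(), mac.Sum(nil)...), nil
}

func splitMACs(b []byte) []net.HardwareAddr {
	macs := make([]net.HardwareAddr, 0, len(b)/macLen)
	for i := 0; i+macLen <= len(b); i += macLen {
		macs = append(macs, net.HardwareAddr(b[i:i+macLen]))
	}
	return macs
}

// DecodeMACReport (platform side) looks up the master key named in the message,
// verifies the ICV in constant time before parsing anything else, and insists
// that the two counts account for every remaining byte.
func DecodeMACReport(msg []byte, lookup func(id uint32) (MasterKey, bool)) (*MACReport, error) {
	if len(msg) < 4+2+2+sha256.Size {
		return nil, errors.New("message too short")
	}
	body, icv := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	id := binary.BigEndian.Uint32(body[:4])
	mk, ok := lookup(id)
	if !ok {
		return nil, errors.New("unknown master key ID")
	}
	mac := hmac.New(sha256.New, mk.Key)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), icv) {
		return nil, errors.New("integrity check failed: message discarded")
	}
	k1 := int(binary.BigEndian.Uint16(body[4:6]))
	if len(body) < 8+k1*macLen {
		return nil, errors.New("add list truncated")
	}
	k2 := int(binary.BigEndian.Uint16(body[6+k1*macLen:]))
	if len(body) != 8+(k1+k2)*macLen {
		return nil, errors.New("length does not match the two counts")
	}
	return &MACReport{MasterKeyID: id, Added: splitMACs(body[6 : 6+k1*macLen]),
		Deleted: splitMACs(body[8+k1*macLen:])}, nil
}
```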
In an embodiment, in step S102, the process of generating the first key distribution packet by the management and control platform is as follows: the management and control platform applies for a session key from a Quantum key distribution network (QKD) for each newly added source MAC address, encrypts by using a master key (obtained from the Quantum key distribution network) corresponding to a first encryption bridge (a bridge that reports a message) to form a first session key ciphertext distributed to the first encryption bridge, and performs ICV (second integrity check value) calculation on the first key distribution message by using the master key.
In an embodiment, the first key distribution packet carries information including an encryption policy MAC table addition count, a master key ID, an added source MAC address, a corresponding session key ciphertext, and a second integrity check value;
accordingly, the step S103: the method comprises the following steps of putting a session key corresponding to each source MAC address into a source MAC address table entry in a local encryption strategy MAC table, and refreshing the encryption strategy MAC table, wherein the method specifically comprises the following steps:
S131, acquiring the corresponding master key from the master key pool by using the master key ID, performing an integrity check on the second integrity check value, and decrypting the session key ciphertext to obtain the session key corresponding to each source MAC address;
it should be noted that the master key pool stores a large number of master keys pre-filled by the quantum key distribution system.
It should be noted that, after the integrity check is passed, the session key ciphertext is decrypted, and if the integrity check is not passed, the data transmission process is terminated.
S132, a session key corresponding to each source MAC address is placed into a source MAC address table entry in a local encryption strategy MAC table, and the encryption strategy MAC table is refreshed.
It should be noted that, the encryption strategy realizes on-demand encryption by dynamically adding or deleting the learning MAC address, and improves the effective utilization of the resources of the encryption bridge device.
In one embodiment, the step S104: and taking out the session key matched with the source MAC address of the Ethernet data frame from the encryption strategy MAC table, and encrypting the Ethernet data frame to obtain an encrypted message, wherein the method specifically comprises the following steps:
S141, taking out the session key matched with the source MAC address of the Ethernet data frame from the encryption strategy MAC table;
S142, encrypting the frame data of the Ethernet data frame except the frame header by using the session key, wherein the encryption mode is CBC mode combined with CFB mode.
It should be noted that the device node of the first encryption bridge encrypts each outbound Ethernet data frame whose source MAC address matches the encryption policy MAC table; that is, it takes the session key from the entry matching the source MAC address of the frame out of the encryption policy MAC table and encrypts the frame data except the Ethernet header, where the encryption mode is CBC (for the part of the data that is an integer multiple of the cipher block size) + CFB (for the remainder beyond that integer multiple), and no additional data is added to the frame.
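The S142 encryption mode in Go, as an added example that is not the patent's code: AES-CBC over the whole blocks of the payload, CFB over the remainder, the Ethernet header left untouched and no bytes added. That an IV is handed over with the session key and that the CFB part is chained to the last CBC ciphertext block are assumptions the page does not state.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// ethHeaderLen is the untagged Ethernet header (dst MAC, src MAC, EtherType).
// The page forwards the header in the clear and encrypts only what follows.
const ethHeaderLen = 14

// cryptPayload is the shared path for S142 and its inverse: CBC over the
// whole-block prefix of the payload, CFB over the remainder, so the output is
// exactly as long as the input and no bytes are added to the frame. Assumed,
// since the page does not say: the CFB part is chained to the last CBC
// ciphertext block (or to the IV when the payload is shorter than one block).
func cryptPayload(key, iv, frame []byte, encrypt bool) ([]byte, error) {
	if len(frame) < ethHeaderLen {
		return nil, errors.New("frame shorter than an Ethernet header")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(iv) != bs {
		return nil, errors.New("IV must be exactly one cipher block")
	}
	out := make([]byte, len(frame))
	copy(out, frame[:ethHeaderLen]) // header is forwarded unchanged
	in, res := frame[ethHeaderLen:], out[ethHeaderLen:]
	full := len(in) / bs * bs // bytes covered by CBC
	chain := iv
	if full > 0 {
		var mode cipher.BlockMode
		if encrypt {
			mode = cipher.NewCBCEncrypter(block, iv)
		} else {
			mode = cipher.NewCBCDecrypter(block, iv)
		}
		mode.CryptBlocks(res[:full], in[:full])
		// The last ciphertext block seeds CFB: it sits in the output when
		// encrypting and in the input when decrypting.
		if encrypt {
			chain = res[full-bs : full]
		} else {
			chain = in[full-bs : full]
		}
	}
	if full < len(in) {
		var stream cipher.Stream
		if encrypt {
			stream = cipher.NewCFBEncrypter(block, chain)
		} else {
			stream = cipher.NewCFBDecrypter(block, chain)
		}
		stream.XORKeyStream(res[full:], in[full:])
	}
	return out, nil
}

// EncryptFrame encrypts an outbound frame with the session key matched by its
// source MAC. This mode gives confidentiality only: the page adds no ICV to the
// frame, so a modified ciphertext decrypts to garbage without being detected,
// and reusing one IV under one session key exposes equal payload prefixes.
func EncryptFrame(key, iv, frame []byte) ([]byte, error) {
	return cryptPayload(key, iv, frame, true)
}

// DecryptFrame is the matching inbound path on the second bridge (S204).
func DecryptFrame(key, iv, frame []byte) ([]byte, error) {
	return cryptPayload(key, iv, frame, false)
}

func main() {
	// Constructed sample: a 16-byte AES-128 session key and IV, a 14-byte
	// header and a payload that is not a whole number of blocks.
	key := []byte("constructed-16-B")
	iv := []byte("constructed-iv!!")
	header := []byte{2, 0, 0, 0, 0, 1, 2, 0, 0, 0, 0, 2, 8, 0}
	frame := append(header, []byte("constructed payload, not block aligned")...)
	enc, _ := EncryptFrame(key, iv, frame)
	dec, _ := DecryptFrame(key, iv, enc)
	fmt.Printf("in=%d out=%d header intact=%v round trip=%v\n", len(frame), len(enc),
		bytes.Equal(enc[:ethHeaderLen], frame[:ethHeaderLen]), bytes.Equal(dec, frame))
}
```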
In one embodiment, in the step S101: before the MAC address information in the local encryption policy MAC table is used as a source MAC address and sent to the management and control platform, the method further includes:
the management and control platform is connected through a management channel, and a registration message is sent, wherein the format of the registration message is as follows: first encryption bridge ID || first encryption bridge management IP || random number R || KeyID || HMAC(Key, first encryption bridge ID || first encryption bridge management IP || random number R || KeyID), wherein HMAC(Key, data) represents a keyed hash operation on data using Key, and Key is a randomly selected master key corresponding to the first encryption bridge identifier KeyID.
It should be noted that, when the first encryption bridge is started, the first encryption bridge is connected to the management and control platform through the management channel (the port capable of configuring the IP), establishes a reliable connection (TCP long connection), and registers the connection; and after receiving the registration request, the management and control platform acquires a master key corresponding to the first encryption bridge identifier KeyID from the quantum key distribution network, verifies the registration message, returns a registration success notification to the first encryption bridge when the verification is passed, and returns a registration failure notification if the verification is not passed.
In one embodiment, in the step S101: before the MAC address information in the local encryption policy MAC table is used as a source MAC address and sent to the management and control platform, the method further includes:
and defining the Ethernet interface types of the first encryption bridge, wherein an interface not connected to another encryption bridge of the same type is defined as a secret port, an interface connected to another encryption bridge of the same type is defined as a clear port, and the secret port adds the source MAC addresses learned by that port into the local encryption strategy MAC table.
It should be noted that, in this embodiment, the clear port and the secret port of the first encryption bridge perform the functions of the ordinary bridge port, and the secret port adds the source MAC address learned by the port to the local encryption policy MAC table, so that the outbound ethernet data frame can be forwarded through any clear port.
In one embodiment, in the step S101: before the MAC address information in the local encryption strategy MAC table is used as a source MAC address and sent to the management and control platform, the method also comprises the following steps:
sending a key filling request to the quantum key distribution network or to a key agent;
and receiving the master keys filled by the quantum key distribution network through a first secure storage medium, establishing a master key pool, and marking whether each master key has been used by means of a key bitmap, wherein the quantum key distribution network stores the master keys and master key IDs distributed to each encryption bridge in the different security domains.
It should be noted that the first encryption bridge integrates a first secure storage medium, which may be a large-capacity secure storage medium including but not limited to a secure TF card or a secure U-shield (USB key). The first encryption bridge is pre-charged with a large number of master keys through the first secure storage medium; the key format is 4-byte key ID + n-byte key + n-byte initialization vector (n depends on the encryption algorithm); the first encryption bridge constructs the master key pool according to this key format; and the quantum key distribution network stores the master keys and key IDs distributed to each device node in the different security domains in its key pool.
It should be noted that, when the first encryption bridge generates the MAC address packet, the master key used is randomly selected among the master keys in the master key pool that have not yet been used, and the key bitmap bit of the selected master key is marked as used.
It should be noted that, the one-time pad in the session key distribution process and the identity authentication of the devices in the domain are realized by pre-charging a large number of master keys, so that the secure, efficient and manageable ethernet data frame encryption transmission is realized.
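The master key pool with its key bitmap, together with the registration message of the earlier embodiment that spends one such key, as an added Go example that is not the patent's code: keys are drawn at random, marked used and never reused, an exhausted pool is an error, and the registration HMAC is built on the bridge and verified on the platform. The byte layout of bridge ID || IP || R || KeyID and HMAC-SHA256 as the keyed hash are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"math/big"
	"net"
)

// MasterKey mirrors the page's pre-filled key format: 4-byte ID, key, IV.
type MasterKey struct {
	ID      uint32
	Key, IV []byte
}

// MasterKeyPool is a bridge's pool; used is the key bitmap, one bit per key.
type MasterKeyPool struct {
	keys []MasterKey
	used []byte
}

func NewMasterKeyPool(keys []MasterKey) *MasterKeyPool {
	return &MasterKeyPool{keys: keys, used: make([]byte, (len(keys)+7)/8)}
}

// Take picks an unused key uniformly at random and sets its bitmap bit, so one
// key protects exactly one message. An empty pool is an error, never a reuse:
// the bridge must request a refill from the QKD network before continuing.
func (p *MasterKeyPool) Take() (MasterKey, error) {
	var free []int
	for i := range p.keys {
		if p.used[i/8]&(1<<(i%8)) == 0 {
			free = append(free, i)
		}
	}
	if len(free) == 0 {
		return MasterKey{}, errors.New("master key pool exhausted: refill required")
	}
	n, err := rand.Int(rand.Reader, big.NewInt(int64(len(free))))
	if err != nil {
		return MasterKey{}, err
	}
	i := free[n.Int64()]
	p.used[i/8] |= 1 << (i % 8)
	return p.keys[i], nil
}

// BuildRegistration (bridge side) spends one master key on the registration
// HMAC. The page writes the body as bridgeID || mgmtIP || R || KeyID; the byte
// layout is assumed: 1-byte length-prefixed ID, 4-byte IPv4, 8-byte R, 4-byte KeyID.
func BuildRegistration(p *MasterKeyPool, bridgeID string, mgmtIP net.IP, r uint64) ([]byte, error) {
	ip4 := mgmtIP.To4()
	if ip4 == nil || len(bridgeID) > 255 {
		return nil, errors.New("need an IPv4 management address and a bridge ID under 256 bytes")
	}
	mk, err := p.Take() // inputs are validated first so a bad input never burns a key
	if err != nil {
		return nil, err
	}
	var tail [12]byte
	binary.BigEndian.PutUint64(tail[:8], r)
	binary.BigEndian.PutUint32(tail[8:], mk.ID)
	body := append([]byte{byte(len(bridgeID))}, bridgeID...)
	body = append(append(body, ip4...), tail[:]...)
	mac := hmac.New(sha256.New, mk.Key)
	mac.Write(body)
	return append(body, mac.Sum(nil)...), nil
}

// VerifyRegistration (platform side) fetches the QKD copy of the key named by
// KeyID through lookup and recomputes the HMAC; it returns the bridge ID on
// success. The platform should also refuse a KeyID it has already accepted,
// so that a recorded registration cannot be presented a second time.
func VerifyRegistration(msg []byte, lookup func(keyID uint32) (MasterKey, bool)) (string, error) {
	if len(msg) < 1+4+8+4+sha256.Size {
		return "", errors.New("registration message too short")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mk, ok := lookup(binary.BigEndian.Uint32(body[len(body)-4:]))
	if !ok {
		return "", errors.New("unknown KeyID")
	}
	mac := hmac.New(sha256.New, mk.Key)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return "", errors.New("registration failed: HMAC mismatch")
	}
	idLen := int(body[0])
	if len(body) != 1+idLen+4+8+4 {
		return "", errors.New("malformed registration body")
	}
	return string(body[1 : 1+idLen]), nil
}
```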
Example 2
As shown in fig. 2, a second embodiment of the present invention provides a method for implementing ethernet data decryption by quantum key distribution and software definition, which is applied to a second encryption bridge, and includes the following steps:
S201, receiving a second key distribution message returned by the management and control platform, wherein the second key distribution message comprises a source MAC address and a corresponding session key;
it should be noted that, for each newly added source MAC address, the management and control platform applies for a session key from the quantum key distribution network, and encrypts the session key by using a master key (randomly selected from the quantum key distribution network) corresponding to the second encryption bridge to form a second session key ciphertext distributed to the second encryption bridge, where the master key is also used to perform ICV (third integrity check value) calculation on the second key distribution packet.
The format of the second key distribution message is as follows:
2-byte encryption strategy MAC table addition count + 4-byte master key ID + k1 × (added source MAC address + session key ciphertext) + ICV (third integrity check value), wherein k1 represents the number of added source MACs.
S202, each source MAC address and the corresponding session key are placed into a local decryption strategy MAC table;
it should be noted that, for the second encryption bridge associated with the first encryption bridge, each source MAC address and the corresponding session key in the second key distribution message are added to the decryption policy MAC table, where the table entries are the source MAC address and the corresponding session key, and the source MAC address is the source MAC address in the second key distribution message.
S203, receiving an encrypted message sent by the first encryption bridge, wherein the encrypted message is obtained by the first encryption bridge taking the session key matched with the source MAC address of the Ethernet data frame out of its local encryption strategy MAC table and encrypting the Ethernet data frame;
S204, taking the session key matched with the source MAC address of the Ethernet data frame out of the decryption strategy MAC table, and decrypting the encrypted message.
In the embodiment of the invention, the second encryption bridge is associated with the first encryption bridge that reports the MAC address message; the control platform generates different session keys based on different source MAC addresses and distributes the session keys and the encryption strategy to the other second encryption bridges associated with the first encryption bridge, so that automatic generation and centralized distribution of the session keys and the encryption strategy are realized, and the problems of security strategy distribution and key management between Ethernet equipment with encryption intercommunication requirements are solved safely and efficiently. This embodiment is mainly aimed at the application scenario of Layer 2 Ethernet frame encryption in which keys and encryption policies are distributed centrally: data encryption and decryption are performed based on the source MAC address, policy elements are learned automatically, and synchronization of session keys and encryption policies between associated encryption bridge device nodes is achieved by defining the encryption policies through software and distributing them centrally.
In one embodiment, the second encryption bridge is provided with a master key pool, the master key pool stores master keys and master key IDs pre-charged by a quantum key distribution system, and the method further includes the following steps:
receiving a MAC deletion message returned by the control platform, wherein the MAC deletion message carries information including an encryption strategy MAC table newly-added count, a master key ID, the deleted source MAC addresses and a third integrity check value;
according to the master key ID, selecting a corresponding master key from the master key pool to perform integrity check on the third integrity check value;
and sequentially deleting the table entries of the corresponding source MAC addresses in the decryption strategy MAC table according to each source MAC address in the MAC deletion message, and refreshing the decryption strategy MAC table.
It should be noted that the message format of the MAC deletion message is as follows:
2-byte encryption policy MAC table addition count + 4-byte master key ID + k2 × (deleted source MAC address) + ICV (fourth integrity check value), where k2 represents the number of deleted source MAC addresses.
When the integrity check passes, the table entries of the corresponding source MAC addresses in the decryption strategy MAC table are deleted in turn according to each source MAC address in the MAC deletion message; if the integrity check does not pass, the transmission process is terminated.
In the embodiment, the encryption strategy realizes encryption according to needs by dynamically adding or deleting the MAC address, and the effective utilization of the resources of the encryption bridge equipment is improved.
In one embodiment, in the step S201: receiving a second key distribution message returned by the management and control platform, wherein before the second key distribution message includes a source MAC address and a corresponding session key, the method further includes:
the management and control platform is connected through a management channel, and a registration message is sent, wherein the format of the registration message is as follows: second encryption bridge ID || second encryption bridge management IP || random number R || KeyID || HMAC(Key, second encryption bridge ID || second encryption bridge management IP || random number R || KeyID), wherein HMAC(Key, data) represents a keyed hash operation on data using Key, and Key is a randomly selected master key corresponding to the second encryption bridge identifier KeyID.
It should be noted that, when the second encryption bridge is started, the second encryption bridge is connected to the management and control platform through the management channel (the port capable of configuring the IP), establishes a reliable connection (TCP long connection), and registers the connection; and after receiving the registration request, the management and control platform acquires a master key corresponding to the first encryption bridge identifier KeyID from the quantum key distribution network, verifies the registration message, returns a registration success notification to the first encryption bridge when the verification is passed, and returns a registration failure notification if the verification is not passed.
In one embodiment, in the step S201: receiving a second key distribution message returned by the management and control platform, wherein before the second key distribution message includes a source MAC address and a corresponding session key, the method further includes:
and defining the Ethernet interface type of the first encryption bridge, wherein the interface which is not connected with other encryption bridges of the same type is defined as a secret port, and the interface connected with other encryption bridges of the same type is defined as a clear port.
It should be noted that in this embodiment, the clear port and the secret port of the second encryption bridge may perform the functions of the ordinary bridge ports, and the inbound ethernet data frame may be forwarded through any clear port.
In one embodiment, in the step S201: receiving a second key distribution message returned by the management and control platform, wherein before the second key distribution message includes a source MAC address and a corresponding session key, the method further includes:
sending a key filling request to the quantum key distribution network or to a key agent;
and receiving the master keys filled by the quantum key distribution network through a second secure storage medium, establishing a master key pool, and marking whether each master key has been used by means of a key bitmap, wherein the quantum key distribution network stores the master keys and master key IDs distributed to each encryption bridge in the different security domains.
It should be noted that the second encryption bridge integrates a second secure storage medium; the first secure storage medium may be a large-capacity secure storage medium including but not limited to a secure TF card or a secure U-shield (USB key), and is used to pre-charge a large number of master keys for the first encryption bridge. The key format is 4-byte key ID + n-byte key + n-byte initialization vector (n depends on the encryption algorithm); the second encryption bridge constructs the master key pool according to this key format; and the quantum key distribution network stores the master keys and key IDs distributed to each device node in the different security domains in its key pool.
In the embodiment, the one-time pad in the session key distribution process and the identity authentication of the devices in the domain are realized by pre-filling a large number of master keys, so that safe, efficient and controllable Ethernet data frame encryption transmission is realized.
Example 3
As shown in fig. 3, a third embodiment of the present invention provides a method for distributing an encryption policy and a session key, which is applied to a management and control platform, and the method includes the following steps:
S301, receiving a source MAC address report message sent by a first encryption bridge, wherein the source MAC address report message carries information including the master key ID corresponding to the first encryption bridge and the source MAC addresses in its encryption strategy MAC table;
S302, for each newly added source MAC address, applying for a corresponding session key from the quantum key distribution network;
S303, generating a first key distribution message and a second key distribution message respectively based on the session key, and distributing the messages to the first encryption bridge and the second encryption bridge, wherein the second encryption bridge is directly connected with the first encryption bridge.
In the embodiment, the automatic learning of the MAC address is performed through the bridge port, the management and control platform generates different session keys based on different source MAC addresses, and the management and control platform distributes the session keys and encryption strategies to the first encryption bridge and other second encryption bridges having an association relationship with the first encryption bridge, so that the automatic generation and centralized distribution of the session keys and the encryption strategies are realized, and the problems of security strategy distribution and key management between ethernet devices having encryption intercommunication requirements are solved safely and efficiently.
In an embodiment, the source MAC address report packet carries information including a master key ID, an encryption policy MAC table addition count, an added source MAC address, an encryption policy MAC table deletion count, a deleted source MAC address, and a first integrity check value;
accordingly, in the step S302: before applying for a corresponding session key from the quantum key distribution network for each received source MAC address, the method further includes:
and acquiring a master key corresponding to the first encryption bridge from the quantum key distribution network, and verifying the first integrity check value by using the master key.
It should be understood that when the integrity check passes, the session key corresponding to the source MAC address is obtained from the quantum key distribution network, and if the integrity check fails, the data transmission process is terminated.
In an embodiment, in step S303, generating a first key distribution packet and a second key distribution packet based on the session key respectively includes the following steps:
S331, encrypting the session key by using the master key corresponding to the first encryption bridge to generate the first key distribution message;
S332, encrypting the session key by using the master key corresponding to the second encryption bridge to generate the second key distribution message;
the information carried by the first key distribution message and the second key distribution message comprises encryption strategy MAC table newly added count, master key ID, newly added source MAC address, corresponding session key ciphertext and a second integrity check value.
It should be noted that the master key corresponding to the first encryption bridge and the master key corresponding to the second encryption bridge are both obtained from the quantum key distribution network.
In one embodiment, in the step S302: after applying for a corresponding session key from the quantum key distribution network for each received newly added source MAC address, the method further includes:
and sending a MAC deletion message to the second encryption bridge, wherein the MAC deletion message carries information including an encryption strategy MAC table newly-added count, a master key ID, the deleted source MAC addresses and a third integrity check value.
It should be noted that the encryption strategy distributed by the management and control platform is dynamically added or deleted through the learning of the MAC address, so that on-demand encryption is realized, and the effective utilization of the resources of the encryption bridge device is improved.
In one embodiment, in the step S301: before receiving a source MAC address report message sent by a first encryption bridge, the method further comprises the following steps:
establishing an encryption bridge association table for a security domain, wherein the encryption bridge association table is a two-dimensional matrix T[K][K], K is the number of encryption bridges belonging to the security domain, T[i][j] = 1 indicates that bridge i and bridge j are associated, and associated encryption bridges are directly connected;
accordingly, in the step S302: before each received source MAC address is applied for a corresponding session key from a quantum key distribution network, the method also comprises the following steps:
obtaining the second encryption bridges associated with the first encryption bridge based on the encryption bridge association table.
Specifically, the management and control platform refreshes an encryption policy MAC table corresponding to the encryption bridge according to the source MAC reported by the first encryption bridge, and triggers a key distribution process for the encryption bridge:
1) Obtaining other second encryption bridge lists associated with the first encryption bridge according to the association table;
2) For each newly added source MAC address, applying for a session key from the quantum key distribution network, and encrypting by using the master keys (random selection) of the first encryption bridge (the bridge reporting the message) and other associated second encryption bridges respectively to form session key ciphertexts distributed to different encryption bridges, wherein the master key is also used for carrying out ICV (integrity check value) calculation on the key distribution message in the step 3);
3) Sending a first key distribution message and a second key distribution message to the first encryption bridge and the associated second encryption bridge in sequence, distributing a session key and a corresponding source MAC address, wherein the message format is as follows:
2-byte encryption strategy MAC table addition count + 4-byte master key ID + k1 × (newly added source MAC address + session key ciphertext) + ICV (integrity check value)
4) And sequentially sending MAC deletion messages to the associated second encryption network bridge, wherein the message format is as follows:
2-byte encryption strategy MAC table addition count + 4-byte master key ID + k2 × (deleted source MAC address) + ICV (integrity check value)
5) For each associated second encryption bridge, the management and control platform randomly acquires a master key of the bridge from the quantum key distribution network and performs ICV calculation by using the master key.
In one embodiment, in the step S301: before receiving a source MAC address reporting message sent by a first encryption network bridge, the method further comprises the following steps:
and receiving registration messages sent by the first encryption network bridge and the second encryption network bridge, respectively acquiring master keys corresponding to the first encryption network bridge and the second encryption network bridge from a quantum key distribution network based on the registration messages, and verifying the registration messages.
In one embodiment, in the step S301: before receiving a source MAC address report message sent by a first encryption bridge, the method further comprises the following steps:
a security domain is defined for the cryptographic bridge.
In the embodiment, by dividing the security domain, pre-filling a large number of the same master keys into each device node in the security domain and randomly using the master keys, the problems of identity authentication and key distribution protection between the bridge device node and the management and control platform with encryption requirements are safely and efficiently solved.
Example 4
As shown in fig. 4, a fourth embodiment of the present invention provides a method for implementing ethernet data encryption and decryption by quantum key distribution and software definition, where the method includes the following steps:
S401, the first encryption bridge takes the MAC address information in its local encryption strategy MAC table as source MAC addresses and sends them to the management and control platform, where the encryption strategy MAC table comprises the MAC address information and the corresponding session key, and the session key is initially empty;
S402, the management and control platform applies for a corresponding session key for each received source MAC address, generates a first key distribution message and a second key distribution message, and distributes the messages to the first encryption bridge and the second encryption bridge, where the second encryption bridge is directly connected with the first encryption bridge;
S403, the first encryption bridge receives the first key distribution message, places the session key corresponding to each source MAC address into the source MAC address table entry in its local encryption strategy MAC table, and refreshes the encryption strategy MAC table;
S404, the second encryption bridge receives the second key distribution message and places each source MAC address and the corresponding session key into its local decryption strategy MAC table;
S405, the first encryption bridge takes out the session key matching the source MAC address of the Ethernet data frame from the encryption strategy MAC table and encrypts the outbound Ethernet data frame to obtain an encrypted message;
S406, the second encryption bridge takes out the session key matching the source MAC address of the Ethernet data frame from the decryption strategy MAC table and decrypts the inbound encrypted message.
In the embodiment, the source MAC address is automatically learned through the port of the encryption bridge, the learned source MAC address information is sent to the control platform, different session keys are generated by the control platform based on different source MAC addresses, and are distributed to other encryption bridges with association through the control platform, so that the automatic generation and centralized distribution of the session keys and encryption strategies are realized, and the problems of security strategy distribution and key management among Ethernet equipment with encryption intercommunication requirements are solved safely and efficiently. In this embodiment, mainly for an application scenario of two-layer ethernet frame encryption in which keys and encryption policies are distributed centrally, data encryption and decryption are performed based on a source MAC address and policy elements are automatically learned, and synchronization between session keys and encryption policies between associated encryption bridge device nodes is achieved by defining encryption policies and centralized distribution manners through software.
In one embodiment, each ethernet interface of the cryptographic bridge defines a type: the interface without other same type of encryption bridges is defined as a secret port, and the interface with other same type of encryption bridges is defined as a clear port. The secret port adds the source MAC address learned by the port into a local encryption strategy MAC table, the table entry consists of the MAC address and a corresponding session key (for encrypting an Ethernet frame taking the MAC address as the source MAC), the life cycle of the table entry is the same as that of the table entry of the common MAC table, and the session key is initially empty and is distributed by a management and control platform.
In an embodiment, the step S401: the first encryption bridge takes MAC address information in a local encryption strategy MAC table as a source MAC address and sends the source MAC address to the management and control platform, and the method comprises the following steps:
the first encryption bridge reports the MAC address information of its local encryption strategy MAC table to the management and control platform at irregular intervals, and the message format is as follows: 4-byte master key ID + 2-byte encryption policy MAC table addition count + k1 × (added source MAC address) + 2-byte encryption policy MAC table deletion count + k2 × (deleted source MAC address) + ICV (first integrity check value).
The master key ID is randomly selected from the master key pool of the first encryption bridge, and the ICV is the HMAC of the whole message calculated with the master key corresponding to that master key ID.
It should be noted that after each startup of the encryption bridge, after a period of port learning, a management channel is established to the management and control platform, the whole encryption policy MAC table is registered and reported, and at this time, the deletion count in the reported message is zero; when the content of the MAC table of the encryption strategy changes every time, namely a newly added or expired source MAC address exists, a report message is sent to the management and control platform, wherein the content comprises the newly added and deleted MAC addresses.
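The report message and its ICV, as an added Go example (not code from the patent): the bridge builds the key ID / added list / deleted list / ICV message, and the platform parses it, refusing to act on a report whose ICV does not verify under the master key named by the ID. HMAC-SHA256 for the ICV, big-endian counts and 6-byte MAC addresses are this example's assumptions; the page fixes only the field order and widths.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	macLen = 6
	icvLen = sha256.Size // HMAC-SHA256 for the ICV is this example's assumption
)

// MasterKey is one entry of the pre-filled master key pool: 4-byte ID + key bytes.
type MasterKey struct {
	ID  uint32
	Key []byte
}

// icv is the integrity check value: an HMAC over every byte that precedes it.
func icv(key, body []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(body)
	return h.Sum(nil)
}

// BuildReport encodes the bridge-side report:
// 4B master key ID + 2B add count + k1*MAC + 2B delete count + k2*MAC + ICV.
func BuildReport(mk MasterKey, added, deleted [][]byte) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, mk.ID)
	binary.Write(&buf, binary.BigEndian, uint16(len(added)))
	for _, m := range added {
		buf.Write(m)
	}
	binary.Write(&buf, binary.BigEndian, uint16(len(deleted)))
	for _, m := range deleted {
		buf.Write(m)
	}
	buf.Write(icv(mk.Key, buf.Bytes()))
	return buf.Bytes()
}

// readMACs reads a 2-byte count followed by that many 6-byte MAC addresses.
func readMACs(b []byte, p int) ([][]byte, int, error) {
	if p+2 > len(b) {
		return nil, p, errors.New("truncated count field")
	}
	n := int(binary.BigEndian.Uint16(b[p:]))
	p += 2
	if p+n*macLen > len(b) {
		return nil, p, errors.New("count exceeds message length")
	}
	out := make([][]byte, n)
	for i := range out {
		out[i] = b[p : p+macLen]
		p += macLen
	}
	return out, p, nil
}

// ParseReport is the platform side: fetch the master key named by the ID, verify the
// ICV before trusting any other field, then return the added and deleted MAC lists.
func ParseReport(msg []byte, lookup func(id uint32) (MasterKey, bool)) (added, deleted [][]byte, err error) {
	if len(msg) < 4+2+2+icvLen {
		return nil, nil, errors.New("report too short")
	}
	body, tag := msg[:len(msg)-icvLen], msg[len(msg)-icvLen:]
	mk, ok := lookup(binary.BigEndian.Uint32(body[:4]))
	if !ok {
		return nil, nil, errors.New("unknown master key ID")
	}
	if !hmac.Equal(tag, icv(mk.Key, body)) {
		return nil, nil, errors.New("ICV mismatch: report discarded, no key distribution")
	}
	p := 4
	if added, p, err = readMACs(body, p); err != nil {
		return nil, nil, err
	}
	if deleted, p, err = readMACs(body, p); err != nil {
		return nil, nil, err
	}
	if p != len(body) {
		return nil, nil, errors.New("trailing bytes after MAC lists")
	}
	return added, deleted, nil
}

func main() {
	// Constructed sample: one pre-filled master key known to both bridge and platform.
	mk := MasterKey{ID: 7, Key: []byte("constructed-master-key-7")}
	lookup := func(id uint32) (MasterKey, bool) { return mk, id == mk.ID }
	msg := BuildReport(mk, [][]byte{{2, 0, 0, 0, 0, 1}, {2, 0, 0, 0, 0, 2}}, nil) // startup report: delete count zero
	a, d, err := ParseReport(msg, lookup)
	fmt.Println(len(a), len(d), err) // 2 0 <nil>
}
```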
In an embodiment, in step S402, the method for generating a first key distribution packet and a second key distribution packet by applying for a corresponding session key for each received source MAC address by the management and control platform, and distributing the generated first key distribution packet and second key distribution packet to the first encryption bridge and the second encryption bridge includes the following steps:
s421, acquiring other second encryption bridge lists associated with the first encryption bridge according to a pre-constructed encryption bridge association table;
s422, for each newly added source MAC address, applying for a session key from the quantum key distribution network, and acquiring a master key corresponding to the first encryption bridge from the quantum key distribution network to encrypt the session key to obtain a first session key ciphertext; randomly acquiring a master key corresponding to a second encryption bridge from the quantum key distribution network to encrypt the session key, so as to obtain a second session key ciphertext; calculating ICV (integrity check value) of the first key distribution message and the second key distribution message by using the corresponding master key;
S423, sending the first key distribution packet and the second key distribution packet to the first encryption bridge and the associated second encryption bridge in sequence, distributing the session key and the corresponding MAC address, where the packet format is: 2-byte encryption strategy MAC table addition count + 4-byte master key ID + k1 × (newly added source MAC address + session key ciphertext) + ICV (integrity check value);
S424, sending the MAC deletion messages to the associated second encryption bridges in sequence, where the message format is: 2-byte encryption strategy MAC table addition count + 4-byte master key ID + k2 × (deleted source MAC address) + ICV (integrity check value);
and for each associated second encryption bridge, the management and control platform randomly acquires a master key corresponding to the bridge from the quantum key distribution network and uses the master key to perform ICV calculation.
It should be noted that after receiving the encryption policy MAC table message of the first encryption bridge, the management and control platform first obtains the master key corresponding to the KeyID of the first encryption bridge from the quantum key distribution network, and is configured to verify the MAC table message, generate a key distribution message when the verification passes, and terminate the data transmission process if the verification fails.
In an embodiment, the encryption bridge association table is established by the management and control platform for a security domain. The table is a two-dimensional matrix that can be represented by a two-dimensional array T[K][K] (K is the number of encryption bridges belonging to the security domain); T[i][j] = 1 indicates that an association exists between bridge i and bridge j, and data frames between associated bridges reach each other directly without being relayed by other encryption bridges. The association relation is set uniformly by an administrator according to the network topology.
In an embodiment, the step S403: the first encryption bridge receives the first key distribution message, places the session key corresponding to each source MAC address into a source MAC address table entry in a local encryption policy MAC table, and refreshes the encryption policy MAC table, including:
after receiving the first key distribution message, the first encryption bridge takes out the corresponding master key according to the master key ID to carry out integrity check and decryption on the frame;
and placing the session key corresponding to the source MAC address in the first key distribution message into a source MAC address table entry corresponding to the encryption strategy MAC table.
In one embodiment, the step S404: the second encryption bridge receives the second key distribution message and places each source MAC address and the corresponding session key into a local decryption strategy MAC table, and the method comprises the following steps:
after receiving the second key distribution message, the second encryption bridge takes out the corresponding master key according to the master key ID to carry out integrity check and decryption on the frame;
and adding each source MAC address and the corresponding session key in the second key distribution message into a decryption strategy MAC table, wherein the table entries are the source MAC address and the corresponding session key, and the source MAC address is the source MAC address in the key distribution message.
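Steps S422/S423 on the platform and S403/S404 on the bridge, as an added Go example that is not the patent's code: the platform wraps each session key under the recipient's master key and appends the ICV; the bridge selects the master key by ID, verifies the ICV before touching its table, and only then writes the decrypted session keys into the policy MAC table keyed by source MAC. AES-128 keys, AES-CBC under the master key's IV for the session key ciphertext, and HMAC-SHA256 for the ICV are assumptions; the page specifies the message layout but not these algorithms.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const macLen, keyLen, icvLen = 6, 16, sha256.Size // AES-128 keys and HMAC-SHA256 ICV are assumptions

// MasterKey follows the page's pre-filled format: 4-byte ID + n-byte key + n-byte IV (one block).
type MasterKey struct {
	ID      uint32
	Key, IV []byte
}

func icv(key, body []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(body)
	return h.Sum(nil)
}

// wrap encrypts (encrypt=true) or decrypts one session key block with AES-CBC under the master key.
func wrap(blk cipher.Block, iv, in []byte, encrypt bool) []byte {
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	}
	return out
}

// BuildKeyDistribution is the platform side (S422/S423):
// 2B add count + 4B master key ID + k1*(source MAC + session key ciphertext) + ICV.
func BuildKeyDistribution(mk MasterKey, entries map[[macLen]byte][]byte) ([]byte, error) {
	blk, err := aes.NewCipher(mk.Key)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint16(len(entries)))
	binary.Write(&buf, binary.BigEndian, mk.ID)
	for mac, sk := range entries {
		if len(sk) != keyLen {
			return nil, errors.New("session key must be exactly one cipher block")
		}
		buf.Write(mac[:])
		buf.Write(wrap(blk, mk.IV, sk, true))
	}
	buf.Write(icv(mk.Key, buf.Bytes()))
	return buf.Bytes(), nil
}

// ApplyKeyDistribution is the bridge side (S403/S404): select the master key by ID, verify the
// ICV, then decrypt each session key into the policy table. The table is untouched on any error.
func ApplyKeyDistribution(msg []byte, pool map[uint32]MasterKey, table map[[macLen]byte][]byte) (int, error) {
	if len(msg) < 2+4+icvLen {
		return 0, errors.New("message too short")
	}
	body, tag := msg[:len(msg)-icvLen], msg[len(msg)-icvLen:]
	mk, ok := pool[binary.BigEndian.Uint32(body[2:6])]
	if !ok {
		return 0, errors.New("unknown master key ID")
	}
	if !hmac.Equal(tag, icv(mk.Key, body)) {
		return 0, errors.New("ICV mismatch: message discarded")
	}
	n := int(binary.BigEndian.Uint16(body[:2]))
	if len(body) != 6+n*(macLen+keyLen) {
		return 0, errors.New("count does not match message length")
	}
	blk, err := aes.NewCipher(mk.Key)
	if err != nil {
		return 0, err
	}
	for i, p := 0, 6; i < n; i, p = i+1, p+macLen+keyLen {
		var mac [macLen]byte
		copy(mac[:], body[p:p+macLen])
		table[mac] = wrap(blk, mk.IV, body[p+macLen:p+macLen+keyLen], false)
	}
	return n, nil
}

func main() {
	// Constructed sample keys; real ones come from the QKD-filled master key pool.
	mk := MasterKey{ID: 3, Key: []byte("0123456789abcdef"), IV: []byte("fedcba9876543210")}
	src := [macLen]byte{2, 0, 0, 0, 0, 1}
	msg, _ := BuildKeyDistribution(mk, map[[macLen]byte][]byte{src: []byte("session-key-0001")})
	table := map[[macLen]byte][]byte{}
	n, err := ApplyKeyDistribution(msg, map[uint32]MasterKey{mk.ID: mk}, table)
	fmt.Println(n, err, string(table[src])) // 1 <nil> session-key-0001
}
```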
In an embodiment, the step S405: the first encryption bridge takes out the session key matched with the source MAC address of the Ethernet data frame from the encryption strategy MAC table, encrypts the outbound Ethernet data frame to obtain an encrypted message, and comprises the following steps:
the first encryption bridge device node encrypts the outbound Ethernet data frame (forwarded through any clear port) whose source MAC address matches the encryption strategy MAC table; that is, the session key in the entry matching the source MAC address of the frame is taken out of the encryption strategy MAC table, and the frame data other than the Ethernet frame header is encrypted. The encryption mode is CBC for the part that is an integral multiple of the algorithm's block size plus CFB for the remaining part, and no additional data is added.
In an embodiment, the step S406: the second encryption bridge takes out the session key matching the source MAC address of the Ethernet data frame from the decryption strategy MAC table and decrypts the inbound encrypted message, including the following steps:
the second encryption bridge device node decrypts the inbound (received through the arbitrary clear port) ethernet data frame of the source MAC address matching decryption policy MAC table, that is, takes out the session key in the entry matching the source MAC address of the frame from the decryption policy MAC table, and decrypts the frame data except the ethernet frame header.
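The S405/S406 frame operation, as an added Go example (not the patent's code): the Ethernet header stays in the clear, CBC covers the whole-block part of the payload and CFB the remainder, so the encrypted frame is exactly as long as the original. AES-128, a per-session-key IV carried with the key, and chaining the CFB part from the last CBC ciphertext block are this example's assumptions; the page states only CBC plus CFB with no added data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

const ethHeaderLen = 14 // destination MAC + source MAC + EtherType stay in the clear

// SessionKey is what the encryption/decryption policy MAC table stores per source MAC.
// The page adds no per-frame data, so the IV is assumed to travel with the session key.
type SessionKey struct {
	Key, IV []byte
}

// cryptFrame keeps the Ethernet header, runs CBC over the whole-block part of the payload and
// CFB over the remaining bytes, so the frame length does not change. The CFB IV is the last CBC
// ciphertext block (or the session IV when the payload is shorter than one block); that
// chaining choice is this example's, the page does not specify it.
func cryptFrame(sk SessionKey, frame []byte, encrypt bool) ([]byte, error) {
	if len(frame) < ethHeaderLen {
		return nil, errors.New("frame shorter than Ethernet header")
	}
	blk, err := aes.NewCipher(sk.Key)
	if err != nil {
		return nil, err
	}
	if len(sk.IV) != blk.BlockSize() {
		return nil, errors.New("session IV must be one cipher block")
	}
	out := make([]byte, len(frame))
	copy(out, frame[:ethHeaderLen])
	in, res := frame[ethHeaderLen:], out[ethHeaderLen:]
	bs := blk.BlockSize()
	full := len(in) / bs * bs
	cfbIV := sk.IV
	if full > 0 {
		if encrypt {
			cipher.NewCBCEncrypter(blk, sk.IV).CryptBlocks(res[:full], in[:full])
			cfbIV = res[full-bs : full]
		} else {
			cipher.NewCBCDecrypter(blk, sk.IV).CryptBlocks(res[:full], in[:full])
			cfbIV = in[full-bs : full]
		}
	}
	if full < len(in) {
		var s cipher.Stream
		if encrypt {
			s = cipher.NewCFBEncrypter(blk, cfbIV)
		} else {
			s = cipher.NewCFBDecrypter(blk, cfbIV)
		}
		s.XORKeyStream(res[full:], in[full:])
	}
	return out, nil
}

// EncryptFrame is the outbound secret-port operation (S405); DecryptFrame the inbound one (S406).
func EncryptFrame(sk SessionKey, frame []byte) ([]byte, error) { return cryptFrame(sk, frame, true) }
func DecryptFrame(sk SessionKey, frame []byte) ([]byte, error) { return cryptFrame(sk, frame, false) }

// sourceMAC returns the field (bytes 6..11) that both policy tables are keyed by.
func sourceMAC(frame []byte) [6]byte {
	var m [6]byte
	copy(m[:], frame[6:12])
	return m
}

func main() {
	// Constructed sample: 14-byte header with source MAC 02:00:00:00:00:01 and a 37-byte
	// payload (two full AES blocks plus 5 residual bytes), so both the CBC and CFB paths run.
	sk := SessionKey{Key: []byte("0123456789abcdef"), IV: []byte("fedcba9876543210")}
	table := map[[6]byte]SessionKey{{2, 0, 0, 0, 0, 1}: sk}
	frame := append([]byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 2, 0, 0, 0, 0, 1, 0x08, 0x00}, make([]byte, 37)...)
	enc, _ := EncryptFrame(table[sourceMAC(frame)], frame)
	dec, _ := DecryptFrame(table[sourceMAC(frame)], enc)
	fmt.Println(len(enc) == len(frame), bytes.Equal(enc[:14], frame[:14]), bytes.Equal(dec, frame)) // true true true
}
```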
In an embodiment, the method further comprises: and after receiving the MAC deletion message, the second encryption network bridge takes out the master key according to the ID of the master key to carry out integrity check on the frame, and then sequentially deletes the table entry of the corresponding source MAC address in the decryption strategy MAC table according to each source MAC address in the message.
It should be noted that, the encryption strategy realizes on-demand encryption by dynamically adding or deleting the learning MAC address, and improves the effective utilization of the resources of the encryption bridge device.
In one embodiment, in the step S401: before the first encryption bridge uses the MAC address information in the local encryption policy MAC table as a source MAC address and sends the source MAC address to the management and control platform, the method further includes:
the first encryption bridge and the second encryption bridge in the security domain are started, connect to the management and control platform through a management channel (a port on which an IP can be configured), establish a reliable connection (TCP long connection) and register; the format of the registration message is as follows: encryption bridge ID || encryption bridge management IP || random number R || KeyID || HMAC(Key, encryption bridge ID || encryption bridge management IP || random number R || KeyID);
in the above expression, HMAC(Key, data) indicates that a keyed hash operation is performed on data with Key, where Key is the master key corresponding to the randomly selected KeyID. After receiving the registration request, the management and control platform acquires the master key corresponding to the KeyID of the encryption bridge from the QKD network and verifies the registration message.
In one embodiment, in the step S401: before the first encryption bridge uses the MAC address information in the local encryption policy MAC table as a source MAC address and sends the source MAC address to the management and control platform, the method further includes:
defining a security domain by a control platform;
the first encryption bridge and the second encryption bridge send key filling requests to the quantum key distribution network; a large number of master keys are pre-filled into the storage medium of each device node by using a large-capacity secure storage medium such as a secure TF card or a secure U-shield; the key format is 4-byte key ID + n-byte key + n-byte initialization vector (n depends on the encryption algorithm); and the quantum key distribution network (QKD) stores the master keys and key IDs distributed to the device nodes in the different security domains in its key pool.
The pre-filled master keys are injected into the encryption bridge device nodes in the domain from the secure storage medium, a master key pool is established, and a key bitmap indicates whether each key has been used.
In the embodiment, by dividing the security domain, and pre-filling a large number of the same master keys for each device node in the security domain and randomly using the master keys, the problems of identity authentication and key distribution protection between the bridge device node with the encryption requirement and the management and control platform are safely and efficiently solved.
The embodiment mainly aims at the application scene of two-layer Ethernet frame encryption for centrally distributing keys and encryption strategies, data encryption and decryption are carried out based on source MAC addresses and automatic learning is carried out to form strategy elements, synchronization of session keys and encryption strategies among related encryption bridge equipment nodes is realized through software defined encryption strategies and a centralized distribution mode, and one-time pad in the session key distribution process and identity authentication of equipment in a domain are realized through pre-filling a large number of main keys, so that safe, efficient and controllable Ethernet data frame encryption transmission is realized.
Example 5
As shown in fig. 5, a fifth embodiment of the present invention proposes an encryption bridge, comprising:
a source MAC address message sending module 11, configured to send, to the management and control platform, MAC address information in a local encryption policy MAC table as a source MAC address, where the encryption policy MAC table includes the MAC address information and a corresponding session key, and the session key is initially empty;
a first key distribution message receiving module 12, configured to receive a first key distribution message returned by the management and control platform, where the first key distribution message includes a source MAC address and a corresponding session key;
a first encryption and decryption policy MAC table management module 13, configured to put a session key corresponding to each source MAC address into a source MAC address table entry in a local encryption policy MAC table, and refresh the encryption policy MAC table;
and the first data encryption and decryption module 14 is configured to take out the session key matching the source MAC address of the ethernet data frame from the encryption policy MAC table, and encrypt the ethernet data frame to obtain an encrypted message.
In the embodiment, the source MAC address is automatically learned through the encryption bridge port, the learned source MAC address information is sent to the control platform, different session keys are generated by the control platform based on different source MAC addresses, and are distributed to other encryption bridges with incidence relations through the control platform, so that the session keys and encryption strategies are automatically generated and distributed in a centralized manner, and the problems of security strategy distribution and key management among Ethernet devices with encryption intercommunication requirements are solved safely and efficiently. In this embodiment, mainly for an application scenario of two-layer ethernet frame encryption in which keys and encryption policies are distributed centrally, data encryption and decryption are performed based on a source MAC address and policy elements are automatically learned, and synchronization between session keys and encryption policies between associated encryption bridge device nodes is achieved by defining encryption policies and centralized distribution manners through software.
In one embodiment, a master key pool is arranged in the first encryption bridge, and the master keys and master key IDs pre-filled by the quantum key distribution system are stored in the master key pool;
correspondingly, the source MAC address packet sending module 11 is specifically configured to execute the following steps:
and sending an MAC address message to the control platform at irregular intervals, wherein the MAC address message carries information including a master key ID, an encryption strategy MAC table addition count, an added source MAC address, an encryption strategy MAC table deletion count, a deleted source MAC address and a first integrity check value.
It should be noted that the source MAC address packet sending module 11 is configured to report the MAC address information of the local encryption policy MAC table of the network bridge to the management and control platform at irregular intervals, where a packet format of the MAC address packet is as follows:
4-byte master key ID + 2-byte encryption policy MAC table addition count + k1 × (newly added source MAC address) + 2-byte encryption policy MAC table deletion count + k2 × (deleted source MAC address) + ICV (first integrity check value), where k1 and k2 are the number of newly added source MAC addresses and the number of deleted source MAC addresses respectively.
In an embodiment, the first encryption and decryption policy MAC table management module 13 specifically includes:
a first check decryption unit, configured to obtain a corresponding master key from a master key pool of the first check decryption unit by using the master key ID, perform integrity check on the second integrity check value, and decrypt the session key ciphertext to obtain a session key corresponding to each source MAC address;
and the first encryption strategy MAC table refreshing unit is used for placing the session key corresponding to each source MAC address into a source MAC address table entry in a local encryption strategy MAC table and refreshing the encryption strategy MAC table.
In an embodiment, the first data encryption and decryption module 14 specifically includes:
a first session key reading unit, configured to take out a session key matching an ethernet data frame source MAC address from the encryption policy MAC table;
and the first data encryption and decryption unit is used for encrypting the frame data of the Ethernet data frames except the frame headers by using the session key, wherein the encryption mode adopts a CBC algorithm combined with a CFB algorithm.
In an embodiment, the encryption bridge further includes a registration message sending module, configured to:
connecting to the management and control platform through a management channel and sending a registration message, where the format of the registration message is as follows: first encryption bridge ID || first encryption bridge management IP || random number R || KeyID || HMAC(Key, first encryption bridge ID || first encryption bridge management IP || random number R || KeyID), where HMAC(Key, data) represents performing a keyed hash operation on data with Key, and Key is the randomly selected master key corresponding to the first encryption bridge's KeyID.
In one embodiment, the cryptographic bridge further comprises a port type definition module to:
defining the Ethernet interface types of the first encryption bridge, where an interface not connected to another encryption bridge of the same type is defined as a secret port, an interface connected to another encryption bridge of the same type is defined as a clear port, and the secret port adds the source MAC addresses learned on that port into the local encryption strategy MAC table.
In one embodiment, the cryptographic bridge further comprises a key application module configured to:
sending a key filling request to the quantum key distribution network or a key agent;
and receiving the main key filled by the quantum key distribution network through a first secure storage medium, establishing a main key pool, and identifying whether each main key is used or not by adopting a key bitmap, wherein the quantum key distribution network stores the main key and the main key ID distributed to each encryption bridge in different secure domains.
It should be noted that, for other embodiments or implementation details of the encryption bridge according to the present invention, reference can be made to method embodiment 1 above, which is not repeated here.
Example 6
As shown in fig. 6, a sixth embodiment of the present invention proposes an encryption bridge, comprising:
a second key distribution message receiving module 21, configured to receive a second key distribution message returned by the management and control platform, where the second key distribution message includes a source MAC address and a corresponding session key;
the second encryption and decryption policy MAC table management module 22 is configured to place each source MAC address and the corresponding session key into a local decryption policy MAC table;
an encrypted message receiving module 23, configured to receive an encrypted message sent by a first encrypted network bridge, where the encrypted message is obtained by the first encrypted network bridge extracting a session key matching an ethernet data frame source MAC address from a local encryption policy MAC table of the first encrypted network bridge, and encrypting an ethernet data frame;
and a second data encryption and decryption module 24, configured to take out a session key that matches the ethernet frame source MAC address from the decryption policy MAC table, and decrypt the encrypted packet.
The encryption bridge in the embodiment is used as a receiver and is associated with the encryption bridge of the sender, the control platform generates different session keys based on different source MAC addresses, and the session keys and encryption strategies are distributed to other receiver encryption bridges in association relation with the encryption bridge of the sender through the control platform, so that automatic generation and centralized distribution of the session keys and the encryption strategies are realized, and the problems of security strategy distribution and key management among Ethernet devices with encryption intercommunication requirements are solved safely and efficiently. In this embodiment, mainly for an application scenario of two-layer ethernet frame encryption in which keys and encryption policies are distributed centrally, data encryption and decryption are performed based on a source MAC address and policy elements are automatically learned, and synchronization between session keys and encryption policies between associated encryption bridge device nodes is achieved by defining encryption policies and centralized distribution manners through software.
In one embodiment, the cryptographic bridge further comprises:
a deleted message receiving module, configured to receive an MAC deleted message returned by the management and control platform, where information carried in the MAC deleted message includes an encryption policy MAC table addition count, a master key ID, a deleted source MAC address, and a third integrity check value;
a checking module for selecting a corresponding master key from the master key pool according to the master key ID to perform integrity check on the third integrity check value;
and the decryption strategy MAC table refreshing module is used for sequentially deleting the table entries of the corresponding source MAC addresses in the decryption strategy MAC table according to each source MAC address in the MAC deleting message and refreshing the decryption strategy MAC table.
In the embodiment, the encryption strategy realizes encryption according to needs by dynamically increasing or deleting the MAC address, and the effective utilization of the resources of the encryption network bridge equipment is improved.
In an embodiment, the encryption bridge further includes a registration message sending module, configured to:
connecting to the management and control platform through a management channel and sending a registration message, where the format of the registration message is as follows: second encryption bridge ID || second encryption bridge management IP || random number R || KeyID || HMAC(Key, second encryption bridge ID || second encryption bridge management IP || random number R || KeyID), where HMAC(Key, data) represents performing a keyed hash operation on data with Key, and Key is the randomly selected master key corresponding to the second encryption bridge's KeyID.
In one embodiment, the cryptographic bridge further comprises a port definition module to:
defining the Ethernet interface types of the first encryption bridge, where an interface not connected to another encryption bridge of the same type is defined as a secret port, and an interface connected to another encryption bridge of the same type is defined as a clear port.
It should be noted that in this embodiment, the clear port and the encrypted port of the second encryption bridge may perform the functions of the ports of the normal bridge, and the inbound ethernet data frame may be forwarded through any clear port.
In one embodiment, the cryptographic bridge further comprises a key application module configured to:
sending a key filling request to the quantum key distribution network or a key agent;
and receiving the master key filled by the quantum key distribution network through a second secure storage medium, establishing a master key pool, and identifying whether each master key is used or not by adopting a key bitmap, wherein the quantum key distribution network stores the master keys and master key IDs (identity) distributed to various encryption bridges in different secure domains.
It should be noted that the encryption bridge acting as the receiver integrates the second secure storage medium; the first secure storage medium may be a large-capacity secure storage medium including but not limited to a secure TF card or a secure U-shield and is used to pre-fill a large number of master keys into the first encryption bridge; the key format is 4-byte key ID + n-byte key + n-byte initialization vector (n depends on the encryption algorithm); the second encryption bridge constructs its master key pool according to this key format; and the quantum key distribution network stores the master keys and key IDs distributed to each device node in the different security domains in its key pool.
In the embodiment, the one-time pad in the session key distribution process and the identity authentication of the equipment in the domain are realized by pre-filling a large number of master keys, so that the safe, efficient and manageable ethernet data frame encryption transmission is realized.
It should be noted that, for other embodiments or implementations of the encryption bridge of the present invention, reference can be made to method embodiment 2 above, which is not repeated here.
Example 7
As shown in fig. 7, a seventh embodiment of the present invention provides a management and control platform, where the management and control platform includes:
the message receiving module 31 is configured to receive a source MAC address report message sent by a first encryption bridge, where the source MAC address report message carries information that includes a master key ID corresponding to the first encryption bridge and a source MAC address in an encryption policy MAC table;
a session key application module 32, configured to apply for a corresponding session key from the quantum key distribution network for each received newly added source MAC address;
and a key distribution message generation module 33, configured to generate a first key distribution message and a second key distribution message based on the session key, and distribute the first key distribution message and the second key distribution message to the first encryption bridge and the second encryption bridge, where the second encryption bridge is directly connected to the first encryption bridge.
In this embodiment, MAC addresses are learned automatically through the bridge ports, the management and control platform generates different session keys for different source MAC addresses, and it distributes the session keys and encryption strategy to the first encryption bridge and to the second encryption bridges associated with it, so that automatic generation and centralized distribution of session keys and encryption strategy are realized, and the problems of security strategy distribution and key management among Ethernet devices with encryption intercommunication requirements are solved securely and efficiently.
In one embodiment, the session key application module 32 includes:
a verification unit, configured to obtain the master key corresponding to the first encryption bridge from the quantum key distribution network and verify the first integrity check value using that master key;
and a session key application unit, configured to apply to the quantum key distribution network for a corresponding session key for each received newly added source MAC address.
In an embodiment, the key distribution message generation module 33 includes:
a first key distribution unit, configured to encrypt the session key using the master key corresponding to the first encryption bridge and generate the first key distribution message;
a second key distribution unit, configured to encrypt the session key using the master key corresponding to the second encryption bridge and generate the second key distribution message;
the information carried by the first and second key distribution messages includes an encryption strategy MAC table addition count, a master key ID, the newly added source MAC addresses, the corresponding session key ciphertexts and a second integrity check value.
In an embodiment, the management and control platform further includes a delete message sending module, configured to:
sending a MAC deletion message to the second encryption bridge, where the information carried by the MAC deletion message includes an encryption strategy MAC table addition count, a master key ID, the deleted source MAC addresses and a third integrity check value.
In an embodiment, the management and control platform further includes an association table establishing module, configured to:
establishing an encryption bridge association table for the security domain, where the table is a two-dimensional matrix T[K][K], K is the number of encryption bridges belonging to the security domain, T[i][j] = 1 indicates that bridge i and bridge j are associated, and associated encryption bridges are directly connected.
In an embodiment, the management and control platform further includes a registration module, configured to:
receiving the registration messages sent by the first and second encryption bridges, obtaining from the quantum key distribution network, based on those messages, the master keys corresponding to the first and second encryption bridges respectively, and verifying the registration messages.
In an embodiment, the management and control platform further includes a security domain delineation module, configured to:
define a security domain for the encryption bridges.
In this embodiment, by dividing security domains, pre-filling a large number of identical master keys into each device node in the security domain and using the master keys randomly, the problems of identity authentication and key distribution protection between bridge device nodes with encryption requirements and the management and control platform are solved securely and efficiently.
It should be noted that other embodiments or implementations of the encryption bridge of the present invention may refer to method embodiment 3 above and are not repeated here.
Example 8
As shown in fig. 8, an eighth embodiment of the present invention further provides a system for implementing ethernet encryption and decryption by quantum key distribution and software definition, where the system includes a first encryption bridge 1, a second encryption bridge 2, a management and control platform 3, and a quantum key distribution system 4, where the first encryption bridge 1 is associated with the second encryption bridge 2 and is connected to the management and control platform 3 and the quantum key distribution system 4, the management and control platform 3 is connected to the quantum key distribution system 4, and both the first encryption bridge 1 and the second encryption bridge 2 integrate a secure storage medium;
the management and control platform is used for distributing an encryption strategy and a session key based on the source MAC address information reported by the first encryption network bridge;
the quantum key distribution network is used to distribute master keys to the management and control platform and to the secure storage media;
the first encryption bridge and the second encryption bridge are used for encrypting and decrypting user Ethernet data frames transmitted through the bridges.
It should be noted that the components of the system are as follows. Management and control platform: provides the correspondence among encryption bridges, key agents and quantum network nodes, distributes the encryption strategy and session keys, divides security domains, and provides registration and identity binding services for the encryption bridges;
Key agent: provides a proxy for key filling and online key distribution when the nodes of the quantum key distribution network cannot directly provide key filling and online key distribution services;
Quantum key distribution network: consists of quantum network nodes and a quantum network link control center, and provides services such as quantum key generation and online distribution, quantum key relay and quantum key provision;
Quantum network node: stores the generated quantum keys, receives key applications from the key agent, and either provides keys to the key agent or directly provides key filling and online key distribution services;
Quantum network link control center: establishes quantum key distribution and relay links between nodes according to the quantum network node IDs;
Encryption bridge: encrypts and decrypts the user Ethernet data frames transmitted through the bridge, and comprises a data encryption and decryption processing module, an encryption and decryption strategy MAC table management module, a registration and management agent module, a key injection module and the like.
It should be understood that the key distribution device involved in this embodiment includes but is not limited to a QKD key distribution network; the key pre-filling function may be implemented with any symmetric key management system and device, and the symmetric cipher and cryptographic hash algorithm involved may be any algorithm that complies with the national cryptographic management regulations.
In an embodiment, as shown in fig. 9, the registration and management agent module is configured to send a registration message to the management and control platform to complete registration, send a key application to the quantum key distribution system, and obtain, through the secure storage medium, the master keys pre-filled by the quantum key distribution network;
the key injection module is used for constructing a master key pool according to the master key in the secure storage medium;
the data encryption and decryption processing module is configured to take out the session key matching the source MAC address of an Ethernet data frame from the encryption strategy MAC table and encrypt the outbound Ethernet data frame to obtain an encrypted message; and to take out the session key matching the source MAC address of an Ethernet data frame from the decryption strategy MAC table and decrypt the inbound encrypted message;
the encryption and decryption strategy MAC table management module is configured to, according to the key distribution message returned by the management and control platform, place the session key corresponding to each source MAC address into the source MAC address entry of the local encryption strategy MAC table and refresh the encryption strategy MAC table; to place each source MAC address and the corresponding session key carried in the key distribution message returned by the management and control platform into the local decryption strategy MAC table; and, according to the MAC deletion message returned by the management and control platform, to delete in turn the entry of each source MAC address listed in the message from the decryption strategy MAC table.
In one embodiment, each Ethernet interface of the encryption bridge is assigned a type: an interface not connected to another encryption bridge of the same type is defined as a secret port, and an interface connected to another encryption bridge of the same type is defined as a clear port. In addition to performing the functions of an ordinary bridge port, the clear and secret ports forward outbound and inbound Ethernet data frames, and the secret port adds the source MAC addresses it learns to the local encryption strategy MAC table. The entries of that table consist of a MAC address and the corresponding session key (Ethernet frames with that MAC address as source MAC are encrypted); the lifetime of an entry is the same as that of an ordinary MAC table entry, and the session key is initially empty and is distributed by the management and control platform.
In one embodiment, the governing platform comprises:
an association table establishing module, configured to establish an encryption bridge association table for the security domain; the table is a two-dimensional matrix, representable as a two-dimensional array T[K][K] (K is the number of encryption bridges belonging to the security domain), where T[i][j] = 1 indicates that bridge i and bridge j are associated, meaning data frames between them can reach each other directly without being relayed by another encryption bridge. The association relation is set uniformly by the administrator according to the network topology;
and an encryption and decryption strategy MAC table refreshing module, configured to apply for a corresponding session key for each received source MAC address, generate the first key distribution message, the second key distribution message and the deletion message, distribute the key distribution messages to the sender's and the receiver's encryption bridges, and send the deletion message to the receiver's encryption bridge.
It should be noted that other embodiments or implementations of the encryption bridge and the management and control platform of the present invention may refer to embodiments 5 to 7 above and are not repeated here.
It should be noted that, as shown in fig. 10, the working flow of the system for implementing ethernet data encryption and decryption by quantum key distribution and software definition proposed in this embodiment is as follows:
(1) The management and control platform defines the security domain; a secure storage medium is used to pre-fill a large number of master keys from the quantum key distribution network into the storage medium of each encryption bridge device node. The key format is a 4-byte key ID + an n-byte key and an n-byte initialization vector (n depends on the encryption algorithm), and the quantum key distribution network (QKD) stores, in its key pool, the master keys and key IDs distributed to the device nodes in the different security domains.
(2) The pre-filled master keys are injected into the encryption bridge device nodes in the domain, a master key pool is established, and a key bitmap indicates whether each key has been used.
(3) The management and control platform establishes an encryption bridge association table for the security domain. The table is a two-dimensional matrix, representable as a two-dimensional array T[K][K] (K is the number of encryption bridges belonging to the security domain); T[i][j] = 1 indicates that bridge i and bridge j are associated, meaning data frames between them can reach each other directly without being relayed by another encryption bridge. The association relation is set uniformly by the administrator according to the network topology.
The management and control platform establishes an encryption strategy MAC table for each encryption bridge. The table contains the source MAC addresses of the devices directly connected to that bridge (not reached through another encryption bridge) and the session key used to encrypt Ethernet frames having that MAC address as source address; the key is obtained by the management and control platform applying to the QKD network.
(4) When an encryption bridge in the security domain starts, it connects to the management and control platform through the management channel (a port that can be configured with an IP address),
establishes a reliable connection (a long-lived TCP connection) and registers; the registration message format is:
Encryption bridge ID || encryption bridge management IP || random number R || KeyID || HMAC(Key, encryption bridge ID || encryption bridge management IP || random number R || KeyID)
In the above format, HMAC(Key, data) denotes a keyed hash operation on data using Key, where Key is the master key corresponding to a randomly selected KeyID. After receiving the registration request, the management and control platform obtains the master key corresponding to the encryption bridge's KeyID from the QKD network and verifies the registration message.
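The master key pool of step (2) and the registration exchange of step (4), as an added example that is not part of the patent or of any product it describes. It assumes the key record layout the text gives (4-byte key ID + n-byte key + n-byte IV, with n = 16 here), a usage bitmap over the key IDs, and a registration message laid out as a 4-byte bridge ID, a 4-byte IPv4 management address, a 16-byte random number R, a 4-byte KeyID and an HMAC-SHA256 tag; all of those sizes, the hash function, and the function names are assumptions. The platform's lookup of the bridge's master key, which the text says comes from the QKD network, is stood in for by a dictionary.

```python
import hashlib
import hmac
import secrets
import struct

KEY_LEN = 16  # n in the text: key and IV length in bytes (assumed 16 here)
# Pre-filled record format stated in the text: 4-byte key ID + n-byte key + n-byte IV.
RECORD_FMT = ">I%ds%ds" % (KEY_LEN, KEY_LEN)
RECORD_LEN = struct.calcsize(RECORD_FMT)
# Registration message layout (assumed): 4-byte bridge ID, 4-byte IPv4 management
# address, 16-byte random number R, 4-byte KeyID, followed by a 32-byte HMAC-SHA256.
REG_FMT = ">I4s16sI"
REG_BODY_LEN = struct.calcsize(REG_FMT)
TAG_LEN = 32


def make_prefill_blob(num_keys, rng=secrets.token_bytes):
    """Constructed stand-in for the contents of the secure storage medium."""
    return b"".join(struct.pack(RECORD_FMT, kid, rng(KEY_LEN), rng(KEY_LEN))
                    for kid in range(1, num_keys + 1))


class MasterKeyPool:
    """Master key pool built from the pre-filled records; a bitmap records
    which key IDs have already been consumed (step (2) of the workflow)."""

    def __init__(self, blob):
        self.keys = {}
        for off in range(0, len(blob), RECORD_LEN):
            kid, key, iv = struct.unpack(RECORD_FMT, blob[off:off + RECORD_LEN])
            self.keys[kid] = (key, iv)
        self.index = {kid: i for i, kid in enumerate(sorted(self.keys))}
        self.bitmap = bytearray((len(self.keys) + 7) // 8)  # one bit per key ID

    def is_used(self, kid):
        i = self.index[kid]
        return bool(self.bitmap[i // 8] & (1 << (i % 8)))

    def mark_used(self, kid):
        i = self.index[kid]
        self.bitmap[i // 8] |= 1 << (i % 8)

    def pick_unused(self):
        """Random selection among unused IDs; the ID is consumed immediately."""
        unused = [k for k in self.keys if not self.is_used(k)]
        if not unused:
            raise RuntimeError("master key pool exhausted: re-fill from the QKD network")
        kid = secrets.choice(unused)
        self.mark_used(kid)
        return kid


def reg_hmac(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()


def build_registration(pool, bridge_id, mgmt_ip):
    """Bridge side (step 4): ID || management IP || R || KeyID || HMAC(Key, same fields)."""
    kid = pool.pick_unused()
    key, _iv = pool.keys[kid]
    ip = bytes(int(x) for x in mgmt_ip.split("."))
    body = struct.pack(REG_FMT, bridge_id, ip, secrets.token_bytes(16), kid)
    return body + reg_hmac(key, body)


def verify_registration(platform_keys, msg):
    """Platform side: fetch the master key for (bridge ID, KeyID) and check the
    keyed hash. Returns (bridge_id, mgmt_ip, key_id) or None on any failure."""
    if len(msg) != REG_BODY_LEN + TAG_LEN:
        return None
    body, tag = msg[:REG_BODY_LEN], msg[REG_BODY_LEN:]
    bridge_id, ip, _r, kid = struct.unpack(REG_FMT, body)
    rec = platform_keys.get((bridge_id, kid))
    if rec is None:
        return None
    key, _iv = rec
    if not hmac.compare_digest(tag, reg_hmac(key, body)):
        return None
    return bridge_id, ".".join(str(b) for b in ip), kid
```

The bitmap is consumed on the bridge side only; the text does not say how the platform tracks which KeyIDs it has already accepted. A platform implementation would additionally record each (bridge ID, KeyID) it has verified and reject a second message under the same KeyID, otherwise a captured registration message could be replayed even though it carries a random number R.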
(5) Each Ethernet interface of the encryption bridge is assigned a type: an interface not connected to another encryption bridge of the same type is defined as a secret port, and an interface connected to another encryption bridge of the same type is defined as a clear port. In addition to performing the functions of an ordinary bridge port, the secret port adds the source MAC addresses it learns to the local encryption strategy MAC table; each entry consists of a MAC address and the corresponding session key (Ethernet frames with that MAC address as source MAC are encrypted), the lifetime of an entry is the same as that of an ordinary MAC table entry, and the session key is initially null and is distributed by the management and control platform.
(6) The first encryption bridge, acting as the sender, reports the MAC address information of its local encryption strategy MAC table to the management and control platform at irregular intervals; the message format is:
4-byte master key ID + 2-byte encryption strategy MAC table addition count + k1 × (newly added source MAC address) + 2-byte encryption strategy MAC table deletion count + k2 × (deleted source MAC address) + ICV (integrity check value)
The master key ID is selected at random, and the ICV is the HMAC of the whole message computed with the master key corresponding to that ID.
Each time the first encryption bridge (the sender) starts and has performed port learning for a period of time, it establishes a management channel to the management and control platform, registers, and reports the whole encryption strategy MAC table; the deletion count in that report is zero. Whenever the content of the encryption strategy MAC table changes, that is, a source MAC address is added or expires, a report message containing the added and deleted MAC addresses is sent to the management and control platform.
(7) After receiving the encryption strategy MAC table report message of the first encryption bridge (the sender), the management and control platform obtains the master key corresponding to the bridge's KeyID from the QKD network and verifies the report message. It then refreshes the encryption strategy MAC table corresponding to that bridge according to the reported source MACs and triggers the key distribution process for that bridge:
1) obtain the list of other encryption bridges associated with this bridge from the association table;
2) for each newly added source MAC address, apply to the QKD network for a session key and encrypt it separately with a (randomly selected) master key of the local bridge (the bridge that sent the report) and of each associated bridge, forming session key ciphertexts for the different encryption bridges; the same master key is also used to compute the ICV (integrity check value) of the key distribution message in step 3);
3) send a key distribution message in turn to the first encryption bridge and to the associated second encryption bridges, distributing the session keys and the corresponding MAC addresses; the message format is:
2-byte encryption strategy MAC table addition count + 4-byte master key ID + k1 × (newly added source MAC address + session key ciphertext) + ICV (integrity check value)
4) send MAC deletion messages in turn to the associated encryption bridges; the message format is:
2-byte encryption strategy MAC table addition count + 4-byte master key ID + k2 × (deleted source MAC address) + ICV (integrity check value)
For each associated encryption bridge, the management and control platform obtains a randomly selected master key of that bridge from the QKD network and computes the ICV with it.
(8) After an encryption bridge in the security domain receives a key distribution message, it takes out the master key according to the master key ID, checks the integrity of the frame and decrypts it. The sender bridge that issued the report places the session key of each source MAC address in the key distribution message into the corresponding source MAC address entry of its encryption strategy MAC table; each encryption bridge associated with the sender adds every source MAC address and corresponding session key in the distribution message to its decryption strategy MAC table, whose entries consist of the source MAC address taken from the key distribution message and the corresponding session key.
(9) After an associated encryption bridge receives a MAC deletion message, it takes out the master key according to the master key ID, checks the integrity of the frame, and then deletes from its decryption strategy MAC table, in turn, the entry of each source MAC address listed in the message.
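The report, key distribution and MAC deletion messages of steps (6) to (9), together with the platform-side processing that the modules of embodiment 7 describe (association table lookup, one session key per new source MAC, a key distribution message for the sender and each associated bridge), as an added example that is not part of the patent or of any product it describes. The 4-byte master key ID and 2-byte counts are taken from the message formats in the text; 6-byte MAC addresses, 16-byte session keys, an HMAC-SHA256 ICV, and the choice to form the session key ciphertext as master key XOR session key (the one-time pad the text attributes to the pre-filled master keys) are assumptions, as are all function names. Each bridge's master keys are a plain dictionary of key ID to key; the platform reads the same dictionaries where the text says it fetches keys from the QKD network.

```python
import hashlib
import hmac
import secrets
import struct

MAC_LEN, KEY_LEN, ICV_LEN = 6, 16, 32   # assumed sizes; key ID and counts follow the text


def icv(master_key, body):
    """ICV = HMAC of the whole message under the master key named in the message."""
    return hmac.new(master_key, body, hashlib.sha256).digest()


def otp(master_key, data):
    """Session key ciphertext = master key XOR session key (one-time pad); self-inverse."""
    return bytes(a ^ b for a, b in zip(master_key, data))


def pick_master(master_keys):
    """Random master key ID for this message (usage bitmap handling is out of scope here)."""
    return secrets.choice(sorted(master_keys))


def split_icv(master_keys, msg, key_id):
    """Return the message body after checking the trailing ICV; raise on any mismatch."""
    body, tag = msg[:-ICV_LEN], msg[-ICV_LEN:]
    if key_id not in master_keys or not hmac.compare_digest(tag, icv(master_keys[key_id], body)):
        raise ValueError("ICV check failed or unknown master key ID")
    return body


# step (6): the sender bridge reports added and deleted source MACs
def build_report(master_keys, added, deleted):
    key_id = pick_master(master_keys)
    body = struct.pack(">IH", key_id, len(added)) + b"".join(added)
    body += struct.pack(">H", len(deleted)) + b"".join(deleted)
    return body + icv(master_keys[key_id], body)


def parse_report(master_keys, msg):
    key_id, k1 = struct.unpack(">IH", msg[:6])
    body = split_icv(master_keys, msg, key_id)
    pos = 6
    added = [body[pos + i * MAC_LEN:pos + (i + 1) * MAC_LEN] for i in range(k1)]
    pos += k1 * MAC_LEN
    (k2,) = struct.unpack(">H", body[pos:pos + 2])
    pos += 2
    deleted = [body[pos + i * MAC_LEN:pos + (i + 1) * MAC_LEN] for i in range(k2)]
    if pos + k2 * MAC_LEN != len(body):
        raise ValueError("report length does not match its counts")
    return added, deleted


# step (7): the platform builds key distribution and MAC deletion messages
def build_key_dist(master_keys, entries):
    key_id = pick_master(master_keys)
    mk = master_keys[key_id]
    body = struct.pack(">HI", len(entries), key_id)
    body += b"".join(mac + otp(mk, sk) for mac, sk in entries)
    return body + icv(mk, body)


def build_delete(master_keys, macs):
    key_id = pick_master(master_keys)
    body = struct.pack(">HI", len(macs), key_id) + b"".join(macs)
    return body + icv(master_keys[key_id], body)


def associated(T, i):
    """Row i of the association table T[K][K]: the bridges j with T[i][j] == 1."""
    return [j for j in range(len(T)) if j != i and T[i][j] == 1]


def platform_handle_report(T, sender, pool_of, report, qkd_session_key=secrets.token_bytes):
    """Verify the report, draw one session key per new source MAC, and return the
    messages per bridge index: the sender gets a key distribution message, each
    associated bridge gets one plus a deletion message when MACs were deleted."""
    added, deleted = parse_report(pool_of[sender], report)
    entries = [(mac, qkd_session_key(KEY_LEN)) for mac in added]
    out = {sender: [build_key_dist(pool_of[sender], entries)]}
    for j in associated(T, sender):
        out[j] = [build_key_dist(pool_of[j], entries)]
        if deleted:
            out[j].append(build_delete(pool_of[j], deleted))
    return out


# steps (8) and (9): the receiving bridge refreshes its strategy MAC table
def apply_key_dist(master_keys, msg, table):
    k1, key_id = struct.unpack(">HI", msg[:6])
    body = split_icv(master_keys, msg, key_id)
    mk = master_keys[key_id]
    pos = 6
    for _ in range(k1):
        mac = body[pos:pos + MAC_LEN]
        table[mac] = otp(mk, body[pos + MAC_LEN:pos + MAC_LEN + KEY_LEN])
        pos += MAC_LEN + KEY_LEN
    return table


def apply_delete(master_keys, msg, table):
    k2, key_id = struct.unpack(">HI", msg[:6])
    body = split_icv(master_keys, msg, key_id)
    for i in range(k2):
        table.pop(body[6 + i * MAC_LEN:6 + (i + 1) * MAC_LEN], None)
    return table
```

Two points matter when turning this into a real implementation. First, the XOR form only deserves the name one-time pad if a master key ID is never reused: every ID drawn by `pick_master` has to be marked in the key bitmap of step (2) on both the bridge and the platform, since two session keys padded with the same master key reveal their XOR. Second, the ICV is checked before any table is modified, so a message with a wrong key ID or a modified body leaves both the encryption and the decryption strategy MAC tables untouched.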
(10) The first encryption bridge device node, as the sender, encrypts the outbound Ethernet data frames (forwarded through any clear port) whose source MAC address matches the encryption strategy MAC table: it takes from the table the session key in the entry matching the frame's source MAC address and encrypts the frame data other than the Ethernet frame header. The encryption mode is CBC for the part that is an integer multiple of the algorithm's block size and CFB for the remainder, and no additional data is added to the frame.
(11) The second encryption bridge device node, as the receiver, decrypts the inbound Ethernet data frames (received through any clear port) whose source MAC address matches the decryption strategy MAC table: it takes from the table the session key in the entry matching the frame's source MAC address and decrypts the frame data other than the Ethernet frame header.
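The per-frame processing of steps (5), (10) and (11), as an added example that is not part of the patent or of any product it describes: a secret port learns a source MAC into the encryption strategy MAC table with an empty key, the sender encrypts everything after the 14-byte Ethernet header in CBC mode for the whole blocks and CFB mode for the remaining bytes so the frame keeps its length, and the receiver reverses it from its decryption strategy MAC table. The block cipher is a constructed 16-byte Feistel toy built on HMAC-SHA256, used only so the example runs offline; a deployment would use a standards-compliant block cipher in its place. The text does not say where the IV comes from, so deriving it from the session key and the frame header is an assumption, as are the function names.

```python
import hashlib
import hmac

BLOCK = 16      # block size of the stand-in cipher; a deployment uses a real block cipher
ETH_HDR = 14    # destination MAC (6) + source MAC (6) + EtherType (2)
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    """Keyed round function of the constructed Feistel block cipher (toy, not a real cipher)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l            # undo the final swap so decryption mirrors encryption


def block_decrypt(key, block):
    r, l = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def cbc_cfb_encrypt(key, iv, data):
    """CBC over the whole blocks, CFB over the remaining bytes: output has the input's length."""
    full = len(data) - len(data) % BLOCK
    out, prev = bytearray(), iv
    for off in range(0, full, BLOCK):
        prev = block_encrypt(key, _xor(data[off:off + BLOCK], prev))
        out += prev
    if full < len(data):     # CFB keystream from the last ciphertext block (or the IV)
        out += _xor(data[full:], block_encrypt(key, prev))
    return bytes(out)


def cbc_cfb_decrypt(key, iv, data):
    full = len(data) - len(data) % BLOCK
    out, prev = bytearray(), iv
    for off in range(0, full, BLOCK):
        cur = data[off:off + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    if full < len(data):
        out += _xor(data[full:], block_encrypt(key, prev))
    return bytes(out)


def derive_iv(session_key, header):
    """Assumed IV derivation: no extra data travels in the frame, so the IV is
    computed from the session key and the cleartext Ethernet header on both sides."""
    return hmac.new(session_key, header, hashlib.sha256).digest()[:BLOCK]


def learn_on_secret_port(enc_table, frame):
    """Step (5): a secret port adds the learned source MAC with an empty session key."""
    enc_table.setdefault(frame[6:12], None)


def frame_encrypt(enc_table, frame):
    """Step (10): outbound frame on a clear port. Frames outside the strategy pass
    unchanged; a frame whose key has not been distributed yet is dropped (None)."""
    if len(frame) < ETH_HDR or frame[6:12] not in enc_table:
        return frame
    sk = enc_table[frame[6:12]]
    if sk is None:
        return None
    hdr, payload = frame[:ETH_HDR], frame[ETH_HDR:]
    return hdr + cbc_cfb_encrypt(sk, derive_iv(sk, hdr), payload)


def frame_decrypt(dec_table, frame):
    """Step (11): inbound frame on a clear port; None when no session key matches."""
    sk = dec_table.get(frame[6:12]) if len(frame) >= ETH_HDR else None
    if sk is None:
        return None
    hdr, payload = frame[:ETH_HDR], frame[ETH_HDR:]
    return hdr + cbc_cfb_decrypt(sk, derive_iv(sk, hdr), payload)
```

Two consequences of the "no additional data" design are visible here. Because nothing is appended to the frame, the receiver has no integrity check on the payload: a modified ciphertext decrypts to garbage rather than being rejected, so integrity has to come from a higher layer. And because the IV cannot be carried in the frame, it has to be derivable on both sides; with a header-derived IV as assumed here, two identical frames from the same source produce identical ciphertext. The example also drops, rather than forwards in clear, a frame whose source MAC is in the table but whose session key has not yet arrived from the platform; the text leaves that window unspecified, and failing closed is the safer default.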
The technical effects of this embodiment are as follows:
(1) By dividing security domains, pre-filling a large number of identical master keys into each device node in the security domain and using the master keys randomly, the problems of identity authentication and key distribution protection between bridge device nodes with encryption requirements and the control center are solved securely and efficiently;
(2) Through automatic MAC learning on the bridge ports, the generation of different session keys for different source MACs, and the distribution of those session keys by the control center to the other associated encryption bridges, automatic generation and centralized distribution of session keys and encryption strategy are realized, and the problems of security strategy distribution and key management among Ethernet devices with encryption intercommunication requirements are solved securely and efficiently;
(3) The encryption strategy encrypts on demand by dynamically adding and deleting MAC addresses, which improves the effective utilization of the encryption bridge's resources.
This embodiment mainly targets the application scenario of layer-2 Ethernet frame encryption with centrally distributed keys and encryption strategy: data are encrypted and decrypted based on the source MAC address, the strategy elements are formed by automatic learning, the session keys and encryption strategy of associated encryption bridge device nodes are synchronized through a software-defined encryption strategy and centralized distribution, and the pre-filled master keys provide a one-time pad for the session key distribution process and identity authentication of devices within the domain, so that secure, efficient and manageable encrypted transmission of Ethernet data frames is realized.
It should be noted that the logic and/or steps represented in the flowcharts or otherwise described herein, such as an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Further, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
In the description of the specification, reference to the description of "one embodiment," "some embodiments," "an example," "a specific example," or "some examples" or the like means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Furthermore, the terms "first", "second" and "first" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or to implicitly indicate the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims (22)

1. A method for realizing Ethernet data encryption by quantum key distribution and software definition is applied to a first encryption bridge, and comprises the following steps:
taking MAC address information in a local encryption strategy MAC table as a source MAC address and sending the source MAC address to a control platform, wherein the encryption strategy MAC table comprises the MAC address information and a corresponding session key, and the session key is initially empty;
receiving a first key distribution message returned by the control platform, wherein the first key distribution message comprises a source MAC address and a corresponding session key;
putting a session key corresponding to each source MAC address into a source MAC address table entry in a local encryption strategy MAC table, and refreshing the encryption strategy MAC table;
and taking out the session key matched with the source MAC address of the Ethernet data frame from the encryption strategy MAC table, and encrypting the Ethernet data frame to obtain an encrypted message.
2. The method for implementing ethernet data encryption by quantum key distribution and software definition according to claim 1, wherein a master key pool is provided in the first encryption bridge, and the master key pool stores a master key and a master key ID pre-filled by a quantum key distribution system;
correspondingly, the sending the MAC address information in the local encryption policy MAC table as the source MAC address to the management and control platform includes:
and sending an MAC address message to the control platform at irregular intervals, wherein the MAC address message carries information including a master key ID, an encryption strategy MAC table addition count, an added source MAC address, an encryption strategy MAC table deletion count, a deleted source MAC address and a first integrity check value.
3. The method for implementing ethernet data encryption by quantum key distribution and software definition according to claim 1, wherein the first key distribution packet carries information including encryption policy MAC table addition count, master key ID, added source MAC address, corresponding session key ciphertext, and second integrity check value;
correspondingly, the step of placing the session key corresponding to each source MAC address into the source MAC address table entry in the local encryption policy MAC table to refresh the encryption policy MAC table includes:
acquiring a corresponding master key from a master key pool by using the master key ID, performing integrity check on the second integrity check value and decrypting the session key ciphertext to obtain a session key corresponding to each source MAC address;
and putting the session key corresponding to each source MAC address into a source MAC address table entry in a local encryption strategy MAC table, and refreshing the encryption strategy MAC table.
4. The method for implementing ethernet data encryption by quantum key distribution and software definition according to claim 1, wherein the step of taking out the session key matching the source MAC address of the ethernet data frame from the encryption policy MAC table, and encrypting the ethernet data frame to obtain the encrypted packet comprises:
taking out a session key matched with the Ethernet data frame source MAC address from the encryption strategy MAC table;
and encrypting the frame data of the Ethernet data frames except the frame headers by using the session key, wherein the encryption mode adopts a CBC algorithm combined with a CFB algorithm.
5. The method for implementing ethernet data encryption using quantum key distribution and software definition according to claim 1, wherein before the step of sending the MAC address information in the local encryption policy MAC table to the management and control platform as the source MAC address, the method further comprises:
the management and control platform is connected through a management channel, and a registration message is sent, wherein the format of the registration message is as follows: the first encryption bridge ID | | the first encryption bridge manages the IP | | random number R | | KeyID | | HMAC (Key, the first encryption bridge ID | | the first encryption bridge manages the IP | | random number R | | KeyID), wherein HMAC (Key, data) represents that a Key is adopted to perform keyed hash operation on data, and Key is a randomly selected master Key corresponding to the first encryption bridge identification KeyID.
6. The method for implementing ethernet data encryption using quantum key distribution and software definition according to claim 1, wherein before said sending the MAC address information in the local encryption policy MAC table as the source MAC address to the management and control platform, the method further comprises:
and defining the Ethernet interface type of the first encryption bridge, wherein the interface which is not connected with other encryption bridges of the same type is defined as a secret port, the interface which is connected with other encryption bridges of the same type is defined as a clear port, and the secret port is used for adding the source MAC address learned by the port into a local encryption strategy MAC table.
7. The method for implementing ethernet data encryption using quantum key distribution and software definition according to claim 1, wherein before said sending the MAC address information in the local encryption policy MAC table as the source MAC address to the management and control platform, the method further comprises:
sending a key fill request to the quantum key distribution network or to a key agent;
and receiving, through a first secure storage medium, the master keys filled by the quantum key distribution network, establishing a master key pool, and marking with a key bitmap whether each master key has been used, wherein the quantum key distribution network stores, in different security domains, the master keys and master key IDs distributed to each encryption bridge.
8. A method for realizing Ethernet data decryption by quantum key distribution and software definition is applied to a second encryption bridge, and comprises the following steps:
receiving a second key distribution message returned by the management and control platform, wherein the second key distribution message comprises a source MAC address and a corresponding session key;
each source MAC address and the corresponding session key are placed into a local decryption strategy MAC table;
receiving an encrypted message sent by a first encryption bridge, wherein the encrypted message is obtained by the first encryption bridge taking, from its local encryption policy MAC table, the session key matched to the source MAC address of an Ethernet data frame and encrypting the Ethernet data frame;
and taking out the session key matched with the Ethernet data frame source MAC address from the decryption strategy MAC table, and decrypting the encrypted message.
9. The method for implementing Ethernet data decryption using quantum key distribution and software definition according to claim 8, wherein a master key pool is provided in the second encryption bridge, the master key pool storing master keys and master key IDs pre-filled by the quantum key distribution system, and the method further comprises:
receiving a MAC deletion message returned by the management and control platform, wherein the information carried by the MAC deletion message includes an encryption policy MAC table addition count, a master key ID, the deleted source MAC addresses and a third integrity check value;
according to the master key ID, selecting a corresponding master key from the master key pool to perform integrity check on the third integrity check value;
and deleting, in turn, the table entry of each corresponding source MAC address in the decryption policy MAC table according to each source MAC address in the MAC deletion message, and refreshing the decryption policy MAC table.
10. The method for implementing ethernet data decryption by quantum key distribution and software definition according to claim 8, wherein before receiving a second key distribution packet returned by the management and control platform, where the second key distribution packet includes a source MAC address and a corresponding session key, the method further includes:
connecting to the management and control platform through a management channel and sending a registration message, the format of the registration message being: second encryption bridge ID || second encryption bridge management IP || random number R || KeyID || HMAC(Key, second encryption bridge ID || second encryption bridge management IP || random number R || KeyID), wherein HMAC(Key, data) denotes a keyed hash operation performed on data with Key, and Key is a randomly selected master key corresponding to the second encryption bridge's key identifier KeyID.
11. The method for implementing ethernet data decryption by using quantum key distribution and software definition according to claim 8, wherein before receiving a second key distribution packet returned by the management and control platform, where the second key distribution packet includes a source MAC address and a corresponding session key, the method further includes:
defining the Ethernet interface types of the first encryption bridge, wherein an interface not connected to another encryption bridge of the same type is defined as a secret port and an interface connected to another encryption bridge of the same type is defined as a clear port.
12. The method for implementing ethernet data decryption by using quantum key distribution and software definition according to claim 8, wherein before receiving a second key distribution packet returned by the management and control platform, where the second key distribution packet includes a source MAC address and a corresponding session key, the method further includes:
sending a key fill request to the quantum key distribution network or to a key agent;
and receiving, through a second secure storage medium, the master keys filled by the quantum key distribution network, establishing a master key pool, and marking with a key bitmap whether each master key has been used, wherein the quantum key distribution network stores, in different security domains, the master keys and master key IDs distributed to each encryption bridge.
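The master key pool with its key bitmap (claims 7 and 12) and the registration message built from a master key chosen out of that pool (claims 5 and 10), written out in Python as an added illustration; this is not code from the patent or from the applicant. Everything the claims leave open is an assumption here: HMAC-SHA256 as the keyed hash, SHA-256-derived bytes standing in for the QKD-filled master keys, a 16-byte random number R, 2-byte length prefixes between the concatenated fields, and that choosing a master key for registration sets its bit in the bitmap.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample master keys, standing in for the key material that the
# quantum key distribution network fills into the secure storage medium.
SAMPLE_MASTER_KEYS = {kid: hashlib.sha256(b"demo-master-key-%d" % kid).digest()
                      for kid in range(1, 5)}


class MasterKeyPool:
    """Master key pool; an integer bitmap marks which master keys are used."""

    def __init__(self, keys):
        self.keys = dict(keys)   # KeyID -> master key bytes
        self.used_bitmap = 0     # bit KeyID is set once that key has been used

    def is_used(self, key_id):
        return bool((self.used_bitmap >> key_id) & 1)

    def select_unused(self):
        """Randomly choose an unused master key and set its bit (assumed policy)."""
        unused = [kid for kid in self.keys if not self.is_used(kid)]
        if not unused:
            raise RuntimeError("master key pool exhausted; send a key fill request")
        kid = secrets.choice(unused)
        self.used_bitmap |= 1 << kid
        return kid, self.keys[kid]


def _concat(bridge_id, mgmt_ip, r, key_id):
    """bridge ID || management IP || R || KeyID, each field length-prefixed so
    the '||' concatenation cannot be split two ways (assumed encoding)."""
    parts = [bridge_id.encode(), mgmt_ip.encode(), r, key_id.to_bytes(4, "big")]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def build_registration(pool, bridge_id, mgmt_ip):
    """Bridge side: ID || IP || R || KeyID || HMAC(Key, ID || IP || R || KeyID)."""
    key_id, key = pool.select_unused()
    r = os.urandom(16)
    tag = hmac.new(key, _concat(bridge_id, mgmt_ip, r, key_id), hashlib.sha256).digest()
    return {"bridge_id": bridge_id, "mgmt_ip": mgmt_ip, "R": r, "KeyID": key_id, "HMAC": tag}


def verify_registration(msg, platform_master_keys):
    """Platform side: find the master key by KeyID and recompute the tag."""
    key = platform_master_keys.get(msg["KeyID"])
    if key is None:
        return False   # unknown KeyID: reject rather than guess a key
    data = _concat(msg["bridge_id"], msg["mgmt_ip"], msg["R"], msg["KeyID"])
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["HMAC"])
```

The platform only ever verifies against the master key named by KeyID, and a KeyID it does not hold is a rejection, not a lookup failure to work around; the length prefixes keep a bridge ID that ends in digits from being confused with the start of the IP field.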
13. A distribution method of an encryption policy and a session key is applied to a management and control platform, and comprises the following steps:
receiving a source MAC address report message sent by a first encryption bridge, wherein the source MAC address report message carries information including a master key ID corresponding to the first encryption bridge and a source MAC address in an encryption strategy MAC table;
applying a corresponding session key from the quantum key distribution network aiming at each received newly added source MAC address;
and respectively generating a first key distribution message and a second key distribution message based on the session key, and distributing the messages to the first encryption bridge and the second encryption bridge, wherein the second encryption bridge is directly connected with the first encryption bridge.
14. The distribution method of encryption policy and session key according to claim 13, wherein the information carried by the source MAC address report message includes a master key ID, an encryption policy MAC table addition count, the added source MAC addresses, an encryption policy MAC table deletion count, the deleted source MAC addresses and a first integrity check value;
correspondingly, before applying for a corresponding session key from the quantum key distribution network for each received source MAC address, the method further comprises:
and acquiring a master key corresponding to the first encryption bridge from the quantum key distribution network, and verifying the first integrity check value by using the master key.
15. The encryption policy and session key distribution method according to claim 13, wherein the generating a first key distribution packet and a second key distribution packet based on the session key, respectively, comprises:
encrypting the session key by using a master key corresponding to the first encryption bridge to generate a first key distribution message;
encrypting the session key by using a master key corresponding to the second encryption bridge to generate a second key distribution message;
the information carried by the first key distribution message and the second key distribution message includes an encryption policy MAC table addition count, a master key ID, the added source MAC addresses, the corresponding session key ciphertexts and a second integrity check value.
16. The method for distributing encryption policy and session key according to claim 13, wherein before receiving the source MAC address report message sent by the first encryption bridge, the method further comprises:
establishing an encryption bridge association table for a security domain, wherein the encryption bridge association table is a two-dimensional matrix T[K][K], K is the number of encryption bridges belonging to the security domain, T[i][j] = 1 indicates that bridge i and bridge j are associated, and associated encryption bridges are directly connected;
correspondingly, before said applying for a corresponding session key from the quantum key distribution network for each received source MAC address, the method further includes:
obtaining a second cryptographic bridge associated with the first cryptographic bridge based on the cryptographic bridge association table.
17. The method for distributing encryption policies and session keys according to claim 13, wherein after said applying for a corresponding session key from the quantum key distribution network for each new source MAC address received, the method further comprises:
and sending a MAC deletion message to the second encryption bridge, wherein the information carried by the MAC deletion message includes an encryption policy MAC table addition count, a master key ID, the deleted source MAC addresses and a third integrity check value.
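The management and control platform side of claims 13 to 17 as an added Python illustration (not code from the patent or the applicant): the association matrix T[K][K], verification of the source MAC address report with the master key named by its master key ID, one session key per added source MAC, and the first and second key distribution messages and MAC deletion messages for the associated bridges. Assumed, because the claims do not specify them: HMAC-SHA256 with length-prefixed fields and a domain tag for each integrity check value, 2-byte counts and master key IDs, a list of constructed keys standing in for session keys applied from the QKD network, and session key ciphertext produced by XOR with an HMAC-derived mask instead of a named cipher.

```python
import hashlib
import hmac

# Constructed sample keys: master keys per bridge (as held by the QKD network
# and the platform) and session keys the platform hands out in order.
SAMPLE_MASTER_KEYS = {1: hashlib.sha256(b"mk-A").digest(),
                      2: hashlib.sha256(b"mk-B").digest(),
                      3: hashlib.sha256(b"mk-C").digest()}
SAMPLE_SESSION_KEYS = [hashlib.sha256(b"sk-%d" % i).digest() for i in range(4)]


def _u16(n):
    return n.to_bytes(2, "big")


def _icv(master_key, *parts):
    """Integrity check value: HMAC-SHA256 over length-prefixed fields (assumed)."""
    data = b"".join(_u16(len(p)) + p for p in parts)
    return hmac.new(master_key, data, hashlib.sha256).digest()


def _report_icv(master_key, added, deleted):
    return _icv(master_key, b"report", _u16(len(added)), *added, _u16(len(deleted)), *deleted)


def wrap_session_key(master_key, mac, session_key):
    """Session key ciphertext under a bridge's master key. Stand-in: XOR with an
    HMAC mask bound to the MAC; symmetric, so the bridge unwraps the same way."""
    mask = hmac.new(master_key, b"wrap" + mac, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(session_key, mask))


def build_report(bridge_id, master_key_id, master_key, added, deleted):
    """Bridge side: source MAC address report carrying the first integrity check value."""
    return {"bridge_id": bridge_id, "master_key_id": master_key_id,
            "added": list(added), "deleted": list(deleted),
            "icv": _report_icv(master_key, added, deleted)}


def verify_key_distribution(master_key, msg):
    """Bridge side: check the second integrity check value before using any key."""
    expected = _icv(master_key, b"dist", _u16(msg["count"]), _u16(msg["master_key_id"]),
                    *msg["macs"], *msg["session_key_ct"])
    return hmac.compare_digest(expected, msg["icv"])


class ManagementPlatform:
    def __init__(self, bridge_ids, bridge_key_ids, master_keys, session_keys):
        self.index = {bid: i for i, bid in enumerate(bridge_ids)}
        k = len(bridge_ids)
        self.T = [[0] * k for _ in range(k)]    # encryption bridge association table T[K][K]
        self.bridge_key_ids = bridge_key_ids    # bridge ID -> master key ID it was filled with
        self.master_keys = master_keys          # master key ID -> master key, from the QKD network
        self.session_keys = iter(session_keys)  # stand-in for keys applied from the QKD network

    def associate(self, a, b):
        """T[i][j] = T[j][i] = 1: bridges a and b are directly connected."""
        i, j = self.index[a], self.index[b]
        self.T[i][j] = self.T[j][i] = 1

    def associated_bridges(self, a):
        i = self.index[a]
        return [bid for bid, j in self.index.items() if self.T[i][j] == 1]

    def _distribution_msg(self, bridge_id, entries):
        kid = self.bridge_key_ids[bridge_id]
        mk = self.master_keys[kid]
        macs = [mac for mac, _ in entries]
        cts = [wrap_session_key(mk, mac, sk) for mac, sk in entries]
        icv = _icv(mk, b"dist", _u16(len(entries)), _u16(kid), *macs, *cts)
        return {"count": len(entries), "master_key_id": kid, "macs": macs,
                "session_key_ct": cts, "icv": icv}

    def _deletion_msg(self, bridge_id, deleted):
        kid = self.bridge_key_ids[bridge_id]
        mk = self.master_keys[kid]
        icv = _icv(mk, b"del", _u16(len(deleted)), _u16(kid), *deleted)
        return {"count": len(deleted), "master_key_id": kid, "macs": list(deleted), "icv": icv}

    def handle_report(self, report):
        """Verify the report with the master key its master key ID names, apply one
        session key per added source MAC, and build key distribution messages for the
        reporting bridge and each associated bridge plus MAC deletion messages for the
        associated bridges. Returns (distribution_msgs, deletion_msgs), or None when
        the master key ID is unknown or the first integrity check value fails."""
        mk = self.master_keys.get(report["master_key_id"])
        if mk is None or not hmac.compare_digest(
                _report_icv(mk, report["added"], report["deleted"]), report["icv"]):
            return None
        entries = [(mac, next(self.session_keys)) for mac in report["added"]]
        peers = self.associated_bridges(report["bridge_id"])
        dist = {bid: self._distribution_msg(bid, entries) for bid in [report["bridge_id"]] + peers}
        dels = {bid: self._deletion_msg(bid, report["deleted"]) for bid in peers} if report["deleted"] else {}
        return dist, dels
```

The same session key reaches both bridges, but each copy is wrapped and integrity-protected under that bridge's own master key, so a bridge that is not in the association row of the reporting bridge receives nothing; the domain tags keep a report, a distribution message and a deletion message from being replayed as one another even when their fields coincide.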
18. A method for realizing Ethernet data encryption and decryption by quantum key distribution and software definition is characterized by comprising the following steps:
a first encryption bridge sends MAC address information in a local encryption policy MAC table to a management and control platform as source MAC addresses, the encryption policy MAC table comprising the MAC address information and the corresponding session keys, the session keys being initially empty;
the management and control platform applies for a corresponding session key for each received source MAC address, generates a first key distribution message and a second key distribution message, and distributes the messages to the first encryption bridge and the second encryption bridge, wherein the second encryption bridge is directly connected with the first encryption bridge;
the first encryption bridge receives the first key distribution message, puts the session key corresponding to each source MAC address into that source MAC address's table entry in the local encryption policy MAC table, and refreshes the encryption policy MAC table;
the second encryption bridge receives the second key distribution message and places each source MAC address and the corresponding session key into a local decryption policy MAC table;
the first encryption bridge takes, from the encryption policy MAC table, the session key matched to the source MAC address of an Ethernet data frame and encrypts the outbound Ethernet data frame to obtain an encrypted message;
and the second encryption bridge takes, from the decryption policy MAC table, the session key matched to the source MAC address of the Ethernet data frame and decrypts the inbound encrypted message.
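The end-to-end data path of claims 4, 8 and 18 as an added Python illustration, not code from the patent or the applicant: a per-bridge policy MAC table keyed by source MAC, frame encryption that leaves the 14-byte Ethernet header in clear and encrypts the rest in CFB mode, and the matching decryption at the second bridge. Assumptions not in the claims: the block cipher is not named, so a keyed PRF (HMAC-SHA256 truncated to 16 bytes) stands in for it, which CFB permits because it only runs the cipher forward; a random 16-byte IV is prepended to the ciphertext; the claim's combination of CBC with CFB is not detailed and only CFB is shown; and a frame whose source MAC has no session key yet is not forwarded.

```python
import hashlib
import hmac
import os

ETH_HEADER_LEN = 14   # destination MAC (6) | source MAC (6) | EtherType (2) stays in clear
SEGMENT = 16          # CFB segment size in bytes (assumed)

# Constructed sample: one session key and one frame from host A to host B.
SAMPLE_SESSION_KEY = hashlib.sha256(b"demo-session-key").digest()
SRC_MAC = bytes.fromhex("0a1122334455")
DST_MAC = bytes.fromhex("0a66778899aa")
SAMPLE_FRAME = DST_MAC + SRC_MAC + b"\x08\x00" + b"IPv4 payload from host A, not a multiple of 16"


def _block_fn(key, prev):
    # Stand-in for the unnamed block cipher: CFB never needs the inverse,
    # so a keyed PRF truncated to one segment is a valid replacement.
    return hmac.new(key, prev, hashlib.sha256).digest()[:SEGMENT]


def cfb_encrypt(key, iv, plaintext):
    """CFB: C_i = P_i XOR E_k(C_{i-1}), C_0 = IV; the last segment may be short."""
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), SEGMENT):
        seg = plaintext[i:i + SEGMENT]
        c = bytes(p ^ k for p, k in zip(seg, _block_fn(key, prev)))
        out += c
        prev = c
    return bytes(out)


def cfb_decrypt(key, iv, ciphertext):
    """CFB decryption feeds the previous ciphertext segment back, not the plaintext."""
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), SEGMENT):
        seg = ciphertext[i:i + SEGMENT]
        out += bytes(c ^ k for c, k in zip(seg, _block_fn(key, prev)))
        prev = seg
    return bytes(out)


class EncryptionBridge:
    """One bridge. `table` is its encryption (outbound) or decryption (inbound)
    policy MAC table: source MAC -> session key, None until the management and
    control platform has distributed one."""

    def __init__(self):
        self.table = {}

    def learn_source(self, src_mac):
        """Secret port learns a source MAC; the entry waits for its session key."""
        self.table.setdefault(src_mac, None)

    def apply_key_distribution(self, entries):
        """Key distribution message: put each session key into its MAC entry."""
        for src_mac, session_key in entries.items():
            self.table[src_mac] = session_key

    def encrypt_frame(self, frame):
        """First bridge, outbound: keep the header, CFB-encrypt everything after it.
        Returns None when the source MAC has no session key yet (assumed: the
        frame is not forwarded in clear)."""
        header, payload = frame[:ETH_HEADER_LEN], frame[ETH_HEADER_LEN:]
        key = self.table.get(header[6:12])
        if key is None:
            return None
        iv = os.urandom(SEGMENT)
        return header + iv + cfb_encrypt(key, iv, payload)

    def decrypt_frame(self, message):
        """Second bridge, inbound: the same lookup on the clear source MAC."""
        header = message[:ETH_HEADER_LEN]
        key = self.table.get(header[6:12])
        if key is None:
            return None
        iv = message[ETH_HEADER_LEN:ETH_HEADER_LEN + SEGMENT]
        return header + cfb_decrypt(key, iv, message[ETH_HEADER_LEN + SEGMENT:])
```

Because the header travels in clear, the second bridge can find the key with nothing but the source MAC, which is what lets the scheme sit transparently on a bridge. The claims describe confidentiality only: nothing in the message authenticates the header or the ciphertext, so a deployment would add an integrity tag over both before trusting the decrypted frame.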
19. An encryption bridge, comprising:
the source MAC address message sending module is used for sending MAC address information in a local encryption strategy MAC table to the control platform as a source MAC address, wherein the encryption strategy MAC table comprises the MAC address information and a corresponding session key, and the session key is initially empty;
a first key distribution message receiving module, configured to receive a first key distribution message returned by the management and control platform, where the first key distribution message includes a source MAC address and a corresponding session key;
the first encryption and decryption strategy MAC table management module is used for placing the session key corresponding to each source MAC address into a source MAC address table entry in a local encryption strategy MAC table and refreshing the encryption strategy MAC table;
and the first data encryption and decryption module is used for taking out the session key matched with the Ethernet data frame source MAC address from the encryption strategy MAC table, and encrypting the Ethernet data frame to obtain an encrypted message.
20. An encryption bridge, comprising:
the second key distribution message receiving module is used for receiving a second key distribution message returned by the control platform, wherein the second key distribution message comprises a source MAC address and a corresponding session key;
the second encryption and decryption strategy MAC table management module is used for placing each source MAC address and the corresponding session key into a local decryption strategy MAC table;
the encrypted message receiving module is used for receiving an encrypted message sent by a first encryption bridge, wherein the encrypted message is obtained by taking, from the local encryption policy MAC table of the first encryption bridge, the session key matched to the source MAC address of an Ethernet data frame and encrypting the Ethernet data frame;
and the second data encryption and decryption module is used for taking, from the decryption policy MAC table, the session key matched to the source MAC address of the Ethernet data frame and decrypting the encrypted message.
21. A management and control platform, characterized in that the management and control platform comprises:
the message receiving module is used for receiving a source MAC address report message sent by a first encryption bridge, wherein the source MAC address report message carries information including a master key ID corresponding to the first encryption bridge and a source MAC address in an encryption strategy MAC table;
the session key application module is used for applying a corresponding session key from the quantum key distribution network aiming at each received newly added source MAC address;
and the key distribution message generation module is used for respectively generating a first key distribution message and a second key distribution message based on the session key and distributing the messages to the first encryption bridge and the second encryption bridge, and the second encryption bridge is directly connected with the first encryption bridge.
22. A system for realizing Ethernet data encryption and decryption by adopting quantum key distribution and software definition is characterized by comprising a first encryption bridge, a second encryption bridge, a control platform and a quantum key distribution system, wherein the first encryption bridge is associated with the second encryption bridge and is connected with the control platform and the quantum key distribution system;
the management and control platform is used for distributing an encryption strategy and a session key based on the source MAC address information reported by the first encryption network bridge;
the quantum key distribution network is used for performing master key distribution on the management and control platform and the secure storage medium;
the first encryption bridge and the second encryption bridge are used for encrypting and decrypting user Ethernet data frames transmitted through the bridges.
CN202211426006.6A 2022-11-15 2022-11-15 Method for realizing encryption and decryption of Ethernet data by adopting quantum key distribution and software definition Pending CN115766002A (en)


Publications (1)

Publication Number Publication Date
CN115766002A true CN115766002A (en) 2023-03-07

Family

ID=85371149

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116743380A (en) * 2023-08-14 2023-09-12 中电信量子科技有限公司 OTN encryption communication method and system based on quantum key distribution
CN116743380B (en) * 2023-08-14 2023-10-31 中电信量子科技有限公司 OTN encryption communication method and system based on quantum key distribution
CN117201005A (en) * 2023-09-08 2023-12-08 国家计算机网络与信息安全管理中心江苏分中心 IPv6 address dynamic coding method based on ZUC encryption and decryption and application method
CN117201005B (en) * 2023-09-08 2024-03-15 国家计算机网络与信息安全管理中心江苏分中心 IPv6 address dynamic coding method based on ZUC encryption and decryption and application method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination