CN116055091A - Method and equipment for realizing IPSec VPN by adopting software definition and quantum key distribution - Google Patents
- Publication number: CN116055091A (application CN202211427640.1A)
- Authority: CN (China)
- Prior art keywords: key, security, network, policy, management
- Legal status: Granted (the status is an assumption by Google, not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Classifications
- H04L63/20: Network architectures or network communication protocols for managing network security; network security policies in general
- H04L12/4633: Interconnection of networks using encapsulation techniques, e.g. tunneling
- H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L12/66: Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
- H04L63/0428: Confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/06: Supporting key management in a packet data network
- H04L9/0852: Key establishment by quantum cryptography
Landscapes
- Engineering & Computer Science; Computer Security & Cryptography; Computer Networks & Wireless Communication; Signal Processing; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Physics & Mathematics; Electromagnetism; Theoretical Computer Science; Data Exchanges In Wide-Area Networks
Abstract
The invention discloses a method for realizing an IPSec VPN using software definition and quantum key distribution. A management and control platform generates IPSec VPN security policies for the IPSec VPN gateway device nodes according to real-time traffic information and requests session keys from a quantum key distribution network; the device nodes only report traffic information and perform IPSec VPN tunnel encapsulation/decapsulation and encryption/decryption of the data streams. The invention also discloses a device for realizing the IPSec VPN. In this scheme the management and control platform is the sole centralized controller of the whole security domain and the IPSec VPN gateway is only an execution point; the system suits scenarios in which the network topology changes dynamically and offers higher security and scalability.
Description
Technical Field
The invention belongs to the field of cryptographic applications, in particular to network cryptographic devices built on a key distribution system.
Background
At present, the local area networks of enterprises, public institutions, party and government organs and their branches are interconnected by establishing secure encrypted channels through encryption gateways such as IPSec VPN (virtual private network using the IPSec protocol) devices. Different encryption gateways in the same security domain obtain digital certificates from the same certificate authority, then autonomously negotiate the session key used for data communication with a key exchange protocol such as IKE (Internet Key Exchange), and finally carry out encrypted data communication. This mode has the following problems:
1. The encryption gateways negotiate keys autonomously on the basis of their digital certificates, so the strength of central control is low: communication can only be controlled by means such as issuing access control policies, and mandatory access control cannot be achieved.
2. A communication channel that permits direct key negotiation is required, which is hard to realize in complex network environments such as NAT (Network Address Translation), especially when the gateways at both ends of the communication sit behind NAT before reaching the Internet.
3. The negotiation process is complex and carries a certain computation and communication cost, so a generated session key is normally used for a period of time; in terms of security a one-time pad cannot be achieved.
4. Key negotiation is based on asymmetric key pairs and digital certificates, and the public keys used to encrypt and transmit the session key material are public. As the computing capacity of quantum computers improves these may be broken, and the transmitted session keys decrypted and stolen.
5. The IPSec VPN gateway has to carry many security functions such as key management, key negotiation, policy management and data encryption/decryption, which places high demands on software and hardware resources, raises implementation cost and hurts maintainability.
Disclosure of Invention
The invention aims to solve the technical problems of IPSec VPN security policy setting and session key distribution when the network topology changes dynamically, and of IPSec VPN gateways being unable to negotiate keys directly in complex network environments such as NAT.
The invention solves these problems by the following technical means: a method for realizing an IPSec VPN by software definition and quantum key distribution, in which a management and control platform generates IPSec VPN security policies for the IPSec VPN gateway device nodes according to real-time traffic information and requests session keys from the quantum key distribution network, while the device nodes only report traffic information and perform tunnel encapsulation/decapsulation and encryption/decryption of the data streams.
As a further optimized technical solution, before the management and control platform generates an IPSec VPN security policy for an IPSec VPN gateway device node according to the real-time traffic information and requests a session key from the quantum key distribution network, the method further includes the following steps:
S1: The management and control platform divides the security domains. Keys are injected into a secure storage medium through the quantum key distribution network, and the quantum network nodes of the quantum key distribution network store in advance, in a key pool, the master keys and master key IDs allocated to the different device nodes of the security domain;
S2: The pre-filled master keys are injected from the secure storage medium into the device nodes of the domain through the key injection module, establishing each node's master key pool;
S3: The management and control platform configures network and security parameters for the device nodes according to the unified network plan of the whole security domain;
S4: The device node registers with the management and control platform through its registration and key application module. On receiving the registration information, the platform requests from the quantum key distribution network the device master key corresponding to the device ID and master key ID, performs integrity verification, and records the registration information of the device node once verification passes.
As a further optimized technical solution, the management and control platform generating an IPSec VPN security policy for an IPSec VPN gateway device node according to real-time traffic information and requesting a session key from the quantum key distribution network, with the device node only reporting traffic information and performing tunnel encapsulation/decapsulation and encryption/decryption of the data stream, specifically includes the following steps:
S5: The device node receives an outbound network packet on its internal network port and either performs IPSec VPN encapsulation and encryption on it or generates a real-time random number as the security parameter index SPI-I and sends a policy and key application message to the management and control platform;
S6: The management and control platform receives the policy and key application message from the source device node, requests from the quantum key distribution network the source node's master key corresponding to the source device node ID and master key ID, performs integrity verification with the returned master key, and searches for the matching destination device node to form security policy I and security association I. It requests two session keys Key-A and Key-B from the quantum key distribution network, which randomly selects a master key of the source device node to encrypt the session keys into the ciphertexts KeyI-A/KeyI-B and randomly selects a master key of the destination device node to encrypt them into the ciphertexts KeyR-A/KeyR-B. Security policy I, security association I and the session key ciphertext KeyR-A are then protected by a keyed cryptographic hash under a master key of the destination device node and distributed to the destination device node;
S7: After receiving the policy and key distribution message, passing integrity verification and decrypting the key ciphertext, the destination device node processes the message, generates a real-time random number as the security parameter index SPI-R and replies with SPI-R to the management and control platform;
S8: After receiving and verifying the reply message, the management and control platform forms security policy R and security association R, randomly selects a master key of the source device node for keyed cryptographic hash integrity protection of security policies I and R, security associations I and R and the session key ciphertexts KeyI-A and KeyI-B, and distributes them to the source device node;
S9: The source device node receives the policy and key distribution message from the management and control platform, processes it after passing integrity verification and decrypting the key ciphertexts, and replies a success status to the platform;
S10: After receiving and verifying the reply of the source device node, the management and control platform randomly selects a master key of the destination device node for keyed cryptographic hash integrity protection of security policy R, security association R and the session key ciphertext KeyR-B, and distributes them to the destination device node;
S11: The destination device node receives the policy and key distribution message from the management and control platform, processes it after passing integrity verification and decrypting the key ciphertext, and returns a success status to the platform.
As a further optimized technical solution, after the security policy and session key distribution process of steps S5 to S11 is complete, bidirectional encrypted tunnel communication can be carried out directly between the IPSec VPN gateways.
As a further optimized technical solution, the bidirectional encrypted tunnel communication process between the IPSec VPN gateways is as follows:
S12: The IPSec VPN gateway encapsulates and encrypts a network packet received on its internal network port in the IPSec tunnel and sends it out of the external network port;
S13: The IPSec VPN gateway looks up a matching entry for the IPSec VPN packet received on the external network port and forwards packets with a matching entry by conventional routing.
As a further optimized technical solution, in step S3 the configuration data of each device node includes the device ID, the device IP address, the protected network information and the security level of the device.
As a further optimized technical solution, in step S3 the device IP address of a device node using a dynamic address is filled in when the device registers, and the protected network information of the device is reported by the device node at registration. The security level of the device indicates the strength with which the device encrypts network data: different security levels correspond to different key lengths of the symmetric encryption algorithm and different digest lengths of the cryptographic hash algorithm. Device nodes in the same security domain use the same symmetric encryption algorithm and cryptographic hash algorithm but may be given different security levels, and device nodes of different security levels are prevented from communicating with each other by this difference in algorithm strength.
In step S4 the registration information includes the device IP address and the protected network information, and it is protected for integrity and identity authentication by a keyed cryptographic hash under a master key randomly selected by the IPSec VPN gateway.
As a further optimized technical solution, in step S5 the policy management module of the device node looks up the forward policy flow table by the five-tuple of the network packet; on a miss it then looks up the forward security policy table. If either table has a hit, the security association found is used to perform IPSec VPN encapsulation and encryption on the packet; if neither has a hit, a real-time random number is generated as the security parameter index SPI-I and a policy and key application message is sent to the management and control platform through the registration and key application module.
In step S5 the five-tuple consists of the source and destination IP addresses, the source and destination ports and the protocol number. The forward policy flow table consists of the five-tuples of the different data flows and their corresponding IPSec security associations; an IPSec security association includes the encryption and hash algorithms, the security parameter index and the source and destination IP addresses used for encapsulation. The forward security policy table consists of the protected network information of the source and destination and the corresponding IPSec security associations, and is a linear linked list. The application message carries the security parameter index SPI-I and the five-tuple, and is protected for integrity and identity authentication by a keyed cryptographic hash under a master key randomly selected by the IPSec VPN gateway.
As a further optimized technical solution, in step S6 the matching destination device node is found by searching the protected network information of each device node for the destination IP of the five-tuple, ensuring that the destination device node has the same security level as the source device node that sent the application message. Security policy I and security association I are formed from the IP address SIP of the source device node, the protected network information NetS corresponding to the five-tuple source IP, the IP address DIP of the matched destination device node, the protected network information NetD corresponding to the five-tuple destination IP, the security parameter index SPI-I, and the symmetric encryption algorithm and cryptographic hash algorithm corresponding to the security level.
In step S6 the quantum key distribution network randomly selects a master key of the source device node to encrypt the session keys into the session key ciphertexts KeyI-A/KeyI-B and randomly selects a master key of the destination device node to encrypt them into the session key ciphertexts KeyR-A/KeyR-B. The master keys used to encrypt the session keys are invisible to the management and control platform, which only obtains the session key ciphertexts from the quantum key distribution network. The platform then asks the quantum key distribution network to compute the integrity check over security policy I, security association I and the session key ciphertext KeyR-A under another master key of the destination device node, and distributes the protected message, including the encrypted session key, to the destination device node.
In step S7, after receiving the policy and key distribution message, passing integrity verification and decrypting the key ciphertext, the policy management module adds the session key Key-A to security association I, adds security association I to the security association table, and inserts security policy I into the reverse security policy table.
As a further optimized technical solution, in step S8, after receiving and verifying the reply message, the management and control platform composes security policy R and security association R from the IP address DIP of the destination device node, the protected network information NetD corresponding to the five-tuple destination IP, the IP address SIP of the source device node, the protected network information NetS corresponding to the five-tuple source IP, the security parameter index SPI-R, and the symmetric encryption algorithm and cryptographic hash algorithm corresponding to the security level.
In step S9, after receiving the policy and key distribution message from the management and control platform, passing integrity verification and decrypting the key ciphertexts, the policy management module adds the session key Key-B to security association R and adds security association R to the security association table, inserts security policy R into the reverse security policy table, adds the session key Key-A to security association I and adds security association I to the security association table, and inserts security policy I into the forward security policy table.
In step S11, after receiving the policy and key distribution message from the management and control platform, passing integrity verification and decrypting the key ciphertext, the policy management module adds the session key Key-B to security association R, adds security association R to the security association table, and inserts security policy R into the forward security policy table.
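The control-plane exchange of steps S5 to S11, together with the master-key pools of steps S1, S2 and S4 and the per-step table updates described for S7, S9 and S11, as an added simulation in Python. This is example code written for this page, not the patent's implementation or any vendor's code. The gateway names and addresses, the 256-bit key length, the ipaddress-based destination lookup, HMAC-SHA256 as the keyed cryptographic hash, the XOR one-time-pad wrap of each session key under a single-use master key, and the choice to let the platform delegate every keyed-hash check to the quantum key distribution network (so it never touches a master key or a plaintext session key) are all assumptions; the master-key pools are constructed in software rather than filled from a real QKD link, and the three parties are driven in-process rather than over a network.

```python
import hashlib, hmac, ipaddress, os, secrets
from dataclasses import dataclass, field

KEY_LEN = 32  # 256-bit session and master keys: the single security level modelled here (assumed)

def mac(key, body):     # keyed cryptographic hash giving integrity and identity (S4/S5 of the text)
    return hmac.new(key, repr(body).encode(), hashlib.sha256).digest()

def xor(a, b):          # one-time-pad wrap of a session key under a same-length, single-use master key
    return bytes(x ^ y for x, y in zip(a, b))

def prefill(dev, n=8):  # constructed stand-in for the offline pre-filled master-key pool (S1/S2)
    return {f"{dev}-mk{i}": hashlib.sha256(f"{dev}:{i}".encode()).digest() for i in range(n)}

class QKDNetwork:
    """Holds a copy of every device's master-key pool and the session keys; the platform sees neither."""
    def __init__(self, pools):
        self.pools, self.sessions = {d: dict(p) for d, p in pools.items()}, {}
    def pick(self, dev):                       # random master key of dev, removed from the pool on use
        kid = secrets.choice(sorted(self.pools[dev])); return kid, self.pools[dev].pop(kid)
    def verify(self, dev, msg):                # check a device's keyed hash on the platform's behalf
        return hmac.compare_digest(mac(self.pools[dev].pop(msg["kid"]), msg["body"]), msg["tag"])
    def session_keys(self, src, dst):          # S6: generate Key-A and Key-B for this pair
        self.sessions[(src, dst)] = {"A": os.urandom(KEY_LEN), "B": os.urandom(KEY_LEN)}
        return (src, dst)
    def seal(self, dev, sid, names, body):     # wrap the named session keys for dev, then hash the message
        body["keys"] = {}
        for n in names:                        # KeyI-A/B for the source, KeyR-A/B for the destination
            kid, mk = self.pick(dev); body["keys"][n] = (kid, xor(self.sessions[sid][n], mk))
        kid, mk = self.pick(dev)
        return {"kid": kid, "body": body, "tag": mac(mk, body)}

@dataclass
class Gateway:
    dev_id: str; ip: str; net: str; pool: dict
    sa_table: dict = field(default_factory=dict)   # SPI -> security association with its plaintext key
    policies: dict = field(default_factory=lambda: {"fwd": [], "rev": []})
    def sign(self, body):                      # keyed hash under a randomly chosen, single-use master key
        kid = secrets.choice(sorted(self.pool))
        return {"kid": kid, "body": body, "tag": mac(self.pool.pop(kid), body)}
    def apply(self, five_tuple):               # S5: both forward tables missed -> SPI-I and application
        return self.sign({"src": self.dev_id, "spi": secrets.randbits(32), "ft": five_tuple})
    def reply_spi(self):                       # S7: the destination chooses SPI-R and reports it
        return self.sign({"src": self.dev_id, "spi": secrets.randbits(32)})
    def install(self, msg):                    # S7/S9/S11: verify, unwrap keys, install SAs and policies
        if not hmac.compare_digest(mac(self.pool.pop(msg["kid"]), msg["body"]), msg["tag"]):
            raise ValueError(f"{self.dev_id}: integrity verification failed")
        b = msg["body"]
        for pol, sa in zip(b["pols"], b["sas"]):
            kid, ct = b["keys"][sa["wrapped"]]
            self.sa_table[sa["spi"]] = dict(sa, key=xor(ct, self.pool.pop(kid)))
            self.policies[pol["dir"]].append(pol)

class Platform:
    """Central controller: address lookup and policy/SA synthesis; it never holds a session key."""
    def __init__(self, qkd, gateways): self.qkd, self.gws = qkd, {g.dev_id: g for g in gateways}
    def distribute(self, dev, sid, items):     # one policy and key distribution message to one gateway
        body = {"pols": [p for p, _ in items], "sas": [s for _, s in items]}
        self.gws[dev].install(self.qkd.seal(dev, sid, [s["wrapped"] for _, s in items], body))
    def handle(self, req):                     # S6 to S11, driven end to end from one application
        body, src = req["body"], self.gws[req["body"]["src"]]
        if not self.qkd.verify(src.dev_id, req):
            raise ValueError("policy and key application rejected")
        dst_ip = ipaddress.ip_address(body["ft"]["dst"])
        dst = next(g for g in self.gws.values() if g is not src and dst_ip in ipaddress.ip_network(g.net))
        sid, alg = self.qkd.session_keys(src.dev_id, dst.dev_id), ("aes-256", "sha-256")
        sa_i = {"spi": body["spi"], "src": src.ip, "dst": dst.ip, "alg": alg}
        pol_i = {"net_s": src.net, "net_d": dst.net, "spi": body["spi"]}
        # S6/S7: policy I, SA I and KeyR-A to the destination, which answers with SPI-R
        self.distribute(dst.dev_id, sid, [(dict(pol_i, dir="rev"), dict(sa_i, wrapped="A"))])
        rep = dst.reply_spi()
        if not self.qkd.verify(dst.dev_id, rep):
            raise ValueError("SPI-R reply rejected")
        spi_r = rep["body"]["spi"]
        sa_r = {"spi": spi_r, "src": dst.ip, "dst": src.ip, "alg": alg}
        pol_r = {"net_s": dst.net, "net_d": src.net, "spi": spi_r}
        # S8/S9: policies I and R, SAs I and R, KeyI-A and KeyI-B to the source
        self.distribute(src.dev_id, sid, [(dict(pol_i, dir="fwd"), dict(sa_i, wrapped="A")),
                                          (dict(pol_r, dir="rev"), dict(sa_r, wrapped="B"))])
        # S10/S11: policy R, SA R and KeyR-B to the destination
        self.distribute(dst.dev_id, sid, [(dict(pol_r, dir="fwd"), dict(sa_r, wrapped="B"))])
        return body["spi"], spi_r

def demo():
    """Two gateways and one constructed flow; returns both gateways and the SPIs of SA I and SA R."""
    pools = {d: prefill(d) for d in ("gwA", "gwB")}
    qkd = QKDNetwork(pools)                    # copies the pools before any key is consumed
    a = Gateway("gwA", "203.0.113.10", "10.1.0.0/16", pools["gwA"])
    b = Gateway("gwB", "198.51.100.20", "10.2.0.0/16", pools["gwB"])
    ft = {"src": "10.1.0.5", "dst": "10.2.0.7", "sport": 40000, "dport": 443, "proto": 6}  # constructed
    spi_i, spi_r = Platform(qkd, [a, b]).handle(a.apply(ft))
    return a, b, spi_i, spi_r

if __name__ == "__main__":
    a, b, spi_i, spi_r = demo()
    print("Key-A agrees:", a.sa_table[spi_i]["key"] == b.sa_table[spi_i]["key"],
          "| Key-B agrees:", a.sa_table[spi_r]["key"] == b.sa_table[spi_r]["key"],
          "| master keys left:", len(a.pool), len(b.pool))
```

Running demo() performs the four distribution legs and the SPI-R reply and leaves both gateways holding the same Key-A in security association I and the same Key-B in security association R, with policy I in the source's forward table and the destination's reverse table and policy R the other way round, as steps S7, S9 and S11 prescribe. Every master key is popped from its pool the moment it is used, so a replayed message, or a second message naming an already-consumed master-key ID, fails with a KeyError at the verifier; that single-use property is what makes the XOR wrap a one-time pad and is the point the text makes about the distribution process. The platform only ever sees wrapped ciphertexts and tags.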
As a further optimized technical solution, in step S12, for a network packet received on the internal network port the VPN tunnel processing module of the IPSec VPN gateway finds the security policy and security association matching the packet's five-tuple in the forward policy flow table or the forward security policy table, uses the security parameter index SPI, the encapsulation source and destination IP addresses, the encryption algorithm and the hash algorithm of the security association to perform IPSec tunnel encapsulation and encryption on the packet, and sends it out of the external network port.
As a further optimized technical solution, in step S12, if the security association is obtained from the forward security policy table, the five-tuple and the corresponding security association are added to the forward policy flow table. Each entry of the forward policy flow table has a reference count that is incremented on every hit, and the entry is deleted once the count exceeds a threshold; a timer checks each entry periodically and deletes entries that have not been hit for a certain time. Soft and hard lifetimes are set for the forward security policy table and a timer is maintained: when the soft lifetime expires the policy and key re-application process is triggered, and security policies whose hard lifetime has expired are deleted.
In step S13, for a VPN packet received on the external network port the VPN gateway looks up the matching security association in the security association table by the triplet of security parameter index SPI, destination IP address and protocol number, uses the session key of the matched security association for integrity verification and decryption, then looks up a matching entry in the reverse policy flow table or the reverse security policy table by the five-tuple and forwards packets with a matching entry by conventional routing. If the match is found in the reverse security policy table, the five-tuple is added to the reverse policy flow table. Each entry of the reverse policy flow table has a reference count that is incremented on every hit, and the entry is deleted once the count exceeds the threshold; a timer checks each entry and deletes entries that have not been hit for a certain time. A lifetime is set for the reverse security policy table and a timer is maintained that deletes security policies whose lifetime has expired.
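The data-plane table logic of steps S12 and S13 above, with the policy flow table in front of the linear security policy table, the per-entry reference count, the idle timer and the soft/hard lifetimes, as an added Python model written for this page rather than taken from the patent. The SA and policy entries, the addresses, the thresholds and the use of protocol number 50 (ESP) in the inbound triplet are assumptions, the flow table is keyed on the five-tuple as a sorted tuple, and timestamps are passed in explicitly so the timer behaviour can be exercised without waiting; the model is one gateway's view (gateway A), so SA I is its outbound SA and SA R its inbound SA.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class SA:               # security association table entry (session key omitted: lookup only)
    spi: int; src: str; dst: str; proto: int = 50; alg: str = "aes-256/sha-256"

@dataclass
class Policy:           # forward/reverse security policy table entry with soft and hard lifetimes
    net_s: str; net_d: str; spi: int; soft_life: float; hard_life: float; born: float = 0.0
    def matches(self, ft):
        return (ipaddress.ip_address(ft["src"]) in ipaddress.ip_network(self.net_s)
                and ipaddress.ip_address(ft["dst"]) in ipaddress.ip_network(self.net_d))

class DataPlane:
    """Policy flow tables (five-tuple cache) in front of linear policy tables, one pair per direction."""
    def __init__(self, ref_threshold=1000, idle_timeout=60.0):
        self.sa_table, self.policies = {}, {"fwd": [], "rev": []}
        self.flows = {"fwd": {}, "rev": {}}      # five-tuple -> [spi, reference count, last hit]
        self.ref_threshold, self.idle_timeout = ref_threshold, idle_timeout
        self.reapply = []                        # policies whose soft lifetime expired (S5 re-run)

    def lookup(self, direction, ft, now):
        """Flow table first; on a miss walk the policy table and cache the hit (S5, S12, S13)."""
        key = tuple(sorted(ft.items()))
        entry = self.flows[direction].get(key)
        if entry is None:
            pol = next((p for p in self.policies[direction] if p.matches(ft)), None)
            if pol is None:
                return None                      # no policy: trigger the policy and key application
            entry = self.flows[direction][key] = [pol.spi, 0, now]
        entry[1] += 1; entry[2] = now
        if entry[1] > self.ref_threshold:        # reference count over threshold: drop the cache entry
            del self.flows[direction][key]
        return self.sa_table[entry[0]]

    def inbound_sa(self, spi, dst_ip, proto):
        """S13: locate the SA for a received packet by the (SPI, destination IP, protocol) triplet."""
        sa = self.sa_table.get(spi)
        return sa if sa and (sa.dst, sa.proto) == (dst_ip, proto) else None

    def tick(self, now):
        """Timer pass: evict idle flow entries, expire policies, queue soft-lifetime re-applications."""
        for d in self.flows:
            self.flows[d] = {k: e for k, e in self.flows[d].items() if now - e[2] <= self.idle_timeout}
        for d, table in self.policies.items():
            kept = []
            for p in table:
                age = now - p.born
                if age > p.hard_life:            # hard lifetime exceeded: policy and its cached flows go
                    self.flows[d] = {k: e for k, e in self.flows[d].items() if e[0] != p.spi}
                    continue
                if age > p.soft_life and p not in self.reapply:
                    self.reapply.append(p)       # soft lifetime: re-apply for policy and key
                kept.append(p)
            self.policies[d] = kept

def demo():
    """Gateway A's data plane with SA I (0x1111, outbound) and SA R (0x2222, inbound) installed."""
    dp = DataPlane(ref_threshold=3, idle_timeout=30.0)
    dp.sa_table[0x1111] = SA(0x1111, "203.0.113.10", "198.51.100.20")
    dp.sa_table[0x2222] = SA(0x2222, "198.51.100.20", "203.0.113.10")
    dp.policies["fwd"].append(Policy("10.1.0.0/16", "10.2.0.0/16", 0x1111, soft_life=100, hard_life=200))
    dp.policies["rev"].append(Policy("10.2.0.0/16", "10.1.0.0/16", 0x2222, soft_life=100, hard_life=200))
    ft = {"src": "10.1.0.5", "dst": "10.2.0.7", "sport": 40000, "dport": 443, "proto": 6}  # constructed
    trace = [dp.lookup("fwd", ft, now=1).spi, len(dp.flows["fwd"])]   # policy hit, now cached
    for t in (2, 3, 4):
        dp.lookup("fwd", ft, now=t)                                    # 4th hit passes threshold 3
    trace += [len(dp.flows["fwd"]), dp.lookup("fwd", dict(ft, dst="10.3.0.1"), now=5)]
    trace.append(dp.inbound_sa(0x2222, "203.0.113.10", 50).spi)
    dp.lookup("fwd", ft, now=10); dp.tick(now=50)                      # idle for 40 s > 30 s
    trace.append(len(dp.flows["fwd"]))
    dp.tick(now=150); trace.append([p.spi for p in dp.reapply])        # soft lifetime passed
    dp.tick(now=250); trace.append(len(dp.policies["fwd"]))            # hard lifetime passed
    return trace

if __name__ == "__main__":
    print(demo())
```

The trace returned by demo() walks the cases the text names in order: a flow-table miss that is resolved from the policy table and cached, the cache entry dropped when its reference count passes the threshold, a packet with no policy at all (the S5 application trigger), an inbound SA found by the SPI/destination/protocol triplet, an idle entry evicted by the timer, the soft lifetime queuing a re-application, and the hard lifetime deleting the policy.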
The invention also provides a device for executing any of the above technical schemes, comprising an IPSec VPN gateway, a management and control platform and a quantum key distribution network, wherein:
IPSec VPN gateway: performs IPSec VPN tunnel encapsulation/decapsulation and encryption/decryption on user network data transmitted over the network;
Quantum key distribution network: comprises a number of quantum network nodes and a quantum network link control center, all quantum network nodes being connected to the quantum network link control center to provide services such as quantum key generation, quantum key relay and quantum key provisioning;
Management and control platform: maintains the correspondence between IPSec VPN gateways, key agents and quantum network nodes, divides the security domains, provides registration and identity binding of the IPSec gateways, maintains the global security parameter table, and distributes security policies and session keys directly to the IPSec VPN gateways.
As a further optimized technical solution, the device further comprises a key agent, which provides a key filling proxy where the IPSec VPN gateway cannot have its keys filled directly at a quantum network node of the quantum key distribution network, and a key distribution proxy where the encrypted communication network cannot connect directly to the quantum key distribution network.
As a further optimized technical solution, the device further comprises a large-capacity secure storage medium for the offline pre-filling of a large number of master keys into each device node.
The invention has the following advantages:
In this scheme the management and control platform is the sole centralized controller of the whole security domain: it maintains the relevant security parameters, generates IPSec VPN security policies for the IPSec VPN gateways according to real-time traffic information, requests session keys in real time and distributes them online on demand of the IPSec VPN gateways, and dynamically and uniformly manages the security policies and session keys of the IPSec VPN gateways in the domain. The IPSec VPN gateway serves only as an execution point: it reports traffic information, the management and control platform generates the security policy and requests the session key on the basis of the security parameters and the five-tuple of the actual data stream, and the gateway performs IPSec VPN tunnel encapsulation/decapsulation and encryption/decryption of the data stream with the session key distributed online in real time and the dynamically generated encrypted-tunnel security policy. This has the following advantages:
1. The scheme realizes IPSec encrypted communication and centralized dynamic policy management in a software-defined manner, suits scenarios in which the network topology changes dynamically, and offers higher security and scalability.
2. The IPSec VPN gateway no longer needs a communication channel over which it can negotiate keys directly, which avoids the problem of gateways being unable to negotiate keys in complex network environments such as NAT, solves IPSec VPN security policy setting and session key distribution when the network topology changes dynamically, and strengthens centralized control over encrypted transmission when different local area networks are securely interconnected through IPSec VPN gateways.
3. The reduction in security caused by using a session key for a period of time is avoided, and the IPSec VPN policy and key distribution process of the scheme is protected with pre-filled quantum master keys, realizing a one-time pad for the distribution process and thus higher security.
4. Keys and security policies are distributed on the trigger of network traffic, at the real-time request of the devices. The important security parameters are not held by the management and control platform: keys are generated by the quantum key distribution network and only distributed through the platform, the SPI security parameter indexes are generated by the IPSec VPN gateways of the two communicating parties and exchanged through the platform, the keys are invisible to the platform, and the platform is only responsible for address lookup and for composing security policies and security associations. Network parameters such as the protected subnet are reported automatically when the IPSec VPN gateway registers, so no pre-configuration on the platform is needed and deployments with dynamic addresses are supported.
Drawings
FIG. 1 is a system architecture diagram of the device for implementing an IPSec VPN with software definition and quantum key distribution according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the structure of an IPSec VPN gateway according to an embodiment of the invention;
FIGS. 3A and 3B are flowcharts of data packet processing and key application according to embodiments of the present invention;
FIG. 4 is a timing diagram of the method of implementing an IPSec VPN using software definition and key distribution according to an embodiment of the invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly and completely described in the following in conjunction with the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The present embodiment provides a method and apparatus for implementing an IPSec VPN using software definition and key distribution, as shown in fig. 1, where the apparatus for implementing an IPSec VPN using software definition and key distribution includes at least one IPSec VPN gateway, a management platform, a quantum key distribution network, and in some cases, a key proxy.
IPSecVPN gateway: performs IPSecVPN tunnel encapsulation and decapsulation and encryption and decryption of user network data transmitted through the network. The IPSecVPN gateway comprises a VPN tunnel processing module, a policy management module, a registration and key application module and a key injection module, and has an internal network port connected to the internal network and an external network port connected to the external network, as shown in FIG. 2.
Wherein:
the policy management module is configured to look up the forward policy flow table and the forward security policy table according to the five-tuple information (source and destination IP address, source and destination port, and protocol number) of a network packet, and then either perform encapsulation/decapsulation and encryption/decryption on the packet or generate a real-time random number as a security parameter index and send a policy and key application packet to the management and control platform through the registration and key application module. The forward policy flow table consists of the five-tuples of different data flows and their corresponding IPSec security associations (actually indexes into the security association table); the forward security policy table consists of source and destination protected network information and the corresponding IPSec security associations (likewise indexes into the security association table), and is a linear linked list;
The VPN tunnel processing module is used for finding the security policy and the security association of the five-tuple of the matched message from the forward policy flow table or the forward security policy table (when the former is missed), searching the matched security association in the security association table, and carrying out IPSec tunnel encapsulation and decapsulation and encryption and decryption on the network message;
the registration and key application module is used to register the IPSecVPN gateway with the management and control platform, and to receive the policy and key application message from the policy management module and forward it to the management and control platform;
the key injection module is configured to inject a pre-filled master key into the device node.
Quantum key distribution network: comprises a plurality of quantum network nodes and a quantum network link control center; all quantum network nodes are connected to the quantum network link control center to provide services such as quantum key generation, quantum key relay and quantum key provision. Quantum network node: stores the generated quantum keys, receives key applications from a key agent or the management and control platform, and provides keys to the key agent or the management and control platform or directly provides key filling and key distribution services. Quantum network link control center: establishes quantum key distribution and relay links between quantum network nodes according to the quantum network node IDs.
Management and control platform: maintains the correspondence between IPSecVPN gateways, key agents and quantum network nodes, performs security domain division, provides registration and identity binding services for IPSec gateways, maintains a global security parameter table, and distributes security policies and session keys directly to the IPSecVPN gateways.
Key agent: provides a key filling proxy function when the IPSecVPN gateway cannot perform key filling directly at a quantum network node of the quantum key distribution network, and provides a key distribution proxy function when the encrypted communication network cannot connect directly to the quantum key distribution network.
High-capacity secure storage medium: such as a secure TF card or secure U shield, for offline pre-filling of a large number of master keys to each device node.
The working process of the equipment comprises the following steps:
First, the steps of security domain division, key filling, network configuration and security parameter registration are required:
S1: The management and control platform divides the security domain and injects keys into a large-capacity secure storage medium such as a secure TF card or secure U shield through the quantum key distribution network; the quantum network nodes in the quantum key distribution network store, in a key pool, the master keys and master key IDs allocated to the different device nodes in the security domain;
S2: A large number of master keys are injected from the large-capacity secure storage medium into the IPSecVPN gateway device nodes (hereinafter referred to as device nodes) in the domain through the key injection module to establish a master key pool. The key format is optionally 2-byte device ID + 4-byte key ID + n-byte key + n-byte initialization vector (n depends on the encryption algorithm);
S3: The management and control platform configures network and security parameters for the device nodes according to the unified network plan of the whole security domain. The configuration data for each device node comprises a device ID, a device IP address, protected network information, and the security level of the device. For a device node using a dynamic address, the device IP address is filled in when the device registers. The protected network information may likewise be reported by the device node at registration, in the form of a subnet and mask, a subnet and prefix length, or an address range. The security level of the device represents the strength with which the device encrypts network data: different security levels correspond to different key lengths of the symmetric encryption algorithm and different digest lengths of the cryptographic hash algorithm (for example, AES/SM4-128/192/256 denotes the AES or SM4 algorithm with a 128, 192 or 256-bit key, and SHA256/384/512 denotes the different digest lengths of the SHA2 algorithm). Device nodes in the same security domain use the same symmetric encryption algorithm and cryptographic hash algorithm but may be assigned different security levels, and the difference in algorithm strength prevents device nodes of different security levels from communicating with each other;
S4: The device node registers with the management and control platform through the registration and key application module. The registration information comprises the device IP address and the protected network information, and a keyed cryptographic hash is computed over it with a master key randomly selected by the IPSecVPN gateway for integrity protection and identity authentication. After receiving the registration information, the management and control platform requests from the quantum key distribution network the device master key corresponding to the device ID and master key ID, performs integrity verification with the device ID and device master key returned by the quantum key distribution network, and, after verification passes, fills in the device node's registration information such as the IP address and protected network information (if any) and returns a registration-success message to the device node;
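As an added illustration, not part of the patent text, the following Python code parses the master key pool record format of S2 and performs the keyed-hash integrity and identity check of the registration message of S4. The "|"-separated message layout, n = 16, and the lookup callback standing in for the request to the quantum key distribution network are assumptions.

```python
import hmac
import hashlib
import secrets
import struct

# Master key pool record layout from S2: 2-byte device ID + 4-byte key ID + n-byte key
# + n-byte initialization vector. n = 16 is assumed here (AES/SM4-128); it depends on the cipher.
KEY_LEN = 16
RECORD_FMT = ">HI%ds%ds" % (KEY_LEN, KEY_LEN)
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 26 bytes for n = 16


def pack_pool(records):
    """Build a pre-filled key blob from (device_id, key_id, key, iv) tuples (constructed test data)."""
    return b"".join(struct.pack(RECORD_FMT, d, k, key, iv) for d, k, key, iv in records)


def load_master_key_pool(blob):
    """Parse the blob read from the secure storage medium into {(device_id, key_id): (key, iv)}."""
    if len(blob) % RECORD_SIZE:
        raise ValueError("truncated master key pool")
    pool = {}
    for off in range(0, len(blob), RECORD_SIZE):
        dev_id, key_id, key, iv = struct.unpack_from(RECORD_FMT, blob, off)
        pool[(dev_id, key_id)] = (key, iv)
    return pool


def build_registration(pool, device_id, ip, protected_net, choose=secrets.choice):
    """Gateway side of S4: pick a random master key and HMAC the registration body.
    The '|'-separated wire format is an assumption; the page gives none."""
    key_ids = [k for (d, k) in pool if d == device_id]
    key_id = choose(key_ids)
    key, _iv = pool[(device_id, key_id)]
    # The device ID and key ID travel in clear so the platform can fetch the same master key.
    body = f"{device_id}|{key_id}|{ip}|{protected_net}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


def verify_registration(msg, lookup_master_key):
    """Platform side of S4. lookup_master_key(device_id, key_id) stands in for the request
    to the quantum key distribution network and returns the key bytes or None."""
    body, _, tag_hex = msg.rpartition(b"|")
    fields = body.split(b"|")
    if len(fields) != 4:
        return None
    try:
        device_id, key_id = int(fields[0]), int(fields[1])
        tag = bytes.fromhex(tag_hex.decode())
    except ValueError:
        return None
    key = lookup_master_key(device_id, key_id)
    if key is None:
        return None   # unknown device or key ID: refuse rather than guess
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None   # integrity / identity check failed
    # Registration information the platform fills in for the device node after verification
    return {"device_id": device_id, "ip": fields[2].decode(), "protected_net": fields[3].decode()}
```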
After the steps of security domain division, key filling, network and security parameter configuration and registration are completed, only security policy and session key distribution is needed before communication between device nodes; the steps of security domain division, key filling, network and security parameter configuration and registration do not need to be repeated each time. The security policy and session key distribution steps are as follows:
S5: The device node receives an outbound network message on the internal network port. The policy management module looks up the forward policy flow table (composed of the five-tuples of different data flows and the corresponding IPSec security associations, actually indexes into the security association table; the hash algorithm used for this table is not covered in this document; an IPSec security association comprises the encryption and hash algorithms, the security parameter index, and the source and destination IP addresses for encapsulation) according to the five-tuple information of the message (source and destination IP address, source and destination port, and protocol number). If there is no hit, it looks up the forward security policy table (composed of source and destination protected network information and the corresponding IPSec security associations, actually indexes into the security association table; this table is a linear linked list). If either table hits, the network message is encapsulated and encrypted with the security association found. If neither table hits, a real-time random number is generated as the security parameter index SPI-I and a policy and key application message is sent to the management and control platform through the registration and key application module; the message comprises the security parameter index SPI-I and the five-tuple information, and a keyed cryptographic hash is computed over it with a master key randomly selected by the IPSecVPN gateway for integrity protection and identity authentication;
S6: After receiving the policy and key application message from the source device node, the management and control platform requests from the quantum key distribution network the source device node master key corresponding to the source device node ID and master key ID, and performs integrity verification with the device ID and device master key returned by the quantum key distribution network. It then searches the protected network information of each device node for the destination device node matching the destination IP in the five-tuple, ensures that the security level of the destination device node is the same as that of the source device node that sent the application message, and forms, from the IP address SIP of the source device node, the protected network information NetS corresponding to the five-tuple source IP, the IP address DIP of the matched destination device node, the protected network information NetD corresponding to the five-tuple destination IP, the security parameter index SPI-I, and the symmetric encryption algorithm and cryptographic hash algorithm corresponding to the security level, a security policy I (content: data flows whose source IP belongs to NetS and whose destination IP belongs to NetD are processed with security association I) and a security association I (content: the IPSec tunnel encapsulation source IP is SIP, the destination IP is DIP, the security parameter index is SPI-I, the symmetric encryption algorithm and cryptographic hash algorithm are those of the security level, and the session key becomes effective after decryption by the device node).
The management and control platform applies to the quantum key distribution network for two session keys Key-A and Key-B. The quantum key distribution network randomly selects a master key of the source device node to encrypt the session keys, forming session key ciphertexts Key I-A/Key I-B, and randomly selects a master key of the destination device node to encrypt the session keys, forming session key ciphertexts Key R-A/Key R-B; the master keys used to encrypt the session keys are invisible to the management and control platform, which obtains only the session key ciphertexts from the quantum key distribution network. The management and control platform then applies to the quantum key distribution network for a keyed cryptographic hash (integrity check) over security policy I, security association I and session key ciphertext Key R-A using another master key of the destination device node, and distributes them to the destination device node;
S7: After the destination device node receives the policy and key distribution message, passes the integrity verification and decrypts the key ciphertext, its policy management module adds the session key Key-A to security association I and adds security association I to the security association table (a hash linked list keyed by the triple of security parameter index SPI, destination device node IP address and IPSec protocol number (ESP or AH); the hash is not covered in this document), and inserts security policy I into the reverse security policy table (which has the same structure as the forward security policy table: it consists of the protected network information of the source and destination device nodes and the corresponding IPSec security association indexes, and is a linear linked list). At the same time the destination device node generates a real-time random number as the security parameter index SPI-R, replies SPI-R to the management and control platform through the registration and key application module, and protects the integrity of the reply with a keyed cryptographic hash using a randomly selected master key;
S8: After receiving and verifying the reply message, the management and control platform forms, from the IP address DIP of the destination device node, the protected network information NetD corresponding to the five-tuple destination IP, the IP address SIP of the source device node, the protected network information NetS corresponding to the five-tuple source IP, the security parameter index SPI-R, and the symmetric encryption algorithm and cryptographic hash algorithm corresponding to the security level, a security policy R (content: data flows whose source IP belongs to NetD and whose destination IP belongs to NetS are processed with security association R) and a security association R (content: the IPSec tunnel encapsulation source IP is DIP, the destination IP is SIP, the security parameter index is SPI-R, the symmetric encryption algorithm is ENC_X, the cryptographic hash algorithm is HMAC_Y, and the session key yyyy becomes effective after decryption by the device node). It then randomly selects a master key of the source device node to compute the keyed cryptographic hash (integrity check) over security policies I and R, security associations I and R and session key ciphertexts Key I-A and Key I-B, and distributes security policies I and R, security associations I and R and session key ciphertexts Key I-A and Key I-B to the source device node;
S9: After receiving the policy and key distribution message sent by the management and control center, passing the integrity verification and decrypting the key ciphertext, the source device node adds session key Key-B to security association R and adds security association R to the security association table, inserts security policy R into the reverse security policy table, adds session key Key-A to security association I and adds security association I to the security association table, inserts security policy I into the forward security policy table, and returns a success status to the management and control platform, the status being integrity-protected by an HMAC with a master key;
S10: After receiving and verifying the reply from the source device node, the management and control platform randomly selects a master key of the destination device node to compute the keyed cryptographic hash (integrity check) over security policy R, security association R and session key ciphertext Key R-B, and distributes them to the destination device node;
S11: After receiving the policy and key distribution message sent by the management and control platform, passing the integrity verification and decrypting the key ciphertext, the destination device node adds session key Key-B to security association R, adds security association R to the security association table, and inserts security policy R into the forward security policy table. It may or may not reply a success status to the management and control platform; if it does, the reply is integrity-protected by an HMAC with a master key;
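The platform-side matching of S6 and S8, as an added Python example that is not part of the patent: the destination node is located by the five-tuple destination IP inside the reported protected networks, the security levels are compared, and security policy I / security association I and then, after SPI-R arrives, security policy R / security association R are composed. The level-to-algorithm mapping, the dictionary layouts and the check that the source IP lies in the applicant's own protected networks are assumptions; session key handling and the keyed-hash distribution are outside this snippet.

```python
import ipaddress
from dataclasses import dataclass

# Assumed mapping from security level to the algorithms of the security domain (AES with SHA2 here).
LEVEL_ALGS = {1: ("AES-128", "HMAC-SHA256"), 2: ("AES-192", "HMAC-SHA384"), 3: ("AES-256", "HMAC-SHA512")}


@dataclass
class DeviceNode:
    device_id: int
    ip: str                 # SIP / DIP: outer address used for tunnel encapsulation
    protected_nets: list    # CIDR strings reported at registration
    security_level: int


class ControlPlatform:
    def __init__(self, nodes):
        self.nodes = {n.device_id: n for n in nodes}

    def _locate(self, ip):
        """Find the device node whose protected network information contains ip."""
        addr = ipaddress.ip_address(ip)
        for node in self.nodes.values():
            for net in node.protected_nets:
                if addr in ipaddress.ip_network(net):
                    return node, net
        return None, None

    def on_application(self, src_id, five_tuple, spi_i):
        """S6: compose security policy I and security association I for the applicant's five-tuple."""
        src = self.nodes[src_id]
        src_hit, net_s = self._locate(five_tuple[0])
        if src_hit is None or src_hit.device_id != src_id:
            return None   # added check (not on the page): source IP must lie in the applicant's own networks
        dst, net_d = self._locate(five_tuple[1])
        if dst is None:
            return None   # no device node protects the destination IP
        if dst.security_level != src.security_level:
            return None   # nodes of different security levels do not communicate
        enc, mac = LEVEL_ALGS[src.security_level]
        policy_i = {"src_net": net_s, "dst_net": net_d, "sa": "I"}
        sa_i = {"tunnel_src": src.ip, "tunnel_dst": dst.ip, "spi": spi_i, "enc": enc, "hash": mac}
        return {"dst_id": dst.device_id, "policy_I": policy_i, "sa_I": sa_i}

    def on_spi_reply(self, ctx, spi_r):
        """S8: after the destination node returns SPI-R, compose the reverse policy R / SA R."""
        sa_i, pol_i = ctx["sa_I"], ctx["policy_I"]
        policy_r = {"src_net": pol_i["dst_net"], "dst_net": pol_i["src_net"], "sa": "R"}
        sa_r = {"tunnel_src": sa_i["tunnel_dst"], "tunnel_dst": sa_i["tunnel_src"],
                "spi": spi_r, "enc": sa_i["enc"], "hash": sa_i["hash"]}
        return {"policy_R": policy_r, "sa_R": sa_r}
```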
After the above security policy and session key distribution process is completed, bidirectional encrypted tunnel communication can take place between the IPSecVPN gateways:
S12: For a network message received on the internal network port, the VPN tunnel processing module of the IPSecVPN gateway finds the security policy and security association matching the five-tuple of the message in the forward policy flow table or, when the former misses, in the forward security policy table, performs IPSec tunnel encapsulation and encryption on the message using the security parameter index SPI, the encapsulation source and destination IP addresses, the encryption algorithm and the hash algorithm of the security association, and sends it out of the external network port. If the security association was found by searching the forward security policy table, the five-tuple and the corresponding security association (actually its index in the security association table) are added to the forward policy flow table. Each entry of the forward policy flow table has a reference count that is incremented on every hit; the entry is deleted when the count exceeds a threshold, and a timer also checks every entry periodically and deletes entries that have not been hit for a certain time. For the forward security policy table, soft and hard lifetimes are set and a timer is maintained: when the soft lifetime (shorter than the hard lifetime) expires, the policy and key reissue process is triggered, and a security policy beyond its hard lifetime is deleted.
S13: For an IPSecVPN message received on the external network port, the VPN tunnel processing module searches the security association table for the matching security association according to the triple of security parameter index SPI, destination IP address and IPSec protocol number (ESP or AH) of the message, and uses the session key of the matched security association for integrity verification and decryption. For the decapsulated and decrypted original message, it searches for a matching entry in the reverse policy flow table or, when the former misses, in the reverse security policy table according to the five-tuple, and a message with a matching entry is forwarded according to the normal route. If the matching entry was found by searching the reverse security policy table, the five-tuple is added to the reverse policy flow table. Each entry of the reverse policy flow table has a reference count that is incremented on every hit; the entry is deleted when the count exceeds a threshold, and a timer checks every entry periodically and deletes entries that have not been hit for a certain time. For the reverse security policy table, a lifetime is set and a timer is maintained; a security policy beyond its lifetime is deleted, and the lifetime of the reverse security policy table is longer than the hard lifetime of the forward security policy table.
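The gateway-side tables of S5, S12 and S13 (forward policy flow table with reference counts and idle timer, linear forward security policy table with soft and hard lifetimes, and security association table keyed by the SPI / destination IP / protocol triple), as an added Python example that is not part of the patent. Table layouts, thresholds, lifetimes, the injectable clock and the choice to drop the security association and cached flows together with a hard-expired policy are assumptions.

```python
import ipaddress
import secrets

ESP = 50   # IANA protocol number of ESP


class PolicyManager:
    """Gateway-side tables of S5, S12 and S13: forward policy flow table, forward security policy
    table and security association table. Table layouts, thresholds and lifetimes are assumptions."""

    def __init__(self, clock, refcount_threshold=1000, idle_timeout=300, soft_life=3600, hard_life=7200):
        self.clock = clock                    # injectable time source returning seconds
        self.refcount_threshold = refcount_threshold
        self.idle_timeout = idle_timeout
        self.soft_life = soft_life            # shorter than hard_life: triggers policy/key reissue
        self.hard_life = hard_life            # policy deleted once exceeded
        self.sa_table = {}                    # (spi, dst_ip, proto) -> security association
        self.forward_flow = {}                # five-tuple -> [sa_key, refcount, last_hit]
        self.forward_policy = []              # [NetS, NetD, sa_key, installed_at, reissue_sent]
        self.reissue_requests = []            # (NetS, NetD) pairs whose soft lifetime expired

    def install(self, sa, net_s=None, net_d=None):
        """Add an SA keyed by the SPI / destination IP / protocol triple; with nets, also a forward policy."""
        sa_key = (sa["spi"], sa["tunnel_dst"], sa["proto"])
        self.sa_table[sa_key] = sa
        if net_s is not None:
            self.forward_policy.append([ipaddress.ip_network(net_s), ipaddress.ip_network(net_d),
                                        sa_key, self.clock(), False])

    def outbound(self, five_tuple):
        """S5/S12 lookup: ("encap", sa) on a hit, else ("apply", spi_i, five_tuple) for the application."""
        now = self.clock()
        entry = self.forward_flow.get(five_tuple)
        if entry is not None:
            entry[1] += 1
            entry[2] = now
            sa = self.sa_table[entry[0]]
            if entry[1] > self.refcount_threshold:   # page: entry deleted once the threshold is exceeded
                del self.forward_flow[five_tuple]
            return ("encap", sa)
        src, dst = ipaddress.ip_address(five_tuple[0]), ipaddress.ip_address(five_tuple[1])
        for net_s, net_d, sa_key, _installed, _sent in self.forward_policy:   # linear list walk
            if src in net_s and dst in net_d:
                self.forward_flow[five_tuple] = [sa_key, 1, now]   # cache the hit in the flow table
                return ("encap", self.sa_table[sa_key])
        spi_i = secrets.randbits(32)   # real-time random SPI-I carried in the policy and key application
        return ("apply", spi_i, five_tuple)

    def inbound(self, spi, dst_ip, proto):
        """S13 lookup of the SA for a received IPSec packet by its (SPI, destination IP, protocol) triple."""
        return self.sa_table.get((spi, dst_ip, proto))

    def housekeeping(self):
        """Timer-driven checks: idle flow entries, soft-lifetime reissue, hard-lifetime deletion."""
        now = self.clock()
        for ft, (_sa_key, _rc, last_hit) in list(self.forward_flow.items()):
            if now - last_hit > self.idle_timeout:
                del self.forward_flow[ft]
        kept = []
        for pol in self.forward_policy:
            age = now - pol[3]
            if age > self.hard_life:
                # Assumed addition: also drop the SA and cached flows so nothing keeps using an expired policy
                self.sa_table.pop(pol[2], None)
                self.forward_flow = {ft: e for ft, e in self.forward_flow.items() if e[0] != pol[2]}
                continue
            if age > self.soft_life and not pol[4]:
                pol[4] = True
                self.reissue_requests.append((str(pol[0]), str(pol[1])))
            kept.append(pol)
        self.forward_policy = kept
```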
The apparatus and method of the above embodiments are based on, but not limited to, QKD key distribution networks, and the key priming and online key distribution functions of the present invention can be implemented using any symmetric key management system and apparatus.
The above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (22)
1. A method for implementing an IPSec VPN using software definition and quantum key distribution, characterized in that: an IPSecVPN security policy is generated for an IPSecVPN gateway device node according to real-time flow information through a management and control platform, a session key is applied for from the quantum key distribution network, the device node serves as the execution point that reports the flow information, and tunnel encapsulation and decapsulation and encryption and decryption processing of the IPSecVPN are performed on the data flow.
2. The method for implementing an IPSec VPN using software definition and quantum key distribution according to claim 1, further comprising: before generating an IPSec VPN security policy for the IPSec VPN gateway device node according to the real-time traffic information and applying to the quantum key distribution network for the session key through the management and control platform, the method further includes the following steps:
S1: the management and control platform divides a security domain, a key is injected into a security storage medium through a quantum key distribution network, and quantum network nodes in the quantum key distribution network store master keys and master key IDs which are distributed to different equipment nodes in the security domain in a key pool in advance;
S2: injecting the pre-filled master keys into the device nodes in the domain from the secure storage medium through the key injection module, and establishing a master key pool;
S3: the management and control platform configures network and security parameters for the device nodes according to the unified network plan of the whole security domain;
S4: the device node registers with the management and control platform through the registration and key application module; after the management and control platform receives the registration information, it requests from the quantum key distribution network the device master key corresponding to the device ID and master key ID to carry out integrity verification, and fills in the registration information of the device node after verification passes.
3. The method for implementing an IPSec VPN using software definition and quantum key distribution according to claim 1, further comprising: the generation of an IPSecVPN security policy for an IPSecVPN gateway device node according to real-time flow information through the management and control platform, the application to the quantum key distribution network for a session key, the use of the device node only as the execution point that reports the flow information, and the tunnel encapsulation and decapsulation and encryption and decryption processing of the IPSecVPN on the data flow specifically comprise the following steps:
S5: the equipment node receives an outbound network message from an internal network port, encapsulates and encrypts the network message by IPSecVPN or generates a real-time random number as a security parameter index SPI-I, and sends a strategy and key application message to a management and control platform;
S6: the management and control platform receives a policy and key application message from a source device node, requests from the quantum key distribution network the source device node master key corresponding to the source device node ID and master key ID, searches for the matching destination device node after performing integrity verification with the returned master key, and forms a security policy I and a security association I; it applies to the quantum key distribution network for two session keys Key-A and Key-B, and the quantum key distribution network randomly selects a master key of the source device node to encrypt the session keys into session key ciphertexts Key I-A/Key I-B and randomly selects a master key of the destination device node to encrypt the session keys into session key ciphertexts Key R-A/Key R-B; the management and control platform then has a keyed cryptographic hash computed over security policy I, security association I and session key ciphertext Key R-A with a master key of the destination device node, and distributes them to the destination device node;
S7: after receiving the policy and key distribution message, passing the integrity verification and decrypting the key ciphertext, the destination device node processes the policy and key distribution message, generates a real-time random number as the security parameter index SPI-R, and replies SPI-R to the management and control platform;
S8: after receiving and verifying the reply message, the management and control platform forms a security policy R and a security association R, randomly selects a master key of the source equipment node to carry out integrity verification of cryptographic hash operation on the security policies I and R, the security association I and R and the session key ciphertext Key I-A and Key I-B, and distributes the security policies I and R, the security association I and R and the session key ciphertext Key I-A and Key I-B to the source equipment node;
S9: the source device node receives the policy and key distribution message sent by the management and control center, processes it after passing the integrity verification and decrypting the key ciphertext, and replies a success status to the management and control platform;
S10: after receiving and verifying the reply of the source device node, the management and control platform randomly selects a master key of the destination device node to compute the keyed cryptographic hash over security policy R, security association R and session key ciphertext Key R-B, and distributes them to the destination device node;
S11: the destination device node processes the policy and key distribution message sent by the management and control platform after passing the integrity verification and decrypting the key ciphertext, and returns a success status to the management and control platform.
4. A method of implementing an IPSec VPN using software definition and quantum key distribution as claimed in claim 3, characterized in that: after the security policy and session key distribution process of steps S5 to S11 is completed, bidirectional encrypted tunnel communication can be performed directly between the IPSecVPN gateways.
5. The method for implementing IPSec VPN using software definition and quantum key distribution according to claim 4, further comprising: the bidirectional encryption tunnel communication process between the IPSecVPN gateways is as follows:
S12: the IPSecVPN gateway encapsulates and encrypts a network message received on the internal network port through an IPSec tunnel and then sends it out of the external network port;
S13: the IPSecVPN gateway searches for a matching entry for an IPSecVPN message received on the external network port, and forwards a message with a matching entry according to the normal route.
6. The method for implementing an IPSec VPN using software definition and quantum key distribution according to claim 2, further comprising: in step S3, the configuration data of each device node includes a device ID, a device IP address, protected network information, and a security level of the device.
7. The method for implementing an IPSec VPN using software definition and quantum key distribution according to claim 6, further comprising: in step S3, the device IP address is filled into the device node using the dynamic address when the device node is registered, the protected network information of the device is reported by the device node when the device is registered, the security level of the device indicates the strength of the device when the device encrypts the network data, the different security levels correspond to the different key lengths of the symmetric encryption algorithm and the different hash value lengths of the password hash algorithm, the device nodes in the same security domain adopt the same symmetric encryption algorithm and the same password hash algorithm, but can be endowed with different security levels, and the device nodes of different security levels cannot be forced to communicate by the distinction of the algorithm strength.
8. The method for implementing an IPSec VPN using software definition and quantum key distribution according to claim 2, further comprising: in step S4, the registration information includes the device IP address and the protected network information, and a keyed cryptographic hash is computed over the registration information with a master key randomly selected by the IPSecVPN gateway to perform integrity protection and identity authentication.
9. A method of implementing an IPSec VPN using software definition and quantum key distribution as claimed in claim 3, characterized in that: in step S5,
the policy management module of the device node searches the forward policy flow table according to the five-tuple information of the network message; if there is no hit, it continues to search the forward security policy table; if either table hits, the security association found is used to perform IPSecVPN encapsulation and encryption on the network message; if neither table hits, a real-time random number is generated as the security parameter index SPI-I, and a policy and key application message is sent to the management and control platform through the registration and key application module.
10. The method for implementing an IPSec VPN using software definition and quantum key distribution according to claim 9, further comprising: in step S5, the five-tuple information includes source and destination IP address, source and destination port and protocol number; the forward policy flow table is composed of the five-tuples of different data flows and the corresponding IPSec security associations; an IPSec security association includes the encryption and hash algorithms, the security parameter index, and the source and destination IP addresses for encapsulation; the forward security policy table is composed of the protected network information of the source and destination and the corresponding IPSec security associations, and is a linear linked list; the message includes the security parameter index SPI-I and the five-tuple information, and a keyed cryptographic hash is computed over the information with a master key randomly selected by the IPSecVPN gateway to perform integrity protection and identity authentication.
11. The method for implementing an IPSec VPN using software definition and quantum key distribution according to claim 3, characterized in that in step S6 a matching destination device node is found by searching the protected network information of each device node for the destination IP of the five-tuple, it is ensured that the security level of the destination device node is the same as that of the source device node that sent the application message, and the security policy I and the security association I are formed from the IP address SIP of the source device node, the protected network information NetS corresponding to the source IP of the five-tuple, the IP address DIP of the matched destination device node, the protected network information NetD corresponding to the destination IP of the five-tuple, the security parameter index SPI-I, and the symmetric encryption algorithm and cryptographic hash algorithm corresponding to the security level.
12. The method for implementing an IPSec VPN using software definition and quantum key distribution according to claim 3, characterized in that in step S6 the quantum key distribution network randomly selects a master key of the source device node to encrypt the session key, forming the session key ciphertext KeyI-a/KeyI-B, and randomly selects a master key of the destination device node to encrypt the session key, forming the session key ciphertext KeyR-a/KeyR-B; the master keys used to encrypt the session key are invisible to the management and control platform; the management and control platform obtains the ciphertext of the session key from the quantum key distribution network, then requests the quantum key distribution network to apply integrity protection to the security policy I, the security association I and the session key ciphertext KeyR-a using another master key of the destination device node, and distributes the protected message with the ciphertext KeyR-a to the destination device node.
13. The method for implementing an IPSec VPN using software definition and quantum key distribution according to claim 11, further comprising: in step S7, after receiving the policy and key distribution message, passing the integrity verification and decrypting the key ciphertext, the destination device node adds the session Key-a to the security association I, adds the security association I to the security association table, and inserts the security policy I into the reverse security policy table.
14. The method for implementing an IPSec VPN using software definition and quantum key distribution according to claim 13, further comprising: in step S8, after receiving and verifying the reply message, the management and control platform constructs a security policy R and a security association R from the IP address DIP of the destination device node, the protected network information NetD corresponding to the destination IP of the five-tuple, the IP address SIP of the source device node, the protected network information NetS corresponding to the source IP of the five-tuple, the security parameter index SPI-R, and the symmetric encryption algorithm and cryptographic hash algorithm corresponding to the security level.
15. The method for implementing an IPSec VPN using software definition and quantum key distribution according to claim 14, further comprising: in step S9, after receiving the policy and key distribution message sent by the management and control center, passing the integrity verification and decrypting the key ciphertext, the policy management module adds the session Key-B to the security association R and adds the security association R to the security association table, inserts the security policy R into the reverse security policy table of the destination device, adds the session Key-a to the security association I and adds the security association I to the security association table, and inserts the security policy I into the forward security policy table.
16. The method for implementing an IPSec VPN using software definition and quantum key distribution according to claim 15, further comprising: in step S11, after receiving the policy and key distribution message sent by the management and control platform, passing the integrity verification and decrypting the key ciphertext, the policy management module adds the session Key-B to the security association R, adds the security association R to the security association table, and inserts the security policy R into the forward security policy table.
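The distribution step of claims 12 and 13, as an added illustration that is not code from the patent: the quantum key distribution network wraps the session key under one randomly chosen master key of the destination node and adds a keyed hash under a second master key, so the management and control platform only ever relays ciphertext and tags. Key pools, the XOR (one-time-pad) wrapping, the SHA-256 HMAC, the message layout and the node address 192.0.2.20 are constructed assumptions; the claims only say "encrypt" and "cryptographic hash".

```python
import hashlib
import hmac
import secrets

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class QKDNetwork:
    """Holds the master-key pools shared only with the device nodes, never with the platform."""
    def __init__(self, pools):
        self.pools = pools  # node_ip -> list of 32-byte pre-filled master keys
    def wrap_session_key(self, node_ip, session_key):
        # Randomly select one master key of the node and encrypt the session key with it (claim 12).
        # XOR with an unused master key (one-time pad) is an assumption; the claims only say "encrypt".
        idx = secrets.randbelow(len(self.pools[node_ip]))
        return idx, xor_bytes(session_key, self.pools[node_ip][idx])
    def protect(self, node_ip, payload, exclude_idx):
        # Keyed hash under another master key of the same node gives integrity protection (claim 12).
        idx = secrets.choice([i for i in range(len(self.pools[node_ip])) if i != exclude_idx])
        return idx, hmac.new(self.pools[node_ip][idx], payload, hashlib.sha256).digest()

class ControlPlatform:
    def __init__(self, qkd):
        self.qkd = qkd  # the platform only ever sees key ciphertext and tags, never master keys
    def build_distribution_message(self, dst_ip, policy_i, sa_i, session_key):
        key_idx, key_r_a = self.qkd.wrap_session_key(dst_ip, session_key)
        body = policy_i + b"|" + sa_i + b"|" + key_idx.to_bytes(2, "big") + key_r_a
        tag_idx, tag = self.qkd.protect(dst_ip, body, key_idx)
        return tag_idx.to_bytes(2, "big") + tag + body

class DeviceNode:
    def __init__(self, pool):
        self.pool, self.sa_table, self.reverse_policy_table = pool, {}, []
    def accept_distribution(self, msg):
        # Step S7: verify integrity, decrypt the session key, then install SA I and policy I.
        tag_idx, tag, body = int.from_bytes(msg[:2], "big"), msg[2:34], msg[34:]
        expected = hmac.new(self.pool[tag_idx], body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # reject; nothing is added to the tables
        policy_i, sa_i, rest = body.split(b"|", 2)
        session_key = xor_bytes(rest[2:], self.pool[int.from_bytes(rest[:2], "big")])
        self.sa_table[sa_i] = session_key
        self.reverse_policy_table.append(policy_i)
        return session_key

def run_exchange():
    """Constructed end-to-end run: the platform distributes SP-I, SA-I and Key-a to the destination node."""
    pool = [secrets.token_bytes(32) for _ in range(8)]  # constructed 8-key master-key pool
    platform, node = ControlPlatform(QKDNetwork({"192.0.2.20": pool})), DeviceNode(pool)
    session_key = secrets.token_bytes(32)  # session key produced inside the QKD network
    msg = platform.build_distribution_message("192.0.2.20", b"SP-I:10.1.0.0/16->10.2.0.0/16",
                                              b"SA-I:spi=0x1A2B3C4D", session_key)
    return session_key, msg, node
```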
17. The method for implementing an IPSec VPN using software definition and quantum key distribution according to claim 5, further comprising: in step S12, for a network packet received on the internal network port, the VPN tunnel processing module finds the security policy and security association matching the five-tuple of the packet in the forward policy flow table or the forward security policy table, uses the security parameter index SPI, the encapsulation source and destination IP addresses, the encryption algorithm and the hash algorithm of the security association to perform IPSec tunnel encapsulation and encryption on the packet, and then sends the packet out of the external network port.
18. The method for implementing an IPSec VPN using software definition and quantum key distribution according to claim 17, further comprising: in step S12, if the security association was obtained by searching the forward security policy table, the five-tuple and the corresponding security association are added to the forward policy flow table. Each entry in the forward policy flow table has a reference count that is incremented on every hit, and the entry is deleted when the reference count exceeds a threshold; a timer is maintained to check each entry periodically, and entries not hit within a certain time are deleted. A soft and a hard life cycle are set for the forward security policy table and a timer is maintained: expiry of the soft life cycle triggers the policy and key re-application process, and a security policy that exceeds the hard life cycle is deleted.
19. The method for implementing an IPSec VPN using software definition and quantum key distribution according to claim 18, further comprising: in step S13, for an IPSec VPN packet received on the external network port, the VPN tunnel processing module searches the security association table for the matching security association according to the triplet of the packet's security parameter index SPI, destination IP address and protocol number, and performs integrity verification and decryption with the session key of the matched security association; it then searches the reverse policy flow table or the reverse security policy table for an entry matching the five-tuple, and forwards a packet with a matching entry by conventional routing. If the match is found in the reverse security policy table, the five-tuple is added to the reverse policy flow table. Each entry in the reverse policy flow table has a reference count that is incremented on every hit, and the entry is deleted when the count exceeds the threshold; a timer is maintained to check each entry periodically, and entries not hit within a certain time are deleted. A life cycle is set for the reverse security policy table and a timer is maintained to delete security policies that exceed it; the life cycle of the reverse security policy table is longer than that of the forward security policy table.
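The forward-path lookup of claims 9, 17 and 18 as an added worked example, not code from the patent: an exact five-tuple lookup in the forward policy flow table, fallback to a protected-network lookup in the forward security policy table (installing the flow on a hit), a policy and key application with a fresh SPI-I on a double miss, and the reference-count, idle-timer and soft/hard life cycle maintenance. The DeviceNode class, the threshold and timer values, the sample networks 10.1.0.0/16 and 10.2.0.0/16 and the dict used as a security association are constructed assumptions.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field

@dataclass
class DeviceNode:
    """Hypothetical forward-path lookup of an IPSec VPN device node (claims 9, 17, 18)."""
    security_policy_table: list = field(default_factory=list)  # [NetS, NetD, SA, installed_at]
    policy_flow_table: dict = field(default_factory=dict)      # five-tuple -> [SA, refcount, last_hit]
    pending_applications: list = field(default_factory=list)   # (SPI-I, key) sent to the platform
    ref_threshold: int = 3        # constructed values; the claims only say "a threshold"
    idle_seconds: float = 60.0
    soft_life: float = 3600.0
    hard_life: float = 7200.0

    def lookup_forward(self, five_tuple, now):
        """Return the SA for an inner-network packet, or None after sending a policy/key application."""
        entry = self.policy_flow_table.get(five_tuple)
        if entry is not None:                  # 1. exact five-tuple hit in the forward policy flow table
            entry[1] += 1
            entry[2] = now
            if entry[1] > self.ref_threshold:  # claim 18: drop the entry once its reference count passes the threshold
                del self.policy_flow_table[five_tuple]
            return entry[0]
        src, dst = ipaddress.ip_address(five_tuple[0]), ipaddress.ip_address(five_tuple[1])
        for net_s, net_d, sa, _installed in self.security_policy_table:
            if src in net_s and dst in net_d:  # 2. protected-network hit in the forward security policy table
                self.policy_flow_table[five_tuple] = [sa, 1, now]
                return sa
        spi_i = secrets.randbits(32)           # 3. miss in both: real-time random SPI-I, apply to the platform
        self.pending_applications.append((spi_i, five_tuple))
        return None

    def run_timers(self, now):
        """Periodic maintenance: age idle flows, re-apply on soft expiry, delete on hard expiry."""
        for key in [k for k, e in self.policy_flow_table.items() if now - e[2] > self.idle_seconds]:
            del self.policy_flow_table[key]
        kept = []
        for net_s, net_d, sa, installed in self.security_policy_table:
            if now - installed > self.hard_life:
                continue
            if now - installed > self.soft_life:
                self.pending_applications.append((secrets.randbits(32), (str(net_s), str(net_d))))
            kept.append([net_s, net_d, sa, installed])
        self.security_policy_table = kept

def sample_node():
    """Constructed sample: one policy between two protected networks installed at t=0, SA as a plain dict."""
    sa = {"spi": 0x1A2B3C4D, "enc": "AES-256", "hash": "SHA-256", "encap": ("198.51.100.1", "198.51.100.2")}
    node = DeviceNode()
    node.security_policy_table.append([ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16"), sa, 0.0])
    return node, sa
```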
20. An apparatus for performing the method of claims 1-19, characterized in that it comprises an IPSec VPN gateway, a management and control platform and a quantum key distribution network, wherein:
IPSec VPN gateway: performs IPSec VPN tunnel encapsulation and decapsulation and encryption and decryption of user network data transmitted through the network;
quantum key distribution network: comprises a plurality of quantum network nodes and a quantum network link control center, all quantum network nodes being connected to the quantum network link control center to provide services such as quantum key generation, quantum key relay and quantum key provision;
management and control platform: maintains the correspondence between IPSec VPN gateways, key agents and quantum network nodes, performs security domain division, provides the registration and identity binding service for IPSec gateways, maintains a global security parameter table, and distributes security policies and session keys directly to the IPSec VPN gateways.
21. The apparatus as claimed in claim 20, further comprising a key agent, which provides a proxy function for key filling when an IPSec VPN gateway cannot perform key filling directly at a quantum network node of the quantum key distribution network, and a proxy function for key distribution when the encrypted communication network cannot connect directly to the quantum key distribution network.
22. The apparatus as claimed in claim 20, further comprising a high-capacity secure storage medium for offline pre-filling of a large number of master keys into each device node.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211427640.1A CN116055091B (en) | 2022-11-15 | 2022-11-15 | Method and system for realizing IPSec VPN by adopting software definition and quantum key distribution |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211427640.1A CN116055091B (en) | 2022-11-15 | 2022-11-15 | Method and system for realizing IPSec VPN by adopting software definition and quantum key distribution |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116055091A true CN116055091A (en) | 2023-05-02 |
CN116055091B CN116055091B (en) | 2024-01-09 |
Family
ID=86112214
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211427640.1A Active CN116055091B (en) | 2022-11-15 | 2022-11-15 | Method and system for realizing IPSec VPN by adopting software definition and quantum key distribution |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116055091B (en) |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070186281A1 (en) * | 2006-01-06 | 2007-08-09 | Mcalister Donald K | Securing network traffic using distributed key generation and dissemination over secure tunnels |
CN104660603A (en) * | 2015-02-14 | 2015-05-27 | 山东量子科学技术研究院有限公司 | Method and system for extended use of quantum keys in IPSec VPN (internet protocol security-virtual private network) |
CN113824551A (en) * | 2020-06-19 | 2021-12-21 | 中创为(成都)量子通信技术有限公司 | Quantum key distribution scheme and device applied to secure storage system |
CN114726523A (en) * | 2022-05-18 | 2022-07-08 | 北京国科量子共创通信科技研究院有限公司 | Password application service system and quantum security capability open platform |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116743380A (en) * | 2023-08-14 | 2023-09-12 | 中电信量子科技有限公司 | OTN encryption communication method and system based on quantum key distribution |
CN116743380B (en) * | 2023-08-14 | 2023-10-31 | 中电信量子科技有限公司 | OTN encryption communication method and system based on quantum key distribution |
CN118631457A (en) * | 2024-08-15 | 2024-09-10 | 中电信量子信息科技集团有限公司 | Quantum-resistant security enhancement method of security assertion marking protocol |
CN118659922A (en) * | 2024-08-15 | 2024-09-17 | 中电信量子信息科技集团有限公司 | Quantum security enhancement method for open authorization protocol |
Also Published As
Publication number | Publication date |
---|---|
CN116055091B (en) | 2024-01-09 |
Similar Documents
Publication | Title |
---|---|
CN116055091B (en) | Method and system for realizing IPSec VPN by adopting software definition and quantum key distribution |
US11240218B2 (en) | Key distribution and authentication method and system, and apparatus |
US20190068591A1 (en) | Key Distribution And Authentication Method And System, And Apparatus |
Aboba et al. | Extensible authentication protocol (EAP) key management framework |
US8559640B2 (en) | Method of integrating quantum key distribution with internet key exchange protocol |
CN115567210B (en) | Method and system for realizing zero trust access by adopting quantum key distribution |
US20090210699A1 (en) | Method and apparatus for secure network enclaves |
EP2767029B1 (en) | Secure communication |
CN103095710A (en) | Broadcast encryption transmission method in network based on identification and centering on contents |
WO2002068418A2 (en) | Authentication and distribution of keys in mobile ip network |
CN113364811B (en) | Network layer safety protection system and method based on IKE protocol |
CN104219217A (en) | SA (security association) negotiation method, device and system |
CN114285571A (en) | Method, gateway device and system for using quantum key in IPSec protocol |
KR20180130203A (en) | APPARATUS FOR AUTHENTICATING IoT DEVICE AND METHOD FOR USING THE SAME |
Farinacci et al. | Locator/ID separation protocol (LISP) data-plane confidentiality |
CN103227742A (en) | Method for IPSec (Internet protocol security) tunnel to rapidly process messages |
CN115766002A (en) | Method for realizing encryption and decryption of Ethernet data by adopting quantum key distribution and software definition |
JP2011176395A (en) | IPsec COMMUNICATION METHOD AND IPsec COMMUNICATION SYSTEM |
CN103188228B (en) | A kind of method, security gateway and system for realizing End-to-End Security protection |
US10805082B2 (en) | ID-based data plane security for identity-oriented networks |
CN115567208B (en) | Network session data stream fine-granularity transparent encryption and decryption method, gateway, management and control platform and system |
CN115733683A (en) | Method for realizing Ethernet link self-organizing encryption tunnel by adopting quantum key distribution |
Li et al. | Secure and Privacy-preserving Network Slicing in 3GPP 5G System Architecture |
KR101329968B1 (en) | Method and system for determining security policy among ipsec vpn devices |
CN109361684B (en) | Dynamic encryption method and system for VXLAN tunnel |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |