CN116232570A - Method for protecting data flow security and data management system - Google Patents

Method for protecting data flow security and data management system Download PDF

Info

Publication number
CN116232570A
CN116232570A CN202211703681.9A CN202211703681A CN116232570A CN 116232570 A CN116232570 A CN 116232570A CN 202211703681 A CN202211703681 A CN 202211703681A CN 116232570 A CN116232570 A CN 116232570A
Authority
CN
China
Prior art keywords
quantum
key
security
derivative
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211703681.9A
Other languages
Chinese (zh)
Inventor
李成东
左崴东
辛华
杨勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cas Quantum Network Co ltd
Original Assignee
Cas Quantum Network Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cas Quantum Network Co ltd filed Critical Cas Quantum Network Co ltd
Priority to CN202211703681.9A priority Critical patent/CN116232570A/en
Publication of CN116232570A publication Critical patent/CN116232570A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of quantum communication, and discloses a method for protecting data flow security and a data management system. The method is suitable for a security situation awareness platform, the platform comprises a quantum middleware, a security agent at a first object side and a key engine at the security situation awareness platform side, and the method comprises the following steps: acquiring a first ciphertext obtained by encrypting returned data of a first object by using a first quantum derivative key; and decrypting the first ciphertext by using a second quantum derivative key to obtain returned data, wherein the first quantum derivative key and the second quantum derivative key are derived at least once based on the quantum root key, and the security agent and the key engine negotiate through a quantum middleware to obtain a shared quantum root key. According to the invention, the quantum key tree is derived for the returned data of the first objects, and the returned data is encrypted and decrypted correspondingly by utilizing the generated quantum derivative key, so that the data isolation between the first objects is realized, and the security of the data in the circulation process is effectively improved.

Description

Method for protecting data flow security and data management system
Technical Field
The invention relates to the technical field of quantum communication, in particular to a method for protecting data flow security and a data management system.
Background
In recent years, quantum information technology has been remarkably developed, and as the international telecommunications union (ITU-T) began to set up the "network-oriented quantum information technology" focal group-QIT 4N in 2019, broad cooperation across fields and multiple professions became common. Research on how quantum information technologies such as quantum computing, quantum communication and quantum random number serve traditional networks is of great significance in particular to the promotion of the fusion development of technologies such as quantum key distribution (Quantum Key Distribution, QKD) and the like and the field of information communication technology (Information and Communications Technology, ICT) and the like and the evolution of future quantum information networks and the like.
The QKD technology can be integrated with the emerging ICT technologies with wide application range such as the Internet of things and the Internet of vehicles, and the QKD is combined with different levels of the ICT, including a data link layer, a network layer, a transmission layer and an application layer, so that a ubiquitous quantum security network application scheme is formed. The ubiquitous quantum security network uses a quantum key service desk as a core, extends quantum key service to mobile terminals uncovered by a quantum private network, creates a cloud, pipe and end integrated information security scheme, and provides a security communication scheme with high mobility and high availability.
Under the new situation of rapid development of QKD and ICT fusion service, the flexible QKD network and ICT application/network interconnection scheme not only provides rapid, convenient and flexible application experience for users, but also greatly improves the safety performance of ICT application.
However, in the process of transmitting massive data of ICT applications, there is still a possibility that user data passing through the same device or network may be compromised. Therefore, how to further improve the security of data in the data transmission process and solve the technical problem of security responsibility logic and service/user isolation in the data circulation process is to be solved by the invention.
Disclosure of Invention
The invention aims at providing a processing method of user data and a data management system, wherein a quantum derivative key tree structure is adopted to store and manage quantum keys, and a derivative key is utilized to solve the security responsibility logic and service/user isolation in the data circulation process, so that the security of the data in the circulation process can be at least improved, and the problem of the security responsibility logic and service/user isolation in the data circulation process is better solved.
In order to achieve the above object, at least one embodiment of the present invention provides a method for protecting data flow security, which is applicable to a security posture awareness platform, wherein the security posture awareness platform includes a quantum middleware, a security agent disposed on a first object side, and a key engine disposed on the security posture awareness platform side, and includes: acquiring a first ciphertext of a first object, wherein the first ciphertext is formed by encrypting return data of the first object through a first quantum derivative key, and the first quantum derivative key is derived based on at least one time of quantum root key derivation; and decrypting the first ciphertext by using a second quantum derivative key to obtain the returned data, wherein the second quantum derivative key is generated by the key engine based on the quantum root key being derived at least once, and the security agent and the key engine negotiate to obtain a shared quantum root key through the quantum middleware.
In order to achieve the above object, at least one embodiment of the present invention further provides a data management system, including a security posture awareness platform, where the security posture awareness platform includes a quantum middleware, a security agent disposed on a first object side, and a key engine disposed on the security posture awareness platform side, where the security agent is further connected to a first quantum integrated machine, and where the key engine is further connected to a second quantum integrated machine, where the second quantum integrated machine is connected to the first quantum integrated machine through a quantum channel and a classical channel; the security situation awareness platform is used for realizing the method for protecting the security of data flow.
In at least one embodiment of the present invention, the security posture awareness platform includes quantum middleware, a security agent disposed on a first object side, and a key engine disposed on the security posture awareness platform side. And for the returned data of the first object, performing at least one derivatization based on the quantum root key, and encrypting the returned data by using the generated first quantum derivatization key to form a first ciphertext. And the security situation awareness platform acquires a first ciphertext, and further decrypts the first ciphertext by using a second quantum derived key to obtain the feedback data. Wherein the second quantum derived key is derived by the key engine based on the quantum root key derived at least once, the security agent and the key engine negotiating via the quantum middleware to obtain a shared quantum root key. It can be seen that, in the embodiment of the present invention, the first quantum derivative key for encrypting the returned data of the first object and the second quantum derivative key for decrypting can be derived based on the shared quantum root key by performing the derivation at least once for the returned data of the first object. The first quantum derivative key and the second quantum derivative key are derived from the returned data of the first object, so that the returned data of different first objects can be isolated from each other. Therefore, the problem of safety responsibility logic and data isolation in the data circulation process is solved, and the safety of the returned data is improved.
In at least one embodiment, the security agent is further connected to a first quantum all-in-one machine, the key engine is further connected to a second quantum all-in-one machine, the second quantum all-in-one machine is connected to the first quantum all-in-one machine through a quantum channel and a classical channel, the security agent is connected to the key engine through a traffic channel via the quantum middleware, and negotiating by the security agent and the key engine to obtain a shared quantum root key via the quantum middleware comprises: the security agent sequentially or randomly acquires an integrity protection key vector and an encryption key vector from the first quantum integrated machine, and processes the integrity protection key vector and the encryption key vector to form the quantum root key; and negotiating by the quantum middleware to enable a quantum root key at a first quantum integrated machine connected with the security agent to be shared to a second quantum integrated machine connected with the key engine through a quantum channel and a classical channel. In this embodiment, the first quantum all-in-one machine and the second quantum all-in-one machine share the quantum root key, based on which only the key engine connected with the second quantum all-in-one machine can derive the second quantum derivative key for decrypting the first ciphertext, so that the security of the returned data of the first object is ensured.
In at least one embodiment, the decrypting the first ciphertext using a second quantum derived key to obtain the return data comprises: processing the quantum root key, and/or an identification of a first object based on a KDF function to form a seventh quantum derived key, the identification of the first object comprising at least one of: network identification, user identification, service level identification, process identification and node identification in the data streaming process; an eighth quantum derivative key formed by processing the seventh quantum derivative key based on a KDF function, and processing the eighth quantum derivative key through a trunk function to form a second quantum derivative key; and decrypting the first ciphertext by using the second quantum derivative key formed by the seventh quantum derivative key and the eighth quantum derivative key derivative process sequentially by using the quantum root key to obtain the returned data. In this embodiment, a quantum key tree is formed through the derivation processes of the seventh quantum derivative key and the eighth quantum derivative key, and the first ciphertext is decrypted by using the finally derived second quantum derivative key. The quantum key tree structure can be utilized to store and manage the quantum key, so that not only is the storage resource occupied by the quantum key reduced, but also the problem of safety responsibility logic and data isolation in the data circulation process is solved.
In at least one embodiment, where the security agent processes the integrity protection key vector and the encryption key vector to form the quantum-root key, obtaining the first ciphertext of the first object comprises: the security agent deriving the first quantum-derived key based on the quantum-root key, the identity of the first object derived at least once; encrypting the return data with the first quantum derived key to obtain the first ciphertext. The first quantum derivative key used for encrypting the returned data of the first object is derived based on the identification of the first object, and based on the fact that the first objects cannot access each other, logical isolation and slicing protection of the data are achieved, and the safety of the data is effectively improved.
In at least one embodiment, encrypting the backhaul data with the first quantum derived key comprises: the security agent encrypts the return data with the first quantum derived key to obtain the first ciphertext; or the security agent transmits the derived first quantum derivative key to the key engine through a traffic channel, so that the key engine encrypts the returned data by using the first quantum derivative key to obtain the first ciphertext. The security agent delivers the first quantum derived key to the key engine to better protect the first object.
In at least one embodiment, where the security agent processes the integrity protection key vector and the encryption key vector to form the quantum root key, obtaining the first ciphertext of the first object further comprises: the security agent transmits the quantum-root key to the key engine via a traffic channel, the key engine deriving the first quantum-derived key based on the quantum-root key, the identity of the first object, at least once, the key engine encrypting the passback data with the first quantum-derived key to obtain the first ciphertext. The security agent delivers the quantum root key to the security engine, and the security engine derives the first quantum derivative key and encrypts the returned data by using the first quantum derivative key, so that the returned data of the first object can be better protected.
In at least one embodiment, the secure agent deriving the first quantum-derived key based on the quantum-root key, the identification of the first object, at least once, comprises: processing the quantum root key and/or an identification of a first object based on a KDF function to form a third quantum derived key, the identification of the first object including at least one of: network identification, user identification, service level identification, process identification and node identification in the data streaming process; a fourth quantum derivative key formed by processing the third quantum derivative key based on a KDF function, and a first quantum derivative key processed by the fourth quantum derivative key through a trunk function; and encrypting the returned data by using the quantum root key through the first quantum derivative key formed by the third quantum derivative key and the fourth quantum derivative key derivative process in sequence. In this embodiment, a quantum key tree is formed through the derivation processes of the third quantum derivative key and the fourth quantum derivative key, and the returned data is encrypted by using the finally derived first quantum derivative key. The quantum key tree structure can be utilized to store and manage the quantum key, so that not only is the storage resource occupied by the quantum key reduced, but also the problem of safety responsibility logic and data isolation in the data circulation process is solved.
In at least one embodiment, the processing of the integrity protection key vector and the encryption key vector by the security agent to form the quantum root key comprises: processing the integrity protection key vector and the encryption key vector based on a KDF function to form a quantum root key, wherein the quantum root key = KDF (integrity protection key vector and encryption key vector, salt, operations), the Salt comprising at least one of: service node ID, user ID, service ID, serial number and non-secret parameter, wherein the Iterations are preset iteration times; and processing a preset integrity protection identifier, an encryption identifier and the quantum root key by utilizing a KDF function to form a fifth quantum derivative key, and processing the fifth quantum derivative key by utilizing a trunk function to form a sixth quantum derivative key, wherein the sixth quantum derivative key is provided for a core network connected through an air interface. The cryptographic Salt is added as a parameter when the quantum root key is formed, so that the difficulty is increased for an attacker to crack the quantum root key, and the security of the quantum root key is improved. In addition, the sixth quantum key can ensure that ICT users or ICT services can access the core network through the air interface, and meanwhile, the data of the users or services connected through the air interface can also meet the isolation requirement.
Drawings
One or more embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements, and in which the figures do not depict a proportional limitation unless expressly stated otherwise.
FIG. 1 is a schematic diagram of a hardware environment of a data management system in accordance with at least one embodiment of the present invention;
FIG. 2 is a schematic diagram of a connection of a security agent to a first object in accordance with at least one embodiment of the present invention;
fig. 3 is a schematic structural diagram of a first object access network according to at least one embodiment of the present invention;
FIG. 4 is a flow chart of a method of securing data streams in accordance with at least one embodiment of the present invention;
FIG. 5 is a flow diagram of a security proxy process for forming a quantum root key in accordance with at least one embodiment of the present invention;
FIG. 6 is a flow diagram of a security agent deriving a first quantum derived key in accordance with at least one embodiment of the invention;
FIG. 7 is a schematic diagram of a quantum key tree in accordance with at least one embodiment of the present invention;
FIG. 8 is a flow diagram of decrypting a first ciphertext using a second quantum derived key in accordance with at least one embodiment of the invention;
Fig. 9 is a schematic diagram of a security posture awareness platform in accordance with at least one embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the following detailed description of the embodiments of the present invention will be given with reference to the accompanying drawings. However, those of ordinary skill in the art will understand that in various embodiments of the present invention, numerous technical details have been set forth in order to provide a better understanding of the present invention. However, the claimed invention may be practiced without these specific details and with various changes and modifications based on the following embodiments.
It should be understood that the term "and/or" as used herein is merely one relationship describing the association of the associated objects, meaning that there may be three relationships, e.g., a and/or B, may represent: a exists alone, A and B exist together, and B exists alone. The terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus. Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature.
The invention aims to store and manage the quantum key by adopting a quantum key tree structure, and solve the problems of security responsibility logic and service/user isolation of data circulation among nodes by utilizing the quantum key tree. The above object can be achieved by a data management system. The overall architecture of the data management system network can be divided into a core layer and a convergence layer, and the hardware environment of the data management system can be as shown in fig. 1.
The core layer corresponds to the centralized control station of the quantum networking shown in fig. 1. The centralized control station may specifically include a quantum key management service system server and a quantum network element management system. The quantum key management service system server is used for realizing the functions of quantum network all quantum equipment management, quantum key generation control, quantum key routing control and the like. In addition, the quantum network element management system is used for receiving the management of the quantum network element management system through the EMS northbound interface, and realizing the management function of quantum equipment of all sites of the quantum network. The centralized control station uplink can adopt a double-fiber link to complete the exit butt joint of the metropolitan area network and backbone network equipment, and the downlink is converged by an external network switch to access the user node. The centralized control station is mainly responsible for connecting a backbone network, tandem connection of service control layer equipment in the metropolitan area network and high-capacity and high-speed forwarding of messages among nodes of the network.
The convergence layer corresponds to the convergence station and the subscriber station of the quantum networking shown in fig. 1, and the convergence station can be divided into a classical network external network area and a quantum device network area. The classical network extranet area is used for realizing interconnection among Ethernet service data points, and the quantum equipment network area is used for realizing quantum key transmission among stations, and key and instruction information exchange among the quantum gateway in the stations and the key manager. The user node in the user station realizes quantum key distribution with quantum key distribution equipment (such as quantum integrated machine and single-receiving type quantum key distribution equipment QKD-B) through an optical quantum switch by deploying a quantum key generation and management terminal (such as quantum integrated machine), and realizes the functions of quantum key management, relay and the like. It should be noted that, the convergence station configures a switch to perform service convergence in each of the classical network extranet area and the quantum device network area, and interconnects the network areas, and performs area isolation by using a firewall. The user nodes in the subscriber station adopt a dual-fiber mode for the quantum channel (shown in dashed lines in fig. 1) and classical channel (shown in dashed lines in fig. 1), respectively. The user node is accessed to the quantum network through the quantum security encryption router, the quantum integrated machine (or the single-shot quantum key generation and management terminal) is connected to the centralized control station through the quantum channel, and the user access switch is connected to the centralized control station through the quantum classical channel.
Based on the software and hardware environment, at least one embodiment of the invention provides a method for protecting the security of data flow, which is suitable for a security situation awareness platform. The security situation awareness platform comprises an embedded quantum middleware, a security agent arranged on the first object side and a key engine arranged on the security situation awareness platform side, wherein the security agent is encapsulated in a quantum security gateway of the subscriber station, and the key engine is encapsulated in a quantum security gateway of the convergence station. The quantum middleware is used for carrying out centralized management and control on the security agent and the key engine, introducing traffic needing to be transmitted safely into the quantum encryption router in a static routing or policy routing mode, completing traffic encryption, introducing ciphertext traffic into the quantum security transmission channel, and then sending the traffic to the target node according to the government external network routing.
A security agent (see quantum security gateway in the subscriber station shown in fig. 1) is used to encapsulate the quantum keys into standard security capabilities, including keys, algorithms, cryptographic protocols, etc., and to provide the user nodes with functions of identity authentication, key agreement, cryptographic operations, key management, etc., in the form of standard APIs (Application Programming Interface, application programming interfaces). The security agent is deployed on the first object side. The first object referred to herein may be a provider of data, i.e. a user for whom the user station of the data management platform is intended. A schematic diagram of the connection of the security agent to the user/service (first object) may be referred to in fig. 2. A schematic structure of the first object access network may refer to fig. 3.
A key engine (see quantum security gateway in the convergence station shown in fig. 1) is deployed on the security posture platform side, which functions similarly to a security proxy, for encapsulating the quantum key into standard security capabilities and providing for use by the security posture awareness platform. In addition, the safety situation awareness platform further comprises a converging and diverging device, and the converging and diverging device comprises a flow data safety control platform and a flow acquisition monitoring probe unit. The flow data safety management and control platform constructs a unified flow data basic platform to support flow data delivery requirements, and can form a complete flow scheduling data delivery network by self-networking; the flow collection monitoring probe unit introduces an advanced SDN architecture to carry out bypass flow data management, and all ports of the flow collection monitoring probe unit support flow access/flow control output.
It should be noted that, before executing the steps included in the method for protecting the security of the data stream, the authorization and the network access process inside the first object may be first performed, including: a security agent deployed at a first object initiates a network access request to a quantum middleware embedded in a security situation awareness platform; the quantum middleware authenticates and authorizes the security agent; after successful authorization, the quantum middleware issues a service policy, a configuration policy and a quantum key tree policy (including traffic delivery, key delivery and the like) to the security agent; the security agent initializes information such as a service interface, configuration information, quantum key tree strategy and the like, and the middleware platform synchronously updates the security agent information; the user service at the first object is called with the security agent API through a software service bus or a task template of the master control program to realize the identity authentication of the first object and the confidentiality and integrity protection of the service and data.
It should be noted that, the authentication and key setting of the first object may be initiated by the security situation awareness platform and triggered by the authentication process.
The implementation details of the method for protecting data flow security in this embodiment are specifically described below, and the following is only for facilitating understanding of the implementation details of this embodiment, and is not necessary for implementing this embodiment. The specific flow is shown in fig. 4, and may include the following steps:
step 101, obtaining a first ciphertext of a first object, wherein the first ciphertext is formed by encrypting returned data of the first object through a first quantum derivative key, and the first quantum derivative key is derived based on at least one time of derivation of a quantum root key;
step 102, decrypting the first ciphertext using a second quantum derived key to obtain the returned data, wherein the second quantum derived key is derived by the key engine based on the quantum root key at least once.
According to the method, the quantum key tree structure is adopted to store and manage the quantum keys, and the derivative key tree (the first quantum derivative key and the second quantum derivative key) is utilized to solve the security responsibility logic and the service/user isolation problem of each transfer node in the data transfer process, so that the security of the data in the transfer process is improved.
In step 101, a first ciphertext of a first object is obtained. For convenience of description, only one first object is referred to in the foregoing description of the present embodiment, it will be understood that a subscriber station of the data management system may actually access a plurality of first objects, so as to protect security in the backhaul data stream of the plurality of first objects. The first object may be a provider of data, i.e. a user for which the subscriber station is directed, for example, each large communication carrier, each large government cloud platform service provider, etc. In this step, the first object obtains, at the network core layer, return data in a flow duplication or light splitting manner, where the return data is encrypted by the first quantum derivative key to form a first ciphertext, where the return data may be ICT service data such as the internet of things, the internet of vehicles, or cloud application data such as OA, CRM, ERP, MES, or security log information of the system and the security device.
In some embodiments, the security agent is also connected to a first quantum unitary (see quantum unitary in the subscriber station shown in fig. 1), and the key engine is also connected to a second quantum unitary (not shown in fig. 1) that is connected to the first quantum unitary through a quantum channel (shown in dashed lines in fig. 1) and a classical channel (shown in dashed lines in fig. 1), and the security agent is connected to the key engine through a traffic channel via the quantum middleware. The security agent and key engine of the present invention negotiates via quantum middleware to obtain a shared quantum root key, such as: the security agent sequentially or randomly acquires an integrity protection key vector and an encryption key vector from the first quantum integrated machine, and processes the integrity protection key vector and the encryption key vector to form a quantum root key; the quantum root secret key at the first quantum integrated machine connected with the security agent is shared to the second quantum integrated machine connected with the secret key engine through the quantum channel and the classical channel through the negotiation of the quantum middleware.
It should be noted that, the first quantum integrated machine related to the above embodiment may include three service units, where the three service units are connected to the subscriber access switch through RJ45 jumpers respectively (the subscriber access switch isolates the quantum service through VLAN technology); the first quantum integrated machine is connected into a quantum metropolitan area network through an uplink link to establish a classical channel of quantum communication, so that quantum devices at two ends can negotiate through the classical channel, and further management processes such as generation and storage of quantum keys and management of devices can be completed; the two-end quantum devices send and receive optical signals of quantum communication through the optical fiber link.
Optionally, the quantum root key is safely delivered to the security agent through a key output interface of the first quantum integrated machine and a key input interface of the security agent. In some embodiments, the security agent may sequentially or randomly obtain two tag keys from the first quantum integrated machine, timestamp information or other information on the two tag keys to form an integrity protection key vector and an encryption key vector, and process the integrity protection key vector and the encryption key vector to form a quantum root key, and then the quantum root key is delivered to a key input interface of the security agent through a key output interface. The encryption key vector is distorted relative to the integrity protection key vector, which corresponds to a scrambling code, with the purpose of improving timing recovery and confidentiality. The integrity protection key vector plays a role in error correction, and if the integrity protection key vector is not available, the problems of incapacity of error correction and incapacity of recognizing tampering can occur. As shown in fig. 5, the processing of the integrity protection key vector and the encryption key vector to form the quantum root key may include the steps of:
Step 201, processing the integrity protection key vector and the encryption key vector based on a KDF function to form a quantum root key, where the quantum root key=kdf (integrity protection key vector and encryption key vector, salt, interfaces), and Salt includes at least one of the following: service node ID, user ID, service ID, serial number, non-secret parameter, and iteration number preset by the iteration;
step 202, processing the preset integrity protection identifier, encryption identifier and quantum root key by using a KDF function to form a fifth quantum derivative key, and processing the fifth quantum derivative key by using a trunk function to form a sixth quantum derivative key, wherein the sixth quantum derivative key is provided to a core network connected through an air interface.
According to the method, the kdf function is utilized to derive the subkeys of different levels according to the user/service ID, the circulation node ID and the like, so that encryption of data of different levels (processes) of user service is realized, storage and management of quantum keys are better realized, and the problems of security responsibility logic and service/user isolation in the data circulation process are solved.
In step 201, the integrity protection key vector and the encryption key vector are processed based on a KDF function to form a quantum root key. The KDF (Key derivation function) function is a key derivation function. Dk=kdf (Key, salts, transactions), meaning that one or more derivative keys DK are derived from the master Key using a pseudo-random function, i.e. the KDF function can be used to extend the Key to longer keys or to obtain keys in the required format. In this step, the integrity protection key vector and the encryption key vector are used as master keys, and the DK is obtained as a quantum root key by using a KDF function. The Salt is a random number serving as a password Salt, and the effect of the Salt is equivalent to scrambling, so that the difficulty is increased for an attacker to crack the quantum root key, and the security of the quantum root key is improved; the Salt may comprise at least one of: the service node ID, user ID, service ID, serial number, non-secret parameters, which may prevent an attacker obtaining the quantum-root key from learning useful information about the input secret value or any other derived key. The Iterations are preset iteration times, and may correspond to different levels of ICT users/services (i.e., the first object), such as processes. It is worth mentioning that the values of Salt and transactions may be stored with the hashed password or transmitted in the clear of the encrypted message.
In step 202, a fifth quantum derivative key is formed by processing the preset integrity protection identifier, encryption identifier and quantum root key with a KDF function, and a sixth quantum derivative key is formed by processing the fifth quantum derivative key with a trunc function, wherein the sixth quantum derivative key is provided to a core network connected through an air interface. That is, after the quantum root key is generated, the invention can not only derive the first quantum derivative key for data encryption, but also derive the sixth quantum derivative key for the core network, and the data of the user or service connected by the core network through the air interface also meets the isolation requirement.
It is worth noting that if the integrity protection key vector and the encryption key vector require 128-bit keys as inputs, the keys will be truncated by the trunc function and use the 128-bit least significant bits; the trunc function accepts a 256-bit string as input and returns a predefined truncated output.
In some embodiments, the first quantum derived key used to encrypt the backhaul data of the first object may be derived by a key engine. In these embodiments, obtaining the first ciphertext of the first object may include: the security agent transmits the quantum root key to a key engine through a traffic channel, the key engine derives a first quantum derivative key based on the quantum root key and the identification of the first object at least once, and the key engine encrypts the returned data by using the first quantum derivative key to obtain a first ciphertext. This manner in which the security agent transmits the quantum root key to the key engine for the key engine to derive the quantum key tree may be referred to as a quantum key tree policy for the quantum root key delivery. It will be appreciated that the manner in which the quantum-root key is delivered is focused on protecting user traffic on the user node (first object).
In some embodiments, the first quantum derived key that encrypts the backhaul data of the first object may be derived from a security agent. In these embodiments, obtaining the first ciphertext of the first object may include: the security agent derives a first quantum derived key based on the quantum root key, the identity of the first object derived at least once; the returned data is encrypted using the first quantum derived key to obtain a first ciphertext. Because the first quantum derivative key is derived based on the identification of the first objects, based on the first quantum derivative key, the first objects cannot access each other, so that the logical isolation and the slicing protection of the data are realized, and the safety of the data is effectively improved.
Optionally, the security agent encrypts the returned data using the first quantum-derived key to obtain the first ciphertext. The manner in which the security agent derives the quantum key tree and encrypts the returned data to obtain the first ciphertext may be referred to as a quantum key tree policy for ciphertext delivery, focusing on protecting the data traffic. Optionally, the security agent transmits the derived first quantum derivative key to the key engine through the traffic channel via the quantum middleware, so that the key engine encrypts the returned data by using the first quantum derivative key to obtain the first ciphertext, which may be referred to as a quantum key tree policy for the delivery of the first quantum derivative key, focusing on protecting the user node (i.e., the first object). Referring to fig. 6, the security agent or key engine deriving a first quantum derived key based on the quantum root key, the identity of the first object derived at least once, may comprise the steps of:
Step 301, processing the quantum root key and/or the identification of the first object based on the KDF function to form a third quantum derivative key, where the identification of the first object includes at least one of: network identification, user identification, service level identification, process identification and node identification in the data streaming process;
step 302, a fourth quantum derivative key formed by processing the third quantum derivative key based on a KDF function, and a first quantum derivative key formed by processing the fourth quantum derivative key through a trunk function;
and step 303, encrypting the returned data by using the first quantum derivative key formed by the third quantum derivative key and the fourth quantum derivative key in turn through the derivative process of the quantum root key.
According to the method, the kdf function is utilized to derive the subkeys of different levels according to the user service ID, the circulation node ID and the like, so that the encryption of the data of different levels of the user service is realized, the storage and the management of the quantum keys are better realized, and the problems of security responsibility logic and service/user isolation in the data circulation process are solved. The first quantum derivative key and the sixth quantum derivative key are derived based on the quantum root key, and the structural schematic diagram of the derived quantum key tree is shown in fig. 7.
Given the large number of keys that can be generated when quantum encrypting large amounts of data for ICT applications, these keys can occupy a large amount of storage space, and thus how to store a large number of keys is now a significant challenge for users. The invention forms a quantum key tree through the derivation processes of the third quantum derivative key and the fourth quantum derivative key, and encrypts the returned data by utilizing the finally derived first quantum derivative key. The quantum key tree structure can be utilized to store and manage the quantum key, and the storage resources required by the quantum key are reduced. In addition, the KDF function is utilized to derive subkeys of different levels based on the identification of the first object, so that encryption of data of different levels (processes) of user service is realized, and the problems of security responsibility logic and service/user isolation in the data circulation process are solved.
In some embodiments, the invention can also be used as public key infrastructure, and a certificate and a public-private key system are introduced, namely, the security agency encrypts K1 by adopting a public key, the ciphertext is sent to the security engine through the Internet, the security engine decrypts the key by adopting a private key to obtain K1, and further, the two parties K1 and the first quantum derivative key are subjected to heterogeneous processing to form a working key KK. The security agent or key engine encrypts the clear text traffic using the working key KK.
In step 102, the second quantum derivative key is used to decrypt the first ciphertext to obtain the returned data, and after the returned data is obtained by decryption, the security situation awareness platform may further perform security monitoring analysis on the returned data obtained by decryption. The second quantum derived key is derived by the key engine based on the quantum root key derived at least once. For a quantum key tree strategy for ciphertext delivery, step 102 may include: the key engine derives a second quantum derivative key based on the shared quantum root key and decrypts the received first ciphertext by using the second quantum derivative key; for a quantum key tree policy for either first quantum derivative key delivery or quantum root key delivery, step 102 may include: the security agent decrypts the first ciphertext using the second quantum derived key.
In view of the fact that the security agent and the key engine obtain a shared quantum root key through quantum middleware negotiation, namely the quantum middleware can conduct centralized management control on the security agent and the key engine, the invention also creates a mechanism for cross-domain management of secret service (quantum middleware) and secret management (security agent and key engine). As shown in fig. 8, the process of decrypting the first ciphertext using the second quantum derived key to obtain the returned data, with reference to the flowchart, may include the following sub-steps:
Step 1021, processing the quantum root key and/or the identification of the first object based on the KDF function to form a seventh quantum derivative key, where the identification of the first object includes at least one of: network identification, user identification, service level identification, process identification and node identification in the data streaming process;
step 1022, processing the seventh quantum derivative key based on the KDF function to form an eighth quantum derivative key, and processing the eighth quantum derivative key via the trunk function to form a second quantum derivative key;
and 1023, decrypting the first ciphertext by using the second quantum derivative key formed by the seventh quantum derivative key and the eighth quantum derivative key derivative process by using the quantum root key to obtain the returned data.
It should be noted that, in this embodiment, the identifier of the first object used when deriving the second quantum derivative key may be transmitted by the security agent to the key engine through the classical channel by the quantum middleware. Based on the method for protecting data flow security provided by the embodiment, a quantum key tree can be configured on network equipment shared by two or more sets of networks, so that different ICT user services carried on the network equipment cannot be accessed mutually. The ICT user/service safety performance is improved by using the quantum key tree, and meanwhile, the ICT user service logic isolation and slicing protection are better realized, and the memory resource is less occupied.
In addition, the security situation awareness platform in the embodiment is responsible for constructing a multidimensional statistical model to analyze massive heterogeneous big data, form a security panoramic view, support security decisions, emergency response and issue security early warning and security patches. The network security risk assessment, security risk perception, monitoring and early warning, attack traceability evidence obtaining and emergency security reinforcement capability of government users can be effectively improved. The security situation awareness platform treats the network by taking the service as the center, and realizes a security toughness architecture by taking the service as the center. The system can be ensured to continuously ensure that the security targets such as confidentiality, integrity, availability and the like of the service are achieved when certain security conventions are not present (such as that threats cannot be eliminated, vulnerabilities cannot be repaired and part of security functions fail). Furthermore, the security posture awareness platform can provide integrity protection algorithm lists and encryption algorithm lists that are prioritized by the operator.
Furthermore, it is worth noting that the present invention allows the use of keys for AS encryption protection and NAS integrity protection that are 128 bits in length, and that the network interface supports 256-bit keys for future use.
Some embodiments of the invention also provide a data management system. The data management system at least comprises a security situation awareness platform, wherein the security situation awareness platform comprises a quantum middleware, a security agent arranged on a first object side and a key engine arranged on the security situation awareness platform side, the security agent is further connected with a first quantum integrated machine, the key engine is further connected with a second quantum integrated machine, and the second quantum integrated machine is connected with the first quantum integrated machine through a quantum channel and a classical channel; the security situation awareness platform is used for realizing the method for protecting the security of the data stream in the previous embodiment. The data management system according to the present embodiment may continue to refer to fig. 1.
In some embodiments, the first quantum integrated machine accesses the centralized control station through a user access switch, a user convergence switch and an external network switch, establishes a classical channel with the second quantum integrated machine, and establishes a quantum channel with the second quantum integrated machine through an optical quantum switch; the user access switch of the first object establishes a traffic channel between the first object and the security situation awareness platform through the first quantum security gateway and the second quantum security gateway.
Some embodiments of the present invention further provide a security posture awareness platform, as shown in fig. 9, including: a processor 901; and a memory 903 configured to store computer program instructions adapted to be loaded by the processor and to perform the method of protecting data flow security developed by the present invention. Optionally, at least one embodiment of the present invention further provides a computer readable nonvolatile storage medium storing computer program instructions, which when executed by a computer, perform the method for protecting data flow security developed by the present invention.
The processor 901 may be any suitable processor, for example, implemented as a central processing unit, a microprocessor, an embedded processor, etc., and may be in an X86, ARM, etc. architecture. The memory 903 may be any of a variety of suitable storage devices, such as non-volatile storage devices, including but not limited to magnetic storage devices, semiconductor storage devices, optical storage devices, etc., and may be arranged as a single storage device, an array of storage devices, or a distributed storage device, as embodiments of the present invention are not limited to such. It will be appreciated by those skilled in the art that the structure of the security posture awareness platform is merely illustrative, and is not limited to the structure of the device. For example, the security posture awareness platform may also include more or fewer components (e.g., transmission devices) than shown in fig. 9. The transmission device is used for receiving or transmitting data via a network. In one example, the transmission device is a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
It can be appreciated that the technical details and the technical effects that can be achieved in the foregoing embodiments are still applicable in this embodiment, and in order to reduce repetition, a description is omitted in this embodiment.
The embodiments described hereinabove are intended to provide those of ordinary skill in the art with a variety of modifications and variations to the embodiments described above without departing from the spirit of the invention, and therefore the scope of the invention is not limited to the embodiments described hereinabove, but is to be accorded the broadest scope consistent with the innovative features recited in the claims.

Claims (10)

1. The method for protecting the security of the data stream is suitable for a security situation awareness platform and is characterized in that the security situation awareness platform comprises a quantum middleware, a security agent deployed on a first object side and a key engine deployed on the security situation awareness platform side, and comprises the following steps:
acquiring a first ciphertext of a first object, wherein the first ciphertext is formed by encrypting return data of the first object through a first quantum derivative key, and the first quantum derivative key is derived based on at least one time of quantum root key derivation;
And decrypting the first ciphertext by using a second quantum derivative key to obtain the returned data, wherein the second quantum derivative key is generated by the key engine based on the quantum root key being derived at least once, and the security agent and the key engine negotiate to obtain a shared quantum root key through the quantum middleware.
2. The method of claim 1, wherein the security agent is further coupled to a first quantum unitary, wherein the key engine is further coupled to a second quantum unitary, wherein the second quantum unitary is coupled to the first quantum unitary via a quantum channel and a classical channel, wherein the security agent is coupled to the key engine via the quantum middleware via a traffic channel, wherein negotiating by the security agent and the key engine via the quantum middleware to obtain a shared quantum root key comprises:
the security agent sequentially or randomly acquires an integrity protection key vector and an encryption key vector from the first quantum integrated machine, and processes the integrity protection key vector and the encryption key vector to form the quantum root key;
and negotiating by the quantum middleware to enable a quantum root key at a first quantum integrated machine connected with the security agent to be shared to a second quantum integrated machine connected with the key engine through a quantum channel and a classical channel.
3. The method of claim 1, wherein decrypting the first ciphertext using a second quantum derived key to obtain the passback data comprises:
processing the quantum root key and/or an identification of a first object based on a KDF function to form a seventh quantum derivative key, the identification of the first object including at least one of: network identification, user identification, service level identification, process identification and node identification in the data streaming process;
an eighth quantum derivative key formed by processing the seventh quantum derivative key based on a KDF function, and processing the eighth quantum derivative key through a trunk function to form a second quantum derivative key;
and decrypting the first ciphertext by using the second quantum derivative key formed by the seventh quantum derivative key and the eighth quantum derivative key derivative process sequentially by using the quantum root key to obtain the returned data.
4. The method of claim 2, wherein obtaining the first ciphertext of the first object comprises:
the security agent deriving the first quantum-derived key based on the quantum-root key, the identity of the first object derived at least once;
Encrypting the return data with the first quantum derived key to obtain the first ciphertext.
5. The method of claim 4, wherein encrypting the backhaul data with the first quantum-derived key comprises:
the security agent encrypts the return data with the first quantum derived key to obtain the first ciphertext;
or the security agent transmits the derived first quantum derivative key to the key engine through a traffic channel, so that the key engine encrypts the returned data by using the first quantum derivative key to obtain the first ciphertext.
6. The method of claim 2, wherein obtaining the first ciphertext of the first object further comprises:
the security agent transmits the quantum-root key to the key engine via a traffic channel such that the key engine derives the first quantum-derived key based on the quantum-root key, the identity of the first object, at least once, the key engine encrypts the passback data with the first quantum-derived key to obtain the first ciphertext.
7. The method of claim 5 or 6, wherein deriving the first quantum-derived key based on the quantum-root key, the identification of the first object, at least once comprises:
Processing the quantum root key and/or an identification of a first object based on a KDF function to form a third quantum derived key, the identification of the first object including at least one of: network identification, user identification, service level identification, process identification and node identification in the data streaming process;
a fourth quantum derivative key formed by processing the third quantum derivative key based on a KDF function, and a first quantum derivative key formed by processing the fourth quantum derivative key through a trunk function;
and encrypting the returned data by using the quantum root key through the first quantum derivative key formed by the third quantum derivative key and the fourth quantum derivative key derivative process in sequence.
8. The method of claim 2, wherein the processing of the integrity protection key vector and the encryption key vector by the security agent to form the quantum-root key comprises:
processing the integrity protection key vector and the encryption key vector based on a KDF function to form a quantum root key, wherein the quantum root key = KDF (integrity protection key vector and encryption key vector, salt, operations), the Salt comprising at least one of: service node ID, user ID, service ID, serial number and non-secret parameter, wherein the Iterations are preset iteration times;
And processing a preset integrity protection identifier, an encryption identifier and the quantum root key by utilizing a KDF function to form a fifth quantum derivative key, and processing the fifth quantum derivative key by utilizing a trunk function to form a sixth quantum derivative key, wherein the sixth quantum derivative key is provided for a core network connected through an air interface.
9. The data management system is characterized by comprising a security situation awareness platform, wherein the security situation awareness platform comprises a quantum middleware, a security agent arranged on a first object side and a key engine arranged on the security situation awareness platform side, the security agent is further connected with a first quantum integrated machine, the key engine is further connected with a second quantum integrated machine, and the second quantum integrated machine is connected with the first quantum integrated machine through a quantum channel and a classical channel;
the security posture awareness platform is configured to implement the method for protecting data flow security according to any one of claims 1 to 8.
10. The data management system of claim 9, further comprising:
the first quantum integrated machine is accessed to a centralized control station through a user access switch, a user convergence switch and an external network switch, and establishes a classical channel with the second quantum integrated machine, and the first quantum integrated machine establishes a quantum channel with the second quantum integrated machine through an optical quantum switch;
The user access switch of the first object establishes a traffic channel between the first object and the security situation awareness platform through the first quantum security gateway and the second quantum security gateway.
CN202211703681.9A 2022-12-28 2022-12-28 Method for protecting data flow security and data management system Pending CN116232570A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211703681.9A CN116232570A (en) 2022-12-28 2022-12-28 Method for protecting data flow security and data management system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211703681.9A CN116232570A (en) 2022-12-28 2022-12-28 Method for protecting data flow security and data management system

Publications (1)

Publication Number Publication Date
CN116232570A true CN116232570A (en) 2023-06-06

Family

ID=86572194

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211703681.9A Pending CN116232570A (en) 2022-12-28 2022-12-28 Method for protecting data flow security and data management system

Country Status (1)

Country Link
CN (1) CN116232570A (en)

Similar Documents

Publication Publication Date Title
Fang et al. Security for 5G mobile wireless networks
CN107018134B (en) Power distribution terminal safety access platform and implementation method thereof
US9461975B2 (en) Method and system for traffic engineering in secured networks
CN109088870B (en) Method for safely accessing acquisition terminal of power generation unit of new energy plant station to platform
US8112622B2 (en) Chaining port scheme for network security
CN111052672B (en) Secure key transfer protocol without certificate or pre-shared symmetric key
US20120008787A1 (en) Lightweight key distribution and management method for sensor networks
US20060233376A1 (en) Exchange of key material
CN108075890A (en) Data sending terminal, data receiver, data transmission method and system
Kong et al. Achieve secure handover session key management via mobile relay in LTE-advanced networks
KR101485279B1 (en) Switch equipment and data processing method for supporting link layer security transmission
WO2023082599A1 (en) Blockchain network security communication method based on quantum key
EP3691316A1 (en) Parameter protection method, device and system
KR20180130203A (en) APPARATUS FOR AUTHENTICATING IoT DEVICE AND METHOD FOR USING THE SAME
CN113489586B (en) VPN network system compatible with quantum key negotiation
WO2023020164A1 (en) Method and apparatus for managing communication channel
Mehic et al. Quantum cryptography in 5g networks: A comprehensive overview
CN114285571A (en) Method, gateway device and system for using quantum key in IPSec protocol
Fujdiak et al. Security in low-power wide-area networks: State-of-the-art and development toward the 5G
CN115766002A (en) Method for realizing encryption and decryption of Ethernet data by adopting quantum key distribution and software definition
US20070055870A1 (en) Process for secure communication over a wireless network, related network and computer program product
US11652910B2 (en) Data transmission method, device, and system
Cho et al. Secure open fronthaul interface for 5G networks
CN116055091B (en) Method and system for realizing IPSec VPN by adopting software definition and quantum key distribution
CN116232570A (en) Method for protecting data flow security and data management system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination