CN116527259B - Cross-domain identity authentication method and system based on quantum key distribution network - Google Patents

Cross-domain identity authentication method and system based on quantum key distribution network Download PDF

Info

Publication number
CN116527259B
CN116527259B CN202310799391.7A CN202310799391A CN116527259B CN 116527259 B CN116527259 B CN 116527259B CN 202310799391 A CN202310799391 A CN 202310799391A CN 116527259 B CN116527259 B CN 116527259B
Authority
CN
China
Prior art keywords
key
authentication
identity authentication
service system
quantum key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310799391.7A
Other languages
Chinese (zh)
Other versions
CN116527259A (en
Inventor
胡缙
杨浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Quantum Technology Co ltd
Original Assignee
China Telecom Quantum Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Quantum Technology Co ltd filed Critical China Telecom Quantum Technology Co ltd
Priority to CN202310799391.7A priority Critical patent/CN116527259B/en
Publication of CN116527259A publication Critical patent/CN116527259A/en
Application granted granted Critical
Publication of CN116527259B publication Critical patent/CN116527259B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a cross-domain identity authentication method and a system based on a quantum key distribution network, comprising the following steps: sending a key negotiation request to a corresponding quantum key management system, and forwarding the key negotiation request to a quantum key generation system by the quantum key management system so that the quantum key generation system establishes a relay key negotiation link between quantum key terminals and generates a symmetric authentication key; receiving an authentication request sent by a corresponding user side terminal, and distributing an identification of the authentication key to the user side terminal based on the authentication request; receiving login request information sent by a corresponding user side terminal, and responding to a constructed token ciphertext to the user side terminal based on the login request information so as to forward the token ciphertext to a cross-domain identity authentication service system when the user side terminal accesses the cross-domain identity authentication service system; the invention solves the centralization problem existing in the cross-domain identity authentication, and improves the confidentiality and the integrity of the authentication credential data distribution.

Description

Cross-domain identity authentication method and system based on quantum key distribution network
Technical Field
The invention relates to the technical field of security application, in particular to a cross-domain identity authentication method and system based on a quantum key distribution network.
Background
With the rapid development of internet technology and the expansion of the scale of network application systems, various services and resources are distributed into different domains. Different services and resources are distinguished according to the division and authority management of the domains, so that users of different domains can use the different services and resources according to different requirements, and the mode of accessing the services and the resources under the same domain involves cross-domain access.
In the traditional cross-domain access method, data such as cross-domain authentication credentials, identity tokens and the like are usually maintained by adopting a central or centralized database, an agent and the like, so that authentication and verification of user identities are realized. However, the existing central identity authentication method used by cross-domain access has the following problems in the actual application process: (1) The reliability of the centralized management identity authentication data is poor, the user access is easy to generate a bottleneck, once the user fails to affect the global situation, and the flexibility of expansion is lacking; (2) When the same user accesses other identity authentication service systems under the cross-domain, the data such as identity authentication credentials, identity tokens and the like are required to be synchronized among the identity authentication service systems of the cross-domain, and the risk of being stolen and tampered in the process of distributing the identity authentication data exists.
In the related technology, the Chinese patent application document with the application publication number of CN114362947A discloses a wide area quantum key service method and a system, the scheme describes a method for generating a key between any nodes in local and cross-domain scenes, key relay and unified management of the QKD network are realized through QKD link network virtualization and unified service interfaces, quantum key service is realized among different QKD networks through a unified platform, and the platform adopts a cascade architecture.
Disclosure of Invention
The technical problem to be solved by the invention is how to improve confidentiality and integrity of authentication credential data distribution.
The invention solves the technical problems by the following technical means:
in a first aspect, the present invention provides a cross-domain identity authentication method based on a quantum key distribution network, which is applied to an identity authentication service system, and the method comprises the following steps:
sending a key negotiation request to a corresponding quantum key management system, and forwarding the key negotiation request to a quantum key generation system by the quantum key management system so that the quantum key generation system establishes a relay key negotiation link between quantum key terminals KM and generates a symmetric authentication key;
Receiving an authentication request sent by a corresponding user side terminal, and distributing an identification of the authentication key to the user side terminal based on the authentication request, so that when the user side terminal accesses a cross-domain identity authentication service system, the authentication key is applied to a quantum key management system corresponding to the cross-domain identity authentication service system based on the identification of the authentication key;
receiving login request information sent by a corresponding user side terminal, and responding to the constructed token ciphertext to the user side terminal based on the login request information so as to forward the token ciphertext to a cross-domain identity authentication service system when the user side terminal accesses the cross-domain identity authentication service system.
Further, before the sending the key negotiation request to the corresponding quantum key management system, the method further comprises:
sending an internet access authentication request to the corresponding quantum key management system so that the quantum key management system generates a signature public-private key pair and returns the signature public-private key pair to the identity authentication service system;
signing the authentication data by using the private key in the public-private key pair to obtain signature data and sending the signature data to the quantum key management system so that the quantum key management system verifies the authentication information of the signature data based on the public key;
And after the quantum key management system passes the verification, receiving an authentication token handle returned by the quantum key management system.
Further, the sending a key negotiation request to a corresponding quantum key management system, and forwarding, by the quantum key management system, to a quantum key generation system, so that the quantum key generation system establishes an inter-KM relay key negotiation link and generates a symmetric authentication key, including:
sending a key negotiation request to the corresponding quantum key management system, wherein the information carried by the key negotiation request is QMID-A I KMID-A I QMID-B I KMID-B, wherein QMID-A is a virtual unique identifier of the quantum key management system A, KMID-A is a virtual unique identifier of a quantum key terminal corresponding to the quantum key management system A, QMID-B is a virtual unique identifier of the quantum key management system B, KMID-B is a virtual unique identifier of a quantum key terminal corresponding to the quantum key management system B, and I is a virtual unique identifier representing logic and characters;
and the quantum key management system sends the key negotiation request to the quantum key generation system, so that the quantum key generation system triggers the relay key negotiation among KMs, generates the symmetrical authentication key and stores the authentication key in a relay key pool corresponding to each relay.
Further, after the sending the key negotiation request to the corresponding quantum key management system, the method further comprises:
sending a batch key request to the quantum key management system, wherein the batch key request carries information including the authentication token handle, the QMID-B and the KMID-B;
and receiving the identification readkeyID of the authentication key returned by the quantum key management system, wherein the cross-domain identity authentication service system is used as a passive end to monitor and wait for the quantum key management system corresponding to the local end to return the identification readkeyID of the authentication key.
Further, the authentication request carried information sent by the user side terminal includes a user master key, a user master key identifier and a security chip ID, where the user master key is stored in the security chip, and the security chip is set in the user side terminal.
Further, the receiving the login request information sent by the corresponding user side terminal and responding the constructed token ciphertext to the user side terminal based on the login request information includes:
receiving corresponding login request information sent by the user side terminal, wherein the login request information comprises an identification of the authentication key and login information ciphertext encrypted by the authentication key;
Requesting the quantum key management system to acquire the authentication key based on the identification of the authentication key;
and verifying the login request information based on the authentication key, and generating the token ciphertext after verification is passed.
Further, verifying the login request information based on the authentication key, and generating the token ciphertext after verification is passed, includes:
after the login information passes verification, an identity Token is generated;
calculating ciphertext data of the identity Token by adopting the authentication key in combination with an encryption algorithm;
calculating the MAC value of the ciphertext data of the identity Token by using hash operation in combination with the authentication key;
and generating the Token ciphertext based on the ciphertext data of the identity Token and the MAC value of the Token.
Further, the method further comprises:
receiving login request information sent by a user side terminal corresponding to a cross-domain identity authentication service system, wherein the login request information carries the token ciphertext;
sending the token ciphertext to a corresponding quantum key management system so that the quantum key management system searches an authentication key;
and receiving the authentication key and decrypting the token ciphertext by using the authentication key to obtain a cross-domain authentication result.
Further, when receiving login request information sent by a user side terminal corresponding to a cross-domain identity authentication service system, if the login request information does not carry the token ciphertext, the method further includes:
responding to the connection failure information and the authentication redirection information to the user side terminal corresponding to the cross-domain identity authentication service system, wherein the authentication redirection information comprises parameter information of the cross-domain identity authentication service system.
Further, the cross-domain authentication service system comprises at least one cross-domain authentication service system.
In a second aspect, the present invention also provides a cross-domain identity authentication method based on a quantum key distribution network, applied to a user terminal, the method comprising the following steps:
sending an authentication request to a corresponding identity authentication service system to acquire an authentication key identifier distributed by the identity authentication service system;
sending an authentication key application request to a corresponding quantum key management system based on the authentication key identification so as to acquire an authentication key returned by the quantum key management system;
sending login request information to the identity authentication service system so that the identity authentication service system generates a token ciphertext based on the login request information, wherein the login request information is obtained by encrypting the authentication key;
And receiving the token ciphertext, and sending a login request to the cross-domain identity authentication service system when the user side terminal accesses the cross-domain identity authentication service system, wherein the login request carries the token ciphertext.
Further, the user side terminal is provided with a security chip, a quantum key preset by a quantum key distribution system is stored in the security chip as a user master key, and an authentication request is sent to a corresponding identity authentication service system to obtain an authentication key identifier distributed by the identity authentication service system, including:
sending an authentication request to the identity authentication service system, wherein the authentication request carries information including a user master key, a user master key identifier and a security chip ID;
and establishing a session with the identity authentication service system and receiving an authentication key identifier (ReadkeyID) distributed by the identity authentication service system.
Further, the sending an authentication key application request to the corresponding quantum key management system based on the authentication key identifier to obtain an authentication key returned by the quantum key management system includes:
constructing authentication key request information and sending the authentication key request information to a corresponding quantum key management system, wherein the authentication key request information comprises the user master key identification and request information encrypted by adopting the user master key, and the request information is: the security chip ID QMID-A KMID-A ReadkeyID, QMSID-A is a virtual unique identifier of the quantum key management system A, KMID-A is a virtual unique identifier of a quantum key terminal corresponding to the quantum key management system A, and ReadkeyID is the authentication key identifier;
After the quantum key management system successfully decrypts the authentication key request information by searching the corresponding user master key according to the user master key identification, receiving an authentication key encryption message returned by the quantum key management system, wherein the authentication key encryption message is obtained by encrypting an authentication key by the quantum key management system by adopting a user master key;
and searching a corresponding user master key according to the user master key identifier, and decrypting the authentication key encryption message to obtain the authentication key.
Further, the receiving the token ciphertext, when the user terminal accesses the cross-domain identity authentication service system, sending a login request to the cross-domain identity authentication service system, where the login request carries the token ciphertext, includes:
receiving the token ciphertext, decrypting and verifying the token ciphertext by adopting the authentication key, and confirming that response authentication is completed;
when a user side terminal accesses a cross-domain identity authentication service system, forwarding the token ciphertext to a quantum key management system corresponding to the cross-domain identity authentication service system;
and receiving a cross-domain authentication result returned by the quantum key management system corresponding to the cross-domain identity authentication service system.
Further, accessing a cross-domain identity authentication service system at a user side terminal, and sending a login request to the cross-domain identity authentication service system, wherein if the login request does not carry the token ciphertext, the method further comprises the steps of:
receiving a connection failure message and a redirection message returned by a cross-domain identity authentication service system, wherein the redirection message comprises parameter information of the identity authentication service system in the local domain;
and initiating an identity authentication flow to the identity authentication service system in the local domain based on the parameter information of the identity authentication service system in the local domain.
In a third aspect, the present invention also proposes an authentication service system, the system comprising:
the key negotiation request sending module is used for sending a key negotiation request to a corresponding quantum key management system and forwarding the key negotiation request to the quantum key generation system by the quantum key management system so that the quantum key generation system establishes a relay key negotiation link between the KMs and generates a symmetrical authentication key;
the request receiving module is used for receiving an authentication request sent by a corresponding user side terminal, distributing an identification of the authentication key to the user side terminal based on the authentication request, and applying the authentication key to a quantum key management system corresponding to the cross-domain identity authentication service system based on the identification of the authentication key when the user side terminal accesses the cross-domain identity authentication service system;
The identity authentication module is used for receiving login request information sent by the corresponding user side terminal, responding the constructed token ciphertext to the user side terminal based on the login request information, and forwarding the token ciphertext to the cross-domain identity authentication service system when the user side terminal accesses the cross-domain identity authentication service system.
In a fourth aspect, the present invention further provides a user terminal, where the terminal includes:
the authentication request module is used for sending an authentication request to a corresponding identity authentication service system so as to acquire an authentication key identifier distributed by the identity authentication service system;
the authentication key application module is used for sending an authentication key application request to the corresponding quantum key management system based on the authentication key identification so as to acquire an authentication key returned by the quantum key management system;
a login request module for sending login request information to the identity authentication service system so that the identity authentication service system generates a token ciphertext based on the login request information, wherein the login request information is obtained by encrypting the authentication key;
the cross-domain authentication module is used for receiving the token ciphertext, and sending a login request to the cross-domain identity authentication service system when the user side terminal accesses the cross-domain identity authentication service system, wherein the login request carries the token ciphertext.
In a fifth aspect, the present invention further provides a cross-domain identity authentication system based on a quantum key distribution network, where the system includes a user side terminal, a quantum key generation system, an identity authentication service system a in the user side terminal home domain, and an identity authentication service system B in the user side terminal cross domain, where the identity authentication service system a is connected to a quantum key management system a, the identity authentication service system B is connected to a quantum key management system B, and both the quantum key management system a and the quantum key management system B are connected to the quantum key generation system, where:
the identity authentication service system A and the identity authentication service system B are used for sending a key negotiation request to the quantum key generation system, establishing a relay key negotiation link between KMs in the quantum key generation system and generating a symmetrical authentication key;
the user side terminal sends an authentication request to the identity authentication service system A and receives an authentication key identifier returned by the identity authentication service system A;
the user side terminal sends login request information to the identity authentication service system A and receives a token ciphertext responded by the identity authentication service system A;
And the user side terminal accesses the identity authentication service system B based on the token ciphertext.
The invention has the advantages that:
(1) The identity authentication service system initiates a cross-domain key negotiation request by adopting a configurable key application mode vector subkey management system, establishes a relay key link between KMs in a quantum key generation system, realizes key negotiation between the cross-domain quantum key management systems, and solves the problem of key synchronization of a quantum key distribution network between the cross-domain identity authentication service systems; the identity authentication service system receives an authentication request sent by a user side terminal, responds to the constructed token ciphertext to the user side terminal, does not need to intensively maintain user identity tokens among a plurality of cross-domain identity authentication service systems, and directly forwards the identity token ciphertext generated in the user side to a corresponding cross-domain identity authentication service system to finish decryption and verification when the user needs to access other cross-domain identity authentication service systems, and after the user side passes through the cross-domain identity authentication service system, the problem that the traditional cross-domain identity authentication service system needs to intensively maintain the identity tokens is solved.
(2) Based on the quantum key distribution network, the authentication key is safely distributed, the authentication key is used for realizing the encryption of the identity authentication data, and the data integrity is ensured through the HMAC.
(3) Based on the security of the quantum key distribution information, the negotiation and generation of the quantum symmetric key are realized, and the quantum symmetric key is still safe even under the condition that quantum computing has infinite computing resources; the quantum symmetric key is used as an authentication key for encrypting identity authentication data, and the symmetric algorithm is combined to replace the existing public key cryptographic algorithm which is easy to attack by quantum computing, so that the threat of quantum computing on classical cryptographic security is prevented.
(4) The user side terminal adopts a security chip preset key as a user master key, applies an authentication key for encrypting login information based on a user master key vector subkey distribution network, decrypts and verifies validity after the identity authentication service system receives the login encryption information, and solves the problem that traditional identity authentication credential data is not encrypted or encryption depends on a public key algorithm.
(5) The whole scheme has small system change, and a mature safety chip integration scheme is used at the user side to provide key storage and cryptographic algorithm functions; the authentication server directly interfaces with the quantum key distribution network through the key interface to apply for the key, which is easy to realize and does not worry about the problem of large key consumption of the server.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
Fig. 1 is a schematic flow chart of a cross-domain identity authentication method based on a quantum key distribution network according to an embodiment of the present invention;
fig. 2 is a flow chart of a cross-domain identity authentication method based on a quantum key distribution network according to a second embodiment of the present invention;
fig. 3 is a schematic structural diagram of an authentication service system according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of a user side terminal according to a fourth embodiment of the present invention;
fig. 5 is a schematic structural diagram of a cross-domain identity authentication system based on a quantum key distribution network according to a fifth embodiment of the present invention;
fig. 6 is a schematic structural diagram of a cross-domain identity authentication system based on a quantum key distribution network according to a sixth embodiment of the present invention;
fig. 7 is a schematic structural diagram of a cross-domain identity authentication system based on a quantum key distribution network according to a seventh embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly and completely described in the following in conjunction with the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
As shown in fig. 1, a first embodiment of the present invention proposes a cross-domain identity authentication method based on a quantum key distribution network, applied to an identity authentication service system, the method comprising the steps of:
s101, sending a key negotiation request to a corresponding quantum key management system, and forwarding the key negotiation request to a quantum key generation system by the quantum key management system, so that the quantum key generation system establishes a relay key negotiation link between KMs and generates a symmetric authentication key;
s102, receiving an authentication request sent by a corresponding user side terminal, and distributing an identification of an authentication key to the user side terminal based on the authentication request, so that when the user side terminal accesses a cross-domain identity authentication service system, the authentication key is applied to a quantum key management system corresponding to the cross-domain identity authentication service system based on the identification of the authentication key;
s103, receiving login request information sent by a corresponding user side terminal, and responding the constructed token ciphertext to the user side terminal based on the login request information so as to forward the token ciphertext to a cross-domain identity authentication service system when the user side terminal accesses the cross-domain identity authentication service system.
It should be noted that, in this embodiment, the user side terminal may send a login request to the authentication service system in the local domain and the authentication service system across domains, where each authentication service system is correspondingly connected to a quantum key management system, and each quantum key management system is connected to the quantum key generation system. The identity authentication service system initiates a cross-domain key negotiation request by adopting a configurable key application mode vector subkey management system, establishes a relay key link between KMs in the quantum key generation system, realizes key negotiation between the cross-domain quantum key management systems, and solves the problem of key synchronization between the cross-domain identity authentication service systems based on a quantum key distribution network; the identity authentication service system receives an authentication request sent by a user side terminal, responds to the constructed token ciphertext to the user side terminal, does not need to intensively maintain user identity tokens among a plurality of identity authentication service systems of cross domains, and when a user needs to access other identity authentication service systems of cross domains, the user side directly forwards the identity token ciphertext generated in the user side to the corresponding cross-domain identity authentication service system to finish decryption and verification, and after the authentication is passed, cross-domain authentication is finished, so that the problem that the traditional cross-domain identity authentication service system needs to intensively maintain the identity tokens is solved, and the risks of stealing and falsifying in the process of distributing identity authentication data are avoided.
It should be noted that, in this embodiment, the quantum key distribution network already has the capability of providing the quantum key from end to end, the multiple quantum key management systems directly acquire the quantum key and cache the symmetric key pool, there is no limitation on the relay implementation manner of the quantum key, the multiple quantum key management systems are in a decoupling state instead of a cascading architecture, and the user side terminal realizes cross-domain identity authentication based on the security chip, so as to solve the problems of cross-domain identity authentication decentralization and authentication credential data distribution realization confidentiality and integrity.
In one embodiment, in the step S101: before sending the key negotiation request to the corresponding quantum key management system, the method further comprises the following steps:
sending an internet access authentication request to the corresponding quantum key management system so that the quantum key management system generates a signature public-private key pair and returns the signature public-private key pair to the identity authentication service system;
signing the authentication data by using the private key in the public-private key pair to obtain signature data and sending the signature data to the quantum key management system so that the quantum key management system verifies the authentication information of the signature data based on the public key;
And after the quantum key management system passes the verification, receiving an authentication token handle returned by the quantum key management system.
It should be noted that, the identity authentication service system a in the user terminal local domain is connected with the quantum key management system a to complete initialization configuration, and then the authentication service system a is used as a key application server to send an access authentication request to the quantum key management system a connected with the authentication service system a, so that the quantum key management system a generates a signature public-private key pair Kp and Ks and imports the signature public-private key pair Kp and Ks to the identity authentication service system a. The identity authentication service system A signs authentication data by using a private key Ks and sends the authentication data to the quantum key management system A, the quantum key management system A verifies the signed authentication information by using a preset public key Kp, and after the authentication is passed, the authentication is returned to pass. The quantum key management system A returns an authentication token handle-A, and the identity authentication service system A caches the authentication token handle-A.
The identity authentication service system B in the cross domain of the user side terminal acquires an authentication token handle-B returned by the quantum key management system B according to the same steps.
In one embodiment, the step S101: the method comprises the steps that a key negotiation request is sent to a corresponding quantum key management system, and the key negotiation request is forwarded to a quantum key generation system by the quantum key management system, so that the quantum key generation system establishes a relay key negotiation link between KMs and generates a symmetrical authentication key, and the method comprises the following steps:
Sending a key negotiation request to the corresponding quantum key management system, wherein the information carried by the key negotiation request is QMID-A I KMID-A I QMID-B I KMID-B, wherein QMID-A is a virtual unique identifier of the quantum key management system A, KMID-A is a virtual unique identifier of a quantum key terminal corresponding to the quantum key management system A, QMID-B is a virtual unique identifier of the quantum key management system B, KMID-B is a virtual unique identifier of a quantum key terminal corresponding to the quantum key management system B, and I is a virtual unique identifier representing logic and characters;
and the quantum key management system sends the key negotiation request to the quantum key generation system, so that the quantum key generation system triggers the relay key negotiation among KMs, generates the symmetrical authentication key and stores the authentication key in a relay key pool corresponding to each relay.
Specifically, an identity authentication service system A initiates a key negotiation request to a vector subkey management system A, and a quantum key management system A recognizes the key negotiation request as a cross-domain key negotiation mode and sends the key negotiation request to a quantum key generation system; andtriggeringrelaykeynegotiationflowsofthequantumkeyterminalsKM-AandKM-Baccordingtothekeynegotiationrequestinformationbythequantumkeygenerationsystem,respectivelygeneratingsymmetricalkeysbytheKM-AandtheKM-Bafterthenegotiationflowsarecompleted,andstoringthesymmetricalkeysinacorrespondingrelaykeypoolRelayABandarelaykeypoolRelayBA.
In one embodiment, in the step S101: after sending the key negotiation request to the corresponding quantum key management system, the method further comprises the following steps:
sending a batch key request to the quantum key management system, wherein the batch key request carries information including the authentication token handle, the QMID-B and the KMID-B;
and receiving the identification readkeyID of the authentication key returned by the quantum key management system, wherein the cross-domain identity authentication service system is used as a passive end to monitor and wait for the quantum key management system corresponding to the local end to return the identification readkeyID of the authentication key.
Specifically, the authentication service system A applies for batch keys in advance to the sub-key management system A, inputs an authentication token handle-A, QMSID-B, KMID-B, and returns an acquisition notice and an authentication key identification ReadKeyID. The cross-domain identity authentication service system B is used as a passive end to monitor and wait for the local end quantum key management system B to return key information.
In an embodiment, the authentication request carried information sent by the user side terminal includes a user master key, a user master key identifier and a security chip ID, where the user master key is stored in the security chip, the security chip is set in the user side terminal, and the user master key is preset in the security chip for the quantum key generating system.
In an embodiment, in step S102, an authentication request sent by a corresponding user side terminal is received, and an identifier of the authentication key is allocated to the user side terminal based on the authentication request, so that when the user side terminal accesses a cross-domain identity authentication service system, the authentication key is applied to a quantum key management system corresponding to the cross-domain identity authentication service system based on the identifier of the authentication key, and specifically includes:
the identity authentication service system A receives an authentication request initiated by a user side terminal, wherein the authentication request carries a user master key UMK-1, a key identifier NUMK-1 and a chip ID obtained from a security chip;
the user terminal establishes a session with the identity authentication service system A, and the identity authentication service system A distributes a key identification ReadkeyID to the user terminal.
In an embodiment, the step S103: receiving login request information sent by a corresponding user side terminal, and responding to the constructed token ciphertext to the user side terminal based on the login request information, wherein the method comprises the following steps:
s131, receiving corresponding login request information sent by the user side terminal, wherein the login request information comprises an identification of the authentication key and login information ciphertext encrypted by the authentication key;
theidentityauthenticationservicesystemAreceiveslogininformationciphertextandReadkeyIDsentbyAusersideterminal,whereinthelogininformationciphertextisobtainedbyencryptinglogininformationbytheusersideterminalbyusinganauthenticationkeyWK-A,andtheauthenticationkeyWK-AisderivedfromArelaykeypoolRelayABofKM-A.
S132, requesting the quantum key management system to acquire the authentication key based on the identification of the authentication key;
and S133, verifying the login request information based on the authentication key, and generating the token ciphertext after verification is passed.
Specifically, the identity authentication service system A receives login information ciphertext, acquires an authentication key WK-A from the quantum key management system A based on an authentication key identification ReadkeyID, verifies login information after decryption, and generates token ciphertext after verification passes.
In one embodiment, the step S133: verifying the login request information based on the authentication key, and generating the token ciphertext after verification is passed, wherein the method specifically comprises the following steps of:
after the login information passes verification, an identity Token is generated;
calculating ciphertext data of the identity Token by adopting the authentication key in combination with an encryption algorithm;
Calculating the MAC value of the ciphertext data of the identity Token by using hash operation in combination with the authentication key;
and generating the Token ciphertext based on the ciphertext data of the identity Token and the MAC value of the Token.
Specifically, the identity authentication service system A calculates ciphertext datA of the Token by using an authentication key WK-A in combination with A national encryption SM4 algorithm, and calculates the MAC value of the ciphertext datA of the Token by using an HMAC-SM3 algorithm in combination with the authentication key. And forwarding the ciphertext data and the MAC value of the Token to the user side terminal. And the user side terminal receives the ciphertext datA and the MAC value of the Token, finishes decryption by using the authentication key WK-A, compares the message codes consistently and responds to the completion of authentication.
In an embodiment, when the authentication service system receives the login request information sent by the cross-domain user side terminal, the method further includes the following steps:
receiving login request information sent by a user side terminal corresponding to a cross-domain identity authentication service system, wherein the login request information carries the token ciphertext;
sending the token ciphertext to a corresponding quantum key management system so that the quantum key management system searches an authentication key;
and receiving the authentication key and decrypting the token ciphertext by using the authentication key to obtain a cross-domain authentication result.
When the identity authentication service system B is accessed by a cross-domain user side terminal, ciphertext data, a MAC value and ReadkeyID, QMSID-A, KMID-A of Token sent by the user side terminal are received; the identity authentication service system B transmits the corresponding authentication key WK-A to the vector subkey management system B to ReadkeyID, QMSID-A, KMID-A, tokenHandle-B so that the quantum key management system B searches the corresponding authentication key WK-A from the relay key pool Relay BA and returns the authentication key WK-A to the identity authentication service system B; the identity authentication service system B acquires the authentication key WK-A, decrypts the ciphertext datA and the MAC value of the Token, and responds to the cross-domain authentication completion if the decryption is passed, and responds to the authentication failure if the decryption is not passed.
In an embodiment, when receiving login request information sent by a user side terminal corresponding to a cross-domain identity authentication service system, if the login request information does not carry the token ciphertext, the method further includes:
responding to the connection failure information and the authentication redirection information to the user side terminal corresponding to the cross-domain identity authentication service system, wherein the authentication redirection information comprises parameter information of the cross-domain identity authentication service system.
It should be noted that, in this embodiment, the identity authentication process is that the user terminal needs to obtain the identity Token from the identity authentication service system a of the domain, and then the cross-domain identity authentication process can be completed, which has a definite authentication precondition.
Therefore, this embodiment adds a judgment mechanism to the cross-domain identity authentication process, so that when the user terminal first initiates a login request to the cross-domain identity authentication service system B, the identity authentication service system B recognizes that the user is a cross-domain first-time login user, the identity authentication service system B returns a redirection message to the user terminal, and the user terminal re-initiates the identity authentication process to the identity authentication service system a in the home domain.
In an embodiment, the cross-domain authentication service system includes at least one cross-domain authentication service system.
It should be noted that, in this embodiment, the authentication service system a is used as an authentication service system in the local domain of the user terminal, and the cross-domain authentication service system may include an authentication service system B, an authentication service system C, and the like, where each authentication service system is connected to a corresponding quantum key management system.
Example 2
As shown in fig. 2, the second embodiment of the present invention further provides a cross-domain identity authentication method based on a quantum key distribution network, which is applied to a user terminal, and the method includes the following steps:
s201, sending an authentication request to a corresponding identity authentication service system to acquire an authentication key identifier distributed by the identity authentication service system;
S202, sending an authentication key application request to a corresponding quantum key management system based on the authentication key identification so as to acquire an authentication key returned by the quantum key management system;
s203, sending login request information to the identity authentication service system so that the identity authentication service system generates a token ciphertext based on the login request information, wherein the login request information is obtained by encrypting the authentication key;
s204, receiving the token ciphertext, and sending a login request to the cross-domain identity authentication service system when the user side terminal accesses the cross-domain identity authentication service system, wherein the login request carries the token ciphertext.
In the embodiment, the user side terminal vector subkey generation system applies for an authentication key for encrypting login request information and then sends the authentication key to the identity authentication service system, and the identity authentication service system decrypts and verifies validity after receiving the login request information to generate a token ciphertext, so that the problem that traditional identity authentication credential data is not encrypted or encryption depends on a public key algorithm is solved; the user identity token does not need to be maintained in a centralized way among the cross-domain multiple identity authentication service systems, when the user side terminal needs to access other cross-domain identity authentication service systems, the user side terminal directly forwards the identity token ciphertext generated in the user side terminal to the corresponding cross-domain identity authentication service system to finish decryption and verification, and after the decryption and verification pass, the cross-domain authentication is finished, so that the problem that the traditional cross-domain identity authentication service system needs to maintain the identity token in a centralized way is solved.
In an embodiment, the user side terminal is provided with a security chip, in which a quantum key preset by the quantum key distribution system is stored as a user master key, and step S201: sending an authentication request to a corresponding identity authentication service system to obtain an authentication key identifier distributed by the identity authentication service system, wherein the authentication key identifier comprises the following steps:
s211, sending an authentication request to the identity authentication service system, wherein the authentication request carries information including a user master key, a user master key identifier and a security chip ID;
s212, establishing a session with the identity authentication service system and receiving an authentication key identification ReadkeyID distributed by the identity authentication service system.
It should be noted that, the user side terminal sends a key filling request to the quantum key management system a connected to the identity authentication service system a in the home domain, so that the quantum key management system a presets a quantum key to the security chip of the user side terminal as a user master key, and the quantum key management system a stores the correspondence between the user master key and the security chip. The user terminal initiates an authentication request to the identity authentication service system A in the local domain, and obtains a user master key UMK-1, a key identifier NUMK-1 and a chip ID from the security chip. Then the user terminal establishes a session with the identity authentication service system A, and the identity authentication service system A distributes an authentication key identification ReadkeyID.
In the embodiment, the preset key of the security chip is used as the user master key, and the authentication key is applied for encrypting login information based on the user master key vector subkey distribution network, so that the security is improved.
In one embodiment, the step S202: sending an authentication key application request to a corresponding quantum key management system based on the authentication key identifier so as to acquire an authentication key returned by the quantum key management system, wherein the authentication key application request comprises the following steps:
s221, constructing authentication key request information and sending the authentication key request information to the corresponding quantum key management system, wherein the authentication key request information comprises the user master key identification and request information encrypted by adopting the user master key, and the request information is: the security chip ID QMID-A KMID-A ReadkeyID, QMSID-A is a virtual unique identifier of the quantum key management system A, KMID-A is a virtual unique identifier of a quantum key terminal corresponding to the quantum key management system A, and ReadkeyID is the authentication key identifier;
s222, after the quantum key management system searches the corresponding user master key according to the user master key identification and successfully decrypts the authentication key request information, receiving an authentication key encryption message returned by the quantum key management system, wherein the authentication key encryption message is obtained by encrypting an authentication key by the quantum key management system by adopting the user master key;
S223, searching a corresponding user master key according to the user master key identification, and decrypting the authentication key encryption message to obtain the authentication key.
Specifically, when the user terminal accesses the identity authentication service system a in the local domain, the vector subkey management system a initiates an authentication key application request, and the constructed authentication key request information is: the user master key UMK-1 is encrypted (chip ID QMID-A KMID-A readkeyID) +the key identifies NUMK-1. thequantumkeymanagementsystemAsearchesthecorrespondingkeyaccordingtothekeyidentificationNUMK-1tofinishdecryptionoftheauthenticationkeyrequestinformation,andappliesfortheauthenticationkeyWK-AaccordingtotheReadkeyID,whereintheauthenticationkeyisderivedfromArelaykeypoolRelayABofKM-A. The authentication key WK-A is distributed to the user side terminal after being encrypted by the user master key UMK-1, the user side terminal searches the corresponding user master key UMK-1 according to the key identification NUMK-1 to finish decryption, the user side terminal obtains the authentication key WK-A, and the user side terminal maintains the relationship datA of the authentication key WK-A, readkeyID, QMSID-A, KMID-A.
It should be noted that, the user side terminal obtains the authentication key based on the secure chip vector subkey management system. When a user side terminal accesses a cross-domain identity authentication service system, a symmetric authentication key is acquired by a cross-domain quantum key management system based on an authentication key unique identifier maintained by a quantum key distribution network.
In one embodiment, the step S203: sending login request information to the identity authentication service system so that the identity authentication service system generates a token ciphertext based on the login request information, wherein the login request information is obtained by encrypting the authentication key, and the method specifically comprises the following steps of:
the user side terminal encrypts login information by using an authentication key WK-A, sends login information ciphertext and A readkeyID to the identity authentication service system A, enables the identity authentication service system A to receive the login information ciphertext, obtains the authentication key WK-A from the quantum key management system A based on the readkeyID, verifies the login information after decryption, and generates A token ciphertext after verification passes by the identity authentication service system A.
In one embodiment, the step S204: receiving the token ciphertext, and sending a login request to a cross-domain identity authentication service system when a user side terminal accesses the cross-domain identity authentication service system, wherein the login request carries the token ciphertext and comprises the following steps of:
s241, receiving the token ciphertext, decrypting and verifying the token ciphertext by adopting the authentication key, and confirming that response authentication is completed;
the user terminal receives the ciphertext datA and the MAC value of Token returned by the identity authentication service system A, so that the authentication key WK-A finishes decryption, the message codes are consistent in comparison, and the response authentication is finished.
S242, when the user terminal accesses the cross-domain identity authentication service system, forwarding the token ciphertext to a quantum key management system corresponding to the cross-domain identity authentication service system;
it should be noted that, when the user terminal needs to access the cross-domain authentication service system B, the user terminal sends the ciphertext data, the MAC value and ReadkeyID, QMSID-A, KMID-a of Token to the authentication service system B.
S243, receiving a cross-domain authentication result returned by the quantum key management system corresponding to the cross-domain identity authentication service system.
When the identity authentication service system B receives login request information sent by A user side terminal, the identity authentication service system B transmits ReadkeyID, QMSID-A, KMID-A, tokenHandle-B to the vector subkey management system B, and the quantum key management system B searches A corresponding authentication key WK-A from A relay key pool Relay BA and returns the authentication key WK-A to the identity authentication service system B; the identity authentication service system B acquires an authentication key WK-A, decrypts the ciphertext datA and the MAC value of the Token, and completes decryption by responding to cross-domain authentication without responding to authentication failure.
In an embodiment, the user terminal accesses the cross-domain identity authentication service system and sends a login request to the cross-domain identity authentication service system, and if the login request does not carry the token ciphertext, the method further includes:
Receiving a connection failure message and a redirection message returned by a cross-domain identity authentication service system, wherein the redirection message comprises parameter information of the identity authentication service system in the local domain;
and initiating an identity authentication flow to the identity authentication service system in the local domain based on the parameter information of the identity authentication service system in the local domain.
It should be noted that, in this embodiment, the identity authentication process is that the user terminal needs to obtain the identity Token from the identity authentication service system a of the domain, and then the cross-domain identity authentication process can be completed, which has a definite authentication precondition.
Therefore, this embodiment adds a judgment mechanism to the cross-domain identity authentication process, so that when the user terminal first initiates a login request to the cross-domain identity authentication service system B, the identity authentication service system B recognizes that the user is a cross-domain first-time login user, the identity authentication service system B returns a redirection message to the user terminal, and the user terminal re-initiates the identity authentication process to the identity authentication service system a in the home domain.
Example 3
As shown in fig. 3, a third embodiment of the present invention proposes an authentication service system, including:
A key negotiation request sending module 21, configured to send a key negotiation request to a corresponding quantum key management system, and forward the key negotiation request to a quantum key generation system by the quantum key management system, so that the quantum key generation system establishes an inter-KM relay key negotiation link and generates a symmetric authentication key;
the request receiving module 22 is configured to receive an authentication request sent by a corresponding user side terminal, and allocate an identifier of the authentication key to the user side terminal based on the authentication request, so that when the user side terminal accesses a cross-domain identity authentication service system, the authentication key is applied to a quantum key management system corresponding to the cross-domain identity authentication service system based on the identifier of the authentication key;
the identity authentication module 23 is configured to receive login request information sent by a corresponding user side terminal, and respond to the constructed token ciphertext to the user side terminal based on the login request information, so as to forward the token ciphertext to a cross-domain identity authentication service system when the user side terminal accesses the cross-domain identity authentication service system.
In the embodiment, the identity authentication service system initiates a cross-domain key negotiation request by adopting a configurable key application mode vector sub-key management system, establishes a relay key link between KMs in a quantum key generation system, realizes key negotiation between the cross-domain quantum key management systems, and solves the problem of key synchronization between the cross-domain identity authentication service systems based on a quantum key distribution network; the identity authentication service system receives an authentication request sent by a user side terminal, responds to the constructed token ciphertext to the user side terminal, does not need to intensively maintain user identity tokens among a plurality of cross-domain identity authentication service systems, and when a user needs to access other cross-domain identity authentication service systems, the user side directly forwards the identity token ciphertext generated in the user side to the corresponding cross-domain identity authentication service system to finish decryption and verification, and after the decryption and verification pass, the cross-domain authentication is finished, so that the problem that the traditional cross-domain identity authentication service system needs to intensively maintain the identity tokens is solved.
In an embodiment, the authentication service system further includes a network access request module, specifically configured to execute the following steps:
sending an internet access authentication request to the corresponding quantum key management system so that the quantum key management system generates a signature public-private key pair and returns the signature public-private key pair to the identity authentication service system;
signing the authentication data by using the private key in the public-private key pair to obtain signature data and sending the signature data to the quantum key management system so that the quantum key management system verifies the authentication information of the signature data based on the public key;
and after the quantum key management system passes the verification, receiving an authentication token handle returned by the quantum key management system.
In one embodiment, the key negotiation request sending module 21 is specifically configured to perform the following steps:
sending a key negotiation request to the corresponding quantum key management system, wherein the information carried by the key negotiation request is QMID-A I KMID-A I QMID-B I KMID-B, wherein QMID-A is a virtual unique identifier of the quantum key management system A, KMID-A is a virtual unique identifier of a quantum key terminal corresponding to the quantum key management system A, QMID-B is a virtual unique identifier of the quantum key management system B, KMID-B is a virtual unique identifier of a quantum key terminal corresponding to the quantum key management system B, and I is a virtual unique identifier representing logic and characters;
And the quantum key management system sends the key negotiation request to the quantum key generation system, so that the quantum key generation system triggers the relay key negotiation among KMs, generates the symmetrical authentication key and stores the authentication key in a relay key pool corresponding to each relay.
In an embodiment, the authentication service system further includes a batch key request module, specifically configured to perform the following steps:
sending a batch key request to the quantum key management system, wherein the batch key request carries information including the authentication token handle, the QMID-B and the KMID-B;
and receiving the identification readkeyID of the authentication key returned by the quantum key management system, wherein the cross-domain identity authentication service system is used as a passive end to monitor and wait for the quantum key management system corresponding to the local end to return the identification readkeyID of the authentication key.
In an embodiment, the authentication request carried information sent by the user side terminal includes a user master key, a user master key identifier and a security chip ID, where the user master key is stored in the security chip, the security chip is set in the user side terminal, and the user master key is preset in the security chip for the quantum key generating system.
In one embodiment, the request receiving module 22 is specifically configured to perform the following steps:
the identity authentication service system A receives an authentication request initiated by a user side terminal, wherein the authentication request carries a user master key UMK-1, a key identifier NUMK-1 and a chip ID obtained from a security chip;
the user terminal establishes a session with the identity authentication service system A, and the identity authentication service system A distributes a key identification ReadkeyID to the user terminal.
In one embodiment, the identity authentication module 23 includes:
a login request information receiving unit, configured to receive login request information sent by a corresponding user terminal, where the login request information includes an identifier of the authentication key and a login information ciphertext encrypted by using the authentication key;
an authentication key request unit for requesting the quantum key management system to acquire the authentication key based on the identification of the authentication key;
and the token ciphertext generating unit is used for verifying the login request information based on the authentication key and generating the token ciphertext after the verification is passed.
In an embodiment, the token ciphertext generating unit is configured to perform the following steps:
after the login information passes verification, an identity Token is generated;
Calculating ciphertext data of the identity Token by adopting the authentication key in combination with an encryption algorithm;
calculating the MAC value of the ciphertext data of the identity Token by using hash operation in combination with the authentication key;
and generating the Token ciphertext based on the ciphertext data of the identity Token and the MAC value of the Token.
In an embodiment, the authentication service system further includes a cross-domain login authentication module, configured to perform the following steps:
receiving login request information sent by a user side terminal corresponding to a cross-domain identity authentication service system, wherein the login request information carries the token ciphertext;
sending the token ciphertext to a corresponding quantum key management system so that the quantum key management system searches an authentication key;
and receiving the authentication key and decrypting the token ciphertext by using the authentication key to obtain a cross-domain authentication result.
In an embodiment, the identity authentication service system further comprises an authentication redirection module for performing the steps of:
responding to the connection failure information and the authentication redirection information to the user side terminal corresponding to the cross-domain identity authentication service system, wherein the authentication redirection information comprises parameter information of the cross-domain identity authentication service system.
It should be noted that, in other embodiments of the authentication service system or the implementation method thereof, reference may be made to the above-mentioned method embodiment 1, and no redundant description is provided herein.
Example 4
As shown in fig. 4, a fourth embodiment of the present invention proposes a user side terminal, including:
an authentication request module 11, configured to send an authentication request to a corresponding identity authentication service system, so as to obtain an authentication key identifier allocated by the identity authentication service system;
an authentication key application module 12, configured to send an authentication key application request to a corresponding quantum key management system based on the authentication key identifier, so as to obtain an authentication key returned by the quantum key management system;
a login request module 13, configured to send login request information to the authentication service system, so that the authentication service system generates a token ciphertext based on the login request information, where the login request information is obtained by encrypting the authentication key;
the cross-domain authentication module 14 is configured to receive the token ciphertext, and when the user terminal accesses the cross-domain authentication service system, send a login request to the cross-domain authentication service system, where the login request carries the token ciphertext.
In the embodiment, the user side terminal vector subkey generation system applies for an authentication key for encrypting login request information and then sends the authentication key to the identity authentication service system, and the identity authentication service system decrypts and verifies validity after receiving the login request information to generate a token ciphertext, so that the problem that traditional identity authentication credential data is not encrypted or encryption depends on a public key algorithm is solved; the user identity token does not need to be maintained in a centralized way among the cross-domain multiple identity authentication service systems, when the user side terminal needs to access other cross-domain identity authentication service systems, the user side terminal directly forwards the identity token ciphertext generated in the user side terminal to the corresponding cross-domain identity authentication service system to finish decryption and verification, and after the decryption and verification pass, the cross-domain authentication is finished, so that the problem that the traditional cross-domain identity authentication service system needs to maintain the identity token in a centralized way is solved.
In an embodiment, the user side terminal is provided with a security chip, in which a quantum key preset by the quantum key distribution system is stored as a user master key, and the authentication request module 11 is specifically configured to execute the following steps:
sending an authentication request to the identity authentication service system, wherein the authentication request carries information including a user master key, a user master key identifier and a security chip ID;
And establishing a session with the identity authentication service system and receiving an authentication key identifier (ReadkeyID) distributed by the identity authentication service system.
In one embodiment, the authentication key application module 12 is specifically configured to perform the following steps:
constructing authentication key request information and sending the authentication key request information to a corresponding quantum key management system, wherein the authentication key request information comprises the user master key identification and request information encrypted by adopting the user master key, and the request information is: the security chip ID QMID-A KMID-A ReadkeyID, QMSID-A is a virtual unique identifier of the quantum key management system A, KMID-A is a virtual unique identifier of a quantum key terminal corresponding to the quantum key management system A, and ReadkeyID is the authentication key identifier;
after the quantum key management system successfully decrypts the authentication key request information by searching the corresponding user master key according to the user master key identification, receiving an authentication key encryption message returned by the quantum key management system, wherein the authentication key encryption message is obtained by encrypting an authentication key by the quantum key management system by adopting a user master key;
and searching a corresponding user master key according to the user master key identifier, and decrypting the authentication key encryption message to obtain the authentication key.
In one embodiment, the login request module 13 is specifically configured to perform the following steps:
the user side terminal encrypts login information by using an authentication key WK-A, sends login information ciphertext and A readkeyID to the identity authentication service system A, enables the identity authentication service system A to receive the login information ciphertext, obtains the authentication key WK-A from the quantum key management system A based on the readkeyID, verifies the login information after decryption, and generates A token ciphertext after verification passes by the identity authentication service system A.
In one embodiment, the cross-domain authentication module 14 is specifically configured to perform the following steps:
receiving the token ciphertext, decrypting and verifying the token ciphertext by adopting the authentication key, and confirming that response authentication is completed;
when a user side terminal accesses a cross-domain identity authentication service system, forwarding the token ciphertext to a quantum key management system corresponding to the cross-domain identity authentication service system;
and receiving a cross-domain authentication result returned by the quantum key management system corresponding to the cross-domain identity authentication service system.
In an embodiment, the user terminal accesses the cross-domain authentication service system, sends a login request to the cross-domain authentication service system, and if the login request does not carry the token ciphertext, the user terminal further includes:
The redirection message receiving module is used for receiving a connection failure message and a redirection message returned by the cross-domain identity authentication service system, wherein the redirection message comprises parameter information of the identity authentication service system in the local domain;
and the identity authentication module is used for initiating an identity authentication flow to the identity authentication service system in the local domain based on the parameter information of the identity authentication service system in the local domain.
It should be noted that, in other embodiments of the user side terminal or the implementation method of the present invention, reference may be made to the above-mentioned method embodiment 2, which is not repeated here.
Example 5
As shown in fig. 5, a fifth embodiment of the present invention provides a cross-domain identity authentication system based on a quantum key distribution network, where the system includes a user side terminal, a quantum key generation system, an identity authentication service system a in a home domain of the user side terminal, and an identity authentication service system B in a cross domain of the user side terminal, where the identity authentication service system a is connected to a quantum key management system a, the identity authentication service system B is connected to a quantum key management system B, and both the quantum key management system a and the quantum key management system B are connected to the quantum key generation system, where:
The identity authentication service system A and the identity authentication service system B are used for sending a key negotiation request to the quantum key generation system, establishing a relay key negotiation link between KMs in the quantum key generation system and generating a symmetrical authentication key;
the user side terminal sends an authentication request to the identity authentication service system A and receives an authentication key identifier returned by the identity authentication service system A;
the user side terminal sends login request information to the identity authentication service system A and receives a token ciphertext responded by the identity authentication service system A;
and the user side terminal accesses the identity authentication service system B based on the token ciphertext.
In the embodiment, the identity authentication service system initiates a cross-domain key negotiation request by adopting a configurable key application mode vector sub-key management system, establishes a relay key link between KMs in a quantum key generation system, realizes key negotiation between the cross-domain quantum key management systems, and solves the problem of key synchronization between the cross-domain identity authentication service systems based on a quantum key distribution network; the identity authentication service system receives an authentication request sent by a user side terminal, responds to the constructed token ciphertext to the user side terminal, does not need to intensively maintain user identity tokens among a plurality of cross-domain identity authentication service systems, and when a user needs to access other cross-domain identity authentication service systems, the user side directly forwards the identity token ciphertext generated in the user side to the corresponding cross-domain identity authentication service system to finish decryption and verification, and after the decryption and verification pass, the cross-domain authentication is finished, so that the problem that the traditional cross-domain identity authentication service system needs to intensively maintain the identity tokens is solved.
In particular, the quantum key distribution network comprises a quantum key generation system and a quantum key management system (Quantum Key Management Service, QMS).
The quantum key generation system is a network formed by connecting two or more quantum key distribution nodes through a QKD (quantum key distribution) system and a KM (quantum key terminal) link, and when the two quantum key distribution nodes cannot be directly connected through the QKD and the KM, the key distribution can be realized through the key relay function of the KM.
The QKD is a software and hardware system for implementing the quantum optical processes (including QKD protocols, synchronization, key distillation, etc.) and cryptographic functions required for quantum key distribution. QKD, as an endpoint module that directly generates keys, can be interconnected through a QKD link. Two typical QKD are the QKD transmitter (QKD-Tx) and the QKD receiver (QKD-Rx), respectively.
The KM is a software and hardware system for realizing the key management function of a key management layer in the quantum key distribution node, and provides the functions of key storage, key output, key negotiation, key relay and the like. The key relay refers to key generation among non-direct-connection quantum key distribution nodes, and can expand the QKD transmission distance.
The quantum key management system provides functions such as quantum key management, quantum key filling, quantum key distribution, key synchronization realized through data interaction between a network and a plurality of cross-domain identity authentication service systems.
The security chip is a product which accords with the certificate issued by the national commercial code bureau, can be in the forms of a SIM card or a U shield and the like, and is internally or externally connected with a user side terminal. The secure medium with basic functions such as key storage and password operation can be in butt joint with the quantum key management system to realize the functions such as key filling and key application in the secure chip.
The user side terminal can have different expression forms, including a mobile phone mobile terminal, a PC mobile terminal and the like. And the docking security chip is supported to acquire the secret key, so that the encryption of the identity token data is realized.
The identity authentication service system provides user identity authentication by using a CAS technology, token maintenance, and uses a preset key of a security chip to butt against the quantum key management system to realize the functions of key application and the like. The identity authentication service system A corresponds to a system in the local domain, and the identity authentication service system B corresponds to a system outside the cross domain.
The CAS refers to central authentication service, the CAS Server is responsible for authenticating the user, the CAS Client is responsible for providing resources, and when the resources are protected and the identity authentication of the user is required, the CAS Server is redirected to perform authentication.
Further, the cross-domain identity authentication process based on the quantum key distribution network in combination with the CAS technology comprises the following steps:
(1) Cross-domain key negotiation process: the identity authentication service system A is used as an active end and adopts a request type, the identity authentication service system B is used as a passive end and adopts a push type key transmission mode vector subkey management system to initiate a cross-domain key negotiation request, a relay key link between KMs in the quantum key generation system is established, and key negotiation between the cross-domain quantum key management systems is realized.
1-1) the identity authentication service system A calls an initialization interface vector subkey management system A to complete the initialization process, and QMID-A, KMID-A, IP and port parameters are input.
1-2) the identity authentication service system A as a key application service end initiates an internet access authentication request to a vector subkey management system, and the quantum key management system generates a public and private key pair Kp and Ks and imports the public and private key pair Kp and Ks to the identity authentication service system.
1-3) the identity authentication service system A signs authentication data by using a private key Ks, the quantum key management system verifies the signed authentication information by using a preset public key Kp, and after verification is passed, the authentication is returned to pass.
1-4) the quantum key management system A returns a token handle-A, and the identity authentication service system A caches the authentication token handle. The authentication token handle after passing the authentication can be used as an input when the application key function is called. The identity authentication system B completes the S1-S4 process in the same way, and obtains an authentication token handle-B.
1-5) an identity authentication service system A is used as a initiative end, a request type vector subkey management system A is adopted to initiate key negotiation, the quantum key management system A recognizes that the key negotiation request is in a cross-domain key negotiation mode, and negotiation request information comprises (QMID-A||KMID-A||QMID-B|KMID-B) and is sent to a quantum key generation network.
1-6)triggeringrelaykeynegotiationflowsofKM-AandKM-Baccordingtonegotiationrequestinformationbythequantumkeygenerationnetwork,respectivelygeneratingsymmetricalkeysbyKM-AandKM-Bafterthenegotiationflowsarecompleted,andstoringthesymmetricalkeysinrelaykeypoolsRelayABandRelayBA.
1-7) the identity authentication service system A applies for batch keys in advance to the sub-key management system A, inputs an authentication token handle-A, QMSID-B, KMID-B, and returns an acquisition notice and a key identification ReadkeyID.
1-8) the identity authentication service system B is used as a passive end to monitor and wait for the local end quantum key management system B to return key information by adopting push type, and the identity authentication service systems at two ends do not need to directly establish a connection relationship. The passive end caches the acquired key information for subsequent key acquisition.
(2) Cross-domain authentication key application process: whentheuserterminalaccessestheidentityauthenticationservicesystemAinthelocaldomain,anauthenticationkeyisacquiredfromthequantumkeymanagementsystemAbasedonthesecuritychip,andtheauthenticationkeyisderivedfromarelaykeypoolofKM-A. When a user side terminal accesses a cross-domain identity authentication service system B, after an authentication key identifier is transmitted into a quantum key management system B, a corresponding authentication key is searched in a relay key pool of KM-B.
2-1) presetting a quantum key to a security chip of a user side terminal by a quantum key management system A as a user master key; the quantum key management system A stores the correspondence between the user master key and the security chip.
2-2) the user terminal initiates an authentication request to the identity authentication service system A, and obtains a user master key UMK-1, a key identifier NUMK-1 and a chip ID from the security chip.
2-3) the user side terminal establishes a session with the identity authentication service system A, and the identity authentication service system A distributes a key identification ReadkeyID. The user side terminal vector subkey management system A initiates an authentication key application request and constructs authentication key request information: the user master key UMK-1 is encrypted (time-varying parameter chip ID readkeyID) +key identification NUMK-1.
2-4)thequantumkeymanagementsystemAsearchesthecorrespondingkeyaccordingtothekeyidentificationNUMK-1tofinishdecryptionoftheauthenticationkeyrequestinformation,andsimultaneouslyobtainsanauthenticationkeyWK-AaccordingtotheReadkeyID,whereintheauthenticationkeyisderivedfromArelaykeypoolRelayABofKM-A.
2-5) the authentication key WK-A is distributed to the user side terminal after being encrypted by the user master key UMK-1, the user side terminal searches the corresponding user master key UMK-1 according to the key identification NUMK-1 to complete decryption, and the user side terminal obtains the authentication key WK-A. The user terminal maintains the relationship data of the authentication key WK-A, readkeyID, QMSID-A, KMID-a.
(3) Cross-domain identity authentication process: the identity authentication service system A acquires the authentication key, constructs ciphertext data of the Token, calculates the MAC value of the ciphertext data of the Token by combining the authentication key by using an HMAC-SM3 algorithm, and forwards the ciphertext data of the Token and the MAC value to the user side terminal. When the user needs to access other cross-domain identity authentication service systems, the user side directly forwards the ciphertext data and the MAC value of the Token to the corresponding cross-domain identity authentication service system to finish decryption and verification, and after the decryption and verification are finished, the cross-domain authentication is responded.
3-1) the user terminal uses the authentication key WK-A to operate the login information by combining SM4 and HAMC-SM3 algorithm, calculates login information ciphertext (time-varying parameter+login authentication credential) and login information MAC value, and sends the login information ciphertext, the login information MAC value and the readkeyID to the identity authentication service system A.
3-2) the identity authentication service system A receives the login information ciphertext and the login information MAC value, acquires the authentication key WK-A from the quantum key management system A based on the ReadkeyID, decrypts and verifies the login information, and generates an identity Token according to the CAS technology after the login authentication credentials pass verification.
3-3) the identity authentication service system A calculates the ciphertext datA of Token (time-varying parameter+token) by using the authentication key WK-A and the national encryption SM4 algorithm, and calculates the MAC1 value of the ciphertext datA of Token by using the HMAC-SM3 algorithm and the authentication key. And forwarding the ciphertext data of Token and the MAC-1 value to the user side terminal.
3-4) the user terminal receives the ciphertext datA and the MAC value of the Token, and uses the authentication key WK-A to finish decrypting the ciphertext datA of the Token, thereby obtaining the Token. And calculates Mac-2 values using HMAC-SM3 algorithm and compares Mac-1 to Mac-2 for consistency. If the decryption information is consistent, the process continues [018 ]. If the decryption information fails or the comparison MAC values are inconsistent, a failure response is returned.
3-5) when the user needs to access the cross-domain identity authentication service system B, the user side terminal sends the ciphertext data of Token, the MAC-1 value and ReadkeyID, QMSID-A, KMID-A to the identity authentication service system B.
3-6) the identity authentication service system B transmits ReadkeyID, QMSID-A, KMID-A, tokenHandle-B to the sub-key management system B, and the quantum key management system B searches the corresponding authentication key WK-A for the relay key pool Relay BA based on the key identification.
3-7) the authentication service system B obtains the authentication key WK-A, calculates the Mac-3 value by using the HMAC-SM3 algorithm, and compares whether the MAC-3 is consistent with the Mac-1. If the decryption information is consistent, the authentication is passed. If the decryption information fails or the comparison MAC values are inconsistent, an authentication failure response is returned.
It should be noted that, in this embodiment, the user side terminal uses the preset key of the security chip as the user master key, applies the authentication key for encrypting the login information based on the user master key vector subkey distribution network, and the authentication service system decrypts and verifies the validity after receiving the login encryption information, thereby solving the problem that the traditional authentication credential data is not encrypted or the encryption depends on the public key algorithm.
After the authentication credentials of the user pass through the verification of the authentication service system, the authentication service system responds to the constructed token ciphertext to the user side. When a user needs to access other cross-domain identity authentication service systems, the user side directly forwards the token ciphertext to the corresponding cross-domain identity authentication service system, so that the problem that the traditional cross-domain identity authentication service system needs to maintain the identity token in a centralized manner is solved.
The identity authentication service system initiates a cross-domain key negotiation request by adopting a configurable key application mode vector subkey management system, establishes a relay key link between KMs in the quantum key generation system, realizes key negotiation between the cross-domain quantum key management systems, and solves the problem of key synchronization between the cross-domain identity authentication service systems based on a quantum key distribution network.
Example 6
As shown in fig. 6, a sixth embodiment of the present invention proposes another cross-domain identity authentication system based on a quantum key distribution network in combination with CAS technology, which is the same as the above embodiment 5, and includes: the system comprises a quantum key distribution network, a security chip, a user terminal, an identity authentication service system A and an identity authentication service system B.
The cross-domain key negotiation process and the cross-domain authentication key application process refer to the process of embodiment 5, and a description thereof will not be repeated.
The difference between the cross-domain identity authentication process of embodiment 6 and embodiment 5 is that the identity authentication process of embodiment 5 is that the user side needs to obtain the identity Token from the identity authentication service system of the domain before the cross-domain identity authentication process is completed, and has a definite authentication precondition.
The cross-domain identity authentication process of embodiment 6 adds a judgment mechanism to realize that when the user side first initiates a login request to the cross-domain identity authentication service system B, the identity authentication service system B recognizes that the user is a cross-domain first-time login user, the identity authentication service system B returns a redirection message to the user side, and the user side re-initiates the identity authentication process to the identity authentication service system a in the home domain, which specifically comprises the following steps:
(1) The user side terminal sends a connection request to the cross-domain identity authentication service system B, and the request information comprises (time-varying parameters of the chip ID QMISID-A).
(2) The identity authentication service system B receives the connection request, identifies the QMID as a cross-domain user, caches no user information, and judges that the user is a cross-domain first-time login user.
(3) The identity authentication service system B responds to the connection failure message to the user side terminal and returns an authentication redirection message, wherein the message comprises the IP or domain name and port parameters of the identity authentication service system A.
(4) The user terminal receives the authentication redirection message and initiates an identity authentication flow to the identity authentication service system A.
(5) The subsequent procedure is the same as in example 5, and a description thereof will not be repeated.
Example 7
As shown in fig. 7, a seventh embodiment of the present invention proposes a cross-domain identity authentication system based on a quantum key distribution network of a network structure, the system comprising: the system comprises a quantum key distribution network, a security chip, a user terminal, an identity authentication service system A, an identity authentication service system B and an identity authentication service system C; the identity authentication service system A corresponds to a system in the local domain, and the identity authentication service system B and the identity authentication service system C correspond to a system outside the cross domain.
The workflow of the cross-domain identity authentication system based on the quantum key distribution network of the network structure of the embodiment comprises the following steps:
(1) Cross-domain key negotiation process: the identity authentication service system A is used as an active end to adopt a request type, and the identity authentication service system B and the identity authentication service system C are used as passive ends to adopt a push type key transmission mode vector subkey management system to initiate a cross-domain key negotiation request. KM-AandKM-Baredirectlinks,KM-BandKM-Caredirectlinks,andKM-AandKM-Carerelaylinks.
1-1) the identity authentication service system A calls an initialization interface vector subkey management system A to complete the initialization process, and QMID-A, KMID-A, IP and port parameters are input.
1-2) the identity authentication service system A as a key application service end initiates an internet access authentication request to a vector subkey management system, and the quantum key management system generates a public and private key pair Kp and Ks and imports the public and private key pair Kp and Ks to the identity authentication service system.
1-3) the identity authentication service system A signs authentication data by using a private key Ks, the quantum key management system verifies the signed authentication information by using a preset public key Kp, and after verification is passed, the authentication is returned to pass.
1-4) the quantum key management system A returns a token handle-A, and the identity authentication service system A caches the authentication token handle. The authentication token handle after passing the authentication can be used as an input when the application key function is called. The identity authentication system B and the identity authentication system C are used for acquiring an authentication token handle-B in a similar way.
1-5) an identity authentication service system A is used as a initiative end, a request type vector subkey management system A is adopted to initiate key negotiation, the quantum key management system A recognizes that the key negotiation request is in a cross-domain key negotiation mode, and negotiation request information comprises (QMID-A|KMID-B) and (QMID-A|KMID-A|QMID-C|KMID-C) and is sent to a quantum key generation network.
1-6)triggeringadirectkeynegotiationflowofKM-AandKM-Baccordingtonegotiationrequestinformationbythequantumkeygenerationnetwork,respectivelygeneratingsymmetrickeysbyKM-AandKM-Bafterthenegotiationflowiscompleted,andstoringthesymmetrickeysinadirectkeypoolQuantumABandaQuantumBA.
1-7)triggeringarelaykeynegotiationflowofKM-AandKM-Catthesametime,respectivelygeneratingsymmetricalkeysbyKM-AandKM-Cafterthenegotiationflowiscompleted,andstoringthesymmetricalkeysinrelaykeypoolsRelayABandRelayBA.
1-8) the identity authentication service system A applies for batch keys in advance to the sub-key management system A, inputs an authentication token handle-A, QMSID-B, KMID-B, QMSID-C, KMID-C, and returns an acquisition notice and key identification readkeyID-AB and readkeyID-AC.
1-9) the identity authentication service system B and the identity authentication service system C are adopted as passive ends to monitor and wait for the local end quantum key management system B and the quantum key management system C to return key information. The passive end caches the acquired key information for subsequent key acquisition.
(2) Cross-domain authentication key application process: when the user terminal accesses the identity authentication service system A in the local domain, the user terminal can acquire an authentication key from the quantum key management system A based on the security chip. When the user-side terminal accesses the cross-domain authentication service system B and the authentication service system C, respectively, the acquisition of the authentication key is completed according to the assigned key identification by referring to the procedure of embodiment 1.
2-1) presetting a quantum key to a security chip of a user side terminal by a quantum key management system A as a user master key; the quantum key management system A stores the correspondence between the user master key and the security chip.
2-2) the user terminal initiates an authentication request to the identity authentication service system A, and obtains a user master key UMK-1, a key identifier NUMK-1 and a chip ID from the security chip.
2-3) the user side terminal establishes session with the identity authentication service system A, the identity authentication service system B and the identity authentication service system C respectively, and returns SessionID-AB and SessionID-AC respectively.
2-4) when the user side terminal accesses the identity authentication service system B, the identity authentication service system A distributes a key identification ReadkeyID-AB through the incoming session SessionID-AB. Authentication key application request information: the user master key UMK-1 is encrypted (chip ID QMID-A KMID-A readkeyID-AB) +key identification NUMK-1.
2-5)thequantumkeymanagementsystemAsearchesthecorrespondingkeyaccordingtothekeyidentificationNUMK-1tofinishdecryptionoftheauthenticationkeyrequestinformation,andappliesfortheauthenticationkeyWK-ABaccordingtotheReadkeyID-AB,whereintheauthenticationkeyisderivedfromadirectkeypoolQuantumABofKM-A.
2-6) the authentication key WK-AB is distributed to the user side terminal after being encrypted by the user master key UMK-1, the user side terminal searches the corresponding user master key UMK-1 according to the key identification NUMK-1 to complete decryption, and the user side terminal obtains the authentication key WK-AB. The user terminal maintains the relationship data of the authentication keys WK-AB, readKeyID-AB, QMID-A, KMID-A.
2-7) repeating the processes of 2-4) -2-6) when the user side terminal accesses the identity authentication service system C.
(3) Cross-domain identity authentication process: the identity authentication service system acquires the authentication key to construct the ciphertext data of the Token, calculates the MAC value of the ciphertext data of the Token by combining the authentication key by using an HMAC-SM3 algorithm, and forwards the ciphertext data of the Token and the MAC value to the user terminal. When the user needs to access the cross-domain identity authentication service system B and the identity authentication service system C respectively, the user side directly forwards the ciphertext data and the MAC value of the Token constructed based on the cross-domain authentication key to the corresponding cross-domain identity authentication service system to finish decryption and verification, and after the decryption and verification are finished, the cross-domain authentication is responded.
3-1) encrypting login information through an authentication key when the user side terminal accesses the identity authentication service system A in the home domain, and sending login information ciphertext and a key identification ReadkeyID to the identity authentication service system A. The ReadkeyID is selected according to the procedures of [212] - [215], and the cross-domain authentication service system which is required to be accessed by the user side.
3-2) when the user side terminal accesses the inter-domain identity authentication service system B, the identity authentication service system A receives login information ciphertext, acquires an authentication key WK-AB based on the ReadkeyID-AB vector subkey management system A, verifies login information after decryption, and generates Token after verification passes through the identity authentication service system A.
3-3) the identity authentication service system A calculates ciphertext data of the Token by using an authentication key WK-AB in combination with a national encryption SM4 algorithm, and calculates the MAC value of the ciphertext data of the Token by using an HMAC-SM3 algorithm in combination with the authentication key. And forwarding the ciphertext data and the MAC value of the Token to the user side terminal.
3-4) the user terminal receives the ciphertext data and the MAC value of the Token, and uses the authentication key WK-AB to finish decryption, the message code comparison is consistent, and the response authentication is finished.
3-5) when the user needs to access the cross-domain identity authentication service system B, the user side terminal transmits the encrypted data, the MAC value and the ReadkeyID-AB and QMID-A, KMID-A of the Token generated in the step 3-1) to the identity authentication service system B.
3-6) the identity authentication service system B transmits the ReadkeyID-AB and QMIDD-A, KMID-A, tokenHandle-B to the vector subkey management system B, and the quantum key management system B searches the corresponding authentication key WK-BA based on the direct key pool Quantum BA generated in the step 1-6).
3-7) the identity authentication service system B acquires the authentication key WK-BA, decrypts the ciphertext data and the MAC value of the Token, and completes decryption by responding to cross-domain authentication without responding to authentication failure.
3-8) repeating the processes of the steps 3-2) to 3-7) when the user side terminal accesses the identity authentication service system C.
The cross-domain identity authentication system based on the quantum key distribution network provided by the embodiment has the following beneficial effects:
(1) Safety promotion
The method solves the problem that the identity authentication data is not encrypted or depends on a public key algorithm in the distribution process, the authentication key is safely distributed based on the quantum key distribution network, the identity authentication data is encrypted based on the authentication key, and the data integrity is ensured through the HMAC.
(2) Protection against threat of quantum computing to classical password security
Based on the information theory security of quantum key distribution, the negotiation and generation of quantum symmetric keys are realized, and the quantum symmetric keys are still safe under the condition that quantum computing has infinite computing resources; the quantum symmetric key is used as an authentication key for encrypting identity authentication data, and the symmetric algorithm is combined to replace the existing public key cryptographic algorithm which is easy to attack by quantum computing.
(3) Cross-domain identity authentication decentralization
And when the user needs to access other cross-domain identity authentication service systems, the user side directly forwards the identity token ciphertext generated in the user domain to the corresponding cross-domain identity authentication service system to finish decryption and verification, and after the user passes the cross-domain authentication, the cross-domain authentication is finished.
(4) Mature technology and easy realization
The quantum key distribution technology is the most representative and practical quantum security technology currently accepted, generates and negotiates an authentication key based on a quantum key distribution network, and is used for encryption and integrity of data such as an identity token and the like, and is a mature scheme. The whole system is slightly changed, and a mature safety chip integration scheme is used at the user side to provide key storage and cryptographic algorithm functions; the authentication server directly interfaces with the quantum key distribution network through the key interface to apply for the key, which is easy to realize and does not worry about the problem of large key consumption of the server.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.

Claims (18)

1. A cross-domain identity authentication method based on a quantum key distribution network, which is characterized by being applied to an identity authentication service system, the method comprising:
sending a key negotiation request to a corresponding quantum key management system, and forwarding the key negotiation request to a quantum key generation system by the quantum key management system so that the quantum key generation system establishes a relay key negotiation link between quantum key terminals and generates a symmetric authentication key;
Receiving an authentication request sent by a corresponding user side terminal, and distributing an identification of the authentication key to the user side terminal based on the authentication request, so that when the user side terminal accesses a cross-domain identity authentication service system, the authentication key is applied to a quantum key management system corresponding to the cross-domain identity authentication service system based on the identification of the authentication key;
receiving login request information sent by a corresponding user side terminal, and responding to the constructed token ciphertext to the user side terminal based on the login request information so as to forward the token ciphertext to a cross-domain identity authentication service system when the user side terminal accesses the cross-domain identity authentication service system.
2. The quantum key distribution network-based cross-domain identity authentication method of claim 1, wherein prior to the sending of the key agreement request to the corresponding quantum key management system, the method further comprises:
sending an internet access authentication request to the corresponding quantum key management system so that the quantum key management system generates a signature public-private key pair and returns the signature public-private key pair to the identity authentication service system;
Signing the authentication data by using the private key in the public-private key pair to obtain signature data and sending the signature data to the quantum key management system so that the quantum key management system verifies the authentication information of the signature data based on the public key;
and after the quantum key management system passes the verification, receiving an authentication token handle returned by the quantum key management system.
3. The method for cross-domain identity authentication based on a quantum key distribution network according to claim 1, wherein the sending a key agreement request to a corresponding quantum key management system and forwarding the key agreement request to a quantum key generation system by the quantum key management system, so that the quantum key generation system establishes a relay key agreement link between quantum key terminals and generates a symmetric authentication key, comprises:
sending a key negotiation request to the corresponding quantum key management system, wherein the information carried by the key negotiation request is QMID-A I KMID-A I QMID-B I KMID-B, wherein QMID-A is a virtual unique identifier of the quantum key management system A, KMID-A is a virtual unique identifier of a quantum key terminal corresponding to the quantum key management system A, QMID-B is a virtual unique identifier of the quantum key management system B, KMID-B is a virtual unique identifier of a quantum key terminal corresponding to the quantum key management system B, and I is a virtual unique identifier representing logic and characters;
And sending the key negotiation request to the quantum key generation system by the quantum key management system, so that the quantum key generation system triggers relay key negotiation among quantum key virtual terminals, and the symmetric authentication key is generated and stored in a relay key pool corresponding to each relay.
4. A method of cross-domain identity authentication based on a quantum key distribution network as claimed in claim 3, wherein after said sending a key agreement request to the corresponding quantum key management system, the method further comprises:
sending a batch key request to the quantum key management system, wherein the batch key request carries information including an authentication token handle, a QMID-B and a KMID-B;
and receiving the identification readkeyID of the authentication key returned by the quantum key management system, wherein the cross-domain identity authentication service system is used as a passive end to monitor and wait for the quantum key management system corresponding to the local end to return the identification readkeyID of the authentication key.
5. The method for cross-domain identity authentication based on quantum key distribution network according to claim 1, wherein the authentication request carried information sent by the user side terminal includes a user master key, a user master key identifier and a security chip ID, the user master key is stored in the security chip, and the security chip is disposed at the user side terminal.
6. The method for cross-domain identity authentication based on quantum key distribution network according to claim 1, wherein the steps of receiving login request information sent by a corresponding user terminal, and responding a constructed token ciphertext to the user terminal based on the login request information include:
receiving corresponding login request information sent by the user side terminal, wherein the login request information comprises an identification of the authentication key and login information ciphertext encrypted by the authentication key;
requesting the quantum key management system to acquire the authentication key based on the identification of the authentication key;
and verifying the login request information based on the authentication key, and generating the token ciphertext after verification is passed.
7. The method for cross-domain identity authentication based on a quantum key distribution network of claim 6, wherein verifying the login request information based on the authentication key and generating the token ciphertext after verification passes comprises:
after the login information passes verification, an identity Token is generated;
calculating ciphertext data of the identity Token by adopting the authentication key in combination with an encryption algorithm;
Calculating the MAC value of the ciphertext data of the identity Token by using hash operation in combination with the authentication key;
and generating the Token ciphertext based on the ciphertext data of the identity Token and the MAC value of the Token.
8. The quantum key distribution network-based cross-domain identity authentication method of claim 1, wherein the method further comprises:
receiving login request information sent by a user side terminal corresponding to a cross-domain identity authentication service system, wherein the login request information carries the token ciphertext;
sending the token ciphertext to a corresponding quantum key management system so that the quantum key management system searches an authentication key;
and receiving the authentication key and decrypting the token ciphertext by using the authentication key to obtain a cross-domain authentication result.
9. The method for cross-domain identity authentication based on quantum key distribution network according to claim 8, wherein when receiving login request information sent by a user side terminal corresponding to a cross-domain identity authentication service system, if the login request information does not carry the token ciphertext, the method further comprises:
responding to the connection failure information and the authentication redirection information to the user side terminal corresponding to the cross-domain identity authentication service system, wherein the authentication redirection information comprises parameter information of the cross-domain identity authentication service system.
10. A method of cross-domain identity authentication based on a quantum key distribution network as claimed in any one of claims 1 to 9, wherein the cross-domain identity authentication service system comprises at least one cross-domain authentication service system.
11. The cross-domain identity authentication method based on the quantum key distribution network is characterized by being applied to a user side terminal, and comprises the following steps:
sending an authentication request to a corresponding identity authentication service system to acquire an authentication key identifier distributed by the identity authentication service system;
sending an authentication key application request to a corresponding quantum key management system based on the authentication key identification so as to acquire an authentication key returned by the quantum key management system;
sending login request information to the identity authentication service system so that the identity authentication service system generates a token ciphertext based on the login request information, wherein the login request information is obtained by encrypting the authentication key;
and receiving the token ciphertext, and sending a login request to the cross-domain identity authentication service system when the user side terminal accesses the cross-domain identity authentication service system, wherein the login request carries the token ciphertext.
12. The method for cross-domain identity authentication based on a quantum key distribution network according to claim 11, wherein the user terminal is provided with a security chip, a quantum key preset by a quantum key distribution system is stored in the security chip as a user master key, and the sending an authentication request to a corresponding authentication service system to obtain an authentication key identifier allocated by the authentication service system includes:
sending an authentication request to the identity authentication service system, wherein the authentication request carries information including a user master key, a user master key identifier and a security chip ID;
and establishing a session with the identity authentication service system and receiving an authentication key identifier (ReadkeyID) distributed by the identity authentication service system.
13. The method for cross-domain identity authentication based on a quantum key distribution network according to claim 12, wherein the sending an authentication key application request to a corresponding quantum key management system based on the authentication key identifier to obtain an authentication key returned by the quantum key management system comprises:
constructing authentication key request information and sending the authentication key request information to a corresponding quantum key management system, wherein the authentication key request information comprises the user master key identification and request information encrypted by adopting the user master key, and the request information is: the security chip ID QMID-A KMID-A ReadkeyID, QMSID-A is a virtual unique identifier of the quantum key management system A, KMID-A is a virtual unique identifier of a quantum key terminal corresponding to the quantum key management system A, and ReadkeyID is the authentication key identifier;
After the quantum key management system successfully decrypts the authentication key request information by searching the corresponding user master key according to the user master key identification, receiving an authentication key encryption message returned by the quantum key management system, wherein the authentication key encryption message is obtained by encrypting an authentication key by the quantum key management system by adopting a user master key;
and searching a corresponding user master key according to the user master key identifier, and decrypting the authentication key encryption message to obtain the authentication key.
14. The method for cross-domain authentication based on quantum key distribution network according to claim 13, wherein receiving the token ciphertext, when the user terminal accesses the cross-domain authentication service system, sending a login request to the cross-domain authentication service system, where the login request carries the token ciphertext, includes:
receiving the token ciphertext, decrypting and verifying the token ciphertext by adopting the authentication key, and confirming that response authentication is completed;
when a user side terminal accesses a cross-domain identity authentication service system, forwarding the token ciphertext to a quantum key management system corresponding to the cross-domain identity authentication service system;
And receiving a cross-domain authentication result returned by the quantum key management system corresponding to the cross-domain identity authentication service system.
15. The method for cross-domain identity authentication based on quantum key distribution network according to claim 13, wherein the user terminal accesses the cross-domain identity authentication service system, and sends a login request to the cross-domain identity authentication service system, and if the login request does not carry the token ciphertext, the method further comprises:
receiving a connection failure message and a redirection message returned by a cross-domain identity authentication service system, wherein the redirection message comprises parameter information of the identity authentication service system in the local domain;
and initiating an identity authentication flow to the identity authentication service system in the local domain based on the parameter information of the identity authentication service system in the local domain.
16. An authentication service system, the system comprising:
the key negotiation request sending module is used for sending a key negotiation request to a corresponding quantum key management system and forwarding the key negotiation request to the quantum key generation system by the quantum key management system so that the quantum key generation system establishes a relay key negotiation link between quantum key terminals and generates a symmetrical authentication key;
The request receiving module is used for receiving an authentication request sent by a corresponding user side terminal, distributing an identification of the authentication key to the user side terminal based on the authentication request, and applying the authentication key to a quantum key management system corresponding to the cross-domain identity authentication service system based on the identification of the authentication key when the user side terminal accesses the cross-domain identity authentication service system;
the identity authentication module is used for receiving login request information sent by the corresponding user side terminal, responding the constructed token ciphertext to the user side terminal based on the login request information, and forwarding the token ciphertext to the cross-domain identity authentication service system when the user side terminal accesses the cross-domain identity authentication service system.
17. A user-side terminal, the terminal comprising:
the authentication request module is used for sending an authentication request to a corresponding identity authentication service system so as to acquire an authentication key identifier distributed by the identity authentication service system;
the authentication key application module is used for sending an authentication key application request to the corresponding quantum key management system based on the authentication key identification so as to acquire an authentication key returned by the quantum key management system;
A login request module for sending login request information to the identity authentication service system so that the identity authentication service system generates a token ciphertext based on the login request information, wherein the login request information is obtained by encrypting the authentication key;
the cross-domain authentication module is used for receiving the token ciphertext, and sending a login request to the cross-domain identity authentication service system when the user side terminal accesses the cross-domain identity authentication service system, wherein the login request carries the token ciphertext.
18. The system comprises a user side terminal, a quantum key generation system, an identity authentication service system A in the user side terminal, and an identity authentication service system B in the user side terminal, wherein the identity authentication service system A is connected with the quantum key management system A, the identity authentication service system B is connected with the quantum key management system B, and the quantum key management system A and the quantum key management system B are both connected with the quantum key generation system, wherein:
the identity authentication service system A and the identity authentication service system B are used for sending a key negotiation request to the quantum key generation system, establishing a relay key negotiation link between quantum key terminals in the quantum key generation system and generating a symmetrical authentication key;
The user side terminal sends an authentication request to the identity authentication service system A and receives an authentication key identifier returned by the identity authentication service system A;
the user side terminal sends login request information to the identity authentication service system A and receives a token ciphertext responded by the identity authentication service system A;
and the user side terminal accesses the identity authentication service system B based on the token ciphertext.
CN202310799391.7A 2023-07-03 2023-07-03 Cross-domain identity authentication method and system based on quantum key distribution network Active CN116527259B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310799391.7A CN116527259B (en) 2023-07-03 2023-07-03 Cross-domain identity authentication method and system based on quantum key distribution network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310799391.7A CN116527259B (en) 2023-07-03 2023-07-03 Cross-domain identity authentication method and system based on quantum key distribution network

Publications (2)

Publication Number Publication Date
CN116527259A CN116527259A (en) 2023-08-01
CN116527259B true CN116527259B (en) 2023-09-19

Family

ID=87399724

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310799391.7A Active CN116527259B (en) 2023-07-03 2023-07-03 Cross-domain identity authentication method and system based on quantum key distribution network

Country Status (1)

Country Link
CN (1) CN116527259B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117176346B (en) * 2023-11-01 2024-03-08 中电信量子科技有限公司 Distributed quantum key link control method and key management system

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106161402A (en) * 2015-04-22 2016-11-23 阿里巴巴集团控股有限公司 Encryption equipment key injected system based on cloud environment, method and device
CN107453869A (en) * 2017-09-01 2017-12-08 中国电子科技集团公司第三十研究所 A kind of method for the IPSecVPN for realizing quantum safety
CN107453868A (en) * 2017-09-01 2017-12-08 中国电子科技集团公司第三十研究所 A kind of safe and efficient quantum key method of servicing
CN108462573A (en) * 2018-02-09 2018-08-28 中国电子科技集团公司第三十研究所 A kind of flexible quantum safety moving communication means
CN109995510A (en) * 2017-12-29 2019-07-09 成都零光量子科技有限公司 A kind of quantum key relay services method
CN110519046A (en) * 2019-07-12 2019-11-29 如般量子科技有限公司 Quantum communications service station cryptographic key negotiation method and system based on disposable asymmetric key pair and QKD
CN112367163A (en) * 2019-09-01 2021-02-12 成都量安区块链科技有限公司 Quantum network virtualization method and device
CN112910639A (en) * 2021-02-05 2021-06-04 北京邮电大学 Quantum encryption service transmission method under multi-domain scene and related equipment
CN113452687A (en) * 2021-06-24 2021-09-28 中电信量子科技有限公司 Method and system for encrypting sent mail based on quantum security key
CN113507358A (en) * 2020-03-24 2021-10-15 阿里巴巴集团控股有限公司 Communication system, authentication method, electronic device, and storage medium
CN113691313A (en) * 2021-07-04 2021-11-23 河南国科量子通信网络有限公司 Satellite-ground integrated quantum key link virtualization application service system
CN114362947A (en) * 2022-03-17 2022-04-15 成都量安区块链科技有限公司 Wide-area quantum key service method and system
CN115567223A (en) * 2022-09-29 2023-01-03 中电信量子科技有限公司 Unified identity authentication method, device and system based on quantum security middleware
CN115694791A (en) * 2021-07-30 2023-02-03 南京如般量子科技有限公司 QKD-based distribution network and method
CN116094698A (en) * 2022-12-30 2023-05-09 天翼物联科技有限公司 Quantum security identity authentication device, method, equipment and storage medium
CN116248290A (en) * 2022-12-30 2023-06-09 中国电信股份有限公司 Identity authentication method and device and electronic equipment

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB0801395D0 (en) * 2008-01-25 2008-03-05 Qinetiq Ltd Network having quantum key distribution
US11121878B2 (en) * 2019-10-11 2021-09-14 Accenture Global Solutions Limited Authentication using key distribution through segmented quantum computing environments
US11641364B2 (en) * 2020-03-03 2023-05-02 International Business Machines Corporation Cross-domain state synchronization
US11695573B2 (en) * 2021-07-23 2023-07-04 International Business Machines Corporation Blockchain controlled cross-domain data transfer

Patent Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106161402A (en) * 2015-04-22 2016-11-23 阿里巴巴集团控股有限公司 Encryption equipment key injected system based on cloud environment, method and device
CN107453869A (en) * 2017-09-01 2017-12-08 中国电子科技集团公司第三十研究所 A kind of method for the IPSecVPN for realizing quantum safety
CN107453868A (en) * 2017-09-01 2017-12-08 中国电子科技集团公司第三十研究所 A kind of safe and efficient quantum key method of servicing
CN109995510A (en) * 2017-12-29 2019-07-09 成都零光量子科技有限公司 A kind of quantum key relay services method
CN108462573A (en) * 2018-02-09 2018-08-28 中国电子科技集团公司第三十研究所 A kind of flexible quantum safety moving communication means
CN110519046A (en) * 2019-07-12 2019-11-29 如般量子科技有限公司 Quantum communications service station cryptographic key negotiation method and system based on disposable asymmetric key pair and QKD
CN112367163A (en) * 2019-09-01 2021-02-12 成都量安区块链科技有限公司 Quantum network virtualization method and device
CN113507358A (en) * 2020-03-24 2021-10-15 阿里巴巴集团控股有限公司 Communication system, authentication method, electronic device, and storage medium
CN112910639A (en) * 2021-02-05 2021-06-04 北京邮电大学 Quantum encryption service transmission method under multi-domain scene and related equipment
CN113452687A (en) * 2021-06-24 2021-09-28 中电信量子科技有限公司 Method and system for encrypting sent mail based on quantum security key
CN113691313A (en) * 2021-07-04 2021-11-23 河南国科量子通信网络有限公司 Satellite-ground integrated quantum key link virtualization application service system
CN115694791A (en) * 2021-07-30 2023-02-03 南京如般量子科技有限公司 QKD-based distribution network and method
CN114362947A (en) * 2022-03-17 2022-04-15 成都量安区块链科技有限公司 Wide-area quantum key service method and system
CN115567223A (en) * 2022-09-29 2023-01-03 中电信量子科技有限公司 Unified identity authentication method, device and system based on quantum security middleware
CN116094698A (en) * 2022-12-30 2023-05-09 天翼物联科技有限公司 Quantum security identity authentication device, method, equipment and storage medium
CN116248290A (en) * 2022-12-30 2023-06-09 中国电信股份有限公司 Identity authentication method and device and electronic equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
一个新型的量子密钥服务体系架构;陈晖;;中国电子科学研究院学报(第03期);全文 *
一种网络多用户量子认证和密钥分配理论方案;杨宇光, 温巧燕, 朱甫臣;物理学报(第09期);全文 *

Also Published As

Publication number Publication date
CN116527259A (en) 2023-08-01

Similar Documents

Publication Publication Date Title
CN106357649B (en) User identity authentication system and method
RU2406251C2 (en) Method and device for establishing security association
Bird et al. The kryptoknight family of light-weight protocols for authentication and key distribution
CN101662705B (en) Equipment authentication method of Ethernet passive optical network (EPON) and system thereof
JP5513482B2 (en) Station distributed identification method in network
US20080160959A1 (en) Method for Roaming User to Establish Security Association With Visited Network Application Server
US20090158394A1 (en) Super peer based peer-to-peer network system and peer authentication method thereof
CN113360925B (en) Method and system for storing and accessing trusted data in power information physical system
CN113746632B (en) Multi-level identity authentication method for Internet of things system
US9608971B2 (en) Method and apparatus for using a bootstrapping protocol to secure communication between a terminal and cooperating servers
CN111756530B (en) Quantum service mobile engine system, network architecture and related equipment
CN111147460A (en) Block chain-based cooperative fine-grained access control method
CN116527259B (en) Cross-domain identity authentication method and system based on quantum key distribution network
CN110808829A (en) SSH authentication method based on key distribution center
KR100892616B1 (en) Method For Joining New Device In Wireless Sensor Network
KR20240112239A (en) Method, apparatus and system for connecting VPN secured session based on quantum technology
CN113747433B (en) Equipment authentication method based on block side chain structure in fog network
CN115913521A (en) Method for identity authentication based on quantum key
Liou et al. T-auth: A novel authentication mechanism for the IoT based on smart contracts and PUFs
CN103781026A (en) Authentication method of general authentication mechanism
JPH08335208A (en) Method and system for proxy authorization
CN116599659A (en) Certificate-free identity authentication and key negotiation method and system
CN116318637A (en) Method and system for secure network access communication of equipment
CN117411697B (en) Water service Internet of things data transmission encryption system and working method
CN113098890B (en) Network security service guarantee method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant