CN116599664A - Link encryption method based on quantum key distribution - Google Patents


Info

Publication number
CN116599664A
Authority
CN
China
Prior art keywords
quantum key
key
encryption
link encryption
quantum
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310751676.3A
Other languages
Chinese (zh)
Inventor
张建国
郑贺
刘壮
王赛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Guoling Technology Co ltd
Original Assignee
Beijing Guoling Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2023-06-25
Filing date
2023-06-25
Publication date
2023-08-15
Application filed by Beijing Guoling Technology Co ltd (2023-06-25)
Priority to CN202310751676.3A
Publication of CN116599664A (2023-08-15)
Legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols, the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0637 Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0852 Quantum cryptography
    • H04L 9/0858 Details about key distillation or coding, e.g. reconciliation, error correction, privacy amplification, polarisation coding or phase coding
    • H04L 9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a link encryption method based on quantum key distribution. Link-transparent encryption is a common technique in secure network transmission, but because link encryptors mostly use simple encryption protocols, their key management is comparatively complex, and management risk tends to lower the overall security. The method uses a quantum key distribution (QKD) system to supply a working key to the link encryption device, derives session keys from that working key, and feeds a second quantum key into the encryption process as the IV (initialization vector). Compared with the prior art, the method uses QKD to address the high key-management complexity and low security of most existing link encryption systems, and improves the security of the cipher by using a quantum-derived IV.

Description

Link encryption method based on quantum key distribution
Technical Field
The invention relates to encryption systems and techniques for computer network communication and transmission, and to applications of quantum cryptography.
Background
Encrypting data in transit over a network is a very common information security requirement with a very wide range of applications; common technologies include IPsec VPN and SSL VPN. Both protocols work on the same principle: the original network packet is encrypted in its entirety (including the IP header, or at layer 2 the MAC addresses of the frame header), a new header (with new MAC and IP addresses) is prepended according to the routing configuration of the VPN system, the encrypted packet is sent to the peer VPN system, and the peer decrypts it to recover the original packet. Such a solution requires that the VPN system be assigned an IP address in advance, that the application systems point their default gateway or the route to the destination network at the VPN system, and that comparatively complex tunnel rules be configured between the VPN systems, all of which demands professional networking skill from the user. In many real-world deployments the customer's operators have little networking background or VPN experience, so VPN configuration and rollout are slow, and configuration errors easily introduce security risks.
For these reasons, link-layer transparent encryption systems have emerged. They generally appear as fully transparent network devices: the operator does not need to configure IP addresses, MAC addresses, routes, or tunnel rules. The working principle is that the packet is not encrypted as a whole; the header of the original packet is left unchanged and only the payload is encrypted before the packet is put back on the network. The advantage is that however the packet originally flowed (including how it was routed and addressed), the encrypted packet still follows the original network path, because forwarding devices make their decisions from the address information in the packet header, and transparent encryption changes only the payload, never the header addresses. The operator's workload and difficulty in deploying a link encryption system are therefore greatly reduced: the system is simply inserted in-line in the network, and encryption or decryption is performed automatically as data passes through it.
However, existing link encryption systems still have problems. On one hand, because the devices have no IP address, they cannot negotiate session keys with each other through a PKI public-key scheme, and so rely on externally injected symmetric keys, which is comparatively weak. On the other hand, most encryption systems use the more secure CBC or CFB modes of operation, both of which take an IV (initialization vector) as input, and the quality of the IV bears directly on the security of the encrypted data; unfortunately, most systems use a fixed value as the IV to reduce implementation complexity, which is a significant compromise of the cryptosystem's security.
Disclosure of Invention
To address the shortcomings of existing link encryption systems, the invention provides a link encryption method based on quantum key distribution. It distributes the working key and the IV initialization vector over a QKD mechanism, making key management both safer and more efficient, and at the same time improving the security of the cipher as used in practice.
To achieve this, the invention provides the following technical solution:
The link encryption method based on quantum key distribution comprises at least two link encryption systems. Each link encryption system is connected to a local quantum key distribution server; key distribution is completed over a quantum key transmission channel; and each link encryption system comprises at least a quantum key access interface, a key derivation function (KDF) module, an encryption function module and a network communication module. The method comprises the following steps:
S1. The quantum key distribution servers distribute quantum keys over the quantum key transmission channel.
S2. Each link encryption system obtains two quantum keys through its quantum key access interface.
S3. The key derivation function module takes the first quantum key as the working key, applies a specified KDF and associated cryptographic algorithm, and derives two distinct session keys; because both link encryption systems run the same procedure on the same input, they obtain the same pair of session keys.
S4. Each link encryption system receives network data flowing in both directions through its network communication module.
S5. The encryption function module uses the two distinct session keys to encrypt and decrypt the two directions of network traffic respectively; the link encryption system on the other side decrypts and encrypts with the corresponding session key. The cipher runs in CFB or CBC mode with the second quantum key obtained in step S2 as the IV.
Finally, the method achieves efficient, secure encrypted communication between the two link encryption systems.
Drawings
Fig. 1 is a schematic diagram of the link encryption method based on quantum key distribution according to the invention.
Detailed Description
The technical solution of the invention is further described below with reference to the accompanying drawing and specific embodiments.
The link encryption method based on quantum key distribution comprises at least two link encryption systems. Each link encryption system is connected to a local quantum key distribution server; key distribution is completed over a quantum key transmission channel; and each link encryption system comprises at least a quantum key access interface, a key derivation function (KDF) module, an encryption function module and a network communication module. The method comprises the following steps:
S1. The quantum key distribution servers distribute quantum keys over the quantum key transmission channel.
S2. Each link encryption system obtains two quantum keys through its quantum key access interface.
S3. The key derivation function module takes the first quantum key as the working key, applies a specified KDF and associated cryptographic algorithm, and derives two distinct session keys; because both link encryption systems run the same procedure on the same input, they obtain the same pair of session keys.
S4. Each link encryption system receives network data flowing in both directions through its network communication module.
S5. The encryption function module uses the two distinct session keys to encrypt and decrypt the two directions of network traffic respectively; the link encryption system on the other side decrypts and encrypts with the corresponding session key. The cipher runs in CFB or CBC mode with the second quantum key obtained in step S2 as the IV initialization vector.
Finally, the method achieves efficient, secure encrypted communication between the two link encryption systems.
Example 1:
Referring to Fig. 1, the system comprises two link encryption systems, each connected to a local quantum key distribution server; the two key distribution servers synchronously issue quantum keys with identical content over the quantum key transmission channel. Each link encryption system performs the following:
S1. The two quantum key distribution servers synchronously distribute quantum keys over the quantum key transmission channel.
S2. The two link encryption systems each obtain two quantum sub-keys through their quantum key access interfaces.
S3. The key derivation function module takes the first quantum sub-key as the working key, applies a KDF built on SM3 or a similar algorithm, and derives two distinct session keys; both link encryption systems obtain the same pair of session keys by the same mechanism.
S4. Each link encryption system receives network data flowing in both directions through its network communication module.
S5. The encryption function module uses the two distinct session keys to encrypt and decrypt the two directions of network traffic respectively; the link encryption system on the other side decrypts and encrypts with the corresponding session key. The cipher runs in CFB mode with the second quantum sub-key obtained in step S2 as the IV.
The link encryption systems thus keep the quantum key and the IV synchronized and provide secure network encryption.
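The five steps above, as an added example that is not the patent's code: a constructed pair of quantum keys stands in for what each link encryptor reads from its QKD server in step S2 (both sides hold the same pair, as the page states the servers issue keys with identical content); the first key is the working key from which a KDF derives one session key per direction (step S3), and the second key is the CFB IV (step S5). HMAC-SHA256 and AES-128 are substitutions for the SM3-based KDF and the block cipher the page leaves unnamed, since Go's standard library has neither SM3 nor SM4. The firstBlockLeak function is the check a practitioner wants here: in CFB the first ciphertext block is P1 XOR E_k(IV), so any two packets encrypted under the same session key and the same IV expose the XOR of their first plaintext blocks to anyone on the link. The page does not say how often the IV key is refreshed; the check shows why the IV must change for every packet encrypted under a given session key rather than being held fixed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// qkdPair is what each link encryptor reads from its local QKD server in
// step S2. Both ends hold the same pair. Values are constructed for the
// example; a real device would fetch them over the QKD server's key interface.
type qkdPair struct {
	Working []byte // first quantum key: working key, KDF input (step S3)
	IV      []byte // second quantum key: 16-byte IV for CFB (step S5)
}

// deriveSessionKeys is step S3: one session key per direction from the working
// key. HMAC-SHA256 stands in for the SM3-based KDF the page names (assumption).
// Distinct labels keep the two directions from ever sharing a key, so the one
// shared IV yields different keystreams in the two directions.
func deriveSessionKeys(working []byte) (aToB, bToA []byte) {
	kdf := func(label string) []byte {
		m := hmac.New(sha256.New, working)
		m.Write([]byte(label))
		return m.Sum(nil)[:16] // AES-128 key (AES stands in for SM4)
	}
	return kdf("link-encrypt A->B"), kdf("link-encrypt B->A")
}

// cfb applies AES-128-CFB; encryption and decryption differ only in direction.
func cfb(key, iv, in []byte, encrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCFBEncrypter(block, iv).XORKeyStream(out, in)
	} else {
		cipher.NewCFBDecrypter(block, iv).XORKeyStream(out, in)
	}
	return out
}

// encryptor is one link encryption system's view of the link: the key it
// encrypts with, the key it decrypts with, and the shared IV.
type encryptor struct {
	keyToPeer, keyFromPeer, iv []byte
}

func newEncryptor(k qkdPair, sideA bool) *encryptor {
	ab, ba := deriveSessionKeys(k.Working)
	if sideA {
		return &encryptor{keyToPeer: ab, keyFromPeer: ba, iv: k.IV}
	}
	return &encryptor{keyToPeer: ba, keyFromPeer: ab, iv: k.IV}
}

func (e *encryptor) Encrypt(p []byte) []byte { return cfb(e.keyToPeer, e.iv, p, true) }
func (e *encryptor) Decrypt(c []byte) []byte { return cfb(e.keyFromPeer, e.iv, c, false) }

// firstBlockLeak is the check behind the IV caveat: the first CFB ciphertext
// block is P1 XOR E_k(IV), so two packets under the same key and IV give
// away P1 XOR P1' without any key material.
func firstBlockLeak(c1, c2 []byte) []byte {
	out := make([]byte, aes.BlockSize)
	for i := range out {
		out[i] = c1[i] ^ c2[i]
	}
	return out
}

func main() {
	k := qkdPair{
		Working: []byte("constructed-32-byte-working-key!"),
		IV:      []byte("constructed-iv16"),
	}
	a, b := newEncryptor(k, true), newEncryptor(k, false)
	fmt.Println("same session keys at both ends:",
		bytes.Equal(a.keyToPeer, b.keyFromPeer) && bytes.Equal(a.keyFromPeer, b.keyToPeer))
	ct := a.Encrypt([]byte("constructed payload from A to B"))
	fmt.Printf("B decrypts A->B: %q\n", b.Decrypt(ct))
	fmt.Printf("A decrypts B->A: %q\n", a.Decrypt(b.Encrypt([]byte("constructed reply from B to A"))))
	c1 := a.Encrypt([]byte("packet one, sixteen+ bytes long"))
	c2 := a.Encrypt([]byte("packet two, sixteen+ bytes long"))
	// This equals P1 XOR P1' of the two packets: the IV must change per packet.
	fmt.Printf("same key+IV leaks P1 xor P1': %x\n", firstBlockLeak(c1, c2))
}
```

The per-direction labels in deriveSessionKeys are what make one shared IV safe across the two directions; they do nothing for two packets in the same direction, which is why the last two lines of main, not the key derivation, decide whether the design is sound in practice.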

Claims (1)

1. A link encryption method based on quantum key distribution, characterized in that it comprises at least two link encryption systems, each link encryption system being connected to a local quantum key distribution server, key distribution being completed over a quantum key transmission channel, and each link encryption system comprising at least a quantum key access interface, a key derivation function module, an encryption function module and a network communication module; the method comprising the following steps:
S1. The quantum key distribution server distributes quantum keys over the quantum key transmission channel.
S2. The link encryption system obtains two quantum sub-keys through the quantum key access interface.
S3. The key derivation function module takes the first quantum sub-key obtained as the working key, applies a specified KDF key derivation function and associated cryptographic algorithm, and derives two distinct session keys.
S4. The link encryption system receives network data transmitted in both directions through the network communication module.
S5. The encryption function module uses the two distinct session keys to encrypt and decrypt the network data in the two directions of transmission respectively; the cipher runs in CFB or CBC mode with the second quantum sub-key obtained in S2 as the IV initialization vector.
Finally, the method achieves efficient, secure encrypted communication between the two link encryption systems.
Application CN202310751676.3A, priority date 2023-06-25, filing date 2023-06-25: Link encryption method based on quantum key distribution. Published as CN116599664A (en), status Pending.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202310751676.3A (published as CN116599664A) | 2023-06-25 | 2023-06-25 | Link encryption method based on quantum key distribution

Publications (1)

Publication Number | Publication Date
CN116599664A (en) | 2023-08-15

Family

ID=87595823 (one family application: CN202310751676.3A, published as CN116599664A, priority and filing date 2023-06-25, Pending)

Country Status (1)

Country Link
CN (1) CN116599664A (en)


Legal Events

Code | Title
PB01 | Publication