CN116827538A - Ukey encryption system and method based on quantum cryptography cloud - Google Patents

Info

Publication number
CN116827538A
Authority
CN
China
Prior art keywords
key
ukey
session key
quantum
service system
Prior art date
Legal status
Pending
Application number
CN202310978848.0A
Other languages
Chinese (zh)
Inventor
郭邦红
梁玉峰
Current Assignee
National Quantum Communication Guangdong Co Ltd
Original Assignee
National Quantum Communication Guangdong Co Ltd
Priority date
Filing date
Publication date
Application filed by National Quantum Communication Guangdong Co Ltd
Priority to CN202310978848.0A
Publication of CN116827538A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0852 Quantum cryptography
    • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L 9/0897 Escrow, recovery or storing of secret information involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3234 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a UKey encryption system based on a quantum cryptography cloud, comprising QKD equipment, a quantum cryptography cloud platform, a user side, a UKey and a service system, together with a UKey encryption method implemented on that system, comprising the steps of identity verification, distribution of a session key and use of the session key. A quantum key generated by the QKD equipment is obtained through the quantum cryptography cloud platform and used as the session key, so that the true randomness of the session key is ensured. When data is to be encrypted or decrypted with the session key, the data and the encrypted session key string are passed to the UKey; the UKey decrypts the session key with its built-in symmetric encryption algorithm and its stored key, and then encrypts or decrypts the data with the session key. This protects the session key in transit, provides message integrity verification, and thereby effectively protects the encrypted communication data.

Description

Ukey encryption system and method based on quantum cryptography cloud
Technical Field
The invention relates to the technical field of quantum cryptography cloud and encryption communication, in particular to a Ukey encryption system and method based on quantum cryptography cloud.
Background
In conventional HTTP communication, data is transmitted over the network in plain text, and an attacker can easily modify the communication content, so that the data is tampered with, damaged or embedded with malicious content, which poses a serious threat to the privacy and sensitive information of the user.
To address this problem with HTTP, HTTPS adds encryption on top of HTTP: transmitted data is encrypted with SSL (Secure Sockets Layer) or its successor TLS (Transport Layer Security), so that the data is not easily eavesdropped on or tampered with while in transit over the network.
However, with the development of quantum computing, the security of HTTPS is also beginning to be compromised. HTTPS uses public key cryptography algorithms such as RSA in the key agreement phase, relying on the difficulty of factoring large integers. Although factoring a large integer takes a very long time on a conventional computer, a quantum computer can solve this problem in a short time using Shor's algorithm or a similar technique. This means that a quantum computer could quickly break the RSA algorithm used for HTTPS key exchange, so that the content of the encrypted communication is no longer secure from the moment of key agreement.
Moreover, the session key used for actual data transmission in HTTPS is derived from random numbers produced by an algorithm, so the true randomness of those numbers cannot be guaranteed; and with Grover's algorithm the correct key can be found quickly by searching the key space in square-root time.
Therefore, existing encryption technology cannot guarantee the security of encrypted communication data.
Disclosure of Invention
The invention provides a UKey encryption system and method based on a quantum cryptography cloud, which aims to solve the problem that existing encryption technology cannot guarantee the security of encrypted communication data.
To achieve this, the invention adopts the following technical scheme:
the UKey encryption system based on the quantum cryptography cloud comprises QKD equipment, a quantum cryptography cloud platform, a user side, a UKey and a service system;
the QKD equipment is used for generating quantum keys;
the quantum cryptography cloud platform is used for obtaining a quantum key generated by the QKD equipment as the session key; encrypting the session key with a symmetric encryption algorithm under the quantum key KeyA and, separately, under the quantum key KeyB, thereby obtaining the session key encryption strings encryptedKeyA and encryptedKeyB, and sending both to the service system; and performing identity verification of the user side and the service system;
the user side is used for sending data to the UKey, requesting the UKey to encrypt or decrypt it, and initiating requests to the service system;
the UKey is used for encrypting the identity information of the user side with a built-in symmetric encryption algorithm under the quantum key KeyA to obtain the encrypted data encryptedData; decrypting the session key encryption string encryptedKeyA with the built-in symmetric encryption algorithm under the quantum key KeyA to obtain the session key; encrypting data with the session key to obtain the encrypted data encryptedDataA and returning it to the user side; and decrypting the encrypted data encryptedDataB with the session key to obtain the data plaintext and returning it to the user side;
the service system is used for generating a sessionId; decrypting the encrypted data encryptedDataA with a symmetric encryption algorithm under the session key corresponding to the sessionId to obtain the user side data; decrypting the session key encryption string encryptedKeyB with a symmetric encryption algorithm under the quantum key KeyB to obtain the session key; encrypting the service system identity information with a symmetric encryption algorithm under the quantum key KeyB to obtain the encrypted data appEncryptedData; and performing the service logic on the user side data, encrypting the result with a symmetric encryption algorithm under the session key to obtain the encrypted data encryptedDataB and returning it to the user side.
Preferably, the quantum cryptography cloud platform is further configured to provide registration for the user terminal, preset a quantum key KeyA in the UKey, and bind the relationship between the user terminal and the UKey.
Preferably, the quantum cryptography cloud platform is further configured to provide registration for a service system, preset a quantum key KeyB in the service system, and bind a relationship between a user terminal and the service system.
Preferably, the quantum cryptography cloud platform and the UKey share a quantum key KeyA.
Preferably, the quantum cryptography cloud platform and the service system share a quantum key KeyB.
Preferably, the symmetric encryption algorithm is a national cipher SM4 symmetric encryption algorithm.
The UKey encryption method based on the quantum cryptography cloud is implemented on the UKey encryption system described above and comprises the following specific steps:
S11: the quantum cryptography cloud platform obtains a quantum key generated by the QKD equipment as the session key;
S12: the quantum cryptography cloud platform encrypts the session key with a symmetric encryption algorithm under the quantum key KeyA corresponding to the ukeyId, obtaining the session key encryption string encryptedKeyA, and sends it to the service system;
it also encrypts the session key with the symmetric encryption algorithm under the quantum key KeyB corresponding to the appId, obtaining the session key encryption string encryptedKeyB, and sends it to the service system;
the ukeyId identifies the UKey that encrypted the identity information of the user side initiating the session key request, and the appId identifies the service system that received the session key request from that user side;
S13: the service system decrypts the session key encryption string encryptedKeyB with the symmetric encryption algorithm under the quantum key KeyB, obtaining the session key, and stores it;
S14: the service system generates a sessionId and sends the sessionId and the session key encryption string encryptedKeyA to the user side for storage, completing the distribution of the session key.
Preferably, before the distribution of the session key, the method further comprises an identity verification step, specifically:
S01: the UKey receives the identity information to be encrypted from the user side, together with the user side's encryption request;
S02: the UKey encrypts the identity information of the user side with its built-in symmetric encryption algorithm under the quantum key KeyA to obtain the encrypted data encryptedData, and sends encryptedData and its own ukeyId to the user side;
S03: the user side sends the encrypted data encryptedData and the ukeyId to the service system to initiate a user session key request;
S04: the service system responds to the user session key request by encrypting its own identity information with a symmetric encryption algorithm under the quantum key KeyB to obtain the encrypted data appEncryptedData;
S05: the service system sends the ukeyId, the appId, the encrypted data encryptedData and the encrypted data appEncryptedData to the quantum cryptography cloud platform to initiate a service system session key request;
S06: the quantum cryptography cloud platform responds to the service system session key request: it decrypts the encrypted data encryptedData with the symmetric encryption algorithm under the quantum key KeyA to obtain the user side identity information and verifies the user side identity, stopping execution if verification fails;
it decrypts the encrypted data appEncryptedData with the symmetric encryption algorithm under the quantum key KeyB to obtain the service system identity information and verifies the service system identity, stopping execution if verification fails;
and it checks the binding relationship between the user side and the service system against the decrypted user side and service system identity information, stopping execution if the two are not bound.
Preferably, before the identity verification, the method further comprises the following steps:
presetting the quantum key KeyA in the UKey and binding the relationship between the user side and the UKey; and presetting the quantum key KeyB in the service system and binding the relationship between the user side and the service system.
Preferably, the method further comprises the use of the session key, specifically:
S21: the user side sends the session key encryption string encryptedKeyA and the data to be encrypted to the UKey and requests the UKey to encrypt the data;
S22: the UKey responds to the user side's encryption request by decrypting the session key encryption string encryptedKeyA with its built-in symmetric encryption algorithm under the quantum key KeyA to obtain the session key; it then encrypts the data with the session key to obtain the encrypted data encryptedDataA and returns it to the user side;
S23: the user side sends the sessionId and the encrypted data encryptedDataA to the service system to initiate a service processing request;
S24: the service system responds to the user side's service processing request by decrypting the encrypted data encryptedDataA with a symmetric encryption algorithm under the session key corresponding to the sessionId to obtain the user side data;
S25: the service system performs the service logic on the user side data, encrypts the result with a symmetric encryption algorithm under the session key to obtain the encrypted data encryptedDataB, and returns it to the user side;
S26: the user side sends the encrypted data encryptedDataB and the session key encryption string encryptedKeyA to the UKey and requests the UKey to decrypt the data;
S27: the UKey responds to the user side's decryption request by decrypting the session key encryption string encryptedKeyA with its built-in symmetric encryption algorithm under the quantum key KeyA to obtain the session key; it then decrypts the encrypted data encryptedDataB with the session key to obtain the data plaintext and returns it to the user side.
The beneficial technical effects of the invention are as follows:
the invention discloses a UKey encryption system and method based on a quantum cryptography cloud. A quantum key generated by the QKD equipment is obtained through the quantum cryptography cloud platform and used as the session key, so that the true randomness of the session key is ensured. The session key is encrypted with a symmetric encryption algorithm under the quantum keys of the corresponding UKey and service system, which protects the confidentiality of the session key in transit. When data is to be encrypted or decrypted with the session key, the data and the encrypted session key string are passed to the UKey; the UKey decrypts the session key with its built-in symmetric encryption algorithm and its stored key, and then encrypts or decrypts the data with the session key, which protects the session key in transit, provides message integrity verification, and thereby effectively protects the encrypted communication data. At the same time, encryption and decryption are performed in hardware, which improves efficiency.
Drawings
FIG. 1 is a schematic diagram of a modular connection according to the present invention;
FIG. 2 is a flow chart illustrating the distribution of session keys in the present invention;
FIG. 3 is a schematic diagram of the identity verification process in the present invention;
FIG. 4 is a flow chart of the use of session keys in the present invention.
Detailed Description
The present invention will be further described in detail with reference to the following examples, for the purpose of making the objects, technical solutions and advantages of the present invention more apparent, but the scope of the present invention is not limited to the following specific examples.
Example 1
As shown in FIG. 1, a UKey encryption system based on a quantum cryptography cloud comprises QKD equipment, a quantum cryptography cloud platform, a user side, a UKey and a service system;
the QKD equipment is used for generating quantum keys;
the quantum cryptography cloud platform is used for obtaining a quantum key generated by the QKD equipment as the session key; encrypting the session key with a symmetric encryption algorithm under the quantum key KeyA and, separately, under the quantum key KeyB, thereby obtaining the session key encryption strings encryptedKeyA and encryptedKeyB, and sending both to the service system; and performing identity verification of the user side and the service system;
the user side is used for sending data to the UKey, requesting the UKey to encrypt or decrypt it, and initiating requests to the service system;
the UKey is used for encrypting the identity information of the user side with a built-in symmetric encryption algorithm under the quantum key KeyA to obtain the encrypted data encryptedData; decrypting the session key encryption string encryptedKeyA with the built-in symmetric encryption algorithm under the quantum key KeyA to obtain the session key; encrypting data with the session key to obtain the encrypted data encryptedDataA and returning it to the user side; and decrypting the encrypted data encryptedDataB with the session key to obtain the data plaintext and returning it to the user side;
the service system is used for generating a sessionId; decrypting the encrypted data encryptedDataA with a symmetric encryption algorithm under the session key corresponding to the sessionId to obtain the user side data; decrypting the session key encryption string encryptedKeyB with a symmetric encryption algorithm under the quantum key KeyB to obtain the session key; encrypting the service system identity information with a symmetric encryption algorithm under the quantum key KeyB to obtain the encrypted data appEncryptedData; and performing the service logic on the user side data, encrypting the result with a symmetric encryption algorithm under the session key to obtain the encrypted data encryptedDataB and returning it to the user side.
In a specific implementation, a quantum key generated by the QKD equipment is obtained through the quantum cryptography cloud platform and used as the session key, so that the true randomness of the session key is ensured. The session key is encrypted with a symmetric encryption algorithm under the quantum keys of the corresponding UKey and service system, which protects the confidentiality of the session key in transit. When data is to be encrypted or decrypted with the session key, the data and the encrypted session key string are passed to the UKey; the UKey decrypts the session key with its built-in symmetric encryption algorithm and its stored key, and then encrypts or decrypts the data with the session key, which protects the session key in transit, provides message integrity verification, and thereby effectively protects the encrypted communication data. At the same time, encryption and decryption are performed in hardware, which improves efficiency.
More specifically, the quantum cryptography cloud platform is further configured to provide registration for the user terminal, preset a quantum key KeyA in the UKey, and bind the relationship between the user terminal and the UKey.
More specifically, the quantum cryptography cloud platform is further configured to provide registration for a service system, preset a quantum key KeyB in the service system, and bind a relationship between a user terminal and the service system.
More specifically, the quantum cryptography cloud platform and the UKey share a quantum key KeyA.
More specifically, the quantum cryptography cloud platform and the business system share a quantum key KeyB.
More specifically, the symmetric encryption algorithm is a national cipher SM4 symmetric encryption algorithm.
In this implementation, the session key is generated by the quantum cryptography cloud platform, and its distribution is protected with the national cipher SM4-GCM symmetric encryption algorithm. Symmetric encryption consists mainly of bit operations and is therefore very fast.
The service system must register with the quantum cryptography cloud platform, which presets a quantum key KeyB for the service system; the service system and the quantum cryptography cloud platform thus share the quantum key KeyB.
Before the UKey is used, the user side must register on the quantum cryptography cloud platform; the platform presets a quantum key KeyA in the UKey and binds the relationship between the user side and the UKey. At the same time, the relationship between the user side and the service system is bound. The quantum cryptography cloud platform and the UKey thus share the quantum key KeyA.
The UKey stores only the single preset quantum key KeyA. The session key is encrypted with the national cipher SM4 symmetric encryption algorithm and stored outside the UKey. When the session key is needed to encrypt or decrypt data, the data and the encrypted session key string are passed into the UKey; the UKey decrypts the session key with its built-in national cipher SM4 symmetric encryption algorithm under the built-in quantum key KeyA, and then uses the session key to encrypt or decrypt the data.
Example 2
As shown in FIG. 2, the UKey encryption method based on the quantum cryptography cloud is implemented on the UKey encryption system described above and comprises the following specific steps:
S11: the quantum cryptography cloud platform obtains a quantum key generated by the QKD equipment as the session key;
S12: the quantum cryptography cloud platform encrypts the session key with a symmetric encryption algorithm under the quantum key KeyA corresponding to the ukeyId, obtaining the session key encryption string encryptedKeyA, and sends it to the service system;
it also encrypts the session key with the symmetric encryption algorithm under the quantum key KeyB corresponding to the appId, obtaining the session key encryption string encryptedKeyB, and sends it to the service system;
the ukeyId identifies the UKey that encrypted the identity information of the user side initiating the session key request, and the appId identifies the service system that received the session key request from that user side;
S13: the service system decrypts the session key encryption string encryptedKeyB with the symmetric encryption algorithm under the quantum key KeyB, obtaining the session key, and stores it;
S14: the service system generates a sessionId and sends the sessionId and the session key encryption string encryptedKeyA to the user side for storage, completing the distribution of the session key.
More specifically, as shown in FIG. 3, before the distribution of the session key the method further comprises an identity verification step, specifically:
S01: the UKey receives the identity information to be encrypted from the user side, together with the user side's encryption request;
S02: the UKey encrypts the identity information of the user side with its built-in symmetric encryption algorithm under the quantum key KeyA to obtain the encrypted data encryptedData, and sends encryptedData and its own ukeyId to the user side;
S03: the user side sends the encrypted data encryptedData and the ukeyId to the service system to initiate a user session key request;
S04: the service system responds to the user session key request by encrypting its own identity information with a symmetric encryption algorithm under the quantum key KeyB to obtain the encrypted data appEncryptedData;
S05: the service system sends the ukeyId, the appId, the encrypted data encryptedData and the encrypted data appEncryptedData to the quantum cryptography cloud platform to initiate a service system session key request;
S06: the quantum cryptography cloud platform responds to the service system session key request: it decrypts the encrypted data encryptedData with the symmetric encryption algorithm under the quantum key KeyA to obtain the user side identity information and verifies the user side identity, stopping execution if verification fails;
it decrypts the encrypted data appEncryptedData with the symmetric encryption algorithm under the quantum key KeyB to obtain the service system identity information and verifies the service system identity, stopping execution if verification fails;
and it checks the binding relationship between the user side and the service system against the decrypted user side and service system identity information, stopping execution if the two are not bound.
More specifically, before the identity verification, the method further comprises the following steps:
presetting the quantum key KeyA in the UKey and binding the relationship between the user side and the UKey; and presetting the quantum key KeyB in the service system and binding the relationship between the user side and the service system.
Example 3
More specifically, as shown in FIG. 4, the method further comprises the use of the session key, specifically:
S21: the user side sends the session key encryption string encryptedKeyA and the data to be encrypted to the UKey and requests the UKey to encrypt the data;
S22: the UKey responds to the user side's encryption request by decrypting the session key encryption string encryptedKeyA with its built-in symmetric encryption algorithm under the quantum key KeyA to obtain the session key; it then encrypts the data with the session key to obtain the encrypted data encryptedDataA and returns it to the user side;
S23: the user side sends the sessionId and the encrypted data encryptedDataA to the service system to initiate a service processing request;
S24: the service system responds to the user side's service processing request by decrypting the encrypted data encryptedDataA with a symmetric encryption algorithm under the session key corresponding to the sessionId to obtain the user side data;
S25: the service system performs the service logic on the user side data, encrypts the result with a symmetric encryption algorithm under the session key to obtain the encrypted data encryptedDataB, and returns it to the user side;
S26: the user side sends the encrypted data encryptedDataB and the session key encryption string encryptedKeyA to the UKey and requests the UKey to decrypt the data;
S27: the UKey responds to the user side's decryption request by decrypting the session key encryption string encryptedKeyA with its built-in symmetric encryption algorithm under the quantum key KeyA to obtain the session key; it then decrypts the encrypted data encryptedDataB with the session key to obtain the data plaintext and returns it to the user side.
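The three flows of Examples 1 to 3 (identity verification S01 to S06, session key distribution S11 to S14 and session key use S21 to S27, which the Disclosure of Invention states in the same steps) as one runnable walk-through. This is an added example, not code from the patent or from National Quantum Communication Guangdong Co Ltd. The national cipher SM4-GCM named in the text is replaced by a toy authenticated encryption built from HMAC-SHA256, the QKD equipment is simulated with os.urandom, and the ukeyId, appId and identity strings as well as all class and function names are assumptions made for this example.

```python
"""Added walk-through (not code from the patent or its assignee). Stand-ins:
SM4-GCM is replaced by a toy AEAD built from HMAC-SHA256 (keystream + tag),
QKD output is simulated with os.urandom, and the ukeyId/appId/identity
values are constructed for the example."""
import hashlib, hmac, os, secrets

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def aead_encrypt(key, plaintext):
    """Toy AEAD (assumption, NOT SM4-GCM): wire format nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def aead_decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("message integrity check failed")  # tampered or wrong key
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def qkd_key():
    return os.urandom(16)  # stand-in for a key delivered by the QKD equipment

class QuantumCloud:
    """Cloud platform: registration, binding, S06 identity checks, S11-S12 wrapping."""
    def __init__(self):
        self.ukeys, self.apps, self.bindings = {}, {}, set()
    def register_ukey(self, ukey_id, identity):  # presets KeyA in the UKey
        self.ukeys[ukey_id] = (qkd_key(), identity)
        return self.ukeys[ukey_id][0]
    def register_app(self, app_id, identity):  # presets KeyB in the service system
        self.apps[app_id] = (qkd_key(), identity)
        return self.apps[app_id][0]
    def bind(self, ukey_id, app_id):
        self.bindings.add((ukey_id, app_id))
    def session_key_request(self, ukey_id, app_id, encrypted_data, app_encrypted_data):
        key_a, user_identity = self.ukeys[ukey_id]
        key_b, app_identity = self.apps[app_id]
        # S06: user identity, then service identity, then the binding; stop on any failure
        if aead_decrypt(key_a, encrypted_data) != user_identity:
            raise PermissionError("user side identity check failed")
        if aead_decrypt(key_b, app_encrypted_data) != app_identity:
            raise PermissionError("service system identity check failed")
        if (ukey_id, app_id) not in self.bindings:
            raise PermissionError("user side and service system are not bound")
        session_key = qkd_key()  # S11: a fresh QKD key becomes the session key
        # S12: encryptedKeyA (wrapped under KeyA) and encryptedKeyB (wrapped under KeyB)
        return aead_encrypt(key_a, session_key), aead_encrypt(key_b, session_key)

class UKey:
    """Holds only KeyA; the session key lives outside it, wrapped as encryptedKeyA."""
    def __init__(self, key_a):
        self._key_a = key_a
    def encrypt_identity(self, identity):  # S02
        return aead_encrypt(self._key_a, identity)
    def encrypt(self, encrypted_key_a, data):  # S22: unwrap the session key, then encrypt
        return aead_encrypt(aead_decrypt(self._key_a, encrypted_key_a), data)
    def decrypt(self, encrypted_key_a, encrypted_data_b):  # S27
        return aead_decrypt(aead_decrypt(self._key_a, encrypted_key_a), encrypted_data_b)

class ServiceSystem:
    def __init__(self, app_id, identity, key_b, cloud):
        self.app_id, self.identity, self._key_b, self.cloud = app_id, identity, key_b, cloud
        self.sessions = {}  # sessionId -> session key (S13)
    def user_session_key_request(self, ukey_id, encrypted_data):  # S04-S05, S13-S14
        app_encrypted_data = aead_encrypt(self._key_b, self.identity)
        enc_key_a, enc_key_b = self.cloud.session_key_request(
            ukey_id, self.app_id, encrypted_data, app_encrypted_data)
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = aead_decrypt(self._key_b, enc_key_b)
        return session_id, enc_key_a  # the user side stores both but never sees the key
    def service_request(self, session_id, encrypted_data_a):  # S24-S25
        sk = self.sessions[session_id]
        result = aead_decrypt(sk, encrypted_data_a).upper()  # placeholder service logic
        return aead_encrypt(sk, result)

def run_flow(bound=True, tamper=False):
    """User side driving S01..S27; returns the decrypted service result."""
    cloud = QuantumCloud()
    key_a = cloud.register_ukey("ukey-001", b"user:alice")  # constructed ids
    key_b = cloud.register_app("app-001", b"service:orders")
    if bound:
        cloud.bind("ukey-001", "app-001")
    ukey = UKey(key_a)
    service = ServiceSystem("app-001", b"service:orders", key_b, cloud)
    encrypted_data = ukey.encrypt_identity(b"user:alice")  # S01-S02
    session_id, enc_key_a = service.user_session_key_request("ukey-001", encrypted_data)
    enc_a = ukey.encrypt(enc_key_a, b"order 42")  # S21-S22
    if tamper:
        enc_a = enc_a[:-1] + bytes([enc_a[-1] ^ 1])  # flip one tag bit in transit
    enc_b = service.service_request(session_id, enc_a)  # S23-S25
    return ukey.decrypt(enc_key_a, enc_b)  # S26-S27

if __name__ == "__main__":
    print(run_flow())  # b'ORDER 42'
```

Two properties the text relies on are visible in run_flow: the session key is never held in plaintext outside the UKey or the service system (the user side stores only the sessionId and encryptedKeyA, and the UKey re-derives the session key from encryptedKeyA on every call), and a message modified in transit is rejected by the integrity check before it reaches the service logic. The cloud platform also refuses a ukeyId/appId pair that was never bound, which is the S06 stop condition. A real deployment would use the SM4-GCM primitive in place of the toy AEAD, keeping the per-message nonce.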
Variations and modifications to the above would be obvious to persons skilled in the art to which the invention pertains from the foregoing description and teachings. Therefore, the invention is not limited to the specific embodiments disclosed and described above, but some modifications and changes of the invention should be also included in the scope of the claims of the invention. In addition, although specific terms are used in the present specification, these terms are for convenience of description only and do not limit the present invention in any way.

Claims (10)

1. A Ukey encryption system based on a quantum cryptography cloud, characterized by comprising QKD equipment, a quantum cryptography cloud platform, a user side, a UKey and a service system, wherein:
the QKD equipment is used for generating quantum keys;
the quantum cryptography cloud platform is used for acquiring a quantum key generated by the QKD equipment as a session key; encrypting the session key with a symmetric encryption algorithm under the quantum key KeyA and under the quantum key KeyB, respectively, to obtain the session key encryption strings encryptedKeyA and encryptedKeyB, and sending encryptedKeyA and encryptedKeyB to the service system; and performing identity verification of the user side and the service system;
the user side is used for sending data to the UKey, requesting the UKey to encrypt or decrypt it, and initiating requests to the service system;
the UKey is used for encrypting the user side's identity information to be encrypted with a built-in symmetric encryption algorithm and the quantum key KeyA to obtain encrypted data encryptedData; decrypting the session key encryption string encryptedKeyA with the built-in symmetric encryption algorithm and the quantum key KeyA to obtain the session key; encrypting data with the session key to obtain encrypted data encryptedDataA and returning encryptedDataA to the user side; and decrypting encrypted data encryptedDataB with the session key to obtain the plaintext and returning it to the user side;
the service system is used for generating a session Id and decrypting the encrypted data encryptedDataA with the symmetric encryption algorithm and the session key corresponding to the session Id to obtain the user-side data; decrypting the session key encryption string encryptedKeyB with the symmetric encryption algorithm and the quantum key KeyB to obtain the session key; encrypting the service system's identity information with the symmetric encryption algorithm and the quantum key KeyB to obtain encrypted data appEncryptedData; and performing service logic on the user-side data, encrypting the result with the symmetric encryption algorithm and the session key to obtain encrypted data encryptedDataB, and returning encryptedDataB to the user side.
2. The Ukey encryption system based on a quantum cryptography cloud according to claim 1, wherein the quantum cryptography cloud platform is further configured to register the user side, preset the quantum key KeyA in the UKey, and bind the user side to the UKey.
3. The Ukey encryption system based on a quantum cryptography cloud according to claim 2, wherein the quantum cryptography cloud platform is further configured to register the service system, preset the quantum key KeyB in the service system, and bind the user side to the service system.
4. The Ukey encryption system according to claim 2, wherein the quantum cryptography cloud platform and the UKey share the quantum key KeyA.
5. The Ukey encryption system based on a quantum cryptography cloud according to claim 3, wherein the quantum cryptography cloud platform and the service system share the quantum key KeyB.
6. The Ukey encryption system according to any one of claims 1 to 5, wherein the symmetric encryption algorithm is the SM4 symmetric encryption algorithm of the Chinese national commercial cryptography standards.
7. A Ukey encryption method based on a quantum cryptography cloud, characterized by comprising the following steps:
s11: the quantum cryptography cloud platform acquires a quantum key generated by the QKD equipment as a session key;
s12: the quantum cryptography cloud platform encrypts the session key with a symmetric encryption algorithm and the quantum key KeyA corresponding to the ukeyId to obtain the session key encryption string encryptedKeyA and sends encryptedKeyA to the service system;
it also encrypts the session key with the symmetric encryption algorithm and the quantum key KeyB corresponding to the appId to obtain the session key encryption string encryptedKeyB and sends encryptedKeyB to the service system;
the ukeyId is the identifier of the UKey that encrypted the identity information of the user side initiating the session key request, and the appId is the identifier of the service system receiving that user side's session key request;
s13: the service system decrypts the session key encryption string encryptedKeyB with the symmetric encryption algorithm and the quantum key KeyB to obtain the session key, and stores it;
s14: the service system generates a session Id and sends the session Id and the session key encryption string encryptedKeyA to the user side for storage, completing the distribution of the session key.
8. The Ukey encryption method based on a quantum cryptography cloud according to claim 7, further comprising identity verification before the distribution of the session key, comprising the following steps:
s01: the UKey receives the user side's identity information to be encrypted and the user side's encryption request;
s02: the UKey encrypts the user side's identity information with its built-in symmetric encryption algorithm and the quantum key KeyA to obtain encrypted data encryptedData, and sends encryptedData together with its own ukeyId to the user side;
s03: the user side sends encryptedData and the ukeyId to the service system to initiate a user session key request;
s04: the service system responds to the user session key request by encrypting its own identity information with the symmetric encryption algorithm and the quantum key KeyB to obtain encrypted data appEncryptedData;
s05: the service system sends the ukeyId, the appId, encryptedData and appEncryptedData to the quantum cryptography cloud platform to initiate a service system session key request;
s06: the quantum cryptography cloud platform responds to the service system session key request by decrypting encryptedData with the symmetric encryption algorithm and the quantum key KeyA to obtain the user side's identity information and verifying the user side's identity; if the verification fails, execution stops;
it decrypts appEncryptedData with the symmetric encryption algorithm and the quantum key KeyB to obtain the service system's identity information and verifies the service system's identity; if the verification fails, execution stops;
and it checks the binding between the user side and the service system using the decrypted user-side and service-system identity information; if the two are not bound, execution stops.
9. The Ukey encryption method based on a quantum cryptography cloud according to claim 8, further comprising, before the identity verification:
presetting the quantum key KeyA in the UKey and binding the user side to the UKey, and presetting the quantum key KeyB in the service system and binding the user side to the service system.
10. The Ukey encryption method based on a quantum cryptography cloud according to claim 7, further comprising the use of the session key, comprising the following steps:
s21: the user side sends the session key encryption string encryptedKeyA and the data to be encrypted to the UKey and requests the UKey to encrypt the data;
s22: the UKey responds to the user side's encryption request by decrypting encryptedKeyA with its built-in symmetric encryption algorithm and the quantum key KeyA to obtain the session key, then encrypting the data with the session key to obtain encrypted data encryptedDataA, which it returns to the user side;
s23: the user side sends the session Id and encryptedDataA to the service system to initiate a service processing request;
s24: the service system responds to the user side's service processing request by decrypting encryptedDataA with the symmetric encryption algorithm and the session key corresponding to the session Id, obtaining the user-side data;
s25: the service system performs its service logic on the user-side data, encrypts the result with the symmetric encryption algorithm and the session key to obtain encrypted data encryptedDataB, and returns encryptedDataB to the user side;
s26: the user side sends encryptedDataB and the session key encryption string encryptedKeyA to the UKey and requests the UKey to decrypt the data;
s27: the UKey responds to the user side's decryption request by decrypting encryptedKeyA with its built-in symmetric encryption algorithm and the quantum key KeyA to recover the session key, then decrypting encryptedDataB with the session key to obtain the plaintext, which it returns to the user side.
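The session key distribution of claim 7 and the session key use of claim 10 (steps s21 to s27), simulated end to end as an added example that is not part of the patent: the cloud platform wraps one session key under KeyA and KeyB, the service system unwraps encryptedKeyB, and the user side only ever holds the session Id and encryptedKeyA, which the UKey unwraps internally; a UKey holding the wrong KeyA cannot unwrap it. SM4 is replaced by a stand-in HMAC-based authenticated cipher, random bytes stand in for the QKD-generated key, and all class and function names are assumptions.

```python
import hmac, secrets

# Stand-in authenticated cipher (HMAC-SHA256 keystream, encrypt-then-MAC): the patent
# specifies SM4, which the standard library lacks, so this replaces it (assumption).
def _keystream(key, nonce, n):
    blocks = (hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256")
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, pt):
    ek, mk = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ek, nonce, len(pt))))
    return nonce + ct + hmac.digest(mk, nonce + ct, "sha256")

def unseal(key, blob):
    ek, mk = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(mk, nonce + ct, "sha256")):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

class UKey:  # holds the preset KeyA; the session key is unwrapped only inside the token
    def __init__(self, key_a): self._key_a = key_a
    def encrypt(self, encrypted_key_a, data):  # s21-s22
        return seal(unseal(self._key_a, encrypted_key_a), data)  # encryptedDataA
    def decrypt(self, encrypted_key_a, encrypted_data_b):  # s26-s27
        return unseal(unseal(self._key_a, encrypted_key_a), encrypted_data_b)

class ServiceSystem:  # holds the preset KeyB and a session Id -> session key table
    def __init__(self, key_b): self._key_b, self._sessions = key_b, {}
    def receive_keys(self, encrypted_key_a, encrypted_key_b):  # s13-s14
        session_id = secrets.token_hex(8)
        self._sessions[session_id] = unseal(self._key_b, encrypted_key_b)
        return session_id, encrypted_key_a  # forwarded to the user side, which stores both
    def handle(self, session_id, encrypted_data_a):  # s24-s25
        session_key = self._sessions[session_id]
        result = unseal(session_key, encrypted_data_a).upper()  # stand-in service logic
        return seal(session_key, result)  # encryptedDataB

def cloud_distribute(key_a, key_b):  # s11-s12; random bytes stand in for the QKD key
    session_key = secrets.token_bytes(16)
    return seal(key_a, session_key), seal(key_b, session_key)  # encryptedKeyA, encryptedKeyB

def run_session(data):
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)  # preset keys (claim 9)
    ukey, service = UKey(key_a), ServiceSystem(key_b)
    session_id, encrypted_key_a = service.receive_keys(*cloud_distribute(key_a, key_b))
    encrypted_data_b = service.handle(session_id, ukey.encrypt(encrypted_key_a, data))  # s23
    return ukey.decrypt(encrypted_key_a, encrypted_data_b)  # plaintext of the service result
```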
Application CN202310978848.0A, priority date 2023-08-04, filing date 2023-08-04: Ukey encryption system and method based on quantum cryptography cloud; status Pending; publication CN116827538A (en).

Publication: CN116827538A, published 2023-09-29. Family ID: 88114652. Country: CN.


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination