CN117176345B - Quantum cryptography network key relay dynamic routing method, device and system - Google Patents
Quantum cryptography network key relay dynamic routing method, device and system Download PDFInfo
- Publication number
- CN117176345B CN117176345B CN202311426981.1A CN202311426981A CN117176345B CN 117176345 B CN117176345 B CN 117176345B CN 202311426981 A CN202311426981 A CN 202311426981A CN 117176345 B CN117176345 B CN 117176345B
- Authority
- CN
- China
- Prior art keywords
- key
- relay
- path
- derivative
- pool
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 48
- 238000004364 calculation method Methods 0.000 claims abstract description 13
- 238000004891 communication Methods 0.000 claims description 25
- 238000009826 distribution Methods 0.000 claims description 16
- 230000009467 reduction Effects 0.000 claims description 15
- 150000003839 salts Chemical class 0.000 claims description 15
- 238000004422 calculation algorithm Methods 0.000 claims description 14
- 230000007246 mechanism Effects 0.000 claims description 11
- 230000001960 triggered effect Effects 0.000 description 5
- 230000005540 biological transmission Effects 0.000 description 4
- 238000009795 derivation Methods 0.000 description 4
- 230000032683 aging Effects 0.000 description 3
- 238000005336 cracking Methods 0.000 description 3
- 230000010287 polarization Effects 0.000 description 3
- 230000008569 process Effects 0.000 description 3
- 238000003860 storage Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 239000000463 material Substances 0.000 description 2
- 238000005259 measurement Methods 0.000 description 2
- 230000005610 quantum mechanics Effects 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- 241000533950 Leucojum Species 0.000 description 1
- 230000015556 catabolic process Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000006731 degradation reaction Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000018109 developmental process Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000003203 everyday effect Effects 0.000 description 1
- 238000001914 filtration Methods 0.000 description 1
- 239000003999 initiator Substances 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 230000014759 maintenance of location Effects 0.000 description 1
- 238000000691 measurement method Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000002360 preparation method Methods 0.000 description 1
- 238000000926 separation method Methods 0.000 description 1
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a dynamic routing method, a device and a system for key relay of a quantum cryptography network, wherein the method comprises the steps of inquiring all reachable key relay paths in the quantum cryptography network; each relay node on the key relay path is selected to generate a derived key pool for the service distributed to the key relay path; calculating the path weight of each relay node of each key relay path according to the number of derivative key pools generated by each relay node on each key relay path and the key generation speed; determining an optimal key relay path according to the maximum path weight and the number of relay nodes on each key relay path; the invention solves the key generation rate bottleneck problem of the key relay, and the route calculation method is simple, thereby improving concurrency performance.
Description
Technical Field
The invention relates to the technical field of quantum communication, in particular to a method, a device and a system for dynamic routing of a quantum cryptography network key relay.
Background
Quantum communication is a novel interdisciplinary developed in the last twenty years, and is a novel research field combining quantum theory and information theory. Physically, quantum communication can be understood as high performance communication realized by quantum effects under physical limits. In informatics, quantum communication is considered to be the information transfer between two places by utilizing the basic principles of quantum mechanics (such as the quantum state unclonable principle, the measurement collapse property of the quantum state and the like) or utilizing the special properties of quantum systems such as quantum state invisible transmission and the like and a quantum measurement method. The quantum communication has the characteristics of unconditional safety, high efficiency and the like, so that the revolutionary development is brought to the information safety, and the quantum communication is a main research direction of the current data secret transmission.
Quantum cryptography based on quantum key distribution (Quantum key distribution, QKD) protocols is one of the most important practical applications of quantum communications at the present stage. Traditional cryptography is a cipher system based on mathematics, while quantum cryptography is based on quantum mechanics, and the security is established on the basis of the physical characteristics of inaccuracy measurement principle, quantum unclonability, quantum coherence and the like, and proved to be absolutely safe, so that the quantum cryptography attracts high importance in academia.
The quantum cryptography network is a secure communication network adopting quantum cryptography technology, and is constructed by a classical communication network and a quantum key distribution network. The quantum key distribution network mainly comprises quantum key distribution terminal equipment and a quantum link and is used for distributing keys. Classical communication networks use quantum keys to achieve encryption and decryption of data and transmission of encrypted data. A quantum cipher network node is generally composed of a classical communication terminal connected with a classical communication network and a quantum key distribution equipment terminal connected with a quantum communication network, and the network node of the quantum cipher network is generally divided into two types of terminal nodes and relay nodes. Due to the limitation of the maximum quantum communication distance and the consideration of network construction cost, direct quantum links between a plurality of terminals do not exist, direct distribution of quantum keys cannot be realized, and encrypted communication data between the terminals need to be forwarded by means of relay nodes.
The quantum cryptography network with larger scale can have a large number of relay nodes, encrypted communication data among terminal nodes can be transferred by one or a plurality of relay nodes, and different optional relay nodes can be used for data transfer. How to select relay nodes through which communication data of any two nodes in the quantum cryptography network pass in sequence from an initial node to a destination node is called quantum cryptography network routing.
In the related art, patent application publication No. CN103001875a discloses a complete solution of quantum cryptography network routing, in which a next hop route of communication data of a destination relay node for any other relay node needs to be calculated and determined according to a weighted shortest path rule, and a weight of the next hop route is a key amount on a path, that is, a path with a larger key amount is a next hop of the route under the shortest path rule. Patent application publication number CN109962774a discloses a dynamic routing method for a quantum cryptographic network key relay, in which, in the routing method, the path weight of the relay path is related to the quantum key supply and demand on the path, and complex poisson distribution is needed to be utilized, and the calculation mode of the routing weight is complex. The route establishment method proposed in the publication CN116418492a requires attention to the amount of keys remaining to be relayed, and is complex in calculation.
In fact, the amount of keys on a path does not truly reflect how much the present path needs to meet data routing encryption in the next routing cycle, because whether the existing amount of keys on the path is sufficient is related to not only the amount of keys, but also the speed of key consumption of the present path. None of the above mentioned related art considers the problem of low remote QKD relay-to-bit rate and the situation where the key generation speed is less than the key consumption speed and cannot meet the traffic concurrency requirement, for example: over a distance of about one hundred kilometers, the QKD key bit rate based on BB84 protocol is only about 1 Kbps, the QKD bit rate is low and is determined by physical principle, and the QKD key negotiation is performed through a series of operations of photon polarization state preparation, transmission, polarization state filtering, detection, polarization state consistency check, key block parity check and the like, so that the complex process can further reduce the QKD bit rate.
In addition, the complex route calculation algorithm has the problem of performance degradation caused by key relay resource competition under a high concurrency scene.
Disclosure of Invention
The invention aims to solve the technical problem of how to solve the key generation rate bottleneck problem of key relay.
The invention solves the technical problems by the following technical means:
in a first aspect, the present invention provides a method for dynamic routing of a quantum cryptography network key relay, the method comprising:
inquiring all reachable key relay paths in the quantum cryptography network;
each relay node on the key relay path is selected to generate a derived key pool for tasks distributed to the key relay path;
calculating the path weight of each relay node of each key relay path according to the number of derivative key pools generated by each relay node on each key relay path and the key generation speed;
and determining an optimal key relay path according to the maximum path weight value and the number of relay nodes on each key relay path.
Further, the querying all reachable key relay paths in the quantum cryptography network includes:
inquiring information of a QKD node to which a local service system belongs and a QKD node to which a peer service system belongs from a password management service platform;
and receiving the information of the QKD node to which the local end service system belongs and the information of the QKD node to which the opposite end service system belongs, which are returned by the password management service platform, and inquiring all reachable key relay paths in the quantum password network to a QKDN controller through a key manager corresponding to the QKD node to which the local end service system belongs.
Further, each relay node on the selected key relay path generates a derived key pool for the task allocated to the key relay path, including:
the local terminal service system generates a globally unique service identifier businessId, and each relay node on the key relay path is selected to generate a derivative key pool related to the businessId in an initializing mode;
at least 1 derived key pool is allocated for traffic allocated to the current key relay path.
Further, the derived key pools between different services are isolated from each other.
Further, the method further comprises:
expanding the capacity of the derived key pool according to the capacity expansion triggering condition of the derived key pool;
the capacity expansion triggering condition is when the key consumption speed of the service reaches a% of the key generation speed, or when the stock key of the derived key pool is lower than a threshold value, or when the used derived key pool reaches b% of the total derived key pool.
Further, the method further comprises:
carrying out capacity reduction on the derivative key pool according to the capacity reduction triggering condition of the derivative key pool;
the capacity reduction triggering condition is when the consumed key speed of continuous m time window services is lower than c% of the key generation speed, or when the used derivative key pool is lower than d% of the total derivative key pool.
Further, the derived key pool is a first-in first-out queue FIFO structure having a maximum length.
Further, the method further comprises:
generating a derivative key by adopting a PBKDF2 algorithm;
and adding the set number n of the derivative keys into the derivative key pool by adopting a batch enqueuing mode, removing n original derivative keys in the derivative key pool as historical derivative keys, and updating keys in the derivative key pool.
Further, the calculation formula for generating the derivative key by adopting the PBKDF2 algorithm is as follows:
key=PBKDF2(password,salt,iterations-count,hash-function,derived-key-len)
wherein, the password is a password/password; salt is a cryptographically secure pseudorandom number group; the iteration-count is the iteration number; hash-function is a hash function for HMAC; the derived-key-len is the derived key length; PBKDF2 () is the operation of PBKDF 2; key is a derivative key.
Further, adopting a random key in a main key pool generated by QKD relay as the password;
by usingAs the salt;
taking a service key pool number as the interfaces-count, and taking an SM3 algorithm as the hash-function;
the determined-key-len takes a value of 128.
Further, when the service calls the derivative key concurrently, the method further comprises:
carrying out Hash according to the service identification to distribute the derivative key to a derivative key pool corresponding to the service;
and (3) adopting a CAS (control and access system) unlocking mechanism to carry out concurrent call on the derivative key pool corresponding to the same service.
Further, the concurrent calling of the derivative key pool corresponding to the same service by adopting the CAS lock-free mechanism includes:
a unique sequence number is allocated to the same derived key pool, and the service number +1 corresponding to the service passing through the CAS (CAS) non-lock mechanism is allocated;
and transmitting the service number, the derived key pool number and the key number of the derived key pool as parameters to a QKD relay/negotiation opposite-end service system to perform derived key relay.
Further, when updating the key in the derived key pool, the CAS number is +n, and the n shifted-out historical derived keys are reserved for a set period of time.
Further, the calculating the path weight of each relay node of each key relay path according to the number of the derived key pools generated by each relay node on each key relay path and the key generation speed includes:
the path weight of each relay node is calculated based on the sliding window as follows: the number of derived key pools generated by the relay node/key generation speed.
Further, when the relay node does not derive the key, the number of derived key pools corresponding to the relay node is set to 1.
Further, the determining an optimal key relay path according to the maximum path weight and the number of relay nodes on each key relay path includes:
according to the maximum path weight and the number of relay nodes on each key relay path, calculating the weight P=the number of relay nodes of the corresponding key relay pathλw, λ is the empirical value of the control weight ratio, w is the maximum path weight on the key relay path, +.>Is a multiplied symbol;
and determining the key relay path with the minimum weight P value as the optimal key relay path.
In a second aspect, the present invention further provides a quantum cryptography network key relay dynamic routing device, where the device includes:
the relay path inquiry module is used for inquiring all reachable key relay paths in the quantum cryptography network;
the deriving module is used for selecting each relay node on the key relay path to generate a deriving key pool for the task distributed on the key relay path;
the path weight calculation module is used for calculating the path weight of each relay node of each key relay path according to the number of derivative key pools generated by each relay node on each key relay path and the key generation speed;
and the path determining module is used for determining the optimal key relay path according to the maximum path weight and the number of relay nodes on each key relay path.
In a third aspect, the present invention provides a quantum cryptography network key relay dynamic routing system, where the system includes a quantum key distribution network, a key manager, a QKDN controller, a key management system, and a cryptographic management service platform, where the cryptographic management service platform is connected to a service communication terminal, and the service communication terminal is configured to execute the quantum cryptography network key relay dynamic routing method as described above.
The invention has the advantages that:
(1) According to the invention, the derivative key pool is generated for the task distributed to the key relay path by utilizing the relay node on the key relay path, the path weight of each relay node of each key relay path is calculated by utilizing the number of the derivative key pools generated by the relay node and the key generation speed, so that the optimal key relay path is determined, the routing calculation method is simple, the performance is higher, different services use independent key pools, the problem that a plurality of services share one key pool for concurrent locking is not required to be considered, the key generation speed bottleneck problem of the key relay is solved, the routing calculation method is simple, and the concurrent performance is improved.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
Fig. 1 is a schematic flow chart of a dynamic routing method for key relay in a quantum cryptography network according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a dynamic routing device for quantum cryptography network key relay according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a dynamic routing system for quantum cryptography network key relay according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly and completely described in the following in conjunction with the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, a first embodiment of the present invention discloses a method for dynamic routing of a quantum cryptography network key relay, the method comprising the steps of:
s10, inquiring all reachable key relay paths in the quantum cryptography network;
s20, each relay node on the key relay path is selected to generate a derived key pool for tasks distributed to the key relay path;
s30, calculating the path weight of each relay node of each key relay path according to the number of derivative key pools generated by each relay node on each key relay path and the key generation speed;
and S40, determining the optimal key relay path according to the maximum path weight and the number of relay nodes on each key relay path.
It should be noted that, in this embodiment, a derivative key pool is generated for a task allocated to a key relay path by using a relay node on the key relay path, and the path weight of each relay node in each key relay path is calculated by using the number of derivative key pools generated by the relay nodes and the key generation speed, so as to determine an optimal key relay path, break through the key rate bottleneck of QKD relay by adopting the derivative key pool, and solve the key generation rate bottleneck problem of key relay.
In one embodiment, the step S10: querying all reachable key relay paths in the quantum cryptography network, comprising the following steps:
s11, inquiring information of a QKD node to which a local end service system belongs and a QKD node to which an opposite end service system belongs from a password management service platform;
s12, receiving information of the QKD node of the local end service system and information of the QKD node of the opposite end service system returned by the password management service platform, and inquiring all reachable key relay paths in the quantum password network to a QKDN controller through a key manager corresponding to the QKD node of the local end service system.
Specifically, if the service system a is used as a service initiation direction password management service platform (CMSP) to query QKD node information of the node (starting point) and the opposite service system B (end point); the service system A carries the information of the starting point and the end point of the quantum key network route and inquires the QKDN controller about all the reachable key relay paths in the quantum key network through a Key Manager (KM) corresponding to the node.
In one embodiment, the step S20: each relay node on the key relay path is selected to generate a derived key pool for tasks distributed on the key relay path, and the method comprises the following steps:
s21, a local terminal service system generates a globally unique service identifier businessId, and each relay node on the key relay path is selected to generate a derivative key pool related to the businessId in an initializing mode;
s22, at least 1 derivative key pool is allocated for the service allocated to the current key relay path.
Specifically, the local service system, i.e. the service initiator, generates a globally unique service identifier bussinessId, the bussinessId generates a unique id of 64-bit bits according to a snowflake algorithm, the id is of a long type, the highest 1-bit fixed value 0 of the service identifier, the 41-bit storage millisecond-level timestamp, the 12-bit relay node code comprising a 6-bit initial node and a 6-bit end point, the 6-bit storage machine code workerId (the datacentrerid is consistent with the initial node and omitted), and the last 4-bit storage serial number; at the same millisecond time stamp, distinguished by this incremented sequence number, the relay link does not need to be re-established every time key agreement is made, and hence the concurrency requirement is not as high
In one embodiment, each relay node on the selected key relay link initiates generation of a pool of derived keys associated with the businessId(typically n.gtoreq.3) derived key pools, at least 1 derived key pool is allocated to the traffic allocated to the current key relay path, and the derived key pools between the traffic are isolated from each other.
In an embodiment, the method further comprises the steps of:
expanding the capacity of the derived key pool according to the capacity expansion triggering condition of the derived key pool;
the capacity expansion triggering condition is when the key consumption speed of the service reaches a% of the key generation speed, or when the stock key of the derived key pool is lower than a threshold value, or when the used derived key pool reaches b% of the total derived key pool.
Specifically, when the key consumption speed of the service reaches 75% of the key generation speed, the expansion of the derivative key pool of 2 times is triggered, or when the stock key of the derivative key pool is lower than a threshold (such as 10% of the maximum length of the derivative key pool), the expansion of the 2 times of the total derivative key pool is triggered, and when the used derivative key pool reaches 80% of the total derivative key pool, the expansion of the 2 times of the total derivative key pool is triggered. According to the embodiment, the concurrent capacity is improved by expanding the derived key pool, so that resources are allocated in advance to prevent waiting for key derivation when the service is used.
In an embodiment, the method further comprises the steps of:
carrying out capacity reduction on the derivative key pool according to the capacity reduction triggering condition of the derivative key pool;
the capacity reduction triggering condition is when the consumed key speed of continuous m time window services is lower than c% of the key generation speed, or when the used derivative key pool is lower than d% of the total derivative key pool.
Specifically, when the consumed key speed of continuous m (m is a tested value and the value is 3-5) time window services is lower than 25% of the key generation speed, the capacity reduction of 2 times is triggered, when the used derivative key pool is lower than 20% of the total derivative key pool, the capacity reduction of 2 times of the total derivative key pool is triggered, resources are released, and the cost is reduced.
In one embodiment, the derived key pool is a first-in first-out queue FIFO structure having a maximum length.
Specifically, in this embodiment, the derived key pool is in a FIFO (first-in first-out queue) structure with a maximum length of 40k (40960) keys, when the derived key pool reaches the maximum length, a new derived key is added to the tail of the queue, the derived key at the head of the queue is discarded, if the maximum length of the derived key pool is too long, the residence time of the derived key is longer, the risk of being broken by violence exists, and if the maximum length is too short, the situation that the derived key pool is frequently expanded or the service request key is used to wait for QKD key negotiation exists, so that the maximum length in the derived key pool generally adopts the key generation amount of the master key pool within 5-10 s.
In this embodiment, the derived key pool has a maximum length FIFO structure, and a reasonable maximum length can protect the aging of the derived key and prevent brute force cracking.
In an embodiment, the method further comprises updating keys in the derived key pool, comprising the steps of:
generating a derivative key by adopting a PBKDF2 algorithm;
and adding the set number n of the derivative keys into the derivative key pool by adopting a batch enqueuing mode, removing n original derivative keys in the derivative key pool as historical derivative keys, and updating keys in the derivative key pool.
Specifically, as the master key pool of key negotiation for QKD key relay continuously negotiates to generate new keys, the derivative key pool updates keys in a batch enqueuing manner, adding 4k (4096) derivative keys at the tail of FIFO queue once, and discarding the 4k (4096) derivative keys at the head of the queue, where n can be 4096.
In an embodiment, the calculation formula for generating the derivative key by adopting the PBKDF2 algorithm is as follows:
key=PBKDF2(password,salt,iterations-count,hash-function,derived-key-len)
wherein, the password is a password/password; salt is a cryptographically secure pseudorandom number group; the iteration-count is the iteration number; hash-function is a hash function for HMAC; the derived-key-len is the derived key length; PBKDF2 () is the operation of PBKDF 2; key is a derivative key.
In one embodiment, a random key in a master key pool generated by QKD relay is used as the password;
by usingAs a means ofThe salt can increase randomness;
taking a service key pool number as the interfaces-count, and taking SM3 as the hash-function;
the determined-key-len takes a value of 128.
It should be noted that, the PBKDF2 (Password-Based Key Derivation Function) algorithm is a simple key derivation algorithm, and has higher key generation efficiency under the condition of lower iteration times, so as to meet the requirement of high concurrence service scenarios. And because the trusted relay node is an independent physical machine, the cloud-like shared computing problem does not exist, and the QKD network between the nodes is different from a classical channel, so that the threat caused by memory-timing side channel attacks (side-channel attacks) can be avoided.
In addition, because the password derived from the key is a true random number, the salt value is related to the service, the derived keys of different services are isolated, the salt value and the password are subjected to exclusive or, so that the randomness of the salt is ensured, meanwhile, the key relay process is one-time pad and abandoned after use, and the derived key pool adopts a queue structure with a FIFO (first in first out) of maximum length and has aging limitation, even if the key is subjected to ASIC (application specific integrated circuit) attack (ASIC-resistance) or FPGA (field programmable gate array) attack (FPGA-resistance), on one hand, the aging of the GPU brute force cracking can not meet the attack requirement, on the other hand, the final negotiation key can be obtained only by brute force cracking the derived keys of the whole relay link, and the exposure of the derived keys among the single nodes does not influence the overall security.
In an embodiment, when the service concurrently invokes the derived key, the method further comprises the steps of:
carrying out Hash according to the service identification to distribute the derivative key to a derivative key pool corresponding to the service;
and (3) adopting a CAS (control and access system) unlocking mechanism to carry out concurrent call on the derivative key pool corresponding to the same service.
In the embodiment, when the service concurrently calls the derivative keys, hash is performed according to the unique service identifier to be distributed to the derivative key pool corresponding to the service, the same service derivative key pool adopts a CAS (Compare And Swap) lock-free mode when the service is concurrently called, the key calling efficiency is accelerated by adopting a key negotiation and key use separation mode, and the CAS lock-free mode is adopted when the service is called to improve the concurrency efficiency.
In an embodiment, the performing, by using the CAS lock-free mechanism, a concurrent call to the derivative key pool corresponding to the same service includes:
a unique sequence number is allocated to the same derived key pool, and the service number +1 corresponding to the service passing through the CAS (CAS) non-lock mechanism is allocated;
and transmitting the service number, the derived key pool number and the key number of the derived key pool as parameters to a QKD relay/negotiation opposite-end service system to perform derived key relay.
It should be noted that, in this embodiment, a unique sequence number is allocated to the same derivative key pool, the service obtains the number +1 through CAS, and uses the service number, the derivative key pool number, and the key number of the derivative key pool as parameters to be transferred to the opposite end of QKD relay/negotiation, so as to avoid the confusion of the sequence of derivative key call.
In one embodiment, when updating the keys in the derived key pool, CAS number +n, and keep n historical derived key set durations of the shifts out.
In this embodiment, CAS number +4096 is reset every day when the derivative key is updated in bulk, in order to prevent the derivative key from relaying in the derivative key bulk updating process, 4096 historical derivative keys are temporarily reserved.
It should be noted that, the retention time of the historical derivative key is related to the key generation speed, the generation time of 4096 keys is generally not more than 5s, and if the generation speed is particularly slow, the generation time is not more than 10s at maximum for safety.
In one embodiment, the step S30: according to the number of derivative key pools generated by each relay node on each key relay path and the key generation speed, calculating the path weight of each relay node of each key relay path, comprising the following steps:
the path weight of each relay node is calculated based on the sliding window as follows: the number of derived key pools generated by the relay node/key generation speed.
It should be noted that, if there are multiple relay paths, path weights of all relay nodes on the key relay path are calculated based on a sliding window: the smaller the weight, the shorter the path is, the number of derived key pools/key generation speed.
Further, if the relay node does not make any key derivation, the number of the derived key pool is set to 1.
In one embodiment, the step S40: according to the maximum path weight and the number of relay nodes on each key relay path, determining an optimal key relay path, comprising the following steps:
s41, calculating the weight P=the number of relay nodes of the corresponding key relay path according to the maximum path weight and the number of relay nodes on each key relay pathλw, λ is the empirical value of the control weight ratio, w is the maximum path weight on the key relay path, +.>Is a multiplied symbol;
s42, determining the key relay path with the minimum weight P value as the optimal key relay path.
It should be noted that, according to the barrel effect, the maximum weight w in each path is found, the weight P of each key relay path is calculated, the smaller P represents the better the path, and the optimal path with the minimum P value is selected.
As shown in fig. 2, a second embodiment of the present invention discloses a quantum cryptography network key relay dynamic routing device, which includes:
the relay path inquiring module 10 is used for inquiring all the reachable key relay paths in the quantum cryptography network;
a deriving module 20, configured to select each relay node on the key relay path to generate a derived key pool for a task allocated to the key relay path;
the path weight calculation module 30 is configured to calculate a path weight of each relay node in each key relay path according to the number of derivative key pools generated by each relay node in each key relay path and the key generation speed;
the path determining module 40 is configured to determine an optimal key relay path according to the maximum path weight and the number of relay nodes on each key relay path.
In an embodiment, the relay path query module 10 is specifically configured to:
inquiring information of a QKD node to which a local service system belongs and a QKD node to which a peer service system belongs from a password management service platform;
and receiving the information of the QKD node to which the local end service system belongs and the information of the QKD node to which the opposite end service system belongs, which are returned by the password management service platform, and inquiring all reachable key relay paths in the quantum password network to a QKDN controller through a key manager corresponding to the QKD node to which the local end service system belongs.
In one embodiment, the deriving module 20 includes:
the initialization unit is used for generating a globally unique service identifier businessId by the local service system, and initializing and generating a derivative key pool related to the businessId by selecting each relay node on the key relay path;
an allocation unit, configured to allocate at least 1 derivative key pool for the service allocated to the current key relay path.
In one embodiment, the derived key pools between different services are isolated from each other.
In an embodiment, the apparatus further includes a capacity expansion module, specifically configured to:
expanding the capacity of the derived key pool according to the capacity expansion triggering condition of the derived key pool;
the capacity expansion triggering condition is when the key consumption speed of the service reaches a% of the key generation speed, or when the stock key of the derived key pool is lower than a threshold value, or when the used derived key pool reaches b% of the total derived key pool.
In an embodiment, the device further comprises a capacity reduction module, specifically configured to:
carrying out capacity reduction on the derivative key pool according to the capacity reduction triggering condition of the derivative key pool;
the capacity reduction triggering condition is when the consumed key speed of continuous m time window services is lower than c% of the key generation speed, or when the used derivative key pool is lower than d% of the total derivative key pool.
In one embodiment, the derived key pool is a first-in first-out queue FIFO structure having a maximum length.
In an embodiment, the apparatus further includes a key update module, specifically configured to:
generating a derivative key by adopting a PBKDF2 algorithm;
and adding the set number n of the derivative keys into the derivative key pool by adopting a batch enqueuing mode, removing n original derivative keys in the derivative key pool as historical derivative keys, and updating keys in the derivative key pool.
In an embodiment, the calculation formula for generating the derivative key by adopting the PBKDF2 algorithm is as follows:
key=PBKDF2(password,salt,iterations-count,hash-function,derived-key-len)
wherein, the password is a password or a password; salt is a cryptographically secure pseudorandom number group; the iteration-count is the iteration number; hash-function is a hash function for HMAC; the derived-key-len is the derived key length; PBKDF2 () is the operation of PBKDF 2; key is a derivative key.
In one embodiment, a random key in a master key pool generated by QKD relay is used as the password;
by usingAs the salt;
taking a service key pool number as the interfaces-count, and taking SM3 as the hash-function;
the determined-key-len takes a value of 128.
In an embodiment, the apparatus further comprises a key invoking module for:
a derivative key distribution unit, configured to perform Hash according to a service identifier to distribute the derivative key to a derivative key pool corresponding to a service;
and the calling unit is used for carrying out concurrent calling on the derivative key pool corresponding to the same service by adopting the CAS (control architecture) unlocking mechanism.
In an embodiment, the calling unit is specifically configured to:
a unique sequence number is allocated to the same derived key pool, and the service number +1 corresponding to the service passing through the CAS (CAS) non-lock mechanism is allocated;
and transmitting the service number, the derived key pool number and the key number of the derived key pool as parameters to a QKD relay/negotiation opposite-end service system to perform derived key relay.
In one embodiment, when updating the keys in the derived key pool, CAS number +n, and keep n historical derived key set durations of the shifts out.
In an embodiment, the path weight calculation module 30 is configured to calculate, based on a sliding window, a path weight of each relay node as follows: the number of derived key pools generated by the relay node/key generation speed.
In an embodiment, when the relay node does not derive the key, the number of derived key pools corresponding to the relay node is set to 1.
In one embodiment, the path determination module 40 includes:
a weight calculating unit, configured to calculate a weight p=number of relay nodes of the corresponding key relay path according to the maximum path weight and the number of relay nodes on each key relay pathλw, λ is the empirical value of the control weight ratio, w is the maximum path weight on the key relay path, +.>Is a multiplied symbol;
and the path determining unit is used for determining the key relay path with the minimum weight P value as the optimal key relay path.
It should be noted that, other embodiments of the quantum cryptography network key relay dynamic routing device or the implementation method thereof may refer to the above method embodiments, and are not repeated here.
As shown in fig. 3, a third embodiment of the present invention discloses a dynamic routing system for a quantum cryptographic network key relay, where the system includes a quantum key distribution network, a key manager, a QKDN controller, a key management system and a cryptographic management service platform, where the quantum key distribution network is connected to the key management system through the key manager, the key manager is connected to the QKDN controller, and the cryptographic management service platform is connected to a service communication terminal, where the service communication terminal is configured to execute the dynamic routing method for a quantum cryptographic network key relay described in the first embodiment above.
Specifically, the quantum key distribution module (QKD) is configured to implement quantum key distribution with the connected node quantum key distribution module, so that both parties obtain a key pair.
The Key Manager (KM) is responsible for receiving and managing keys generated by the QKD, relaying the keys and providing the keys to applications requiring cryptography.
QKDN controllers are responsible for controlling the various resources of the QKD network to ensure safe, stable, efficient, robust operation of the QKD network.
The Key Management System (KMS) is used for creating and managing keys, protecting confidentiality, integrity and availability of the keys and meeting the key management requirements of applications and businesses.
The password management service platform (CMSP) is used for routing control, resource scheduling, etc. of a Key Management System (KMS).
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.
Claims (18)
1. A quantum cryptography network key relay dynamic routing method, the method comprising:
inquiring all reachable key relay paths in the quantum cryptography network;
each relay node on the key relay path is selected to generate a derived key pool for the service distributed to the key relay path;
calculating the path weight of each relay node of each key relay path according to the number of derivative key pools generated by each relay node on each key relay path and the key generation speed;
and determining an optimal key relay path according to the maximum path weight value and the number of relay nodes on each key relay path.
2. The quantum cryptography network key relay dynamic routing method of claim 1, wherein querying all reachable key relay paths in the quantum cryptography network comprises:
inquiring information of a QKD node to which a local service system belongs and a QKD node to which a peer service system belongs from a password management service platform;
and receiving the information of the QKD node to which the local end service system belongs and the information of the QKD node to which the opposite end service system belongs, which are returned by the password management service platform, and inquiring all reachable key relay paths in the quantum password network to a QKDN controller through a key manager corresponding to the QKD node to which the local end service system belongs.
3. The method of claim 1, wherein each relay node on the selected key relay path generates a derived key pool for traffic allocated on the key relay path, comprising:
the local terminal service system generates a globally unique service identifier businessId, and each relay node on the key relay path is selected to generate a derivative key pool related to the businessId in an initializing mode;
at least 1 derived key pool is allocated for traffic allocated to the current key relay path.
4. A quantum cryptography network key relay dynamic routing method of claim 3 wherein the pools of derivative keys between different services are isolated from each other.
5. The quantum cryptography network key relay dynamic routing method of claim 1, further comprising:
expanding the capacity of the derived key pool according to the capacity expansion triggering condition of the derived key pool;
the capacity expansion triggering condition is when the key consumption speed of the service reaches a% of the key generation speed, or when the stock key of the derived key pool is lower than a threshold value, or when the used derived key pool reaches b% of the total derived key pool.
6. The quantum cryptography network key relay dynamic routing method of claim 1, further comprising:
carrying out capacity reduction on the derivative key pool according to the capacity reduction triggering condition of the derivative key pool;
the capacity reduction triggering condition is when the consumed key speed of continuous m time window services is lower than c% of the key generation speed, or when the used derivative key pool is lower than d% of the total derivative key pool.
7. The method of claim 1, wherein the derived key pool is a FIFO structure having a maximum length.
8. The quantum cryptography network key relay dynamic routing method of claim 1, further comprising:
generating a derivative key by adopting a PBKDF2 algorithm;
and adding the set number n of the derivative keys into the derivative key pool by adopting a batch enqueuing mode, removing n original derivative keys in the derivative key pool as historical derivative keys, and updating keys in the derivative key pool.
9. The method for dynamically routing the quantum cryptography network key relay of claim 8, wherein the calculation formula for generating the derivative key by using the PBKDF2 algorithm is as follows:
key=PBKDF2(password,salt,iterations-count,hash-function,derived-key-len)
wherein, the password is a password or a password; salt is a cryptographically secure pseudorandom number group; the iteration-count is the iteration number; hash-function is a hash function for HMAC; the derived-key-len is the derived key length; PBKDF2 () is the operation of PBKDF 2; key is a derivative key.
10. The quantum cryptography network key relay dynamic routing method of claim 9, wherein a random key in a master key pool generated by QKD relay is employed as the password;
by usingAs said salt,/->Is an exclusive or operation, | is a byte string connector;
taking a service key pool number as the interfaces-count, and taking an SM3 algorithm as the hash-function;
the determined-key-len takes a value of 128.
11. The quantum cryptography network key relay dynamic routing method of claim 1, wherein upon a traffic concurrency invocation of a derivative key, the method further comprises:
carrying out Hash according to the service identification to distribute the derivative key to a derivative key pool corresponding to the service;
and (3) adopting a CAS (control and access system) unlocking mechanism to carry out concurrent call on the derivative key pool corresponding to the same service.
12. The method for dynamically routing the quantum cryptography network key relay of claim 11, wherein the employing the CAS airless mechanism to make a concurrent call to the derivative key pool corresponding to the same service comprises:
a unique sequence number is allocated to the same derived key pool, and the service number +1 corresponding to the service passing through the CAS (CAS) non-lock mechanism is allocated;
and transmitting the service number, the derived key pool number and the key number of the derived key pool as parameters to a QKD relay or a negotiated opposite-end service system to perform the derived key relay.
13. The quantum cryptography network key relay dynamic routing method of claim 8, wherein CAS number +n is updated for keys in the derivative key pool and n history derivative key set durations of shifts are reserved.
14. The method for dynamically routing the key relay of the quantum cryptography network according to claim 1, wherein the calculating the path weight of each relay node of each key relay path according to the number of the derived key pools generated by each relay node on each key relay path and the key generation speed comprises:
the path weight of each relay node is calculated based on the sliding window as follows: the number of derived key pools generated by the relay node +..
15. The method of claim 14, wherein when the relay node does not derive the key, the number of derived key pools corresponding to the relay node is set to 1.
16. The method for dynamic routing of key relay in a quantum cryptography network of claim 1, wherein determining an optimal key relay path based on a maximum path weight and a number of relay nodes on each key relay path comprises:
according to the maximum path weight and the number of relay nodes on each key relay path, calculating the weight P=the number of relay nodes of the corresponding key relay pathλw, λ is the empirical value of the control weight ratio, w is the maximum path weight on the key relay path, +.>Is a multiplied symbol;
and determining the key relay path with the minimum weight P value as the optimal key relay path.
17. A quantum cryptography network key relay dynamic routing apparatus, the apparatus comprising:
the relay path inquiry module is used for inquiring all reachable key relay paths in the quantum cryptography network;
the deriving module is used for selecting each relay node on the key relay path to generate a deriving key pool for the service distributed on the key relay path;
the path weight calculation module is used for calculating the path weight of each relay node of each key relay path according to the number of derivative key pools generated by each relay node on each key relay path and the key generation speed;
and the path determining module is used for determining the optimal key relay path according to the maximum path weight and the number of relay nodes on each key relay path.
18. The system is characterized by comprising a quantum key distribution network, a key manager, a QKDN controller, a key management system and a password management service platform, wherein the password management service platform is connected with a service communication terminal, and the service communication terminal is used for executing the quantum password network key relay dynamic routing method according to any one of claims 1-16.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311426981.1A CN117176345B (en) | 2023-10-31 | 2023-10-31 | Quantum cryptography network key relay dynamic routing method, device and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311426981.1A CN117176345B (en) | 2023-10-31 | 2023-10-31 | Quantum cryptography network key relay dynamic routing method, device and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117176345A CN117176345A (en) | 2023-12-05 |
CN117176345B true CN117176345B (en) | 2024-01-09 |
Family
ID=88945254
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311426981.1A Active CN117176345B (en) | 2023-10-31 | 2023-10-31 | Quantum cryptography network key relay dynamic routing method, device and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117176345B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118523913B (en) * | 2024-07-23 | 2024-10-01 | 中电信量子科技有限公司 | Quantum key relay route calculation method and system |
CN118764199B (en) * | 2024-09-09 | 2024-11-08 | 易迅通科技有限公司 | Quantum key-based terminal encryption method for Internet of things |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105471576A (en) * | 2015-12-28 | 2016-04-06 | 科大国盾量子技术股份有限公司 | Quantum key relaying method, quantum terminal nodes and quantum key relaying system |
CN106850204A (en) * | 2017-02-27 | 2017-06-13 | 北京邮电大学 | Quantum key distribution method and system |
CN107147492A (en) * | 2017-06-01 | 2017-09-08 | 浙江九州量子信息技术股份有限公司 | A kind of cipher key service System and method for communicated based on multiple terminals |
CN110086713A (en) * | 2019-04-17 | 2019-08-02 | 北京邮电大学 | It is a kind of to divide domain method for routing for wide area quantum key distribution network |
CN112737776A (en) * | 2020-12-29 | 2021-04-30 | 中天通信技术有限公司 | Load balancing quantum key resource distribution method facing data center |
CN112769550A (en) * | 2020-12-29 | 2021-05-07 | 中天通信技术有限公司 | Load balancing quantum key resource distribution system facing data center |
KR20210081178A (en) * | 2019-12-23 | 2021-07-01 | 주식회사 케이티 | Method, apparatus and system for controlling quantum key relay in quantum key distribution network |
CN114006694A (en) * | 2021-09-26 | 2022-02-01 | 北京邮电大学 | Quantum key processing method and device, electronic equipment and storage medium |
CN114499842A (en) * | 2021-12-31 | 2022-05-13 | 华南师范大学 | QKD network key resource pre-allocation method based on reinforcement learning |
CN116418492A (en) * | 2021-12-30 | 2023-07-11 | 科大国盾量子技术股份有限公司 | Route establishment method, system and quantum cryptography network |
CN116418490A (en) * | 2021-12-30 | 2023-07-11 | 科大国盾量子技术股份有限公司 | Multi-path key relay method, quantum key distribution equipment and system |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112217637B (en) * | 2016-11-04 | 2024-03-15 | 华为技术有限公司 | Quantum key relay method and device based on centralized management and control network |
KR102592873B1 (en) * | 2020-07-03 | 2023-10-25 | 한국전자통신연구원 | Quantum Key Distribution Node Apparatus and Method for Quantum Key Distribution thereof |
-
2023
- 2023-10-31 CN CN202311426981.1A patent/CN117176345B/en active Active
Patent Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105471576A (en) * | 2015-12-28 | 2016-04-06 | 科大国盾量子技术股份有限公司 | Quantum key relaying method, quantum terminal nodes and quantum key relaying system |
CN106850204A (en) * | 2017-02-27 | 2017-06-13 | 北京邮电大学 | Quantum key distribution method and system |
CN107147492A (en) * | 2017-06-01 | 2017-09-08 | 浙江九州量子信息技术股份有限公司 | A kind of cipher key service System and method for communicated based on multiple terminals |
CN110086713A (en) * | 2019-04-17 | 2019-08-02 | 北京邮电大学 | It is a kind of to divide domain method for routing for wide area quantum key distribution network |
KR20210081178A (en) * | 2019-12-23 | 2021-07-01 | 주식회사 케이티 | Method, apparatus and system for controlling quantum key relay in quantum key distribution network |
CN112737776A (en) * | 2020-12-29 | 2021-04-30 | 中天通信技术有限公司 | Load balancing quantum key resource distribution method facing data center |
CN112769550A (en) * | 2020-12-29 | 2021-05-07 | 中天通信技术有限公司 | Load balancing quantum key resource distribution system facing data center |
CN114006694A (en) * | 2021-09-26 | 2022-02-01 | 北京邮电大学 | Quantum key processing method and device, electronic equipment and storage medium |
CN116418492A (en) * | 2021-12-30 | 2023-07-11 | 科大国盾量子技术股份有限公司 | Route establishment method, system and quantum cryptography network |
CN116418490A (en) * | 2021-12-30 | 2023-07-11 | 科大国盾量子技术股份有限公司 | Multi-path key relay method, quantum key distribution equipment and system |
CN114499842A (en) * | 2021-12-31 | 2022-05-13 | 华南师范大学 | QKD network key resource pre-allocation method based on reinforcement learning |
Non-Patent Citations (3)
Title |
---|
《多变量公钥密码在区块链中的应用研究与实现》;申汝平;《中国优秀硕士论文期刊》;全文 * |
基于密钥中继的广域量子密钥网络路由方案;杨超;张红旗;苏锦海;陈华城;;网络与信息安全学报(第11期);全文 * |
软件定义的量子密钥分发网络技术研究;马彰超;曹原;董凯;赵永利;;邮电设计技术(第04期);全文 * |
Also Published As
Publication number | Publication date |
---|---|
CN117176345A (en) | 2023-12-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN117176345B (en) | Quantum cryptography network key relay dynamic routing method, device and system | |
CN107689947B (en) | Data processing method and device | |
JP7353375B2 (en) | End-to-end double ratchet encryption with epoch key exchange | |
WO2016184240A1 (en) | Method for implementing data transmission and optical channel transmission device | |
US20020087708A1 (en) | Method of processing serial data,serial data processor and architecture therefore | |
CN112398651B (en) | Quantum secret communication method and device, electronic equipment and storage medium | |
Kwon et al. | Secure and efficient broadcast authentication in wireless sensor networks | |
Sule et al. | A variable length fast message authentication code for secure communication in smart grids | |
EP4060931A1 (en) | System and method for optimizing the routing of quantum key distribution (qkd) key material in a network | |
JP2022507488A (en) | Methods and architectures for protecting and managing networks of embedded systems with an optimized public key infrastructure | |
Srivastava et al. | The rabin cryptosystem & analysis in measure of Chinese Reminder Theorem | |
JP2002505550A (en) | Method and apparatus for cryptographically secure algebraic key setting protocol | |
CN113765663B (en) | Method and device for strengthening security of quantum key distribution network | |
Xing et al. | An improved secure key management scheme for LoRa system | |
KR20190079186A (en) | Method for security communication in Network Functional Virtualization and System thereof | |
Hayouni et al. | A novel energy-efficient encryption algorithm for secure data in WSNs | |
Haripriya et al. | ECC based self-certified key management scheme for mutual authentication in Internet of Things | |
Vasudevan et al. | Jigsaw-based secure data transfer over computer networks | |
Noguchi et al. | A secure secret key-sharing system for resource-constrained IoT devices using MQTT | |
CN112105019B (en) | Wireless sensor network encryption method for extracting random numbers based on physical layer service data | |
Athulya et al. | Security in mobile ad-hoc networks | |
Abraham et al. | An efficient protocol for authentication and initial shared key establishment in clustered wireless sensor networks | |
Ramotsoela et al. | Data aggregation using homomorphic encryption in wireless sensor networks | |
Ehdaie et al. | 2D hash chain robust random key distribution scheme | |
Misic et al. | Performance implications of periodic key exchanges and packet integrity overhead in an 802.15. 4 beacon enabled cluster |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |