CN117201052A - Quantum cryptography QVPN-based one-time pad energy data transmission method, storage device and intelligent terminal - Google Patents

Info

Publication number
CN117201052A
CN117201052A (application CN202211611790.8A)
Authority
CN
China
Prior art keywords
vpn gateway
communication
key
qvpn
public key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211611790.8A
Other languages
Chinese (zh)
Inventor
郭邦红
郭世贤
谢欢文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Quantum Communication Guangdong Co Ltd
Original Assignee
National Quantum Communication Guangdong Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National Quantum Communication Guangdong Co Ltd
Priority to CN202211611790.8A
Publication of CN117201052A
Legal status: Pending

Abstract

The invention discloses a quantum-cryptography-based QVPN one-time pad energy data transmission method, a storage device and an intelligent terminal. The method comprises the following steps: the communicating parties complete IKE SA negotiation and generate a shared key between the sending-end VPN gateway and the receiving-end VPN gateway; the communicating parties carry out IPSec SA negotiation; the sending-end VPN gateway encrypts the plaintext with the second public key K2 to obtain a ciphertext, generates its own digital signature, encrypts the digital signature with the first private key P1, and binds the ciphertext and the encrypted digital signature into a data packet that is sent to the receiving-end VPN gateway; after receiving the data packet, the receiving-end VPN gateway first decrypts the encrypted digital signature (with the first public key K1) and then decrypts the ciphertext (with the second private key P2), obtaining the plaintext and completing the communication. The invention applies asymmetric encryption to VPN communication and, by using different keys for encryption and decryption, further improves the security of combining quantum technology with VPN communication.

Description

Quantum cryptography QVPN-based one-time pad energy data transmission method, storage device and intelligent terminal
Technical Field
The invention relates to the technical field of quantum key distribution and optical communication, in particular to a quantum-cryptography-based QVPN one-time pad energy data transmission method.
Background
At present, quantum keys are combined with VPN communication by adding a secure QKD interface to the IPsec VPN gateway and extending the IPsec VPN with quantum-key mechanisms and options. The basic principle is as follows: a QKD security interface is added to the IPsec VPN gateway, a quantum-key access and application mechanism is added to the IPsec VPN security policy, a one-time-pad encryption option based on the quantum key is added to the IPsec encryption component, and a policy is added that preferentially uses the quantum key as the pre-shared key, as the session key of the data encryption algorithm and as the shared key of the HMAC algorithm. This fuses quantum cryptography with the IPsec protocol and raises the quantum security of identity authentication, message authentication and energy-data encryption in the IPsec VPN system.
This combination of VPN and quantum key improves the protection of information transmitted during VPN communication. However, because the quantum key is used as a shared key to encrypt information in the VPN, the sender and the receiver use the same key; if an eavesdropper obtains both the key and the ciphertext during transmission, for instance by brute force, the content currently being transmitted can be read and both communicating parties are threatened.
Therefore the prior art needs further improvement so that the combination of quantum keys and VPN communication better protects energy data in transit.
Disclosure of Invention
To solve the above technical problem, a QVPN one-time-pad key distribution method is provided that improves the security of quantum communication for energy data transmission.
In order to achieve the above purpose, the technical scheme adopted by the invention is as follows:
The quantum-cryptography-based QVPN one-time pad energy data transmission method comprises the following steps:
step 1: the communication sending end A and the communication receiving end B complete IKE SA negotiation, generating a shared key between the sending-end VPN gateway and the receiving-end VPN gateway;
step 2: the communication sending end A and the communication receiving end B carry out IPSec SA negotiation, during which a first public key K1, a first private key P1, a second public key K2 and a second private key P2 are generated, and the sending-end VPN gateway and the receiving-end VPN gateway share the first public key K1 and the second public key K2;
step 3: the sending-end VPN gateway encrypts the plaintext with the second public key K2 to obtain a ciphertext, generates its own digital signature, encrypts the digital signature with the first private key P1, and binds the ciphertext and the encrypted digital signature into a data packet that is sent to the receiving-end VPN gateway;
step 4: after receiving the data packet, the receiving-end VPN gateway decrypts the encrypted digital signature with the first public key K1; if the digital signature matches that of the communication sending end, the sender's identity is confirmed and the method proceeds to step 5, otherwise the receiving-end VPN gateway refuses the data and the method returns to step 3;
step 5: once the identity is confirmed, the receiving-end VPN gateway decrypts the ciphertext in the data packet with the second private key P2, obtains the plaintext, and the communication is complete.
Preferably, the step 1 includes the following steps:
step 1-1: the communication sending end A sends a data transmission request to the sending-end VPN gateway, which on receiving it sends a quantum key negotiation instruction to the first QKD;
step 1-2: the first QKD generates a quantum key that serves as the shared key between the sending-end VPN gateway and the receiving-end VPN gateway, completing the first-stage IKE SA negotiation.
Preferably, the step 2 includes the following steps:
step 2-1: the sending-end VPN gateway connects to a second QKD, which generates the first public key K1 and the first private key P1 using the RSA algorithm;
the receiving-end VPN gateway connects to a third QKD, which generates the second public key K2 and the second private key P2 using the RSA algorithm;
step 2-2: the sending-end VPN gateway and the receiving-end VPN gateway share the first public key K1 and the second public key K2 while each keeps its own private key, completing the second-stage IPSec SA negotiation.
Preferably, the communication sending end and the communication receiving end initiate and terminate communication requests and edit and browse communication content.
Preferably, the sending-end QVPN gateway and the receiving-end QVPN gateway perform encryption and decryption and send and receive the encrypted and decrypted information.
Preferably, the second QKD and the third QKD generate the required keys in combination with the RSA algorithm and interact with the VPN gateways.
Preferably, each public key corresponds to one private key: information encrypted with the public key is decrypted with the corresponding private key, and information encrypted with the private key is decrypted with the corresponding public key.
A storage device having stored therein a plurality of instructions adapted to be loaded by a processor and to perform the operations of the steps of any of the methods described above.
A smart terminal comprising a processor for executing instructions and a storage device for storing instructions adapted to be loaded by the processor and to perform the operations of the steps of any of the methods described above.
Beneficial effects: during energy data transmission, the invention applies asymmetric encryption to VPN communication and, by using different keys for encryption and decryption, further improves the security of combining quantum technology with VPN communication. If the ciphertext is captured while in transit between VPNs, an eavesdropper obtains only the ciphertext and a public key that cannot decrypt it, so the communicating parties are not exposed; once they learn that the channel has been compromised they discard the current keys and communicate with new keys over a new channel, which further improves communication security.
Drawings
Fig. 1 is a block diagram of the one-time-pad key distribution system based on QVPN according to the present invention.
Fig. 2 is a schematic diagram of a method for one-time pad energy data transmission based on quantum cryptography QVPN.
Fig. 3 is a flow chart of steps of a method for one-time pad energy data transmission based on quantum cryptography QVPN of the present invention.
Detailed Description
The present invention will be further described in detail with reference to the following examples, for the purpose of making the objects, technical solutions and advantages of the present invention more apparent, but the scope of the present invention is not limited to the following specific examples.
The method for one-time pad energy data transmission based on quantum cryptography QVPN is described below with reference to fig. 1.
This embodiment provides a one-time-pad key distribution method based on QVPN (Quality Virtual Private Network), applied to a QVPN-based one-time-pad key distribution system. The system comprises a communication sending end A, a communication receiving end B, a sending-end VPN gateway, a receiving-end VPN gateway, and three quantum key distribution devices: a first QKD, a second QKD and a third QKD. The communication sending end A, the sending-end VPN gateway, the receiving-end VPN gateway and the communication receiving end B are connected in sequence over a classical network; the sending-end VPN gateway is connected to the first QKD and the second QKD over a quantum network; the receiving-end VPN gateway is connected to the third QKD over a quantum network.
Specifically, as shown in fig. 1, the system can be extended to several communication sending ends and several communication receiving ends: the sending ends all connect to the sending-end VPN gateway and the receiving ends to the receiving-end VPN gateway, and one-to-one, one-to-many and many-to-many communication can be provided through the cooperation of the gateways and the protocol. This embodiment describes one-to-one communication.
In the QVPN-based one-time-pad key distribution system, when communication is required the two parties first use the shared quantum key for IKE SA negotiation. Once that completes, the sending-end VPN gateway and the receiving-end VPN gateway each negotiate with their quantum key distribution device (QKD); the sending end encrypts the plaintext and its digital signature using the generated key pairs (public and private keys), and the receiving end uses the corresponding keys to verify the digital signature and decrypt the ciphertext, finally obtaining the transmitted information.
Specifically, in combination with a one-time pad key distribution system, the method comprises the following steps:
step 1: the communication sending end A and the communication receiving end B establish an IKESA protocol, and a shared secret key between a sending end VPN gateway and a receiving end VPN gateway is generated;
the specific steps of the step 1 are as follows:
step 1-1: the communication sending end A sends a data transmission request to the sending-end VPN gateway, which on receiving it sends an instruction to the first QKD to negotiate and generate a quantum key;
step 1-2: the first QKD generates a quantum key M, the shared key between the sending-end VPN gateway and the receiving-end VPN gateway that is used to protect the transmitted information; the first-stage IKE SA negotiation is now complete.
Step 2: the communication sending end A and the communication receiving end B establish an IPSecSA negotiation process to generate a first public key K1, a first private key P1, a second public key K2 and a second private key P2, and a sending end VPN gateway and a receiving end VPN gateway share the first public key K1 and the second public key K2;
After the first-stage IKE SA negotiation is complete, the sending-end VPN gateway and the receiving-end VPN gateway further negotiate to establish an IPSec SA on top of the IKE SA, and agree that the IPSec transmission will use the keys generated by the QKDs in combination with the RSA algorithm.
Specifically, the detailed steps of step 2 are as follows:
step 2-1: the sending-end VPN gateway connects to a second QKD, which generates the first public key K1 and the first private key P1 using the RSA algorithm;
the receiving-end VPN gateway connects to a third QKD, which generates the second public key K2 and the second private key P2 using the RSA (public-key cryptography) algorithm;
step 2-2: the sending-end VPN gateway and the receiving-end VPN gateway share the first public key K1 and the second public key K2 while each keeps its own private key, completing the second-stage IPSec SA negotiation.
Step 3: the sending end VPN gateway encrypts a plaintext by using a second public key K2 to obtain a ciphertext, generates a self digital signature, encrypts the digital signature by using a first private key P1, and binds the ciphertext and the encrypted digital signature to generate a data packet to be sent to the receiving end VPN gateway;
step 4: after receiving the data packet, the receiving-end VPN gateway first verifies the sender's identity: it decrypts the encrypted digital signature with the first public key K1, and if the digital signature matches that of the communication sending end the identity is confirmed and the method proceeds to step 5;
otherwise it refuses the data and the method returns to step 3;
step 5: once the identity is confirmed, the receiving-end VPN gateway decrypts the ciphertext in the data packet with the second private key P2, obtains the plaintext, and the communication is complete.
In this embodiment, when the information transfer between the two parties is complete, when a fault occurs during the communication, when an attack is encountered, or when either party requests that the communication be interrupted, the system discards all keys currently in use and generates new keys when the next communication request arrives. This is the sense in which the invention realizes one-time pad: the keys are regenerated for every session and never reused, not a Vernam cipher whose key is as long as the message.
Preferably, the communication sending end and the communication receiving end are used for initiating and terminating communication requirements and editing and browsing communication information.
Preferably, the sending-end QVPN gateway and the receiving-end QVPN gateway perform encryption and decryption and send and receive the encrypted and decrypted information.
Preferably, the second QKD and the third QKD are responsible for generating the required quantum keys in conjunction with the RSA algorithm and interacting with the VPN gateway.
Preferably, a public-key (asymmetric) encryption algorithm is used. Its keys are generated and used in pairs: the public key and the private key correspond to each other, information encrypted with the public key is decrypted with the corresponding private key, and information encrypted with the private key is decrypted with the corresponding public key. In this embodiment, information encrypted with the second public key K2 is decrypted with the second private key P2, and the digital signature encrypted with the first private key P1 is decrypted with the corresponding first public key K1; encrypting with a private key and decrypting with the matching public key is the RSA signing and verification operation.
The specific workflow of the scheme is as follows:
When the QVPN-based one-time pad system starts, the communication sending end A holds the information to be transferred. It sends a data stream that triggers the IKE process to the communication receiving end B and a data transmission request to the sending-end VPN gateway. The sending-end VPN gateway negotiates with the first QKD, which generates a quantum key used as the shared key in the IKE SA negotiation. Once the IKE SA is established, an IPSec SA is negotiated on top of it, with the agreement that the IPSec transmission uses the keys generated by the second QKD and the third QKD in combination with the RSA algorithm; the sending-end VPN gateway and the receiving-end VPN gateway therefore communicate with the second QKD and the third QKD respectively.
The second QKD, in combination with the RSA algorithm, generates a key pair for the sending-end VPN gateway: the first public key K1 and the first private key P1. The third QKD, in combination with the RSA algorithm, generates a key pair for the receiving-end VPN gateway: the second public key K2 and the second private key P2. The two sides exchange and share their public keys and keep their private keys.
The sending-end VPN gateway encrypts the plaintext with the receiving end's second public key K2 to obtain the ciphertext, and encrypts the sending end's digital signature with the sending end's first private key P1 to obtain the encrypted digital signature. It binds the ciphertext and the encrypted digital signature into one data packet and sends it to the receiving-end VPN gateway. The receiving-end VPN gateway first determines whether the identity of the user who sent the packet is correct, so it first decrypts the encrypted digital signature with the sending end's first public key K1; only after the counterpart's identity is confirmed does it decrypt the ciphertext with the receiving end's second private key P2, and it finally passes the recovered plaintext to the communication receiving end. When the current transfer is complete, the communication fails, an attack is encountered, or either party requests interruption, the system discards all keys currently in use and regenerates keys for the next communication request, thereby realizing one-time pad.
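The complete flow of steps 1 to 5 and the key-discard rule above, as an added example that is not the patent's own code. Textbook RSA (no OAEP or PSS padding) is used only so that the block runs offline with the Python standard library and mirrors the patent's wording of "encrypt with the public key" and "encrypt the signature with the private key"; the `quantum_shared_key_stub`, `Gateway` and `run_session` names, the 256-bit IKE key and the meter reading are all assumptions constructed for this example, and the QKD devices are replaced by local random key generation. The signature is computed over the ciphertext, as in claim 1, so a packet altered in transit is refused at step 4 before any decryption is attempted.

```python
# Added example modelling CN117201052A steps 1-5; not the patent's code.
# Textbook RSA and a random stand-in for the QKD key are illustration only.
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keypair(bits: int = 1024):
    """Return (public, private) as ((n, e), (n, d)); stands in for the 'QKD + RSA' key source."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def quantum_shared_key_stub() -> bytes:
    """Step 1 stand-in: the 'first QKD' delivers the shared key M for the IKE SA (assumed 256 bits)."""
    return secrets.token_bytes(32)


def _digest(ciphertext: int, modulus: int) -> int:
    """SHA-256 of the ciphertext bytes as an integer; this is what the sender signs."""
    width = (modulus.bit_length() + 7) // 8
    return int.from_bytes(hashlib.sha256(ciphertext.to_bytes(width, "big")).digest(), "big")


class Gateway:
    """One QVPN gateway; it holds its private key only for the current session."""

    def __init__(self, name: str):
        self.name = name
        self.public_key = None
        self._private_key = None

    def new_session_keys(self, bits: int = 1024) -> None:
        """Step 2-1: a fresh key pair for every session (the patent's one-time policy)."""
        self.public_key, self._private_key = rsa_keypair(bits)

    def discard_keys(self) -> None:
        """After completion, fault, attack or abort: drop every current key."""
        self.public_key = self._private_key = None

    def send(self, plaintext: bytes, peer_public_key) -> dict:
        """Step 3: ciphertext = m^e2 mod n2 (K2); signature = H(ciphertext)^d1 mod n1 (P1)."""
        n2, e2 = peer_public_key
        m = int.from_bytes(plaintext, "big")
        if m >= n2:
            raise ValueError("plaintext too long for the receiver's modulus")
        ciphertext = pow(m, e2, n2)
        n1, d1 = self._private_key
        return {"ciphertext": ciphertext, "signature": pow(_digest(ciphertext, n2), d1, n1)}

    def receive(self, packet: dict, peer_public_key):
        """Steps 4-5: verify with K1 first; refuse (None) on mismatch, otherwise decrypt with P2."""
        n1, e1 = peer_public_key
        n2, d2 = self._private_key
        if pow(packet["signature"], e1, n1) != _digest(packet["ciphertext"], n2):
            return None  # step 4: sender identity not confirmed, data refused
        m = pow(packet["ciphertext"], d2, n2)
        return m.to_bytes((m.bit_length() + 7) // 8, "big")


def run_session(plaintext: bytes, bits: int = 1024) -> dict:
    """One session: key setup, transfer, a tampered copy of the packet, then key discard."""
    ike_key = quantum_shared_key_stub()  # step 1; only its size is reported here
    sender, receiver = Gateway("A-gateway"), Gateway("B-gateway")
    sender.new_session_keys(bits)        # K1 / P1 from the "second QKD"
    receiver.new_session_keys(bits)      # K2 / P2 from the "third QKD"
    k1, k2 = sender.public_key, receiver.public_key  # step 2-2: public keys exchanged
    packet = sender.send(plaintext, k2)
    recovered = receiver.receive(packet, k1)
    # An eavesdropper holding K1, K2 and the packet can only alter the ciphertext.
    forged = dict(packet, ciphertext=(packet["ciphertext"] + 1) % k2[0])
    forged_result = receiver.receive(forged, k1)
    sender.discard_keys()
    receiver.discard_keys()
    return {"plaintext": recovered, "forgery_refused": forged_result is None,
            "keys_discarded": sender.public_key is None and receiver.public_key is None,
            "ike_key_bits": len(ike_key) * 8}


if __name__ == "__main__":
    # Constructed sample meter reading, not real telemetry.
    print(run_session(b'{"meter":"SM-0042","kWh":1532.7,"ts":"2022-12-14T10:00:00Z"}'))
```

Because the plaintext is encrypted directly as one RSA integer, a message must be shorter than the receiver's modulus; a real gateway would instead use K2 to wrap a symmetric session key and encrypt the energy data with an authenticated cipher, which is the point at which the QKD key M from step 1 would also be applied.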
The invention is mainly based on the encryption mode in the energy data transmission process, but the data transmitted by the invention is not limited to the energy data, and other communication data are applicable.
A storage device having stored therein a plurality of instructions adapted to be loaded by a processor and to perform the operations of the steps of any of the methods described above.
A smart terminal comprising a processor for executing instructions and a storage device for storing instructions adapted to be loaded by the processor and to perform the operations of the steps of any of the methods described above.
Variations and modifications to the above would be obvious to persons skilled in the art to which the invention pertains from the foregoing description and teachings. Therefore, the invention is not limited to the specific embodiments disclosed and described above, but some modifications and changes of the invention should be also included in the scope of the claims of the invention. In addition, although specific terms are used in the present specification, these terms are for convenience of description only and do not constitute any limitation on the invention.

Claims (9)

1. A method for one-time pad energy data transmission based on quantum cryptography QVPN, characterized by comprising the following steps:
step 1: the communication sending end A and the communication receiving end B complete IKE SA negotiation, generating a shared key between the sending-end VPN gateway and the receiving-end VPN gateway;
step 2: the communication sending end A and the communication receiving end B carry out IPSec SA negotiation, during which a first public key K1, a first private key P1, a second public key K2 and a second private key P2 are generated, and the sending-end VPN gateway and the receiving-end VPN gateway share the first public key K1 and the second public key K2;
step 3: the sending-end VPN gateway encrypts the plaintext with the second public key K2 to obtain a ciphertext, generates a digital signature of the ciphertext, encrypts the digital signature with the first private key P1, binds the ciphertext and the encrypted digital signature into a data packet, and sends the data packet to the receiving-end VPN gateway;
step 4: after the receiving-end VPN gateway receives the data packet, it decrypts the encrypted digital signature with the first public key K1 and judges whether the digital signature matches that of the communication sending end; if so, the sender's identity is confirmed and the method proceeds to step 5, otherwise the data is refused and the method returns to step 3;
step 5: once the identity is confirmed, the receiving-end VPN gateway decrypts the ciphertext in the data packet with the second private key P2, obtains the plaintext, and the communication is complete.
2. The method for one-time pad energy data transmission based on quantum cryptography QVPN according to claim 1, wherein step 1 comprises:
step 1-1: the communication sending end A sends a data transmission request to the sending-end VPN gateway, which on receiving it sends a quantum key negotiation instruction to the first QKD;
step 1-2: the first QKD generates a quantum key that serves as the shared key between the sending-end VPN gateway and the receiving-end VPN gateway, completing the first-stage IKE SA negotiation.
3. The method for one-time pad energy data transmission based on quantum cryptography QVPN according to claim 1, wherein step 2 comprises:
step 2-1: the sending-end VPN gateway connects to a second QKD, which generates the first public key K1 and the first private key P1 using the RSA algorithm;
the receiving-end VPN gateway connects to a third QKD, which generates the second public key K2 and the second private key P2 using the RSA algorithm;
step 2-2: the sending-end VPN gateway and the receiving-end VPN gateway share the first public key K1 and the second public key K2 while each keeps its own private key, completing the second-stage IPSec SA negotiation.
4. The method for one-time pad energy data transmission based on quantum cryptography QVPN according to claim 1, wherein the communication sending end and the communication receiving end initiate and terminate communication requests and edit and browse communication content.
5. The method for one-time pad energy data transmission based on quantum cryptography QVPN according to claim 1, wherein the sending-end QVPN gateway and the receiving-end QVPN gateway perform encryption and decryption and send and receive the encrypted and decrypted information.
6. The method for one-time pad energy data transmission based on quantum cryptography QVPN according to claim 3, wherein the second QKD and the third QKD generate the required keys in combination with the RSA algorithm and interact with the VPN gateways.
7. The method for one-time pad energy data transmission based on quantum cryptography QVPN according to claim 2, wherein the public key and the private key correspond to each other, information encrypted with the public key is decrypted with the corresponding private key, and information encrypted with the private key is decrypted with the corresponding public key.
8. A storage device having stored therein a plurality of instructions adapted to be loaded by a processor and to perform the steps of the method for one-time pad energy data transmission based on quantum cryptography QVPN according to any of claims 1 to 7.
9. A smart terminal comprising a processor for executing instructions and a storage device for storing instructions, wherein the instructions are adapted to be loaded by the processor and to perform the steps of the method for one-time pad energy data transmission based on quantum cryptography QVPN according to any of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211611790.8A CN117201052A (en) 2022-12-14 2022-12-14 Quantum cryptography QVPN-based one-time pad energy data transmission method, storage device and intelligent terminal


Publications (1)

Publication Number Publication Date
CN117201052A true CN117201052A (en) 2023-12-08

Family

ID=88983879


Country Status (1)

Country Link
CN (1) CN117201052A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination