WO2016206498A1

WO2016206498A1 - First quantum node, second quantum node, secure communications architecture system, and method

Info

Publication number: WO2016206498A1
Application number: PCT/CN2016/082147
Authority: WO
Inventors: 孙翼舟; 黄兵; 江华
Original assignee: ZTE Corp
Current assignee: ZTE Corp
Priority date: 2015-06-23
Filing date: 2016-05-13
Publication date: 2016-12-29
Anticipated expiration: 2017-12-23
Also published as: CN106330434A; CN106330434B

Abstract

Disclosed are a first quantum node, a second quantum node, a secure communications network architecture system, a service key transmission method, and a routing switching method. The first quantum node is configured to negotiate with the neighboring second quantum node by using a quantum channel, to generate a quantum key pair, so as to perform encryption and decryption processing on a service key of service data of an access user according to the quantum key pair, to obtain a processed data packet. The processed data packet is transmitted to the neighboring second quantum node according to a routing protocol by using a classical channel.

Description

First quantum node, second quantum node, secure communication architecture system and method

Technical field

本发明涉及量子保密通信和通信技术领域的安全通信技术，尤其涉及一种第一量子节点、第二量子节点、安全通信网络架构系统、业务密钥传输方法及路由切换方法。The present invention relates to a secure communication technology in the field of quantum secure communication and communication technologies, and in particular, to a first quantum node, a second quantum node, a secure communication network architecture system, a service key transmission method, and a route switching method.

Background technique

传统的加密系统，不管是对称密钥还是非对称密钥，其密文的安全性完全依赖于密钥的秘密性。密钥必须是由足够长的随机二进制串组成，一旦收发双方的密钥对建立起来，通过密钥编码而成的密文就可以在公开信道上进行传送。然而为了建立密钥对，发送方与接收方必须选择一条安全可靠的通信信道，但由于截收者的存在，从技术上来说，真正的安全很难保证，而且密钥的分发总是会在合法使用者无从察觉的情况下被消极监听。The traditional encryption system, whether it is a symmetric key or an asymmetric key, its ciphertext security depends entirely on the secretity of the key. The key must be composed of a sufficiently long random binary string. Once the key pair of the transmitting and receiving parties is established, the ciphertext encoded by the key can be transmitted on the public channel. However, in order to establish a key pair, the sender and the receiver must select a secure and reliable communication channel, but due to the existence of the interceptor, technically, the real security is difficult to guarantee, and the key distribution will always be A legitimate user is passively monitored without being aware of it.

近年来，由于量子力学和密码学的结合，诞生了量子密码学，它可完成仅仅由传统数学无法完成的完善保密系统。量子密码学是在量子理论基础上提出了一种全新的安全通信系统，它利用了量子特性从物理学原理上就是不可复制的特性。对量子密码学起关键作用的是“海森堡测不准原理”和“单量子不可复制定理”，海森堡测不准原理即测量量子系统时通常会对该系统产生干扰，任何对于量子信道进行监测的努力都会以某种方式的干扰在影响信道中传输的信息，单量子不可复制定理是海森堡测不准原理的推论，它指在不知道量子状态的情况下复制单个量子是不可能的，因为要复制单个量子就只能先作测量，测量这一量子系统会对该系统产生干扰并且会产生出关于该系统测量前状态的不完整信息。因此，窃听一量子通信信道就会产生不可避免的干扰，合法的通信双方则可由此而察觉到有人在窃听。量子密码术利用这一原理，使从未见过面且事先没有共享秘密信息的通信双方建立通信密钥，然后再采用从数学上绝对安全的“一次一密”的密码通信，即可确保通信双方的秘密不泄漏。In recent years, due to the combination of quantum mechanics and cryptography, quantum cryptography has been born, which can complete a perfect security system that cannot be completed only by traditional mathematics. Quantum cryptography is a new type of secure communication system based on quantum theory. It utilizes the characteristics that quantum properties are not replicable from the physics principle. The key to quantum cryptography is the Heisenberg uncertainty principle and the single quantum non-reproducible theorem. Heisenberg's uncertainty principle is that when measuring quantum systems, it usually interferes with the system. The channel monitoring effort will interfere with the information transmitted in the channel in some way. The single quantum non-reproducible theorem is the inference of Heisenberg's uncertainty principle. It means that copying a single quantum without knowing the quantum state is Impossible, because to copy a single quantum, you can only make measurements first. Measuring this quantum system can interfere with the system and produce incomplete information about the pre-measurement state of the system. Therefore, eavesdropping on a quantum communication channel will inevitably cause interference, and legitimate communication parties can thus perceive that someone is tapping. Quantum cryptography uses this principle to establish communication keys for both parties that have never seen each other and have not shared secret information in advance, and then use mathematically absolutely secure "one-time-one-secret" cryptographic communication to ensure communication. The secrets of both parties are not leaked.

量子密码学最著名的应用是量子密钥分发(QKD)。1984年，Bennett和Brassard提出第一个量子密钥分发方案，用单光子偏振态编码，现在称之为BB84协议，迎来了量子密钥分发的新时期。1992年，Bennett又提出一种与BB84协议类似而更简单、但效率减半的方案，后称之为B92协议。基于另一种量子现象即Einstein-Podolsky-Rosen(EPR)佯谬，Ekert于1991年提出用双量子纠缠态实现量子密码术，称为EPR协议。后来也出现了不少其他协议，但都可归纳为以上三种类型。近年来，随着单光子元器件的发展，基于BB84、B92、ERP等协议的量子密钥分发技术逐渐走向实用阶段。目前量子信道有两种，即光纤信道和开发空间信道，用于传输量子比特，生成量子密钥，QKD原型系统中也有经典信道，即传统网络，用于量子密钥生成时的协议交互，以及加密后密文的传输。The most famous application of quantum cryptography is quantum key distribution (QKD). In 1984, Bennett and Brassard proposed the first quantum key distribution scheme, coded with single-photon polarization, now called the BB84 protocol, ushered in a new era of quantum key distribution. In 1992, Bennett proposed a scheme that was similar to the BB84 protocol and simpler, but halved in efficiency, which was later called the B92 protocol. Based on another quantum phenomenon, Einstein-Podolsky-Rosen (EPR), Ekert proposed in 1991 to implement quantum cryptography with a double quantum entangled state, called the EPR protocol. Later, there have been many other agreements, but they can all be classified into the above three types. In recent years, with the development of single-photon components, quantum key distribution technology based on protocols such as BB84, B92, and ERP has gradually moved to a practical stage. At present, there are two types of quantum channels, namely, fiber channel and development space channel, which are used to transmit quantum bits and generate quantum keys. The QKD prototype system also has a classic channel, that is, a traditional network, which is used for protocol interaction in quantum key generation, and The transmission of encrypted ciphertext.

1993年英国国防研究部在光纤中用相位编码的方法第一次实现了BB84-QKD方案，光纤传输长度达到了10公里。2002年，德国和英国研究机构成功利用激光在相距23.4km的两座山峰之间传输光子密钥，证实了通过开放空间特别是近地卫星传送量子密钥的可能性。2004年，美国BNN公司在马萨诸塞州剑桥城建立了世界首个量子密码通信实验网络；同年，郭光灿研究小组成功实现125km光纤点对点的量子密钥分配。2008年，欧盟组建的7节点保密通信演示验证网络试运行成功。同年，中国科学技术大学潘建伟小组在合肥市组建了首个光量子实验网，并演示了带量子保密通信的语音通话功能。In 1993, the British Defense Research Department implemented the BB84-QKD solution for the first time using phase encoding in optical fiber, and the optical fiber transmission length reached 10 kilometers. In 2002, German and British research institutes successfully used lasers to transmit photon keys between two peaks 23.4 km apart, confirming the possibility of transmitting quantum keys through open spaces, especially near-Earth satellites. In 2004, BNN of the United States established the world's first quantum cryptography communication experimental network in Cambridge, Massachusetts. In the same year, Guo Guangcan's research team successfully realized the quantum key distribution of point-to-point 125km fiber. In 2008, the 7-node secure communication demonstration verification network established by the European Union was successfully commissioned. In the same year, the Pan Jianwei team of the University of Science and Technology of China set up the first photon experimental network in Hefei, and demonstrated the voice call function with quantum secure communication.

上述现有技术方案所存在的问题是：上述这些量子密钥分发系统都是实验系统，存在诸多不足：例如，仅能在两个节点之间或者有限的的几个节点之间分发量子密钥，对于大规模部署缺乏必要的路由寻址机制；发生信道中断时缺乏必要的重路由机制。显然，要在全国范围内甚至全球范围内部署QKD网络，需要将QKD设备与传统路由交换设备结合起来，并对QKD网络进行电信级改造。The problem with the above prior art solutions is that the above-mentioned quantum key distribution systems are all experimental systems, and there are many deficiencies: for example, only between two nodes or a limited number of The distribution of quantum keys between nodes eliminates the necessary routing addressing mechanisms for large-scale deployments; the lack of necessary rerouting mechanisms occurs when channel outages occur. Obviously, to deploy QKD networks nationwide or even globally, it is necessary to combine QKD equipment with traditional routing switching equipment and carry out carrier-grade transformation of QKD networks.

发明内容Summary of the invention

有鉴于此，本发明实施例希望提供一种第一量子节点、第二量子节点、安全通信网络架构系统、业务密钥传输方法及路由切换方法，至少解决了上述现有技术存在的问题。In view of this, embodiments of the present invention are directed to provide a first quantum node, a second quantum node, a secure communication network architecture system, a service key transmission method, and a route switching method, which at least solve the above problems in the prior art.

本发明实施例的技术方案是这样实现的：The technical solution of the embodiment of the present invention is implemented as follows:

本发明实施例的一种第一量子节点，所述第一量子节点，配置为与相邻的第二量子节点通过量子信道的协商生成量子密钥对，以根据所述量子密钥对将接入用户业务数据的业务密钥进行加解密处理，得到处理后的数据包；将所述处理后的数据包按照路由协议通过经典信道传输给相邻的第二量子节点。A first quantum node according to an embodiment of the present invention, the first quantum node is configured to generate a quantum key pair by negotiation with a neighboring second quantum node through a quantum channel, to be connected according to the quantum key pair The service key of the user service data is subjected to encryption and decryption processing to obtain the processed data packet; and the processed data packet is transmitted to the adjacent second quantum node through the classical channel according to the routing protocol.

上述方案中，所述第一量子节点包括：In the above solution, the first quantum node comprises:

量子通信模块，配置为与相邻的第二量子节点中的量子通信模块通过量子信道的协商在两端分别选取相同的随机数序列，将其作为所述量子密钥对；a quantum communication module configured to select the same random number sequence at both ends of the quantum communication module in the adjacent second quantum node through negotiation of the quantum channel as the quantum key pair;

密钥管理模块，配置为存储和管理所述量子密钥对；a key management module configured to store and manage the quantum key pair;

加解密模块，配置为根据所述量子密钥对将接入用户业务数据的业务密钥进行加解密处理，得到处理后的数据包；The encryption and decryption module is configured to perform encryption and decryption processing on the service key that accesses the user service data according to the quantum key pair, to obtain the processed data packet;

接入与路由模块，配置为对用户进行接入认证通过后，获取接入用户的业务数据，将所述业务数据对应的所述业务密钥发送到所述加解密模块进行加密处理后，选择下一跳量子节点的路由路径以将经加密处理得到的第一加密数据包传输给作为下一跳量子节点的所述第二量子节点，以及将接收对端发送的经加密处理得到的第二加密数据包发送到所述加解密模块进行解密处理后返回给用户。The access and routing module is configured to obtain the service data of the access user after the access authentication is performed, and send the service key corresponding to the service data to the encryption and decryption module for encryption processing, and then select a routing path of the next hop quantum node to transmit the first encrypted data packet obtained by the encryption process to the second quantum node as a next hop quantum node, and The second encrypted data packet obtained by receiving the encrypted processing sent by the opposite end is sent to the encryption and decryption module for decryption processing, and then returned to the user.

上述方案中，所述量子通信模块，还配置为与相邻的第二量子节点中的量子通信模块通过量子信道的协商生成第一量子密钥K1，所述第二量子节点与第二量子节点相邻的下一跳量子节点协商生成第二量子密钥K2。In the above solution, the quantum communication module is further configured to generate a first quantum key K1 by negotiation with a quantum communication module in an adjacent second quantum node through a quantum channel, the second quantum node and the second quantum node. The adjacent next hop quantum node negotiates to generate a second quantum key K2.

上述方案中，所述加解密模块，还配置为根据所述第一量子密钥K1对所述业务密钥S进行加密，得到所述第一加密数据包SΛK1；In the above solution, the encryption and decryption module is further configured to encrypt the service key S according to the first quantum key K1 to obtain the first encrypted data packet SΛK1;

所述接入与路由模块，还配置为根据所述路由协议得到下一跳量子节点的路由路径，将所述SΛK1发送给作为下一跳量子节点的所述第二量子节点。The access and routing module is further configured to obtain a routing path of a next hop quantum node according to the routing protocol, and send the SΛK1 to the second quantum node that is a next hop quantum node.

所述量子通信模块、所述密钥管理模块、所述加解密模块、所述接入与路由模块在执行处理时，可以采用中央处理器(CPU，Central Processing Unit)、数字信号处理器(DSP，Digital Singnal Processor)或可编程逻辑阵列(FPGA，Field－Programmable Gate Array)实现。The quantum communication module, the key management module, the encryption and decryption module, and the access and routing module may use a central processing unit (CPU) and a digital signal processor (DSP) when performing processing. , Digital Singnal Processor) or Field-Programmable Gate Array (FPGA) implementation.

本发明实施例的一种第二量子节点，所述第二量子节点，配置为与相邻的第一量子节点或与第二量子节点相邻的下一跳量子节点通过量子信道的协商生成量子密钥对，以根据所述量子密钥对将接入用户业务数据的业务密钥进行加解密处理，得到处理后的数据包；将所述处理后的数据包按照路由协议通过经典信道传输给所述与第二量子节点相邻的下一跳量子节点。A second quantum node according to an embodiment of the present invention, the second quantum node configured to generate a quantum through negotiation of a quantum channel with an adjacent first quantum node or a next hop quantum node adjacent to the second quantum node a key pair for performing encryption and decryption processing on a service key that accesses user service data according to the quantum key pair to obtain a processed data packet; and transmitting the processed data packet to a classic channel according to a routing protocol The next hop quantum node adjacent to the second quantum node.

上述方案中，所述第二量子节点包括：In the above solution, the second quantum node comprises:

量子通信模块，配置为与相邻的第一量子节点或与第二量子节点相邻的下一跳量子节点中的量子通信模块通过量子信道的协商在两端分别选取相同的随机数序列，将其作为所述量子密钥对；The quantum communication module is configured to select the same random number sequence at both ends by the quantum channel negotiation in the quantum communication module in the next hop quantum node adjacent to the adjacent first quantum node or the second quantum node It acts as the quantum key pair;

密钥管理模块，配置为存储和管理所述量子密钥对； a key management module configured to store and manage the quantum key pair;

路由模块，配置为根据路由协议得到作为上一跳量子节点的所述第一量子节点及所述与第二量子节点相邻的下一跳量子节点；将所述第一量子节点发送的经加密处理得到的第一加密数据包发送到所述加解密模块进行解密处理，并再行加密后得到第三加密数据包，将第三加密数据包传输给所述与第二量子节点相邻的下一跳量子节点；以及将接收对端发送的经加密处理得到的第四加密数据包发送到所述加解密模块进行解密处理。a routing module, configured to obtain, according to a routing protocol, the first quantum node as a last hop quantum node and the next hop quantum node adjacent to the second quantum node; encrypting the first quantum node The first encrypted data packet obtained by the processing is sent to the encryption and decryption module for decryption processing, and then encrypted to obtain a third encrypted data packet, and the third encrypted data packet is transmitted to the next adjacent to the second quantum node. a one-hop quantum node; and transmitting, by the receiving end, the encrypted data packet obtained by the encryption process to the encryption and decryption module for decryption processing.

上述方案中，所述量子通信模块，还配置为与相邻的第一量子节点中的量子通信模块通过量子信道的协商生成第一量子密钥K1，所述第二量子节点与所述第二量子节点相邻的下一跳量子节点协商生成第二量子密钥K2。In the above solution, the quantum communication module is further configured to generate a first quantum key K1 by negotiation with a quantum communication module in an adjacent first quantum node through a quantum channel, the second quantum node and the second The next hop quantum node adjacent to the quantum node negotiates to generate a second quantum key K2.

上述方案中，所述加解密模块，还配置为接收所述第一量子节点发送的第一加密数据包SΛK1；根据所述第一量子密钥K1对所述SΛK1进行解密后再用第二量子密钥K2进行加密，得到所述第三加密数据包SΛK2；In the above solution, the encryption and decryption module is further configured to receive the first encrypted data packet SΛK1 sent by the first quantum node; decrypt the SΛK1 according to the first quantum key K1, and then use the second quantum The key K2 is encrypted to obtain the third encrypted data packet SΛK2;

所述路由模块，还配置为根据所述路由协议得到下一跳量子节点的路由路径，将所述SΛK2发送给与所述第二量子节点相邻的下一跳量子节点。The routing module is further configured to obtain a routing path of the next hop quantum node according to the routing protocol, and send the SΛK2 to a next hop quantum node adjacent to the second quantum node.

所述量子通信模块、所述密钥管理模块、所述加解密模块、所述路由模块在执行处理时，可以采用中央处理器(CPU，Central Processing Unit)、数字信号处理器(DSP，Digital Singnal Processor)或可编程逻辑阵列(FPGA，Field－Programmable Gate Array)实现。The quantum communication module, the key management module, the encryption and decryption module, and the routing module may use a central processing unit (CPU) and a digital signal processor (DSP, Digital Singnal) when performing processing. Processor) or Field-Programmable Gate Array (FPGA) implementation.

本发明实施例的一种安全通信架构系统，所述系统包括如上述方案中的任一项所述的第一量子节点，及如上述方案中任一项所述的第二量子节点；A secure communication architecture system according to an embodiment of the present invention, the system includes the first quantum node according to any one of the foregoing aspects, and the second quantum node according to any one of the foregoing aspects;

所述系统还包括：路由切换节点； The system further includes: a route switching node;

所述路由切换节点，配置为作为所述第一量子节点与所述第二量子节点之间的传输介质透传光路使用。The route switching node is configured to be used as a transmission medium transparent optical path between the first quantum node and the second quantum node.

本发明实施例的一种业务密钥传输方法，所述方法应用于第一量子节点，所述方法包括：A service key transmission method according to an embodiment of the present invention, the method is applied to a first quantum node, and the method includes:

第一量子节点与相邻的第二量子节点通过量子信道的协商生成量子密钥对；Generating a quantum key pair by the first quantum node and the adjacent second quantum node through negotiation of the quantum channel;

根据所述量子密钥对将接入用户业务数据的业务密钥进行加解密处理，得到处理后的数据包；Decrypting and decrypting a service key that accesses user service data according to the quantum key pair to obtain a processed data packet;

将所述处理后的数据包按照路由协议通过经典信道传输给相邻的第二量子节点。The processed data packet is transmitted to the adjacent second quantum node through a classical channel according to a routing protocol.

本发明实施例的一种业务密钥传输方法，所述方法应用于第二量子节点，所述方法包括：A service key transmission method according to an embodiment of the present invention, the method is applied to a second quantum node, and the method includes:

第二量子节点与相邻的第一量子节点或与第二量子节点相邻的下一跳量子节点通过量子信道的协商生成量子密钥对；Generating, by the quantum channel, a quantum key pair by the second quantum node and the adjacent first quantum node or the next hop quantum node adjacent to the second quantum node;

将所述处理后的数据包按照路由协议通过经典信道传输给所述与第二量子节点相邻的下一跳量子节点。And transmitting the processed data packet to the next hop quantum node adjacent to the second quantum node by using a classical channel according to a routing protocol.

本发明实施例的一种业务密钥传输方法，所述方法基于所述安全通信架构系统，所述方法包括：A service key transmission method according to an embodiment of the present invention, the method is based on the secure communication architecture system, and the method includes:

相邻的每两个量子节点间通过量子信道的协商生成量子密钥对；A quantum key pair is generated by negotiation of a quantum channel between each adjacent two quantum nodes;

所述相邻的每两个量子节点包括上一跳的量子节点和下一跳的量子节点，量子节点的类型包括第一量子节点和第二量子节点；Each of the adjacent two quantum nodes includes a quantum node of a last hop and a quantum node of a next hop, and the type of the quantum node includes a first quantum node and a second quantum node;

根据所述量子密钥对将接入用户业务数据的业务密钥进行加解密处理，得到处理后的数据包按照路由协议通过经典信道进行传输。 The service key that accesses the user service data is subjected to encryption and decryption processing according to the quantum key pair, and the processed data packet is transmitted through the classical channel according to a routing protocol.

上述方案中，所述相邻的每两个量子节点通过量子信道的协商生成的所述量子密钥对至少包括：第一量子密钥K1；In the above solution, the quantum key pair generated by the negotiation of the quantum channels by each adjacent two quantum nodes includes at least: a first quantum key K1;

所述根据所述量子密钥对将接入用户业务数据的业务密钥进行加解密处理，得到处理后的数据包按照路由协议通过经典信道进行传输，包括：And performing the encryption and decryption processing on the service key that accesses the user service data according to the quantum key pair, and the processed data packet is transmitted through the classic channel according to the routing protocol, including:

接入用户发来的所述业务密钥S；Accessing the service key S sent by the user;

获取所述第一量子密钥K1，根据所述第一量子密钥K1对所述业务密钥S加密得到第一加密数据包SΛK1；Obtaining the first quantum key K1, encrypting the service key S according to the first quantum key K1 to obtain a first encrypted data packet SΛK1;

根据路由协议计算出下一跳量子节点的路由，将所述SΛK1发往下一跳的量子节点。Calculating the route of the next hop quantum node according to the routing protocol, and sending the SΛK1 to the quantum node of the next hop.

上述方案中，所述相邻的每两个量子节点通过量子信道的协商生成的所述量子密钥对还包括：第二量子密钥K2和第三量子密钥K3；In the above solution, the quantum key pair generated by the negotiation of the quantum channels by each adjacent two quantum nodes further includes: a second quantum key K2 and a third quantum key K3;

所述根据所述量子密钥对将接入用户业务数据的业务密钥进行加解密处理，得到处理后的数据包按照路由协议通过经典信道进行传输，还包括：And performing, according to the quantum key pair, the service key that accesses the user service data is subjected to encryption and decryption processing, and the processed data packet is transmitted through the classic channel according to the routing protocol, and further includes:

下一跳的量子节点接收到所述SΛK1；The quantum node of the next hop receives the SΛK1;

获取所述第一量子密钥K1和第二量子密钥K2；Obtaining the first quantum key K1 and the second quantum key K2;

根据所述第一量子密钥K1对所述SΛK1进行解密后再用第二量子密钥K2进行加密，得到所述第三加密数据包SΛK2；Decrypting the SΛK1 according to the first quantum key K1 and then encrypting with the second quantum key K2 to obtain the third encrypted data packet SΛK2;

根据路由协议计算出下一跳量子节点的路由，将所述SΛK2发往下一跳的量子节点；Calculating a route of the next hop quantum node according to the routing protocol, and sending the SΛK2 to the quantum node of the next hop;

获取所述第二量子密钥K2和第三量子密钥K3；Obtaining the second quantum key K2 and the third quantum key K3;

根据所述第二量子密钥K2对所述SΛK2进行解密后再用第三量子密钥K3进行加密，得到第五加密数据包SΛK3；Decrypting the SΛK2 according to the second quantum key K2 and then encrypting with the third quantum key K3 to obtain a fifth encrypted data packet SΛK3;

根据路由协议计算出下一跳量子节点的路由，将所述SΛK3发往下一跳的量子节点后，用所述第三量子密钥K3对SΛK3进行解密，得到业务密钥S并分发给所述用户。 Calculating the route of the next hop quantum node according to the routing protocol, and sending the SΛK3 to the quantum node of the next hop, decrypting SΛK3 with the third quantum key K3, obtaining the service key S and distributing it to the office User.

本发明实施例的一种路由切换方法，所述方法基于所述安全通信架构系统，所述方法包括：A route switching method according to an embodiment of the present invention, the method is based on the secure communication architecture system, and the method includes:

相邻的每两个量子节点按照解析所述处理后的数据包得到的数据格式进行路由切换。Each of the adjacent two quantum nodes performs route switching according to a data format obtained by parsing the processed data packet.

上述方案中，所述安全通信架构系统由目的用户A，源用户B，第一量子节点QAG1，第二量子节点QRR1组成时，所述数据格式具体为：B|A|QAG1|QRR1|SΛK2。In the above solution, when the secure communication architecture system is composed of the destination user A, the source user B, the first quantum node QAG1, and the second quantum node QRR1, the data format is specifically: B|A|QAG1|QRR1|SΛK2.

上述方案中，所述相邻的每两个量子节点按照解析所述处理后的数据包得到的数据格式进行路由切换，包括：In the above solution, each of the adjacent two quantum nodes performs route switching according to a data format obtained by parsing the processed data packet, including:

用户A有一个业务密钥S要发给用户B时，发出所述数据包的格式为：B|A|S；When user A has a service key S to be sent to user B, the format of the data packet is: B|A|S;

当前量子节点QAG1收到所述数据包，解析出其数据格式为所述B|A|S，针对目的地址B计算路由，得到下一跳量子节点的地址是QRR1，查询QAG1与QRR1之间的第一量子密钥是K1，用K1对S做加密运算，得到第一加密数据包SΛK1，数据格式为B|A|QAG1|SΛK1，QAG1将所述SΛK1发给下一跳量子节点QRR1；The current quantum node QAG1 receives the data packet, parses out its data format as the B|A|S, calculates a route for the destination address B, and obtains the address of the next hop quantum node is QRR1, and queries between QAG1 and QRR1. The first quantum key is K1, and the encryption operation is performed by K1 to obtain the first encrypted data packet SΛK1, and the data format is B|A|QAG1|SΛK1, and QAG1 sends the SΛK1 to the next hop quantum node QRR1;

QRR1收到所述SΛK1，解析出其数据格式为所述B|A|QAG1|SΛK1，查询上一跳量子节点QAG1与QRR1的第一量子密钥是K1，针对目的地址B计算路由，得到下一跳量子节点的地址是QRR2，查询QRR1与QRR2之间的第二量子密钥是K2，对SΛK1用K1做解密再用K2做加密，得到第三加密数据包SΛK2，其数据格式为B|A|QAG1|QRR1|SΛK2，QRR1将所述SΛK2发给下一跳量子节点QRR2；QRR1 receives the SΛK1 and parses out its data format as the B|A|QAG1|SΛK1. The first quantum key of the last hop quantum nodes QAG1 and QRR1 is K1, and the route is calculated for the destination address B. The address of the one-hop quantum node is QRR2, and the QRR1 and QRR2 are queried. The second quantum key is K2, and the SΛK1 is decrypted with K1 and then encrypted with K2 to obtain the third encrypted data packet SΛK2. The data format is B|A|QAG1|QRR1|SΛK2, and QRR1 sends the SΛK2 Give the next hop quantum node QRR2;

QRR2收到所述SΛK2，解析出其数据格式为所述B|A|QAG1|QRR1|SΛK2，QRR2 receives the SΛK2 and parses out its data format as the B|A|QAG1|QRR1|SΛK2,

查询上一跳量子节点QRR1与QRR2的第二量子密钥是K2，针对目的地址B计算路由，得到下一跳量子节点的地址是QAG2，查询QRR2与QAG2之间的第三量子密钥是K3，对SΛK2用K2做解密再用K3做加密，得到第五加密数据包SΛK3，其数据格式为B|A|QAG1|QRR1|QRR2|SΛK3，QRR2将所述SΛK3发给下一跳量子节点QAG2；The second quantum key of the last hop quantum node QRR1 and QRR2 is K2, and the route is calculated for the destination address B, and the address of the next hop quantum node is QAG2, and the third quantum key between the query QRR2 and QAG2 is K3. K1 is decrypted for SΛK2 and then encrypted with K3 to obtain the fifth encrypted data packet SΛK3. The data format is B|A|QAG1|QRR1|QRR2|SΛK3, and QRR2 sends the SΛK3 to the next hop quantum node QAG2. ;

QAG2收到所述SΛK3，解析出其数据格式为所述B|A|QAG1|QRR1|QRR2|SΛK3，查询上一跳量子节点QRR2与QAG2的第三量子密钥是K3，用K3对SΛK3解密得到初始业务密钥S，将S分发给用户B。QAG2 receives the SΛK3, parses out its data format as the B|A|QAG1|QRR1|QRR2|SΛK3, and queries the third quantum key of the last hop quantum nodes QRR2 and QAG2 to be K3, and decrypts SΛK3 with K3. The initial service key S is obtained, and S is distributed to the user B.

本发明实施例的第一量子节点，配置为与相邻的第二量子节点通过量子信道的协商生成量子密钥对，以根据所述量子密钥对将接入用户业务数据的业务密钥进行加解密处理，得到处理后的数据包；将所述处理后的数据包按照路由协议通过经典信道传输给相邻的第二量子节点。The first quantum node of the embodiment of the present invention is configured to generate a quantum key pair by negotiation with a neighboring second quantum node through a quantum channel, to perform a service key for accessing user service data according to the quantum key pair. The encryption and decryption process obtains the processed data packet; and the processed data packet is transmitted to the adjacent second quantum node through the classical channel according to the routing protocol.

采用本发明实施例，第一量子节点与相邻的第二量子节点通过量子信道的协商生成量子密钥对，以根据所述量子密钥对将接入用户业务数据的业务密钥进行加解密处理，得到处理后的数据包；将所述处理后的数据包按照路由协议通过经典信道传输给相邻的第二量子节点，将相邻量子节点间通过量子信道协商的量子密码技术与路由交换技术相结合，既提高了安全性，也适用于大范围的QKD网络部署。 In the embodiment of the present invention, the first quantum node and the adjacent second quantum node generate a quantum key pair through negotiation of the quantum channel, to encrypt and decrypt the service key that accesses the user service data according to the quantum key pair. Processing, obtaining the processed data packet; transmitting the processed data packet to the adjacent second quantum node through a classical channel according to a routing protocol, and quantum cryptography and routing exchange between adjacent quantum nodes through quantum channel negotiation The combination of technologies not only improves security, but also applies to a wide range of QKD network deployments.

DRAWINGS

图1为本发明实施例中第一量子节点为QAG时的模块组成结构示意图；1 is a schematic structural diagram of a module structure when a first quantum node is a QAG according to an embodiment of the present invention;

图2为本发明实施例中第二量子节点为QRR时的模块组成结构示意图；2 is a schematic structural diagram of a module structure when a second quantum node is a QRR according to an embodiment of the present invention;

图3为本发明实施例中电信级QKD的网络架构示意图；3 is a schematic diagram of a network architecture of a carrier-grade QKD according to an embodiment of the present invention;

图4为本发明实施例中接入和中继业务密钥的流程示意图；4 is a schematic flowchart of accessing and relaying service keys in an embodiment of the present invention;

图5为本发明实施例中中继和分发业务密钥的流程示意图；FIG. 5 is a schematic flowchart of relaying and distributing a service key according to an embodiment of the present invention; FIG.

图6为本发明实施例中路由和切换的流程示意图。FIG. 6 is a schematic flowchart of routing and handover according to an embodiment of the present invention.

detailed description

下面结合附图对技术方案的实施作进一步的详细描述。The implementation of the technical solution will be further described in detail below with reference to the accompanying drawings.

本发明实施例的第一量子节点，所述第一量子节点，配置为与相邻的第二量子节点通过量子信道的协商生成量子密钥对，以根据所述量子密钥对将接入用户业务数据的业务密钥进行加解密处理，得到处理后的数据包；将所述处理后的数据包按照路由协议通过经典信道传输给相邻的第二量子节点。In the first quantum node of the embodiment of the present invention, the first quantum node is configured to generate a quantum key pair by negotiation with a neighboring second quantum node through a quantum channel, so as to access the user according to the quantum key pair. The service key of the service data is subjected to encryption and decryption processing to obtain the processed data packet; and the processed data packet is transmitted to the adjacent second quantum node through the classical channel according to the routing protocol.

在本发明实施例一实施方式中，所述第一量子节点包括：In an embodiment of the present invention, the first quantum node includes:

接入与路由模块，配置为对用户进行接入认证通过后，获取接入用户的业务数据，将所述业务数据对应的所述业务密钥发送到所述加解密模块进行加密处理后，选择下一跳量子节点的路由路径以将经加密处理得到的第一加密数据包传输给作为下一跳量子节点的所述第二量子节点，以及将接收对端发送的经加密处理得到的第二加密数据包发送到所述加解密模块进行解密处理后返回给用户。The access and routing module is configured to obtain the service data of the access user after the user passes the access authentication, and send the service key corresponding to the service data to the encryption and decryption module. After performing the encryption process, the routing path of the next hop quantum node is selected to transmit the first encrypted data packet obtained by the encryption process to the second quantum node as the next hop quantum node, and the transmission sent by the receiving peer end The second encrypted data packet obtained by the encryption process is sent to the encryption and decryption module for decryption processing and returned to the user.

在本发明实施例一实施方式中，所述量子通信模块，还配置为与相邻的第二量子节点中的量子通信模块通过量子信道的协商生成第一量子密钥K1，所述第二量子节点与第二量子节点相邻的下一跳量子节点协商生成第二量子密钥K2。In an embodiment of the present invention, the quantum communication module is further configured to generate a first quantum key K1 by negotiation of a quantum channel with a quantum communication module in an adjacent second quantum node, the second quantum The node negotiates with the next hop quantum node adjacent to the second quantum node to generate a second quantum key K2.

在本发明实施例一实施方式中，所述加解密模块，还配置为根据所述第一量子密钥K1对所述业务密钥S进行加密，得到所述第一加密数据包SΛK1；In an embodiment of the present invention, the encryption and decryption module is further configured to encrypt the service key S according to the first quantum key K1 to obtain the first encrypted data packet SΛK1;

在本发明实施例一实施方式中，所述第二量子节点包括：In an embodiment of the present invention, the second quantum node includes:

在本发明实施例一实施方式中，所述量子通信模块，还配置为与相邻的第一量子节点中的量子通信模块通过量子信道的协商生成第一量子密钥K1，所述第二量子节点与所述第二量子节点相邻的下一跳量子节点协商生成第二量子密钥K2。In an embodiment of the present invention, the quantum communication module is further configured to generate a first quantum key K1 by negotiation of a quantum channel with a quantum communication module in an adjacent first quantum node, the second quantum The node negotiates with the next hop quantum node adjacent to the second quantum node to generate a second quantum key K2.

在本发明实施例一实施方式中，所述加解密模块，还配置为接收所述第一量子节点发送的第一加密数据包SΛK1；根据所述第一量子密钥K1对所述SΛK1进行解密后再用第二量子密钥K2进行加密，得到所述第三加密数据包SΛK2；In an embodiment of the present invention, the encryption and decryption module is further configured to receive a first encrypted data packet SΛK1 sent by the first quantum node, and decrypt the SΛK1 according to the first quantum key K1. Then encrypting with the second quantum key K2 to obtain the third encrypted data packet SΛK2;

本发明实施例的一种安全通信架构系统，所述系统包括如上述方案中任一项所述的第一量子节点，及如上述方案中任一项所述的第二量子节点；A secure communication architecture system according to an embodiment of the present invention, the system includes the first quantum node according to any one of the above aspects, and the second quantum node according to any one of the foregoing aspects;

所述系统还包括：路由切换节点；The system further includes: a route switching node;

本发明实施例的一种业务密钥传输方法，所述方法应用于第一量子节点，所述方法包括： A service key transmission method according to an embodiment of the present invention, the method is applied to a first quantum node, and the method includes:

根据所述量子密钥对将接入用户业务数据的业务密钥进行加解密处理，得到处理后的数据包按照路由协议通过经典信道进行传输。The service key that accesses the user service data is subjected to encryption and decryption processing according to the quantum key pair, and the processed data packet is transmitted through the classical channel according to a routing protocol.

在本发明实施例一实施方式中，所述相邻的每两个量子节点通过量子信道的协商生成的所述量子密钥对至少包括：第一量子密钥K1；In an embodiment of the present invention, the quantum key pair generated by the negotiation of the quantum channels by each adjacent two quantum nodes includes at least: a first quantum key K1;

所述根据所述量子密钥对将接入用户业务数据的业务密钥进行加解密处理，得到处理后的数据包按照路由协议通过经典信道进行传输，包括： And performing the encryption and decryption processing on the service key that accesses the user service data according to the quantum key pair, and the processed data packet is transmitted through the classic channel according to the routing protocol, including:

在本发明实施例一实施方式中，所述相邻的每两个量子节点通过量子信道的协商生成的所述量子密钥对还包括：第二量子密钥K2和第三量子密钥K3；In an embodiment of the present invention, the quantum key pair generated by the negotiation of the quantum channel by each adjacent two quantum nodes further includes: a second quantum key K2 and a third quantum key K3;

根据路由协议计算出下一跳量子节点的路由，将所述SΛK3发往下一跳的量子节点后，用所述第三量子密钥K3对SΛK3进行解密，得到业务密钥S并分发给所述用户。Calculating the route of the next hop quantum node according to the routing protocol, and sending the SΛK3 to the quantum node of the next hop, decrypting SΛK3 with the third quantum key K3, obtaining the service key S and distributing it to the office User.

相邻的每两个量子节点间通过量子信道的协商生成量子密钥对； A quantum key pair is generated by negotiation of a quantum channel between each adjacent two quantum nodes;

在本发明实施例一实施方式中，所述安全通信架构系统由目的用户A，源用户B，第一量子节点QAG1，第二量子节点QRR1组成时，所述数据格式具体为：B|A|QAG1|QRR1|SΛK2。In an embodiment of the present invention, when the secure communication architecture system is composed of a destination user A, a source user B, a first quantum node QAG1, and a second quantum node QRR1, the data format is specifically: B|A| QAG1|QRR1|SΛK2.

在本发明实施例一实施方式中，所述相邻的每两个量子节点按照解析所述处理后的数据包得到的数据格式进行路由切换，包括：In an embodiment of the present invention, each of the adjacent two quantum nodes performs route switching according to a data format obtained by parsing the processed data packet, including:

QRR1收到所述SΛK1，解析出其数据格式为所述B|A|QAG1|SΛK1，查询上一跳量子节点QAG1与QRR1的第一量子密钥是K1，针对目的地址B计算路由，得到下一跳量子节点的地址是QRR2，查询QRR1与QRR2之间的第二量子密钥是K2，对SΛK1用K1做解密再用K2做加密，得到第三加密数据包SΛK2，其数据格式为B|A|QAG1|QRR1|SΛK2，QRR1将所述SΛK2发给下一跳量子节点QRR2； QRR1 receives the SΛK1 and parses out its data format as the B|A|QAG1|SΛK1. The first quantum key of the last hop quantum nodes QAG1 and QRR1 is K1, and the route is calculated for the destination address B. The address of the one-hop quantum node is QRR2, the second quantum key between the query QRR1 and QRR2 is K2, and the K1 is decrypted by S1 and then encrypted by K2, and the third encrypted data packet SΛK2 is obtained. The data format is B| A|QAG1|QRR1|SΛK2, QRR1 sends the SΛK2 to the next hop quantum node QRR2;

以一个现实应用场景为例对本发明实施例阐述如下：The embodiment of the present invention is described as an example of a practical application scenario as follows:

本应用场景具体为：第一量子节点是QAG，第二量子节点是QRR，路由切换节点是OSR，有它们共同构成的安全通信网络架构系统，及基于安全通信网络架构系统的安全地接入，中继，分发业务密钥，及基于“由目的地址|源地址|第一量子节点|第二量子节点|...|当前量子节点|加密信息”构成的数据包格式，根据对该数据包格式解析的结果，进行路由切换的过程，以下分别阐述：The application scenario is specifically as follows: the first quantum node is QAG, the second quantum node is QRR, the routing switching node is OSR, a secure communication network architecture system formed by them, and a secure access based on a secure communication network architecture system, Relaying, distributing a service key, and a packet format based on "by destination address|source address|first quantum node|second quantum node|...|current quantum node|encrypted information", according to the packet The result of format parsing, the process of routing switching, is explained below:

本应用场景采用本发明实施例，主要定义了电信级QKD网络的网络架构(下称本架构)。定义了本架构的三种典型设备：量子接入网关(QAG，Quantum Access Gateway)、光端口交换路由器(OSR，Optical Switch Router)和量子中继路由器(QRR，Quantum Relay Router)，描述了采用本架构的QKD网络的业务流程。本架构解决了如下问题：This application scenario adopts an embodiment of the present invention, and mainly defines a network architecture of a carrier-grade QKD network (hereinafter referred to as the present architecture). Three typical devices of this architecture are defined: Quantum Access Gateway (QAG), Optical Switch Router (OSR), and Quantum Relay Router (QRR). The business process of the architecture of the QKD network. This architecture solves the following problems:

1、路由寻址问题。量子保密通信是点到点的，在一张全国范围的大网中，跨一个或数个节点的量子通信成为必需，将量子系统与路由交换设备相结合，对现有的路由协议进行改造，利用路由器或交换机的处理能力对量子通信进行寻址和路由，满足大网部署的高吞吐量、高转发率要求。1, routing addressing problems. Quantum-secure communication is point-to-point. In a large-scale network across the country, quantum communication across one or several nodes becomes a must, quantum system and routing equipment In combination, the existing routing protocol is modified, and the processing capability of the router or the switch is used to address and route the quantum communication to meet the requirements of high throughput and high forwarding rate of the large network deployment.

2、链路保护问题。量子通信的物理介质是光纤或开放空间，在自然灾害或者战时是十分脆弱的，但不能因为某一部分链路的损坏造成全国范围QKD网络业务的中断。以网状网的形式组网，利用路由协议进行断路切换和链路保护，是必要的。2. Link protection issues. The physical medium of quantum communication is optical fiber or open space. It is very fragile in natural disasters or wartime, but it cannot interrupt the nationwide QKD network service due to the damage of a certain part of the link. It is necessary to use a routing protocol for network switching and link protection in the form of a mesh network.

针对上述电信级QKD网络中的这三类主要设备(QAG、OSR和QRR)而言，其中，QAG、QRR是进行量子通信的设备，称为量子节点，而OSR不处理量子信息，只做光交换，不是量子节点。这三种设备的描述如下：For the three main types of devices (QAG, OSR, and QRR) in the above-mentioned carrier-grade QKD network, QAG and QRR are devices for performing quantum communication, which are called quantum nodes, and OSR does not process quantum information, and only does light. Exchange, not a quantum node. The description of these three devices is as follows:

一、QAGFirst, QAG

QAG从功能上分为四个部分，即量子通信模块11、密钥管理模块12、加解密模块13、接入与路由模块14，如图1所示。The QAG is functionally divided into four parts, namely, a quantum communication module 11, a key management module 12, an encryption and decryption module 13, and an access and routing module 14, as shown in FIG.

就所述量子通信模块而言，所述量子通信模块在物理上由光源、光调制器、信道(光纤或开放空间)、测量基矢、光子探测器等器件组成，本端的量子通信模块用于与对端的量子通信模块通过量子信道，按BB84协议协商和生成一样的随机数序列。这个随机数序列是真随机数，真随机数与伪随机数是相对的概念，是通过物理过程而不是计算机程序来生成的随机数字。随机数序列的生成是一个连续的过程，通信两端通过协商，选取一段相同的随机数序列(如512bit)，作为密钥使用，这个密钥就是量子密钥，生成量子密钥过程叫密钥制备。In the case of the quantum communication module, the quantum communication module is physically composed of a light source, a light modulator, a channel (optical fiber or open space), a measurement basis vector, a photon detector, etc., and the local quantum communication module is used for The quantum communication module with the peer end negotiates and generates the same random number sequence according to the BB84 protocol through the quantum channel. This random number sequence is a true random number. The concept of a true random number and a pseudo-random number is a random number generated by a physical process rather than a computer program. The generation of a sequence of random numbers is a continuous process. The two ends of the communication negotiate to select a sequence of identical random numbers (such as 512 bits), which is used as a key. This key is a quantum key, and the process of generating a quantum key is called a key. preparation.

就所述密钥管理模块而言，所述密钥管理模块也叫密码箱、密码本，为用于存储、输出和管理密钥的设备。密钥管理模块有极高的安全保密需求，一旦发生泄漏，或者被别人攻破，整个系统就不再安全。由量子通信模块制备的密钥，都保存在密钥管理模块中。In the case of the key management module, the key management module is also called a lockbox, a codebook, and is a device for storing, outputting, and managing keys. The key management module has a very high security and confidentiality requirement. Once a leak occurs or is broken by others, the entire system is no longer secure. The keys prepared by the quantum communication module are stored in the key management module.

就所述加解密模块而言，所述加解密模块用于采用某些对称或非对称算法实现加解密功能，如AES、RSA、MD5等，对业务数据进行加解密操作的模块。加解密过程都需要用到密钥，密钥由密钥管理模块提供，这个过程叫密钥提供。In the case of the encryption and decryption module, the encryption and decryption module is used to adopt some symmetry or asymmetry. The algorithm implements encryption and decryption functions, such as AES, RSA, MD5, etc., modules for encrypting and decrypting business data. The encryption and decryption process requires the use of a key, which is provided by the key management module. This process is called key delivery.

就所述接入与路由模块而言，所述接入与路由模块主要有三个功能：一是对用户进行接入认证；二是接入用户的业务数据，将用户数据送到加解密模块进行加密操作，或者反过来，将加密数据包送到加解密模块进行解密操作，再分发给用户；三是执行路由协议，选择下一跳量子节点的路径，将加密数据包路由至下一跳量子节点。For the access and routing module, the access and routing module has three main functions: one is to perform access authentication on the user; the other is to access the user's service data, and send the user data to the encryption and decryption module. Encryption operation, or conversely, sending the encrypted data packet to the encryption and decryption module for decryption operation, and then distributing it to the user; third, executing the routing protocol, selecting the path of the next hop quantum node, and routing the encrypted data packet to the next hop quantum node.

与QAG相连的有两种信道，量子信道和经典信道。量子信道又有两种物理形式，即光纤和开放空间。量子信道里走的是单光子量子信号或者连续变量量子信号。经典信道是相对量子信道而言的，即目前广泛部署的各种有线和无线网络。QAG通过量子信道与另一个量子节点(QAG或QRR)相连，两两之间生成量子密钥，QAG通过经典信道接入用户数据，再将加密后的数据通过经典信道上传到经典网络。There are two channels connected to the QAG, a quantum channel and a classic channel. Quantum channels come in two physical forms, fiber and open space. In the quantum channel, a single photon quantum signal or a continuous variable quantum signal is taken. The classic channel is relative to the quantum channel, which is a variety of wired and wireless networks that are currently widely deployed. The QAG is connected to another quantum node (QAG or QRR) through a quantum channel, and a quantum key is generated between the two. The QAG accesses the user data through the classical channel, and then the encrypted data is uploaded to the classical network through the classical channel.

二、OSRSecond, OSR

OSR主要起光口的汇聚、交换等功能。OSR并不参与量子通信协议，也不参与密钥生成的过程，只作为传输介质透传光路，OSR对量子通信的两端是透明的，不被感知的，所以OSR不算量子节点。在QKD网络中，OSR主要是根据实际情况，用于构建不同的网络拓扑结构。The OSR mainly functions as a convergence and exchange of optical ports. OSR does not participate in the quantum communication protocol, nor does it participate in the key generation process. It is only used as a transmission medium to transparently transmit optical paths. OSR is transparent to both ends of quantum communication and is not perceived, so OSR does not count quantum nodes. In the QKD network, the OSR is mainly used to construct different network topologies according to actual conditions.

三、QRRThird, QRR

QRR与QAG类似，QRR从功能上也分为四个部分，即量子通信模块21、密钥管理模块22、加解密模块23、路由模块24，如图2所示。QRR is similar to QAG, and the QRR is functionally divided into four parts, namely, the quantum communication module 21, the key management module 22, the encryption and decryption module 23, and the routing module 24, as shown in FIG.

其中，QRR中的所述量子通信模块、所述密钥管理模块、所述加解密模块的功能与QAG中相对应的模块在功能实现上可以完全一样，只有QRR的路由模块与QAG中的所述接入与路由模块略有区别，QRR的路由模块主要是执行路由协议，计算出上一跳量子节点和下一跳量子节点，将上一跳量子节点发来的加密数据包经加解密处理后，再路由至下一跳量子节点。The function of the quantum communication module, the key management module, and the encryption and decryption module in the QRR may be identical to the corresponding module in the QAG, and only the routing module of the QRR and the QAG are used. The access and routing modules are slightly different, QRR routing module The main implementation is a routing protocol, and the last hop quantum node and the next hop quantum node are calculated, and the encrypted data packet sent by the last hop quantum node is subjected to encryption and decryption processing, and then routed to the next hop quantum node.

与QRR相连的有两种信道，量子信道和经典信道。QRR利用量子信道与上一跳量子节点、下一跳量子节点分别制备一批量子密钥，用于加解密操作，这个过程叫量子中继。QRR利用经典信道与经典网络连接，转发业务数据。There are two channels connected to the QRR, a quantum channel and a classic channel. QRR uses quantum channels to generate a batch of quantum keys from the previous hop quantum node and the next hop quantum node for encryption and decryption operations. This process is called quantum relay. QRR uses classic channels to connect to classic networks to forward business data.

四、电信级QKD网络的架构Fourth, the architecture of the carrier-grade QKD network

如图3所示，电信级QKD网络分为3层，即接入层、汇聚层和核心层。QAG部署在接入层，OSR部署在汇聚层，QRR部署在核心层。QAG、OSR和QRR之间，既有经典信道相连，也有量子信道相连。如果量子信道是光纤量子信道，取决于当前量子通信技术的水平，两个量子节点之间有距离限制，如不能超过70km。另外，OSR只是透传量子信号，所以OSR对电信级QKD网络来说不是必须的。As shown in FIG. 3, the carrier-grade QKD network is divided into three layers, namely, an access layer, an aggregation layer, and a core layer. QAG is deployed at the access layer, OSR is deployed at the aggregation layer, and QRR is deployed at the core layer. Between QAG, OSR and QRR, there are both classic channels and quantum channels. If the quantum channel is a fiber quantum channel, depending on the level of current quantum communication technology, there is a distance limit between the two quantum nodes, such as no more than 70 km. In addition, OSR only transmits quantum signals, so OSR is not necessary for carrier-grade QKD networks.

QAG是带量子通信功能的接入路由器，部署在接入层，与现有公网网络架构的接入路由器位置一致。QAG既执行经典通信功能，也执行量子通信功能。QAG可以根据其接入的每一个业务的性质，决定是否启用量子通信。QAG is an access router with quantum communication function. It is deployed at the access layer and is consistent with the location of the access router of the existing public network architecture. QAG performs both classic communication functions and quantum communication functions. QAG can decide whether to enable quantum communication based on the nature of each service it accesses.

QAG的经典通信功能主要是对用户进行认证，并接入用户的业务数据，如话音、短信、邮件、数据等，执行路由算法，将用户的业务数据路由至城域网或核心网等其他路由交换设备，另外还要在网络某些部分发生故障的时候要将数据通信切换到其他链路上进行，等等，这些功能与传统的接入路由器并无区别，本文不再描述。本文所描述的QAG的经典通信功能，是与量子通信功能相关的部分，即计算出量子通信的下一跳的路由，后面将有实施案例进行详细描述。QAG's classic communication function is mainly to authenticate users and access user's business data, such as voice, SMS, mail, data, etc., to execute routing algorithms, and to route user's business data to other routes such as metropolitan area network or core network. Switching devices, in addition to switching data traffic to other links when certain parts of the network fail, and so on, these functions are no different from traditional access routers, and will not be described in this article. The classic communication function of QAG described in this paper is related to the quantum communication function, that is, the calculation of the next hop routing of quantum communication, which will be described in detail later.

QAG的量子通信功能主要是进行业务密钥的分发，后面将有实施案例进行详细描述。QAG's quantum communication function is mainly to distribute business keys, and there will be implementation cases later. Carry out a detailed description.

OSR是包含端口级光交换功能的路由器，部署在汇聚层，主要起光口的汇聚、交换等功能，与现有公网网络架构的汇聚路由器或城域路由器位置一致。OSR执行经典通信功能，对量子通信透传。对经典通信而言，OSR就是普通的汇聚层路由器或汇聚层交换机。对量子通信而言，OSR主要执行端口级的光路交换功能，并不参与量子通信协议，也不参与密钥生成的过程，只作为传输介质透传光量子信号。The OSR is a router that includes port-level optical switching. It is deployed at the aggregation layer and functions to aggregate and exchange optical ports. It is consistent with the aggregation router or metro router of the existing public network architecture. The OSR performs classic communication functions and transparently transmits to quantum communication. For classic communications, OSR is a common aggregation layer router or aggregation layer switch. For quantum communication, OSR mainly performs port-level optical path switching functions, does not participate in quantum communication protocols, and does not participate in the key generation process, and only transmits optical quantum signals as transmission media.

QRR是带量子通信功能的汇聚或核心路由器，部署在核心层，与现有公网网络架构的城域路由器或骨干路由器位置一致。QRR既执行经典通信功能，也执行量子通信功能。QRR可以根据每一个业务的性质，决定是否启用量子通信。QRR is a converged or core router with quantum communication function. It is deployed at the core layer and is consistent with the location of the metro router or backbone router of the existing public network architecture. QRR performs both classic communication functions and quantum communication functions. QRR can decide whether to enable quantum communication based on the nature of each business.

QRR的经典通信功能主要是执行路由算法，将数据路由至城域网或核心网等其他路由交换设备，在网络某些部分发生故障的时候要将数据通信切换到其他链路上进行，等等，这些功能与传统的城域路由器和骨干路由器并无区别，本文不再描述。本文所描述的QRR的经典通信功能，是与量子通信功能相关的部分，即计算出量子通信的下一跳的路由，后面将有实施案例进行详细描述。QRR's classic communication function is mainly to implement routing algorithms to route data to other routing switching devices such as metropolitan area networks or core networks. When some parts of the network fail, data communication should be switched to other links, etc. These functions are no different from traditional metro routers and backbone routers, and will not be described in this article. The classic communication function of QRR described in this paper is related to the quantum communication function, that is, the calculation of the next hop routing of quantum communication, which will be described in detail later.

QRR的量子通信功能主要是进行业务密钥的中继，后面将有实施案例进行详细描述。The quantum communication function of QRR is mainly to relay the service key, and the implementation case will be described in detail later.

基于上述安全通信网络架构系统不同方法流程的应用实例如下所示：An application example based on the different method flows of the above secure communication network architecture system is as follows:

应用实例一：接入、中继和分发业务密钥的情况。Application example 1: The case of accessing, relaying and distributing service keys.

电信级QKD网络既可执行经典业务，又可执行量子业务。经典业务有话音、短信、邮件、数据等，执行经典业务的过程与目前的技术和方法没有区别，此不叙述。量子业务主要就是分发密钥，这里的密钥是业务密钥，对QKD网络来说，业务密钥可以简单地理解为一串需要传递的数字。QKD 网络的两两量子节点之间，会生成量子密钥对，QKD网络的每个量子节点用量子密钥对业务密钥进行加解密运算，再发送给下一条节点，这个过程就是业务密钥的接入、中继和分发流程。The carrier-grade QKD network can perform both classic and quantum services. The classic business has voice, text message, mail, data, etc. The process of executing the classic business is no different from the current technology and method. The quantum service is mainly the distribution key. The key here is the service key. For the QKD network, the service key can be simply understood as a string of numbers to be delivered. QKD A quantum key pair is generated between the two quantum nodes of the network. Each quantum node of the QKD network encrypts and decrypts the service key with the quantum key, and then sends it to the next node. This process is the service key. Access, relay, and distribution processes.

如图4所示为应用实例一中业务密钥的接入与中继的流程图，包括：FIG. 4 is a flowchart of accessing and relaying service keys in application example 1, including:

步骤41、QAG与相邻的量子节点事先制备一批量子密钥，保存在各自的密钥管理模块中，两个相邻量子节点制备的密钥完全一致。例如，QAG与相邻QRR各自生成了一批量子密钥，其中有一个是K1，QRR与下一跳量子节点各自生成了一批量子密钥，其中有一个是K2。Step 41: The QAG and the adjacent quantum node prepare a batch of quantum keys in advance, and save them in the respective key management modules, and the keys prepared by the two adjacent quantum nodes are completely identical. For example, QAG and adjacent QRR each generate a batch of quantum keys, one of which is K1, and QRR and the next hop quantum node each generate a batch of quantum keys, one of which is K2.

步骤42、QAG接入用户A发来的业务密钥S。Step 42: The QAG accesses the service key S sent by the user A.

步骤43、QAG的密钥管理模块提供K1给加解密模块。Step 43: The key management module of the QAG provides K1 to the encryption and decryption module.

步骤44、QAG的加解密模块用K1对S进行加密，得到加密数据包SΛK1。Step 44: The encryption and decryption module of the QAG encrypts S with K1 to obtain an encrypted data packet SΛK1.

步骤45、QAG的接入与路由模块执行路由协议，计算出下一跳量子节点的路由，将SΛK1发往下一跳量子节点。SΛK1可以在公网上传输。Step 45: The access and routing module of the QAG performs a routing protocol, calculates a route of the next hop quantum node, and sends the SΛK1 to the next hop quantum node. SΛK1 can be transmitted on the public network.

步骤46、下一跳的量子节点(这里用QRR做说明)收到SΛK1。Step 46, the next hop quantum node (here described by QRR) receives SΛK1.

步骤47、QRR的密钥管理模块提供K1和K2这两个量子密钥给加解密模块。Step 47: The key management module of the QRR provides two quantum keys K1 and K2 to the encryption and decryption module.

步骤48、QRR的加解密模块用K1和K2对SΛK1进行加解密运算。加解密运算的方法有很多种，最简单的方法是先用K1对SΛK1解密，解出S，再用K2对S加密，得到SΛK2。复杂一点的方法是先对K1和K2做异或运算，得到K1ΛK2，再用K1ΛK2对SΛK1加密。加解密运算的方法不属于本专利的发明点。此处用第一种方法做说明，即用K1对SΛK1解密，再用K2对S加密，得到SΛK2。Step 48: The QRR encryption and decryption module performs encryption and decryption operations on SΛK1 by K1 and K2. There are many ways to encrypt and decrypt the operation. The simplest method is to decrypt SΛK1 with K1, solve S, and then encrypt K with K2 to get SΛK2. A more complicated method is to perform an exclusive OR operation on K1 and K2 to obtain K1ΛK2, and then encrypt K1 to K1 with K1ΛK2. The method of encryption and decryption operation does not belong to the inventive point of this patent. Here, the first method is used to explain, that is, K1 is used to decrypt SΛK1, and then K2 is used to encrypt S to obtain SΛK2.

步骤49、QRR的接入与路由模块执行路由协议，计算出下一跳量子节点的路由，将SΛK2发往下一跳量子节点。SΛK2可以在公网上传输。 Step 49: The QRR access and routing module executes a routing protocol, calculates a route of the next hop quantum node, and sends SΛK2 to the next hop quantum node. SΛK2 can be transmitted on the public network.

如图4所示为应用实例一中业务密钥的中继与分发的流程图，包括：FIG. 4 is a flowchart of relaying and distributing service keys in application example 1, including:

步骤51、QRR与相邻的量子节点事先制备一批量子密钥，保存在各自的密钥管理模块中。两个相邻量子节点制备的密钥完全一致。例如，QRR与上一跳量子节点各自生成了一批量子密钥，其中有一个是K2，QRR与QAG各自生成了一批量子密钥，其中有一个是K3。Step 51: The QRR and the adjacent quantum node prepare a batch of quantum keys in advance and store them in the respective key management modules. The keys prepared by two adjacent quantum nodes are identical. For example, QRR and the previous hop quantum node each generate a batch of quantum keys, one of which is K2, and QRR and QAG each generate a batch of quantum keys, one of which is K3.

步骤52、QRR收到上一跳量子节点传来的SΛK2。Step 52: The QRR receives the SΛK2 from the last hop quantum node.

步骤53、QRR的密钥管理模块提供K2和K3两个量子密钥给加解密模块。Step 53: The key management module of the QRR provides two quantum keys K2 and K3 to the encryption and decryption module.

步骤54、QRR的加解密模块用K2，K3对SΛK2进行加解密运算，得到SΛK3。Step 54: The encryption and decryption module of the QRR performs encryption and decryption operations on SΛK2 with K2 and K3 to obtain SΛK3.

步骤55、QRR的接入与路由模块执行路由协议，计算出下一跳量子节点的路由，将SΛK3发往下一跳量子节点。SΛK3可以在公网上传输。Step 55: The QRR access and routing module executes a routing protocol, calculates a route of the next hop quantum node, and sends SΛK3 to the next hop quantum node. SΛK3 can be transmitted on the public network.

步骤56、QAG收到上一跳QRR发来的SΛK3。Step 56: The QAG receives the SΛK3 sent by the last hop QRR.

步骤57、QAG的密钥管理模块提供量子密钥K3给加解密模块。Step 57: The key management module of the QAG provides the quantum key K3 to the encryption and decryption module.

步骤58、QAG的加解密模块用K3对SΛK3进行解密，得到业务密钥S。Step 58: The encryption and decryption module of the QAG decrypts SΛK3 with K3 to obtain a service key S.

步骤59、QAG的接入与路由模块执行路由协议，将S分发给用户。Step 59: The access and routing module of the QAG executes a routing protocol, and distributes the S to the user.

应用实例二：路由和切换情况。Application example 2: routing and switching.

量子通信是点到点的，即每一个量子节点只与其相邻的固定的量子节点进行量子通信。将业务密钥从一个用户分发到另一个用户，这是一个端到端的过程，中间经过了很多个量子节点，需要计算路径。现有的实验系统，其节点数很少，路径是实验者预先设定好的。对于一个大规模部署的QKD网络，每一个节点都需要运用路由协议自动计算路由，在网络局部发生故障的时候能够自动切换到其他路径上。Quantum communication is point-to-point, that is, each quantum node only performs quantum communication with its adjacent fixed quantum nodes. Distributing a service key from one user to another is an end-to-end process in which many quantum nodes pass through and the path needs to be calculated. In the existing experimental system, the number of nodes is small, and the path is preset by the experimenter. For a large-scale deployment of QKD networks, each node needs to use routing protocols to automatically calculate routes, and automatically switch to other paths when the network fails locally.

如图6所示的是一个电信级QKD网络的极简模型，A、B两用户之间， QAG1，QAG2接入业务密钥，QAG1和QAG2的路径上由3台QRR组成的最小网络进行密钥的中继。OSR由于未参与量子通信处理过程，在图6所示的模型中省略掉了。在每两个相邻的量子节点之间，既有经典信道又有量子信道进行互联，相邻的量子节点通过量子信道各自生成了量子密钥对，用K1，K2，K3，K4，K5表示。业务密钥在从A到B的传递的过程中，加密数据包的格式是：Figure 6 shows a minimalist model of a carrier-grade QKD network between A and B users. QAG1 and QAG2 access the service key, and the minimum network composed of three QRRs on the path of QAG1 and QAG2 relays the key. The OSR is omitted from the model shown in Fig. 6 because it does not participate in the quantum communication processing. Between each two adjacent quantum nodes, there are both classical channels and quantum channels for interconnection. Adjacent quantum nodes generate quantum key pairs through quantum channels, which are represented by K1, K2, K3, K4, K5. . In the process of passing the service key from A to B, the format of the encrypted data packet is:

各个量子节点根据数据包的内容进行路由。路由过程包括：Each quantum node is routed based on the contents of the packet. The routing process includes:

步骤61、用户A有一个业务密钥S要发给用户B，发出数据包的格式是：B|A|S。Step 61: User A has a service key S to be sent to user B, and the format of the data packet is: B|A|S.

步骤62、QAG1收到B|A|S，针对目的地址B计算路由，得到下一跳量子节点的地址是QRR1，查询QAG1与QRR1之间的量子密钥是K1，用K1对S做加密运算，得到SΛK1，QAG1将新的加密数据包B|A|QAG1|SΛK1发给下一跳量子节点QRR1。Step 62: QAG1 receives B|A|S, calculates a route for the destination address B, obtains the address of the next hop quantum node is QRR1, and queries the quantum key between QAG1 and QRR1 as K1, and performs encryption operation on S by K1. , get SΛK1, QAG1 sends the new encrypted data packet B|A|QAG1|SΛK1 to the next hop quantum node QRR1.

步骤63、QRR1收到B|A|QAG1|SΛK1，查询上一跳量子节点QAG1与QRR1的量子密钥是K1，针对目的地址B计算路由，得到下一跳量子节点的地址是QRR2，查询QRR1与QRR2之间的量子密钥是K2，对SΛK1用K1做解密再用K2做加密，得到SΛK2，QRR1将新的加密数据包B|A|QAG1|QRR1|SΛK2发给下一跳量子节点QRR2。Step 63: QRR1 receives B|A|QAG1|SΛK1, queries the quantum key of the last hop quantum nodes QAG1 and QRR1 as K1, calculates a route for the destination address B, and obtains the address of the next hop quantum node is QRR2, and queries QRR1 The quantum key with QRR2 is K2, and K1 is decrypted with S1 and then encrypted with K2 to obtain SΛK2. QRR1 sends the new encrypted packet B|A|QAG1|QRR1|SΛK2 to the next hop quantum node QRR2. .

步骤64、QRR2收到B|A|QAG1|QRR1|SΛK2，采用与63相同的处理过程，向下一跳QAG2发出新的加密数据包B|A|QAG1|QRR1|QRR2|SΛK3。Step 64: QRR2 receives B|A|QAG1|QRR1|SΛK2, and uses the same processing procedure as 63 to issue a new encrypted data packet B|A|QAG1|QRR1|QRR2|SΛK3 to the next hop QAG2.

步骤65、QAG2收到B|A|QAG1|QRR1|QRR2|SΛK3，查询上一跳量子节点QRR2与QAG2的量子密钥是K3，用K3对SΛK3解密得到初始业务密钥S，将S分发给用户B。 Step 65: QAG2 receives B|A|QAG1|QRR1|QRR2|SΛK3, and queries the quantum key of the last hop quantum node QRR2 and QAG2 to be K3, decrypts SΛK3 with K3 to obtain the initial service key S, and distributes S to User B.

这里需要指出的是，当网络中某些信道出现问题，例如QRR1和QRR2之间的信道出现问题，需要进行链路切换。切换过程还包括如下步骤：It should be pointed out here that when there is a problem with some channels in the network, such as a problem between the channels between QRR1 and QRR2, link switching is required. The switching process also includes the following steps:

其中，前两步61、62过程，如上述路由过程中的一样，保持不变。Among them, the first two steps 61, 62 process, as in the above routing process, remain unchanged.

步骤66、QRR1收到B|A|QAG1|SΛK1，查询上一跳量子节点QAG1与QRR1的量子密钥是K1，针对目的地址B计算路由，发现QRR1和QRR2不通，重新计算路由得到新的下一跳量子节点的地址是QRR3，查询QRR1与QRR3之间的量子密钥是K4，对SΛK1用K1做解密再用K4做加密，得到SΛK4，QRR1将新的加密数据包B|A|QAG1|QRR1|SΛK4发给下一跳量子节点QRR3。Step 66: QRR1 receives B|A|QAG1|SΛK1, and queries the quantum key of the last hop quantum nodes QAG1 and QRR1 to be K1, calculates a route for the destination address B, finds that QRR1 and QRR2 are unreachable, and recalculates the route to obtain a new one. The address of the one-hop quantum node is QRR3, the quantum key between the query QRR1 and QRR3 is K4, the decryption is performed by K1 for SΛK1 and then encrypted by K4, and SΛK4 is obtained, and QRR1 will encrypt the new packet B|A|QAG1| QRR1|SΛK4 is sent to the next hop quantum node QRR3.

步骤67、QRR3收到B|A|QAG1|QRR1|SΛK4，采用与63相同的处理过程，向下一跳QAG2发出新的加密数据包B|A|QAG1|QRR1|QRR3|SΛK5。Step 67: QRR3 receives B|A|QAG1|QRR1|SΛK4, and uses the same processing procedure as 63 to issue a new encrypted data packet B|A|QAG1|QRR1|QRR3|SΛK5 to the next hop QAG2.

步骤68、QAG2收到B|A|QAG1|QRR1|QRR3|SΛK5，查询上一跳量子节点QRR3与QAG2的量子密钥是K5，用K5对SΛK5解密得到初始业务密钥S，将S分发给用户B。Step 68: QAG2 receives B|A|QAG1|QRR1|QRR3|SΛK5, queries the quantum key of the last hop quantum node QRR3 and QAG2 is K5, decrypts SΛK5 with K5 to obtain the initial service key S, and distributes S to User B.

本发明实施例所述集成的模块如果以软件功能模块的形式实现并作为独立的产品销售或使用时，也可以存储在一个计算机可读取存储介质中。基于这样的理解，本发明实施例的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来，该计算机软件产品存储在一个存储介质中，包括若干指令用以使得一台计算机设备(可以是个人计算机、服务器、或者网络设备等)执行本发明各个实施例所述方法的全部或部分。而前述的存储介质包括：U盘、移动硬盘、只读存储器(ROM，Read-Only Memory)、随机存取存储器(RAM，Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。这样，本发明实施例不限制于任何特定的硬件和软件结合。The integrated modules described in the embodiments of the present invention may also be stored in a computer readable storage medium if they are implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solution of the embodiments of the present invention may be embodied in the form of a software product in essence or in the form of a software product stored in a storage medium, including a plurality of instructions. A computer device (which may be a personal computer, server, or network device, etc.) is caused to perform all or part of the methods described in various embodiments of the present invention. The foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like. . Thus, embodiments of the invention are not limited to any specific combination of hardware and software.

相应的，本发明实施例还提供一种计算机存储介质，其中存储有计算机程序，该计算机程序用于执行本发明实施例的业务密钥分发方法及路由切换方法。Correspondingly, an embodiment of the present invention further provides a computer storage medium, where a calculation is stored The computer program is used to execute the service key distribution method and the route switching method of the embodiment of the present invention.

以上所述，仅为本发明的较佳实施例而已，并非用于限定本发明的保护范围。The above is only the preferred embodiment of the present invention and is not intended to limit the scope of the present invention.

Industrial applicability

Claims

a first quantum node configured to generate a quantum key pair by negotiation with a second quantum node through a quantum channel to access user service data according to the quantum key pair The service key is subjected to encryption and decryption processing to obtain a processed data packet; and the processed data packet is transmitted to the adjacent second quantum node through a classical channel according to a routing protocol.

The first quantum node of claim 1 wherein said first quantum node comprises:

a quantum communication module configured to select the same random number sequence at both ends of the quantum communication module in the adjacent second quantum node through negotiation of the quantum channel as the quantum key pair;

a key management module configured to store and manage the quantum key pair;

The encryption and decryption module is configured to perform encryption and decryption processing on the service key that accesses the user service data according to the quantum key pair, to obtain the processed data packet;

The access and routing module is configured to obtain the service data of the access user after the access authentication is performed, and send the service key corresponding to the service data to the encryption and decryption module for encryption processing, and then select The routing path of the next hop quantum node transmits the first encrypted data packet obtained by the encryption process to the second quantum node as the next hop quantum node, and the second obtained by the encrypted processing of the receiving peer end The encrypted data packet is sent to the encryption and decryption module for decryption processing and returned to the user.

The first quantum node according to claim 2, wherein the quantum communication module is further configured to generate a first quantum key K1 by negotiation with a quantum communication module in an adjacent second quantum node through a quantum channel, The second quantum node negotiates with the next hop quantum node adjacent to the second quantum node to generate a second quantum key K2.

The first quantum node according to claim 3, wherein the encryption and decryption module is further configured to encrypt the service key S according to the first quantum key K1 to obtain the first An encrypted data packet SΛK1;

The access and routing module is further configured to obtain a routing path of a next hop quantum node according to the routing protocol, and send the SΛK1 to the second quantum node that is a next hop quantum node.

a second quantum node configured to generate a quantum key pair by negotiation of a quantum channel with an adjacent first quantum node or a next hop quantum node adjacent to the second quantum node, to generate a quantum key pair Decrypting and decrypting a service key that accesses user service data according to the quantum key pair to obtain a processed data packet; and transmitting the processed data packet to the second and second channels according to a routing protocol according to a routing protocol. The next hop quantum node adjacent to the quantum node.

The second quantum node of claim 5 wherein said second quantum node comprises:

The quantum communication module is configured to select the same random number sequence at both ends by the quantum channel negotiation in the quantum communication module in the next hop quantum node adjacent to the adjacent first quantum node or the second quantum node It acts as the quantum key pair;

a key management module configured to store and manage the quantum key pair;

a routing module, configured to obtain, according to a routing protocol, the first quantum node as a last hop quantum node and the next hop quantum node adjacent to the second quantum node; encrypting the first quantum node The first encrypted data packet obtained by the processing is sent to the encryption and decryption module for decryption processing, and then encrypted to obtain a third encrypted data packet, and the third encrypted data packet is transmitted to the next adjacent to the second quantum node. a one-hop quantum node; and transmitting, by the receiving end, the encrypted data packet obtained by the encryption process to the encryption and decryption module for decryption processing.

The second quantum node according to claim 6, wherein the quantum communication module is further configured to negotiate with a quantum communication module in an adjacent first quantum node through a quantum channel Forming a first quantum key K1, the second quantum node negotiates with a next hop quantum node adjacent to the second quantum node to generate a second quantum key K2.

The second quantum node according to claim 7, wherein the encryption and decryption module is further configured to receive a first encrypted data packet SΛK1 sent by the first quantum node; and according to the first quantum key K1 The SΛK1 is decrypted and then encrypted by the second quantum key K2 to obtain the third encrypted data packet SΛK2;

The routing module is further configured to obtain a routing path of the next hop quantum node according to the routing protocol, and send the SΛK2 to a next hop quantum node adjacent to the second quantum node.

A secure communication architecture system, the system comprising the first quantum node according to any one of claims 1 to 4, and the second quantum node according to any one of claims 5-8;

The system further includes: a route switching node;

The route switching node is configured to be used as a transmission medium transparent optical path between the first quantum node and the second quantum node.

A service key transmission method, the method being applied to a first quantum node, the method comprising:

Generating a quantum key pair by the first quantum node and the adjacent second quantum node through negotiation of the quantum channel;

Decrypting and decrypting a service key that accesses user service data according to the quantum key pair to obtain a processed data packet;

The processed data packet is transmitted to the adjacent second quantum node through a classical channel according to a routing protocol.

A service key transmission method, the method being applied to a second quantum node, the method comprising:

Generating, by the quantum channel, a quantum key pair by the second quantum node and the adjacent first quantum node or the next hop quantum node adjacent to the second quantum node;

And transmitting the processed data packet to the next hop quantum node adjacent to the second quantum node by using a classical channel according to a routing protocol.

A service key transmission method, the method is based on the secure communication architecture system, and the method includes:

A quantum key pair is generated by negotiation of a quantum channel between each adjacent two quantum nodes;

Each of the adjacent two quantum nodes includes a quantum node of a last hop and a quantum node of a next hop, and the type of the quantum node includes a first quantum node and a second quantum node;

The service key that accesses the user service data is subjected to encryption and decryption processing according to the quantum key pair, and the processed data packet is transmitted through the classical channel according to a routing protocol.

The method according to claim 12, wherein said quantum key pair generated by said neighboring two quantum nodes through negotiation of a quantum channel comprises at least: a first quantum key K1;

And performing the encryption and decryption processing on the service key that accesses the user service data according to the quantum key pair, and the processed data packet is transmitted through the classic channel according to the routing protocol, including:

Accessing the service key S sent by the user;

Obtaining the first quantum key K1, encrypting the service key S according to the first quantum key K1 to obtain a first encrypted data packet SΛK1;

Calculating the route of the next hop quantum node according to the routing protocol, and sending the SΛK1 to the quantum node of the next hop.

The method according to claim 13, wherein said quantum key pair generated by said adjacent two quantum nodes through negotiation of a quantum channel further comprises: a second quantum key K2 and a third quantum key K3 ;

And performing, according to the quantum key pair, the service key that accesses the user service data is subjected to encryption and decryption processing, and the processed data packet is transmitted through the classic channel according to the routing protocol, and further includes:

The quantum node of the next hop receives the SΛK1;

Obtaining the first quantum key K1 and the second quantum key K2;

Decrypting the SΛK1 according to the first quantum key K1 and then encrypting with the second quantum key K2 to obtain the third encrypted data packet SΛK2;

Calculating a route of the next hop quantum node according to the routing protocol, and sending the SΛK2 to the quantum node of the next hop;

Obtaining the second quantum key K2 and the third quantum key K3;

Decrypting the SΛK2 according to the second quantum key K2 and then encrypting with the third quantum key K3 to obtain a fifth encrypted data packet SΛK3;

Calculating the route of the next hop quantum node according to the routing protocol, and sending the SΛK3 to the quantum node of the next hop, decrypting SΛK3 with the third quantum key K3, obtaining the service key S and distributing it to the office User.

A route switching method, the method is based on the secure communication architecture system, and the method includes:

Decrypting and processing the service key accessing the user service data according to the quantum key pair, and obtaining the processed data packet, the data format of which is the destination address|source address|the first quantum node|the second quantum node|. ..|Current quantum node|encrypted information;

Each of the adjacent two quantum nodes performs route switching according to a data format obtained by parsing the processed data packet.

The method according to claim 15, wherein when the secure communication architecture system is composed of a destination user A, a source user B, a first quantum node QAG1, and a second quantum node QRR1, the data format is specifically: B|A |QAG1|QRR1|SΛK2.

The method according to claim 15, wherein each of the adjacent two quantum nodes performs routing switching according to a data format obtained by parsing the processed data packet, including:

When user A has a service key S to be sent to user B, the format of the data packet is: B|A|S;

The current quantum node QAG1 receives the data packet, parses out its data format as the B|A|S, calculates a route for the destination address B, and obtains the address of the next hop quantum node is QRR1, and queries between QAG1 and QRR1. The first quantum key is K1, and the encryption operation is performed by K1 to obtain the first encrypted data packet SΛK1, and the data format is B|A|QAG1|SΛK1, and QAG1 sends the SΛK1 to the next hop quantum node QRR1;

QRR1 receives the SΛK1 and parses out its data format as the B|A|QAG1|SΛK1. The first quantum key of the last hop quantum nodes QAG1 and QRR1 is K1, and the route is calculated for the destination address B. The address of the one-hop quantum node is QRR2, the second quantum key between the query QRR1 and QRR2 is K2, and the K1 is decrypted by S1 and then encrypted by K2, and the third encrypted data packet SΛK2 is obtained. The data format is B| A|QAG1|QRR1|SΛK2, QRR1 sends the SΛK2 to the next hop quantum node QRR2;

QRR2 receives the SΛK2 and parses out its data format as the B|A|QAG1|QRR1|SΛK2,

The second quantum key of the last hop quantum node QRR1 and QRR2 is K2, and the route is calculated for the destination address B, and the address of the next hop quantum node is QAG2, and the third quantum key between the query QRR2 and QAG2 is K3. K1 is decrypted for SΛK2 and then encrypted with K3 to obtain the fifth encrypted data packet SΛK3. The data format is B|A|QAG1|QRR1|QRR2|SΛK3, and QRR2 sends the SΛK3 to the next hop quantum node QAG2. ;

QAG2 receives the SΛK3, parses out its data format as the B|A|QAG1|QRR1|QRR2|SΛK3, and queries the third quantum key of the last hop quantum nodes QRR2 and QAG2 to be K3, and decrypts SΛK3 with K3. Obtain the initial service key S and distribute the S to the user. B.