WO2019128753A1 - Low-latency quantum key mobile service method - Google Patents

Low-latency quantum key mobile service method

Info

Publication number
WO2019128753A1
Authority
WO
WIPO (PCT)
Prior art keywords
quantum
key
qkp
service
relay
Prior art date
Application number
PCT/CN2018/121409
Other languages
English (en)
Chinese (zh)
Inventor
熊英
陈娟
唐小康
Original Assignee
成都零光量子科技有限公司
Priority date
Filing date
Publication date
Application filed by 成都零光量子科技有限公司
Publication of WO2019128753A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0852 Quantum cryptography
    • H04L9/0855 Quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Definitions

  • the invention belongs to the field of quantum secure communication and mobile communication, and particularly relates to a low-latency quantum key mobile service method.
  • Quantum key distribution is a new method for secure key distribution through quantum channels.
  • QKD is based on quantum mechanical principles such as the no-cloning theorem (an unknown quantum state cannot be copied exactly), and can realize unconditionally secure quantum key distribution.
  • the QKD network requires a dedicated fiber channel, quantum relay and quantum routing remain difficult technical problems, and quantum links suffer concurrency conflicts under large-scale use. Therefore, it is difficult to construct a quantum network with a complex topology.
  • Chinese Patent No. CN 104243143 B and Application Publication No. CN 106972922 A disclose a mobile secret communication method based on a quantum key distribution network, which comprises a quantum key distribution network composed of centralized control stations, each of which can be bound to at least one terminal device, and which uses unicast and key single-hop forwarding route addressing relay to deliver the encrypted information to the terminal device bound to the remote centralized control station.
  • its ciphertext and key relay have security diffusion problems, large-scale concurrency conflicts and delay problems; since the service key (or session key) must be generated by a centralized control station, generating a large number of random numbers in real time under large-scale application occupies considerable system resources.
  • the present invention discloses a novel session key generation and concurrent relay method, and a low-latency quantum key mobility service method based on it, including but not limited to the following steps:
  • a registered application terminal applies to at least one quantum service node in the quantum key distribution network for quantum key traffic (the quantum key traffic is denoted QKP; a QKP is produced by generating a certain amount of random numbers from a noise source, dividing them, after a randomness test, into multiple subkeys according to a certain length and format, and creating a corresponding key identifier or number for each subkey), so that quantum key traffic is shared between the application terminal and the quantum service node, and establishes the quantum.
  • the quantum service node sends the service association list to a quantum network management server of the quantum key distribution network; (1-3) after the communication service is initiated (or before the communication service starts, depending on the specific service characteristics; this is not strictly defined), the application terminal requests the session key service for the current communication from the quantum key distribution network (the calling and called application terminals of the communication are MT_U and MT_V respectively);
  • the quantum network management server in the quantum key distribution network searches for the corresponding service association lists according to the quantum IDs of the application terminals MT_U and MT_V, and obtains the associated calling quantum service node QKN_A and called quantum service node QKN_B; MT_U uses a subkey QKP_AUi in the quantum key traffic shared with QKN_A (i is a natural number not greater than the number of subkeys in the quantum key traffic), and MT_V uses a subkey QKP_BVj in the quantum key traffic shared with QKN_B (j is a natural number not greater than the number of subkeys in the quantum key traffic, and can be selected according to the encryption and decryption rate of the specific service data.
  • the length of the key and the address of the relay node participating in the session key service;
  • the quantum network management server performs the following operations according to the stored relay routing table and the current state indicator of the associated quantum service node:
  • the quantum network management server directly specifies QKN_A to provide the session key service;
  • QKN_A sends R together with the key identifiers of QKP_AUi and QKP_BVj to the quantum key relay server, and the quantum key relay server sends the key identifiers of R and QKP_AUi to MT_U, and the key identifiers of R and QKP_BVj to MT_V;
  • MT_U negotiates with MT_V to use QKP_AUi (
  • the quantum network management server directly specifies that QKN_A and QKN_B use a previously cached shared quantum key or a real-time negotiated shared quantum key Kab;
  • QKN_A sends the key identifiers of Kab ⊕ QKP_AUi and QKP_AUi to the quantum key relay server;
  • QKN_B sends the key identifiers of Kab ⊕ QKP_BVj and QKP_BVj to the quantum key relay server;
  • the quantum key relay server sends the key identifiers of R and QKP_AUi to MT_U, and sends the key identifiers of R and QKP_BVj to MT_V.
  • the quantum network management server directly specifies that the QKN_A and QKN_B use a shared quantum key buffered in advance or a shared quantum key R negotiated in real time;
  • the quantum network management server selects n (n is a natural number greater than 0) relay nodes to participate in the quantum key relay, and causes each relay node to calculate the exclusive OR value of the shared quantum keys it holds with its two adjacent nodes and transmit it to the quantum key relay server;
  • the quantum key relay server sends the key identifiers of R and QKP_AUi to MT_U, and sends the key identifiers of R and QKP_BVj to MT_V; MT_U negotiates with MT_V to use QKP_AUi (or QKP_BVj) as the shared session key, and accordingly MT_V calculates R ⊕ QK
  • the MT_U and MT_V use the session key R obtained in the step (1-5) to perform secure communication through the original data link of the communication service.
  • the content of the service association list in the foregoing step (1-2) includes, but is not limited to, the quantum ID of the application terminal, the verification password, the address of the associated quantum service node, and the service account identifier; wherein the quantum ID of the registered application terminal is unique in the entire quantum key distribution network; the verification password is used for identity confirmation when the application terminal connects to the quantum key distribution network; and the service account identifier is a collection of accounts for the communication service types supported by the application terminal and the quantum key distribution network, containing one or more accounts for different services.
  • the above method further includes a quantum network management server, and the features thereof include but are not limited to:
  • (3-1) storing, maintaining, and querying a service association list and a relay routing table between the quantum service node and the application terminal;
  • sending a relay service command to the quantum key relay server according to the received relay request information;
  • (3-4) summarizing the current state indicators of the nodes participating in the trusted relay, and determining the nodes participating in the relay;
  • the foregoing method further includes a quantum key relay server, and the features thereof include, but are not limited to, responding in real time to instructions of the quantum network management server, receiving relay related data from the relay nodes, and transmitting relay key related data to the source node and the target node.
  • the above method further includes that the quantum service node includes but is not limited to: a QKD system, a quantum key server, and a secure storage server, and is characterized by:
  • the QKD system includes one or more QKD transceivers, or QKD transmitters and/or receivers; the QKD of a quantum service node and the QKD of other adjacent quantum service nodes connected by point-to-point quantum channels can form at least one set of quantum key distribution systems (the same type of QKD system is used between adjacent relay nodes to form a quantum key distribution link);
  • the quantum key server is configured to provide a registration service and a quantum key traffic service for the application terminal and create a corresponding service association list, and is further configured to respond to instructions of the quantum network management server, report node status information, and provide the trusted relay service; it is also used to send the user registration information and the service association list to the quantum network management server, and to negotiate and confirm the quantum key used with the adjacent node;
  • the secure storage server is configured to cache the quantum keys negotiated between the QKD system and the QKD systems of directly connected adjacent quantum service nodes, and is also used to store and serve the quantum key traffic shared with the application terminals.
  • the quantum keys may be buffered in advance, or a certain amount of quantum keys may be negotiated in real time; the corresponding nodes group the quantum keys and perform a randomness test on each group, and a packet that passes the randomness test is divided into a plurality of subkeys (for example, one 10 MB packet divided into 10 subkeys of 1 MB, or into a plurality of 32 B, 64 B or 128 B subkeys); the subkeys are numbered and cached, and the corresponding key identifiers are created.
  • the method for the quantum network management server to obtain the address of the relay node participating in the session key service is characterized by:
  • the quantum network management server searches for the corresponding service association list according to the received quantum IDs of the calling application terminal and the called application terminal, and obtains the address of the calling quantum service node and the called quantum service node address in the current communication;
  • the stored relay routing table is further queried to obtain the address of each relay quantum service node between the calling quantum service node and the called quantum service node in the current communication.
  • the relay routing table needs to consider whether there is a pre-cached quantum key between adjacent nodes and whether a quantum key can be negotiated in real time: if adjacent nodes have a pre-cached quantum key or can negotiate one in real time, the route between them is reachable; otherwise it is unreachable.
  • the method further includes: if a registered application terminal acquires quantum key traffic from a plurality of quantum service nodes, has a service association relationship with each of them, and saves a corresponding plurality of service association lists, the application terminal sorts the service association lists by priority (for example, the node where it registered, the node at its current location whose traffic it is using, etc.; this is not limited by the present invention), preferentially selects the associated quantum service node according to the ranking, and uses the corresponding quantum key traffic.
  • the "relay routing table" in the step (1-5) in the above method includes, but is not limited to:
  • the relay routing table is composed of a plurality of records, and the contents of each record include but are not limited to: a local address, a destination address, and a next hop address;
  • each quantum service node of the quantum key distribution network stores its own relay routing table;
  • the current state indicator of the quantum service node in the above method includes, but is not limited to:
  • an indicator reflecting the current position and state of the quantum service node in the quantum key distribution network, the indicator being a quantitative indicator including but not limited to:
  • the application terminal in the above method comprises: an intelligent portable communication device having a wireless communication function (including but not limited to a smart phone, a tablet with a network communication function, and a notebook computer); a key data forwarding device having a wireless communication function (including but not limited to a key injection device with a wireless communication function, and a secure tablet with a wireless communication function for directly importing a key into a fixed cryptographic terminal); and a device that uses quantum key traffic and the method to obtain a key shared with other devices (including but not limited to a network IP encryption device that obtains quantum key traffic through a mobile storage medium and negotiates a shared key using the method, various VPN encryption gateway devices, channel encryption devices, and a PC running encryption software); characterized in that:
  • the intelligent portable communication device having a wireless communication function is configured to perform service data encryption and decryption communication using a session key obtained by the method;
  • the key data forwarding device having a wireless communication function is configured to forward the session key obtained by the method to other encrypted communication devices, which then use it for encryption and decryption of the service data exchanged between them;
  • the device that acquires a shared key with other devices by using quantum key traffic and the method is characterized in that it obtains quantum key traffic by an offline route, negotiates a shared key with other devices using the method, and performs encrypted communication based on the shared key.
  • when the quantum key traffic of an application terminal is used up, it can apply to any quantum service node for new quantum key traffic and create a new service association list.
  • the above method further includes quantum key traffic, wherein the quantum key traffic comprises a random number sequence of a certain length having a specific data format, and a sequenced random key sequence, characterized in that: the random number sequence is a random number sequence that has passed a randomness test and can be divided into multiple subkeys of a certain length; the sequenced random key sequence is composed of multiple subkeys with key identifiers that have passed the randomness test (quantum key traffic generates a certain amount of random numbers from the noise source; after passing the randomness test, the random numbers are divided into multiple subkeys according to a certain length and format, and a corresponding key identifier or number is created; a QKP includes multiple subkeys and their key identifiers).
  • the key identifier includes an application terminal ID, an associated node ID, a key number, and a key data length.
  • for example, the key identifier KeyIndex_U1_A_2_1MB indicates the key shared between application terminal U1 and node A (key number 2, key data length 1 MB).
  • the present invention has a more flexible and efficient quantum key service mode, and has significant innovations in the following aspects:
  • the session key of the present invention is directly generated by the quantum key of the calling and called nodes, and does not require an additional noise source; the efficiency is higher, and there is no performance bottleneck;
  • the key relay adopts the concurrent relay mode, in which each relay node directly transmits the XOR value of its relay keys with the adjacent nodes to the quantum key relay server, thereby overcoming the process delay and security diffusion problems of the usual "single-hop routing addressing" relay; the relay efficiency is higher, the security is higher, and there is no large-scale concurrency conflict on the quantum links;
  • the invention has very important practical application value in the fields of mobile secure communication, mobile office systems, network control systems of industrial control systems (finance, electric power, energy, transportation, etc.).
  • Figure 1 is a schematic diagram of the principle of the method of the present invention.
  • FIG. 2 is a schematic flowchart of an application terminal registration and communication according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram of a principle of using a shared key between adjacent nodes according to an embodiment of the present invention
  • FIG. 4 is a schematic diagram of a quantum key mobility service method according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of an application principle of a key data forwarding device with a wireless communication function according to an embodiment of the present invention
  • FIG. 6 is a schematic diagram of an extended application principle of a key data forwarding device with a wireless communication function according to an embodiment of the present invention
  • FIG. 7 is a schematic diagram of an application principle of a device for acquiring a shared key with other devices by using quantum key traffic and the method of the present invention according to an embodiment of the present invention.
  • the communication channels involved in the solution of the present invention include the quantum key distribution channel between quantum service nodes and a traditional communication network channel (including wired and wireless networks, wherein the wireless network includes but is not limited to 4G/5G networks, WiFi and satellite communication networks); the channels between application terminals, between the application terminal and the quantum service node, and between the application terminal and the quantum network management server (quantum key relay server) are conventional communication network channels, in particular wireless ones; communication between the quantum network management server and the quantum key relay server, and other network communication, uses the traditional communication network channel, including wired and wireless channels, and the communication between the mobile terminal and the quantum service node or the quantum network management server preferentially selects the wireless channel.
  • the keys involved in the solution of the present invention mainly comprise three parts: (1) the shared key between adjacent quantum service nodes (or quantum relay nodes), which is generated by the quantum key distribution system between the adjacent quantum service nodes (or quantum relay nodes) and stored in the quantum service node; (2) the quantum key traffic between the application terminal and its associated quantum service node, which is generated and saved by the quantum service node and downloaded by the application terminal over a wired connection to its storage device; (3) the session key negotiated in real time for each communication; these keys are used only once and are deleted after use.
  • the embodiment of the present invention shown in FIG. 1 and the reference symbols in FIG. 1 are the same as in the corresponding description in paragraph [0004] above, and are not repeated here.
  • the detailed embodiment of the present invention will be described below by taking the process of completing the secure communication between the application terminal initial registration and the application terminals using the method of the present invention as an example.
  • the application terminals MT_U and MT_V respectively apply for registration with the adjacent QKN_A and QKN_B and obtain quantum IDs (process 1 in FIG. 2): for example, the holder of the application terminal (who may be an individual or the manufacturer of the application terminal) first goes to the confidentiality certification center to complete the network access registration procedure, and the certification center audits the user's network access application; each application terminal approved for network access obtains a unique quantum ID distributed by the quantum network management server, which is stored in a permanent storage medium (such as an SD cryptographic card) of the application terminal, sets a password for identity authentication when obtaining the service, and applies for and obtains the quantum key traffic QKP_AU and QKP_BV respectively (process 2 in FIG. 2);
  • QKN_A and QKN_B respectively create service association lists for the associated application terminals MT_U and MT_V and upload them to the quantum network management server (process 3 in FIG. 2); wherein the service association list is composed of several records, each record representing the association information of one registered application terminal, the format of which includes but is not limited to the following:
  • the application terminal MT_U requests the session key with MT_V from the quantum network management server through the traditional communication network (process 4 in FIG. 2); the quantum network management server first authenticates the identity (for example, it requires the application terminal to input its quantum ID and the corresponding password, or the associated quantum service node ID and a business account such as a mobile phone number or mailbox; if the information does not match, it must be re-entered; if the quantum ID does not exist or has been deactivated, the terminal must re-apply or be activated); after identity authentication, the corresponding service association lists are searched according to the quantum IDs of the application terminals MT_U and MT_V, and the associated QKN_A and QKN_B are found from the service association lists;
  • the quantum network management server directly specifies (process 5 in FIG. 2) that QKN_A and QKN_B use a shared quantum key cached in advance, or a shared quantum key Kab negotiated in real time (negotiated using process 6 in FIG. 2);
  • QKN_A sends the key identifiers of Kab ⊕ QKP_AUi and QKP_AUi to the quantum key relay server (process 7 in FIG. 2);
  • QKN_B sends the key identifiers of Kab ⊕ QKP_BVj and QKP_BVj to the quantum key relay server (process 7 in FIG. 2);
  • the quantum key relay server sends the key identifiers of R and QKP_AUi to MT_U (process 8 in FIG. 2), and the key identifiers of R and QKP_BV
  • apart from the process of acquiring quantum key traffic, the application terminal does not need to connect to the QKN or the quantum network management server through a wired connection during communication, and its geographical location is not limited; communication uses a traditional communication network, including wired and wireless communication networks.
  • FIG. 3 shows an embodiment of the method for confirming the key identifier of the quantum key used between adjacent nodes according to the present invention, wherein node C(i-1) (i is a natural number greater than 0, used here only to distinguish nodes) sends to node Ci the key identifier of a shared key Ki selected from the shared keys between them (process 1 in FIG. 3), and node Ci sends to node C(i-1) confirmation that Ki is selected (process 3 in FIG. 3); node Ci sends to node C(i+1) the key identifier of a shared key K(i+1) selected from the shared keys between the two of them (process 2 in FIG. 3), and node C(i+1) sends to node Ci confirmation that K(i+1) is selected (process 4 in FIG. 3). If the quantum key margin between adjacent nodes is insufficient, a certain amount of shared quantum key is first negotiated in real time, and then a subkey is negotiated for use in the current key relay service.
  • the quantum network management server selects three relay nodes QKN_C1, QKN_C2 and QKN_C3 (the quantum network management server first sends QKN_C1, QKN_C2 and QKN_C3 an instruction to upload their respective current state indicators; it then collects the current state metrics of the nodes, such as the nominal quantum key distribution rate of each node, how many relay tasks each is currently participating in, and whether quantum channels are available to other nodes).
  • R3 = K3 ⊕ K4, and send R1, R2 and R3 to the quantum key relay server respectively;
  • the quantum key relay server then sends the key identifiers of R and QKP_AUi to MT_U, and sends the key identifiers of R and QKP_BVj to MT_V;
  • MT_U and MT_V use QKP_AUi (or QKP_BVj) as the session key for the communication and perform secure communication.
  • FIG. 5 is a schematic diagram of an application principle of a key data forwarding device with a wireless communication function according to an embodiment of the present invention, wherein the mobile terminals are a secure mobile phone 501 and a secure tablet 502 with a wireless communication function for directly importing a key into a fixed cryptographic terminal; the secure mobile phone 501 and the secure tablet 502 apply for quantum key traffic to quantum service node A 503 and quantum service node B 504 respectively, acquire the shared session key using the method in FIG., and pass the session key into the cryptographic server 506 through a dedicated security interface (such as a one-way USB cable, an SD cryptographic card or a wireless injection adapter);
  • the secure mobile phone 501 encrypts the data to be uploaded using the session key and uploads it to the cryptographic server 506 via the VPN gateway 505.
  • the cryptographic server 506 decrypts the data using the session key and uploads it to the enterprise OA system 507.
  • when the secure mobile phone 501 downloads data from the enterprise OA system 507, the downloaded data is first encrypted by the cryptographic server 506 using the session key, then downloaded to the secure mobile phone 501 via the VPN gateway 505, and the secure mobile phone 501 decrypts the data using the session key.
  • two secure mobile phones can likewise first obtain a shared session key and then communicate securely with each other.
  • FIG. 6 is a schematic diagram of an extended application principle of a key data forwarding device with a wireless communication function according to an embodiment of the present invention, wherein security tablets 601 and 602 with a wireless communication function for directly importing a key into a fixed cryptographic terminal apply for quantum key traffic to quantum service node A 603 and quantum service node B 604 respectively.
  • the security tablet 601 and the security tablet 602 acquire the shared session key by using the method in FIG.
  • the dedicated security interface for example, The one-way USB cable, the SD cryptographic card or the wireless injection adapter
  • the service communication between the industrial control system A 607 and the industrial control system B 607 is encrypted and decrypted based on the shared session key.
  • FIG. 7 is a schematic diagram of an application principle of a device for acquiring a shared key with another device by using the quantum key traffic and the method of the present invention, wherein 701 and 702 are respectively bound to the cryptographic servers 605 and 606, respectively.
  • the removable storage medium is used to inject quantum key traffic for the cryptographic servers 605 and 606, respectively; the cryptographic servers 605 and 606 acquire the shared session key using the method of FIG. 1, and perform encryption and decryption communication based on the shared session key.
  • the method of the invention can be widely used in mobile secure communication, mobile office systems, and also in network security systems of industrial control systems (financial, electric power, energy, transportation, etc.).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a low-latency quantum key mobile service method, intended to solve the security, efficiency and large-scale access problems of a quantum key mobile service. The present invention comprises the following steps: an application terminal requests registration with a quantum node and obtains quantum key traffic; a quantum network management server queries the associated calling and called quantum nodes and a relay node according to the request; each node simultaneously sends the exclusive-OR value of the quantum keys it shares with its two adjacent nodes to a quantum key relay server; the quantum key relay server performs an exclusive-OR computation on the corresponding exclusive-OR values it receives in order to obtain the exclusive-OR value of the quantum keys of the two application terminals; and the application terminal implements key sharing on the basis of that exclusive-OR value. The method according to the present invention has the advantages of being secure and highly efficient, having low latency and suffering no performance-degrading congestion; and the present invention has significant application value in fields such as mobile communication, mobile office and industrial control network security systems.
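The XOR-relay step in the abstract, as an added Python simulation (not the patent's or the applicant's code): every quantum node on the path publishes only the XOR of its two adjacent link keys, the relay server XORs those values so the intermediate keys cancel, and terminal A recovers terminal B's key from its own. Link keys are constructed with `secrets.token_bytes()` in place of real QKD material, and all function names are my own.

```python
import secrets
from functools import reduce

# Added simulation of the XOR-based key relay described in the abstract.
# Path: terminal A - calling node - relay node(s) - called node - terminal B.
# Every adjacent pair shares a fresh one-time quantum key; here those link keys
# are constructed with secrets.token_bytes() instead of real QKD hardware.

def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR. Lengths must match: a shorter operand would silently
    truncate the key, so it is treated as an error rather than padded."""
    if len(a) != len(b):
        raise ValueError("key length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def hop_keys(n_relays: int, key_len: int) -> list:
    """Link keys along the path. hops[0] is A's key with the calling node,
    hops[-1] is B's key with the called node; the rest are node-to-node keys."""
    return [secrets.token_bytes(key_len) for _ in range(n_relays + 3)]

def node_contributions(hops: list) -> list:
    """Each quantum node (calling, relay, called) publishes the XOR of the two
    link keys it holds. A node therefore sees both of its keys in the clear,
    which is why the nodes must be trusted in this relay model."""
    return [xor(hops[i], hops[i + 1]) for i in range(len(hops) - 1)]

def relay_server_combine(contributions: list) -> bytes:
    """The quantum key relay server XORs all published values. Every
    intermediate key appears twice and cancels, leaving k_A XOR k_B; the
    server never receives any individual link key."""
    return reduce(xor, contributions)

def terminal_recover(own_key: bytes, combined: bytes) -> bytes:
    """Terminal A derives B's key: k_A XOR (k_A XOR k_B) = k_B."""
    return xor(own_key, combined)

def run_demo(n_relays: int = 3, key_len: int = 32) -> dict:
    """End-to-end run; returns what each party ends up holding."""
    hops = hop_keys(n_relays, key_len)
    combined = relay_server_combine(node_contributions(hops))
    return {"combined": combined,
            "shared_by_a": terminal_recover(hops[0], combined),
            "k_b": hops[-1]}

if __name__ == "__main__":
    result = run_demo()
    print("A and B agree:", result["shared_by_a"] == result["k_b"])
```

Because the relay server only ever holds k_A XOR k_B, it cannot recover either terminal key on its own; the security assumption sits with the quantum nodes, each of which holds two link keys in the clear.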
PCT/CN2018/121409 2017-12-29 2018-12-17 Low-latency quantum key mobile service method WO2019128753A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201711466178.5 2017-12-29
CN201711466178.5A CN109995513B (zh) 2017-12-29 2017-12-29 A low-latency quantum key mobile service method

Publications (1)

Publication Number Publication Date
WO2019128753A1 true WO2019128753A1 (fr) 2019-07-04 Low-latency quantum key mobile service method

Family

ID=67066569

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/121409 WO2019128753A1 (fr) 2017-12-29 2018-12-17 Low-latency quantum key mobile service method

Country Status (2)

Country Link
CN (1) CN109995513B (fr)
WO (1) WO2019128753A1 (fr)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112367160B (zh) * 2019-09-01 2023-09-26 成都量安区块链科技有限公司 Virtual quantum link service method and device
CN112367163B (zh) * 2019-09-01 2023-09-26 成都量安区块链科技有限公司 Quantum network virtualization method and device
CN110557253B (zh) * 2019-10-14 2023-06-06 成都量安区块链科技有限公司 Relay route acquisition method, device and application system
CN111211895B (zh) * 2019-12-18 2022-05-24 北京邮电大学 Key analysis processing method and device, and key distribution randomness detection system
CN113132090B (zh) * 2019-12-31 2023-05-09 科大国盾量子技术股份有限公司 System for sharing quantum keys and secure communication method based on the system
CN111262699A (zh) * 2020-03-03 2020-06-09 成都量安区块链科技有限公司 Quantum-secure key service method and system
CN111786782A (zh) * 2020-06-30 2020-10-16 全球能源互联网研究院有限公司 Dedicated 2M link terminal equipment for the power sector and encryption/decryption method for 2M link data
CN114389796A (zh) * 2020-10-16 2022-04-22 中创为(成都)量子通信技术有限公司 Quantum cloud key negotiation method, device and system, and quantum and quantum cloud servers
CN112887086B (zh) * 2021-01-19 2022-07-22 北京邮电大学 Quantum key synchronization method and system
CN113193958B (zh) * 2021-05-10 2023-07-07 成都量安区块链科技有限公司 Quantum key service method and system
CN113691313A (zh) * 2021-07-04 2021-11-23 河南国科量子通信网络有限公司 Integrated satellite-ground quantum key link virtualization application service system
CN113489586B (zh) * 2021-07-26 2023-01-31 河南国科量子通信网络有限公司 VPN network system compatible with quantum key negotiation
CN114095183B (zh) * 2022-01-23 2022-05-03 杭州字节信息技术有限公司 Client dual authentication method, terminal device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106789052A (zh) * 2017-03-28 2017-05-31 浙江神州量子网络科技有限公司 Remote key issuing system based on a quantum communication network and method of use
CN106972922A (zh) * 2013-06-08 2017-07-21 科大国盾量子技术股份有限公司 Mobile secure communication method based on a quantum key distribution network
CN107147492A (zh) * 2017-06-01 2017-09-08 浙江九州量子信息技术股份有限公司 Key service system and method based on multi-terminal communication

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104092538B (zh) * 2014-07-15 2017-04-12 华南师范大学 Multi-user wavelength-division-multiplexed QKD network system and key distribution and sharing method therefor
CN104219042A (zh) * 2014-07-24 2014-12-17 安徽问天量子科技股份有限公司 Quantum key distribution center control device and method

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110601835A (zh) * 2019-09-30 2019-12-20 南方电网调峰调频发电有限公司信息通信分公司 Online key update method for a quantum security gateway
US20220294616A1 (en) * 2021-03-15 2022-09-15 evolutionQ System and Method for Optimizing the Routing of Quantum Key Distribution (QKD) Key Material in A Network
US11652619B2 (en) * 2021-03-15 2023-05-16 Evolutionq Inc. System and method for optimizing the routing of quantum key distribution (QKD) key material in a network

Also Published As

Publication number Publication date
CN109995513A (zh) 2019-07-09
CN109995513B (zh) 2020-06-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 18897231
Country of ref document: EP
Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 18897231
Country of ref document: EP
Kind code of ref document: A1