WO2023227067A1 - Quantum network communication method and apparatus, electronic device and storage medium - Google Patents

Quantum network communication method and apparatus, electronic device and storage medium Download PDF

Info

Publication number
WO2023227067A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
information
request
address
quantum
Prior art date
Application number
PCT/CN2023/096317
Other languages
French (fr)
Chinese (zh)
Inventor
田野
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团有限公司
Priority date
Filing date
Publication date
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • the present disclosure relates to the field of communication technology, and in particular, to a quantum network communication method, device, electronic equipment and storage medium.
  • embodiments of the present disclosure provide a quantum network communication method, device, electronic equipment and storage medium.
  • Embodiments of the present disclosure provide a quantum network communication method, applied to a first application or a first device, and the method includes:
  • the method also includes:
  • the first information is determined according to the corresponding relationship between the application and the KM.
  • the first information is the identification and/or address of the second KM.
  • the corresponding relationship between the application and KM is at least one of the following:
  • before sending the first information to the first KM, the method further includes:
  • the first information is obtained from the second application or the local configuration of the second device.
  • before sending the first information to the first KM, the method further includes:
  • the second device includes an application layer device or a user network management layer device in a quantum secure communication network
  • the second application is a cryptographic application.
  • the first request also carries second information; the second information is used to indicate the first KM that provides services for the first application or the first device.
  • the method also includes:
  • a second request is sent to the third device;
  • the second request also carries third information; the third information is used to indicate the first KM that provides services for the first application or the first device.
  • the method also includes:
  • the following content is securely protected and transmitted: first information, second information, third information, first request and response result, second request and response result.
  • the first information also includes: the identification and/or address of the second application/the second device; the first information is also used by the first KM to forward the identification and/or address of the second application/second device to the second KM, so that the second KM can determine the second application/second device that is to receive the quantum key.
  • An embodiment of the present disclosure also provides a quantum network communication device, including:
  • the first sending unit is configured to send first information to the first KM; wherein the first information is used to indicate the second KM that provides services for the second application or the second device.
  • An embodiment of the present disclosure also provides an electronic device, including a first processor and a first communication interface, wherein,
  • the first communication interface is used to send first information to a first KM; wherein the first information is used to indicate a second KM that provides services for a second application or a second device.
  • An embodiment of the present disclosure also provides an electronic device, including: a first processor and a first memory used to store a computer program capable of running on the first processor, wherein the first processor is used to run the computer program, perform the steps of either method above.
  • An embodiment of the present disclosure also provides a storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of any of the above methods are implemented.
  • the first application or the first device sends the first information to the first KM; the first information is used to indicate the second KM that provides services for the second application or the second device.
  • the first KM can query the second KM based on the first information, establish a session connection with the second KM and negotiate a quantum key that can be used by the first application and the second application, so that the second KM can establish a session connection with the second application. This completes end-to-end session creation between the first application, the first KM, the second KM and the second application, and can improve the probability of successful communication between applications.
  • Figure 1 is a schematic diagram of the quantum secure communication network architecture in related technologies
  • FIG. 2 is a schematic diagram of the quantum secure communication system architecture in related technologies
  • Figure 3 is a schematic flow chart of the implementation of a quantum network communication method according to an embodiment of the present disclosure
  • Figure 4 is a schematic interactive flow diagram of a quantum network communication method provided by an embodiment of the present disclosure
  • Figure 5 is a schematic interactive flow diagram of a quantum network communication method provided by an embodiment of the present disclosure.
  • Figure 6 is a schematic diagram of a quantum network communication structure provided by an embodiment of the present disclosure.
  • Figure 7 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
  • FIG. 1 shows a schematic diagram of the quantum communication network architecture in related technologies.
  • a quantum communication network consists of a quantum key distribution (QKD) network and a user network.
  • QKD: quantum key distribution
  • the QKD network is used to provide key distribution capabilities.
  • the QKD network includes the quantum layer, the key management layer, the QKD network (QKDN) control layer and the QKDN network management layer.
  • the QKD network here can also be called the quantum key distribution (QKD) network, quantum secure communication network, quantum communication network, quantum network, network layer, etc.
  • the user network uses quantum keys distributed by the QKD network to achieve secure communication; the user network includes an application layer and a user network network management layer.
  • FIG. 2 shows a schematic diagram of the quantum communication system architecture in related technologies.
  • cryptographic application A accesses the QKD network through the Ak interface and obtains the quantum key from KM A that provides services for cryptographic application A.
  • cryptographic application B accesses the QKD network through the Ak interface and obtains the same quantum key from KM B, which provides services for cryptographic application B.
  • the quantum key is used by cryptographic application A and cryptographic application B to encrypt and decrypt the transmitted data to achieve secure communication.
  • the Ak interface can be an application programming interface (Application Programming Interface, API) or a message interface.
  • API: Application Programming Interface
  • before the active-side application establishes communication with the passive-side application, it needs to establish a communication connection with the active-side KM. After the active-side application has established a communication connection with the active-side KM, and before the active-side KM transmits the key to the active-side application, end-to-end session creation between the active-side application, the active-side KM, the passive-side KM and the passive-side application must be completed.
  • the relevant session creation process is as follows:
  • the active-side application initiates a session creation request to the active-side KM by calling the QKD_APP_OpenSession interface, and provides the passive-side application's application identification, key stream quality of service (QoS) requirements, key transmission mode and other information;
  • the active end application refers to the application that initiates the request
  • the passive end application refers to the application that receives the request
  • the active end KM refers to the KM that provides services for the active end, and can also be called the source KM
  • the passive end KM refers to the KM that provides services for the passive end, and can also be called the destination KM;
  • the active end KM determines the passive end KM based on the application identification provided by the active end application, and then establishes a communication connection with the passive end KM.
  • the active end KM and the passive end KM conduct quantum key negotiation, and negotiate the QKD key stream identifier and key stream QoS parameters that can be provided to the active end application and the passive end application, thereby completing session connection establishment between the active end KM and the passive end KM;
  • the active-end KM returns information such as the QKD key stream identifier and key stream QoS parameters to the active-end application. After the active-end application confirms that the QoS meets the requirements, it completes the session establishment between the active-end application and the active-end KM.
  • the active end application needs to provide the active end KM with the application identification of the passive end application.
  • the active-side KM uses the application identifier of the passive-side cryptographic application to query the QKDN network management system for the passive-side KM, but there is a technical problem that the passive-side KM cannot be found.
  • the QKDN network management system is responsible for fault management, configuration management, accounting management, performance management and security management (Fault, Configuration, Accounting, Performance and Security, FCAPS) of the entire QKD network, and supports connection to the network management system of the user network.
  • the more relevant configuration management function is responsible for the provision, configuration and discovery of QKDN resources, as well as the acquisition and management of QKDN topology.
  • the configuration management function can also assist the QKDN controller to provide key relay routing.
  • the QKDN network management system of the QKD network mainly implements the management and maintenance of the various resources within the QKD network, and is not responsible for maintaining the correspondence between the KMs in the QKD key management layer and the various upper-layer applications. Therefore, the QKDN network management system cannot provide the relevant query information to the KM, causing the active KM to be unable to find the passive KM.
  • the first application or the first device sends first information to the first KM; the first information is used to indicate the second KM that provides services for the second application or the second device. Since the first information indicates the second KM, and both the first KM and the second KM are located in the key management layer of the QKD network, the first KM can query the second KM based on the first information, establish a session connection with the second KM and negotiate a quantum key that can be used by the first application and the second application, so that the second KM can establish a session connection with the second application. This completes end-to-end session creation between the first application, the first KM, the second KM and the second application, and can improve the probability of successful communication between applications.
  • the above solution can effectively separate the QKD network from the upper-layer user network. This separation prevents the QKDN network management system from having to manage and maintain upper-layer business information, reduces the operation and maintenance complexity of the QKD network management system, and contributes to the integrated development of the QKD network, user networks and services.
  • Embodiments of the present disclosure provide a quantum network communication method, applied to a first application or a first device.
  • the first device may be an electronic device such as a terminal or a server. Referring to Figure 3, the method includes:
  • Step 301: Send the first information to the first KM.
  • the first information is used to indicate a second KM that provides services for the second application or the second device.
  • the first KM represents a KM that provides services for the first application or the first device.
  • the first device is characterized as a first device running a first application.
  • the first device may be called an active end device/source end device.
  • the first application may be called an active end application/source end application and runs on the first device;
  • the second device is characterized as a device running a second application.
  • the second device may be called a passive end device/destination end device, and the second application may be called a passive end application/destination end application. It should be noted that multiple applications can run on the same device, and different applications can use different quantum keys.
  • the first information may directly indicate or indirectly indicate the second KM.
  • the method further includes:
  • the first information is determined according to the corresponding relationship between the application and the KM.
  • the first application or the first device determines the second application or the second device, determines the second KM that provides services for the second application or the second device based on the correspondence between the application and the KM, and then determines the first information based on the determined second KM.
  • the correspondence between an application and a KM may be one application corresponding to one KM, one application corresponding to multiple KMs, or multiple applications corresponding to one KM.
  • the first information is the identification and/or address of the second KM.
  • the corresponding relationship between the application and the KM is at least one of the following:
  • the identifier of the application may be the name of the application.
  • the first information can be stored locally in a preconfigured manner, with the first application or the first device maintaining the correspondence between the application and the KM. Based on this, in one embodiment, before sending the first information to the first KM, the method further includes:
  • the first information is obtained from the first application or a local configuration of the first device.
  • the first application or the first device obtains the first information from the local configuration of the first application; or, obtains the first information from the local configuration of the first device.
  • before sending the first information to the first KM, the method further includes:
  • the first application or the first device can send a first request to the second application, and receive the query result returned by the second application regarding the first request; the first application or the first device can also send a first request to the second device, and receive the query result returned by the second device regarding the first request.
  • the first request is used to query the second KM that provides services for the second application or the second device.
  • the query results include the first information.
  • the second device includes an application layer device or a user network management layer device in a quantum network
  • the second application is a cryptographic application.
  • the first application may also be a cryptographic application.
  • cryptographic applications can be understood as the various applications or services that need to use quantum cryptography or quantum keys for secure communication.
  • cryptographic application is a general concept, and there may be many implementation methods in actual application.
  • a cryptographic application can be equipment, a business system, an application system or a program that directly needs to use the keys generated by the QKD network; or it can be a middle-layer device, business system or program that does not directly use the keys generated by the QKD network but stores, manages or forwards the quantum keys, thereby satisfying the needs of the devices, business systems or programs that need to use the quantum keys.
  • on the basis of sending the first request to the second application or the second device, in one embodiment, the first request also carries second information; the second information is used to indicate the first KM that provides services for the first application or the first device.
  • when the second application or the second device receives the first request, it parses the second information from the first request and stores the second information; it can also update the correspondence between the application and the KM based on this information.
  • a third device may be used to uniformly maintain the correspondence between the application and the KM. Based on this, in one embodiment, the method further includes:
  • a second request is sent to the third device.
  • the second request also carries third information; the third information is used to indicate the first KM that provides services for the first application or the first device.
  • the second request may be a registration request or an update request.
  • when the first application or the first device accesses the quantum network for the first time, the second request may be a registration request; when the KM that provides services for the first application or the first device changes, the second request may be an update request.
  • the third device may be a central system management device.
  • one of the functions of the third device is responsible for maintaining the correspondence between the application/device and the KM, and storing a correspondence list or mapping list between the application and the KM.
  • the method further includes:
  • the following content is securely protected and transmitted: first information, second information, third information, first request and response result, second request and response result.
  • the first request and the response result refer to the first request and the response result regarding the first request
  • the response result can be understood as the query result
  • the second request and response result refer to the second request and the response result regarding the second request.
  • the first application or the first device can perform security protection on the communication content.
  • the first application or the first device can apply security protection to its communication with other applications (such as the second application) or devices (such as the first KM, the second device and the third device).
  • Security protection can be understood as encryption and/or integrity protection, digital signature/signature verification, etc.
  • the security protection method used here is based on the traditional cryptographic system and does not use quantum keys for protection.
  • the quantum key negotiated between KMs is used to protect important applications or business data.
  • the first information further includes: the identification and/or address of the second application/the second device; the first information is also used by the first KM to forward the identification and/or address of the second application/second device to the second KM, so that the second KM can determine the second application/second device that is to receive the quantum key.
  • the first KM parses out the identification and/or address of the second application or the second device contained in the first information and forwards it to the second KM, so that the second KM determines the second application to receive the quantum key based on the identification and/or address of the second application, or determines the second device to receive the quantum key based on the identification and/or address of the second device.
  • the first application/first device obtains the first information through message interaction with the second application/second device.
  • Step 1: The first application/first device sends a first request to the second application/second device.
  • the first request is used to query the second KM that provides services for the second application or the second device.
  • the second device includes an application layer device or a user network management layer device in a quantum secure communication network; and/or the second application is a cryptographic application.
  • the first request also carries second information; the second information is used to indicate the first KM that provides services for the first application or the first device.
  • Step 2: The first application/first device receives the query result.
  • after the second application/second device receives the first request, it determines the second KM based on the correspondence between the application and the KM, determines the first information, and returns the query result to the first application/first device.
  • the first information is used to indicate the KM that provides services for the second application or the second device.
  • the first application/first device receives the query result returned by the second application/second device based on the first request, and associates and stores the second application with the first information.
  • the query results include the first information.
  • the first information is the identification and/or address of the second KM.
  • the corresponding relationship between the application and the KM is at least one of the following:
  • the first application/first device can also securely protect and transmit the first information, the second information, the first request and the query result.
  • the first application/first device obtains the first information through message interaction with the third device.
  • Step 1: The second application/second device sends a second request to the third device.
  • the second request may be a registration request or an update request.
  • the second request sent to the third device may be a registration request; when the KM that provides services for the second application/second device changes, the second request sent to the third device is an update request.
  • the second request sent by the second application/second device also carries third information; the third information is used to indicate the second KM that provides services for the second application or the second device.
  • the third device can be a centralized system management device.
  • the first application and the second application are cryptographic applications.
  • Step 2: The third device returns a response to the second request to the second application/second device.
  • Step 3: The first application/first device sends a second request to the third device.
  • when the first application/first device accesses the quantum network for the first time, the second request is a registration request; when the KM that provides services for the first application/first device changes, the second request is an update request.
  • the second request sent by the first application/first device also carries third information; the third information is used to indicate the first KM that provides services for the first application or the first device.
  • Step 4: The third device returns a response to the second request to the first application/first device.
  • Step 5: The first application/first device sends the first request to the third device.
  • the first request is used to query the second KM that provides services for the second application or the second device.
  • the first request also carries second information; the second information is used to indicate the first KM that provides services for the first application or the first device.
  • Step 6: The third device returns the query result regarding the first request to the first application/first device.
  • the third device determines the second KM based on the correspondence between the application and the KM, determines the first information, and returns the query result to the first application.
  • the query results include the first information.
  • the first information is used to indicate a second KM that provides services for the second application or the second device.
  • the first information is the identification and/or address of the second KM.
  • the first application/first device receives the query result returned by the third device based on the first request, and associates and stores the second application with the first information.
  • the first application/first device can also securely protect and transmit the first information, the second information, the third information, the first request and query result, and the second request and the response to the second request.
  • the first application or the first device sends the first information to the first KM; the first information is used to indicate the second KM that provides services for the second application or the second device. Since the first information indicates the second KM, and both the first KM and the second KM are located in the key management layer of the QKD network, the first KM can query the second KM based on the first information and establish a session connection with the second KM.
  • the session is connected and the quantum key that can be used by the first application and the second application is negotiated, so that the second KM can establish a session connection with the second application. This completes end-to-end session creation between the first application, the first KM, the second KM and the second application, and can improve the probability of successful communication between applications.
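As an added illustration (not code from the patent or its applicant), the following simulates the third-device flow of Steps 1 to 6 and the subsequent Step 301 handover: applications register their serving KM with a central registry, the first application queries it for the second KM, hands the returned first information to its own KM, and that KM reaches the second KM directly instead of asking the QKDN network management system. Registry messages carry an HMAC tag as a stand-in for the classical (non-quantum) integrity protection the text mentions; all identifiers, addresses and the MAC key are constructed assumptions.

```python
"""Constructed simulation of the application -> KM registry flow (Steps 1-6)
followed by the first KM -> second KM session setup. Not the patent's code."""
import hashlib
import hmac
import secrets

# Constructed pre-shared key: the page says the request/response messages are
# protected with a traditional cryptographic system, not with quantum keys.
REGISTRY_MAC_KEY = b"constructed-registry-mac-key"


def _canonical(fields: dict) -> bytes:
    return "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def protect(msg: dict) -> dict:
    """Attach an HMAC-SHA256 integrity tag over the message fields."""
    tag = hmac.new(REGISTRY_MAC_KEY, _canonical(msg), hashlib.sha256).hexdigest()
    return {**msg, "tag": tag}


def verify(msg: dict) -> dict:
    """Reject a tampered or untagged message; return the bare fields."""
    fields = {k: v for k, v in msg.items() if k != "tag"}
    expected = hmac.new(REGISTRY_MAC_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        raise ValueError("integrity check failed")
    return fields


class ThirdDevice:
    """Central system management device: maintains the application -> KM list."""

    def __init__(self):
        self.app_to_km: dict[str, tuple[str, str]] = {}  # app id -> (KM id, KM address)

    def handle_second_request(self, req: dict) -> dict:
        """Registration or update request; carries the third information (the
        KM serving the sender). An update simply overwrites the mapping."""
        r = verify(req)
        self.app_to_km[r["app_id"]] = (r["km_id"], r["km_addr"])
        return protect({"type": r["type"], "status": "ok"})

    def handle_first_request(self, req: dict) -> dict:
        """Query for the KM serving target_app_id; the request also carries the
        second information (the requester's own KM), stored here for symmetry."""
        r = verify(req)
        self.app_to_km.setdefault(r["requester_app_id"], (r["requester_km_id"], r["requester_km_addr"]))
        km = self.app_to_km.get(r["target_app_id"])
        if km is None:
            return protect({"status": "not_found"})  # the failure the patent addresses
        # first information = identification and address of the second KM
        return protect({"status": "ok", "km_id": km[0], "km_addr": km[1]})


class KM:
    """Key manager in the QKD key management layer."""

    def __init__(self, km_id: str, addr: str, directory: dict):
        self.km_id, self.addr, self.directory = km_id, addr, directory  # directory: addr -> KM
        self.sessions: dict = {}

    def open_session(self, first_info: dict, target_app_id: str) -> dict:
        """Reach the second KM through the first information alone; no lookup
        in the QKDN management system is needed."""
        peer = self.directory.get(first_info["km_addr"])
        if peer is None or peer.km_id != first_info["km_id"]:
            raise LookupError("second KM not reachable")
        stream_id = secrets.token_hex(8)  # constructed stand-in for the negotiated QKD key stream identifier
        self.sessions[stream_id] = peer.km_id
        # The forwarded application identifier tells the second KM which
        # application is to receive the quantum key.
        peer.sessions[stream_id] = (self.km_id, target_app_id)
        return {"key_stream_id": stream_id, "peer_km": peer.km_id}


def run_flow() -> dict:
    """Steps 1-6 with the third device, then Step 301 at the first KM."""
    registry, directory = ThirdDevice(), {}
    km_a = KM("KM-A", "10.0.0.1:8443", directory)  # first KM, serves app-A (constructed)
    km_b = KM("KM-B", "10.0.0.2:8443", directory)  # second KM, serves app-B (constructed)
    directory.update({km_a.addr: km_a, km_b.addr: km_b})

    # Steps 1-2: the second application registers its serving KM (third information).
    verify(registry.handle_second_request(protect(
        {"type": "register", "app_id": "app-B", "km_id": km_b.km_id, "km_addr": km_b.addr})))
    # Steps 3-4: the first application registers likewise.
    verify(registry.handle_second_request(protect(
        {"type": "register", "app_id": "app-A", "km_id": km_a.km_id, "km_addr": km_a.addr})))
    # Steps 5-6: the first application asks which KM serves app-B; the request
    # carries the second information (KM-A) so the registry can keep it current.
    result = verify(registry.handle_first_request(protect(
        {"type": "query", "target_app_id": "app-B", "requester_app_id": "app-A",
         "requester_km_id": km_a.km_id, "requester_km_addr": km_a.addr})))
    first_info = {"km_id": result["km_id"], "km_addr": result["km_addr"]}
    # Step 301: hand the first information to the first KM, which opens the
    # KM-to-KM session and forwards the receiving application's identifier.
    session = km_a.open_session(first_info, "app-B")
    return {"first_info": first_info, "session": session,
            "receiver_at_second_km": km_b.sessions[session["key_stream_id"]]}
```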
  • the embodiment of the present disclosure also provides a quantum network communication device, which is provided on the first device or the first application. As shown in Figure 6, the device includes:
  • the first sending unit 61 is configured to send first information to the first KM; wherein the first information is used to indicate the second KM that provides services for the second application or the second device.
  • the device includes:
  • a determining unit configured to determine the first information according to the corresponding relationship between the application and the KM.
  • the first information is the identification and/or address of the second KM.
  • the corresponding relationship between the application and the KM is at least one of the following:
  • the device further includes:
  • An obtaining unit configured to obtain the first information from the first application or the local configuration of the first device.
  • the device further includes:
  • the second sending unit is used to send a first request to the second application or the second device; the first request is used to query the second KM that provides services for the second application or the second device;
  • the first receiving unit is used to receive query results.
  • the second device includes an application layer device or a user network management layer device in a quantum secure communication network
  • the second application is a cryptographic application.
  • the first request also carries second information; the second information is used to indicate a first KM that provides services for the first application or the first device.
  • the device includes:
  • the third sending unit is configured to send a second request to the third device when the first application or the first device accesses the quantum network for the first time, or when the KM that provides services for the first application or the first device changes;
  • the second request also carries third information; the third information is used to indicate the first KM that provides services for the first application or the first device.
  • the device further includes:
  • the processing unit is used to securely protect and transmit the following content: first information, second information, third information, first request and response result, and second request and response result.
  • the first information further includes: the identification and/or address of the second application/the second device;
  • the first information is also used for the first KM to transfer the second application/the second device
  • the identification and/or address are forwarded to the second KM for the second KM to determine the second application/second device to receive the quantum key.
  • the first sending unit 61, the second sending unit, the third sending unit, the fourth sending unit and the first receiving unit can be implemented by the processor in the quantum network communication device in combination with the communication interface; the determination unit, acquisition unit and processing unit can be implemented by the processor in the quantum network communication device.
  • when the quantum network communication device provided in the above embodiment performs quantum network communication, the division into the above program modules is only an example; in practical applications, the above processing can be allocated to different program modules as needed, that is, the internal structure of the device is divided into different program modules to complete all or part of the processing described above.
  • the quantum network communication device provided by the above embodiments and the quantum network communication method embodiments belong to the same concept. Please refer to the method embodiments for the specific implementation process, which will not be described again here.
  • the embodiment of the disclosure also provides an electronic device.
  • the electronic device 7 includes:
  • the first communication interface 71 is capable of information exchange with other network nodes
  • the first processor 72 is connected to the first communication interface 71 to implement information interaction with other network nodes, and is used to execute the method provided by one or more of the above technical solutions when running a computer program.
  • the computer program is stored on the first memory 73.
  • the first communication interface 71 is used to send first information to the first KM; wherein the first information is used to indicate the second KM that provides services for the second application or the second device.
  • the first processor 72 is configured to determine the first information according to the corresponding relationship between the application and the KM.
  • the first information is the identification and/or address of the second KM.
  • the corresponding relationship between the application and the KM is at least one of the following: the correspondence between the application identifier and the KM identifier; between the application identifier and the KM address; between the application address and the KM address; between the application address and the KM identifier.
  • the first processor 72 is further configured to obtain the first information from the local configuration of the first application or the first device.
  • the first communication interface 71 is also used for sending a first request to the second application or the second device, the first request being used to query the second KM that provides services for the second application or the second device, and for receiving the query result.
  • the second device includes an application layer device or a user network management layer device in a quantum secure communication network; and/or the second application is a cryptographic application.
  • the first request also carries second information; the second information is used to indicate a first KM that provides services for the first application or the first device.
  • the first communication interface 71 is also used for sending a second request to a third device when the first application or the first device accesses the quantum network for the first time, or when the KM that provides services for the first application or the first device changes; the second request also carries third information indicating the first KM that provides services for the first application or the first device.
  • the first processor 72 is also configured to apply security protection to, and then transmit, the following content: first information, second information, third information, first request and response result, second request and response result.
  • the first information further includes: the identification and/or address of the second application/the second device; the first information is also used for the first KM to forward the identity and/or address of the second application/second device to the second KM, so that the second KM can determine the second application/second device that is to receive the quantum key.
  • bus system 74 is used to implement connection communications between these components.
  • bus system 74 also includes a power bus, a control bus and a status signal bus.
  • the various buses are labeled bus system 74 in FIG. 7.
  • the first memory 73 in the embodiment of the present disclosure is used to store various types of data to support the operation of the electronic device 7 .
  • Examples of such data include any computer program used to operate on the electronic device 7 .
  • the methods disclosed in the above embodiments of the present disclosure can be applied to the first processor 72, or implemented by the first processor 72.
  • the first processor 72 may be an integrated circuit chip having signal processing capabilities. During the implementation process, each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the first processor 72 .
  • the above-mentioned first processor 72 may be a general processor, a digital signal processor (Digital Signal Processor, DSP), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the first processor 72 can implement or execute the disclosed methods, steps and logical block diagrams in the embodiments of the present disclosure.
  • a general-purpose processor may be a microprocessor or any conventional processor, etc.
  • the steps of the method disclosed in conjunction with the embodiments of the present disclosure can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium, and the storage medium is located in the first memory 73.
  • the first processor 72 reads the information in the first memory 73, and completes the steps of the foregoing method in combination with its hardware.
  • the electronic device 7 may be implemented by one or more application specific integrated circuits (ASIC), digital signal processors (DSP), programmable logic devices (PLD), complex programmable logic devices (CPLD), field-programmable gate arrays (FPGA), general-purpose processors, controllers, microcontroller units (MCU), microprocessors, or other electronic components, used to execute the aforementioned methods.
  • the memory (first memory 73) in the embodiment of the present disclosure may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memories.
  • the non-volatile memory can be read-only memory (Read Only Memory, ROM), programmable read-only memory (Programmable Read-Only Memory, PROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory).
  • the magnetic surface memory can be a magnetic disk memory or a magnetic tape memory.
  • the volatile memory may be random access memory (RAM), which is used as an external cache. Examples of RAM include static RAM (SRAM), synchronous static RAM (SSRAM), dynamic RAM (DRAM), synchronous dynamic RAM (SDRAM), double data rate synchronous dynamic RAM (DDRSDRAM), enhanced synchronous dynamic RAM (ESDRAM), SyncLink dynamic RAM (SLDRAM) and direct Rambus RAM (DRRAM).
  • the embodiment of the present disclosure also provides a storage medium, that is, a computer storage medium, specifically a computer-readable storage medium, such as a first memory 73 that stores a computer program.
  • the computer program can be stored in an electronic device 7
  • the first processor 72 executes to complete the steps described in the foregoing first terminal side method.
  • the computer-readable storage medium can be FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disk, or CD-ROM and other memories.
  • "A and/or B" covers three cases: A alone, A and B together, and B alone.
  • "at least one" in this article means any one of a plurality, or any combination of at least two of a plurality; for example, "including at least one of A, B and C" means including any one or more elements selected from the set consisting of A, B and C.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure provides a quantum network communication method and apparatus, an electronic device and a storage medium. The method comprises: a first application or a first device sends first information to a first KM, wherein the first information is used for indicating a second KM which provides services for a second application or a second device.

Description

Quantum network communication method, apparatus, electronic device and storage medium
Cross-reference to related applications
This application claims priority to Chinese Patent Application No. 202210583447.0, filed in China on May 25, 2022, the entire content of which is incorporated herein by reference.
Technical field
The present disclosure relates to the field of communication technology, and in particular to a quantum network communication method, apparatus, electronic device and storage medium.
Background
In a quantum secure communication network, before a first cryptographic application (APP) establishes communication with a second cryptographic application, the quantum key manager (KM) that provides service to the peer cannot be determined, so communication between the cryptographic applications fails.
Summary
To solve the above technical problem, embodiments of the present disclosure provide a quantum network communication method, apparatus, electronic device and storage medium.
The technical solution of the embodiments of the present disclosure is implemented as follows:
Embodiments of the present disclosure provide a quantum network communication method applied to a first application or a first device, the method including:
sending first information to a first KM, wherein the first information is used to indicate a second KM that provides services for a second application or a second device.
In the above solution, the method further includes:
determining the first information according to the correspondence between applications and KMs.
In the above solution, the first information is the identifier and/or address of the second KM.
In the above solution, the correspondence between applications and KMs is at least one of the following:
the correspondence between an application identifier and a KM identifier;
the correspondence between an application identifier and a KM address;
the correspondence between an application address and a KM address;
the correspondence between an application address and a KM identifier.
In the above solution, before sending the first information to the first KM, the method further includes:
obtaining the first information from the local configuration of the second application or the second device.
In the above solution, before sending the first information to the first KM, the method further includes:
sending a first request to the second application or the second device, the first request being used to query the second KM that provides services for the second application or the second device;
receiving the returned query result.
In the above solution, the second device includes an application layer device or a user network management layer device in the quantum secure communication network;
and/or, the second application is a cryptographic application.
In the above solution, the first request further carries second information; the second information is used to indicate the first KM that provides services for the first application or the first device.
In the above solution, the method further includes:
when the first application or the first device accesses the quantum network for the first time, or when the KM that provides services for the first application or the first device changes, sending a second request to a third device;
wherein the second request further carries third information; the third information is used to indicate the first KM that provides services for the first application or the first device.
In the above solution, the method further includes:
applying security protection to, and then transmitting, the following content: the first information, the second information, the third information, the first request and its response result, and the second request and its response result.
In the above solution, the first information further includes the identifier and/or address of the second application or the second device; the first information is further used by the first KM to forward the identifier and/or address of the second application or the second device to the second KM, so that the second KM can determine the second application or second device that is to receive the quantum key.
Embodiments of the present disclosure further provide a quantum network communication apparatus, including:
a first sending unit, configured to send first information to a first KM, wherein the first information is used to indicate a second KM that provides services for a second application or a second device.
Embodiments of the present disclosure further provide an electronic device including a first processor and a first communication interface, wherein
the first communication interface is used to send first information to a first KM, wherein the first information is used to indicate a second KM that provides services for a second application or a second device.
Embodiments of the present disclosure further provide an electronic device including a first processor and a first memory storing a computer program that can run on the first processor, wherein the first processor, when running the computer program, performs the steps of any of the above methods.
Embodiments of the present disclosure further provide a storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of any of the above methods are implemented.
In the quantum network communication method, apparatus, electronic device and storage medium provided by the embodiments of the present disclosure, the first application or the first device sends first information to the first KM, the first information indicating the second KM that provides services for the second application or the second device. Because the first information indicates the second KM, and both the first KM and the second KM are located in the key management layer of the QKD network, the first KM can look up the second KM from the first information, establish a session connection with it and negotiate a quantum key for use by the first application and the second application. The second KM can then establish a session connection with the second application, completing end-to-end session creation along the path first application - first KM - second KM - second application and raising the probability that communication between the applications succeeds.
Description of the drawings
Figure 1 is a schematic diagram of a quantum secure communication network architecture in the related art;
Figure 2 is a schematic diagram of a quantum secure communication system architecture in the related art;
Figure 3 is a schematic flowchart of a quantum network communication method according to an embodiment of the present disclosure;
Figure 4 is a schematic interaction flowchart of a quantum network communication method provided by an embodiment of the present disclosure;
Figure 5 is a schematic interaction flowchart of a quantum network communication method provided by an embodiment of the present disclosure;
Figure 6 is a schematic structural diagram of a quantum network communication apparatus provided by an embodiment of the present disclosure;
Figure 7 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed description
Figure 1 shows a schematic diagram of the quantum communication network architecture in the related art. As shown in Figure 1, according to the existing standard definition, a quantum communication network consists of a quantum key distribution (QKD) network and a user network.
The QKD network provides the key distribution capability and includes a quantum layer, a key management layer, a QKD network (QKDN) control layer and a QKDN network management layer. The QKD network may also be referred to as the quantum key distribution network, quantum secure communication network, quantum communication network, quantum network, or network layer. The user network uses the quantum keys distributed by the QKD network to achieve secure communication; it includes an application layer and a user network management layer.
Figure 2 shows a schematic diagram of the quantum communication system architecture in the related art. As shown in Figure 2, before cryptographic application A and cryptographic application B establish communication, application A accesses the QKD network through the Ak interface and obtains a quantum key from KM A, the KM that serves application A; application B accesses the QKD network through the Ak interface and obtains the same quantum key from KM B, the KM that serves application B. Applications A and B use the quantum key to encrypt and decrypt the transmitted data, achieving secure communication. The Ak interface may be an application programming interface (API) or a message interface.
In the related art, before the active-side application establishes communication with the passive-side application, the active-side application must establish a communication connection with the active-side KM. After that connection exists, and before the active-side KM transmits keys to the active-side application, end-to-end session creation among the active-side application, the active-side KM, the passive-side application and the passive-side KM must be completed. The session creation flow is as follows:
a) The active-side application calls the QKD_APP_OpenSession interface to send a session creation request to the active-side KM, supplying the application identifier of the passive-side application, the key stream quality of service (QoS) requirements, the key transmission mode and other information. Here the active-side application is the application that initiates the request and the passive-side application is the application that receives it; the active-side KM is the KM that serves the active side, also called the source KM, and the passive-side KM is the KM that serves the passive side, also called the destination KM.
b) The active-side KM determines the passive-side KM from the application identifier supplied by the active-side application, then establishes a communication connection with the passive-side KM. The two KMs perform quantum key negotiation and agree on the QKD key stream identifier and key stream QoS parameters to be provided to the active-side and passive-side applications, completing session connection establishment between the active-side KM and the passive-side KM.
c) The active-side KM returns the QKD key stream identifier, key stream QoS parameters and related information to the active-side application; once the active-side application confirms that the QoS meets its requirements, session establishment between the active-side application and the active-side KM is complete.
For the active-side KM to find the passive-side KM, and for the QKD network to generate the same quantum key for both KMs, the active-side application must supply the passive-side application's identifier to the active-side KM, which then queries the QKDN network management system for the passive-side KM using that identifier. In practice, however, the passive-side KM cannot be found, for the following reason.
According to the existing standard definition, the QKDN network management system is responsible for fault, configuration, accounting, performance and security (FCAPS) management of the whole QKD network and supports interworking with the user network management system. Of these, the configuration management function is the most relevant: it handles the provisioning, configuration and discovery of QKDN resources, and the acquisition and management of the QKDN topology. When the QKDN supports key relay, the configuration management function may also assist the QKDN controller in providing key relay routing.
It follows from this definition that the QKDN network management system mainly manages and maintains the resources inside the QKD network; it is not responsible for maintaining the correspondence between the KMs in the QKD key management layer and the various upper-layer applications. The QKDN network management system therefore cannot answer the KM's query, and the active-side KM cannot find the passive-side KM.
On this basis, in the embodiments of the present disclosure the first application or the first device sends first information to the first KM, the first information indicating the second KM that provides services for the second application or the second device. Because the first information indicates the second KM, and both KMs are located in the key management layer of the QKD network, the first KM can look up the second KM from the first information, establish a session connection with it and negotiate a quantum key for use by the first and second applications; the second KM can then establish a session connection with the second application, completing end-to-end session creation along the path first application - first KM - second KM - second application and raising the probability that communication between the applications succeeds. This scheme cleanly separates the QKD network from the upper-layer user network: the QKDN network management system need not take part in managing and maintaining upper-layer service information, which lowers the operation and maintenance complexity of the QKD network management system and helps the QKD network converge with user networks and services.
The present disclosure is described in further detail below with reference to the accompanying drawings and embodiments.
Embodiments of the present disclosure provide a quantum network communication method applied to a first application or a first device, where the first device may be an electronic device such as a terminal or a server. Referring to Figure 3, the method includes:
Step 301: sending first information to a first KM.
The first information is used to indicate the second KM that provides services for the second application or the second device.
Here, the first KM is the KM that provides services for the first application or the first device. The first device is the device that runs the first application and may be called the active-side or source device; the first application may be called the active-side or source application. The second device is the device that runs the second application and may be called the passive-side or destination device; the second application may be called the passive-side or destination application. Note that several applications may run on the same device, and different applications may use different quantum keys. The first information may indicate the second KM directly or indirectly.
Before sending the first information to the first KM, in an embodiment the method further includes:
determining the first information according to the correspondence between applications and KMs.
Here, once the first application or the first device has determined the second application, it determines the second KM that serves the second application or the second device from the correspondence between applications and KMs, and derives the first information from that second KM.
In the correspondence between applications and KMs, one application may correspond to one KM, one application may correspond to several KMs, or several applications may correspond to one KM.
In an embodiment, the first information is the identifier and/or address of the second KM. In an embodiment, the correspondence between applications and KMs is at least one of the following:
the correspondence between an application identifier and a KM identifier;
the correspondence between an application identifier and a KM address;
the correspondence between an application address and a KM address;
the correspondence between an application address and a KM identifier.
Here, the application identifier may be the name of the application.
In practice, the first information may be stored locally in a preconfigured manner, with the first application or the first device maintaining the correspondence between applications and KMs. On this basis, in an embodiment, before sending the first information to the first KM, the method further includes:
obtaining the first information from the local configuration of the first application or the first device.
Here, once the second application or the second device has been determined, the first application or the first device obtains the first information from the local configuration of the first application, or from the local configuration of the first device.
The correspondence between applications and KMs may instead be maintained by the second application or the second device, in which case the first information is obtained by exchanging messages with the second application or the second device. On this basis, in an embodiment, before sending the first information to the first KM, the method further includes:
sending a first request to the second application or the second device, the first request being used to query the second KM that provides services for the second application or the second device;
receiving the query result.
Here, once the second application or the second device has been determined, the first application or the first device may send the first request to the second application and receive the query result that the second application returns for it, or may send the first request to the second device and receive the query result that the second device returns; in either case the first request queries the second KM that provides services for the second application or the second device, and the query result includes the first information.
In one embodiment, the second device includes an application-layer device or a user network management layer device in the quantum network;
and/or the second application is a cryptographic application.
Here, where the second application is a cryptographic application, the first application may also be a cryptographic application.
A cryptographic application may be understood as any application or service that needs quantum cryptography or quantum keys for secure communication. The term is a general one and may be implemented in many ways in practice: a cryptographic application may be a device, service system, application system or program that directly needs the keys generated by the QKD network, or it may be one that does not use those keys directly but stores, manages or forwards quantum keys so as to serve the intermediate-layer devices, service systems or programs that need them.
Building on the sending of the first request to the second application or the second device, in one embodiment the first request further carries second information, the second information being used to indicate the first KM that serves the first application or the first device.
Here, on receiving the first request, the second application or the second device parses the second information out of the first request and stores it; it may also update the correspondence between applications and KMs on the basis of the first information.
In practice, a third device may be used to maintain the correspondence between applications and KMs centrally. On this basis, in one embodiment, the method further includes:
sending a second request to the third device when the first application or the first device accesses the quantum network for the first time, or when the KM that serves the first application or the first device changes.
The second request further carries third information, the third information being used to indicate the first KM that serves the first application or the first device.
Here, the second request may be a registration request or an update request: when the first application or the first device accesses the quantum network for the first time, the second request may be a registration request; when the KM serving the first application or the first device changes, the second request is an update request.
The third device may be a centralised system management device. For example, one of the functions of the third device is to maintain the correspondence between applications/devices and KMs, storing a correspondence list or mapping list between applications and KMs.
To protect the security of the communication content during the quantum key negotiation process, in one embodiment the method further includes:
applying security protection to the following content and transmitting it: the first information, the second information, the third information, the first request and its response result, and the second request and its response result.
Here, "the first request and its response result" means the first request and the response returned for it, which may be understood as the query result; "the second request and its response result" means the second request and the response returned for it.
That is, the first application or the first device may apply security protection to the communication content, for example to the content exchanged with other applications (such as the second application) or devices (such as the first KM, the second device and the third device).
Security protection may be understood as encryption and/or integrity protection, digital signing and signature verification, and the like. The protection applied here relies on conventional (classical) cryptography and does not use quantum keys; the quantum keys negotiated between KMs are reserved for protecting important application or service data.
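The following is an added example, not the patent's own code, of the classical protection described above applied to one control message (a first request carrying second information). It assumes a pre-shared key between the two endpoints and uses HMAC-SHA256 for integrity protection; the nonce-based replay check is an additional assumption not stated in the text, and the key and message contents are constructed for the example.

```python
"""Integrity protection for the control messages exchanged by the first
application (first/second request, query result, first/second/third
information). Added example, not the patent's code: a pre-shared key and
HMAC-SHA256 stand in for the classical protection the text describes; the
nonce-based replay check is an extra assumption. Key and messages are
constructed for the example."""
import hashlib
import hmac
import json
import os
from typing import Optional


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so sender and receiver hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def protect(message: dict, key: bytes) -> dict:
    """Wrap a control message with a fresh nonce and an HMAC-SHA256 tag."""
    body = dict(message, nonce=os.urandom(16).hex())
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Verifier:
    """Receiver side: checks the tag with a constant-time compare and rejects
    any nonce it has already accepted."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seen_nonces: set = set()

    def verify(self, wire: dict) -> Optional[dict]:
        body, tag = wire.get("body"), wire.get("tag")
        if not isinstance(body, dict) or not isinstance(tag, str):
            return None                      # malformed envelope
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                      # modified in transit or wrong key
        nonce = body.get("nonce")
        if nonce is None or nonce in self.seen_nonces:
            return None                      # missing nonce or replayed message
        self.seen_nonces.add(nonce)
        return {k: v for k, v in body.items() if k != "nonce"}


if __name__ == "__main__":
    key = b"constructed-pre-shared-key"      # constructed, not a real key
    first_request = {"kind": "query", "requester": "app-A", "target": "app-B",
                     "second_info": {"km_id": "KM-1", "km_address": "10.0.0.1"}}
    wire = protect(first_request, key)
    print(Verifier(key).verify(wire))        # the original request
    wire["body"]["target"] = "app-C"         # tampering with the target field
    print(Verifier(key).verify(wire))        # None: tag no longer matches
```

The verifier returns the message only when the tag matches and the nonce is new, so a modified target, a message protected under a different key, and a replayed copy are all rejected before the registry or KM acts on them. Confidentiality, if required, would be layered on top with a cipher; this block shows integrity protection only.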
In one embodiment, the first information further includes the identifier and/or address of the second application/the second device, and the first information is further used by the first KM to forward the identifier and/or address of the second application/the second device to the second KM, so that the second KM can determine the second application/second device that is to receive the quantum key.
Here, on receiving the first information, the first KM parses out the identifier and/or address of the second application or the second device contained in it and forwards that identifier and/or address to the second KM, so that the second KM determines, from the identifier and/or address of the second application, the second application that is to receive the quantum key, or determines, from the identifier and/or address of the second device, the second device that is to receive the quantum key.
The way in which the first application or the first device obtains the first information in the embodiments of the present disclosure is described further below with reference to the interaction flow diagrams.
As shown in Figure 4, in the application scenario where the second application/second device maintains the correspondence between applications and KMs, the first application/first device obtains the first information through message exchange with the second application/second device.
Step 1: the first application/first device sends a first request to the second application/second device.
The first request is used to query the second KM that serves the second application or the second device.
In one embodiment, the second device includes an application-layer device or a user network management layer device in the quantum secure communication network; and/or the second application is a cryptographic application.
In one embodiment, the first request further carries second information, which is used to indicate the first KM that serves the first application or the first device.
Step 2: the first application/first device receives the query result.
Here, on receiving the first request, the second application/second device determines the second KM on the basis of the correspondence between applications and KMs, determines the first information, and returns the query result to the first application/first device. The first information is used to indicate the second KM that serves the second application or the second device.
The first application/first device receives the query result returned by the second application/second device for the first request and stores the second application in association with the first information. The query result includes the first information.
In one embodiment, the first information is the identifier and/or address of the second KM.
In one embodiment, the correspondence between applications and KMs is at least one of the following:
the correspondence between the identifier of an application and the identifier of a KM;
the correspondence between the identifier of an application and the address of a KM;
the correspondence between the address of an application and the address of a KM;
the correspondence between the address of an application and the identifier of a KM.
In one embodiment, the first application/first device may further apply security protection to the first information, the second information, the first request and the query result before transmitting them.
As shown in Figure 5, in the application scenario where a third device centrally maintains the correspondence between applications and KMs, the first application/first device obtains the first information through message exchange with the third device.
Step 1: the second application/second device sends a second request to the third device.
The second request may be a registration request or an update request: when the second application/second device accesses the quantum network for the first time, the second request sent to the third device may be a registration request; when the KM serving the second application/second device changes, the second request sent to the third device is an update request.
In one embodiment, the second request sent by the second application/second device further carries third information, which is used to indicate the second KM that serves the second application or the second device.
In practice, the third device may be a centralised system management device, and the first application and the second application are cryptographic applications.
Step 2: the third device returns a response to the second request to the second application/second device.
Step 3: the first application/first device sends a second request to the third device.
When the first application/first device accesses the quantum network for the first time, the second request is a registration request; when the KM serving the first application/first device changes, the second request is an update request.
In one embodiment, the second request sent by the first application/first device further carries third information, which is used to indicate the first KM that serves the first application or the first device.
Step 4: the third device returns a response to the second request to the first application/first device.
Step 5: the first application/first device sends a first request to the third device.
The first request is used to query the second KM that serves the second application or the second device.
In one embodiment, the first request further carries second information, which is used to indicate the first KM that serves the first application or the first device.
Step 6: the third device returns the query result for the first request to the first application/first device.
Here, on receiving the first request, the third device determines the second KM on the basis of the correspondence between applications and KMs, determines the first information, and returns the query result to the first application. The query result includes the first information, which is used to indicate the second KM that serves the second application or the second device. In one embodiment, the first information is the identifier and/or address of the second KM.
The first application/first device receives the query result returned by the third device for the first request and stores the second application in association with the first information.
In one embodiment, the first application/first device may further apply security protection to the first information, the second information, the third information, the first request and the query result, and the second request and its response before transmitting them.
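The following is an added example, not the patent's or the applicant's code, modelling the Figure 5 flow end to end: a central registry standing in for the third device, registration/update requests carrying the serving KM, a query carrying second information, and the first KM forwarding the peer application's identifier to the second KM as described for the first information above. The class names, the request shapes and all identifiers and addresses are assumptions constructed for the example; the query-failure and unknown-KM branches show what happens when the mapping is missing or stale.

```python
"""Constructed model of the Figure 5 flow. Added example, not the patent's
code: a central Registry (the 'third device') keeps the application-to-KM
correspondence; an application sends a registration or update request (the
'second request', carrying 'third information') when it joins or its KM
changes, and a query (the 'first request', carrying 'second information') to
learn the KM serving a peer. The returned 'first information' goes to the
first KM, which forwards the peer application's identifier to the second KM.
All identifiers and addresses are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    kind: str                       # "register" / "update" (second request) or "query" (first request)
    requester: str                  # identifier of the requesting application
    requester_km: Tuple[str, str]   # (KM identifier, KM address) serving the requester:
                                    # third information on register/update, second information on query
    target: Optional[str] = None    # query only: application whose serving KM is wanted


class Registry:
    """Third device: application identifier -> (KM identifier, KM address) list."""

    def __init__(self) -> None:
        self.app_to_km: Dict[str, Tuple[str, str]] = {}

    def handle(self, req: Request) -> dict:
        if req.kind in ("register", "update"):
            self.app_to_km[req.requester] = req.requester_km   # bind or re-bind
            return {"status": "ok"}
        if req.kind == "query":
            entry = self.app_to_km.get(req.target or "")
            if entry is None:
                return {"status": "unknown_application"}     # peer never registered
            return {"status": "ok", "km_id": entry[0], "km_address": entry[1]}
        return {"status": "bad_request"}


class KeyManager:
    """Key-management-layer node; all KMs are indexed by identifier in one dict."""

    def __init__(self, km_id: str, addr: str, served_apps: Tuple[str, ...]) -> None:
        self.km_id, self.addr, self.served_apps = km_id, addr, set(served_apps)

    def target_app(self, app_id: str) -> Optional[str]:
        # Second KM: determine the application that is to receive the quantum key.
        return app_id if app_id in self.served_apps else None

    def forward_first_info(self, info: dict, kms: Dict[str, "KeyManager"]) -> Optional[str]:
        # First KM: parse the second KM's identifier/address out of the first
        # information and hand the peer application's identifier to that KM.
        second_km = kms.get(info["km_id"])
        if second_km is None or second_km.addr != info["km_address"]:
            return None                                      # unknown or inconsistent KM
        return second_km.target_app(info["peer_app"])


class Application:
    """Cryptographic application (the first or second application in the text)."""

    def __init__(self, name: str, km_id: str, km_addr: str) -> None:
        self.name, self.km = name, (km_id, km_addr)
        self.peer_info: Dict[str, dict] = {}                 # peer -> stored first information

    def register(self, registry: Registry) -> dict:
        return registry.handle(Request("register", self.name, self.km))

    def change_km(self, registry: Registry, km_id: str, km_addr: str) -> dict:
        self.km = (km_id, km_addr)
        return registry.handle(Request("update", self.name, self.km))

    def resolve_peer(self, registry: Registry, peer: str) -> Optional[dict]:
        result = registry.handle(Request("query", self.name, self.km, target=peer))
        if result["status"] != "ok":
            return None
        # First information: second KM identifier/address plus the peer's identifier,
        # stored in association with the peer.
        info = {"km_id": result["km_id"], "km_address": result["km_address"], "peer_app": peer}
        self.peer_info[peer] = info
        return info


def end_to_end_path(app: Application, registry: Registry, peer: str,
                    kms: Dict[str, KeyManager]) -> Optional[Tuple[str, str, str, str]]:
    """(first app, first KM, second KM, second app), or None if any hop fails."""
    info = app.resolve_peer(registry, peer)
    if info is None:
        return None
    target = kms[app.km[0]].forward_first_info(info, kms)
    if target is None:
        return None
    return (app.name, app.km[0], info["km_id"], target)


def demo() -> Optional[Tuple[str, str, str, str]]:
    kms = {"KM-1": KeyManager("KM-1", "10.0.0.1", ("app-A",)),
           "KM-2": KeyManager("KM-2", "10.0.0.2", ("app-B",))}
    registry = Registry()
    app_a = Application("app-A", "KM-1", "10.0.0.1")
    app_b = Application("app-B", "KM-2", "10.0.0.2")
    app_b.register(registry)     # Step 1 in the text (app-B's second request)
    app_a.register(registry)     # Step 3 (app-A's second request)
    return end_to_end_path(app_a, registry, "app-B", kms)   # Steps 5-6 and the KM hop


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields the path first application, first KM, second KM, second application that the summary below describes. A query for a peer that never registered fails cleanly, and an update that moves the peer to a KM the first KM does not know yields no path rather than a session to the wrong node, which is the case the update request exists to handle.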
In the quantum network communication method, apparatus, electronic device and storage medium provided by the embodiments of the present disclosure, the first application or the first device sends first information to the first KM, the first information being used to indicate the second KM that serves the second application or the second device. Because the first information indicates the second KM, and both the first KM and the second KM are located in the key management layer of the QKD network, the first KM can locate the second KM from the first information, establish a session with it and negotiate a quantum key for use by the first application and the second application; the second KM can then establish a session with the second application, completing end-to-end session creation along the path first application - first KM - second KM - second application and raising the probability that communication between the applications succeeds.
To implement the quantum network communication method of the embodiments of the present disclosure, the embodiments further provide a quantum network communication apparatus, arranged on the first device or the first application. As shown in Figure 6, the apparatus includes:
a first sending unit 61, configured to send first information to the first KM, the first information being used to indicate the second KM that serves the second application or the second device.
In one embodiment, the apparatus includes:
a determining unit, configured to determine the first information according to the correspondence between applications and KMs.
In one embodiment, the first information is the identifier and/or address of the second KM.
In one embodiment, the correspondence between applications and KMs is at least one of the following:
the correspondence between the identifier of an application and the identifier of a KM;
the correspondence between the identifier of an application and the address of a KM;
the correspondence between the address of an application and the address of a KM;
the correspondence between the address of an application and the identifier of a KM.
In one embodiment, the apparatus further includes:
an obtaining unit, configured to obtain the first information from the local configuration of the first application or the first device.
In one embodiment, the apparatus further includes:
a second sending unit, configured to send a first request to the second application or the second device, the first request being used to query the second KM that serves the second application or the second device; and
a first receiving unit, configured to receive the query result.
In one embodiment, the second device includes an application-layer device or a user network management layer device in the quantum secure communication network;
and/or the second application is a cryptographic application.
In one embodiment, the first request further carries second information, which is used to indicate the first KM that serves the first application or the first device.
In one embodiment, the apparatus includes:
a third sending unit, configured to send a second request to the third device when the first application or the first device accesses the quantum network for the first time, or when the KM that serves the first application or the first device changes;
where the second request further carries third information, which is used to indicate the first KM that serves the first application or the first device.
In one embodiment, the apparatus further includes:
a processing unit, configured to apply security protection to the following content and transmit it: the first information, the second information, the third information, the first request and its response result, and the second request and its response result.
In one embodiment, the first information further includes the identifier and/or address of the second application/the second device;
and the first information is further used by the first KM to forward the identifier and/or address of the second application/the second device to the second KM, so that the second KM can determine the second application/second device that is to receive the quantum key.
In practice, the first sending unit 61, the second sending unit, the third sending unit, the fourth sending unit and the first receiving unit may be implemented by a processor in the quantum network communication apparatus together with a communication interface, and the determining unit, the obtaining unit and the processing unit may be implemented by the processor in the quantum network communication apparatus.
It should be noted that when the quantum network communication apparatus provided in the above embodiments performs quantum network communication, the division into the program modules described above is only an example; in practice the processing may be allocated to different program modules as required, that is, the internal structure of the apparatus may be divided into different program modules to complete all or part of the processing described above. In addition, the quantum network communication apparatus of the above embodiments and the quantum network communication method embodiments belong to the same concept; refer to the method embodiments for the specific implementation, which is not repeated here.
基于上述程序模块的硬件实现,且为了实现本公开实施例的量子网络通信方法,本公开实施例还提供了一种电子设备,如图7所示,电子设备7包括:Based on the hardware implementation of the above program module, and in order to implement the quantum network communication method of the embodiment of the disclosure, the embodiment of the disclosure also provides an electronic device. As shown in Figure 7, the electronic device 7 includes:
第一通信接口71,能够与其他网络节点进行信息交互;The first communication interface 71 is capable of information exchange with other network nodes;
第一处理器72,与所述第一通信接口71连接,以实现与其他网络节点进行信息交互,用于运行计算机程序时,执行上述一个或多个技术方案提供的方法。而所述计算机程序存储在第一存储器73上。The first processor 72 is connected to the first communication interface 71 to implement information interaction with other network nodes, and is used to execute the method provided by one or more of the above technical solutions when running a computer program. The computer program is stored on the first memory 73 .
具体地,所述第一通信接口71,用于向第一KM发送第一信息;其中,所述第一信息用于指示为第二应用或第二设备提供服务的第二KM。Specifically, the first communication interface 71 is used to send first information to the first KM; wherein the first information is used to indicate the second KM that provides services for the second application or the second device.
在一实施例中,所述第一处理器72,用于根据应用与KM之间的对应关系,确定所述第一信息。In an embodiment, the first processor 72 is configured to determine the first information according to the corresponding relationship between the application and the KM.
在一实施例中,所述第一信息为第二KM的标识和/或地址。In one embodiment, the first information is the identification and/or address of the second KM.
在一实施例中,所述应用与KM之间的对应关系为以下至少之一:In one embodiment, the corresponding relationship between the application and the KM is at least one of the following:
应用的标识与KM的标识之间的对应关系;The correspondence between the application identifier and the KM identifier;
应用的标识与KM的地址之间的对应关系;The correspondence between the application identifier and the KM address;
应用的地址与KM的地址之间的对应关系;The correspondence between the application address and the KM address;
应用的地址与KM的标识之间的对应关系。The correspondence between the application address and the KM identifier.
在一实施例中,所述第一处理器72还用于:从所述第一应用或所述第一 设备的本地配置得到所述第一信息。In an embodiment, the first processor 72 is further configured to: obtain the data from the first application or the first The local configuration of the device obtains the first information.
在一实施例中,所述第一通信接口71还用于:In one embodiment, the first communication interface 71 is also used for:
向所述第二应用或所述第二设备发送第一请求;所述第一请求用于查询为所述第二应用或所述第二设备提供服务的第二KM;接收返回的查询结果。Send a first request to the second application or the second device; the first request is used to query a second KM that provides services for the second application or the second device; and receive the returned query result.
在一实施例中,所述第二设备包括量子保密通信网络中的应用层设备或者用户网络管理层设备;和/或,第二应用为密码应用。In one embodiment, the second device includes an application layer device or a user network management layer device in a quantum secure communication network; and/or the second application is a cryptographic application.
在一实施例中,所述第一请求还携带第二信息;所述第二信息用于指示为所述第一应用或所述第一设备提供服务的第一KM。In an embodiment, the first request also carries second information; the second information is used to indicate a first KM that provides services for the first application or the first device.
在一实施例中,所述第一通信接口71还用于:In one embodiment, the first communication interface 71 is also used for:
在所述第一应用或所述第一设备首次接入量子网络时,或者,在为所述第一应用或所述第一设备提供服务的KM发生变更时,向所述第三设备发送第二请求;其中,所述第二请求还携带第三信息;所述第三信息用于指示为所述第一应用或所述第一设备提供服务的第一KM。When the first application or the first device accesses the quantum network for the first time, or when the KM that provides services for the first application or the first device changes, a third device is sent to the third device. Two requests; wherein the second request also carries third information; the third information is used to indicate the first KM that provides services for the first application or the first device.
在一实施例中,所述第一处理器72还用于:对于以下内容进行安全保护,并传输:第一信息、第二信息、第三信息、第一请求及响应结果、第二请求及响应结果。In one embodiment, the first processor 72 is also configured to provide security protection for the following content and transmit: first information, second information, third information, first request and response result, second request and Response results.
在一实施例中,所述第一信息还包括:所述第二应用/所述第二设备的标识和/或地址;所述第一信息,还用于供所述第一KM将所述第二应用/所述第二设备的标识和/或地址转发至所述第二KM,用于供所述第二KM确定待接收量子密钥的第二应用/第二设备。需要说明的是:第一处理器72和第一通信接口71的具体处理过程可参照上述方法理解。In one embodiment, the first information further includes: the identification and/or address of the second application/the second device; the first information is also used for the first KM to transfer the The identity and/or address of the second application/second device is forwarded to the second KM for use by the second KM to determine the second application/second device to receive the quantum key. It should be noted that the specific processing procedures of the first processor 72 and the first communication interface 71 can be understood with reference to the above method.
当然,实际应用时,电子设备7中的各个组件通过总线系统74耦合在一起。可理解,总线系统74用于实现这些组件之间的连接通信。总线系统74除包括数据总线之外,还包括电源总线、控制总线和状态信号总线。但是为了清楚说明起见,在图7中将各种总线都标为总线系统74。Of course, in actual application, various components in the electronic device 7 are coupled together through the bus system 74 . It can be appreciated that the bus system 74 is used to implement connection communications between these components. In addition to the data bus, the bus system 74 also includes a power bus, a control bus and a status signal bus. However, for the sake of clarity, the various buses are labeled bus system 74 in FIG. 7 .
本公开实施例中的第一存储器73用于存储各种类型的数据以支持电子设备7的操作。这些数据的示例包括:用于在电子设备7上操作的任何计算机程序。The first memory 73 in the embodiment of the present disclosure is used to store various types of data to support the operation of the electronic device 7 . Examples of such data include any computer program used to operate on the electronic device 7 .
上述本公开实施例揭示的方法可以应用于所述第一处理器72中,或者 由所述第一处理器72实现。所述第一处理器72可能是一种集成电路芯片,具有信号的处理能力。在实现过程中,上述方法的各步骤可以通过所述第一处理器72中的硬件的集成逻辑电路或者软件形式的指令完成。上述的所述第一处理器72可以是通用处理器、数字信号处理器(Digital Signal Processor,DSP),或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。所述第一处理器72可以实现或者执行本公开实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本公开实施例所公开的方法的步骤,可以直接体现为硬件译码处理器执行完成,或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于存储介质中,该存储介质位于第一存储器73,所述第一处理器72读取第一存储器73中的信息,结合其硬件完成前述方法的步骤。The methods disclosed in the above embodiments of the present disclosure can be applied to the first processor 72, or Implemented by the first processor 72 . The first processor 72 may be an integrated circuit chip having signal processing capabilities. During the implementation process, each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the first processor 72 . The above-mentioned first processor 72 may be a general processor, a digital signal processor (Digital Signal Processor, DSP), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The first processor 72 can implement or execute the disclosed methods, steps and logical block diagrams in the embodiments of the present disclosure. A general-purpose processor may be a microprocessor or any conventional processor, etc. The steps of the method disclosed in conjunction with the embodiments of the present disclosure can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, and the storage medium is located in the first memory 73. The first processor 72 reads the information in the first memory 73, and completes the steps of the foregoing method in combination with its hardware.
在示例性实施例中,电子设备7可以被一个或多个应用专用集成电路(Application Specific Integrated Circuit,ASIC)、DSP、可编程逻辑器件(Programmable Logic Device,PLD)、复杂可编程逻辑器件(Complex Programmable Logic Device,CPLD)、现场可编程门阵列(Field-Programmable Gate Array,FPGA)、通用处理器、控制器、微控制器(Micro Controller Unit,MCU)、微处理器(Microprocessor)、或者其他电子元件实现,用于执行前述方法。In an exemplary embodiment, the electronic device 7 may be configured by one or more application specific integrated circuits (Application Specific Integrated Circuit, ASIC), DSP, programmable logic device (Programmable Logic Device, PLD), complex programmable logic device (Complex Programmable Logic Device (CPLD), Field-Programmable Gate Array (FPGA), general-purpose processor, controller, microcontroller (Micro Controller Unit, MCU), microprocessor (Microprocessor), or other electronic Component implementation, used to execute the aforementioned methods.
It can be understood that the memory (first memory 73) in the embodiments of the present disclosure may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a ferromagnetic random access memory (FRAM), a flash memory, a magnetic surface memory, an optical disc, or a compact disc read-only memory (CD-ROM); the magnetic surface memory may be a magnetic disk memory or a magnetic tape memory. The volatile memory may be a random access memory (RAM), which is used as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), SyncLink dynamic random access memory (SLDRAM), and direct Rambus random access memory (DRRAM). The memory described in the embodiments of the present disclosure is intended to include, but is not limited to, these and any other suitable types of memory.
In an exemplary embodiment, the embodiments of the present disclosure also provide a storage medium, namely a computer storage medium, specifically a computer-readable storage medium, for example including the first memory 73 storing a computer program, where the computer program can be executed by the first processor 72 of the electronic device 7 to complete the steps of the aforementioned first-terminal-side method. The computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disc, or CD-ROM.
It should be noted that "first", "second", etc. are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.
The term "and/or" herein merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the term "at least one" herein means any one of a plurality, or any combination of at least two of a plurality; for example, "including at least one of A, B and C" may mean including any one or more elements selected from the set consisting of A, B and C.
In addition, the technical solutions described in the embodiments of the present disclosure may be combined arbitrarily, provided there is no conflict between them.
The above description covers only preferred embodiments of the present disclosure and is not intended to limit the scope of protection of the present disclosure.

Claims (15)

  1. A quantum network communication method, applied to a first application or a first device, the method comprising:
    sending first information to a first quantum key manager (KM), the first information being used to indicate a second KM that provides services for a second application or a second device.
  2. The method according to claim 1, further comprising:
    determining the first information according to a correspondence between applications and KMs.
  3. The method according to claim 2, wherein the first information is an identifier and/or an address of the second KM.
  4. The method according to claim 2, wherein the correspondence between applications and KMs is at least one of the following:
    a correspondence between an application identifier and a KM identifier;
    a correspondence between an application identifier and a KM address;
    a correspondence between an application address and a KM address;
    a correspondence between an application address and a KM identifier.
  5. The method according to any one of claims 1 to 4, wherein before sending the first information to the first KM, the method further comprises:
    obtaining the first information from a local configuration of the first application or the first device.
  6. The method according to any one of claims 1 to 4, wherein before sending the first information to the first KM, the method further comprises:
    sending a first request to the second application or the second device, the first request being used to query the second KM that provides services for the second application or the second device;
    receiving the returned query result.
  7. The method according to claim 6, wherein
    the second device comprises an application-layer device or a user-network-management-layer device in a quantum secure communication network;
    and/or the second application is a cryptographic application.
  8. The method according to claim 6, wherein the first request further carries second information, the second information being used to indicate the first KM that provides services for the first application or the first device.
  9. The method according to any one of claims 1 to 4, further comprising:
    when the first application or the first device accesses the quantum network for the first time, or when the KM that provides services for the first application or the first device changes, sending a second request to a third device;
    wherein the second request further carries third information, the third information being used to indicate the first KM that provides services for the first application or the first device.
  10. The method according to any one of claims 1 to 4, further comprising:
    applying security protection to, and transmitting, the following: the first information, the second information, the third information, the first request and its response result, and the second request and its response result.
  11. The method according to claim 2 or 3, wherein the first information further comprises:
    an identifier and/or an address of the second application/second device;
    the first information being further used for the first KM to forward the identifier and/or address of the second application/second device to the second KM, so that the second KM can determine the second application/second device that is to receive the quantum key.
  12. A quantum network communication apparatus, comprising:
    a first sending unit, configured to send first information to a first KM, wherein the first information is used to indicate a second KM that provides services for a second application or a second device.
  13. An electronic device, comprising a first processor and a first communication interface, wherein the first communication interface is configured to send first information to a first KM, and the first information is used to indicate a second KM that provides services for a second application or a second device.
  14. An electronic device, comprising a first processor and a first memory for storing a computer program capable of running on the first processor,
    wherein the first processor is configured to execute the steps of the method according to any one of claims 1 to 11 when running the computer program.
  15. A storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 11.
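The KM discovery exchange of claims 1 to 11, modelled as an added Python example (this is not code from the patent; the KM and App classes, the shared KM registry, the message field names and the sample identifiers and addresses are all constructed assumptions). It shows both resolution paths: the local correspondence table of claims 4 and 5, and the first request to the peer of claims 6 and 8, followed by the first KM forwarding the peer's identity to the second KM as in claim 11.

```python
from dataclasses import dataclass, field

@dataclass
class KM:
    km_id: str
    addr: str
    registry: dict = field(default_factory=dict)    # assumed shared directory: KM id -> KM
    recipients: list = field(default_factory=list)  # applications designated to receive keys
    def receive_first_information(self, info):
        # Claims 1 and 3: the first information names the second KM by identifier/address.
        second_km = self.registry[info["second_km_id"]]
        # Claim 11: forward the second application's identifier/address to the second KM,
        # which uses it to determine the application that is to receive the quantum key.
        return second_km.designate_recipient(info["second_app_id"], info["second_app_addr"])
    def designate_recipient(self, app_id, app_addr):
        self.recipients.append((app_id, app_addr))
        return {"second_km": self.km_id, "recipient": app_id}

@dataclass
class App:
    app_id: str
    addr: str
    km: KM                                           # the KM serving this application
    local_table: dict = field(default_factory=dict)  # claims 4/5: app id or address -> (KM id, KM addr)
    def answer_first_request(self, request):
        # Claims 6 and 8: a peer asks which KM serves us; its request carries the peer's own KM.
        return {"km_id": self.km.km_id, "km_addr": self.km.addr, "for_km": request["first_km_id"]}
    def resolve_second_km(self, peer):
        # Claim 5: consult local configuration first, keyed by the peer's identifier or address.
        rec = self.local_table.get(peer.app_id) or self.local_table.get(peer.addr)
        if rec is None:
            # Claim 6: otherwise query the peer and take the returned result.
            reply = peer.answer_first_request({"query": "serving_km", "first_km_id": self.km.km_id})
            rec = (reply["km_id"], reply["km_addr"])
        return rec
    def send_first_information(self, peer):
        km_id, km_addr = self.resolve_second_km(peer)
        first_info = {"second_km_id": km_id, "second_km_addr": km_addr,
                      "second_app_id": peer.app_id, "second_app_addr": peer.addr}
        return self.km.receive_first_information(first_info)

def demo():
    # Constructed sample topology: two KMs and two applications; only alice has a local table.
    registry = {}
    km_a, km_b = KM("KM-A", "10.0.0.1", registry), KM("KM-B", "10.0.0.2", registry)
    registry.update({"KM-A": km_a, "KM-B": km_b})
    alice = App("app-alice", "192.0.2.10", km_a, {"app-bob": ("KM-B", "10.0.0.2")})
    bob = App("app-bob", "192.0.2.20", km_b)   # no local configuration: must query alice
    return alice.send_first_information(bob), bob.send_first_information(alice)
```

Claim 10 requires that these messages be transmitted under security protection; the example leaves transport protection out and models only the information flow.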
PCT/CN2023/096317 2022-05-25 2023-05-25 Quantum network communication method and apparatus, electronic device and storage medium WO2023227067A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210583447.0 2022-05-25
CN202210583447.0A CN117176333A (en) 2022-05-25 2022-05-25 Quantum network communication method, quantum network communication device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2023227067A1 (en) 2023-11-30

Family

ID=88918578

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/096317 WO2023227067A1 (en) 2022-05-25 2023-05-25 Quantum network communication method and apparatus, electronic device and storage medium

Country Status (2)

Country Link
CN (1) CN117176333A (en)
WO (1) WO2023227067A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060062392A1 (en) * 2004-07-08 2006-03-23 Magiq Technologies, Inc. Key manager for QKD networks
CN114362936A (en) * 2020-12-30 2022-04-15 广东国腾量子科技有限公司 Secret key relay method in communication network based on quantum secrecy

Also Published As

Publication number Publication date
CN117176333A (en) 2023-12-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23811137

Country of ref document: EP

Kind code of ref document: A1