WO2024012529A1 - Key management method and apparatus, and device and storage medium - Google Patents

Key management method and apparatus, and device and storage medium Download PDF

Info

Publication number
WO2024012529A1
WO2024012529A1 PCT/CN2023/107243 CN2023107243W WO2024012529A1 WO 2024012529 A1 WO2024012529 A1 WO 2024012529A1 CN 2023107243 W CN2023107243 W CN 2023107243W WO 2024012529 A1 WO2024012529 A1 WO 2024012529A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
sent
quantum
message
send
Prior art date
Application number
PCT/CN2023/107243
Other languages
French (fr)
Chinese (zh)
Inventor
田野
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中国移动通信有限公司研究院, 中国移动通信集团有限公司 filed Critical 中国移动通信有限公司研究院
Publication of WO2024012529A1 publication Critical patent/WO2024012529A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Definitions

  • the present disclosure relates to the field of communication technology, and in particular, to a key management method, device, equipment and storage medium.
  • Key technology is a commonly used technical means in the current communication field to protect the security of transmission content, including symmetric keys, asymmetric keys, etc. It is understandable that keys are time-sensitive and require constant updating to ensure the freshness of keys and the security of communications.
  • the current key update method is relatively complicated, so how to update the key in a timely, effective and simple manner is an urgent problem that needs to be solved.
  • embodiments of the present disclosure provide a key management method, device, equipment and storage medium.
  • the embodiment of the present disclosure provides a key management method, applied to the first device, including:
  • Perform an operation related to the first message and obtain at least one of the following: a first key, a second key, and a third key;
  • At least one of the first key, the second key, and the third key is sent to the second device.
  • the embodiment of the present disclosure also provides a key management method, applied to the second device, including:
  • Embodiments of the present disclosure also provide a key management method, applied to a third device, including:
  • An embodiment of the present disclosure also provides a key management device, including:
  • a first receiving unit configured to receive the first message sent by the second device
  • An execution unit configured to perform operations related to the first message and obtain at least one of the following: a first key, a second key, and a third key;
  • the first sending unit is used to send at least one of the first key, the second key and the third key to the second device.
  • An embodiment of the present disclosure also provides a key management device, including:
  • the second sending unit is used to send the first message to the first device
  • An embodiment of the present disclosure also provides a key management device, including:
  • the second receiving unit is configured to receive at least one of the first key, the second key and the third key sent by the first device and/or the second device.
  • An embodiment of the present disclosure also provides a first device, including: a first processor and a first communication interface; wherein,
  • the first communication interface is used to receive the first message sent by the second device
  • the first processor is configured to perform operations related to the first message and obtain at least one of the following: a first key, a second key, and a third key;
  • the first communication interface is also used to send at least one of the first key, the second key and the third key to the second device.
  • An embodiment of the present disclosure also provides a second device, including: a second processor and a second communication interface mouth; among them,
  • the second communication interface is used to send a first message to the first device; and to receive at least one of the first key, the second key and the third key sent by the first device.
  • Embodiments of the present disclosure also provide a third device, including: a third processor and a third communication interface; wherein,
  • the third communication interface is used to receive at least one of the first key, the second key and the third key sent by the first device and/or the second device.
  • An embodiment of the present disclosure also provides a first device, including: a first processor and a first memory for storing a computer program capable of running on the processor,
  • the first processor is configured to execute the steps of any method on the first device side when running the computer program.
  • An embodiment of the present disclosure also provides a second device, including: a second processor and a second memory for storing a computer program capable of running on the processor,
  • the second processor is configured to execute the steps of any method on the second device side when running the computer program.
  • Embodiments of the present disclosure also provide a third device, including: a third processor and a third memory for storing a computer program capable of running on the processor,
  • the third processor is configured to execute the steps of any method on the third device side when running the computer program.
  • Embodiments of the present disclosure also provide a storage medium on which a computer program is stored.
  • the computer program is executed by a processor, the steps of any method on the first device side are implemented, or any method on the second device side is implemented. or implement any of the above methods on the third device side.
  • the first device receives the first message sent by the second device; performs operations related to the first message, and obtains at least one of the following: The first key, the second key and the third key; sending at least one of the first key, the second key and the third key to the second device.
  • the first device performs While performing operations related to the first message, a key is generated for the second device. This eliminates the need for the second device to increase the storage space of the secure medium and can promptly replenish new keys, ensuring that the second device secures the security of the second device in a low-cost and efficient manner. Always provision sufficient keys.
  • Figure 1 is a schematic flow chart of a key management method according to an embodiment of the present disclosure
  • Figure 2 is a schematic flow chart of another key management method according to an embodiment of the present disclosure.
  • Figure 3 is a schematic flow chart of a third key management method according to an embodiment of the present disclosure.
  • Figure 4 is a schematic diagram of the interaction flow of a key management method according to an application embodiment of the present disclosure
  • Figure 5 is a schematic diagram of the interaction flow of another key management method according to an application embodiment of the present disclosure.
  • Figure 6 is a schematic structural diagram of a key management device according to an embodiment of the present disclosure.
  • Figure 7 is a schematic structural diagram of another key management device according to an embodiment of the present disclosure.
  • Figure 8 is a schematic structural diagram of a third key management device according to an embodiment of the present disclosure.
  • Figure 9 is a schematic structural diagram of the first equipment according to the embodiment of the present disclosure.
  • Figure 10 is a schematic structural diagram of the second equipment according to the embodiment of the present disclosure.
  • Figure 11 is a schematic structural diagram of a third device according to an embodiment of the present disclosure.
  • each communication device stores a certain amount of keys for secure communication with the peer or for secure storage of local information. Since keys are time-sensitive and a certain amount of keys pre-stored by the device will be gradually consumed with use, keys need to be updated regularly or irregularly.
  • the key update method in the related art requires setting up an additional key update process, and the key update process itself also requires consuming pre-stored keys, thus increasing the cost of device key update and the overhead of information interaction.
  • Quantum key refers to: a quantum key generated by a quantum random number generator based on the basic principles of quantum mechanics, or through the Quantum Key Distribution (QKD) network
  • QKD Quantum Key Distribution
  • quantum secure communication system multiple devices participating in the communication need to obtain a consistent quantum key through negotiation, which is used to encrypt and protect the data information transmitted between users to prevent attackers from illegally eavesdropping, tampering, and replaying the information content. and other attacks, causing information leakage.
  • terminal devices generally do not have the ability to generate quantum keys
  • quantum key communications are generated by the quantum key management center and then distributed to terminal devices for use.
  • the quantum key management center uses offline filling to place the quantum symmetric key in the secure medium and/or secure storage space of the terminal device.
  • the terminal can use the preset quantum symmetric key to securely access the quantum key.
  • key management center and achieve secure communication. For example, device identity authentication, message encryption, integrity protection, source authentication, etc. are implemented based on preset quantum symmetric keys.
  • the preset quantum symmetric key is one-time and will be destroyed after use. Therefore, each secure communication will consume a preset quantum symmetric key until the preset quantum symmetric key on the terminal side is exhausted.
  • terminal equipment needs to be able to store a large number of quantum symmetric keys in advance.
  • the storage space of the local security medium of the terminal device is limited, and the number of quantum symmetric keys that can be accommodated in one filling is limited.
  • To expand the storage space of the security medium of the terminal device and achieve large-scale storage of quantum symmetric keys will lead to terminal costs. An order of magnitude increase. If the number of preset quantum symmetric keys on the terminal device is limited, users will be forced to frequently go to the quantum key service site to refill the quantum symmetric key offline for the terminal, which reduces the user's application experience.
  • the first device receives the first message sent by the second device; performs operations related to the first message, and obtains at least one of the following: a first key, a second key and a third key; sending at least one of the first key, the second key, and the third key to the second device.
  • the first device while performing the first message-related operation, the first device The second device generates the key, thereby eliminating the need for the second device to increase the storage space of the secure medium and simultaneously replenishing new keys in a timely manner. This low-cost and efficient method ensures that the second device is always preset with sufficient keys.
  • An embodiment of the present disclosure provides a key management method, applied to a first device.
  • the method includes:
  • Step 101 Receive the first message sent by the second device.
  • the first device may be a key management center or a key manager (Key Manager, KM) of the QKD network.
  • the first device can be a unified security service platform, key management system or key management center, etc., used to provide unified key management services for a variety of different businesses; it can also be a key management device for a specific business.
  • the first device can be a key management platform for long-term evolution voice bearer (Voice over Long-Term Evolution, VoLTE) encrypted call service.
  • VoLTE long-term evolution voice bearer
  • the first device may also be called a password security service center, password service center, security service center or security center, etc.
  • the embodiments of the present disclosure are not only applicable to scenarios where traditional networks and/or systems use ordinary keys, but can also be applied to scenarios where quantum keys are used. It is easy to understand that when the embodiment of the present disclosure is applied to a quantum key scenario, "key” can be further understood as “quantum key”, “cryptographic security service center” can be further understood as “quantum cryptographic security service center”, “ “Cryptographic Service Center” can be further understood as “Quantum Crypto Service Center”, “Security Service Center” can be further understood as “Quantum Security Service Center”, “Security Center” can be further understood as “Quantum Security Center”, and so on, which will not be repeated. .
  • the second device may be a terminal device or other devices.
  • encryption gateway encryption Routers, encryption switches, etc. It can be a mobile device or a fixed device, a wired device or a wireless device.
  • the first message may be a request message during the communication interaction process, such as a query request, an access request, an update request, a deletion request, an access request, an authentication request, an authentication request, a service request, a key request, etc.
  • the first message may also be It is notification, response, response and other messages during communication interaction. The above are only examples, and the embodiment of the present disclosure does not place any limitation on the form of the first message.
  • Step 102 Perform an operation related to the first message, and obtain at least one of the following: a first key, a second key, and a third key.
  • Step 103 Send at least one of the first key, the second key and the third key to the second device.
  • the first device performs an operation related to the first message, which can be understood as: when the first message is a request message, the first device performs an operation corresponding to the corresponding request. For example, if the first message is used to request query information 1, then the first device performs a query operation for information 1; for another example, if the first message is used to request access authentication, then the first device performs authentication of the access end, including the first A device authenticates the access terminal, or requests other devices to authenticate the access terminal; when the first message is a notification message, the first device performs an operation corresponding to the corresponding notification. For example, the first device stores the information content informed by the corresponding notification, or does not perform an operation, or sends a confirmation response about the notification to the peer device, etc.
  • the first device When the first message is a response message or an answer message, the first device performs a corresponding response or an operation corresponding to the response. For example, the first device sends message 1 to the second device, and the second device replies with a response or response about message 1.
  • the first device processes the response or response, such as determining whether the content of the response or response is correct, and for example, storing the response. Or the information content of the response, for example, no processing of the response or response, etc.
  • step 102 the execution time sequence between "performing the operation related to the first message” and “obtaining at least one of the following: the first key, the second key, and the third key” is not limited. , but it should be understood that after receiving the first message, the first device needs to perform operations related to the first message and also obtain the corresponding key.
  • the first key may be generated by the first device, or may be obtained by the first device from other devices, or the first device may obtain an intermediate key or a random number from other devices, and then provide the first key to the first key.
  • a device is processed to obtain the first key.
  • the first key can be a quantum key provided by the QKD network, or a quantum random number or quantum key generated by a quantum random number generator, or an ordinary key generated by a physical noise source, or It is an ordinary key generated by a pseudo-random number generator, etc.
  • the first key may be a symmetric key or an asymmetric key.
  • the first key is a symmetric key, in addition to sending the first key to the second device, the first device also needs to store the first key locally to achieve key sharing.
  • the first key is an asymmetric key
  • the first key may be a public key and/or a private key.
  • the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
  • the secure communication between the first device and the second device can be understood as directly using the first key to securely protect the information exchanged between the first device and the second device, or directly using the first key to securely protect the information exchanged between the first device and the second device.
  • the identity authentication between one device and the second device can also be understood as using the first key to further derive other keys, which are used to securely protect the information interacted between the first device and the second device, or for the first device Perform identity authentication with the second device.
  • security protection includes encryption and/or integrity protection, etc.
  • the secure storage of the local information of the second device can be understood as the secure storage of the local information of the second device, such as encryption and/or integrity, by directly using the first key or other keys derived from the first key. Protection etc.
  • sending the first key to the second device includes:
  • the first key that is securely protected by the fourth key is sent to the second device.
  • the fourth key is a shared key between the first device and the second device.
  • the fourth key can be understood as a shared key between the first device and the second device, such as a key for security protection of the first message.
  • obtaining the first key includes:
  • Send the first key to the second device including:
  • the method further includes:
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • the secure communication between the first device and the third device can be understood as directly using the second key to securely protect the information exchanged between the first device and the third device, or directly using the second key to securely protect the third device.
  • the identity authentication between the first device and the third device can also be understood as using the second key to further derive other keys, which are used to securely protect the information interacted between the first device and the third device, or for the first device Perform identity authentication on both sides with the third device.
  • security protection includes encryption and/or integrity protection, etc.
  • the second key can be a quantum key provided by the QKD network, or a quantum random number or quantum key generated by a quantum random number generator, or an ordinary key generated by a physical noise source, or It is an ordinary key generated by a pseudo-random number generator, etc.
  • the second key may be a symmetric key or an asymmetric key.
  • the second key is a symmetric key, in addition to sending the second key to the third device, the first device also needs to store the second key locally to achieve key sharing.
  • the second key is an asymmetric key
  • the second key may be a public key and/or a private key.
  • the third device may be a terminal device or other devices.
  • encryption gateway encryption router, encryption switch, etc. It can be a mobile device or a fixed device, a wired device or a wireless device.
  • the secure storage of the local information of the third device can be understood as the secure storage of the local information of the third device by directly using the second key or other keys derived from the second key, such as encryption and/or integrity. Protection etc.
  • sending the second key to the second device includes:
  • the second key that is securely protected using the fifth key is sent to the second device.
  • the fifth key is a shared key between the first device and the third device.
  • the fifth key can be understood as the key shared by the first device and the third device. Therefore, even if the second device obtains the second key, since the second key is encrypted by the fifth key, The second device cannot learn the fifth key, thus ensuring the security of the transmission of the second key.
  • the method further includes:
  • sending the second key to the third device includes:
  • the second key that is securely protected using the fifth key is sent to the third device.
  • the fifth key is a shared key between the first device and the third device.
  • obtaining the second key includes:
  • Send the second key to the second device and/or the third device including:
  • the method further includes:
  • the third key is used for secure communication between the second device and the third device.
  • the secure communication between the second device and the third device can be understood as directly using the third key to securely protect the information exchanged between the second device and the third device, or directly using the third key to securely protect the information exchanged between the second device and the third device.
  • the identity authentication between the second device and the third device can also be understood as using the third key to further derive other keys, which are used to securely protect the information interacted between the second device and the third device, or for the second device Perform identity authentication on both sides with the third device.
  • security protection includes encryption and/or integrity protection, etc.
  • sending the third key to the second device includes:
  • the third key that is securely protected by using the fourth key and the fifth key is sent to the second device.
  • the fourth key is a shared key between the first device and the second device
  • the fifth key is a shared key between the first device and the third device.
  • the fourth key and the fifth key are used to securely protect the third key, that is, the fourth key is used to securely protect the third key to obtain the first information, and the fifth key is used to securely protect the third key.
  • Securely protect the third key to obtain the second information and send both the first and second information to the second device.
  • the second device can use the shared fourth key to decrypt the first information and obtain the second information.
  • Three keys At the same time, the second device transmits the second information to the third device. After receiving the second information, the third device can decrypt the second information using the shared fifth key, thereby obtaining the third key.
  • the method further includes:
  • sending the third key to the third device includes:
  • the third key that is securely protected by the fifth key is sent to the third device.
  • the fifth key is a shared key between the first device and the third device.
  • obtaining the third key includes:
  • Send the third key to the second device and/or the third device including:
  • the third key can be a quantum key provided by the QKD network, or a quantum random number or quantum key generated by a quantum random number generator, or an ordinary key generated by a physical noise source, or It is an ordinary key generated by a pseudo-random number generator, etc.
  • the third key may be a symmetric key or an asymmetric key.
  • the method further includes:
  • the message sent by the first device carries a timestamp.
  • a timestamp is carried in the message sent by the first device, and the timestamp is used to prevent message replay attacks. Furthermore, a timestamp is carried in the quantum key management related message to resist attackers. Replay attacks on quantum keys.
  • the message sent by the first device includes, but is not limited to, the first device is used to send at least one of the first key, the second key and the third key to the second device and/or Messages from the third device.
  • the messages sent by the first device may include: all or part of the messages sent by the first device for interaction between the first device and the second device, the third device and/or other devices.
  • the embodiment of the present disclosure also provides a key management method, applied to the second device.
  • the method includes:
  • Step 201 Send the first message to the first device.
  • Step 202 Receive at least one of the first key, the second key and the third key sent by the first device.
  • the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
  • receiving the first key sent by the first device includes:
  • the fourth key is used to decrypt the securely protected first key.
  • receiving the first key sent by the first device includes:
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • receiving the second key sent by the first device includes:
  • the second key that is securely protected using the fifth key is sent to the third device.
  • the method further includes:
  • the third key is used for secure communication between the second device and the third device.
  • receiving the third key sent by the first device includes:
  • the fourth key is a shared key between the first device and the second device
  • the fifth key is a shared key between the first device and the third device.
  • receiving the third key includes:
  • the message sent by the second device carries a timestamp.
  • a timestamp is carried in the message sent by the second device, which is used to prevent message replay attacks. Furthermore, a timestamp is carried in the message related to quantum key management, which can resist the attacker's replay of the quantum key. Let attack.
  • the message sent by the second device includes but is not limited to the first message sent by the second device to the first device and/or the third device.
  • the messages sent by the second device may include: all or part of the messages sent by the second device for interaction between the second device and the first device, the third device and/or other devices.
  • embodiments of the present disclosure also provide a key management method, applied to a third device.
  • the method includes:
  • Step 301 Receive at least one of the second key and the third key sent by the first device and/or the second device.
  • the second key and the third key may be received by the third device from the same device, for example, both are received from the first device or both are received from the second device, or they may be received by the third device from different devices.
  • the second key is received from the first device
  • the third key is received from the second device.
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • receiving the second key sent by the first device and/or the second device includes:
  • the fifth key is a shared key between the first device and the third device.
  • receiving the second key includes:
  • the third key is used for secure communication between the second device and the third device.
  • receiving the third key sent by the second device includes:
  • the third key secured by the fifth key is decrypted using the fifth key.
  • the fifth key is a shared key between the first device and the third device.
  • receiving the third key sent by the first device includes:
  • the third key secured by the fifth key is decrypted using the fifth key.
  • the fifth key is a shared key between the first device and the third device.
  • receiving the third key includes:
  • the method further includes:
  • the second message is used to indicate the result of returning the key reception.
  • the message sent by the third device carries a timestamp.
  • a timestamp is carried in the message sent by the third device, which is used to prevent message replay attacks. Furthermore, a timestamp is carried in the message related to quantum key management to resist the attacker's replay of the quantum key. Let attack.
  • the messages sent by the third device include but are not limited to: all messages sent by the third device for interaction between the third device and the first device, the second device and/or other devices. message or part of a message.
  • the first device generates a key for the second device while performing operations related to the first message. That is to say, after receiving the first message, the first device considers that the first device is conducting the first communication with the second device. Message-related communication will consume the key, or the first device finds that the second device has not updated the key within a period of time after receiving the first message, and then supplements the new key for the second device while performing the first message-related operation. key, thus ensuring that the second device is always preset with sufficient keys at low cost and efficiently without the need for the second device to increase the storage space of the security medium.
  • the solutions of the disclosed embodiments can be used to implement ordinary or quantum Handy complement of symmetric/asymmetric keys.
  • (Quantum) here means a scenario where quantum is possible.
  • (quantum) symmetric key can be understood as: ordinary symmetric key or quantum symmetric key. The subsequent brackets have the same meaning and will not be repeated.) .
  • the terminal accesses the (quantum) key management center and performs identity authentication and establishes a secure channel based on the (quantum) symmetric key
  • the terminal accesses the (quantum) key management center, based on the (quantum) symmetric key
  • the solutions of the disclosed embodiments can be used to implement (quantum) symmetric encryption.
  • a handy addition to the key when the (quantum) symmetric key shared with the terminal is used and consumed, for example, when the terminal performs identity authentication when accessing the (quantum) key center, there is a gap between the terminal and the (quantum) key center.
  • the (quantum) key center not only processes the relevant messages of the terminal, but also generates new (quantum) symmetric keys and uses the old (quantum) symmetric keys.
  • the new (quantum) symmetric key is securely protected, and then the securely protected new (quantum) symmetric key is provided to the terminal.
  • the terminal uses the old (quantum) symmetric key to decrypt and/or integrity protection check the new (quantum) symmetric key received, and after the decryption and/or integrity protection check is successful, the new ( Quantum) symmetric key Secure storage, thereby promptly replenishing the terminal's local (quantum) symmetric key.
  • the terminal can return a message to the (quantum) key center to confirm the result of the new (quantum) symmetric key reception (such as successful reception or reception failure); or it may not return any message to indicate that the (quantum) symmetric key has been successfully received. Key reception failed.
  • the (quantum) key center can destroy the old (quantum) symmetric key when the terminal receives it successfully, and the new (quantum) symmetric key is stored in the (quantum) key center and the terminal's local key pool in for later use when necessary.
  • quantum symmetric keys are used for illustration below. It is easy to understand that the following examples are Methods can also be applied to ordinary symmetric keys, ordinary asymmetric keys, or quantum asymmetric keys.
  • FIG 4 shows a schematic diagram of the interaction process of terminal A initiating the number binding service provided by the application embodiment of the present disclosure.
  • the interaction process includes:
  • Step 1 When it is necessary to interact with the quantum key management center and bind the mobile phone number to the password card and/or password resources, terminal A sends a service request message to the quantum key management center.
  • terminal A selects a valid quantum symmetric key KA from the local preconfigured quantum symmetric key pool, and uses KA or a symmetric key KA derived based on KA ', encrypt and/or integrity protect all or part of the information content of the service request message.
  • the service request message carries the identity of terminal A, the service type bound to the mobile phone number, and a Hash-based Message Authentication Code (HMAC) used to protect the integrity of the message.
  • HMAC Hash-based Message Authentication Code
  • It carries KA 's key identification K ID _A, timestamp or sequence number and other information to prevent message replay.
  • Step 2 The quantum key management center queries based on the terminal identification and key identification, obtains the quantum symmetric key KA shared with terminal A through pre-configuration, and uses KA or the symmetric key derived based on KA Key K A ' is used to perform integrity protection verification and decryption of the service request message. Afterwards, the number binding service requested by terminal A is processed.
  • the quantum key management center generates a new quantum symmetric key K A _new for the called terminal A, and correspondingly distributes a new key identification K ID _A_new.
  • the quantum symmetric key is generated by a quantum random number generator.
  • Step 3 The quantum key management center returns a service response message to terminal A, which carries business-related information, the newly generated quantum symmetric key K A _new, and optionally also carries the new key identification K ID _A_new and a timestamp. or serial number and other information. All or part of the information content of the service response message is encrypted and/or integrity protected using KA or the symmetric key KA ' derived based on KA .
  • Step 4 Terminal A uses KA or the symmetric key KA ' derived based on KA to verify and decrypt the service response message to complete business-related processing. At the same time, obtain the new quantum symmetric key K A _new generated by the quantum key management center. Optionally, terminal A also obtains the corresponding key identification K ID _A_new, and will obtain the new quantum symmetric key K A _new and/or the corresponding key identification K ID _A_new are securely stored, allowing the pre-shared quantum symmetric key to be supplemented. In addition, if the service response message does not carry the key identification K ID _A_new, terminal A needs to generate the corresponding key identification K ID _A_new according to the method agreed with the quantum key management center in advance.
  • step 5 Terminal A returns a message to the quantum key management center, which carries the key identification K ID _A_new to confirm that the quantum key K A _new has been successfully received.
  • the message also carries a timestamp. or serial number and other information.
  • the message can be securely protected based on KA or the symmetric key KA ' derived from KA .
  • terminal A and the quantum key management center will destroy the used K A.
  • step 5 is not performed, then the quantum key management center will destroy the used K A after step 3 and terminal A after step 4.
  • Figure 5 shows a schematic diagram of the interaction process of terminal A initiating the number binding service provided by the application embodiment of the present disclosure.
  • the interaction process includes:
  • Step 1 When the user makes an encrypted phone call, the calling terminal A initiates an encrypted phone call request.
  • Step 2 The calling terminal A and the called terminal B perform call connection through the application server (Application Server, AS).
  • AS Application Server
  • AS is the Session Initialization Protocol (SIP) server responsible for implementing telephone service functions; for encrypted telephone services based on VoLTE or New Radio (Voice over New Radio, VoNR) or fixed telephone, AS is The IP Multimedia Subsystem (IMS) system is responsible for the server of telephone services, such as VoLTE AS.
  • SIP Session Initialization Protocol
  • IMS IP Multimedia Subsystem
  • Step 3 During the call connection process, the calling terminal A synchronously sends a key request message to the quantum key management center to apply for the quantum session key for this encrypted phone call, which is used to encrypt and protect the user's voice information.
  • the request message carries the identities of the calling terminal A and the called terminal B. Optionally, it also carries information such as a session identifier, a timestamp or a sequence number. Among them, timestamp or sequence number information is used to prevent message replay.
  • the calling terminal A obtains an unused preconfigured quantum symmetric key K A from the local area, and uses K A or the symmetric key K A ' derived based on K A to Request that all or part of the information content of a message be encrypted and/or integrity protected.
  • Step 4 After receiving the key request message, the quantum key management center queries and obtains the quantum symmetric key K A shared with the calling terminal A through pre-configuration based on the calling terminal identification and key identification, and uses KA or the symmetric key KA' derived based on KA performs integrity protection verification and decryption of the key request message. Afterwards, if the key request message carries a timestamp or sequence number, the freshness of the key request message is verified based on the timestamp or sequence number.
  • the quantum key management center After the integrity and freshness of the key request message are verified, the quantum key management center queries the called terminal ID and obtains a quantum symmetric key K B and K B shared with the called terminal B in a pre-configured manner. Corresponding key identification K ID _B. At the same time, the quantum key management center generates a quantum session key for this call, generates new quantum symmetric keys K A _new and K B _new for the calling terminal A and the called terminal B respectively, and distributes new key identifiers accordingly. KID_A_new and KID_B_new .
  • the quantum session key as well as the new quantum symmetric key are generated by a quantum random number generator.
  • Step 5 The quantum key management center forms a key response message, provides the session key Ks used in this call to the calling terminal A and the called terminal B, and generates a new quantum symmetric key K A _new and K B _new, optionally, also provide new key identifiers K ID _A_new and K ID _B_new and other related information. If the quantum key management center does not transmit K ID _A_new and K ID _B_new in the key response message, then the calling terminal A and the called terminal B, after receiving K A _new and K B _new, should use the quantum encryption method in advance. A certain method agreed upon by the key management center to allocate new K ID _A_new and K ID _B_new for quantum key synchronization, thereby maintaining synchronization with the quantum key management center.
  • the quantum key management center For the calling terminal A, the quantum key management center provides the calling terminal A with: quantum session key Ks, key identification K ID_A , calling terminal identification and new quantum symmetric key K A _new, optionally , and also provide session identification and/or new key identification K ID _A_new and/or timestamp or sequence number and other information.
  • the quantum key management center should use KA or the symmetric key KA ' derived based on KA , for Ks, and, optionally, KA _new, K ID _A_new and other related information are encrypted and/or integrity protected to obtain integrity protected verification results, such as HMAC A.
  • the quantum key management center provides B with: quantum session key Ks, key identification K ID _B, calling terminal identification, new quantum symmetric key K B _new, optionally , and also provide session identification and/or new key identification K ID _B_new and/or timestamp or sequence number and other information.
  • the quantum key management center uses K B or the symmetric key K B ' derived based on K B , for Ks, and, optionally, for K B _new, K ID _B_new and other related information are encrypted and/or integrity protected to obtain integrity protected verification results, such as HMAC B.
  • the quantum key management center sends the newly generated quantum symmetric key, and, optionally, key identification and other information to the calling terminal A through the key response message.
  • Response messages include: Msg_A, HMAC A , Msg_B, HMAC B , etc.
  • Msg_A contains relevant information such as K A _new, K ID _A_new, Ks, timestamp or serial number after security protection
  • Msg_B contains K B _new, K ID _B_new, Ks, timestamp or serial number after security protection and other related information.
  • Step 6 The calling terminal A uses KA or the symmetric key KA ' derived based on KA to decrypt Msg_A, and obtains the new quantum symmetric key KA _new generated by the quantum key management center, and optionally Ground, obtain relevant information such as key identification K ID _A_new, Ks, timestamp or serial number, and securely store the relevant quantum key, thereby supplementing the pre-shared quantum symmetric key. If Msg_A contains a timestamp or sequence number, the calling terminal A can verify the freshness of the key response message Msg_A.
  • step 7 The calling terminal A returns a message to the subkey management center, which carries K ID _A_new. Optionally, it also carries information such as a timestamp or sequence number to confirm that K A _new has been successfully received.
  • the message can be secured based on KA or KA '. Afterwards, the calling terminal A and the quantum key management center destroy the used K A.
  • step 7 the quantum key management center will destroy the used KA after step 5, and the calling terminal A will destroy the used KA after step 6.
  • Step 8 The calling terminal A sends the session key to the called terminal B.
  • the message carries the relevant information provided by the quantum key management center to the called terminal B, including Msg_B, HMAC B , etc.
  • Step 9 The called terminal B uses K B or the symmetric key K B ' derived based on K B to decrypt Msg_B, and obtains the new quantum symmetric keys K B _new and Ks generated by the quantum key management center.
  • Relevant information such as key identification K ID _B_new, timestamp or serial number is also obtained, and the relevant quantum key is securely stored, thereby supplementing the pre-shared quantum symmetric key. If Msg_B contains a timestamp or sequence number, the called terminal B can verify the freshness of the key response message Msg_B.
  • step 10 The called terminal B returns a message to the subkey management center, which carries K ID _B_new. Optionally, it also carries information such as a timestamp or sequence number to confirm that K B _new has been successfully received. The message can be secured based on K B or K B '. Afterwards, the called terminal B and the quantum key management center destroy the used K B.
  • step 10 the quantum key management center will destroy the used K B after step 5, and the called terminal B will destroy the used K B after step 9.
  • Step 11 The called terminal B returns a session key confirmation message and confirms to the calling terminal A that the quantum session key Ks has been successfully received.
  • Step 12 The calling terminal A confirms that the called terminal B has successfully obtained the quantum session key Ks.
  • Step 13 The calling terminal A and the called terminal B use Ks to encrypt and protect the voice information exchanged between the users, and start the encrypted call. After the call ends, the calling and called terminals destroy the quantum session key Ks used this time.
  • the disclosed embodiments can be applied to encrypted voice and/or video calls, encrypted short messages, encrypted instant messages, encrypted voice and/or videos, encrypted intercom messages, encrypted emails, etc.
  • Various secure communication services based on quantum keys The above description only takes the quantum encrypted voice phone service as an example.
  • the quantum key management center described here can refer to a unified quantum key management platform that provides unified key management services for a variety of different businesses, or it can be a key management platform for a specific business, such as quantum VoLTE.
  • a key management platform for encrypted call services specifically providing key management services for quantum VoLTE encrypted call services.
  • the quantum symmetric key shared between the quantum key management center and the terminal plays a role in the interaction between the terminal and the quantum key management center during the secure communication process (such as session identification, quantum session key Ks,
  • the new quantum symmetric key K A _new and/or K B _new, key identification K ID _A_new/K ID _B_new, etc.) perform security protection functions such as encryption, integrity protection, source authentication, etc., so the shared symmetric key also It can be called a basic key, a working key, a key protection key, an authentication key or an access key, etc.
  • the disclosed embodiments are also applicable to secure communication services carried out by multiple terminals, meeting the needs of secure multi-party calls, secure voice and/or video conferencing, and secure group messages. , confidential multi-party intercom and other business applications.
  • the quantum key management center should newly generate a quantum symmetric key based on the quantum symmetric key currently in use and shared with each terminal, optionally, the newly distributed quantum key identification and related information, Perform encryption protection, and then send the encrypted and protected new quantum symmetric key and related information to each terminal through the terminal that initiated the key request. They can be sent together or separately. Subsequently, each terminal decrypts and obtains the newly generated quantum symmetric key.
  • the disclosed embodiments can enable devices with a small number of local quantum symmetric key storage to meet the long-term needs of users by supplementing the quantum symmetric key without expanding the storage space of the device's security medium. Or the need for frequent quantum secure communication services, it is suitable for equipment with small security medium storage space, which can reduce equipment costs. Furthermore, the use of time stamp or sequence number mechanisms in quantum key management related messages can resist replay attacks by attackers on quantum keys.
  • the embodiment of the present disclosure also provides a key management device, which is provided on the first device.
  • the device includes:
  • the first receiving unit 601 is used to receive the first message sent by the second device
  • Execution unit 602 configured to perform operations related to the first message, and obtain at least one of the following: a first key, a second key, and a third key;
  • the first sending unit 603 is used to send at least one of the first key, the second key and the third key to the second device.
  • the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
  • the first sending unit 603 sends the first key to the second device, including:
  • the fourth key is a shared key between the first device and the second device.
  • the execution unit 602 obtains the first key, including:
  • the first sending unit 603 sends the first key to the second device, including:
  • the device further includes:
  • the first storage unit is used to store the first key and/or the corresponding first identification.
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • the first sending unit 603 sends the second key to the second device, including:
  • the fifth key is a shared key between the first device and the third device.
  • the method further includes:
  • the third sending unit is used to send the second key to the third device.
  • the third sending unit sends the second key to the third device, including:
  • the fifth key is a shared key between the first device and the third device.
  • the execution unit 602 obtains the second key, including:
  • the first sending unit 603 sends the second key to the second device and/or the third device, including:
  • the device further includes:
  • the second storage unit is used to store the second key and/or the corresponding second identification.
  • the third key is used for secure communication between the second device and the third device.
  • the first sending unit 603 sends the third key to the second device, including:
  • the fourth key is a shared key between the first device and the second device
  • the fifth key is a shared key between the first device and the third device.
  • the device further includes:
  • the fourth sending unit is used to send the third key to the third device.
  • the fourth sending unit sends the third key to the third device, including:
  • the fifth key is a shared key between the first device and the third device.
  • the execution unit 602 obtains the third key, including:
  • the first sending unit 603 sends the third key to the second device and/or the third device, including:
  • the device further includes:
  • the third storage unit is used to store the third key and/or the corresponding third identification.
  • the message sent by the first device carries a timestamp.
  • the first sending unit 601, the first receiving unit 603, the third sending unit and the fourth sending unit can be implemented by the communication interface in the key management device; the execution unit 602, the first storage unit, the third sending unit The second storage unit and the third storage unit may be implemented by a processor in the key management device.
  • the embodiment of the present disclosure also provides a key management device, which is provided on the second device.
  • the device includes:
  • the second sending unit 701 is used to send the first message to the first device
  • the second receiving unit 702 is configured to receive at least one of the first key, the second key and the third key sent by the first device.
  • the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
  • the second receiving unit 702 receives the first key sent by the first device, including:
  • the fourth key is used to decrypt the securely protected first key.
  • the second receiving unit 702 receives the first key sent by the first device, including:
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • the second receiving unit 702 receives the second key sent by the first device, including:
  • the second key that is securely protected using the fifth key is sent to the third device.
  • the device further includes:
  • the fifth sending unit is used to send the second key and/or the corresponding second identification to the third device.
  • the third key is used for secure communication between the second device and the third device.
  • the second receiving unit 702 receives the third key sent by the first device, including:
  • the fourth key is a shared key between the first device and the second device
  • the fifth key is a shared key between the first device and the third device.
  • the second receiving unit 702 receives the third key, including:
  • the message sent by the second device carries a timestamp.
  • the second sending unit 701, the second receiving unit 702 and the fifth sending unit may be implemented by the communication interface in the key management device.
  • the embodiment of the present disclosure also provides a key management device, which is provided on the third device.
  • the device includes:
  • the third receiving unit 801 is configured to receive at least one of the first key, the second key and the third key sent by the first device and/or the second device.
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • the third receiving unit 801 receives the second key sent by the first device and/or the second device, including:
  • the fifth key is a shared key between the first device and the third device.
  • the third receiving unit 801 receives the second key, including:
  • the third key is used for secure communication between the second device and the third device.
  • the third receiving unit 801 receives the third key sent by the second device, including:
  • the fifth key is a shared key between the first device and the third device.
  • the third receiving unit 801 receives the third key sent by the first device, including:
  • the fifth key is a shared key between the first device and the third device.
  • the third receiving unit 801 receives the third key, including:
  • the device further includes:
  • the sixth sending unit is used to send the second message to the first device; wherein,
  • the second message is used to return the result of key reception.
  • the message sent by the third device carries a timestamp.
  • the third receiving unit 803 and the sixth sending unit may be implemented by the communication interface in the key management device.
  • the key management device provided in the above embodiment performs key management
  • only the division of the above program modules is used as an example.
  • the above processing can be allocated to different modules as needed.
  • the program module is completed, that is, the internal structure of the device is divided into different program modules to complete all or part of the processing described above.
  • the key management device and the key management method embodiments provided in the above embodiments belong to the same concept. Please refer to the method embodiments for the specific implementation process, which will not be described again here.
  • the embodiment of the present disclosure also provides a first device.
  • the first device 900 includes:
  • the first communication interface 901 is capable of information exchange with other network nodes;
  • the first processor 902 is connected to the first communication interface 901 to implement information interaction with other network nodes, and is used to execute the method provided by one or more technical solutions on the first device side when running a computer program.
  • the computer program is stored on the first memory 903 .
  • the first communication interface 901 is used to receive the first message sent by the second device;
  • the first processor 902 is configured to perform operations related to the first message and obtain at least one of the following: a first key, a second key, and a third key;
  • the first communication interface 901 is also used to send at least one of the first key, the second key and the third key to the second device.
  • the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
  • the first communication interface 901 is used to send the first key that is securely protected by using the fourth key to the second device; wherein,
  • the fourth key is a shared key between the first device and the second device.
  • the first processor 902 is used to obtain the first key and the corresponding first identification
  • the first communication interface 901 is used to send the first key and/or the corresponding first identification to the second device.
  • the first processor 902 is also configured to store the first key and/or the corresponding first identification.
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • the first communication interface 901 is used to send the second key that is securely protected by using the fifth key to the second device; wherein,
  • the fifth key is a shared key between the first device and the third device.
  • the first communication interface 901 is also used to send the second key to the third device.
  • the first communication interface 901 is used to send the second key that is securely protected by using the fifth key to the third device; wherein,
  • the fifth key is a shared key between the first device and the third device.
  • the first processor 902 is used to obtain the second key and the corresponding second identification
  • the first communication interface 901 is used to send the second key and/or the corresponding second identification to the second device and/or the third device.
  • the first processor 902 is also configured to store the second key and/or the corresponding second identification.
  • the third key is used for secure communication between the second device and the third device.
  • the first communication interface 901 is used to send the third key that is securely protected using the fourth key and the fifth key to the second device; wherein,
  • the fourth key is a shared key between the first device and the second device
  • the fifth key is a shared key between the first device and the third device.
  • the first communication interface 901 is also used to send the third key to the third device.
  • the first communication interface 901 is used to send the third key that is securely protected using the fifth key to the third device; wherein,
  • the fifth key is a shared key between the first device and the third device.
  • the first processor 902 is used to obtain the third key and the corresponding third identification
  • the first communication interface 901 is used to send the third key and/or the corresponding third identification to the second device and/or the third device.
  • the first processor 902 is also configured to store the third key and/or the corresponding third identification.
  • the message sent by the first device carries a timestamp.
  • bus system 904 is used to implement connection communication between these components.
  • the bus system 904 also includes a power bus, a control bus and a status signal bus.
  • various buses are labeled as bus system 904 in FIG. 9 .
  • the first memory 903 in the embodiment of the present disclosure is used to store various types of data to support the operation of the first device 900 .
  • Examples of such data include any computer program for operating on the first device 900 .
  • the methods disclosed in the above embodiments of the present disclosure may be applied to the first processor 902 or implemented by the first processor 902 .
  • the first processor 902 may be an integrated circuit chip with signal processing capabilities. During the implementation process, each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the first processor 902 .
  • the above-mentioned first processor 902 may be a general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the first processor 902 can implement or execute the disclosed methods, steps and logical block diagrams in the embodiments of the present disclosure.
  • a general-purpose processor may be a microprocessor or any conventional processor, etc.
  • the steps of the method disclosed in conjunction with the embodiments of the present disclosure can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium, and the storage medium is located in the first memory 903.
  • the first processor 902 reads the information in the first memory 903, and completes the steps of the foregoing method in combination with its hardware.
  • the first device 900 may be one or more application specific integrated circuits (Application Specific Integrated Circuits, ASICs), DSPs, programmable logic devices (Programmable Logic Device, PLD), Complex Programmable Logic Device (CPLD), Field-Programmable Gate Array (FPGA), general-purpose processor, controller, microcontroller (Micro Controller) Unit (MCU), microprocessor (Microprocessor), or other electronic components for executing the aforementioned method.
  • ASICs Application Specific Integrated Circuits
  • DSPs digital signal processor
  • PLD programmable logic devices
  • CPLD Complex Programmable Logic Device
  • FPGA Field-Programmable Gate Array
  • general-purpose processor controller
  • controller microcontroller (Micro Controller) Unit (MCU), microprocessor (Microprocessor), or other electronic components for executing the aforementioned method.
  • MCU microcontroller
  • Microprocessor Microprocessor
  • the embodiment of the disclosure also provides a second device.
  • the second device 1000 includes:
  • the second communication interface 1001 is capable of information exchange with other network nodes;
  • the second processor 1002 is connected to the second communication interface 1001 to implement information interaction with other network nodes, and is used to execute the method provided by one or more technical solutions on the second device side when running a computer program.
  • the computer program is stored on the second memory 1003 .
  • the second communication interface 1001 is used to send a first message to a first device; and to receive at least one of the first key, the second key and the third key sent by the first device. .
  • the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
  • the second communication interface 1001 is used to receive a first key sent by a first device and protected by a fourth key; wherein the fourth key is a combination of the first device and the second key.
  • the device s shared secret key;
  • the second processor 1002 is configured to use the fourth key to decrypt the securely protected first key.
  • the second communication interface 1001 is used to receive the first key and/or the corresponding first identification
  • the second processor 1002 is used to store the first key and/or the corresponding first identification.
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • the second communication interface 1001 is used to receive a second key sent by the first device and protected by using a fifth key; wherein the fifth key is a link between the first device and the third key.
  • the shared key of the three devices; the second key protected by the fifth key is sent to the third device.
  • the second communication interface 1001 is also used to send the second key and/or the corresponding second identification to the third device.
  • the third key is used for secure communication between the second device and the third device.
  • the second communication interface 1001 is used to receive the third key sent by the first device and protected by using the fourth key and the fifth key respectively;
  • the second processor 1002 is also configured to use the fourth key to decrypt the third key protected by the fourth key;
  • the second communication interface 1001 is used to send the third key protected by the fifth key to the third device; wherein,
  • the fourth key is a shared key between the first device and the second device
  • the fifth key is a shared key between the first device and the third device.
  • the second communication interface 1001 is used to receive and store the third key and/or the corresponding third identification.
  • the message sent by the second device carries a timestamp.
  • bus system 1004. is used to implement connection communication between these components.
  • the bus system 1004 also includes a power bus, a control bus and a status signal bus.
  • various buses are labeled as bus system 1004 in FIG. 10 .
  • the second memory 1003 in the embodiment of the present disclosure is used to store various types of data to support the operation of the second device 1000. Examples of such data include: any data used to operate on the second device 1000 any computer program.
  • the methods disclosed in the above embodiments of the present disclosure can be applied to the second processor 1002 or implemented by the second processor 1002 .
  • the second processor 1002 may be an integrated circuit chip with signal processing capabilities. During the implementation process, each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the second processor 1002 .
  • the above-mentioned second processor 1002 may be a general-purpose processor, a DSP, or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the second processor 1002 can implement or execute the disclosed methods, steps and logical block diagrams in the embodiments of the present disclosure.
  • a general-purpose processor may be a microprocessor or any conventional processor, etc.
  • the steps of the method disclosed in conjunction with the embodiments of the present disclosure can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium, and the storage medium is located in the second memory 1003.
  • the second processor 1002 reads the information in the second memory 1003, and completes the steps of the foregoing method in combination with its hardware.
  • the second device 1000 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general processors, controllers, MCUs, Microprocessors, or other electronic components for performing the foregoing method.
  • the embodiment of the disclosure also provides a third device.
  • the third device 1100 includes:
  • the third communication interface 1101 is capable of information exchange with other network nodes
  • the third processor 1102 is connected to the third communication interface 1101 to implement information interaction with other network nodes, and is used to execute the method provided by one or more technical solutions on the third device side when running a computer program.
  • the computer program is stored on the third memory 1103 .
  • the third communication interface 1101 is used to receive at least one of the first key, the second key and the third key sent by the first device and/or the second device.
  • the second key is used for security between the first device and the third device. communications, or secure storage of local information for third devices.
  • the third communication interface 1101 is used to receive the second key sent by the first device and/or the second device and protected by using the fifth key; wherein,
  • the fifth key is a shared key between the first device and the third device.
  • the third communication interface 1101 is used to receive and store the second key and/or the corresponding second identification.
  • the third key is used for secure communication between the second device and the third device.
  • the third communication interface 1101 is used to receive the third key sent by the second device and protected by the fifth key security
  • the third processor 1102 is configured to use the fifth key to decrypt the third key securely protected by the fifth key; wherein,
  • the fifth key is a shared key between the first device and the third device.
  • the third communication interface 1101 is used to receive the third key sent by the first device and protected by the fifth key;
  • the third processor 1102 is configured to use the fifth key to decrypt the third key securely protected by the fifth key; wherein,
  • the fifth key is a shared key between the first device and the third device.
  • the third communication interface 1101 is used to receive the third key and/or the corresponding third identification
  • the third processor 1102 is used to store the third key and/or the corresponding third identification.
  • the third communication interface 1101 is also used to send the second message to the first device; wherein,
  • the second message is used to return the result of key reception.
  • the message sent by the third device carries a timestamp.
  • bus System 1104 includes a power bus, a control bus, and a status signal bus in addition to a data bus.
  • bus system 1104 includes a power bus, a control bus, and a status signal bus in addition to a data bus.
  • bus system 1104 includes a power bus, a control bus, and a status signal bus in addition to a data bus.
  • bus system 1104 includes a power bus, a control bus, and a status signal bus in addition to a data bus.
  • the various buses are labeled bus system 1104 in FIG. 11 .
  • the third memory 1103 in the embodiment of the present disclosure is used to store various types of data to support the operation of the third device 1100. Examples of such data include: any computer program for operating on the third device 1100 .
  • the methods disclosed in the above embodiments of the present disclosure can be applied to the third processor 1102 or implemented by the third processor 1102 .
  • the third processor 1102 may be an integrated circuit chip with signal processing capabilities. During the implementation process, each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the third processor 1102 .
  • the above-mentioned third processor 1102 may be a general-purpose processor, a DSP, or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the third processor 1102 can implement or execute the disclosed methods, steps and logical block diagrams in the embodiments of the present disclosure.
  • a general-purpose processor may be a microprocessor or any conventional processor, etc.
  • the steps of the method disclosed in conjunction with the embodiments of the present disclosure can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium, and the storage medium is located in the third memory 1103.
  • the third processor 1102 reads the information in the third memory 1103, and completes the steps of the foregoing method in combination with its hardware.
  • the third device 1100 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general processors, controllers, MCUs, Microprocessors, or other electronic components for performing the foregoing method.
  • the memory in the embodiment of the present disclosure can be a volatile memory or a non-volatile memory, and can also include volatile and non-volatile memories. Both. Among them, the non-volatile memory can be read-only memory (Read Only Memory, ROM), programmable read-only memory (Programmable Read-Only Memory, PROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory).
  • ROM Read Only Memory
  • PROM Programmable Read-Only Memory
  • Erasable Programmable Read-Only Memory Erasable Programmable Read-Only Memory
  • EPROM electrically erasable programmable read-only memory
  • EEPROM Electrically Erasable Programmable Read-Only Memory
  • FRAM ferromagnetic random access memory
  • Flash Memory magnetic surface memory
  • optical disk optical disk
  • CD Compact Disc Read-Only Memory
  • magnetic surface memory can be disk memory or tape memory.
  • the volatile memory may be random access memory (RAM), which is used as an external cache.
  • RAM Random Access Memory
  • SRAM Static Random Access Memory
  • SSRAM Synchronous Static Random Access Memory
  • DRAM Dynamic Random Access Memory
  • SDRAM Synchronous Dynamic Random Access Memory
  • DDRSDRAM Double Data Rate Synchronous Dynamic Random Access Memory
  • ESDRAM Enhanced Enhanced Synchronous Dynamic Random Access Memory
  • SLDRAM SyncLink Dynamic Random Access Memory
  • DRRAM Direct Rambus Random Access Memory
  • the embodiment of the present disclosure also provides a storage medium, that is, a computer storage medium, specifically a computer-readable storage medium, such as a first memory 903 that stores a computer program.
  • the computer program can be stored in a first device.
  • the first processor 902 of 900 executes to complete the steps described in the foregoing first device-side method.
  • Another example includes a second memory 1003 that stores a computer program.
  • the computer program can be executed by the second processor 1002 of the second device 1000 to complete the steps described in the second device-side method.
  • Another example includes a third memory 1103 that stores a computer program.
  • the computer program can be executed by the third processor 1102 of the third device 1100 to complete the steps described in the third device-side method.
  • the computer-readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disk, or CD-ROM etc. memory.
  • a and/or B can mean: A exists alone, A and B exist simultaneously, and they exist alone. B these three situations.
  • at least one in this article means any one of a plurality or any combination of at least two of a plurality, for example, including at least one of A, B, and C, which can mean including from A, Any one or more elements selected from the set composed of B and C.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Provided in the present disclosure are a key management method and apparatus, and a device and a storage medium. The method comprises: a first device receiving a first message, which is sent by a second device; executing an operation related to the first message, and obtaining at least one of the following: a first key, a second key, and a third key; and sending at least one of the first key, the second key and the third key to the second device.

Description

密钥管理方法、装置、设备及存储介质Key management method, device, equipment and storage medium
相关申请的交叉引用Cross-references to related applications
本公开主张在2022年07月15日在中国提交的中国专利申请No.202210837670.3的优先权,其全部内容通过引用包含于此。This disclosure claims priority to Chinese Patent Application No. 202210837670.3 filed in China on July 15, 2022, the entire content of which is incorporated herein by reference.
技术领域Technical field
本公开涉及通信技术领域,尤其涉及一种密钥管理方法、装置、设备及存储介质。The present disclosure relates to the field of communication technology, and in particular, to a key management method, device, equipment and storage medium.
背景技术Background technique
密钥技术是目前通信领域中为了保护传输内容的安全常用的技术手段,包括对称密钥、非对称密钥等。可以理解的是,密钥具有时效性,需要不断的更新才能确保密钥的新鲜,以保证通信的安全。但目前密钥更新的方式较为复杂,因此如何能够及时有效、简单地进行密钥更新是当下亟待解决的问题。Key technology is a commonly used technical means in the current communication field to protect the security of transmission content, including symmetric keys, asymmetric keys, etc. It is understandable that keys are time-sensitive and require constant updating to ensure the freshness of keys and the security of communications. However, the current key update method is relatively complicated, so how to update the key in a timely, effective and simple manner is an urgent problem that needs to be solved.
发明内容Contents of the invention
为解决相关技术问题,本公开实施例提供一种密钥管理方法、装置、设备及存储介质。In order to solve related technical problems, embodiments of the present disclosure provide a key management method, device, equipment and storage medium.
本公开实施例的技术方案是这样实现的:The technical solution of the embodiment of the present disclosure is implemented as follows:
本公开实施例提供了一种密钥管理方法,应用于第一设备,包括:The embodiment of the present disclosure provides a key management method, applied to the first device, including:
接收第二设备发送的第一消息;receiving the first message sent by the second device;
执行与第一消息相关的操作,并获得以下中的至少一种:第一密钥、第二密钥以及第三密钥;Perform an operation related to the first message, and obtain at least one of the following: a first key, a second key, and a third key;
将第一密钥、第二密钥以及第三密钥中的至少一个发送给第二设备。At least one of the first key, the second key, and the third key is sent to the second device.
本公开实施例还提供了一种密钥管理方法,应用于第二设备,包括:The embodiment of the present disclosure also provides a key management method, applied to the second device, including:
向第一设备发送的第一消息; a first message sent to the first device;
接收第一设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。Receive at least one of the first key, the second key and the third key sent by the first device.
本公开实施例还提供了一种密钥管理方法,应用于第三设备,包括:Embodiments of the present disclosure also provide a key management method, applied to a third device, including:
接收第一设备和/或第二设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。Receive at least one of the first key, the second key and the third key sent by the first device and/or the second device.
本公开实施例还提供了一种密钥管理装置,包括:An embodiment of the present disclosure also provides a key management device, including:
第一接收单元,用于接收第二设备发送的第一消息;A first receiving unit configured to receive the first message sent by the second device;
执行单元,用于执行与第一消息相关的操作,并获得以下中的至少一种:第一密钥、第二密钥以及第三密钥;An execution unit, configured to perform operations related to the first message and obtain at least one of the following: a first key, a second key, and a third key;
第一发送单元,用于将第一密钥、第二密钥以及第三密钥中的至少一个发送给第二设备。The first sending unit is used to send at least one of the first key, the second key and the third key to the second device.
本公开实施例还提供了一种密钥管理装置,包括:An embodiment of the present disclosure also provides a key management device, including:
第二发送单元,用于向第一设备发送的第一消息;The second sending unit is used to send the first message to the first device;
接收第一设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。Receive at least one of the first key, the second key and the third key sent by the first device.
本公开实施例还提供了一种密钥管理装置,包括:An embodiment of the present disclosure also provides a key management device, including:
第二接收单元,用于接收第一设备和/或第二设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。The second receiving unit is configured to receive at least one of the first key, the second key and the third key sent by the first device and/or the second device.
本公开实施例还提供了一种第一设备,包括:第一处理器及第一通信接口;其中,An embodiment of the present disclosure also provides a first device, including: a first processor and a first communication interface; wherein,
所述第一通信接口,用于接收第二设备发送的第一消息;The first communication interface is used to receive the first message sent by the second device;
所述第一处理器,用于执行与第一消息相关的操作,并获得以下中的至少一种:第一密钥、第二密钥以及第三密钥;The first processor is configured to perform operations related to the first message and obtain at least one of the following: a first key, a second key, and a third key;
所述第一通信接口,还用于将第一密钥、第二密钥以及第三密钥中的至少一个发送给第二设备。The first communication interface is also used to send at least one of the first key, the second key and the third key to the second device.
本公开实施例还提供了一种第二设备,包括:第二处理器及第二通信接 口;其中,An embodiment of the present disclosure also provides a second device, including: a second processor and a second communication interface mouth; among them,
所述第二通信接口,用于向第一设备发送的第一消息;以及接收第一设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。The second communication interface is used to send a first message to the first device; and to receive at least one of the first key, the second key and the third key sent by the first device.
本公开实施例还提供了一种第三设备,包括:第三处理器及第三通信接口;其中,Embodiments of the present disclosure also provide a third device, including: a third processor and a third communication interface; wherein,
所述第三通信接口,用于接收第一设备和/或第二设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。The third communication interface is used to receive at least one of the first key, the second key and the third key sent by the first device and/or the second device.
本公开实施例还提供了一种第一设备,包括:第一处理器和用于存储能够在处理器上运行的计算机程序的第一存储器,An embodiment of the present disclosure also provides a first device, including: a first processor and a first memory for storing a computer program capable of running on the processor,
其中,所述第一处理器用于运行所述计算机程序时,执行上述第一设备侧任一方法的步骤。Wherein, the first processor is configured to execute the steps of any method on the first device side when running the computer program.
本公开实施例还提供了一种第二设备,包括:第二处理器和用于存储能够在处理器上运行的计算机程序的第二存储器,An embodiment of the present disclosure also provides a second device, including: a second processor and a second memory for storing a computer program capable of running on the processor,
其中,所述第二处理器用于运行所述计算机程序时,执行上述第二设备侧任一方法的步骤。Wherein, the second processor is configured to execute the steps of any method on the second device side when running the computer program.
本公开实施例还提供了一种第三设备,包括:第三处理器和用于存储能够在处理器上运行的计算机程序的第三存储器,Embodiments of the present disclosure also provide a third device, including: a third processor and a third memory for storing a computer program capable of running on the processor,
其中,所述第三处理器用于运行所述计算机程序时,执行上述第三设备侧任一方法的步骤。Wherein, the third processor is configured to execute the steps of any method on the third device side when running the computer program.
本公开实施例还提供了一种存储介质,其上存储有计算机程序,所述计算机程序被处理器执行时实现上述第一设备侧任一方法的步骤,或者实现上述第二设备侧任一方法的步骤,或者实现上述第三设备侧任一方法的步骤。Embodiments of the present disclosure also provide a storage medium on which a computer program is stored. When the computer program is executed by a processor, the steps of any method on the first device side are implemented, or any method on the second device side is implemented. or implement any of the above methods on the third device side.
本公开实施例提供的密钥管理方法、装置、设备及存储介质中,第一设备接收第二设备发送的第一消息;执行与第一消息相关的操作,并获得以下中的至少一种:第一密钥、第二密钥以及第三密钥;将第一密钥、第二密钥以及第三密钥中的至少一个发送给第二设备。基于上述方案,第一设备在执 行第一消息相关操作的同时,为第二设备生成密钥,从而在无需第二设备增加安全介质的存储空间的同时,能够及时补充新的密钥,低成本并高效地保证了第二设备始终预置充足的密钥。In the key management method, device, equipment and storage medium provided by the embodiments of the present disclosure, the first device receives the first message sent by the second device; performs operations related to the first message, and obtains at least one of the following: The first key, the second key and the third key; sending at least one of the first key, the second key and the third key to the second device. Based on the above solution, the first device performs While performing operations related to the first message, a key is generated for the second device. This eliminates the need for the second device to increase the storage space of the secure medium and can promptly replenish new keys, ensuring that the second device secures the security of the second device in a low-cost and efficient manner. Always provision sufficient keys.
附图说明Description of drawings
图1为本公开实施例一种密钥管理方法流程示意图;Figure 1 is a schematic flow chart of a key management method according to an embodiment of the present disclosure;
图2为本公开实施例另一种密钥管理方法流程示意图;Figure 2 is a schematic flow chart of another key management method according to an embodiment of the present disclosure;
图3为本公开实施例第三种密钥管理方法流程示意图;Figure 3 is a schematic flow chart of a third key management method according to an embodiment of the present disclosure;
图4为本公开应用实施例一种密钥管理方法交互流程示意图;Figure 4 is a schematic diagram of the interaction flow of a key management method according to an application embodiment of the present disclosure;
图5为本公开应用实施例另一种密钥管理方法交互流程示意图;Figure 5 is a schematic diagram of the interaction flow of another key management method according to an application embodiment of the present disclosure;
图6为本公开实施例一种密钥管理装置结构示意图;Figure 6 is a schematic structural diagram of a key management device according to an embodiment of the present disclosure;
图7为本公开实施例另一种密钥管理装置结构示意图;Figure 7 is a schematic structural diagram of another key management device according to an embodiment of the present disclosure;
图8为本公开实施例第三种密钥管理装置结构示意图;Figure 8 is a schematic structural diagram of a third key management device according to an embodiment of the present disclosure;
图9为本公开实施例第一设备结构示意图;Figure 9 is a schematic structural diagram of the first equipment according to the embodiment of the present disclosure;
图10为本公开实施例第二设备结构示意图;Figure 10 is a schematic structural diagram of the second equipment according to the embodiment of the present disclosure;
图11为本公开实施例第三设备结构示意图。Figure 11 is a schematic structural diagram of a third device according to an embodiment of the present disclosure.
具体实施方式Detailed ways
目前密钥更新的方式较为复杂:一般来说,各个通信设备会存储一定量的密钥,用于与对端进行安全通信或用于本地信息安全存储。由于密钥具有时效性,且设备预先存储的一定量密钥随着使用会逐渐被消耗,因此需要定期或不定期地进行密钥更新。然而,相关技术中的密钥更新方式需要设置额外的密钥更新流程,且密钥更新的流程本身也需要消耗预先存储的密钥,因此增加了设备密钥更新的成本以及信息交互的开销。The current key update method is relatively complex: generally speaking, each communication device stores a certain amount of keys for secure communication with the peer or for secure storage of local information. Since keys are time-sensitive and a certain amount of keys pre-stored by the device will be gradually consumed with use, keys need to be updated regularly or irregularly. However, the key update method in the related art requires setting up an additional key update process, and the key update process itself also requires consuming pre-stored keys, thus increasing the cost of device key update and the overhead of information interaction.
对于普通密钥而言,相关技术中密钥更新技术的成本较高,对于量子密钥而言,该问题尤为突出。For ordinary keys, the cost of key update technology in related technologies is relatively high. For quantum keys, this problem is particularly prominent.
量子密钥是指:基于量子力学基本原理,通过量子随机数发生器产生的量子密钥,或者,通过量子密钥分发(Quantum Key Distribution,QKD)网 络协商生成的量子密钥具有内禀随机性和不可复制性,因此,量子密钥比物理噪声源、伪随机等传统方式产生的密钥更加安全,难以被攻击者破解。相比于传统密钥,在保密通信系统中使用量子密钥能够确保密钥的安全性,提高系统的整体安全水平。Quantum key refers to: a quantum key generated by a quantum random number generator based on the basic principles of quantum mechanics, or through the Quantum Key Distribution (QKD) network The quantum keys generated by network negotiation are inherently random and non-replicable. Therefore, quantum keys are more secure than keys generated by traditional methods such as physical noise sources and pseudo-randomness, and are difficult to be cracked by attackers. Compared with traditional keys, the use of quantum keys in secure communication systems can ensure the security of the keys and improve the overall security level of the system.
在量子保密通信系统中,参与通信的多方设备需要通过协商获取一致的量子密钥,用于对用户之间传递的数据信息进行加密保护,防止攻击者对信息内容发起非法窃听、篡改、重放等攻击,造成信息泄露。由于终端设备一般不具备产生量子密钥的能力,因此,量子密钥通信由量子密钥管理中心产生,再分发给终端设备使用。通常,量子密钥管理中心采用离线灌装的方式将量子对称密钥置于终端设备的安全介质和/或安全存储空间之中,终端可使用预置的量子对称密钥来安全接入量子密钥管理中心,并实现安全通信。例如,基于预置的量子对称密钥实现设备身份认证、消息加密、完整性保护、源认证等。In a quantum secure communication system, multiple devices participating in the communication need to obtain a consistent quantum key through negotiation, which is used to encrypt and protect the data information transmitted between users to prevent attackers from illegally eavesdropping, tampering, and replaying the information content. and other attacks, causing information leakage. Since terminal devices generally do not have the ability to generate quantum keys, quantum key communications are generated by the quantum key management center and then distributed to terminal devices for use. Usually, the quantum key management center uses offline filling to place the quantum symmetric key in the secure medium and/or secure storage space of the terminal device. The terminal can use the preset quantum symmetric key to securely access the quantum key. key management center and achieve secure communication. For example, device identity authentication, message encryption, integrity protection, source authentication, etc. are implemented based on preset quantum symmetric keys.
为了确保终端与量子密钥管理中心通信时的信息安全,预置的量子对称密钥是一次性的,使用完毕后即被销毁。因此,每一次安全通信都将消耗一个预置的量子对称密钥,直至终端侧预置的量子对称密钥消耗殆尽。为了满足用户长期或频繁的量子保密通信应用需求,终端设备需要能够预先存储大量的量子对称密钥。然而,终端设备本地安全介质的存储空间有限,一次灌装所能容纳的量子对称密钥数量有限,若要扩大终端设备安全介质的存储空间,实现量子对称密钥的大量存储,会导致终端成本数量级的增加。如果终端设备预置的量子对称密钥的数量有限,又会迫使用户需要频繁前往量子密钥服务站点为终端离线加注量子对称密钥,降低了用户的应用体验。In order to ensure information security when the terminal communicates with the quantum key management center, the preset quantum symmetric key is one-time and will be destroyed after use. Therefore, each secure communication will consume a preset quantum symmetric key until the preset quantum symmetric key on the terminal side is exhausted. In order to meet users' long-term or frequent quantum secure communication application requirements, terminal equipment needs to be able to store a large number of quantum symmetric keys in advance. However, the storage space of the local security medium of the terminal device is limited, and the number of quantum symmetric keys that can be accommodated in one filling is limited. To expand the storage space of the security medium of the terminal device and achieve large-scale storage of quantum symmetric keys will lead to terminal costs. An order of magnitude increase. If the number of preset quantum symmetric keys on the terminal device is limited, users will be forced to frequently go to the quantum key service site to refill the quantum symmetric key offline for the terminal, which reduces the user's application experience.
基于此,本公开各实施例中,第一设备接收第二设备发送的第一消息;执行与第一消息相关的操作,并获得以下中的至少一种:第一密钥、第二密钥以及第三密钥;将第一密钥、第二密钥以及第三密钥中的至少一个发送给第二设备。基于上述方案,第一设备在执行第一消息相关操作的同时,为第 二设备生成密钥,从而在无需第二设备增加安全介质的存储空间的同时,能够及时补充新的密钥,低成本并高效地保证了第二设备始终预置充足的密钥。Based on this, in various embodiments of the present disclosure, the first device receives the first message sent by the second device; performs operations related to the first message, and obtains at least one of the following: a first key, a second key and a third key; sending at least one of the first key, the second key, and the third key to the second device. Based on the above solution, while performing the first message-related operation, the first device The second device generates the key, thereby eliminating the need for the second device to increase the storage space of the secure medium and simultaneously replenishing new keys in a timely manner. This low-cost and efficient method ensures that the second device is always preset with sufficient keys.
下面结合附图及实施例对本公开再作进一步详细的描述。The present disclosure will be described in further detail below with reference to the accompanying drawings and embodiments.
本公开实施例提供了一种密钥管理方法,应用于第一设备,参照图1,该方法包括:An embodiment of the present disclosure provides a key management method, applied to a first device. Referring to Figure 1, the method includes:
步骤101:接收第二设备发送的第一消息。Step 101: Receive the first message sent by the second device.
这里,第一设备可以是密钥管理中心,也可以是QKD网络的密钥管理器(Key Manager,KM)。实际应用时,第一设备可以为统一的安全服务平台、密钥管理系统或密钥管理中心等,用于为多种不同业务提供统一的密钥管理服务;也可以为某种具体业务的密钥管理平台、密钥管理系统、密钥管理中心或密钥管理服务器,例如,第一设备可以为长期演进语音承载(Voice over Long-Term Evolution,VoLTE)加密通话业务的密钥管理平台,用于专门为VoLTE加密通话业务提供密钥管理服务,可以为加密消息业务的密钥管理平台,用于专门为短消息、第五代移动通信技术(5th Generation Mobile Communication Technology,5G)消息、融合通信(Rich Communication Suite,RCS)消息、即时消息等消息通信业务提供密钥管理服务。Here, the first device may be a key management center or a key manager (Key Manager, KM) of the QKD network. In actual application, the first device can be a unified security service platform, key management system or key management center, etc., used to provide unified key management services for a variety of different businesses; it can also be a key management device for a specific business. Key management platform, key management system, key management center or key management server. For example, the first device can be a key management platform for long-term evolution voice bearer (Voice over Long-Term Evolution, VoLTE) encrypted call service. It is specially designed to provide key management services for VoLTE encrypted call services, and can be used as a key management platform for encrypted message services, specifically for short messages, fifth generation mobile communication technology (5th Generation Mobile Communication Technology, 5G) messages, and integrated communications. (Rich Communication Suite, RCS) message, instant messaging and other message communication services provide key management services.
实际应用时,第一设备也可以称为密码安全服务中心、密码服务中心、安全服务中心或安全中心等。In actual application, the first device may also be called a password security service center, password service center, security service center or security center, etc.
需要说明的是,本公开实施例不仅适用于传统网络和/或系统使用普通密钥的场景,还可以适用于量子密钥的场景。容易理解地,在本公开实施例应用于量子密钥场景时,“密钥”可以进一步理解为“量子密钥”,“密码安全服务中心”可以进一步理解为“量子密码安全服务中心”,“密码服务中心”可以进一步理解为“量子密码服务中心”,“安全服务中心”可以进一步理解为“量子安全服务中心”,“安全中心”可以进一步理解为“量子安全中心”,诸如此类,不再赘述。It should be noted that the embodiments of the present disclosure are not only applicable to scenarios where traditional networks and/or systems use ordinary keys, but can also be applied to scenarios where quantum keys are used. It is easy to understand that when the embodiment of the present disclosure is applied to a quantum key scenario, "key" can be further understood as "quantum key", "cryptographic security service center" can be further understood as "quantum cryptographic security service center", " "Cryptographic Service Center" can be further understood as "Quantum Crypto Service Center", "Security Service Center" can be further understood as "Quantum Security Service Center", "Security Center" can be further understood as "Quantum Security Center", and so on, which will not be repeated. .
第二设备可以为终端设备,也可以为其他设备。例如,加密网关、加密 路由器、加密交换机等。可以是移动设备也可以是固定设备,可以是有线设备也可以是无线设备。The second device may be a terminal device or other devices. For example, encryption gateway, encryption Routers, encryption switches, etc. It can be a mobile device or a fixed device, a wired device or a wireless device.
第一消息可以为通信交互过程中的请求消息,例如查询请求、访问请求、更新请求、删除请求、接入请求、认证请求、鉴权请求、业务请求、密钥请求等,第一消息还可以为通信交互过程中的通知、响应、应答等其他消息。以上仅为举例,本公开实施例对第一消息的形式不做任何限定。The first message may be a request message during the communication interaction process, such as a query request, an access request, an update request, a deletion request, an access request, an authentication request, an authentication request, a service request, a key request, etc. The first message may also be It is notification, response, response and other messages during communication interaction. The above are only examples, and the embodiment of the present disclosure does not place any limitation on the form of the first message.
步骤102:执行与第一消息相关的操作,并获得以下中的至少一种:第一密钥、第二密钥以及第三密钥。Step 102: Perform an operation related to the first message, and obtain at least one of the following: a first key, a second key, and a third key.
步骤103:将第一密钥、第二密钥以及第三密钥中的至少一个发送给第二设备。Step 103: Send at least one of the first key, the second key and the third key to the second device.
这里,第一设备执行与第一消息相关的操作,可以理解为:当第一消息为请求消息时,第一设备执行相应的请求对应的操作。例如,第一消息用于请求查询信息1,那么第一设备执行对于信息1的查询操作;又例如,第一消息用于请求接入认证,那么第一设备执行对接入端的认证,包括第一设备对接入端进行认证,或者请求其他设备对接入端进行认证;当第一消息为通知消息时,第一设备执行相应的通知对应的操作。例如,第一设备存储相应的通知所告知的信息内容,或不进行操作,或向对端设备发送关于通知的确认响应等。当第一消息为响应消息或应答消息时,第一设备执行相应的响应或应答对应的操作。例如,第一设备向第二设备发送消息1,第二设备回复关于消息1的响应或应答,第一设备对该响应或应答进行处理,比如判断响应或应答的内容是否正确,再例如存储响应或应答的信息内容,再例如对响应或应答不做处理等。Here, the first device performs an operation related to the first message, which can be understood as: when the first message is a request message, the first device performs an operation corresponding to the corresponding request. For example, if the first message is used to request query information 1, then the first device performs a query operation for information 1; for another example, if the first message is used to request access authentication, then the first device performs authentication of the access end, including the first A device authenticates the access terminal, or requests other devices to authenticate the access terminal; when the first message is a notification message, the first device performs an operation corresponding to the corresponding notification. For example, the first device stores the information content informed by the corresponding notification, or does not perform an operation, or sends a confirmation response about the notification to the peer device, etc. When the first message is a response message or an answer message, the first device performs a corresponding response or an operation corresponding to the response. For example, the first device sends message 1 to the second device, and the second device replies with a response or response about message 1. The first device processes the response or response, such as determining whether the content of the response or response is correct, and for example, storing the response. Or the information content of the response, for example, no processing of the response or response, etc.
在步骤102中,并不限定“执行与第一消息相关的操作”与“获得以下中的至少一种:第一密钥、第二密钥以及第三密钥”之间执行的时间先后关系,而应理解为在接收到第一消息之后,第一设备要执行与第一消息相关的操作,以及还要获得对应的密钥。 In step 102, the execution time sequence between "performing the operation related to the first message" and "obtaining at least one of the following: the first key, the second key, and the third key" is not limited. , but it should be understood that after receiving the first message, the first device needs to perform operations related to the first message and also obtain the corresponding key.
这里,第一密钥可以由第一设备生成,也可以由第一设备从其他设备处获得,或者,也可以是由第一设备从其他设备处获得中间密钥或随机数,再给过第一设备的处理,得到第一密钥。Here, the first key may be generated by the first device, or may be obtained by the first device from other devices, or the first device may obtain an intermediate key or a random number from other devices, and then provide the first key to the first key. A device is processed to obtain the first key.
实际应用时,第一密钥可以是QKD网络提供的量子密钥,也可以是量子随机数发生器产生的量子随机数或量子密钥,也可以是物理噪声源产生的普通密钥,也可以是伪随机数发生器产生的普通密钥等。第一密钥可以是对称密钥,也可以是非对称密钥。当第一密钥为对称密钥时,第一设备除了要向第二设备发送第一密钥,还需要将第一密钥保存在本地,实现密钥共享。当第一密钥为非对称密钥时,第一密钥可以是公钥和/或私钥。In practical applications, the first key can be a quantum key provided by the QKD network, or a quantum random number or quantum key generated by a quantum random number generator, or an ordinary key generated by a physical noise source, or It is an ordinary key generated by a pseudo-random number generator, etc. The first key may be a symmetric key or an asymmetric key. When the first key is a symmetric key, in addition to sending the first key to the second device, the first device also needs to store the first key locally to achieve key sharing. When the first key is an asymmetric key, the first key may be a public key and/or a private key.
在一实施例中,第一密钥用于第一设备与第二设备之间的安全通信,或用于第二设备的本地信息的安全存储。In one embodiment, the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
这里,第一设备与第二设备之间的安全通信,可以理解为直接使用第一密钥对第一设备与第二设备之间交互的信息进行安全保护,或直接使用第一密钥对第一设备与第二设备双方进行身份认证,也可以理解为使用第一密钥进一步衍生出其他密钥,用于对第一设备与第二设备交互的信息进行安全保护,或用于第一设备与第二设备双方进行身份认证。其中,安全保护包括加密和/或完整性保护等。Here, the secure communication between the first device and the second device can be understood as directly using the first key to securely protect the information exchanged between the first device and the second device, or directly using the first key to securely protect the information exchanged between the first device and the second device. The identity authentication between one device and the second device can also be understood as using the first key to further derive other keys, which are used to securely protect the information interacted between the first device and the second device, or for the first device Perform identity authentication with the second device. Among them, security protection includes encryption and/or integrity protection, etc.
第二设备的本地信息的安全存储,可以理解为直接使用第一密钥或利用第一密钥衍生出的其他密钥,对第二设备的本地信息进行安全存储,例如加密和/或完整性保护等。The secure storage of the local information of the second device can be understood as the secure storage of the local information of the second device, such as encryption and/or integrity, by directly using the first key or other keys derived from the first key. Protection etc.
在一实施例中,将第一密钥发送给第二设备,包括:In one embodiment, sending the first key to the second device includes:
将利用第四密钥进行安全保护后的第一密钥发送给第二设备。The first key that is securely protected by the fourth key is sent to the second device.
其中,第四密钥为第一设备与第二设备的共享密钥。The fourth key is a shared key between the first device and the second device.
这里,第四密钥可以理解为第一设备与第二设备的共享密钥,例如对第一消息进行安全保护的密钥等。Here, the fourth key can be understood as a shared key between the first device and the second device, such as a key for security protection of the first message.
在一实施例中,获得第一密钥,包括: In one embodiment, obtaining the first key includes:
获得第一密钥及对应的第一标识;Obtain the first key and the corresponding first identifier;
将第一密钥发送给第二设备,包括:Send the first key to the second device, including:
将第一密钥和/或对应的第一标识发送给第二设备。Send the first key and/or the corresponding first identification to the second device.
在一实施例中,所述方法还包括:In one embodiment, the method further includes:
存储第一密钥和/或对应的第一标识。Store the first key and/or the corresponding first identification.
在一实施例中,第二密钥用于第一设备与第三设备之间进行安全通信,或用于第三设备的本地信息的安全存储。In one embodiment, the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
这里,第一设备与第三设备之间的安全通信,可以理解为直接使用第二密钥对第一设备与第三设备之间交互的信息进行安全保护,或直接使用第二密钥对第一设备与第三设备双方进行身份认证,也可以理解为使用第二密钥进一步衍生出其他密钥,用于对第一设备与第三设备交互的信息进行安全保护,或用于第一设备与第三设备双方进行身份认证。其中,安全保护包括加密和/或完整性保护等。Here, the secure communication between the first device and the third device can be understood as directly using the second key to securely protect the information exchanged between the first device and the third device, or directly using the second key to securely protect the third device. The identity authentication between the first device and the third device can also be understood as using the second key to further derive other keys, which are used to securely protect the information interacted between the first device and the third device, or for the first device Perform identity authentication on both sides with the third device. Among them, security protection includes encryption and/or integrity protection, etc.
实际应用时,第二密钥可以是QKD网络提供的量子密钥,也可以是量子随机数发生器产生的量子随机数或量子密钥,也可以是物理噪声源产生的普通密钥,也可以是伪随机数发生器产生的普通密钥等。第二密钥可以是对称密钥,也可以是非对称密钥。当第二密钥为对称密钥时,第一设备除了要向第三设备发送第二密钥,还需要将第二密钥保存在本地,实现密钥共享。当第二密钥为非对称密钥时,第二密钥可以是公钥和/或私钥。In actual application, the second key can be a quantum key provided by the QKD network, or a quantum random number or quantum key generated by a quantum random number generator, or an ordinary key generated by a physical noise source, or It is an ordinary key generated by a pseudo-random number generator, etc. The second key may be a symmetric key or an asymmetric key. When the second key is a symmetric key, in addition to sending the second key to the third device, the first device also needs to store the second key locally to achieve key sharing. When the second key is an asymmetric key, the second key may be a public key and/or a private key.
第三设备可以为终端设备,也可以为其他设备。例如,加密网关、加密路由器、加密交换机等。可以是移动设备也可以是固定设备,可以是有线设备也可以是无线设备。The third device may be a terminal device or other devices. For example, encryption gateway, encryption router, encryption switch, etc. It can be a mobile device or a fixed device, a wired device or a wireless device.
第三设备的本地信息的安全存储,可以理解为直接使用第二密钥或利用第二密钥衍生出的其他密钥,对第三设备的本地信息进行安全存储,例如加密和/或完整性保护等。The secure storage of the local information of the third device can be understood as the secure storage of the local information of the third device by directly using the second key or other keys derived from the second key, such as encryption and/or integrity. Protection etc.
在一实施例中,将第二密钥发送给第二设备,包括: In one embodiment, sending the second key to the second device includes:
将利用第五密钥进行安全保护后的第二密钥发送给第二设备。The second key that is securely protected using the fifth key is sent to the second device.
其中,第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
这里,第五密钥可以理解为第一设备与第三设备共享的密钥,因此,即使第二设备获得了第二密钥,但由于第二密钥是由第五密钥加密的,而第二设备无法获知第五密钥,因此保证了第二密钥传输的安全性。Here, the fifth key can be understood as the key shared by the first device and the third device. Therefore, even if the second device obtains the second key, since the second key is encrypted by the fifth key, The second device cannot learn the fifth key, thus ensuring the security of the transmission of the second key.
在一实施例中,所述方法还包括:In one embodiment, the method further includes:
向第三设备发送第二密钥。Send the second key to the third device.
在一实施例中,所述向第三设备发送第二密钥,包括:In one embodiment, sending the second key to the third device includes:
将利用第五密钥进行安全保护后的第二密钥发送给第三设备。The second key that is securely protected using the fifth key is sent to the third device.
其中,第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
在一实施例中,获得第二密钥,包括:In one embodiment, obtaining the second key includes:
获得第二密钥及对应的第二标识;Obtain the second key and the corresponding second identification;
将第二密钥发送给第二设备和/或第三设备,包括:Send the second key to the second device and/or the third device, including:
将第二密钥和/或对应的第二标识发送给第二设备和/或第三设备。Send the second key and/or the corresponding second identification to the second device and/or the third device.
在一实施例中,所述方法还包括:In one embodiment, the method further includes:
存储第二密钥和/或对应的第二标识。Store the second key and/or the corresponding second identification.
在一实施例中,第三密钥用于第二设备与第三设备之间进行安全通信。In one embodiment, the third key is used for secure communication between the second device and the third device.
这里,第二设备与第三设备之间的安全通信,可以理解为直接使用第三密钥对第二设备与第三设备之间交互的信息进行安全保护,或直接使用第三密钥对第二设备与第三设备双方进行身份认证,也可以理解为使用第三密钥进一步衍生出其他密钥,用于对第二设备与第三设备交互的信息进行安全保护,或用于第二设备与第三设备双方进行身份认证。其中,安全保护包括加密和/或完整性保护等。Here, the secure communication between the second device and the third device can be understood as directly using the third key to securely protect the information exchanged between the second device and the third device, or directly using the third key to securely protect the information exchanged between the second device and the third device. The identity authentication between the second device and the third device can also be understood as using the third key to further derive other keys, which are used to securely protect the information interacted between the second device and the third device, or for the second device Perform identity authentication on both sides with the third device. Among them, security protection includes encryption and/or integrity protection, etc.
在一实施例中,将第三密钥发送给第二设备,包括:In one embodiment, sending the third key to the second device includes:
将利用第四密钥和第五密钥分别进行安全保护后的第三密钥发送给第二设备。 The third key that is securely protected by using the fourth key and the fifth key is sent to the second device.
其中,第四密钥为第一设备与第二设备的共享密钥,第五密钥为第一设备与第三设备的共享密钥。The fourth key is a shared key between the first device and the second device, and the fifth key is a shared key between the first device and the third device.
这里,利用第四密钥和第五密钥分别对所述第三密钥进行安全保护,也就是,利用第四密钥对第三密钥进行安全保护得到第一信息,利用第五密钥对第三密钥进行安全保护得到第二信息,将第一和第二信息都发给第二设备,第二设备接收到之后可以利用共享的第四密钥对第一信息进行解密,获得第三密钥。同时第二设备将第二信息传输给第三设备。第三设备接收到第二信息后,可以利用共享的第五密钥对第二信息进行解密,从而获得第三密钥。Here, the fourth key and the fifth key are used to securely protect the third key, that is, the fourth key is used to securely protect the third key to obtain the first information, and the fifth key is used to securely protect the third key. Securely protect the third key to obtain the second information, and send both the first and second information to the second device. After receiving it, the second device can use the shared fourth key to decrypt the first information and obtain the second information. Three keys. At the same time, the second device transmits the second information to the third device. After receiving the second information, the third device can decrypt the second information using the shared fifth key, thereby obtaining the third key.
在一实施例中,所述方法还包括:In one embodiment, the method further includes:
向第三设备发送第三密钥。Send the third key to the third device.
在一实施例中,所述向第三设备发送第三密钥,包括:In one embodiment, sending the third key to the third device includes:
将利用第五密钥进行安全保护后的第三密钥发送给第三设备。The third key that is securely protected by the fifth key is sent to the third device.
其中,第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
在一实施例中,获得第三密钥,包括:In one embodiment, obtaining the third key includes:
获得第三密钥及对应的第三标识;Obtain the third key and the corresponding third identification;
将第三密钥发送给第二设备和/或第三设备,包括:Send the third key to the second device and/or the third device, including:
将第三密钥和/或对应的第三标识发送给第二设备和/或第三设备。Send the third key and/or the corresponding third identification to the second device and/or the third device.
实际应用时,第三密钥可以是QKD网络提供的量子密钥,也可以是量子随机数发生器产生的量子随机数或量子密钥,也可以是物理噪声源产生的普通密钥,也可以是伪随机数发生器产生的普通密钥等。第三密钥可以是对称密钥,也可以是非对称密钥。In practical applications, the third key can be a quantum key provided by the QKD network, or a quantum random number or quantum key generated by a quantum random number generator, or an ordinary key generated by a physical noise source, or It is an ordinary key generated by a pseudo-random number generator, etc. The third key may be a symmetric key or an asymmetric key.
在一实施例中,所述方法还包括:In one embodiment, the method further includes:
存储第三密钥和/或对应的第三标识。Store the third key and/or the corresponding third identification.
在一实施例中,第一设备发送的消息中携带时间戳。In one embodiment, the message sent by the first device carries a timestamp.
这里,在第一设备发送的消息中携带时间戳,该时间戳用于防止消息重放攻击,进一步地,在量子密钥管理相关消息中携带时间戳,可抵御攻击者 对于量子密钥的重放攻击。Here, a timestamp is carried in the message sent by the first device, and the timestamp is used to prevent message replay attacks. Furthermore, a timestamp is carried in the quantum key management related message to resist attackers. Replay attacks on quantum keys.
需要说明的是,这里,第一设备发送的消息,包括但不限于第一设备用于将第一密钥、第二密钥以及第三密钥中的至少一个发送给第二设备和/或第三设备的消息。第一设备发送的消息可以包括:由第一设备发出的、用于第一设备与第二设备、第三设备和/或其他设备之间进行交互的所有消息或部分消息。It should be noted that here, the message sent by the first device includes, but is not limited to, the first device is used to send at least one of the first key, the second key and the third key to the second device and/or Messages from the third device. The messages sent by the first device may include: all or part of the messages sent by the first device for interaction between the first device and the second device, the third device and/or other devices.
相应地,本公开实施例还提供了一种密钥管理方法,应用于第二设备,参照图2,该方法包括:Correspondingly, the embodiment of the present disclosure also provides a key management method, applied to the second device. Referring to Figure 2, the method includes:
步骤201:向第一设备发送的第一消息。Step 201: Send the first message to the first device.
步骤202:接收第一设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。Step 202: Receive at least one of the first key, the second key and the third key sent by the first device.
在一实施例中,第一密钥用于第一设备与第二设备之间的安全通信,或用于第二设备的本地信息的安全存储。In one embodiment, the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
在一实施例中,接收第一设备发送的第一密钥,包括:In one embodiment, receiving the first key sent by the first device includes:
接收第一设备发送的、利用第四密钥进行安全保护后的第一密钥;其中,第四密钥为第一设备与第二设备的共享密钥;Receive the first key sent by the first device and protected by the fourth key; wherein the fourth key is the shared key between the first device and the second device;
利用第四密钥对安全保护后的第一密钥进行解密。The fourth key is used to decrypt the securely protected first key.
在一实施例中,接收第一设备发送的第一密钥,包括:In one embodiment, receiving the first key sent by the first device includes:
接收并存储第一密钥和/或对应的第一标识。Receive and store the first key and/or the corresponding first identification.
在一实施例中,第二密钥用于第一设备与第三设备之间进行安全通信,或用于第三设备的本地信息的安全存储。In one embodiment, the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
在一实施例中,接收第一设备发送的第二密钥,包括:In one embodiment, receiving the second key sent by the first device includes:
接收第一设备发送的、利用第五密钥进行安全保护后的第二密钥;其中,第五密钥为第一设备与第三设备的共享密钥;Receive the second key sent by the first device and protected by using the fifth key; wherein the fifth key is the shared key between the first device and the third device;
将利用第五密钥进行安全保护后的第二密钥发送给第三设备。The second key that is securely protected using the fifth key is sent to the third device.
在一实施例中,所述方法还包括: In one embodiment, the method further includes:
将第二密钥和/或对应的第二标识发送给第三设备。Send the second key and/or the corresponding second identification to the third device.
在一实施例中,第三密钥用于第二设备与第三设备之间进行安全通信。In one embodiment, the third key is used for secure communication between the second device and the third device.
在一实施例中,接收第一设备发送的第三密钥,包括:In one embodiment, receiving the third key sent by the first device includes:
接收第一设备发送的、利用第四密钥和第五密钥分别进行安全保护后的第三密钥;Receive the third key sent by the first device and protected by using the fourth key and the fifth key respectively;
利用第四密钥对经第四密钥保护后的第三密钥进行解密;Using the fourth key to decrypt the third key protected by the fourth key;
将经第五密钥保护后的第三密钥发送给第三设备;其中,Send the third key protected by the fifth key to the third device; wherein,
第四密钥为第一设备与第二设备的共享密钥,第五密钥为第一设备与第三设备的共享密钥。The fourth key is a shared key between the first device and the second device, and the fifth key is a shared key between the first device and the third device.
在一实施例中,接收第三密钥,包括:In one embodiment, receiving the third key includes:
接收并存储第三密钥和/或对应的第三标识。Receive and store the third key and/or the corresponding third identification.
在一实施例中,第二设备发送的消息中携带时间戳。In one embodiment, the message sent by the second device carries a timestamp.
这里,在第二设备发送的消息中携带时间戳,该时间戳用于防止消息重放攻击,进一步地,在量子密钥管理相关消息中携带时间戳,可抵御攻击者对于量子密钥的重放攻击。Here, a timestamp is carried in the message sent by the second device, which is used to prevent message replay attacks. Furthermore, a timestamp is carried in the message related to quantum key management, which can resist the attacker's replay of the quantum key. Let attack.
需要说明的是,这里,第二设备发送的消息,包括但不限于第二设备向第一设备和/或第三设备发送的第一消息。第二设备发送的消息可以包括:由第二设备发出的、用于第二设备与第一设备、第三设备和/或其他设备之间进行交互的所有消息或部分消息。It should be noted that here, the message sent by the second device includes but is not limited to the first message sent by the second device to the first device and/or the third device. The messages sent by the second device may include: all or part of the messages sent by the second device for interaction between the second device and the first device, the third device and/or other devices.
相应地,本公开实施例还提供了一种密钥管理方法,应用于第三设备,参照图3,该方法包括:Correspondingly, embodiments of the present disclosure also provide a key management method, applied to a third device. Referring to Figure 3, the method includes:
步骤301:接收第一设备和/或第二设备发送的第二密钥以及第三密钥中的至少一个密钥。Step 301: Receive at least one of the second key and the third key sent by the first device and/or the second device.
这里,第二密钥以及第三密钥可以由第三设备从同一个设备中接收,例如,都从第一设备接收或都从第二设备接收,也可以由第三设备从不同设备接收,例如从第一设备接收第二密钥,从第二设备接收第三密钥。 Here, the second key and the third key may be received by the third device from the same device, for example, both are received from the first device or both are received from the second device, or they may be received by the third device from different devices. For example, the second key is received from the first device, and the third key is received from the second device.
在一实施例中,第二密钥用于第一设备与第三设备之间进行安全通信,或用于第三设备的本地信息的安全存储。In one embodiment, the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
在一实施例中,接收第一设备和/或第二设备发送的第二密钥,包括:In one embodiment, receiving the second key sent by the first device and/or the second device includes:
接收第一设备和/或第二设备发送的、利用第五密钥进行安全保护后的第二密钥。Receive the second key sent by the first device and/or the second device and protected by using the fifth key.
其中,第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
在一实施例中,接收第二密钥,包括:In one embodiment, receiving the second key includes:
接收并存储第二密钥和/或对应的第二标识。Receive and store the second key and/or the corresponding second identification.
在一实施例中,第三密钥用于第二设备与第三设备之间进行安全通信。In one embodiment, the third key is used for secure communication between the second device and the third device.
在一实施例中,接收第二设备发送的第三密钥,包括:In one embodiment, receiving the third key sent by the second device includes:
接收第二设备发送的、经第五密钥安全保护的第三密钥;Receive the third key sent by the second device and securely protected by the fifth key;
利用第五密钥对经第五密钥安全保护的第三密钥进行解密。The third key secured by the fifth key is decrypted using the fifth key.
其中,所述第五密钥为第一设备与第三设备的共享密钥。Wherein, the fifth key is a shared key between the first device and the third device.
在一实施例中,接收第一设备发送的第三密钥,包括:In one embodiment, receiving the third key sent by the first device includes:
接收第一设备发送的、经第五密钥安全保护的第三密钥;Receive the third key sent by the first device and securely protected by the fifth key;
利用第五密钥对经第五密钥安全保护的第三密钥进行解密。The third key secured by the fifth key is decrypted using the fifth key.
其中,所述第五密钥为第一设备与第三设备的共享密钥。Wherein, the fifth key is a shared key between the first device and the third device.
在一实施例中,接收第三密钥,包括:In one embodiment, receiving the third key includes:
接收并存储第三密钥和/或对应的第三标识。Receive and store the third key and/or the corresponding third identification.
在一实施例中,所述方法还包括:In one embodiment, the method further includes:
向第一设备发送第二消息;其中,Send a second message to the first device; wherein,
所述第二消息用于表示返回密钥接收的结果。The second message is used to indicate the result of returning the key reception.
在一实施例中,第三设备发送的消息中携带时间戳。In one embodiment, the message sent by the third device carries a timestamp.
这里,在第三设备发送的消息中携带时间戳,该时间戳用于防止消息重放攻击,进一步地,在量子密钥管理相关消息中携带时间戳,可抵御攻击者对于量子密钥的重放攻击。 Here, a timestamp is carried in the message sent by the third device, which is used to prevent message replay attacks. Furthermore, a timestamp is carried in the message related to quantum key management to resist the attacker's replay of the quantum key. Let attack.
需要说明的是,这里,第三设备发送的消息,包括但不限于:由第三设备发出的、用于第三设备与第一设备、第二设备和/或其他设备之间进行交互的所有消息或部分消息。It should be noted that here, the messages sent by the third device include but are not limited to: all messages sent by the third device for interaction between the third device and the first device, the second device and/or other devices. message or part of a message.
结合上文实施例,第一设备在执行第一消息相关操作的同时,为第二设备生成密钥,也就是说,第一设备在接收到第一消息之后,认为与第二设备进行第一消息相关的通信会消耗密钥,或者第一设备在接收到第一消息后发现第二设备在一段时间内未更新密钥,进而在执行第一消息相关操作的同时,为第二设备补充新的密钥,从而在无需第二设备增加安全介质的存储空间的前提下,低成本并高效地保证了第二设备始终预置充足的密钥。In conjunction with the above embodiment, the first device generates a key for the second device while performing operations related to the first message. That is to say, after receiving the first message, the first device considers that the first device is conducting the first communication with the second device. Message-related communication will consume the key, or the first device finds that the second device has not updated the key within a period of time after receiving the first message, and then supplements the new key for the second device while performing the first message-related operation. key, thus ensuring that the second device is always preset with sufficient keys at low cost and efficiently without the need for the second device to increase the storage space of the security medium.
此外,凡是在终端使用本地存储的(量子)对称密钥/(量子)非对称密钥与(量子)密钥管理中心进行安全交互的任何场景,都可使用本公开实施例方案实现普通或量子对称/非对称密钥的随用补充。(这里的(量子)表示量子是可能的场景,举例来说,(量子)对称密钥可以理解为:普通对称密钥或量子对称密钥,后续的括号所表示的含义相同,不再赘述)。例如,在终端接入(量子)密钥管理中心,基于(量子)对称密钥进行身份认证、建立安全通道的过程中,在终端访问(量子)密钥管理中心,基于(量子)对称密钥建立的安全通道进行号码绑定、业务鉴权/授权、(量子)密钥更新、(量子)密钥销毁、业务状态变更的过程中,均可使用本公开实施例方案实现(量子)对称密钥的随用补充。实际应用时,在与终端共享的(量子)对称密钥被使用消耗的情况下,例如,终端接入(量子)密钥中心时进行身份认证的情况下,在终端与(量子)密钥中心对交互的消息进行安全保护的情况下,(量子)密钥中心在对终端的相关消息进行业务处理的同时,还产生新的(量子)对称密钥,并使用旧的(量子)对称密钥对新的(量子)对称密钥进行安全保护,之后,将经过安全保护的新的(量子)对称密钥提供给终端。终端使用旧的(量子)对称密钥对接收到的新的(量子)对称密钥进行解密和/或完整性保护校验,并在解密和/或完整性保护校验成功后将新的(量子)对称密钥 安全存储,从而及时地补充了终端本地的(量子)对称密钥。可选地,终端可以向(量子)密钥中心返回消息,以确认新的(量子)对称密钥接收的结果(例如接收成功或者接收失败);或者不返回任何消息,表明(量子)对称密钥接收失败。这样,(量子)密钥中心可以在终端接收成功的情况下销毁旧的(量子)对称密钥,而新的(量子)对称密钥存储于(量子)密钥中心和终端本地的密钥池中,待后续有需要时使用。In addition, in any scenario where the terminal uses a locally stored (quantum) symmetric key/(quantum) asymmetric key to interact securely with the (quantum) key management center, the solutions of the disclosed embodiments can be used to implement ordinary or quantum Handy complement of symmetric/asymmetric keys. ((Quantum) here means a scenario where quantum is possible. For example, (quantum) symmetric key can be understood as: ordinary symmetric key or quantum symmetric key. The subsequent brackets have the same meaning and will not be repeated.) . For example, when the terminal accesses the (quantum) key management center and performs identity authentication and establishes a secure channel based on the (quantum) symmetric key, when the terminal accesses the (quantum) key management center, based on the (quantum) symmetric key In the process of number binding, business authentication/authorization, (quantum) key update, (quantum) key destruction, and business status change in the established secure channel, the solutions of the disclosed embodiments can be used to implement (quantum) symmetric encryption. A handy addition to the key. In practical applications, when the (quantum) symmetric key shared with the terminal is used and consumed, for example, when the terminal performs identity authentication when accessing the (quantum) key center, there is a gap between the terminal and the (quantum) key center. In the case of security protection of interactive messages, the (quantum) key center not only processes the relevant messages of the terminal, but also generates new (quantum) symmetric keys and uses the old (quantum) symmetric keys. The new (quantum) symmetric key is securely protected, and then the securely protected new (quantum) symmetric key is provided to the terminal. The terminal uses the old (quantum) symmetric key to decrypt and/or integrity protection check the new (quantum) symmetric key received, and after the decryption and/or integrity protection check is successful, the new ( Quantum) symmetric key Secure storage, thereby promptly replenishing the terminal's local (quantum) symmetric key. Optionally, the terminal can return a message to the (quantum) key center to confirm the result of the new (quantum) symmetric key reception (such as successful reception or reception failure); or it may not return any message to indicate that the (quantum) symmetric key has been successfully received. Key reception failed. In this way, the (quantum) key center can destroy the old (quantum) symmetric key when the terminal receives it successfully, and the new (quantum) symmetric key is stored in the (quantum) key center and the terminal's local key pool in for later use when necessary.
为了进一步对本公开实施例方案进行解释说明,给出以下应用实施例,需要说明的是,以下均使用量子对称密钥来进行举例说明,不难理解的是,下述多个实施例所示例的方法也可以应用于普通对称密钥、普通非对称密钥或量子非对称密钥。In order to further explain the embodiments of the present disclosure, the following application examples are given. It should be noted that quantum symmetric keys are used for illustration below. It is easy to understand that the following examples are Methods can also be applied to ordinary symmetric keys, ordinary asymmetric keys, or quantum asymmetric keys.
图4示出了本公开应用实施例提供的终端A发起号码绑定业务的交互流程示意图,参照图4,该交互流程包括:Figure 4 shows a schematic diagram of the interaction process of terminal A initiating the number binding service provided by the application embodiment of the present disclosure. Referring to Figure 4, the interaction process includes:
步骤1:当需要与量子密钥管理中心交互,将手机号码与密码卡和/或密码资源相互绑定时,终端A向量子密钥管理中心发送业务请求消息。Step 1: When it is necessary to interact with the quantum key management center and bind the mobile phone number to the password card and/or password resources, terminal A sends a service request message to the quantum key management center.
其中,为了确保消息传输的安全性,终端A从本地预配置的量子对称密钥池中选取一个有效的量子对称密钥KA,并使用KA或者基于KA衍生得到的对称密钥KA’,对业务请求消息的全部或部分信息内容进行加密和/或完整性保护。Among them, in order to ensure the security of message transmission, terminal A selects a valid quantum symmetric key KA from the local preconfigured quantum symmetric key pool, and uses KA or a symmetric key KA derived based on KA ', encrypt and/or integrity protect all or part of the information content of the service request message.
业务请求消息中携带终端A的标识、手机号码绑定的业务类型、以及用于对消息进行完整性保护的哈希运算消息认证码(Hash-based Message Authentication Code,HMAC),可选地,还携带KA的密钥标识KID_A、时间戳或序列号等信息,用于防止消息重放。The service request message carries the identity of terminal A, the service type bound to the mobile phone number, and a Hash-based Message Authentication Code (HMAC) used to protect the integrity of the message. Optionally, It carries KA 's key identification K ID _A, timestamp or sequence number and other information to prevent message replay.
步骤2:量子密钥管理中心根据终端标识及密钥标识进行查询,获取与终端A之间通过预配置方式共享的量子对称密钥KA,并使用KA或者基于KA衍生得到的对称密钥KA’,对业务请求消息进行完整性保护校验及解密。之后,对于终端A请求的号码绑定业务进行处理。 Step 2: The quantum key management center queries based on the terminal identification and key identification, obtains the quantum symmetric key KA shared with terminal A through pre-configuration, and uses KA or the symmetric key derived based on KA Key K A ' is used to perform integrity protection verification and decryption of the service request message. Afterwards, the number binding service requested by terminal A is processed.
与此同时,量子密钥管理中心为主被叫终端A生成新的量子对称密钥KA_new,对应分配新的密钥标识KID_A_new。其中,量子对称密钥通过量子随机数发生器产生。At the same time, the quantum key management center generates a new quantum symmetric key K A _new for the called terminal A, and correspondingly distributes a new key identification K ID _A_new. Among them, the quantum symmetric key is generated by a quantum random number generator.
步骤3:量子密钥管理中心向终端A返回业务响应消息,其中携带业务相关信息、新产生的量子对称密钥KA_new,可选地,还携带新的密钥标识KID_A_new、时间戳或序列号等信息。业务响应消息的全部或部分信息内容使用KA或者基于KA衍生得到的对称密钥KA’进行加密和/或完整性保护。Step 3: The quantum key management center returns a service response message to terminal A, which carries business-related information, the newly generated quantum symmetric key K A _new, and optionally also carries the new key identification K ID _A_new and a timestamp. or serial number and other information. All or part of the information content of the service response message is encrypted and/or integrity protected using KA or the symmetric key KA ' derived based on KA .
步骤4:终端A使用KA或者基于KA衍生得到的对称密钥KA’对业务响应消息进行校验并解密,完成业务相关处理。同时,获取量子密钥管理中心产生的新的量子对称密钥KA_new,可选地,终端A还获取对应的密钥标识KID_A_new,并将获取到的新的量子对称密钥KA_new和/或对应的密钥标识KID_A_new安全存储,从而使预共享的量子对称密钥得到补充。此外,如果业务响应消息中没有携带密钥标识KID_A_new,终端A需要根据事先与量子密钥管理中心约定的方式产生相应的密钥标识KID_A_new。Step 4: Terminal A uses KA or the symmetric key KA ' derived based on KA to verify and decrypt the service response message to complete business-related processing. At the same time, obtain the new quantum symmetric key K A _new generated by the quantum key management center. Optionally, terminal A also obtains the corresponding key identification K ID _A_new, and will obtain the new quantum symmetric key K A _new and/or the corresponding key identification K ID _A_new are securely stored, allowing the pre-shared quantum symmetric key to be supplemented. In addition, if the service response message does not carry the key identification K ID _A_new, terminal A needs to generate the corresponding key identification K ID _A_new according to the method agreed with the quantum key management center in advance.
可选地,步骤5:终端A向量子密钥管理中心返回消息,其中携带密钥标识KID_A_new,用于确认量子密钥KA_new已成功接收,可选地,消息中还携带时间戳或序列号等信息。该消息可基于KA或者基于KA衍生得到的对称密钥KA’进行安全保护。之后,终端A和量子密钥管理中心将使用过的KA销毁。此外,如果不执行步骤5,那么量子密钥管理中心在步骤3之后,终端A在步骤4之后将使用过的KA销毁。Optionally, step 5: Terminal A returns a message to the quantum key management center, which carries the key identification K ID _A_new to confirm that the quantum key K A _new has been successfully received. Optionally, the message also carries a timestamp. or serial number and other information. The message can be securely protected based on KA or the symmetric key KA ' derived from KA . Afterwards, terminal A and the quantum key management center will destroy the used K A. In addition, if step 5 is not performed, then the quantum key management center will destroy the used K A after step 3 and terminal A after step 4.
图5示出了本公开应用实施例提供的终端A发起号码绑定业务的交互流程示意图,参照图5,该交互流程包括:Figure 5 shows a schematic diagram of the interaction process of terminal A initiating the number binding service provided by the application embodiment of the present disclosure. Referring to Figure 5, the interaction process includes:
步骤1:用户拨打加密电话时,主叫终端A发起加密电话呼叫请求。Step 1: When the user makes an encrypted phone call, the calling terminal A initiates an encrypted phone call request.
步骤2:主叫终端A及被叫终端B通过应用服务器(Application Server,AS)进行呼叫接续。Step 2: The calling terminal A and the called terminal B perform call connection through the application server (Application Server, AS).
其中,对于基于IP的语音传输(Voice over Internet Protocol,VoIP)的加 密电话业务,AS是负责实现电话业务功能的会话初始协议(Session initialization Protocol,SIP)服务器;对于基于VoLTE或新空口承载语音(Voice over New Radio,VoNR)或固定电话的加密电话业务,AS是IP多媒体子系统(IP Multimedia Subsystem,IMS)系统负责电话业务的服务器,例如VoLTE AS。Among them, the addition of IP-based voice transmission (Voice over Internet Protocol, VoIP) For encrypted telephone services, AS is the Session Initialization Protocol (SIP) server responsible for implementing telephone service functions; for encrypted telephone services based on VoLTE or New Radio (Voice over New Radio, VoNR) or fixed telephone, AS is The IP Multimedia Subsystem (IMS) system is responsible for the server of telephone services, such as VoLTE AS.
步骤3:在呼叫接续的过程中,主叫终端A同步向量子密钥管理中心发送密钥请求消息,为本次加密电话呼叫申请获取量子会话密钥,用于对用户的语音信息进行加密保护。请求消息中携带主叫终端A及被叫终端B的标识、可选地,还携带会话标识、时间戳或者序列号等信息。其中,时间戳或者序列号信息用于防止消息重放。Step 3: During the call connection process, the calling terminal A synchronously sends a key request message to the quantum key management center to apply for the quantum session key for this encrypted phone call, which is used to encrypt and protect the user's voice information. . The request message carries the identities of the calling terminal A and the called terminal B. Optionally, it also carries information such as a session identifier, a timestamp or a sequence number. Among them, timestamp or sequence number information is used to prevent message replay.
为了确保密钥请求消息的安全性,主叫终端A从本地获取一个未使用过的预配置的量子对称密钥KA,并使用KA或者基于KA衍生得到的对称密钥KA’对请求消息的全部或部分信息内容进行加密和/或完整性保护。In order to ensure the security of the key request message, the calling terminal A obtains an unused preconfigured quantum symmetric key K A from the local area, and uses K A or the symmetric key K A ' derived based on K A to Request that all or part of the information content of a message be encrypted and/or integrity protected.
步骤4:接收到密钥请求消息之后,量子密钥管理中心根据主叫终端标识及密钥标识,查询获取与主叫终端A之间通过预配置方式共享的量子对称密钥KA,并使用KA或者基于KA衍生得到的对称密钥KA’对密钥请求消息进行完整性保护校验及解密。之后,如果密钥请求消息中携带时间戳或者序列号,则根据时间戳或者序列号验证密钥请求消息的新鲜性。Step 4: After receiving the key request message, the quantum key management center queries and obtains the quantum symmetric key K A shared with the calling terminal A through pre-configuration based on the calling terminal identification and key identification, and uses KA or the symmetric key KA' derived based on KA performs integrity protection verification and decryption of the key request message. Afterwards, if the key request message carries a timestamp or sequence number, the freshness of the key request message is verified based on the timestamp or sequence number.
密钥请求消息的完整性及新鲜性验证通过后,量子密钥管理中心根据被叫终端标识查询,获取一个与被叫终端B之间通过预配置方式共享的量子对称密钥KB以及KB对应的密钥标识KID_B。同时,量子密钥管理中心为本次呼叫产生量子会话密钥,为主叫终端A及被叫终端B分别生成新的量子对称密钥KA_new和KB_new,对应分配新的密钥标识KID_A_new和KID_B_new。这里量子会话密钥以及新的量子对称密钥通过量子随机数发生器产生。After the integrity and freshness of the key request message are verified, the quantum key management center queries the called terminal ID and obtains a quantum symmetric key K B and K B shared with the called terminal B in a pre-configured manner. Corresponding key identification K ID _B. At the same time, the quantum key management center generates a quantum session key for this call, generates new quantum symmetric keys K A _new and K B _new for the calling terminal A and the called terminal B respectively, and distributes new key identifiers accordingly. KID_A_new and KID_B_new . Here the quantum session key as well as the new quantum symmetric key are generated by a quantum random number generator.
步骤5:量子密钥管理中心组建密钥响应消息,向主叫终端A及被叫终端B提供本次呼叫所使用的会话密钥Ks,生成的新的量子对称密钥KA_new 和KB_new,可选地,还提供新的密钥标识KID_A_new和KID_B_new及其他相关信息。若量子密钥管理中心在密钥响应消息中不传输KID_A_new和KID_B_new,则主叫终端A和被叫终端B在接收到KA_new和KB_new之后,应采用事先与量子密钥管理中心约定的某种方法,为量子密钥同步分配新的KID_A_new和KID_B_new,从而保持与量子密钥管理中心的同步。Step 5: The quantum key management center forms a key response message, provides the session key Ks used in this call to the calling terminal A and the called terminal B, and generates a new quantum symmetric key K A _new and K B _new, optionally, also provide new key identifiers K ID _A_new and K ID _B_new and other related information. If the quantum key management center does not transmit K ID _A_new and K ID _B_new in the key response message, then the calling terminal A and the called terminal B, after receiving K A _new and K B _new, should use the quantum encryption method in advance. A certain method agreed upon by the key management center to allocate new K ID _A_new and K ID _B_new for quantum key synchronization, thereby maintaining synchronization with the quantum key management center.
对于主叫终端A,量子密钥管理中心向主叫终端A提供:量子会话密钥Ks、密钥标识KID_A、主被叫终端标识、新的量子对称密钥KA_new,可选地,还提供会话标识和/或新的密钥标识KID_A_new和/或时间戳或者序列号等信息。为了防止消息内容被窃听、篡改,确保传输过程的安全性,量子密钥管理中心应使用KA或者基于KA衍生得到的对称密钥KA’,对Ks,以及,可选地,KA_new、KID_A_new等相关信息进行加密和/或完整性保护,获得完整性保护的验证结果,如HMACAFor the calling terminal A, the quantum key management center provides the calling terminal A with: quantum session key Ks, key identification K ID_A , calling terminal identification and new quantum symmetric key K A _new, optionally , and also provide session identification and/or new key identification K ID _A_new and/or timestamp or sequence number and other information. In order to prevent the message content from being eavesdropped and tampered with, and ensure the security of the transmission process, the quantum key management center should use KA or the symmetric key KA ' derived based on KA , for Ks, and, optionally, KA _new, K ID _A_new and other related information are encrypted and/or integrity protected to obtain integrity protected verification results, such as HMAC A.
同理,对于被叫终端B,量子密钥管理中心向B提供:量子会话密钥Ks、密钥标识KID_B、主被叫终端标识、新的量子对称密钥KB_new,可选地,还提供会话标识和/或新的密钥标识KID_B_new和/或时间戳或者序列号等信息。为了防止此部分消息内容被窃听、篡改,确保传输过程的安全性,量子密钥管理中心使用KB或者基于KB衍生得到的对称密钥KB’,对Ks,以及,可选地,对KB_new、KID_B_new等相关信息进行加密和/或完整性保护,获得完整性保护的验证结果,如HMACBIn the same way, for the called terminal B, the quantum key management center provides B with: quantum session key Ks, key identification K ID _B, calling terminal identification, new quantum symmetric key K B _new, optionally , and also provide session identification and/or new key identification K ID _B_new and/or timestamp or sequence number and other information. In order to prevent this part of the message content from being eavesdropped and tampered with, and to ensure the security of the transmission process, the quantum key management center uses K B or the symmetric key K B ' derived based on K B , for Ks, and, optionally, for K B _new, K ID _B_new and other related information are encrypted and/or integrity protected to obtain integrity protected verification results, such as HMAC B.
之后,量子密钥管理中心通过密钥响应消息将新生成的量子对称密钥,以及,可选地,密钥标识等信息发送给主叫终端A。响应消息包括:Msg_A、HMACA、Msg_B、HMACB等。这里,Msg_A包含经过安全保护后的KA_new、KID_A_new、Ks、时间戳或者序列号等相关信息,Msg_B包含经过安全保护后的KB_new、KID_B_new、Ks、时间戳或者序列号等相关信息。Afterwards, the quantum key management center sends the newly generated quantum symmetric key, and, optionally, key identification and other information to the calling terminal A through the key response message. Response messages include: Msg_A, HMAC A , Msg_B, HMAC B , etc. Here, Msg_A contains relevant information such as K A _new, K ID _A_new, Ks, timestamp or serial number after security protection, and Msg_B contains K B _new, K ID _B_new, Ks, timestamp or serial number after security protection and other related information.
步骤6:主叫终端A使用KA或者基于KA衍生得到的对称密钥KA’解密Msg_A,获取量子密钥管理中心产生的新的量子对称密钥KA_new,以及可选 地,获取密钥标识KID_A_new、Ks、时间戳或者序列号等相关信息,并将有关的量子密钥安全存储,从而使预共享的量子对称密钥得到补充。如果Msg_A中包含时间戳或者序列号,主叫终端A可验证密钥响应消息Msg_A的新鲜性。Step 6: The calling terminal A uses KA or the symmetric key KA ' derived based on KA to decrypt Msg_A, and obtains the new quantum symmetric key KA _new generated by the quantum key management center, and optionally Ground, obtain relevant information such as key identification K ID _A_new, Ks, timestamp or serial number, and securely store the relevant quantum key, thereby supplementing the pre-shared quantum symmetric key. If Msg_A contains a timestamp or sequence number, the calling terminal A can verify the freshness of the key response message Msg_A.
可选地,步骤7:主叫终端A向量子密钥管理中心返回消息,其中携带KID_A_new,可选地,还携带时间戳或者序列号等信息,用于确认KA_new已成功接收。该消息可基于KA或者KA’进行安全保护。之后,主叫终端A和量子密钥管理中心将使用过的KA销毁。Optionally, step 7: The calling terminal A returns a message to the subkey management center, which carries K ID _A_new. Optionally, it also carries information such as a timestamp or sequence number to confirm that K A _new has been successfully received. The message can be secured based on KA or KA '. Afterwards, the calling terminal A and the quantum key management center destroy the used K A.
此外,如果不执行步骤7,那么量子密钥管理中心在步骤5之后,主叫终端A在步骤6之后将使用过的KA销毁。In addition, if step 7 is not performed, then the quantum key management center will destroy the used KA after step 5, and the calling terminal A will destroy the used KA after step 6.
步骤8:主叫终端A向被叫终端B发送会话密钥,消息中携带量子密钥管理中心向被叫被叫终端B提供的相关信息,包括Msg_B、HMACB等。Step 8: The calling terminal A sends the session key to the called terminal B. The message carries the relevant information provided by the quantum key management center to the called terminal B, including Msg_B, HMAC B , etc.
步骤9:被叫终端B使用KB或者基于KB衍生得到的对称密钥KB’解密Msg_B,获取量子密钥管理中心产生的新的量子对称密钥KB_new和Ks,可选地,还获取密钥标识KID_B_new、时间戳或者序列号等相关信息,并将有关的量子密钥安全存储,从而使预共享的量子对称密钥得到补充。如果Msg_B中包含时间戳或者序列号,被叫终端B可验证密钥响应消息Msg_B的新鲜性。Step 9: The called terminal B uses K B or the symmetric key K B ' derived based on K B to decrypt Msg_B, and obtains the new quantum symmetric keys K B _new and Ks generated by the quantum key management center. Optionally, Relevant information such as key identification K ID _B_new, timestamp or serial number is also obtained, and the relevant quantum key is securely stored, thereby supplementing the pre-shared quantum symmetric key. If Msg_B contains a timestamp or sequence number, the called terminal B can verify the freshness of the key response message Msg_B.
可选地,步骤10:被叫终端B向量子密钥管理中心返回消息,其中携带KID_B_new,可选地,还携带时间戳或者序列号等信息,用于确认KB_new已成功接收。该消息可基于KB或者KB’进行安全保护。之后,被叫终端B和量子密钥管理中心将使用过的KB销毁。Optionally, step 10: The called terminal B returns a message to the subkey management center, which carries K ID _B_new. Optionally, it also carries information such as a timestamp or sequence number to confirm that K B _new has been successfully received. The message can be secured based on K B or K B '. Afterwards, the called terminal B and the quantum key management center destroy the used K B.
此外,如果不执行步骤10,那么量子密钥管理中心在步骤5之后,被叫终端B在步骤9之后将使用过的KB销毁。In addition, if step 10 is not performed, then the quantum key management center will destroy the used K B after step 5, and the called terminal B will destroy the used K B after step 9.
步骤11:被叫终端B返回会话密钥确认消息,向主叫终端A确认量子会话密钥Ks已成功接收。Step 11: The called terminal B returns a session key confirmation message and confirms to the calling terminal A that the quantum session key Ks has been successfully received.
步骤12:主叫终端A确认被叫终端B已成功获取量子会话密钥Ks。 Step 12: The calling terminal A confirms that the called terminal B has successfully obtained the quantum session key Ks.
步骤13:主叫终端A与被叫终端B使用Ks对用户之间交互的话音信息进行加密保护,开始加密通话。通话结束后,主被叫终端将本次使用的量子会话密钥Ks销毁。Step 13: The calling terminal A and the called terminal B use Ks to encrypt and protect the voice information exchanged between the users, and start the encrypted call. After the call ends, the calling and called terminals destroy the quantum session key Ks used this time.
基于上文各实施例,需要说明,首先,本公开实施例可应用于加密语音和/或视频电话、加密短消息、加密即时消息、加密语音和/或视频、加密对讲消息、加密邮件等各种基于量子密钥的保密通信业务。上文仅以量子加密语音电话业务为例进行说明。这里所述的量子密钥管理中心,可以是指统一的量子密钥管理平台,为多种不同业务提供统一的密管服务,也可以是某种具体业务的密钥管理平台,例如,量子VoLTE加密通话业务的密管平台,专为量子VoLTE加密通话业务提供密钥管理服务。Based on the above embodiments, it needs to be noted that first of all, the disclosed embodiments can be applied to encrypted voice and/or video calls, encrypted short messages, encrypted instant messages, encrypted voice and/or videos, encrypted intercom messages, encrypted emails, etc. Various secure communication services based on quantum keys. The above description only takes the quantum encrypted voice phone service as an example. The quantum key management center described here can refer to a unified quantum key management platform that provides unified key management services for a variety of different businesses, or it can be a key management platform for a specific business, such as quantum VoLTE. A key management platform for encrypted call services, specifically providing key management services for quantum VoLTE encrypted call services.
其次,量子密钥管理中心与终端之间共享的量子对称密钥,起到对保密通信业务过程中终端与量子密钥管理中心间交互的相关信息(如,会话标识、量子会话密钥Ks、新的量子对称密钥KA_new和/或KB_new、密钥标识KID_A_new/KID_B_new等)进行加密、完整性保护、源认证等安全保护的作用,因此该共享对称密钥也可称为基础密钥、工作密钥、密钥保护密钥、认证密钥或者接入密钥等等。Secondly, the quantum symmetric key shared between the quantum key management center and the terminal plays a role in the interaction between the terminal and the quantum key management center during the secure communication process (such as session identification, quantum session key Ks, The new quantum symmetric key K A _new and/or K B _new, key identification K ID _A_new/K ID _B_new, etc.) perform security protection functions such as encryption, integrity protection, source authentication, etc., so the shared symmetric key also It can be called a basic key, a working key, a key protection key, an authentication key or an access key, etc.
再次,本公开实施例除了适用于两个终端参与的保密通信业务之外,还可适用于多个终端开展的保密通信业务,满足保密多方通话、保密语音和/或视频会议、保密群组消息、保密多方对讲等业务应用的需要。此时,量子密钥管理中心应基于当前正在使用的、与每一终端分别共享的量子对称密钥对新产生的量子对称密钥,可选地,新分配的量子密钥标识及相关信息,做加密保护,之后通过发起密钥请求的终端将加密保护后的新的量子对称密钥及相关信息发送给各个终端。可以统一发送,也可以分别发送。随后,各终端解密获取新产生的量子对称密钥。Thirdly, in addition to being applicable to secure communication services involving two terminals, the disclosed embodiments are also applicable to secure communication services carried out by multiple terminals, meeting the needs of secure multi-party calls, secure voice and/or video conferencing, and secure group messages. , confidential multi-party intercom and other business applications. At this time, the quantum key management center should newly generate a quantum symmetric key based on the quantum symmetric key currently in use and shared with each terminal, optionally, the newly distributed quantum key identification and related information, Perform encryption protection, and then send the encrypted and protected new quantum symmetric key and related information to each terminal through the terminal that initiated the key request. They can be sent together or separately. Subsequently, each terminal decrypts and obtains the newly generated quantum symmetric key.
本公开实施例通过量子对称密钥的随用补充,无需扩大设备的安全介质的存储空间,就能够使本地量子对称密钥存储数量较少的设备满足用户长期 或频繁的量子保密通信业务使用的需要,适用于安全介质存储空间较小的设备,可降低设备成本。进一步地,在量子密钥管理相关消息中采用时间戳或序列号的机制,可抵御攻击者对于量子密钥的重放攻击。The disclosed embodiments can enable devices with a small number of local quantum symmetric key storage to meet the long-term needs of users by supplementing the quantum symmetric key without expanding the storage space of the device's security medium. Or the need for frequent quantum secure communication services, it is suitable for equipment with small security medium storage space, which can reduce equipment costs. Furthermore, the use of time stamp or sequence number mechanisms in quantum key management related messages can resist replay attacks by attackers on quantum keys.
为了实现本公开实施例的方法,本公开实施例还提供了一种密钥管理装置,设置在第一设备上,如图6所示,该装置包括:In order to implement the method of the embodiment of the present disclosure, the embodiment of the present disclosure also provides a key management device, which is provided on the first device. As shown in Figure 6, the device includes:
第一接收单元601,用于接收第二设备发送的第一消息;The first receiving unit 601 is used to receive the first message sent by the second device;
执行单元602,用于执行与第一消息相关的操作,并获得以下中的至少一种:第一密钥、第二密钥以及第三密钥;Execution unit 602, configured to perform operations related to the first message, and obtain at least one of the following: a first key, a second key, and a third key;
第一发送单元603,用于将第一密钥、第二密钥以及第三密钥中的至少一个发送给第二设备。The first sending unit 603 is used to send at least one of the first key, the second key and the third key to the second device.
其中,在一实施例中,第一密钥用于第一设备与第二设备之间的安全通信,或用于第二设备的本地信息的安全存储。In one embodiment, the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
在一实施例中,第一发送单元603将第一密钥发送给第二设备,包括:In an embodiment, the first sending unit 603 sends the first key to the second device, including:
将利用第四密钥进行安全保护后的第一密钥发送给第二设备;其中,Send the first key that is securely protected using the fourth key to the second device; wherein,
第四密钥为第一设备与第二设备的共享密钥。The fourth key is a shared key between the first device and the second device.
在一实施例中,执行单元602获得第一密钥,包括:In an embodiment, the execution unit 602 obtains the first key, including:
获得第一密钥及对应的第一标识;Obtain the first key and the corresponding first identifier;
第一发送单元603将第一密钥发送给第二设备,包括:The first sending unit 603 sends the first key to the second device, including:
将第一密钥和/或对应的第一标识发送给第二设备。Send the first key and/or the corresponding first identification to the second device.
在一实施例中,所述装置还包括:In one embodiment, the device further includes:
第一存储单元,用于存储第一密钥和/或对应的第一标识。The first storage unit is used to store the first key and/or the corresponding first identification.
在一实施例中,第二密钥用于第一设备与第三设备之间进行安全通信,或用于第三设备的本地信息的安全存储。In one embodiment, the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
在一实施例中,第一发送单元603将第二密钥发送给第二设备,包括:In an embodiment, the first sending unit 603 sends the second key to the second device, including:
将利用第五密钥进行安全保护后的第二密钥发送给第二设备;其中,Send the second key that is securely protected using the fifth key to the second device; wherein,
第五密钥为第一设备与第三设备的共享密钥。 The fifth key is a shared key between the first device and the third device.
在一实施例中,所述方法还包括:In one embodiment, the method further includes:
第三发送单元,用于向第三设备发送第二密钥。The third sending unit is used to send the second key to the third device.
在一实施例中,所述第三发送单元向第三设备发送第二密钥,包括:In an embodiment, the third sending unit sends the second key to the third device, including:
将利用第五密钥进行安全保护后的第二密钥发送给第三设备;其中,Send the second key protected by the fifth key to the third device; wherein,
第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
在一实施例中,执行单元602获得第二密钥,包括:In an embodiment, the execution unit 602 obtains the second key, including:
获得第二密钥及对应的第二标识;Obtain the second key and the corresponding second identification;
第一发送单元603将第二密钥发送给第二设备和/或第三设备,包括:The first sending unit 603 sends the second key to the second device and/or the third device, including:
将第二密钥和/或对应的第二标识发送给第二设备和/或第三设备。Send the second key and/or the corresponding second identification to the second device and/or the third device.
在一实施例中,所述装置还包括:In one embodiment, the device further includes:
第二存储单元,用于存储第二密钥和/或对应的第二标识。The second storage unit is used to store the second key and/or the corresponding second identification.
在一实施例中,第三密钥用于第二设备与第三设备之间进行安全通信。In one embodiment, the third key is used for secure communication between the second device and the third device.
在一实施例中,第一发送单元603将第三密钥发送给第二设备,包括:In an embodiment, the first sending unit 603 sends the third key to the second device, including:
将利用第四密钥和第五密钥分别进行安全保护后的第三密钥发送给第二设备;其中,Send the third key that is securely protected using the fourth key and the fifth key to the second device; wherein,
第四密钥为第一设备与第二设备的共享密钥,第五密钥为第一设备与第三设备的共享密钥。The fourth key is a shared key between the first device and the second device, and the fifth key is a shared key between the first device and the third device.
在一实施例中,所述装置还包括:In one embodiment, the device further includes:
第四发送单元,用于向第三设备发送第三密钥。The fourth sending unit is used to send the third key to the third device.
在一实施例中,所述第四发送单元向第三设备发送第三密钥,包括:In an embodiment, the fourth sending unit sends the third key to the third device, including:
将利用第五密钥进行安全保护后的第三密钥发送给第三设备;其中,Send the third key that is securely protected using the fifth key to the third device; wherein,
第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
在一实施例中,执行单元602获得第三密钥,包括:In an embodiment, the execution unit 602 obtains the third key, including:
获得第三密钥及对应的第三标识;Obtain the third key and the corresponding third identification;
第一发送单元603将第三密钥发送给第二设备和/或第三设备,包括:The first sending unit 603 sends the third key to the second device and/or the third device, including:
将第三密钥和/或对应的第三标识发送给第二设备和/或第三设备。 Send the third key and/or the corresponding third identification to the second device and/or the third device.
在一实施例中,所述装置还包括:In one embodiment, the device further includes:
第三存储单元,用于存储第三密钥和/或对应的第三标识。The third storage unit is used to store the third key and/or the corresponding third identification.
在一实施例中,第一设备发送的消息中携带时间戳。In one embodiment, the message sent by the first device carries a timestamp.
实际应用时,所述第一发送单元601、第一接收单元603、第三发送单元及第四发送单元可由密钥管理装置中的通信接口实现;所述执行单元602、第一存储单元、第二存储单元及第三存储单元可由密钥管理装置中的处理器实现。In actual application, the first sending unit 601, the first receiving unit 603, the third sending unit and the fourth sending unit can be implemented by the communication interface in the key management device; the execution unit 602, the first storage unit, the third sending unit The second storage unit and the third storage unit may be implemented by a processor in the key management device.
为了实现本公开实施例的方法,本公开实施例还提供了一种密钥管理装置,设置在第二设备上,如图7所示,该装置包括:In order to implement the method of the embodiment of the present disclosure, the embodiment of the present disclosure also provides a key management device, which is provided on the second device. As shown in Figure 7, the device includes:
第二发送单元701,用于向第一设备发送的第一消息;The second sending unit 701 is used to send the first message to the first device;
第二接收单元702,用于接收第一设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。The second receiving unit 702 is configured to receive at least one of the first key, the second key and the third key sent by the first device.
其中,在一实施例中,第一密钥用于第一设备与第二设备之间的安全通信,或用于第二设备的本地信息的安全存储。In one embodiment, the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
在一实施例中,第二接收单元702接收第一设备发送的第一密钥,包括:In an embodiment, the second receiving unit 702 receives the first key sent by the first device, including:
接收第一设备发送的、利用第四密钥进行安全保护后的第一密钥;其中,第四密钥为第一设备与第二设备的共享密钥;Receive the first key sent by the first device and protected by the fourth key; wherein the fourth key is the shared key between the first device and the second device;
利用第四密钥对安全保护后的第一密钥进行解密。The fourth key is used to decrypt the securely protected first key.
在一实施例中,第二接收单元702接收第一设备发送的第一密钥,包括:In an embodiment, the second receiving unit 702 receives the first key sent by the first device, including:
接收并存储第一密钥和/或对应的第一标识。Receive and store the first key and/or the corresponding first identification.
在一实施例中,第二密钥用于第一设备与第三设备之间进行安全通信,或用于第三设备的本地信息的安全存储。In one embodiment, the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
在一实施例中,第二接收单元702接收第一设备发送的第二密钥,包括:In an embodiment, the second receiving unit 702 receives the second key sent by the first device, including:
接收第一设备发送的、利用第五密钥进行安全保护后的第二密钥;其中,第五密钥为第一设备与第三设备的共享密钥;Receive the second key sent by the first device and protected by using the fifth key; wherein the fifth key is the shared key between the first device and the third device;
将利用第五密钥进行安全保护后的第二密钥发送给第三设备。 The second key that is securely protected using the fifth key is sent to the third device.
在一实施例中,所述装置还包括:In one embodiment, the device further includes:
第五发送单元,用于将第二密钥和/或对应的第二标识发送给第三设备。The fifth sending unit is used to send the second key and/or the corresponding second identification to the third device.
在一实施例中,第三密钥用于第二设备与第三设备之间进行安全通信。In one embodiment, the third key is used for secure communication between the second device and the third device.
在一实施例中,第二接收单元702接收第一设备发送的第三密钥,包括:In an embodiment, the second receiving unit 702 receives the third key sent by the first device, including:
接收第一设备发送的、利用第四密钥和第五密钥分别进行安全保护后的第三密钥;Receive the third key sent by the first device and protected by using the fourth key and the fifth key respectively;
利用第四密钥对经第四密钥保护后的第三密钥进行解密;Using the fourth key to decrypt the third key protected by the fourth key;
将经第五密钥保护后的第三密钥发送给第三设备;其中,Send the third key protected by the fifth key to the third device; wherein,
第四密钥为第一设备与第二设备的共享密钥,第五密钥为第一设备与第三设备的共享密钥。The fourth key is a shared key between the first device and the second device, and the fifth key is a shared key between the first device and the third device.
在一实施例中,第二接收单元702接收第三密钥,包括:In an embodiment, the second receiving unit 702 receives the third key, including:
接收并存储第三密钥和/或对应的第三标识。Receive and store the third key and/or the corresponding third identification.
在一实施例中,第二设备发送的消息中携带时间戳。In one embodiment, the message sent by the second device carries a timestamp.
实际应用时,所述第二发送单元701、第二接收单元702和第五发送单元可由密钥管理装置中的通信接口实现。In actual application, the second sending unit 701, the second receiving unit 702 and the fifth sending unit may be implemented by the communication interface in the key management device.
为了实现本公开实施例的方法,本公开实施例还提供了一种密钥管理装置,设置在第三设备上,如图8所示,该装置包括:In order to implement the method of the embodiment of the present disclosure, the embodiment of the present disclosure also provides a key management device, which is provided on the third device. As shown in Figure 8, the device includes:
第三接收单元801,用于接收第一设备和/或第二设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。The third receiving unit 801 is configured to receive at least one of the first key, the second key and the third key sent by the first device and/or the second device.
其中,在一实施例中,第二密钥用于第一设备与第三设备之间进行安全通信,或用于第三设备的本地信息的安全存储。In one embodiment, the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
在一实施例中,第三接收单元801接收第一设备和/或第二设备发送的第二密钥,包括:In one embodiment, the third receiving unit 801 receives the second key sent by the first device and/or the second device, including:
接收第一设备和/或第二设备发送的、利用第五密钥进行安全保护后的第二密钥;其中,Receive the second key sent by the first device and/or the second device and protected by using the fifth key; wherein,
第五密钥为第一设备与第三设备的共享密钥。 The fifth key is a shared key between the first device and the third device.
在一实施例中,第三接收单元801接收第二密钥,包括:In an embodiment, the third receiving unit 801 receives the second key, including:
接收并存储第二密钥和/或对应的第二标识。Receive and store the second key and/or the corresponding second identification.
在一实施例中,第三密钥用于第二设备与第三设备之间进行安全通信。In one embodiment, the third key is used for secure communication between the second device and the third device.
在一实施例中,第三接收单元801接收第二设备发送的第三密钥,包括:In an embodiment, the third receiving unit 801 receives the third key sent by the second device, including:
接收第二设备发送的、经第五密钥安全保护的第三密钥;Receive the third key sent by the second device and securely protected by the fifth key;
利用第五密钥对经第五密钥安全保护的第三密钥进行解密;其中,Use the fifth key to decrypt the third key securely protected by the fifth key; wherein,
所述第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
在一实施例中,第三接收单元801接收第一设备发送的第三密钥,包括:In an embodiment, the third receiving unit 801 receives the third key sent by the first device, including:
接收第一设备发送的、经第五密钥安全保护的第三密钥;Receive the third key sent by the first device and securely protected by the fifth key;
利用第五密钥对经第五密钥安全保护的第三密钥进行解密;其中,Use the fifth key to decrypt the third key securely protected by the fifth key; wherein,
所述第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
在一实施例中,第三接收单元801接收第三密钥,包括:In an embodiment, the third receiving unit 801 receives the third key, including:
接收并存储第三密钥和/或对应的第三标识。Receive and store the third key and/or the corresponding third identification.
在一实施例中,所述装置还包括:In one embodiment, the device further includes:
第六发送单元,用于向第一设备发送第二消息;其中,The sixth sending unit is used to send the second message to the first device; wherein,
所述第二消息用于返回密钥接收的结果。The second message is used to return the result of key reception.
在一实施例中,第三设备发送的消息中携带时间戳。In one embodiment, the message sent by the third device carries a timestamp.
实际应用时,所述第三接收单元803及第六发送单元可由密钥管理装置中的通信接口实现。In actual application, the third receiving unit 803 and the sixth sending unit may be implemented by the communication interface in the key management device.
需要说明的是:上述实施例提供的由密钥管理装置在进行由密钥管理时,仅以上述各程序模块的划分进行举例说明,实际应用中,可以根据需要而将上述处理分配由不同的程序模块完成,即将装置的内部结构划分成不同的程序模块,以完成以上描述的全部或者部分处理。另外,上述实施例提供的由密钥管理装置与由密钥管理方法实施例属于同一构思,其具体实现过程详见方法实施例,这里不再赘述。It should be noted that when the key management device provided in the above embodiment performs key management, only the division of the above program modules is used as an example. In actual application, the above processing can be allocated to different modules as needed. The program module is completed, that is, the internal structure of the device is divided into different program modules to complete all or part of the processing described above. In addition, the key management device and the key management method embodiments provided in the above embodiments belong to the same concept. Please refer to the method embodiments for the specific implementation process, which will not be described again here.
基于上述程序模块的硬件实现,且为了实现本公开实施例第一设备侧的 方法,本公开实施例还提供了一种第一设备,如图9所示,第一设备900包括:Based on the hardware implementation of the above program module, and in order to implement the first device side of the embodiment of the present disclosure, Method, the embodiment of the present disclosure also provides a first device. As shown in Figure 9, the first device 900 includes:
第一通信接口901,能够与其他网络节点进行信息交互;The first communication interface 901 is capable of information exchange with other network nodes;
第一处理器902,与所述第一通信接口901连接,以实现与其他网络节点进行信息交互,用于运行计算机程序时,执行上述第一设备侧一个或多个技术方案提供的方法。而所述计算机程序存储在第一存储器903上。The first processor 902 is connected to the first communication interface 901 to implement information interaction with other network nodes, and is used to execute the method provided by one or more technical solutions on the first device side when running a computer program. The computer program is stored on the first memory 903 .
具体地,所述第一通信接口901,用于接收第二设备发送的第一消息;Specifically, the first communication interface 901 is used to receive the first message sent by the second device;
所述第一处理器902,用于执行与第一消息相关的操作,并获得以下中的至少一种:第一密钥、第二密钥以及第三密钥;The first processor 902 is configured to perform operations related to the first message and obtain at least one of the following: a first key, a second key, and a third key;
所述第一通信接口901,还用于将第一密钥、第二密钥以及第三密钥中的至少一个发送给第二设备。The first communication interface 901 is also used to send at least one of the first key, the second key and the third key to the second device.
其中,在一实施例中,第一密钥用于第一设备与第二设备之间的安全通信,或用于第二设备的本地信息的安全存储。In one embodiment, the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
在一实施例中,所述第一通信接口901,用于将利用第四密钥进行安全保护后的第一密钥发送给第二设备;其中,In one embodiment, the first communication interface 901 is used to send the first key that is securely protected by using the fourth key to the second device; wherein,
第四密钥为第一设备与第二设备的共享密钥。The fourth key is a shared key between the first device and the second device.
在一实施例中,所述第一处理器902,用于获得第一密钥及对应的第一标识;In one embodiment, the first processor 902 is used to obtain the first key and the corresponding first identification;
所述第一通信接口901,用于将第一密钥和/或对应的第一标识发送给第二设备。The first communication interface 901 is used to send the first key and/or the corresponding first identification to the second device.
在一实施例中,所述第一处理器902,还用于存储第一密钥和/或对应的第一标识。In one embodiment, the first processor 902 is also configured to store the first key and/or the corresponding first identification.
在一实施例中,第二密钥用于第一设备与第三设备之间进行安全通信,或用于第三设备的本地信息的安全存储。In one embodiment, the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
在一实施例中,所述第一通信接口901,用于将利用第五密钥进行安全保护后的第二密钥发送给第二设备;其中, In one embodiment, the first communication interface 901 is used to send the second key that is securely protected by using the fifth key to the second device; wherein,
第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
在一实施例中,所述第一通信接口901,还用于向第三设备发送第二密钥。In one embodiment, the first communication interface 901 is also used to send the second key to the third device.
在一实施例中,所述第一通信接口901,用于将利用第五密钥进行安全保护后的第二密钥发送给第三设备;其中,In one embodiment, the first communication interface 901 is used to send the second key that is securely protected by using the fifth key to the third device; wherein,
第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
在一实施例中,所述第一处理器902,用于获得第二密钥及对应的第二标识;In one embodiment, the first processor 902 is used to obtain the second key and the corresponding second identification;
所述第一通信接口901,用于将第二密钥和/或对应的第二标识发送给第二设备和/或第三设备。The first communication interface 901 is used to send the second key and/or the corresponding second identification to the second device and/or the third device.
在一实施例中,所述第一处理器902,还用于存储第二密钥和/或对应的第二标识。In one embodiment, the first processor 902 is also configured to store the second key and/or the corresponding second identification.
在一实施例中,第三密钥用于第二设备与第三设备之间进行安全通信。In one embodiment, the third key is used for secure communication between the second device and the third device.
在一实施例中,所述第一通信接口901,用于将利用第四密钥和第五密钥分别进行安全保护后的第三密钥发送给第二设备;其中,In one embodiment, the first communication interface 901 is used to send the third key that is securely protected using the fourth key and the fifth key to the second device; wherein,
第四密钥为第一设备与第二设备的共享密钥,第五密钥为第一设备与第三设备的共享密钥。The fourth key is a shared key between the first device and the second device, and the fifth key is a shared key between the first device and the third device.
在一实施例中,所述第一通信接口901,还用于向第三设备发送第三密钥。In one embodiment, the first communication interface 901 is also used to send the third key to the third device.
在一实施例中,所述第一通信接口901,用于将利用第五密钥进行安全保护后的第三密钥发送给第三设备;其中,In one embodiment, the first communication interface 901 is used to send the third key that is securely protected using the fifth key to the third device; wherein,
第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
在一实施例中,所述第一处理器902,用于获得第三密钥及对应的第三标识;In one embodiment, the first processor 902 is used to obtain the third key and the corresponding third identification;
所述第一通信接口901,用于将第三密钥和/或对应的第三标识发送给第二设备和/或第三设备。 The first communication interface 901 is used to send the third key and/or the corresponding third identification to the second device and/or the third device.
在一实施例中,所述第一处理器902,还用于存储第三密钥和/或对应的第三标识。In one embodiment, the first processor 902 is also configured to store the third key and/or the corresponding third identification.
在一实施例中,第一设备发送的消息中携带时间戳。In one embodiment, the message sent by the first device carries a timestamp.
需要说明的是:第一处理器902和第一通信接口901的具体处理过程可参照上述方法理解。It should be noted that the specific processing procedures of the first processor 902 and the first communication interface 901 can be understood with reference to the above method.
当然,实际应用时,第一设备900中的各个组件通过总线系统904耦合在一起。可理解,总线系统904用于实现这些组件之间的连接通信。总线系统904除包括数据总线之外,还包括电源总线、控制总线和状态信号总线。但是为了清楚说明起见,在图9中将各种总线都标为总线系统904。Of course, in actual application, various components in the first device 900 are coupled together through the bus system 904 . It can be understood that the bus system 904 is used to implement connection communication between these components. In addition to the data bus, the bus system 904 also includes a power bus, a control bus and a status signal bus. However, for the sake of clarity, various buses are labeled as bus system 904 in FIG. 9 .
本公开实施例中的第一存储器903用于存储各种类型的数据以支持第一设备900的操作。这些数据的示例包括:用于在第一设备900上操作的任何计算机程序。The first memory 903 in the embodiment of the present disclosure is used to store various types of data to support the operation of the first device 900 . Examples of such data include any computer program for operating on the first device 900 .
上述本公开实施例揭示的方法可以应用于所述第一处理器902中,或者由所述第一处理器902实现。所述第一处理器902可能是一种集成电路芯片,具有信号的处理能力。在实现过程中,上述方法的各步骤可以通过所述第一处理器902中的硬件的集成逻辑电路或者软件形式的指令完成。上述的所述第一处理器902可以是通用处理器、数字信号处理器(Digital Signal Processor,DSP),或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。所述第一处理器902可以实现或者执行本公开实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本公开实施例所公开的方法的步骤,可以直接体现为硬件译码处理器执行完成,或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于存储介质中,该存储介质位于第一存储器903,所述第一处理器902读取第一存储器903中的信息,结合其硬件完成前述方法的步骤。The methods disclosed in the above embodiments of the present disclosure may be applied to the first processor 902 or implemented by the first processor 902 . The first processor 902 may be an integrated circuit chip with signal processing capabilities. During the implementation process, each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the first processor 902 . The above-mentioned first processor 902 may be a general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The first processor 902 can implement or execute the disclosed methods, steps and logical block diagrams in the embodiments of the present disclosure. A general-purpose processor may be a microprocessor or any conventional processor, etc. The steps of the method disclosed in conjunction with the embodiments of the present disclosure can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, and the storage medium is located in the first memory 903. The first processor 902 reads the information in the first memory 903, and completes the steps of the foregoing method in combination with its hardware.
在示例性实施例中,第一设备900可以被一个或多个应用专用集成电路(Application Specific Integrated Circuit,ASIC)、DSP、可编程逻辑器件 (Programmable Logic Device,PLD)、复杂可编程逻辑器件(Complex Programmable Logic Device,CPLD)、现场可编程门阵列(Field-Programmable Gate Array,FPGA)、通用处理器、控制器、微控制器(Micro Controller Unit,MCU)、微处理器(Microprocessor)、或者其他电子元件实现,用于执行前述方法。In an exemplary embodiment, the first device 900 may be one or more application specific integrated circuits (Application Specific Integrated Circuits, ASICs), DSPs, programmable logic devices (Programmable Logic Device, PLD), Complex Programmable Logic Device (CPLD), Field-Programmable Gate Array (FPGA), general-purpose processor, controller, microcontroller (Micro Controller) Unit (MCU), microprocessor (Microprocessor), or other electronic components for executing the aforementioned method.
基于上述程序模块的硬件实现,且为了实现本公开实施例第二设备侧的方法,本公开实施例还提供了一种第二设备,如图10所示,该第二设备1000包括:Based on the hardware implementation of the above program module, and in order to implement the method on the second device side of the embodiment of the disclosure, the embodiment of the disclosure also provides a second device. As shown in Figure 10, the second device 1000 includes:
第二通信接口1001,能够与其他网络节点进行信息交互;The second communication interface 1001 is capable of information exchange with other network nodes;
第二处理器1002,与所述第二通信接口1001连接,以实现与其他网络节点进行信息交互,用于运行计算机程序时,执行上述第二设备侧一个或多个技术方案提供的方法。而所述计算机程序存储在第二存储器1003上。The second processor 1002 is connected to the second communication interface 1001 to implement information interaction with other network nodes, and is used to execute the method provided by one or more technical solutions on the second device side when running a computer program. The computer program is stored on the second memory 1003 .
具体地,所述第二通信接口1001,用于向第一设备发送的第一消息;以及接收第一设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。Specifically, the second communication interface 1001 is used to send a first message to a first device; and to receive at least one of the first key, the second key and the third key sent by the first device. .
其中,在一实施例中,第一密钥用于第一设备与第二设备之间的安全通信,或用于第二设备的本地信息的安全存储。In one embodiment, the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
在一实施例中,所述第二通信接口1001用于接收第一设备发送的、利用第四密钥进行安全保护后的第一密钥;其中,第四密钥为第一设备与第二设备的共享密钥;In one embodiment, the second communication interface 1001 is used to receive a first key sent by a first device and protected by a fourth key; wherein the fourth key is a combination of the first device and the second key. The device’s shared secret key;
所述第二处理器1002,用于利用第四密钥对安全保护后的第一密钥进行解密。The second processor 1002 is configured to use the fourth key to decrypt the securely protected first key.
在一实施例中,所述第二通信接口1001,用于接收第一密钥和/或对应的第一标识;In one embodiment, the second communication interface 1001 is used to receive the first key and/or the corresponding first identification;
所述第二处理器1002,用于存储第一密钥和/或对应的第一标识。The second processor 1002 is used to store the first key and/or the corresponding first identification.
在一实施例中,第二密钥用于第一设备与第三设备之间进行安全通信,或用于第三设备的本地信息的安全存储。 In one embodiment, the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
在一实施例中,所述第二通信接口1001,用于接收第一设备发送的、利用第五密钥进行安全保护后的第二密钥;其中,第五密钥为第一设备与第三设备的共享密钥;将利用第五密钥进行安全保护后的第二密钥发送给第三设备。In one embodiment, the second communication interface 1001 is used to receive a second key sent by the first device and protected by using a fifth key; wherein the fifth key is a link between the first device and the third key. The shared key of the three devices; the second key protected by the fifth key is sent to the third device.
在一实施例中,所述第二通信接口1001,还用于将第二密钥和/或对应的第二标识发送给第三设备。In one embodiment, the second communication interface 1001 is also used to send the second key and/or the corresponding second identification to the third device.
在一实施例中,第三密钥用于第二设备与第三设备之间进行安全通信。In one embodiment, the third key is used for secure communication between the second device and the third device.
在一实施例中,所述第二通信接口1001,用于接收第一设备发送的、利用第四密钥和第五密钥分别进行安全保护后的第三密钥;In one embodiment, the second communication interface 1001 is used to receive the third key sent by the first device and protected by using the fourth key and the fifth key respectively;
第二处理器1002,还用于利用第四密钥对经第四密钥保护后的第三密钥进行解密;The second processor 1002 is also configured to use the fourth key to decrypt the third key protected by the fourth key;
所述第二通信接口1001,用于将经第五密钥保护后的第三密钥发送给第三设备;其中,The second communication interface 1001 is used to send the third key protected by the fifth key to the third device; wherein,
第四密钥为第一设备与第二设备的共享密钥,第五密钥为第一设备与第三设备的共享密钥。The fourth key is a shared key between the first device and the second device, and the fifth key is a shared key between the first device and the third device.
在一实施例中,所述第二通信接口1001,用于接收并存储第三密钥和/或对应的第三标识。In one embodiment, the second communication interface 1001 is used to receive and store the third key and/or the corresponding third identification.
在一实施例中,第二设备发送的消息中携带时间戳。In one embodiment, the message sent by the second device carries a timestamp.
需要说明的是:第二处理器1002和第二通信接口1001的具体处理过程可参照上述方法理解。It should be noted that the specific processing procedures of the second processor 1002 and the second communication interface 1001 can be understood with reference to the above method.
当然,实际应用时,第二设备1000中的各个组件通过总线系统1004耦合在一起。可理解,总线系统1004用于实现这些组件之间的连接通信。总线系统1004除包括数据总线之外,还包括电源总线、控制总线和状态信号总线。但是为了清楚说明起见,在图10中将各种总线都标为总线系统1004。Of course, in actual application, various components in the second device 1000 are coupled together through the bus system 1004. It can be understood that the bus system 1004 is used to implement connection communication between these components. In addition to the data bus, the bus system 1004 also includes a power bus, a control bus and a status signal bus. However, for the sake of clarity, various buses are labeled as bus system 1004 in FIG. 10 .
本公开实施例中的第二存储器1003用于存储各种类型的数据以支持第二设备1000操作。这些数据的示例包括:用于在第二设备1000上操作的任 何计算机程序。The second memory 1003 in the embodiment of the present disclosure is used to store various types of data to support the operation of the second device 1000. Examples of such data include: any data used to operate on the second device 1000 any computer program.
上述本公开实施例揭示的方法可以应用于所述第二处理器1002中,或者由所述第二处理器1002实现。所述第二处理器1002可能是一种集成电路芯片,具有信号的处理能力。在实现过程中,上述方法的各步骤可以通过所述第二处理器1002中的硬件的集成逻辑电路或者软件形式的指令完成。上述的所述第二处理器1002可以是通用处理器、DSP,或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。所述第二处理器1002可以实现或者执行本公开实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本公开实施例所公开的方法的步骤,可以直接体现为硬件译码处理器执行完成,或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于存储介质中,该存储介质位于第二存储器1003,所述第二处理器1002读取第二存储器1003中的信息,结合其硬件完成前述方法的步骤。The methods disclosed in the above embodiments of the present disclosure can be applied to the second processor 1002 or implemented by the second processor 1002 . The second processor 1002 may be an integrated circuit chip with signal processing capabilities. During the implementation process, each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the second processor 1002 . The above-mentioned second processor 1002 may be a general-purpose processor, a DSP, or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The second processor 1002 can implement or execute the disclosed methods, steps and logical block diagrams in the embodiments of the present disclosure. A general-purpose processor may be a microprocessor or any conventional processor, etc. The steps of the method disclosed in conjunction with the embodiments of the present disclosure can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, and the storage medium is located in the second memory 1003. The second processor 1002 reads the information in the second memory 1003, and completes the steps of the foregoing method in combination with its hardware.
在示例性实施例中,第二设备1000可以被一个或多个ASIC、DSP、PLD、CPLD、FPGA、通用处理器、控制器、MCU、Microprocessor、或其他电子元件实现,用于执行前述方法。In an exemplary embodiment, the second device 1000 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general processors, controllers, MCUs, Microprocessors, or other electronic components for performing the foregoing method.
基于上述程序模块的硬件实现,且为了实现本公开实施例第三设备侧的方法,本公开实施例还提供了一种第三设备,如图11所示,该第三设备1100包括:Based on the hardware implementation of the above program module, and in order to implement the method on the third device side of the embodiment of the disclosure, the embodiment of the disclosure also provides a third device. As shown in Figure 11, the third device 1100 includes:
第三通信接口1101,能够与其他网络节点进行信息交互;The third communication interface 1101 is capable of information exchange with other network nodes;
第三处理器1102,与所述第三通信接口1101连接,以实现与其他网络节点进行信息交互,用于运行计算机程序时,执行上述第三设备侧一个或多个技术方案提供的方法。而所述计算机程序存储在第三存储器1103上。The third processor 1102 is connected to the third communication interface 1101 to implement information interaction with other network nodes, and is used to execute the method provided by one or more technical solutions on the third device side when running a computer program. The computer program is stored on the third memory 1103 .
具体地,所述第三通信接口1101,用于接收第一设备和/或第二设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。Specifically, the third communication interface 1101 is used to receive at least one of the first key, the second key and the third key sent by the first device and/or the second device.
其中,在一实施例中,第二密钥用于第一设备与第三设备之间进行安全 通信,或用于第三设备的本地信息的安全存储。In one embodiment, the second key is used for security between the first device and the third device. communications, or secure storage of local information for third devices.
在一实施例中,第三通信接口1101,用于接接收第一设备和/或第二设备发送的、利用第五密钥进行安全保护后的第二密钥;其中,In one embodiment, the third communication interface 1101 is used to receive the second key sent by the first device and/or the second device and protected by using the fifth key; wherein,
第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
在一实施例中,第三通信接口1101,用于接收并存储第二密钥和/或对应的第二标识。In one embodiment, the third communication interface 1101 is used to receive and store the second key and/or the corresponding second identification.
在一实施例中,第三密钥用于第二设备与第三设备之间进行安全通信。In one embodiment, the third key is used for secure communication between the second device and the third device.
在一实施例中,第三通信接口1101,用于接收第二设备发送的、经第五密钥安全保护的第三密钥;In one embodiment, the third communication interface 1101 is used to receive the third key sent by the second device and protected by the fifth key security;
第三处理器1102,用于利用第五密钥对经第五密钥安全保护的第三密钥进行解密;其中,The third processor 1102 is configured to use the fifth key to decrypt the third key securely protected by the fifth key; wherein,
所述第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
在一实施例中,第三通信接口1101,用于接收第一设备发送的、经第五密钥安全保护的第三密钥;In one embodiment, the third communication interface 1101 is used to receive the third key sent by the first device and protected by the fifth key;
第三处理器1102,用于利用第五密钥对经第五密钥安全保护的第三密钥进行解密;其中,The third processor 1102 is configured to use the fifth key to decrypt the third key securely protected by the fifth key; wherein,
所述第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
在一实施例中,第三通信接口1101,用于接收第三密钥和/或对应的第三标识;In one embodiment, the third communication interface 1101 is used to receive the third key and/or the corresponding third identification;
第三处理器1102,用于存储第三密钥和/或对应的第三标识。The third processor 1102 is used to store the third key and/or the corresponding third identification.
在一实施例中,第三通信接口1101,还用于向第一设备发送第二消息;其中,In one embodiment, the third communication interface 1101 is also used to send the second message to the first device; wherein,
所述第二消息用于返回密钥接收的结果。The second message is used to return the result of key reception.
在一实施例中,第三设备发送的消息中携带时间戳。In one embodiment, the message sent by the third device carries a timestamp.
当然,实际应用时,第三设备1100中的各个组件通过总线系统1104耦合在一起。可理解,总线系统1104用于实现这些组件之间的连接通信。总线 系统1104除包括数据总线之外,还包括电源总线、控制总线和状态信号总线。但是为了清楚说明起见,在图11中将各种总线都标为总线系统1104。Of course, in actual application, various components in the third device 1100 are coupled together through the bus system 1104 . It can be understood that the bus system 1104 is used to implement connection communication between these components. bus System 1104 includes a power bus, a control bus, and a status signal bus in addition to a data bus. However, for the sake of clarity, the various buses are labeled bus system 1104 in FIG. 11 .
本公开实施例中的第三存储器1103用于存储各种类型的数据以支持第三设备1100操作。这些数据的示例包括:用于在第三设备1100上操作的任何计算机程序。The third memory 1103 in the embodiment of the present disclosure is used to store various types of data to support the operation of the third device 1100. Examples of such data include: any computer program for operating on the third device 1100 .
上述本公开实施例揭示的方法可以应用于所述第三处理器1102中,或者由所述第三处理器1102实现。所述第三处理器1102可能是一种集成电路芯片,具有信号的处理能力。在实现过程中,上述方法的各步骤可以通过所述第三处理器1102中的硬件的集成逻辑电路或者软件形式的指令完成。上述的所述第三处理器1102可以是通用处理器、DSP,或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。所述第三处理器1102可以实现或者执行本公开实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本公开实施例所公开的方法的步骤,可以直接体现为硬件译码处理器执行完成,或者用译码处理器中的硬件及软件模块组合执行完成。软件模块可以位于存储介质中,该存储介质位于第三存储器1103,所述第三处理器1102读取第三存储器1103中的信息,结合其硬件完成前述方法的步骤。The methods disclosed in the above embodiments of the present disclosure can be applied to the third processor 1102 or implemented by the third processor 1102 . The third processor 1102 may be an integrated circuit chip with signal processing capabilities. During the implementation process, each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the third processor 1102 . The above-mentioned third processor 1102 may be a general-purpose processor, a DSP, or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The third processor 1102 can implement or execute the disclosed methods, steps and logical block diagrams in the embodiments of the present disclosure. A general-purpose processor may be a microprocessor or any conventional processor, etc. The steps of the method disclosed in conjunction with the embodiments of the present disclosure can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, and the storage medium is located in the third memory 1103. The third processor 1102 reads the information in the third memory 1103, and completes the steps of the foregoing method in combination with its hardware.
在示例性实施例中,第三设备1100可以被一个或多个ASIC、DSP、PLD、CPLD、FPGA、通用处理器、控制器、MCU、Microprocessor、或其他电子元件实现,用于执行前述方法。In an exemplary embodiment, the third device 1100 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general processors, controllers, MCUs, Microprocessors, or other electronic components for performing the foregoing method.
可以理解,本公开实施例的存储器(第一存储器903、第二存储器1003、第三存储器1103)可以是易失性存储器或者非易失性存储器,也可包括易失性和非易失性存储器两者。其中,非易失性存储器可以是只读存储器(Read Only Memory,ROM)、可编程只读存储器(Programmable Read-Only Memory,PROM)、可擦除可编程只读存储器(Erasable Programmable Read-Only Memory,EPROM)、电可擦除可编程只读存储器(Electrically Erasable  Programmable Read-Only Memory,EEPROM)、磁性随机存取存储器(ferromagnetic random access memory,FRAM)、快闪存储器(Flash Memory)、磁表面存储器、光盘、或只读光盘(Compact Disc Read-Only Memory,CD-ROM);磁表面存储器可以是磁盘存储器或磁带存储器。易失性存储器可以是随机存取存储器(Random Access Memory,RAM),其用作外部高速缓存。通过示例性但不是限制性说明,许多形式的RAM可用,例如静态随机存取存储器(Static Random Access Memory,SRAM)、同步静态随机存取存储器(Synchronous Static Random Access Memory,SSRAM)、动态随机存取存储器(Dynamic Random Access Memory,DRAM)、同步动态随机存取存储器(Synchronous Dynamic Random Access Memory,SDRAM)、双倍数据速率同步动态随机存取存储器(Double Data Rate Synchronous Dynamic Random Access Memory,DDRSDRAM)、增强型同步动态随机存取存储器(Enhanced Synchronous Dynamic Random Access Memory,ESDRAM)、同步连接动态随机存取存储器(SyncLink Dynamic Random Access Memory,SLDRAM)、直接内存总线随机存取存储器(Direct Rambus Random Access Memory,DRRAM)。本公开实施例描述的存储器旨在包括但不限于这些和任意其它适合类型的存储器。It can be understood that the memory (first memory 903, second memory 1003, third memory 1103) in the embodiment of the present disclosure can be a volatile memory or a non-volatile memory, and can also include volatile and non-volatile memories. Both. Among them, the non-volatile memory can be read-only memory (Read Only Memory, ROM), programmable read-only memory (Programmable Read-Only Memory, PROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory). , EPROM), electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory (EEPROM), ferromagnetic random access memory (FRAM), Flash Memory, magnetic surface memory, optical disk, or Compact Disc Read-Only Memory (CD) -ROM); magnetic surface memory can be disk memory or tape memory. The volatile memory may be random access memory (RAM), which is used as an external cache. By way of illustration, but not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory Memory (Dynamic Random Access Memory, DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), Direct Rambus Random Access Memory (DRRAM) ). Memories described in embodiments of the present disclosure are intended to include, but are not limited to, these and any other suitable types of memory.
在示例性实施例中,本公开实施例还提供了一种存储介质,即计算机存储介质,具体为计算机可读存储介质,例如包括存储计算机程序的第一存储器903,上述计算机程序可由第一设备900的第一处理器902执行,以完成前述第一设备侧方法所述步骤。再比如包括存储计算机程序的第二存储器1003,上述计算机程序可由第二设备1000的第二处理器1002执行,以完成前述第二设备侧方法所述步骤。再比如包括存储计算机程序的第三存储器1103,上述计算机程序可由第三设备1100的第三处理器1102执行,以完成前述第三设备侧方法所述步骤。计算机可读存储介质可以是FRAM、ROM、PROM、EPROM、EEPROM、Flash Memory、磁表面存储器、光盘、或CD-ROM 等存储器。In an exemplary embodiment, the embodiment of the present disclosure also provides a storage medium, that is, a computer storage medium, specifically a computer-readable storage medium, such as a first memory 903 that stores a computer program. The computer program can be stored in a first device. The first processor 902 of 900 executes to complete the steps described in the foregoing first device-side method. Another example includes a second memory 1003 that stores a computer program. The computer program can be executed by the second processor 1002 of the second device 1000 to complete the steps described in the second device-side method. Another example includes a third memory 1103 that stores a computer program. The computer program can be executed by the third processor 1102 of the third device 1100 to complete the steps described in the third device-side method. The computer-readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disk, or CD-ROM etc. memory.
需要说明的是:“第一”、“第二”等是用于区别类似的对象,而不必用于描述特定的顺序或先后次序。It should be noted that "first", "second", etc. are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.
本文中术语“和/或”,仅仅是一种描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。另外,本文中术语“至少一种”表示多个中的任意一种或多种中的至少两种的任意组合,例如,包括A、B、C中的至少一种,可以表示包括从A、B和C构成的集合中选择的任意一个或多个元素。The term "and/or" in this article is just an association relationship that describes related objects, indicating that three relationships can exist. For example, A and/or B can mean: A exists alone, A and B exist simultaneously, and they exist alone. B these three situations. In addition, the term "at least one" in this article means any one of a plurality or any combination of at least two of a plurality, for example, including at least one of A, B, and C, which can mean including from A, Any one or more elements selected from the set composed of B and C.
另外,本公开实施例所记载的技术方案之间,在不冲突的情况下,可以任意组合。In addition, the technical solutions described in the embodiments of the present disclosure may be combined arbitrarily as long as there is no conflict.
以上所述,仅为本公开的较佳实施例而已,并非用于限定本公开的保护范围。 The above descriptions are only preferred embodiments of the present disclosure and are not intended to limit the scope of the present disclosure.

Claims (49)

  1. 一种密钥管理方法,应用于第一设备,所述方法包括:A key management method, applied to a first device, the method includes:
    接收第二设备发送的第一消息;receiving the first message sent by the second device;
    执行与第一消息相关的操作,并获得以下中的至少一种:第一密钥、第二密钥以及第三密钥;Perform an operation related to the first message, and obtain at least one of the following: a first key, a second key, and a third key;
    将第一密钥、第二密钥以及第三密钥中的至少一个发送给第二设备。At least one of the first key, the second key, and the third key is sent to the second device.
  2. 根据权利要求1所述的方法,其中,第一密钥用于第一设备与第二设备之间的安全通信,或用于第二设备的本地信息的安全存储。The method of claim 1, wherein the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
  3. 根据权利要求1所述的方法,其中,将第一密钥发送给第二设备,包括:The method of claim 1, wherein sending the first key to the second device includes:
    将利用第四密钥进行安全保护后的第一密钥发送给第二设备;其中,Send the first key that is securely protected using the fourth key to the second device; wherein,
    第四密钥为第一设备与第二设备的共享密钥。The fourth key is a shared key between the first device and the second device.
  4. 根据权利要求1所述的方法,其中,获得第一密钥,包括:The method of claim 1, wherein obtaining the first key includes:
    获得第一密钥及对应的第一标识;Obtain the first key and the corresponding first identifier;
    将第一密钥发送给第二设备,包括:Send the first key to the second device, including:
    将第一密钥和/或对应的第一标识发送给第二设备。Send the first key and/or the corresponding first identification to the second device.
  5. 根据权利要求1或4所述的方法,所述方法还包括:The method according to claim 1 or 4, further comprising:
    存储第一密钥和/或对应的第一标识。Store the first key and/or the corresponding first identification.
  6. 根据权利要求1所述的方法,其中,第二密钥用于第一设备与第三设备之间进行安全通信,或用于第三设备的本地信息的安全存储。The method of claim 1, wherein the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  7. 根据权利要求6所述的方法,其中,将第二密钥发送给第二设备,包括:The method of claim 6, wherein sending the second key to the second device includes:
    将利用第五密钥进行安全保护后的第二密钥发送给第二设备;其中,Send the second key that is securely protected using the fifth key to the second device; wherein,
    第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
  8. 根据权利要求6所述的方法,所述方法还包括: The method of claim 6, further comprising:
    向第三设备发送第二密钥。Send the second key to the third device.
  9. 根据权利要求8所述的方法,其中,所述向第三设备发送第二密钥,包括:The method according to claim 8, wherein sending the second key to the third device includes:
    将利用第五密钥进行安全保护后的第二密钥发送给第三设备;其中,Send the second key protected by the fifth key to the third device; wherein,
    第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
  10. 根据权利要求6-9任一项所述的方法,其中,获得第二密钥,包括:The method according to any one of claims 6-9, wherein obtaining the second key includes:
    获得第二密钥及对应的第二标识;Obtain the second key and the corresponding second identification;
    将第二密钥发送给第二设备和/或第三设备,包括:Send the second key to the second device and/or the third device, including:
    将第二密钥和/或对应的第二标识发送给第二设备和/或第三设备。Send the second key and/or the corresponding second identification to the second device and/or the third device.
  11. 根据权利要求6或10所述的方法,所述方法还包括:The method according to claim 6 or 10, further comprising:
    存储第二密钥和/或对应的第二标识。Store the second key and/or the corresponding second identification.
  12. 根据权利要求1所述的方法,其中,第三密钥用于第二设备与第三设备之间进行安全通信。The method of claim 1, wherein the third key is used for secure communication between the second device and the third device.
  13. 根据权利要求12所述的方法,其中,将第三密钥发送给第二设备,包括:The method of claim 12, wherein sending the third key to the second device includes:
    将利用第四密钥和第五密钥分别进行安全保护后的第三密钥发送给第二设备;其中,Send the third key that is securely protected using the fourth key and the fifth key to the second device; wherein,
    第四密钥为第一设备与第二设备的共享密钥,第五密钥为第一设备与第三设备的共享密钥。The fourth key is a shared key between the first device and the second device, and the fifth key is a shared key between the first device and the third device.
  14. 根据权利要求12所述的方法,所述方法还包括:The method of claim 12, further comprising:
    向第三设备发送第三密钥。Send the third key to the third device.
  15. 根据权利要求14所述的方法,其中,所述向第三设备发送第三密钥,包括:The method of claim 14, wherein sending the third key to the third device includes:
    将利用第五密钥进行安全保护后的第三密钥发送给第三设备;其中,Send the third key that is securely protected using the fifth key to the third device; wherein,
    第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
  16. 根据权利要求12-15任一项所述的方法,其中,获得第三密钥,包 括:The method according to any one of claims 12-15, wherein the third key is obtained, including include:
    获得第三密钥及对应的第三标识;Obtain the third key and the corresponding third identification;
    将第三密钥发送给第二设备和/或第三设备,包括:Send the third key to the second device and/or the third device, including:
    将第三密钥和/或对应的第三标识发送给第二设备和/或第三设备。Send the third key and/or the corresponding third identification to the second device and/or the third device.
  17. 根据权利要求12或16所述的方法,所述方法还包括:The method according to claim 12 or 16, further comprising:
    存储第三密钥和/或对应的第三标识。Store the third key and/or the corresponding third identification.
  18. 根据权利要求1至17任一项所述的方法,其中,第一设备发送的消息中携带时间戳。The method according to any one of claims 1 to 17, wherein the message sent by the first device carries a timestamp.
  19. 一种密钥管理方法,应用于第二设备,所述方法包括:A key management method, applied to a second device, the method includes:
    向第一设备发送的第一消息;a first message sent to the first device;
    接收第一设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。Receive at least one of the first key, the second key and the third key sent by the first device.
  20. 根据权利要求19所述的方法,其中,第一密钥用于第一设备与第二设备之间的安全通信,或用于第二设备的本地信息的安全存储。The method of claim 19, wherein the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
  21. 根据权利要求19或20所述的方法,其中,接收第一设备发送的第一密钥,包括:The method according to claim 19 or 20, wherein receiving the first key sent by the first device includes:
    接收第一设备发送的、利用第四密钥进行安全保护后的第一密钥;其中,第四密钥为第一设备与第二设备的共享密钥;Receive the first key sent by the first device and protected by the fourth key; wherein the fourth key is the shared key between the first device and the second device;
    利用第四密钥对安全保护后的第一密钥进行解密。The fourth key is used to decrypt the securely protected first key.
  22. 根据权利要求19所述的方法,其中,接收第一设备发送的第一密钥,包括:The method of claim 19, wherein receiving the first key sent by the first device includes:
    接收并存储第一密钥和/或对应的第一标识。Receive and store the first key and/or the corresponding first identification.
  23. 根据权利要求19所述的方法,其中,第二密钥用于第一设备与第三设备之间进行安全通信,或用于第三设备的本地信息的安全存储。The method of claim 19, wherein the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  24. 根据权利要求23所述的方法,其中,接收第一设备发送的第二密钥,包括: The method of claim 23, wherein receiving the second key sent by the first device includes:
    接收第一设备发送的、利用第五密钥进行安全保护后的第二密钥;其中,第五密钥为第一设备与第三设备的共享密钥;Receive the second key sent by the first device and protected by using the fifth key; wherein the fifth key is the shared key between the first device and the third device;
    将利用第五密钥进行安全保护后的第二密钥发送给第三设备。The second key that is securely protected using the fifth key is sent to the third device.
  25. 根据权利要求23或24所述的方法,所述方法还包括:The method according to claim 23 or 24, further comprising:
    将第二密钥和/或对应的第二标识发送给第三设备。Send the second key and/or the corresponding second identification to the third device.
  26. 根据权利要求19所述的方法,其中,第三密钥用于第二设备与第三设备之间进行安全通信。The method of claim 19, wherein the third key is used for secure communication between the second device and the third device.
  27. 根据权利要求26所述的方法,其中,接收第一设备发送的第三密钥,包括:The method of claim 26, wherein receiving the third key sent by the first device includes:
    接收第一设备发送的、利用第四密钥和第五密钥分别进行安全保护后的第三密钥;Receive the third key sent by the first device and protected by using the fourth key and the fifth key respectively;
    利用第四密钥对经第四密钥保护后的第三密钥进行解密;Using the fourth key to decrypt the third key protected by the fourth key;
    将经第五密钥保护后的第三密钥发送给第三设备;其中,Send the third key protected by the fifth key to the third device; wherein,
    第四密钥为第一设备与第二设备的共享密钥,第五密钥为第一设备与第三设备的共享密钥。The fourth key is a shared key between the first device and the second device, and the fifth key is a shared key between the first device and the third device.
  28. 根据权利要求26或27所述的方法,其中,接收第一设备发送的第三密钥,包括:The method according to claim 26 or 27, wherein receiving the third key sent by the first device includes:
    接收并存储第三密钥和/或对应的第三标识。Receive and store the third key and/or the corresponding third identification.
  29. 根据权利要求19至28任一项所述的方法,其中,第二设备发送的消息中携带时间戳。The method according to any one of claims 19 to 28, wherein the message sent by the second device carries a timestamp.
  30. 一种密钥管理方法,应用于第三设备,所述方法包括:A key management method, applied to a third device, the method includes:
    接收第一设备和/或第二设备发送的第二密钥以及第三密钥中的至少一个密钥。Receive at least one of the second key and the third key sent by the first device and/or the second device.
  31. 根据权利要求30所述的方法,其中,第二密钥用于第一设备与第三设备之间进行安全通信,或用于第三设备的本地信息的安全存储。The method of claim 30, wherein the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  32. 根据权利要求30或31所述的方法,其中,接收第一设备和/或第二 设备发送的第二密钥,包括:The method according to claim 30 or 31, wherein receiving the first device and/or the second The second key sent by the device, including:
    接收第一设备和/或第二设备发送的、利用第五密钥进行安全保护后的第二密钥;其中,Receive the second key sent by the first device and/or the second device and protected by using the fifth key; wherein,
    第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
  33. 根据权利要求30-32任一项所述的方法,其中,接收第二密钥,包括:The method according to any one of claims 30-32, wherein receiving the second key includes:
    接收并存储第二密钥和/或对应的第二标识。Receive and store the second key and/or the corresponding second identification.
  34. 根据权利要求30所述的方法,其中,第三密钥用于第二设备与第三设备之间进行安全通信。The method of claim 30, wherein the third key is used for secure communication between the second device and the third device.
  35. 根据权利要求34所述的方法,其中,接收第二设备发送的第三密钥,包括:The method of claim 34, wherein receiving the third key sent by the second device includes:
    接收第二设备发送的、经第五密钥安全保护的第三密钥;Receive the third key sent by the second device and securely protected by the fifth key;
    利用第五密钥对经第五密钥安全保护的第三密钥进行解密;其中,Use the fifth key to decrypt the third key securely protected by the fifth key; wherein,
    所述第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
  36. 根据权利要求30所述的方法,其中,接收第一设备发送的第三密钥,包括:The method of claim 30, wherein receiving the third key sent by the first device includes:
    接收第一设备发送的、经第五密钥安全保护的第三密钥;Receive the third key sent by the first device and securely protected by the fifth key;
    利用第五密钥对经第五密钥安全保护的第三密钥进行解密;其中,Use the fifth key to decrypt the third key securely protected by the fifth key; wherein,
    所述第五密钥为第一设备与第三设备的共享密钥。The fifth key is a shared key between the first device and the third device.
  37. 根据权利要求30-36任一项所述的方法,其中,接收第一设备和/或第二设备发送的第三密钥,包括:The method according to any one of claims 30 to 36, wherein receiving the third key sent by the first device and/or the second device includes:
    接收并存储第三密钥和/或对应的第三标识。Receive and store the third key and/or the corresponding third identification.
  38. 根据权利要求30所述的方法,所述方法还包括:The method of claim 30, further comprising:
    向第一设备发送第二消息;其中,Send a second message to the first device; wherein,
    所述第二消息用于返回密钥接收的结果。The second message is used to return the result of key reception.
  39. 根据权利要求30-38任一所述的方法,其中,第三设备发送的消息 中携带时间戳。The method according to any one of claims 30-38, wherein the message sent by the third device carries the timestamp.
  40. 一种密钥管理装置,包括:A key management device, including:
    第一接收单元,用于接收第二设备发送的第一消息;A first receiving unit configured to receive the first message sent by the second device;
    执行单元,用于执行与第一消息相关的操作,并获得以下中的至少一种:第一密钥、第二密钥以及第三密钥;An execution unit, configured to perform operations related to the first message and obtain at least one of the following: a first key, a second key, and a third key;
    第一发送单元,用于将第一密钥、第二密钥以及第三密钥中的至少一个发送给第二设备。The first sending unit is used to send at least one of the first key, the second key and the third key to the second device.
  41. 一种密钥管理装置,包括:A key management device, including:
    第二发送单元,用于向第一设备发送的第一消息;The second sending unit is used to send the first message to the first device;
    第二接收单元,用于接收第一设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。The second receiving unit is configured to receive at least one of the first key, the second key and the third key sent by the first device.
  42. 一种密钥管理装置,包括:A key management device, including:
    第三接收单元,用于接收第一设备和/或第二设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。The third receiving unit is configured to receive at least one of the first key, the second key and the third key sent by the first device and/or the second device.
  43. 一种第一设备,包括:第一处理器及第一通信接口;其中,A first device including: a first processor and a first communication interface; wherein,
    所述第一通信接口,用于接收第二设备发送的第一消息;The first communication interface is used to receive the first message sent by the second device;
    所述第一处理器,用于执行与第一消息相关的操作,并获得以下中的至少一种:第一密钥、第二密钥以及第三密钥;The first processor is configured to perform operations related to the first message and obtain at least one of the following: a first key, a second key, and a third key;
    所述第一通信接口,还用于将第一密钥、第二密钥以及第三密钥中的至少一个发送给第二设备。The first communication interface is also used to send at least one of the first key, the second key and the third key to the second device.
  44. 一种第二设备,包括:第二处理器及第二通信接口;其中,A second device including: a second processor and a second communication interface; wherein,
    所述第二通信接口,用于向第一设备发送的第一消息;以及接收第一设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。The second communication interface is used to send a first message to the first device; and to receive at least one of the first key, the second key and the third key sent by the first device.
  45. 一种第三设备,包括:第三处理器及第三通信接口;其中,A third device including: a third processor and a third communication interface; wherein,
    所述第三通信接口,用于接收第一设备和/或第二设备发送的第一密钥、第二密钥以及第三密钥中的至少一个密钥。 The third communication interface is used to receive at least one of the first key, the second key and the third key sent by the first device and/or the second device.
  46. 一种第一设备,包括:第一处理器和用于存储能够在处理器上运行的计算机程序的第一存储器,A first device comprising: a first processor and a first memory for storing a computer program capable of running on the processor,
    其中,所述第一处理器用于运行所述计算机程序时,执行权利要求1至18任一项所述方法的步骤。Wherein, the first processor is configured to perform the steps of the method described in any one of claims 1 to 18 when running the computer program.
  47. 一种第二设备,包括:第二处理器和用于存储能够在处理器上运行的计算机程序的第二存储器,a second device comprising: a second processor and a second memory for storing a computer program capable of running on the processor,
    其中,所述第二处理器用于运行所述计算机程序时,执行权利要求19至29任一项所述方法的步骤。Wherein, the second processor is configured to perform the steps of the method described in any one of claims 19 to 29 when running the computer program.
  48. 一种第三设备,包括:第三处理器和用于存储能够在处理器上运行的计算机程序的第三存储器,A third device including: a third processor and a third memory for storing a computer program capable of running on the processor,
    其中,所述第三处理器用于运行所述计算机程序时,执行权利要求30至39任一项所述方法的步骤。Wherein, the third processor is configured to perform the steps of the method described in any one of claims 30 to 39 when running the computer program.
  49. 一种存储介质,其上存储有计算机程序,其中,所述计算机程序被处理器执行时实现权利要求1至18任一项所述方法的步骤,或者实现权利要求19至29任一项所述方法的步骤,或者实现权利要求30至39任一项所述方法的步骤。 A storage medium with a computer program stored thereon, wherein when the computer program is executed by a processor, the steps of the method described in any one of claims 1 to 18 are implemented, or the steps of any one of claims 19 to 29 are implemented. The steps of the method, or the steps of implementing the method of any one of claims 30 to 39.
PCT/CN2023/107243 2022-07-15 2023-07-13 Key management method and apparatus, and device and storage medium WO2024012529A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210837670.3A CN117439734A (en) 2022-07-15 2022-07-15 Key management method, device, equipment and storage medium
CN202210837670.3 2022-07-15

Publications (1)

Publication Number Publication Date
WO2024012529A1 true WO2024012529A1 (en) 2024-01-18

Family

ID=89535632

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/107243 WO2024012529A1 (en) 2022-07-15 2023-07-13 Key management method and apparatus, and device and storage medium

Country Status (2)

Country Link
CN (1) CN117439734A (en)
WO (1) WO2024012529A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3148152A1 (en) * 2015-09-22 2017-03-29 BAE Systems PLC Cryptographic key distribution
CN108847928A (en) * 2018-04-26 2018-11-20 如般量子科技有限公司 The communication system and communication means of the transmission of information encryption and decryption are realized based on group's type quantum key card
CN109787763A (en) * 2019-03-05 2019-05-21 山东鲁能软件技术有限公司 A kind of Mobile Authentication method, system, terminal and storage medium based on quantum key
CN112512038A (en) * 2020-11-19 2021-03-16 建信金融科技有限责任公司 Method and device for generating session key, electronic equipment and readable storage medium
CN114553418A (en) * 2022-03-24 2022-05-27 中国电信股份有限公司 Service method, device, system and terminal

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3148152A1 (en) * 2015-09-22 2017-03-29 BAE Systems PLC Cryptographic key distribution
CN108847928A (en) * 2018-04-26 2018-11-20 如般量子科技有限公司 The communication system and communication means of the transmission of information encryption and decryption are realized based on group's type quantum key card
CN109787763A (en) * 2019-03-05 2019-05-21 山东鲁能软件技术有限公司 A kind of Mobile Authentication method, system, terminal and storage medium based on quantum key
CN112512038A (en) * 2020-11-19 2021-03-16 建信金融科技有限责任公司 Method and device for generating session key, electronic equipment and readable storage medium
CN114553418A (en) * 2022-03-24 2022-05-27 中国电信股份有限公司 Service method, device, system and terminal

Also Published As

Publication number Publication date
CN117439734A (en) 2024-01-23

Similar Documents

Publication Publication Date Title
US11240218B2 (en) Key distribution and authentication method and system, and apparatus
US20190068591A1 (en) Key Distribution And Authentication Method And System, And Apparatus
EP1994715B1 (en) Sim based authentication
KR101516909B1 (en) Discovery of security associations for key management relying on public keys
KR100961087B1 (en) Context limited shared secret
US8837737B2 (en) Key management in a communication network
US20070086590A1 (en) Method and apparatus for establishing a security association
US8625787B2 (en) Hierarchical key management for secure communications in multimedia communication system
US8875236B2 (en) Security in communication networks
EP2767029B1 (en) Secure communication
JP2014514860A (en) How to find security associations
WO2020020007A1 (en) Network access method and device, terminal, base station, and readable storage medium
CN114338618A (en) Multi-party call method, system, conference server and electronic equipment
CN115473655B (en) Terminal authentication method, device and storage medium for access network
WO2024012529A1 (en) Key management method and apparatus, and device and storage medium
CN112906032B (en) File secure transmission method, system and medium based on CP-ABE and block chain
WO2021236078A1 (en) Simplified method for onboarding and authentication of identities for network access
WO2024041498A1 (en) Secret communication processing method, first terminal, and storage medium
GB2551358A (en) Low latency security
Hu et al. Identification Model of Power Network Information Based on Multi-dimensional Identity Authentication Technology
CN115102698A (en) Quantum encrypted digital signature method and system
CN116633612A (en) Cloud mobile phone login method and device, storage medium and electronic equipment
CN113556732A (en) Internet of things communication method, equipment, system and storage medium
Bian Off-the-record secure chat room via public IM services

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23839019

Country of ref document: EP

Kind code of ref document: A1