WO2024012529A1 - Key management method and apparatus, device and storage medium

Info

Publication number
WO2024012529A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
sent
quantum
message
send
Application number
PCT/CN2023/107243
Other languages
English (en)
Chinese (zh)
Inventor
田野
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团有限公司
Application filed by 中国移动通信有限公司研究院 and 中国移动通信集团有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068 Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys

Definitions

  • The present disclosure relates to the field of communication technology, and in particular to a key management method, apparatus, device and storage medium.
  • Keys are a commonly used technical means in the current communication field for protecting the security of transmitted content, and include symmetric keys, asymmetric keys, etc. Keys are time-sensitive and need to be updated constantly to ensure key freshness and communication security.
  • Current key update methods are relatively complicated, so how to update keys in a timely, effective and simple manner is an urgent problem to be solved.
  • embodiments of the present disclosure provide a key management method, device, equipment and storage medium.
  • the embodiment of the present disclosure provides a key management method, applied to the first device, including:
  • Perform an operation related to the first message and obtain at least one of the following: a first key, a second key, and a third key;
  • At least one of the first key, the second key, and the third key is sent to the second device.
  • the embodiment of the present disclosure also provides a key management method, applied to the second device, including:
  • Embodiments of the present disclosure also provide a key management method, applied to a third device, including:
  • An embodiment of the present disclosure also provides a key management device, including:
  • a first receiving unit configured to receive the first message sent by the second device
  • An execution unit configured to perform operations related to the first message and obtain at least one of the following: a first key, a second key, and a third key;
  • the first sending unit is used to send at least one of the first key, the second key and the third key to the second device.
  • An embodiment of the present disclosure also provides a key management device, including:
  • the second sending unit is used to send the first message to the first device
  • An embodiment of the present disclosure also provides a key management device, including:
  • the second receiving unit is configured to receive at least one of the first key, the second key and the third key sent by the first device and/or the second device.
  • An embodiment of the present disclosure also provides a first device, including: a first processor and a first communication interface; wherein,
  • the first communication interface is used to receive the first message sent by the second device
  • the first processor is configured to perform operations related to the first message and obtain at least one of the following: a first key, a second key, and a third key;
  • the first communication interface is also used to send at least one of the first key, the second key and the third key to the second device.
  • An embodiment of the present disclosure also provides a second device, including: a second processor and a second communication interface; wherein,
  • the second communication interface is used to send a first message to the first device; and to receive at least one of the first key, the second key and the third key sent by the first device.
  • Embodiments of the present disclosure also provide a third device, including: a third processor and a third communication interface; wherein,
  • the third communication interface is used to receive at least one of the first key, the second key and the third key sent by the first device and/or the second device.
  • An embodiment of the present disclosure also provides a first device, including: a first processor and a first memory for storing a computer program capable of running on the processor,
  • the first processor is configured to execute the steps of any method on the first device side when running the computer program.
  • An embodiment of the present disclosure also provides a second device, including: a second processor and a second memory for storing a computer program capable of running on the processor,
  • the second processor is configured to execute the steps of any method on the second device side when running the computer program.
  • Embodiments of the present disclosure also provide a third device, including: a third processor and a third memory for storing a computer program capable of running on the processor,
  • the third processor is configured to execute the steps of any method on the third device side when running the computer program.
  • Embodiments of the present disclosure also provide a storage medium on which a computer program is stored.
  • When the computer program is executed by a processor, the steps of any of the above methods on the first device side, any of the above methods on the second device side, or any of the above methods on the third device side are implemented.
  • the first device receives the first message sent by the second device; performs operations related to the first message, and obtains at least one of the following: The first key, the second key and the third key; sending at least one of the first key, the second key and the third key to the second device.
  • While performing the operation related to the first message, the first device also generates a key for the second device. This eliminates the need for the second device to increase the storage space of its secure medium, and new keys can be replenished promptly, ensuring in a low-cost and efficient manner that the second device is always provisioned with sufficient keys.
  • Figure 1 is a schematic flow chart of a key management method according to an embodiment of the present disclosure
  • Figure 2 is a schematic flow chart of another key management method according to an embodiment of the present disclosure.
  • Figure 3 is a schematic flow chart of a third key management method according to an embodiment of the present disclosure.
  • Figure 4 is a schematic diagram of the interaction flow of a key management method according to an application embodiment of the present disclosure
  • Figure 5 is a schematic diagram of the interaction flow of another key management method according to an application embodiment of the present disclosure.
  • Figure 6 is a schematic structural diagram of a key management device according to an embodiment of the present disclosure.
  • Figure 7 is a schematic structural diagram of another key management device according to an embodiment of the present disclosure.
  • Figure 8 is a schematic structural diagram of a third key management device according to an embodiment of the present disclosure.
  • Figure 9 is a schematic structural diagram of the first device according to an embodiment of the present disclosure.
  • Figure 10 is a schematic structural diagram of the second device according to an embodiment of the present disclosure.
  • Figure 11 is a schematic structural diagram of a third device according to an embodiment of the present disclosure.
  • each communication device stores a certain amount of keys for secure communication with the peer or for secure storage of local information. Since keys are time-sensitive and a certain amount of keys pre-stored by the device will be gradually consumed with use, keys need to be updated regularly or irregularly.
  • the key update method in the related art requires setting up an additional key update process, and the key update process itself also requires consuming pre-stored keys, thus increasing the cost of device key update and the overhead of information interaction.
  • Quantum key refers to a key generated by a quantum random number generator based on the basic principles of quantum mechanics, or a key obtained through a Quantum Key Distribution (QKD) network.
  • In a quantum secure communication system, the multiple devices participating in the communication need to obtain a consistent quantum key through negotiation. The key is used to encrypt and protect the data transmitted between users, preventing attackers from eavesdropping on, tampering with or replaying the information content, or carrying out other attacks that cause information leakage.
  • Terminal devices generally do not have the ability to generate quantum keys.
  • Quantum keys for communication are therefore generated by the quantum key management center and then distributed to terminal devices for use.
  • For example, the quantum key management center uses offline filling to place quantum symmetric keys into the secure medium and/or secure storage space of the terminal device.
  • The terminal can then use the preset quantum symmetric keys to securely access the quantum key management center and achieve secure communication. For example, device identity authentication, message encryption, integrity protection, source authentication, etc. are implemented based on the preset quantum symmetric keys.
  • The preset quantum symmetric key is one-time and is destroyed after use. Therefore, each secure communication consumes one preset quantum symmetric key, until the preset quantum symmetric keys on the terminal side are exhausted.
  • terminal equipment needs to be able to store a large number of quantum symmetric keys in advance.
  • the storage space of the local security medium of the terminal device is limited, and the number of quantum symmetric keys that can be accommodated in one filling is limited.
  • Expanding the storage space of the terminal device's secure medium to achieve large-scale storage of quantum symmetric keys would increase terminal costs by an order of magnitude. If the number of preset quantum symmetric keys on the terminal device is limited, users are forced to frequently visit a quantum key service site to refill the terminal's quantum symmetric keys offline, which degrades the user experience.
  • the first device receives the first message sent by the second device; performs operations related to the first message, and obtains at least one of the following: a first key, a second key and a third key; sending at least one of the first key, the second key, and the third key to the second device.
  • While performing the operation related to the first message, the first device generates a key for the second device, thereby eliminating the need for the second device to increase the storage space of its secure medium while replenishing new keys in a timely manner. This low-cost and efficient method ensures that the second device is always preset with sufficient keys.
  • An embodiment of the present disclosure provides a key management method, applied to a first device.
  • the method includes:
  • Step 101 Receive the first message sent by the second device.
  • the first device may be a key management center or a key manager (Key Manager, KM) of the QKD network.
  • the first device can be a unified security service platform, key management system or key management center, etc., used to provide unified key management services for a variety of different businesses; it can also be a key management device for a specific business.
  • For example, the first device can be a key management platform for a Voice over Long-Term Evolution (VoLTE) encrypted call service.
  • the first device may also be called a password security service center, password service center, security service center or security center, etc.
  • The embodiments of the present disclosure are applicable not only to scenarios where traditional networks and/or systems use ordinary keys, but also to scenarios where quantum keys are used. When an embodiment of the present disclosure is applied to a quantum key scenario, "key" can be further understood as "quantum key", "cryptographic security service center" as "quantum cryptographic security service center", "cryptographic service center" as "quantum cryptographic service center", "security service center" as "quantum security service center", "security center" as "quantum security center", and so on; this will not be repeated below.
  • the second device may be a terminal device or other devices.
  • For example, an encryption gateway, encryption router, encryption switch, etc. It can be a mobile device or a fixed device, a wired device or a wireless device.
  • The first message may be a request message during the communication interaction, such as a query request, access request, update request, deletion request, authentication request, service request, key request, etc.
  • The first message may also be a notification, response or reply message during the communication interaction. The above are only examples; the embodiments of the present disclosure do not limit the form of the first message.
  • Step 102 Perform an operation related to the first message, and obtain at least one of the following: a first key, a second key, and a third key.
  • Step 103 Send at least one of the first key, the second key and the third key to the second device.
  • The first device performing an operation related to the first message can be understood as follows. When the first message is a request message, the first device performs the operation corresponding to the request. For example, if the first message requests a query of information 1, the first device performs the query for information 1; if the first message requests access authentication, the first device authenticates the accessing terminal, either by authenticating it itself or by requesting another device to authenticate it. When the first message is a notification message, the first device performs the operation corresponding to the notification: for example, it stores the information content carried in the notification, or performs no operation, or sends a confirmation response about the notification to the peer device.
  • When the first message is a response or reply message, the first device performs the operation corresponding to that response. For example, the first device sends message 1 to the second device and the second device replies with a response about message 1; the first device then processes the response, for example by determining whether its content is correct, storing its information content, or performing no processing on it.
  • In step 102, the order of execution between "performing the operation related to the first message" and "obtaining at least one of the first key, the second key and the third key" is not limited, but it should be understood that after receiving the first message, the first device needs both to perform the operation related to the first message and to obtain the corresponding key.
  • The first key may be generated by the first device, or obtained by the first device from another device, or the first device may obtain an intermediate key or a random number from another device and process it to obtain the first key.
  • The first key can be a quantum key provided by the QKD network, a quantum random number or quantum key generated by a quantum random number generator, an ordinary key generated by a physical noise source, an ordinary key generated by a pseudo-random number generator, etc.
  • the first key may be a symmetric key or an asymmetric key.
  • When the first key is a symmetric key, in addition to sending the first key to the second device, the first device also needs to store the first key locally to achieve key sharing.
  • When the first key is an asymmetric key, the first key may be a public key and/or a private key.
  • the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
  • Secure communication between the first device and the second device can be understood as directly using the first key to securely protect the information exchanged between the first device and the second device, or directly using the first key for identity authentication between the first device and the second device; it can also be understood as using the first key to derive other keys, which are then used to securely protect the information exchanged between the first device and the second device, or for identity authentication between the first device and the second device.
  • security protection includes encryption and/or integrity protection, etc.
  • Secure storage of the local information of the second device can be understood as protecting the local information of the second device, for example by encryption and/or integrity protection, directly using the first key or other keys derived from the first key.
  • sending the first key to the second device includes:
  • The first key, securely protected by the fourth key, is sent to the second device.
  • The fourth key is a shared key between the first device and the second device, for example the key used for security protection of the first message.
  • obtaining the first key includes:
  • Send the first key to the second device including:
  • the method further includes:
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • Secure communication between the first device and the third device can be understood as directly using the second key to securely protect the information exchanged between the first device and the third device, or directly using the second key for identity authentication between the first device and the third device; it can also be understood as using the second key to derive other keys, which are then used to securely protect the information exchanged between the first device and the third device, or for mutual identity authentication between the first device and the third device.
  • security protection includes encryption and/or integrity protection, etc.
  • The second key can be a quantum key provided by the QKD network, a quantum random number or quantum key generated by a quantum random number generator, an ordinary key generated by a physical noise source, an ordinary key generated by a pseudo-random number generator, etc.
  • the second key may be a symmetric key or an asymmetric key.
  • When the second key is a symmetric key, in addition to sending the second key to the third device, the first device also needs to store the second key locally to achieve key sharing.
  • When the second key is an asymmetric key, the second key may be a public key and/or a private key.
  • the third device may be a terminal device or other devices.
  • For example, an encryption gateway, encryption router, encryption switch, etc. It can be a mobile device or a fixed device, a wired device or a wireless device.
  • Secure storage of the local information of the third device can be understood as protecting the local information of the third device, for example by encryption and/or integrity protection, directly using the second key or other keys derived from the second key.
  • sending the second key to the second device includes:
  • The second key, securely protected using the fifth key, is sent to the second device.
  • The fifth key is a shared key between the first device and the third device.
  • Because the fifth key is shared only by the first device and the third device, even if the second device obtains the protected second key, it cannot learn the second key: the second key is encrypted under the fifth key, which the second device does not possess. This ensures the security of the transmission of the second key.
  • the method further includes:
  • sending the second key to the third device includes:
  • the second key that is securely protected using the fifth key is sent to the third device.
  • the fifth key is a shared key between the first device and the third device.
  • obtaining the second key includes:
  • Send the second key to the second device and/or the third device including:
  • the method further includes:
  • the third key is used for secure communication between the second device and the third device.
  • Secure communication between the second device and the third device can be understood as directly using the third key to securely protect the information exchanged between the second device and the third device, or directly using the third key for identity authentication between the second device and the third device; it can also be understood as using the third key to derive other keys, which are then used to securely protect the information exchanged between the second device and the third device, or for mutual identity authentication between the second device and the third device.
  • security protection includes encryption and/or integrity protection, etc.
  • sending the third key to the second device includes:
  • The third key, securely protected using both the fourth key and the fifth key, is sent to the second device.
  • the fourth key is a shared key between the first device and the second device
  • the fifth key is a shared key between the first device and the third device.
  • The fourth key and the fifth key are both used to securely protect the third key: the fourth key is used to securely protect the third key to obtain first information, the fifth key is used to securely protect the third key to obtain second information, and both the first information and the second information are sent to the second device.
  • The second device can use the shared fourth key to decrypt the first information and obtain the third key. At the same time, the second device forwards the second information to the third device; after receiving the second information, the third device can decrypt it using the shared fifth key, thereby also obtaining the third key.
  • the method further includes:
  • sending the third key to the third device includes:
  • the third key that is securely protected by the fifth key is sent to the third device.
  • the fifth key is a shared key between the first device and the third device.
  • obtaining the third key includes:
  • Send the third key to the second device and/or the third device including:
  • The third key can be a quantum key provided by the QKD network, a quantum random number or quantum key generated by a quantum random number generator, an ordinary key generated by a physical noise source, an ordinary key generated by a pseudo-random number generator, etc.
  • the third key may be a symmetric key or an asymmetric key.
  • the method further includes:
  • the message sent by the first device carries a timestamp.
  • The timestamp carried in the message sent by the first device is used to prevent message replay attacks. In particular, carrying a timestamp in quantum key management related messages resists an attacker's replay attacks on quantum keys.
  • The messages sent by the first device include, but are not limited to, the messages the first device uses to send at least one of the first key, the second key and the third key to the second device and/or the third device.
  • the messages sent by the first device may include: all or part of the messages sent by the first device for interaction between the first device and the second device, the third device and/or other devices.
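The third-key delivery described above (first information under the fourth key, second information under the fifth key, both sent to the second device, which opens the first and relays the second) together with the timestamp-based replay protection, as an added example that is not part of the patent text. The device names, the 30-second freshness window, the per-device replay cache and the HMAC-based encrypt-then-MAC construction that stands in for a real AEAD such as AES-GCM are all assumptions of this example.

```python
# Added example, not from the patent: a key center (first device) delivers a
# fresh third key K3 to a second and a third device. K3 is wrapped under K4
# (shared with dev2) as the "first information" and under K5 (shared with
# dev3) as the "second information"; dev2 opens the first and relays the
# second. Timestamps are bound into the MAC and checked for freshness/replay.
import hashlib
import hmac
import os

FRESHNESS_WINDOW = 30.0  # seconds a timestamp is accepted; assumed policy value


def _derive(shared_key, label):
    """Derive separate encryption and MAC keys from one shared key."""
    return hmac.new(shared_key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a stream cipher (stdlib stand-in for AES-GCM)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(shared_key, plaintext, aad):
    """Securely protect plaintext: encrypt, then MAC over aad || nonce || ciphertext."""
    nonce = os.urandom(16)
    ks = _keystream(_derive(shared_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(shared_key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap(shared_key, blob, aad):
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    expected = hmac.new(_derive(shared_key, b"mac"),
                        aad + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("integrity check failed")
    ks = _keystream(_derive(shared_key, b"enc"), blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))


def _aad(sender, receiver, ts):
    """Associated data: who wrapped the key, who may open it, and when."""
    return f"{sender}|{receiver}|{ts:.3f}".encode()


def _check_fresh(ts, now, seen, tag):
    """Reject stale timestamps and replays of an already-accepted message."""
    if abs(now - ts) > FRESHNESS_WINDOW:
        raise ValueError("stale message")
    if tag in seen:
        raise ValueError("replayed message")


class KeyCenter:
    """First device: holds K4 (shared with dev2) and K5 (shared with dev3)."""

    def __init__(self, k4, k5):
        self.k4, self.k5 = k4, k5

    def handle_key_request(self, request, now):
        if abs(now - request["ts"]) > FRESHNESS_WINDOW:
            raise ValueError("stale request")
        k3 = os.urandom(32)  # third key for dev2 <-> dev3 secure communication
        return {
            "ts": now,
            "first_info": wrap(self.k4, k3, _aad("kc", "dev2", now)),   # dev2 opens this
            "second_info": wrap(self.k5, k3, _aad("kc", "dev3", now)),  # dev2 only relays this
        }


class SecondDevice:
    def __init__(self, k4):
        self.k4, self.seen = k4, set()

    def receive(self, resp, now):
        _check_fresh(resp["ts"], now, self.seen, resp["first_info"]["tag"])
        k3 = unwrap(self.k4, resp["first_info"], _aad("kc", "dev2", resp["ts"]))
        self.seen.add(resp["first_info"]["tag"])
        return k3, {"ts": resp["ts"], "second_info": resp["second_info"]}


class ThirdDevice:
    def __init__(self, k5):
        self.k5, self.seen = k5, set()

    def receive(self, fwd, now):
        _check_fresh(fwd["ts"], now, self.seen, fwd["second_info"]["tag"])
        k3 = unwrap(self.k5, fwd["second_info"], _aad("kc", "dev3", fwd["ts"]))
        self.seen.add(fwd["second_info"]["tag"])
        return k3


def run_distribution(now=1_700_000_000.0):
    """Run the exchange; return (K3 at dev2, K3 at dev3, dev2 read second_info?, replay accepted?)."""
    k4, k5 = os.urandom(32), os.urandom(32)  # constructed long-term shared keys
    kc, dev2, dev3 = KeyCenter(k4, k5), SecondDevice(k4), ThirdDevice(k5)
    resp = kc.handle_key_request({"ts": now}, now)
    k3_dev2, fwd = dev2.receive(resp, now + 1)
    k3_dev3 = dev3.receive(fwd, now + 2)
    try:  # dev2 has no K5, so the relayed second information stays opaque to it
        unwrap(k4, resp["second_info"], _aad("kc", "dev3", now))
        dev2_reads_second = True
    except ValueError:
        dev2_reads_second = False
    try:  # the same forwarded message a second time must be refused
        dev3.receive(fwd, now + 3)
        replay_accepted = True
    except ValueError:
        replay_accepted = False
    return k3_dev2, k3_dev3, dev2_reads_second, replay_accepted
```

Binding sender, intended receiver and timestamp into the associated data means that a message re-addressed to another device, or re-sent with a changed timestamp, fails the tag check rather than the freshness check, and a verbatim replay within the window is caught by the per-device cache of accepted tags.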
  • the embodiment of the present disclosure also provides a key management method, applied to the second device.
  • the method includes:
  • Step 201 Send the first message to the first device.
  • Step 202 Receive at least one of the first key, the second key and the third key sent by the first device.
  • the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
  • receiving the first key sent by the first device includes:
  • the fourth key is used to decrypt the securely protected first key.
  • receiving the first key sent by the first device includes:
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • receiving the second key sent by the first device includes:
  • The second key, securely protected using the fifth key, is sent on to the third device.
  • the method further includes:
  • the third key is used for secure communication between the second device and the third device.
  • receiving the third key sent by the first device includes:
  • the fourth key is a shared key between the first device and the second device
  • the fifth key is a shared key between the first device and the third device.
  • receiving the third key includes:
  • the message sent by the second device carries a timestamp.
  • The timestamp carried in the message sent by the second device is used to prevent message replay attacks. In particular, carrying a timestamp in messages related to quantum key management resists an attacker's replay attacks on quantum keys.
  • the message sent by the second device includes but is not limited to the first message sent by the second device to the first device and/or the third device.
  • the messages sent by the second device may include: all or part of the messages sent by the second device for interaction between the second device and the first device, the third device and/or other devices.
  • embodiments of the present disclosure also provide a key management method, applied to a third device.
  • the method includes:
  • Step 301 Receive at least one of the second key and the third key sent by the first device and/or the second device.
  • The second key and the third key may be received by the third device from the same device, for example both from the first device or both from the second device, or from different devices, for example the second key from the first device and the third key from the second device.
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • receiving the second key sent by the first device and/or the second device includes:
  • the fifth key is a shared key between the first device and the third device.
  • receiving the second key includes:
  • the third key is used for secure communication between the second device and the third device.
  • receiving the third key sent by the second device includes:
  • the third key secured by the fifth key is decrypted using the fifth key.
  • the fifth key is a shared key between the first device and the third device.
  • receiving the third key sent by the first device includes:
  • the third key secured by the fifth key is decrypted using the fifth key.
  • the fifth key is a shared key between the first device and the third device.
  • receiving the third key includes:
  • the method further includes:
  • The second message is used to indicate the result of key reception.
  • the message sent by the third device carries a timestamp.
  • The timestamp carried in the message sent by the third device is used to prevent message replay attacks. In particular, carrying a timestamp in messages related to quantum key management resists an attacker's replay attacks on quantum keys.
  • The messages sent by the third device include, but are not limited to, all or part of the messages sent by the third device for interaction between the third device and the first device, the second device and/or other devices.
  • the first device generates a key for the second device while performing operations related to the first message. That is to say, after receiving the first message, the first device considers that the first device is conducting the first communication with the second device. Message-related communication will consume the key, or the first device finds that the second device has not updated the key within a period of time after receiving the first message, and then supplements the new key for the second device while performing the first message-related operation. key, thus ensuring that the second device is always preset with sufficient keys at low cost and efficiently without the need for the second device to increase the storage space of the security medium.
  • the solutions of the disclosed embodiments can be used to implement convenient supplementation of ordinary or quantum symmetric/asymmetric keys.
  • "(quantum)" here denotes a scenario in which a quantum key may or may not be used.
  • "(quantum) symmetric key" can be understood as an ordinary symmetric key or a quantum symmetric key. The brackets below have the same meaning and are not explained again.
  • the terminal accesses the (quantum) key management center and performs identity authentication and establishes a secure channel based on the (quantum) symmetric key
  • the terminal accesses the (quantum) key management center, based on the (quantum) symmetric key
  • the solutions of the disclosed embodiments can be used to implement (quantum) symmetric encryption.
  • convenient supplementation of the key when the (quantum) symmetric key shared with the terminal is used and consumed; for example, when the terminal performs identity authentication on accessing the (quantum) key center, a (quantum) symmetric key shared between the terminal and the (quantum) key center is consumed.
  • the (quantum) key center not only processes the relevant messages of the terminal, but also generates a new (quantum) symmetric key, uses the old (quantum) symmetric key to securely protect the new (quantum) symmetric key, and then provides the securely protected new (quantum) symmetric key to the terminal.
  • the terminal uses the old (quantum) symmetric key to decrypt and/or check the integrity protection of the received new (quantum) symmetric key, and after the decryption and/or integrity protection check succeeds, stores the new (quantum) symmetric key securely, thereby promptly replenishing the terminal's local (quantum) symmetric keys.
  • the terminal can return a message to the (quantum) key center to confirm the result of receiving the new (quantum) symmetric key (such as successful reception or reception failure); or it may not return any message indicating whether the new (quantum) symmetric key was received successfully or not.
  • the (quantum) key center can destroy the old (quantum) symmetric key once the terminal has received the new one successfully, and the new (quantum) symmetric key is stored in the local key pools of the (quantum) key center and of the terminal for later use when necessary.
  • quantum symmetric keys are used for illustration below. It is easy to understand that the following methods can also be applied to ordinary symmetric keys, ordinary asymmetric keys, or quantum asymmetric keys.
  • FIG 4 shows a schematic diagram of the interaction process of terminal A initiating the number binding service provided by the application embodiment of the present disclosure.
  • the interaction process includes:
  • Step 1 When it is necessary to interact with the quantum key management center and bind the mobile phone number to the password card and/or password resources, terminal A sends a service request message to the quantum key management center.
  • terminal A selects a valid quantum symmetric key K_A from the local preconfigured quantum symmetric key pool, and uses K_A, or a symmetric key K_A' derived from K_A, to encrypt and/or integrity protect all or part of the information content of the service request message.
  • the service request message carries the identity of terminal A, the service type bound to the mobile phone number, and a Hash-based Message Authentication Code (HMAC) used to protect the integrity of the message.
  • the message also carries the key identification K_ID_A of K_A, and a timestamp or sequence number and other information to prevent message replay.
  • Step 2 The quantum key management center queries based on the terminal identification and key identification, obtains the quantum symmetric key K_A shared with terminal A through pre-configuration, and uses K_A, or the symmetric key K_A' derived from K_A, to perform integrity protection verification and decryption of the service request message. Afterwards, the number binding service requested by terminal A is processed.
  • the quantum key management center generates a new quantum symmetric key K_A_new for terminal A, and correspondingly allocates a new key identification K_ID_A_new.
  • the quantum symmetric key is generated by a quantum random number generator.
  • Step 3 The quantum key management center returns a service response message to terminal A, which carries business-related information and the newly generated quantum symmetric key K_A_new, and optionally also carries the new key identification K_ID_A_new, a timestamp or sequence number, and other information. All or part of the information content of the service response message is encrypted and/or integrity protected using K_A or the symmetric key K_A' derived from K_A.
  • Step 4 Terminal A uses K_A, or the symmetric key K_A' derived from K_A, to verify and decrypt the service response message and complete the business-related processing. At the same time, it obtains the new quantum symmetric key K_A_new generated by the quantum key management center. Optionally, terminal A also obtains the corresponding key identification K_ID_A_new, and stores the obtained new quantum symmetric key K_A_new and/or the corresponding key identification K_ID_A_new securely, so that the pre-shared quantum symmetric keys are supplemented. In addition, if the service response message does not carry the key identification K_ID_A_new, terminal A needs to generate the corresponding key identification K_ID_A_new according to the method agreed in advance with the quantum key management center.
  • Step 5 Terminal A returns a message to the quantum key management center, which carries the key identification K_ID_A_new to confirm that the quantum key K_A_new has been successfully received.
  • the message also carries a timestamp or sequence number and other information.
  • the message can be securely protected based on K_A or the symmetric key K_A' derived from K_A.
  • terminal A and the quantum key management center then destroy the used K_A.
  • if step 5 is not performed, the quantum key management center destroys the used K_A after step 3, and terminal A destroys it after step 4.
  • Figure 5 shows a schematic diagram of the interaction process of terminal A initiating the number binding service provided by the application embodiment of the present disclosure.
  • the interaction process includes:
  • Step 1 When the user makes an encrypted phone call, the calling terminal A initiates an encrypted phone call request.
  • Step 2 The calling terminal A and the called terminal B perform call connection through the application server (Application Server, AS).
  • AS Application Server
  • the AS is the Session Initiation Protocol (SIP) server responsible for implementing the telephone service functions; for encrypted telephone services based on Voice over LTE (VoLTE), Voice over New Radio (VoNR) or fixed telephony, the AS is the server in the IP Multimedia Subsystem (IMS) responsible for telephone services, such as the VoLTE AS.
  • Step 3 During the call connection process, the calling terminal A synchronously sends a key request message to the quantum key management center to apply for the quantum session key for this encrypted phone call, which is used to encrypt and protect the user's voice information.
  • the request message carries the identities of the calling terminal A and the called terminal B. Optionally, it also carries information such as a session identifier, a timestamp or a sequence number. Among them, timestamp or sequence number information is used to prevent message replay.
  • the calling terminal A obtains an unused preconfigured quantum symmetric key K_A from its local pool, and uses K_A, or the symmetric key K_A' derived from K_A, to encrypt and/or integrity protect all or part of the information content of the key request message.
  • Step 4 After receiving the key request message, the quantum key management center queries and obtains the quantum symmetric key K_A shared with the calling terminal A through pre-configuration, based on the calling terminal identification and key identification, and uses K_A, or the symmetric key K_A' derived from K_A, to perform integrity protection verification and decryption of the key request message. Afterwards, if the key request message carries a timestamp or sequence number, the freshness of the key request message is verified based on the timestamp or sequence number.
  • after the integrity and freshness of the key request message are verified, the quantum key management center queries the called terminal identification and obtains the quantum symmetric key K_B shared with the called terminal B in a pre-configured manner, together with the corresponding key identification K_ID_B. At the same time, the quantum key management center generates a quantum session key for this call, generates new quantum symmetric keys K_A_new and K_B_new for the calling terminal A and the called terminal B respectively, and allocates the corresponding new key identifications K_ID_A_new and K_ID_B_new.
  • the quantum session key as well as the new quantum symmetric key are generated by a quantum random number generator.
  • Step 5 The quantum key management center forms a key response message that provides the session key Ks used in this call to the calling terminal A and the called terminal B, together with the newly generated quantum symmetric keys K_A_new and K_B_new, and optionally also provides the new key identifications K_ID_A_new and K_ID_B_new and other related information. If the quantum key management center does not transmit K_ID_A_new and K_ID_B_new in the key response message, then the calling terminal A and the called terminal B, after receiving K_A_new and K_B_new, should allocate the new K_ID_A_new and K_ID_B_new using a method agreed in advance with the quantum key management center, thereby keeping the quantum key identifications synchronized with the quantum key management center.
  • for the calling terminal A, the quantum key management center provides: the quantum session key Ks, the key identification K_ID_A, the calling terminal identification and the new quantum symmetric key K_A_new; optionally, it also provides the session identification and/or the new key identification K_ID_A_new and/or a timestamp or sequence number and other information.
  • the quantum key management center uses K_A, or the symmetric key K_A' derived from K_A, to encrypt and/or integrity protect Ks and, optionally, K_A_new, K_ID_A_new and other related information, obtaining an integrity protection verification value such as HMAC_A.
  • for the called terminal B, the quantum key management center provides: the quantum session key Ks, the key identification K_ID_B, the calling terminal identification and the new quantum symmetric key K_B_new; optionally, it also provides the session identification and/or the new key identification K_ID_B_new and/or a timestamp or sequence number and other information.
  • the quantum key management center uses K_B, or the symmetric key K_B' derived from K_B, to encrypt and/or integrity protect Ks and, optionally, K_B_new, K_ID_B_new and other related information, obtaining an integrity protection verification value such as HMAC_B.
  • the quantum key management center sends the newly generated quantum symmetric key, and, optionally, key identification and other information to the calling terminal A through the key response message.
  • the key response message includes: Msg_A, HMAC_A, Msg_B, HMAC_B, etc.
  • Msg_A contains related information such as K_A_new, K_ID_A_new, Ks and a timestamp or sequence number, after security protection.
  • Msg_B contains related information such as K_B_new, K_ID_B_new, Ks and a timestamp or sequence number, after security protection.
  • Step 6 The calling terminal A uses K_A, or the symmetric key K_A' derived from K_A, to decrypt Msg_A and obtains the new quantum symmetric key K_A_new generated by the quantum key management center; optionally, it also obtains related information such as the key identification K_ID_A_new, Ks and the timestamp or sequence number, and stores the relevant quantum keys securely, thereby supplementing the pre-shared quantum symmetric keys. If Msg_A contains a timestamp or sequence number, the calling terminal A can verify the freshness of the key response message Msg_A.
  • Step 7 The calling terminal A returns a message to the quantum key management center, which carries K_ID_A_new and, optionally, information such as a timestamp or sequence number, to confirm that K_A_new has been successfully received.
  • the message can be secured based on K_A or K_A'. Afterwards, the calling terminal A and the quantum key management center destroy the used K_A.
  • if step 7 is not performed, the quantum key management center destroys the used K_A after step 5, and the calling terminal A destroys the used K_A after step 6.
  • Step 8 The calling terminal A sends the session key to the called terminal B.
  • the message carries the relevant information provided by the quantum key management center to the called terminal B, including Msg_B, HMAC B , etc.
  • Step 9 The called terminal B uses K_B, or the symmetric key K_B' derived from K_B, to decrypt Msg_B, and obtains the new quantum symmetric key K_B_new and the session key Ks generated by the quantum key management center.
  • related information such as the key identification K_ID_B_new and the timestamp or sequence number is also obtained, and the relevant quantum keys are stored securely, thereby supplementing the pre-shared quantum symmetric keys. If Msg_B contains a timestamp or sequence number, the called terminal B can verify the freshness of the key response message Msg_B.
  • Step 10 The called terminal B returns a message to the quantum key management center, which carries K_ID_B_new and, optionally, information such as a timestamp or sequence number, to confirm that K_B_new has been successfully received. The message can be secured based on K_B or K_B'. Afterwards, the called terminal B and the quantum key management center destroy the used K_B.
  • if step 10 is not performed, the quantum key management center destroys the used K_B after step 5, and the called terminal B destroys the used K_B after step 9.
  • Step 11 The called terminal B returns a session key confirmation message and confirms to the calling terminal A that the quantum session key Ks has been successfully received.
  • Step 12 The calling terminal A confirms that the called terminal B has successfully obtained the quantum session key Ks.
  • Step 13 The calling terminal A and the called terminal B use Ks to encrypt and protect the voice information exchanged between the users, and start the encrypted call. After the call ends, the calling and called terminals destroy the quantum session key Ks used this time.
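The Fig. 4 replenishment exchange and the Fig. 5 session-key distribution above, modelled as an added example (not the patent's or the applicant's code). The patent leaves the primitives open, so this example assumes HMAC-SHA256 as the integrity value (HMAC_A/HMAC_B), K_A' derived from K_A by HMAC, an HMAC-based keystream as a stand-in cipher, and timestamp freshness with a per-key-ID last-seen record; the Terminal and KeyCenter classes, key IDs and message fields are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Added example, not the patent's code. Assumed primitives (the patent leaves
# them open): HMAC-SHA256 tag, K_A' derived from K_A by HMAC, an HMAC keystream
# XOR as a stand-in cipher, timestamp plus per-key-ID "last seen" freshness.

def derive(k, label):
    """K_A' = f(K_A): separate enc/mac subkeys from the pooled quantum key."""
    return hmac.new(k, label, hashlib.sha256).digest()

def keystream_xor(k, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def protect(k, payload):
    """Encrypt-then-MAC the payload under k, adding the anti-replay timestamp."""
    data = json.dumps(dict(payload, ts=time.time()), sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(derive(k, b"enc"), nonce, data)
    tag = hmac.new(derive(k, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def verify_open(k, msg, window=30):
    """Check the tag first, then decrypt, then reject stale timestamps."""
    tag = hmac.new(derive(k, b"mac"), msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, msg["tag"]):
        raise ValueError("integrity check failed")
    payload = json.loads(keystream_xor(derive(k, b"enc"), msg["nonce"], msg["ct"]))
    if abs(time.time() - payload["ts"]) > window:
        raise ValueError("stale message")
    return payload

class Terminal:
    def __init__(self, tid, pool):
        self.id, self.pool = tid, dict(pool)  # small pool of pre-shared keys by K_ID

    def request(self, payload):
        kid = next(iter(self.pool))  # pick an unused pooled key K_A
        return kid, protect(self.pool[kid], payload)

    def absorb(self, kid, msg):
        """Steps 4/6/9: verify, store K_new under its ID, destroy the used key."""
        p = verify_open(self.pool[kid], msg)
        self.pool[p["new_kid"]] = bytes.fromhex(p["new_key"])
        del self.pool[kid]
        return p

class KeyCenter:
    def __init__(self, pools):
        self.pools = {t: dict(p) for t, p in pools.items()}  # mirror of each terminal
        self.seen = {}  # key ID -> last accepted timestamp

    def _open(self, term, kid, msg):
        p = verify_open(self.pools[term][kid], msg)
        if p["ts"] <= self.seen.get(kid, 0):  # replay inside the time window
            raise ValueError("replayed message")
        self.seen[kid] = p["ts"]
        return p

    def _fresh(self, term):
        """Stand-in for the quantum random number generator of the patent."""
        kid = f"KID_{term}_{secrets.token_hex(4)}"
        self.pools[term][kid] = secrets.token_bytes(32)
        return {"new_kid": kid, "new_key": self.pools[term][kid].hex()}

    def ack(self, term, kid):
        """Steps 5/7/10: receipt confirmed, so the used key is destroyed."""
        self.pools[term].pop(kid, None)

    def handle_bind(self, term, kid, msg):
        """Fig. 4 steps 2-3: serve the request and piggy-back a fresh key."""
        req = self._open(term, kid, msg)
        reply = dict(service=req["service"], result="ok", **self._fresh(term))
        return protect(self.pools[term][kid], reply)

    def handle_session(self, a, kid_a, msg):
        """Fig. 5 steps 4-5: one Ks, wrapped separately under K_A and K_B."""
        req = self._open(a, kid_a, msg)
        b, kid_b = req["callee"], next(iter(self.pools[req["callee"]]))
        ks = secrets.token_bytes(32).hex()
        msg_a = protect(self.pools[a][kid_a], dict(ks=ks, peer=b, **self._fresh(a)))
        msg_b = protect(self.pools[b][kid_b], dict(ks=ks, peer=a, **self._fresh(b)))
        return {"msg_a": msg_a, "kid_b": kid_b, "msg_b": msg_b}

def call_flow(a, b, center):
    """Fig. 5 end to end; A relays Msg_B unread, since only B holds K_B."""
    kid_a, req = a.request({"caller": a.id, "callee": b.id})
    resp = center.handle_session(a.id, kid_a, req)
    ks_a = a.absorb(kid_a, resp["msg_a"])["ks"]
    center.ack(a.id, kid_a)
    ks_b = b.absorb(resp["kid_b"], resp["msg_b"])["ks"]
    center.ack(b.id, resp["kid_b"])
    return ks_a, ks_b
```

A replayed or tampered request is rejected in `_open`/`verify_open` before any new key is issued, so a failed exchange never drains the pool on either side.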
  • the disclosed embodiments can be applied to encrypted voice and/or video calls, encrypted short messages, encrypted instant messages, encrypted voice and/or video messages, encrypted intercom messages, encrypted emails, and other secure communication services based on quantum keys; the above description takes the quantum encrypted voice phone service only as an example.
  • the quantum key management center described here can refer to a unified quantum key management platform that provides unified key management services for a variety of different businesses, or it can be a key management platform for a specific business, such as a quantum VoLTE encrypted call key management platform that specifically provides key management services for quantum VoLTE encrypted call services.
  • the quantum symmetric key shared between the quantum key management center and the terminal performs security protection functions such as encryption, integrity protection and source authentication for the information exchanged between the terminal and the quantum key management center during the secure communication process (such as the session identification, the quantum session key Ks, the new quantum symmetric key K_A_new and/or K_B_new, the key identifications K_ID_A_new/K_ID_B_new, etc.), so the shared symmetric key can also be called a basic key, a working key, a key protection key, an authentication key or an access key, etc.
  • the disclosed embodiments are also applicable to secure communication services carried out by multiple terminals, meeting the needs of business applications such as secure multi-party calls, secure voice and/or video conferencing, secure group messages and confidential multi-party intercom.
  • the quantum key management center should encrypt and protect the newly generated quantum symmetric key (and, optionally, the newly allocated quantum key identification and related information) based on the quantum symmetric key currently in use and shared with each terminal, and then send the protected new quantum symmetric key and related information to each terminal through the terminal that initiated the key request. They can be sent together or separately. Subsequently, each terminal decrypts and obtains the newly generated quantum symmetric key.
  • the disclosed embodiments enable devices that store only a small number of local quantum symmetric keys to meet users' long-term or frequent needs for quantum secure communication services by supplementing the quantum symmetric keys, without expanding the storage space of the device's security medium. This suits equipment whose security medium has little storage space and can reduce equipment costs. Furthermore, the use of timestamp or sequence number mechanisms in messages related to quantum key management resists replay attacks by attackers on the quantum keys.
  • the embodiment of the present disclosure also provides a key management device, which is provided on the first device.
  • the device includes:
  • the first receiving unit 601 is used to receive the first message sent by the second device
  • Execution unit 602 configured to perform operations related to the first message, and obtain at least one of the following: a first key, a second key, and a third key;
  • the first sending unit 603 is used to send at least one of the first key, the second key and the third key to the second device.
  • the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
  • the first sending unit 603 sends the first key to the second device, including:
  • the fourth key is a shared key between the first device and the second device.
  • the execution unit 602 obtains the first key, including:
  • the first sending unit 603 sends the first key to the second device, including:
  • the device further includes:
  • the first storage unit is used to store the first key and/or the corresponding first identification.
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • the first sending unit 603 sends the second key to the second device, including:
  • the fifth key is a shared key between the first device and the third device.
  • the method further includes:
  • the third sending unit is used to send the second key to the third device.
  • the third sending unit sends the second key to the third device, including:
  • the fifth key is a shared key between the first device and the third device.
  • the execution unit 602 obtains the second key, including:
  • the first sending unit 603 sends the second key to the second device and/or the third device, including:
  • the device further includes:
  • the second storage unit is used to store the second key and/or the corresponding second identification.
  • the third key is used for secure communication between the second device and the third device.
  • the first sending unit 603 sends the third key to the second device, including:
  • the fourth key is a shared key between the first device and the second device
  • the fifth key is a shared key between the first device and the third device.
  • the device further includes:
  • the fourth sending unit is used to send the third key to the third device.
  • the fourth sending unit sends the third key to the third device, including:
  • the fifth key is a shared key between the first device and the third device.
  • the execution unit 602 obtains the third key, including:
  • the first sending unit 603 sends the third key to the second device and/or the third device, including:
  • the device further includes:
  • the third storage unit is used to store the third key and/or the corresponding third identification.
  • the message sent by the first device carries a timestamp.
  • the first receiving unit 601, the first sending unit 603, the third sending unit and the fourth sending unit can be implemented by the communication interface in the key management device; the execution unit 602, the first storage unit, the second storage unit and the third storage unit can be implemented by a processor in the key management device.
  • the embodiment of the present disclosure also provides a key management device, which is provided on the second device.
  • the device includes:
  • the second sending unit 701 is used to send the first message to the first device
  • the second receiving unit 702 is configured to receive at least one of the first key, the second key and the third key sent by the first device.
  • the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
  • the second receiving unit 702 receives the first key sent by the first device, including:
  • the fourth key is used to decrypt the securely protected first key.
  • the second receiving unit 702 receives the first key sent by the first device, including:
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • the second receiving unit 702 receives the second key sent by the first device, including:
  • the second key that is securely protected using the fifth key is sent to the third device.
  • the device further includes:
  • the fifth sending unit is used to send the second key and/or the corresponding second identification to the third device.
  • the third key is used for secure communication between the second device and the third device.
  • the second receiving unit 702 receives the third key sent by the first device, including:
  • the fourth key is a shared key between the first device and the second device
  • the fifth key is a shared key between the first device and the third device.
  • the second receiving unit 702 receives the third key, including:
  • the message sent by the second device carries a timestamp.
  • the second sending unit 701, the second receiving unit 702 and the fifth sending unit may be implemented by the communication interface in the key management device.
  • the embodiment of the present disclosure also provides a key management device, which is provided on the third device.
  • the device includes:
  • the third receiving unit 801 is configured to receive at least one of the first key, the second key and the third key sent by the first device and/or the second device.
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • the third receiving unit 801 receives the second key sent by the first device and/or the second device, including:
  • the fifth key is a shared key between the first device and the third device.
  • the third receiving unit 801 receives the second key, including:
  • the third key is used for secure communication between the second device and the third device.
  • the third receiving unit 801 receives the third key sent by the second device, including:
  • the fifth key is a shared key between the first device and the third device.
  • the third receiving unit 801 receives the third key sent by the first device, including:
  • the fifth key is a shared key between the first device and the third device.
  • the third receiving unit 801 receives the third key, including:
  • the device further includes:
  • the sixth sending unit is used to send the second message to the first device; wherein,
  • the second message is used to return the result of key reception.
  • the message sent by the third device carries a timestamp.
  • the third receiving unit 801 and the sixth sending unit may be implemented by the communication interface in the key management device.
  • when the key management device provided in the above embodiment performs key management, the division of the above program modules is used only as an example; in practice, the above processing can be allocated to different program modules as needed, that is, the internal structure of the device is divided into different program modules to complete all or part of the processing described above.
  • the key management device and the key management method embodiments provided in the above embodiments belong to the same concept. Please refer to the method embodiments for the specific implementation process, which will not be described again here.
  • the embodiment of the present disclosure also provides a first device.
  • the first device 900 includes:
  • the first communication interface 901 is capable of information exchange with other network nodes;
  • the first processor 902 is connected to the first communication interface 901 to implement information interaction with other network nodes, and is used to execute the method provided by one or more technical solutions on the first device side when running a computer program.
  • the computer program is stored on the first memory 903 .
  • the first communication interface 901 is used to receive the first message sent by the second device;
  • the first processor 902 is configured to perform operations related to the first message and obtain at least one of the following: a first key, a second key, and a third key;
  • the first communication interface 901 is also used to send at least one of the first key, the second key and the third key to the second device.
  • the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
  • the first communication interface 901 is used to send the first key that is securely protected by using the fourth key to the second device; wherein,
  • the fourth key is a shared key between the first device and the second device.
  • the first processor 902 is used to obtain the first key and the corresponding first identification
  • the first communication interface 901 is used to send the first key and/or the corresponding first identification to the second device.
  • the first processor 902 is also configured to store the first key and/or the corresponding first identification.
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • the first communication interface 901 is used to send the second key that is securely protected by using the fifth key to the second device; wherein,
  • the fifth key is a shared key between the first device and the third device.
  • the first communication interface 901 is also used to send the second key to the third device.
  • the first communication interface 901 is used to send the second key that is securely protected by using the fifth key to the third device; wherein,
  • the fifth key is a shared key between the first device and the third device.
  • the first processor 902 is used to obtain the second key and the corresponding second identification
  • the first communication interface 901 is used to send the second key and/or the corresponding second identification to the second device and/or the third device.
  • the first processor 902 is also configured to store the second key and/or the corresponding second identification.
  • the third key is used for secure communication between the second device and the third device.
  • the first communication interface 901 is used to send the third key that is securely protected using the fourth key and the fifth key to the second device; wherein,
  • the fourth key is a shared key between the first device and the second device
  • the fifth key is a shared key between the first device and the third device.
  • the first communication interface 901 is also used to send the third key to the third device.
  • the first communication interface 901 is used to send the third key that is securely protected using the fifth key to the third device; wherein,
  • the fifth key is a shared key between the first device and the third device.
  • the first processor 902 is used to obtain the third key and the corresponding third identification
  • the first communication interface 901 is used to send the third key and/or the corresponding third identification to the second device and/or the third device.
  • the first processor 902 is also configured to store the third key and/or the corresponding third identification.
  • the message sent by the first device carries a timestamp.
  • bus system 904 is used to implement connection communication between these components.
  • the bus system 904 also includes a power bus, a control bus and a status signal bus.
  • various buses are labeled as bus system 904 in FIG. 9 .
  • the first memory 903 in the embodiment of the present disclosure is used to store various types of data to support the operation of the first device 900 .
  • Examples of such data include any computer program for operating on the first device 900 .
  • the methods disclosed in the above embodiments of the present disclosure may be applied to the first processor 902 or implemented by the first processor 902 .
  • the first processor 902 may be an integrated circuit chip with signal processing capabilities. During the implementation process, each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the first processor 902 .
  • the above-mentioned first processor 902 may be a general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the first processor 902 can implement or execute the disclosed methods, steps and logical block diagrams in the embodiments of the present disclosure.
  • a general-purpose processor may be a microprocessor or any conventional processor, etc.
  • the steps of the method disclosed in conjunction with the embodiments of the present disclosure can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium, and the storage medium is located in the first memory 903.
  • the first processor 902 reads the information in the first memory 903, and completes the steps of the foregoing method in combination with its hardware.
  • the first device 900 may be one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field-Programmable Gate Arrays (FPGAs), general-purpose processors, controllers, Micro Controller Units (MCUs), microprocessors, or other electronic components for executing the aforementioned method.
  • the embodiment of the disclosure also provides a second device.
  • the second device 1000 includes:
  • the second communication interface 1001 is capable of information exchange with other network nodes;
  • the second processor 1002 is connected to the second communication interface 1001 to implement information interaction with other network nodes, and is used to execute the method provided by one or more technical solutions on the second device side when running a computer program.
  • the computer program is stored on the second memory 1003.
  • the second communication interface 1001 is used to send a first message to a first device, and to receive at least one of the first key, the second key and the third key sent by the first device.
  • the first key is used for secure communication between the first device and the second device, or for secure storage of local information of the second device.
  • the second communication interface 1001 is used to receive a first key sent by a first device and protected by a fourth key; wherein the fourth key is a shared key between the first device and the second device;
  • the second processor 1002 is configured to use the fourth key to decrypt the securely protected first key.
  • the second communication interface 1001 is used to receive the first key and/or the corresponding first identification
  • the second processor 1002 is used to store the first key and/or the corresponding first identification.
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • the second communication interface 1001 is used to receive a second key sent by the first device and protected by using a fifth key, wherein the fifth key is a shared key between the first device and the third device; and to send the second key protected by the fifth key to the third device.
  • the second communication interface 1001 is also used to send the second key and/or the corresponding second identification to the third device.
  • the third key is used for secure communication between the second device and the third device.
  • the second communication interface 1001 is used to receive the third key sent by the first device and protected by using the fourth key and the fifth key respectively;
  • the second processor 1002 is also configured to use the fourth key to decrypt the third key protected by the fourth key;
  • the second communication interface 1001 is used to send the third key protected by the fifth key to the third device; wherein,
  • the fourth key is a shared key between the first device and the second device
  • the fifth key is a shared key between the first device and the third device.
  • the second communication interface 1001 is used to receive and store the third key and/or the corresponding third identification.
  • the message sent by the second device carries a timestamp.
  • the bus system 1004 is used to implement connection communication between these components.
  • the bus system 1004 also includes a power bus, a control bus and a status signal bus.
  • various buses are labeled as bus system 1004 in FIG. 10 .
  • the second memory 1003 in the embodiment of the present disclosure is used to store various types of data to support the operation of the second device 1000. Examples of such data include any computer program for operating on the second device 1000.
  • the methods disclosed in the above embodiments of the present disclosure can be applied to the second processor 1002 or implemented by the second processor 1002 .
  • the second processor 1002 may be an integrated circuit chip with signal processing capabilities. During the implementation process, each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the second processor 1002 .
  • the above-mentioned second processor 1002 may be a general-purpose processor, a DSP, or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the second processor 1002 can implement or execute the disclosed methods, steps and logical block diagrams in the embodiments of the present disclosure.
  • a general-purpose processor may be a microprocessor or any conventional processor, etc.
  • the steps of the method disclosed in conjunction with the embodiments of the present disclosure can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium, and the storage medium is located in the second memory 1003.
  • the second processor 1002 reads the information in the second memory 1003, and completes the steps of the foregoing method in combination with its hardware.
  • the second device 1000 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general processors, controllers, MCUs, Microprocessors, or other electronic components for performing the foregoing method.
  • the embodiment of the disclosure also provides a third device.
  • the third device 1100 includes:
  • the third communication interface 1101 is capable of information exchange with other network nodes
  • the third processor 1102 is connected to the third communication interface 1101 to implement information interaction with other network nodes, and is used to execute the method provided by one or more technical solutions on the third device side when running a computer program.
  • the computer program is stored on the third memory 1103.
  • the third communication interface 1101 is used to receive at least one of the first key, the second key and the third key sent by the first device and/or the second device.
  • the second key is used for secure communication between the first device and the third device, or for secure storage of local information of the third device.
  • the third communication interface 1101 is used to receive the second key sent by the first device and/or the second device and protected by using the fifth key; wherein,
  • the fifth key is a shared key between the first device and the third device.
  • the third communication interface 1101 is used to receive and store the second key and/or the corresponding second identification.
  • the third key is used for secure communication between the second device and the third device.
  • the third communication interface 1101 is used to receive the third key sent by the second device and protected by the fifth key;
  • the third processor 1102 is configured to use the fifth key to decrypt the third key securely protected by the fifth key; wherein,
  • the fifth key is a shared key between the first device and the third device.
  • the third communication interface 1101 is used to receive the third key sent by the first device and protected by the fifth key;
  • the third processor 1102 is configured to use the fifth key to decrypt the third key securely protected by the fifth key; wherein,
  • the fifth key is a shared key between the first device and the third device.
  • the third communication interface 1101 is used to receive the third key and/or the corresponding third identification
  • the third processor 1102 is used to store the third key and/or the corresponding third identification.
  • the third communication interface 1101 is also used to send the second message to the first device; wherein,
  • the second message is used to return the result of key reception.
  • the message sent by the third device carries a timestamp.
  • the bus system 1104 includes a power bus, a control bus, and a status signal bus in addition to a data bus.
  • the various buses are labeled bus system 1104 in FIG. 11 .
  • the third memory 1103 in the embodiment of the present disclosure is used to store various types of data to support the operation of the third device 1100. Examples of such data include: any computer program for operating on the third device 1100 .
  • the methods disclosed in the above embodiments of the present disclosure can be applied to the third processor 1102 or implemented by the third processor 1102 .
  • the third processor 1102 may be an integrated circuit chip with signal processing capabilities. During the implementation process, each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the third processor 1102 .
  • the above-mentioned third processor 1102 may be a general-purpose processor, a DSP, or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the third processor 1102 can implement or execute the disclosed methods, steps and logical block diagrams in the embodiments of the present disclosure.
  • a general-purpose processor may be a microprocessor or any conventional processor, etc.
  • the steps of the method disclosed in conjunction with the embodiments of the present disclosure can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium, and the storage medium is located in the third memory 1103.
  • the third processor 1102 reads the information in the third memory 1103, and completes the steps of the foregoing method in combination with its hardware.
  • the third device 1100 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general processors, controllers, MCUs, Microprocessors, or other electronic components for performing the foregoing method.
  • the memory in the embodiment of the present disclosure can be a volatile memory or a non-volatile memory, and can also include both volatile and non-volatile memories. Among them, the non-volatile memory can be read-only memory (Read Only Memory, ROM), programmable read-only memory (Programmable Read-Only Memory, PROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory, EPROM), electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory, EEPROM), ferroelectric random access memory (Ferroelectric Random Access Memory, FRAM), Flash Memory, magnetic surface memory, optical disk, or compact disc read-only memory (Compact Disc Read-Only Memory, CD-ROM); the magnetic surface memory can be disk memory or tape memory.
  • the volatile memory may be random access memory (Random Access Memory, RAM), which is used as an external cache. Many forms of RAM are available, such as static random access memory (Static Random Access Memory, SRAM), synchronous static random access memory (Synchronous Static Random Access Memory, SSRAM), dynamic random access memory (Dynamic Random Access Memory, DRAM), synchronous dynamic random access memory (Synchronous Dynamic Random Access Memory, SDRAM), double data rate synchronous dynamic random access memory (Double Data Rate Synchronous Dynamic Random Access Memory, DDRSDRAM), enhanced synchronous dynamic random access memory (Enhanced Synchronous Dynamic Random Access Memory, ESDRAM), SyncLink dynamic random access memory (SyncLink Dynamic Random Access Memory, SLDRAM), and direct Rambus random access memory (Direct Rambus Random Access Memory, DRRAM).
  • the embodiment of the present disclosure also provides a storage medium, that is, a computer storage medium, specifically a computer-readable storage medium, such as a first memory 903 that stores a computer program.
  • the computer program can be executed by the first processor 902 of the first device 900 to complete the steps described in the foregoing first device-side method.
  • Another example includes a second memory 1003 that stores a computer program.
  • the computer program can be executed by the second processor 1002 of the second device 1000 to complete the steps described in the second device-side method.
  • Another example includes a third memory 1103 that stores a computer program.
  • the computer program can be executed by the third processor 1102 of the third device 1100 to complete the steps described in the third device-side method.
  • the computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disk, or CD-ROM.
  • "A and/or B" can mean any of three situations: A exists alone, A and B exist simultaneously, or B exists alone.
  • "at least one" in this article means any one of a plurality, or any combination of at least two of a plurality; for example, "including at least one of A, B and C" can mean including any one or more elements selected from the set composed of A, B and C.
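The three-party exchange described above for the first, second and third devices, as an added worked example (not code from the patent or its applicant). Because the page does not specify them, it assumes that "protecting" a key under the fourth or fifth key means encrypt-then-MAC with HMAC-SHA256 (a standard-library stand-in for an AEAD such as AES-GCM), a 30-second freshness window for the timestamps the messages carry, the device names dev2/dev3, the message field names, and the format of the key identifiers. The identifier (first, second or third identification) and the intended recipient are bound into the integrity tag, so the copy of the third key wrapped for the second device cannot be redirected to the third device, and a stale envelope cannot be replayed.

```python
import hashlib
import hmac
import secrets
import struct

WINDOW = 30  # assumed freshness window (seconds) for timestamped messages; not from the source

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: stdlib stand-in for a block-cipher keystream."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _subkeys(shared_key):
    return (hmac.new(shared_key, b"enc", hashlib.sha256).digest(),
            hmac.new(shared_key, b"mac", hashlib.sha256).digest())

def protect(shared_key, aad, key):
    """Encrypt-then-MAC of a distributed key; aad is authenticated but sent in the clear."""
    enc, mac = _subkeys(shared_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(enc, nonce, len(key))))
    return nonce + ct + hmac.new(mac, aad + nonce + ct, hashlib.sha256).digest()

def unprotect(shared_key, aad, blob):
    enc, mac = _subkeys(shared_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: key rejected")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

def _aad(kid, recipient, ts):
    return f"{kid}|{recipient}|{ts}".encode()

def wrap_key(shared_key, kid, recipient, key, ts):
    """Envelope for one key: identifier, recipient and timestamp are bound into
    the tag, so a copy wrapped for one device cannot be redirected or replayed."""
    return {"kid": kid, "to": recipient, "ts": ts,
            "blob": protect(shared_key, _aad(kid, recipient, ts), key)}

def unwrap_key(shared_key, env, me, now):
    if env["to"] != me:
        raise ValueError("envelope not addressed to this device")
    if abs(now - env["ts"]) > WINDOW:
        raise ValueError("stale envelope")
    return unprotect(shared_key, _aad(env["kid"], env["to"], env["ts"]), env["blob"])

def first_device_handle(first_msg, k4, k5, now):
    """First device: on a fresh first message obtain K1, K2, K3 and identifiers;
    K1 and K3 go out under K4 (shared with the second device), K2 and K3 under
    K5 (shared with the third device)."""
    if abs(now - first_msg["ts"]) > WINDOW:
        raise ValueError("stale first message")
    dev2, dev3 = first_msg["from"], first_msg["peer"]
    k1, k2, k3 = (secrets.token_bytes(32) for _ in range(3))
    kid1, kid2, kid3 = (f"K{i}-{secrets.token_hex(4)}" for i in (1, 2, 3))  # assumed id format
    envelopes = [wrap_key(k4, kid1, dev2, k1, now), wrap_key(k4, kid3, dev2, k3, now),
                 wrap_key(k5, kid2, dev3, k2, now), wrap_key(k5, kid3, dev3, k3, now)]
    return {kid1: k1, kid2: k2, kid3: k3}, envelopes

def second_device_handle(envelopes, k4, me, now):
    """Second device: decrypt and store its own envelopes with K4; forward the
    K5-protected copies, which are opaque to it, to the third device."""
    store, forward = {}, []
    for env in envelopes:
        if env["to"] == me:
            store[env["kid"]] = unwrap_key(k4, env, me, now)
        else:
            forward.append(env)
    return store, forward

def third_device_handle(envelopes, k5, me, now):
    """Third device: decrypt and store K2, K3 with K5; return the second message
    (result of key reception) for the first device."""
    store = {env["kid"]: unwrap_key(k5, env, me, now) for env in envelopes}
    return store, {"from": me, "result": "ok", "kids": sorted(store), "ts": now}

def run_exchange(k4, k5, now):
    """Whole exchange between constructed devices dev2 (second) and dev3 (third)."""
    first_msg = {"from": "dev2", "peer": "dev3", "ts": now}
    issued, envelopes = first_device_handle(first_msg, k4, k5, now)
    second_store, forward = second_device_handle(envelopes, k4, "dev2", now)
    third_store, second_msg = third_device_handle(forward, k5, "dev3", now)
    return issued, second_store, third_store, second_msg

if __name__ == "__main__":
    k4, k5 = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed pre-shared keys
    issued, s2, s3, reply = run_exchange(k4, k5, 1_700_000_000)
    print("second device holds", sorted(s2), "third device holds", sorted(s3), reply["result"])
```

Run directly, it prints which identifiers each device ends up holding: the second device stores the first and third keys, the third device the second and third keys, and the second device never sees the second key because it only relays the K5-protected envelopes. How the fourth and fifth keys are established between the first device and each peer is outside this example; they are generated at random here.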

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present disclosure relates to a key management method and apparatus, and a device and a storage medium. The method comprises the following steps: a first device receives a first message sent by a second device; executes an operation associated with the first message and obtains a first key and/or a second key and/or a third key; and sends the first key and/or the second key and/or the third key to the second device.
PCT/CN2023/107243 2022-07-15 2023-07-13 Key management method and apparatus, and device and storage medium WO2024012529A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210837670.3A CN117439734A (zh) 2022-07-15 2022-07-15 Key management method, apparatus, device and storage medium
CN202210837670.3 2022-07-15

Publications (1)

Publication Number Publication Date
WO2024012529A1 true WO2024012529A1 (fr) 2024-01-18

Family

ID=89535632

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/107243 WO2024012529A1 (fr) 2022-07-15 2023-07-13 Key management method and apparatus, and device and storage medium

Country Status (2)

Country Link
CN (1) CN117439734A (fr)
WO (1) WO2024012529A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3148152A1 (fr) * 2015-09-22 2017-03-29 BAE Systems PLC Cryptographic key distribution
CN108847928A (zh) * 2018-04-26 2018-11-20 如般量子科技有限公司 Communication system and communication method for encrypted and decrypted information transmission based on a group-type quantum key card
CN109787763A (zh) * 2019-03-05 2019-05-21 山东鲁能软件技术有限公司 Quantum-key-based mobile communication authentication method, system, terminal and storage medium
CN112512038A (zh) * 2020-11-19 2021-03-16 建信金融科技有限责任公司 Session key generation method and apparatus, electronic device and readable storage medium
CN114553418A (zh) * 2022-03-24 2022-05-27 中国电信股份有限公司 Service method, apparatus, system and terminal

Also Published As

Publication number Publication date
CN117439734A (zh) 2024-01-23 Key management method, apparatus, device and storage medium

Similar Documents

Publication Publication Date Title
US11240218B2 (en) Key distribution and authentication method and system, and apparatus
US20190068591A1 (en) Key Distribution And Authentication Method And System, And Apparatus
EP1994715B1 (fr) SIM-based authentication
KR101516909B1 (ko) Discovery of security associations for key management relying on public keys
US20070086590A1 (en) Method and apparatus for establishing a security association
US8625787B2 (en) Hierarchical key management for secure communications in multimedia communication system
US8875236B2 (en) Security in communication networks
EP2767029B1 (fr) Secure communication
KR20070102749A (ko) Context-limited shared secret
JP2014514860A (ja) Security association discovery method
WO2020020007A1 (fr) Network access method and device, terminal, base station and readable storage medium
CN115473655B (zh) Terminal authentication method and apparatus for network access, and storage medium
CN114338618A (zh) Multi-party call method and system, conference server and electronic device
WO2024041498A1 (fr) Secret communication processing method, first terminal and storage medium
CN105591748B (zh) Authentication method and apparatus
WO2024012529A1 (fr) Key management method and apparatus, and device and storage medium
CN112906032B (zh) File secure transmission method, system and medium based on CP-ABE and blockchain
WO2021236078A1 (fr) Simplified method for onboarding and authenticating identities for network access
WO2024183628A1 (fr) Communication method, terminal, device and medium
GB2551358A (en) Low latency security
Hu et al. Identification Model of Power Network Information Based on Multi-dimensional Identity Authentication Technology
CN118450383A (zh) Network access method and system
CN115102698A (zh) Quantum-encrypted digital signature method and system
CN118740400A (zh) Encrypted communication method and apparatus, related device and storage medium
CN116633612A (zh) Cloud phone login method and apparatus, storage medium and electronic device

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 23839019

Country of ref document: EP

Kind code of ref document: A1