CN117155568A - IPv6 message encryption and decryption method based on quantum key application mechanism - Google Patents
- Publication number: CN117155568A (application CN202311218729.1A)
- Authority: CN (China)
- Prior art keywords: message, ipv6, encryption, key, verification
- Legal status: Pending (status as listed by Google Patents; an assumption, not a legal conclusion)
Classifications
- H04L9/0852: Quantum cryptography (under H04L9/0816, key establishment; H04L9/08, key distribution or management; H04L9/00, cryptographic mechanisms and network security protocols)
- H04L9/0819: Key transport or distribution, i.e. one party creates or otherwise obtains a secret value and securely transfers it to the other(s) (under H04L9/0816, key establishment)
- H04L9/3242: Message authentication using keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC (under H04L9/3236, cryptographic hash functions; H04L9/32, verifying identity or authority, data integrity, non-repudiation)
- H04L2101/659: Internet protocol version 6 [IPv6] addresses (under H04L2101/618, details of network addresses; H04L2101/60, types of network addresses; H04L2101/00, indexing scheme associated with group H04L61/00)
All groups fall under H04L (transmission of digital information, e.g. telegraphic communication), H04 (electric communication technique), H (electricity).
Abstract
The application provides an IPv6 message encryption and decryption method based on a quantum key application mechanism. The method is realised by the cooperation of a sending end and a receiving end; for return traffic the two ends exchange roles and carry out encrypted transmission in the opposite direction with the same processing. The message is encrypted directly with a quantum key, and message encapsulation uses the extensibility of the IPv6 protocol: a new extension header is added to the IPv6 header to record the parameters used for message encryption. The innovation of the application is the direct combination of quantum-key encryption with the IPv6 message: the quantum key is used directly during message encryption and decryption, so no other key negotiation method is needed and no key negotiated by another network protocol has to be referenced, which makes the scheme safer and simpler. Because the encrypted message is encapsulated using the extensibility of IPv6, it is still a standard IPv6 message; the whole scheme conforms to the IPv6 protocol and needs no additional protocol beyond it.
Description
Technical Field
The application relates to the field of quantum communication, in particular to an IPv6 message encryption and decryption method based on a quantum key application mechanism.
Background
QKD-based IPsec: secure tunnels over conventional IP networks are established by combining quantum key distribution (QKD) with the IPsec protocol. Quantum Secure Socket Layer (QSSL) is a secure communication protocol based on quantum key distribution that protects the integrity and confidentiality of transmitted data.
The prior art contains no application scheme specific to IPv6. Conventional VPN technology provides a similar message encryption function; its central problem is key sharing, which is conventionally solved with a pre-shared key, Diffie-Hellman key exchange or an asymmetric key exchange. The well-known IKE protocol of IPsec and the SSL protocol combine Diffie-Hellman key exchange with asymmetric encryption algorithms to negotiate and exchange temporary symmetric encryption keys between the two communicating parties. The security of such conventional methods depends mainly on the chosen encryption algorithm and key management method; a vulnerability in the algorithm or in key handling can lead to data leakage or compromise.
Conventional quantum VPNs are built by modifying a conventional cryptographic protocol: IPsec is modified to accept quantum keys from QKD, or quantum keys are inserted into the SSL protocol to realise SSL key negotiation with a quantum-key concept. Because the conventional protocol was not designed for quantum keys, individual technical details are inevitably applied mechanically; and because the conventional protocol remains bound to its conventional key protocol, the complexity and redundancy of the application increase, which hinders subsequent maintenance and upgrading.
With the rapid development of the internet, network security problems are increasingly prominent. Existing encryption schemes usually rely on complex mathematical algorithms that may be attacked by future quantum computers. Quantum key encryption has therefore attracted attention: it uses the principles of quantum mechanics to distribute keys securely during transmission.
IPv6, with its flexible extensibility and large address space, is gradually replacing IPv4 as the next-generation internet protocol. Compared with the IPv4 header, the IPv6 header introduces the concept of extension headers, which can be inserted as required to extend the functions of the IPv6 header. Custom or standardised extensions can thus be added flexibly without changing the basic header structure, which lets IPv6 support new functions and protocols conveniently.
Disclosure of Invention
To solve the above problems, and because network traffic in network applications is often encrypted to ensure transmission security, the application provides an IPv6 message encryption and decryption method based on a quantum key application mechanism. Its aim is to improve the security of IPv6 message transmission and to protect the confidentiality and integrity of data in transit.
The method is realised by the cooperation of a sending end and a receiving end; for return traffic the two ends exchange roles and carry out encrypted transmission in the opposite direction with the same processing. Message encryption combines symmetric encryption with HMAC verification, both based on quantum keys generated by quantum communication. The message is encrypted directly with a quantum key: the quantum keys produced by QKD are stored in a security module (a hardware security module or a software key container); the encrypted message is obtained by calling the security module's encryption service interface with an encryption key identifier and the designated encryption algorithm, and the verification code is obtained by calling the security module's verification service interface with a verification key identifier. Message encapsulation uses the extensibility of the IPv6 protocol: a new extension header is added to the IPv6 header to record the parameters used for encrypting the message, and the new IPv6 payload consists of the verification code computed with the quantum key followed by the ciphertext of the original payload. The messages before and after encryption and encapsulation therefore still conform to the IPv6 message format and can be transmitted over the original link, which realises the encrypted transmission flow of IPv6 messages between two end points.
In one embodiment, an IPv6 message encryption and decryption method based on a quantum key application mechanism has the features above: the sending end and the receiving end cooperate and exchange roles for return traffic; message encryption combines symmetric encryption with HMAC verification based on quantum keys generated by quantum communication; the quantum keys from QKD are held in a security module (hardware security module or software key container) whose encryption and verification service interfaces are called with the encryption key identifier and the designated algorithm, and with the verification key identifier, respectively; and the encrypted message is encapsulated with a new IPv6 extension header recording the encryption parameters, the new payload consisting of the verification code and the original payload ciphertext, so that the messages before and after encryption and encapsulation still conform to the IPv6 format and the whole process of encrypted transmission of the IPv6 message by quantum key between two end points is realised.
In one embodiment, the method comprises the following steps.
Step 1: Quantum key generation by quantum communication. Quantum key distribution is realised over quantum secure communication lines with QKD equipment, producing a consistent quantum key at the sender and the receiver. A key storage pool stores the generated quantum keys; optional key storage methods include a hardware security module or a software key container.
Step 2: Message encryption. An IPv6 protocol message is hooked from the network device; an IPv6 channel identifier is determined from the IPv6 source address, destination address and flow label; the key identifiers of two quantum keys are acquired at random from the security module and bound to the IPv6 channel, one being the encryption key identifier used to encrypt the message and the other the verification key identifier used to compute the message verification code; the message is then encrypted directly with the quantum key. When message encryption is complete, the encryption key identifier, verification key identifier, message ciphertext, ciphertext verification code and the encryption algorithm information used are passed to the subsequent message encapsulation link for IPv6 message encapsulation.
Step 3: Message encapsulation. The IPv6 ciphertext message is encapsulated; the encapsulated IPv6 message is the IPv6 tunnel message.
Step 4: Message sending. The IPv6 tunnel message is pushed back into the protocol stack, which sends it in the original way.
Step 5: Message receiving. The receiving end receives the network message on its network device and, through a hook, captures messages carrying the custom IPv6 header type of this method for subsequent decapsulation.
Step 6: Message decapsulation. The extension header of the IPv6 tunnel message is parsed; the encryption key identifier, verification key identifier, encryption algorithm identifier and verification algorithm identifier are extracted from it, and the verification code and message ciphertext are parsed from the payload.
Step 7: Receiving-end message decryption. The encrypted message is verified and decrypted according to the decapsulation information, and the original IPv6 payload is recovered.
In one embodiment, the message encapsulation of step 3 proceeds as follows:
Step 1: A new extension header is added. It follows the IPv6 message format definition; its fields are as follows:
Step 2: The new extension header is inserted in front of the first extension header of the IPv6 message header.
Step 3: The payload is encapsulated: the new message payload consists of the HMAC verification code followed by the message ciphertext and is placed after the IPv6 message header.
Step 4: The payload length of the IPv6 message is recalculated according to the IPv6 protocol and the payload length field of the message header is updated.
Step 5: IPv6 ciphertext message encapsulation is complete; the encapsulated IPv6 message is the IPv6 tunnel message.
In one embodiment, the receiving-end message decryption of step 7 proceeds as follows:
Step 1: Quantum key retrieval. The quantum keys are looked up in the security module according to the encryption key identifier and the verification key identifier obtained by decapsulation.
Step 2: Ciphertext data verification. According to the verification algorithm identifier, the corresponding algorithm and the retrieved verification key identifier are used to call the verification service interface of the security module to verify the message; verification passes when the computed code is confirmed to match the verification code parsed from the payload.
Step 3: Payload recovery. According to the encryption algorithm identifier, the corresponding decryption algorithm and the retrieved encryption key identifier are used to call the decryption service interface of the security module to decrypt the message and recover the original message.
The application directly combines quantum-key encryption with the IPv6 message as its innovation point; the specific technical innovation is embodied in two aspects.
1. When encrypting and decrypting the message, the method uses the quantum key directly, with no other key negotiation method and no key negotiated by another network protocol, which makes the scheme safer and simpler.
2. The method encapsulates the encrypted message using the extensibility of the IPv6 protocol, so the encrypted message is still a standard IPv6 message; the messages of the whole scheme conform to the IPv6 protocol and no additional protocol is needed.
The method is based on quantum key distribution technology and encrypts the IPv6 message with the key delivered by QKD. Its advantages are mainly the following.
Higher level of security: compared with conventional key negotiation schemes, the key used by the method is obtained by quantum key distribution, which provides unconditional security and can detect eavesdropping; because key distribution relies on the principles of quantum mechanics, the key distribution and communication process is safer and more reliable.
Simplified communication flow: because the security of key distribution is guaranteed by the no-cloning and eavesdropping-detection properties of quantum mechanics, the communicating parties can encrypt directly within the IPv6 protocol using the distributed quantum key. Compared with conventional SSL or IPsec schemes, encrypting directly over the IPv6 protocol simplifies the communication flow: the conventional schemes need a handshake, negotiation and secure tunnel establishment before encrypted communication, whereas the application omits the handshake and establishment processes, reducing protocol overhead and simplifying the flow.
Better compatibility: because encryption is applied directly at the IPv6 protocol layer, the encryption function is more transparent and integrates seamlessly into existing network equipment and protocol stacks, so network devices and applications can use the encryption function of the IPv6 protocol without additional configuration or modification.
Combining the quantum key with the IPv6 protocol achieves encrypted transmission of IPv6 messages. Because quantum encryption technology is used, with encryption algorithms and protocols built on the principles of quantum mechanics, the scheme provides a higher level of security than conventional encryption; quantum encryption is held to be unbreakable and able to detect information leakage, so it can resist attack methods that conventional computers cannot counter, such as attack and cracking by quantum computers.
Quantum encryption is an emerging encryption technology that brings innovation to the field of network security. Designing and implementing an IPv6 messaging system based on quantum encryption will promote related research and applications and push forward network security technology as a whole.
On the other hand, the IPv6 protocol has flexible extensibility and a wide address space and suits a variety of network environments and application scenarios, yet IPv6 is still not widely applied in the current network evolution. Designing and implementing an IPv6 messaging system based on quantum encryption can promote the application and further development of IPv6 technology in the security field, accelerate the popularisation of IPv6, and lay a foundation for a safer and more reliable internet.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of the IPv6 message encryption implementation principle of the application;
Fig. 2 is a schematic diagram of IPv6 encrypted message encapsulation according to the application;
Fig. 3 is a diagram of the encrypted IPv6 message format according to the application.
Detailed Description
In order that those skilled in the art will better understand the technical solutions of the present application, the present application will be further described with reference to examples, and it is apparent that the described examples are only some of the examples of the present application, not all the examples. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, shall fall within the scope of the application. The application is further described below with reference to the drawings and examples.
As shown in Fig. 1, the method is carried out by the cooperation of the sending end and the receiving end. The figure describes one encrypted transmission of an IPv6 message with the method; for return traffic the sending end and the receiving end exchange roles and carry out encrypted transmission in the opposite direction with the same processing. The implementation flow is described step by step below.
1. Quantum key generation by quantum communication
Quantum key distribution over quantum secure communication lines with QKD devices generates consistent quantum keys at the sender and the receiver. Key generation and key use are performed asynchronously: a key storage pool stores the generated quantum keys, and to protect them from unauthorised access and theft a suitable key protection method must be chosen so that key storage and use are secure. Alternative key storage methods are a hardware security module (HSM) or a software key container. Once stored, the quantum keys are supplied as the encryption and decryption keys for the subsequent message encryption and message decryption links.
2. Message encryption
Message encryption is based on the quantum key generated by quantum communication and combines symmetric encryption with HMAC verification to encrypt and verify the message. First, an IPv6 protocol message is hooked from the network device. Then an IPv6 channel identifier is determined from the IPv6 Source Address, Destination Address and Flow Label; the key identifiers of two quantum keys (one the encryption key identifier used to encrypt the message, the other the verification key identifier used to compute the message verification code) are acquired at random from the key storage pool and bound to the channel. How many messages, or for how long, the channel uses those quantum keys depends on the quantum key update strategy (a key update threshold can be set according to the channel's traffic volume or usage time). Finally, the message is encrypted directly with the quantum key: the quantum keys produced by QKD are stored in a security module such as a hardware security module or a software key container; the encrypted message is obtained by calling the security module's encryption service interface with the encryption key identifier and the designated encryption algorithm, and the HMAC verification code is computed by calling the security module's verification service interface with the verification key identifier. When message encryption is complete, the encryption key identifier, verification key identifier, message ciphertext, ciphertext verification code, encryption algorithm and related information are passed to the subsequent message encapsulation link for IPv6 message encapsulation.
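The channel binding and key update strategy of step 2 above, as an added example in Python; it is not the patent's code. The names ChannelKeyBinder and keys_for are hypothetical, the key pool is modelled as a list of unused key identifiers, and the update threshold is modelled as a byte count plus a time limit, none of which the page fixes.

```python
"""Added example (not from the patent): bind each IPv6 channel to a pair of
quantum key identifiers and rebind once a usage threshold is crossed."""
import secrets
import struct
import time


class ChannelKeyBinder:
    """Maps each IPv6 channel (source address, destination address, flow
    label) to an (encryption key id, verification key id) pair drawn at
    random from the pool, and draws a fresh pair once the channel has
    carried byte_limit bytes or has used the pair for time_limit seconds.
    Both thresholds are assumptions; the page only says a threshold may be
    set by traffic volume or usage time."""

    def __init__(self, key_pool, byte_limit, time_limit, clock=time.monotonic):
        self.pool = list(key_pool)      # unused key identifiers (assumed model)
        self.byte_limit = byte_limit
        self.time_limit = time_limit
        self.clock = clock              # injectable so tests can move time
        self.bindings = {}              # channel id -> binding state

    @staticmethod
    def channel_id(packet):
        """Channel identifier from the fixed 40-byte IPv6 header: the flow
        label is the low 20 bits of the first 32-bit word; source and
        destination addresses sit at offsets 8 and 24."""
        if len(packet) < 40 or packet[0] >> 4 != 6:
            raise ValueError("not an IPv6 packet")
        first_word = struct.unpack_from("!I", packet, 0)[0]
        return (bytes(packet[8:24]), bytes(packet[24:40]), first_word & 0xFFFFF)

    def _draw_key_id(self):
        # Random selection, as the page describes; the identifier leaves the
        # pool so the same quantum key is never bound to two channels.
        if not self.pool:
            raise RuntimeError("quantum key pool exhausted")
        return self.pool.pop(secrets.randbelow(len(self.pool)))

    def keys_for(self, packet):
        """Return the key pair bound to this packet's channel, rebinding
        first if the update threshold has been reached."""
        cid = self.channel_id(packet)
        now = self.clock()
        state = self.bindings.get(cid)
        expired = state is not None and (
            state["bytes"] >= self.byte_limit
            or now - state["since"] >= self.time_limit)
        if state is None or expired:
            state = {"enc": self._draw_key_id(), "mac": self._draw_key_id(),
                     "bytes": 0, "since": now}
            self.bindings[cid] = state
        state["bytes"] += len(packet)
        return state["enc"], state["mac"]
```

Because identifiers are removed from the pool when drawn, a rebind can never hand a channel a key that another channel, or the same channel earlier, has already used; that property is what makes a byte or time threshold an effective limit on how much traffic any one quantum key protects.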
3. Message encapsulation
Message encapsulation uses the extensibility of the IPv6 protocol to add a new extension header (Extension Header) to the IPv6 message header, recording the parameters used for message encryption, so that the messages before and after encryption and encapsulation still conform to the IPv6 message format definition.
As shown in Fig. 2, the upper table is the IPv6 header and the lower table is the extension header added by this solution. Arrow <1> shows the Next Header field of the original IPv6 header being changed to the custom type value 0x89 of this solution; arrow <2> shows the original IPv6 Next Header value being recorded in the Next Header field of the new extension header; arrow <3> shows where the whole new extension header is placed within the original IPv6 message.
The specific encapsulation process is as follows:
3.1. A new extension header is added. It follows the IPv6 message format definition; its fields are as follows:
Table (1): format of the new extension header
3.2. The new extension header is inserted in front of the first extension header of the IPv6 message header.
3.3. The payload is encapsulated. As shown in Fig. 3, the new payload is formed by concatenating the HMAC verification code and the message ciphertext and is placed after the IPv6 message header.
3.4. The payload length of the IPv6 message is recalculated according to the IPv6 protocol and the payload length field of the message header is updated.
3.5. IPv6 ciphertext message encapsulation is complete; the new IPv6 message is the IPv6 tunnel message. The encapsulated message is handed to the message sending link for further processing.
4. Transmitting a message
The IPv6 tunnel message encapsulated above is pushed back into the protocol stack, which sends it in the original way. This completes the sending-end processing; the encrypted message reaches the receiving end, which performs message decryption and recovery.
5. Receiving a message
The receiving end receives the network message on its network device; a hook captures messages whose IPv6 Next Header carries the custom type 0x89 of this method for subsequent decapsulation.
6. Message decapsulation
The extension header corresponding to the Next Header type 0x89 of the IPv6 tunnel message is parsed; the encryption key identifier, verification key identifier, encryption algorithm identifier and verification algorithm identifier are extracted from it, and the verification code and message ciphertext are parsed from the payload. The extracted information is passed to the subsequent message decryption link.
7. Receiving end message decryption
The encrypted message is verified and decrypted according to the decapsulation information and the original IPv6 payload is recovered. The decryption process is as follows:
7.1. Quantum key retrieval: the quantum keys are looked up in the security module according to the encryption key identifier and verification key identifier obtained by decapsulation.
7.2. Ciphertext data verification: according to the verification algorithm identifier, the corresponding algorithm and the retrieved verification key identifier are used to call the verification service interface of the security module to verify the message; verification passes when the computed code matches the verification code parsed from the payload.
7.3. Payload recovery: according to the encryption algorithm identifier, the corresponding decryption algorithm and the retrieved encryption key identifier are used to call the decryption service interface of the security module to decrypt the message and recover the original message.
After these steps the whole process of encrypted transmission of the IPv6 message by quantum key is complete, and the method realises the encrypted transmission flow of IPv6 messages between two end points.
It will be readily appreciated by those skilled in the art that the above advantageous ways can be freely combined and superimposed without conflict.
The foregoing description of the preferred embodiments of the application is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the application. The foregoing is merely a preferred embodiment of the present application, and it should be noted that it will be apparent to those skilled in the art that modifications and variations can be made without departing from the technical principles of the present application, and these modifications and variations should also be regarded as the scope of the application.
Claims (4)
1. An IPv6 message encryption and decryption method based on a quantum key application mechanism, characterized in that the method is carried out by the cooperation of a sending end and a receiving end, and on the return path the sending end and the receiving end exchange roles and achieve encrypted transmission in the reverse direction with the same processing; message encryption encrypts and verifies the message using a combination of symmetric encryption and HMAC verification based on a quantum key generated by quantum communication; the message is encrypted directly with the quantum key, the quantum key generated by QKD distribution is stored in a security module, the security module being a hardware security module or a software key container, the encrypted message is obtained by calling the encryption service interface of the security module with an encryption key identifier and a designated encryption algorithm to encrypt the IPv6 message, and the verification code is generated by calling the verification service interface of the security module with a verification key identifier; and message encapsulation uses the extensibility of the IPv6 protocol to add a new extension message header to the IPv6 message header, recording the parameters used to encrypt the message, with the new IPv6 payload consisting of the verification code computed with the quantum key and the ciphertext of the original payload, so that the messages before and after encryption and encapsulation still conform to the IPv6 message format definition and can be transmitted over the original link, thereby realizing an encrypted transmission flow for IPv6 messages between two end points.
2. The method according to claim 1, characterized in that it comprises the steps of:
step 1: quantum key generation, in which quantum communication generates a quantum key, quantum secret communication lines and QKD equipment realize quantum key distribution so that a consistent quantum key is generated between the sender and the receiver, and a key storage pool stores the generated quantum key, an optional key storage method being a hardware security module or a software key container;
step 2: message encryption, in which an IPv6 protocol message is hooked from the network equipment, an IPv6 channel identifier is determined from the IPv6 source address, destination address and flow label, the key identifiers of two quantum keys are randomly acquired from the security module and bound to the IPv6 channel, one of the two key identifiers being the encryption key identifier used to encrypt the message and the other the verification key identifier used to compute the message verification code, after which the message is encrypted directly with the quantum key; when message encryption is complete, the encryption key identifier, verification key identifier, message ciphertext, ciphertext verification code and the encryption algorithm information used for encryption are passed to the subsequent message encapsulation step for IPv6 message encapsulation;
step 3: message encapsulation, in which the IPv6 ciphertext message is encapsulated, the encapsulated IPv6 message being an IPv6 tunnel message;
step 4: message sending, in which the IPv6 tunnel message is pushed back to the protocol stack, which sends the message in the original sending mode;
step 5: message receiving, in which the receiving end receives the network message on the network equipment and a hook intercepts messages carrying the method's self-defined IPv6 header type for subsequent decapsulation;
step 6: message decapsulation, in which the extension message header of the IPv6 tunnel message is parsed, the encryption key identifier, verification key identifier, encryption algorithm identifier and verification algorithm identifier are extracted from the extension message header, and the verification code and message ciphertext are parsed from the payload;
step 7: receiving-end message decryption, in which the encrypted message is decrypted and verified according to the decapsulation information and the original IPv6 payload is recovered.
3. The method according to claim 2, wherein in step 3, the message encapsulation procedure is as follows:
step 1: a new extension message header is added, following the IPv6 message format definition, with each field as follows:
step 2: the new extension message header is inserted in front of the first extension message header of the IPv6 message header;
step 3: the payload is packaged, the new message payload consisting of the HMAC verification code and the message ciphertext, placed after the IPv6 message header;
step 4: the payload length of the IPv6 message is recalculated according to the IPv6 protocol and the payload length in the message header is updated;
step 5: encapsulation of the IPv6 ciphertext message is complete, and the encapsulated IPv6 message is the IPv6 tunnel message.
4. The method according to claim 2, wherein in step 7, the receiving-side message decryption process is as follows:
step 1: quantum key retrieval: searching a quantum key of the quantum key in the security module according to the unpacked encryption key identification and the verification key identification;
step 2: ciphertext data verification: according to the verification algorithm identification, a corresponding algorithm and the retrieved verification key identification are used for calling a verification service interface of the security module to verify the message, and verification is passed after the verification is confirmed to be consistent with the verification code analyzed in the load;
step 3: load recovery: and according to the encryption algorithm identification algorithm, a corresponding decryption algorithm and the retrieved quantum key identification are used for calling a decryption service interface of the security module to decrypt the message, and the original message is recovered.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311218729.1A CN117155568A (en) | 2023-09-21 | 2023-09-21 | IPv6 message encryption and decryption method based on quantum key application mechanism |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311218729.1A CN117155568A (en) | 2023-09-21 | 2023-09-21 | IPv6 message encryption and decryption method based on quantum key application mechanism |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117155568A true CN117155568A (en) | 2023-12-01 |
Family
ID=88884179
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311218729.1A Pending CN117155568A (en) | 2023-09-21 | 2023-09-21 | IPv6 message encryption and decryption method based on quantum key application mechanism |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117155568A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118694527A (en) * | 2024-08-28 | 2024-09-24 | 中电信量子信息科技集团有限公司 | Information protection method, communication method, network device, communication system, and storage medium |
2023
- 2023-09-21 CN CN202311218729.1A patent/CN117155568A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107018134B (en) | Power distribution terminal safety access platform and implementation method thereof | |
CN102625995B (en) | Galois/counter mode encryption in a wireless network | |
US9209969B2 (en) | System and method of per-packet keying | |
US8379638B2 (en) | Security encapsulation of ethernet frames | |
CN106357690B (en) | data transmission method, data sending device and data receiving device | |
CN111614621B (en) | Internet of things communication method and system | |
CN110061996A (en) | A kind of data transmission method, device, equipment and readable storage medium storing program for executing | |
CN108900540B (en) | Service data processing method of power distribution terminal based on double encryption | |
CN111756627A (en) | Cloud platform security access gateway of electric power monitored control system | |
CN115567206A (en) | Method and system for realizing encryption and decryption of network data message by quantum distribution key | |
CN113572766A (en) | Power data transmission method and system | |
CN117155568A (en) | IPv6 message encryption and decryption method based on quantum key application mechanism | |
CN113950802B (en) | Gateway device and method for performing site-to-site communication | |
CN115567205A (en) | Method and system for realizing encryption and decryption of network session data stream by quantum key distribution | |
CN115242392A (en) | Method and system for realizing industrial information safety transmission based on safety transmission protocol | |
CN118214558B (en) | Data circulation processing method, system, device and storage medium | |
CN113973001A (en) | Method and device for updating authentication key | |
CN101325486B (en) | Method and apparatus for transferring field permission cryptographic key | |
CN114039812B (en) | Data transmission channel establishment method, device, computer equipment and storage medium | |
CN108111515B (en) | End-to-end secure communication encryption method suitable for satellite communication | |
CN112787819B (en) | Industrial control safety communication system and communication method | |
CN111935112B (en) | Cross-network data security ferrying device and method based on serial | |
CN111310211A (en) | Method for encrypting database by using SM4 algorithm | |
CN117544951B (en) | 5G internet of things security gateway | |
CN118740374A (en) | Quantum encryption and national encryption integrated encryption equipment and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||