CN110086627B - Quantum communication service station key negotiation method and system based on asymmetric key pool pair and time stamp - Google Patents
- Publication number
- CN110086627B
- Authority
- CN
- China
- Prior art keywords
- key
- service station
- party
- encrypted
- parameter
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Abstract
The application relates to a quantum communication service station key agreement method and system based on an asymmetric key pool pair and a time stamp. In this application, the key fob used is a stand-alone hardware isolated device. The public key, the private key and other related parameters are stored in a data security area in the key fob, so that the possibility of stealing the key by malicious software or malicious operation is greatly reduced, and the key cannot be acquired and cracked by a quantum computer; meanwhile, the authentication flow based on the symmetric key algorithm is improved, so that data in the authentication flow is encrypted and protected by the asymmetric key, the data encrypted by the public key can only be decrypted by the private key owner, and any other person cannot decrypt the data, and therefore the security of the authentication flow based on the symmetric key algorithm is improved.
Description
Technical Field
The present disclosure relates to the field of secure communications technologies, and in particular, to a method and a system for quantum communication service station key negotiation based on asymmetric key pool pairs and timestamps.
Background
The rapidly developing Internet brings great convenience to people's life and work; people can stay at home and send and receive e-mail, make calls, shop online, make bank transfers and carry out other activities over the Internet. At the same time, network information security is becoming a potentially huge problem. Generally, network information faces the following security risks: information is stolen, information is tampered with, attackers forge information, information is maliciously destroyed, etc.
Identity authentication is one of the means of protecting people's network information. Identity authentication, also called "identity verification", refers to the process of confirming the identity of an operator in a computer or computer network system, so as to determine whether the user has the right to access and use a certain resource, to enable the access policies of the computer and network system to be executed reliably and effectively, to prevent an attacker from impersonating a legitimate user to obtain access rights to the resource, and to ensure the security of the system and data and the legitimate interests of authorized visitors.
At present, successful identity authentication depends mainly on cryptography. In cryptography today there are two main types of cryptosystem. One is the symmetric key cryptosystem, in which the encryption key and the decryption key are the same. The other is the public key cryptosystem, in which the encryption key and the decryption key are different and one of them can be made public. Most identity authentication algorithms currently in use rely mainly on public key cryptography.
The encryption key (public key) and the decryption key (private key) employed by the public key encryption system are different. Since the encryption key is public, distribution and management of keys is simple, and the public key encryption system can easily implement digital signatures.
Since the advent of public key encryption, scholars have proposed many public key encryption methods, the security of which is based on hard mathematical problems. Classified according to the mathematical problem on which they are based, there are three types of systems currently considered safe and effective: large integer factorization systems (typically RSA), discrete logarithm systems (typically DSA), and elliptic curve discrete logarithm systems (ECC).
However, with the development of quantum computers, classical asymmetric key encryption algorithms are no longer secure: whether for encryption and decryption or for key exchange, a quantum computer can compute the private key from the public key, so the asymmetric keys in common use today become vulnerable in the quantum era. Current quantum key distribution (QKD) devices can ensure that the negotiated key cannot be obtained. But QKD is used mainly on quantum trunk lines, and the link from user equipment to the quantum communication service station is still a classical network, so it is difficult to guarantee the security of the identity authentication process by relying on asymmetric algorithms.
Problems of the prior art:
1. A symmetric key pool is used between the quantum communication service station and the quantum key card; its capacity is huge, which puts pressure on the key storage of the quantum communication service station;
2. Because of the huge key capacity of the symmetric key pool, the quantum communication service station has to store the keys in encrypted form on an ordinary storage medium such as a hard disk, and cannot store them in the key fob of the quantum communication service station;
3. Because of the huge key capacity of the symmetric key pool, key backup is troublesome.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a quantum communication service station key agreement method and system based on an asymmetric key pool pair and a timestamp.
The application discloses a quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, which is implemented on the active party and comprises the following steps:
generating an authentication parameter NA and an encryption parameter KR, and sending to the service station the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the service station public key; the authentication parameter NA is used by the service station to generate a ticket TICKET, and the ticket TICKET is used for verification by the passive party;
acquiring from the service station an encryption parameter KA encrypted with the active party public key, the authentication parameter NA encrypted with the encryption parameter KA, a session key KAB and the ticket TICKET, wherein the session key KAB is generated by the service station; decrypting and verifying the authentication parameter NA, then trusting the session key KAB and sending the ticket TICKET to the passive party; the ticket TICKET is used for verification by the passive party;
acquiring from the passive party the authentication parameter NA and an authentication parameter NB encrypted with the session key KAB, wherein the authentication parameter NB is generated by the passive party; decrypting and verifying the authentication parameter NA and then trusting the session key KAB; sending the authentication parameter NB encrypted with the session key KAB to the passive party, the authentication parameter NB being used by the passive party to verify and trust the session key KAB.
The application discloses a quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, which is implemented at the service station and comprises the following steps:
acquiring from the active party an authentication parameter NA encrypted with an encryption parameter KR, and the encryption parameter KR encrypted with the service station public key; the authentication parameter NA and the encryption parameter KR are generated by the active party; generating a session key KAB, an encryption parameter KA, an encryption parameter KB and a timestamp T1 of the current time, and making a ticket TICKET, wherein the ticket TICKET comprises the encryption parameter KB encrypted with the passive party public key, the authentication parameter NA encrypted with the encryption parameter KB, the session key KAB and the timestamp T1; and sending to the active party the encryption parameter KA encrypted with the active party public key, the authentication parameter NA encrypted with the encryption parameter KA, the session key KAB and the ticket TICKET.
The application discloses a quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, which is implemented on the passive party and comprises the following steps:
receiving a ticket TICKET from the active party and generating a timestamp T2 of the time the message was received, wherein the ticket TICKET comprises an encryption parameter KB generated by the service station and encrypted with the passive party public key, an authentication parameter NA generated by the active party and encrypted with the encryption parameter KB, a session key KAB generated by the service station, and a timestamp T1; decrypting and verifying that the difference between the timestamp T1 and the timestamp T2 is less than or equal to a preset value; trusting the ticket TICKET and generating an authentication parameter NB, and sending to the active party the authentication parameter NA and the authentication parameter NB encrypted with the session key KAB; the authentication parameter NA is used by the active party for verification;
acquiring from the active party the authentication parameter NB encrypted with the session key KAB, decrypting and verifying the authentication parameter NB, and then trusting the session key KAB.
The application discloses a quantum communication service station key agreement method based on an asymmetric key pool pair and a timestamp, wherein the quantum communication service station key agreement method comprises the following steps:
the active party generates an authentication parameter NA and an encryption parameter KR, and sends to the service station the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the service station public key;
the service station acquires and decrypts these, generates a session key KAB, an encryption parameter KA, an encryption parameter KB and a timestamp T1 of the current time, and makes a ticket TICKET, wherein the ticket TICKET comprises the encryption parameter KB encrypted with the passive party public key, the authentication parameter NA encrypted with the encryption parameter KB, the session key KAB and the timestamp T1; it sends to the active party the encryption parameter KA encrypted with the active party public key, the authentication parameter NA encrypted with the encryption parameter KA, the session key KAB and the ticket TICKET;
the active party acquires these, decrypts and verifies the authentication parameter NA, then trusts the session key KAB and sends the ticket TICKET to the passive party;
the passive party acquires and decrypts the ticket and verifies that the difference between the timestamp T1 and the timestamp T2 is less than or equal to a preset value; it trusts the ticket TICKET, generates an authentication parameter NB, and sends to the active party the authentication parameter NA and the authentication parameter NB encrypted with the session key KAB;
the active party acquires these, decrypts and verifies the authentication parameter NA, and then trusts the session key KAB; it sends the authentication parameter NB encrypted with the session key KAB to the passive party;
the passive party acquires this, decrypts and verifies the authentication parameter NB, and then trusts the session key KAB.
Further, the service stations are divided into a service station QA and a service station QB, the active party is a sub-device of the service station QA, and the passive party is a sub-device of the service station QB;
the service station QA acquires from the active party the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the service station public key; it decrypts them, generates the session key KAB, and encrypts and sends the authentication parameter NA and the session key KAB to the service station QB;
the service station QB acquires and decrypts these, generates the encryption parameter KB and a timestamp T1 of the current time, and makes a ticket TICKET, wherein the ticket TICKET comprises the encryption parameter KB encrypted with the passive party public key, the authentication parameter NA encrypted with the encryption parameter KB, the session key KAB and the timestamp T1; it encrypts and sends the ticket TICKET to the service station QA;
the service station QA acquires and decrypts the ticket TICKET, generates an encryption parameter KA, and sends the encryption parameter KA encrypted with the active party public key, the authentication parameter NA encrypted with the encryption parameter KA, the session key KAB and the ticket TICKET to the client.
Further, the session key KAB is split into a message encryption and decryption key KABE and a message authentication key KABA.
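The ticket check on the passive party and the NA/NB confirmation that follows it can be traced in code; this is an added example, not code from the patent. It assumes that NA, KAB and T1 all sit inside the part of the TICKET encrypted under KB, that KB has already been recovered with the passive party private key inside the key fob, that KAB splits into KABE and KABA as its two halves, and it uses an HMAC-SHA256 encrypt-then-MAC stand-in for the unspecified symmetric cipher; all function names, sizes and the preset value are illustrative.

```python
import hashlib
import hmac
import os
import struct

PRESET = 5       # allowed |T2 - T1| in seconds (constructed value)
PARAM_LEN = 16   # length of NA / NB (assumption)
KEY_LEN = 32     # KB and KAB: 16-byte encryption half + 16-byte MAC half


def _keystream(enc_key, iv, length):
    """HMAC-SHA256 in counter mode; stand-in for the unspecified cipher."""
    blocks = [hmac.new(enc_key, iv + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC; key[:16] plays the role of KABE, key[16:] of KABA."""
    enc_key, mac_key = key[:16], key[16:]
    iv = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def unseal(key, blob):
    """Verify the tag first, then decrypt; raises ValueError on any tampering."""
    enc_key, mac_key = key[:16], key[16:]
    if len(blob) < 48:
        raise ValueError("blob too short")
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, iv, len(ct))))


def station_make_ticket(kb, na, kab, t1):
    """Service station: the KB-encrypted part of TICKET (NA, KAB, T1)."""
    return seal(kb, na + kab + struct.pack(">Q", t1))


def passive_open_ticket(kb, ticket, t2, preset=PRESET):
    """Passive party: decrypt, check |T2 - T1| <= preset, then challenge with NB."""
    pt = unseal(kb, ticket)
    if len(pt) != PARAM_LEN + KEY_LEN + 8:
        raise ValueError("malformed ticket")
    na, kab = pt[:PARAM_LEN], pt[PARAM_LEN:PARAM_LEN + KEY_LEN]
    (t1,) = struct.unpack(">Q", pt[-8:])
    if abs(t2 - t1) > preset:
        raise ValueError("ticket outside freshness window")
    nb = os.urandom(PARAM_LEN)
    return kab, nb, seal(kab, na + nb)   # NA and NB encrypted with KAB


def active_answer(kab, na, challenge):
    """Active party: verify its own NA came back, then return NB under KAB."""
    pt = unseal(kab, challenge)
    if len(pt) != 2 * PARAM_LEN or not hmac.compare_digest(pt[:PARAM_LEN], na):
        raise ValueError("NA mismatch")
    return seal(kab, pt[PARAM_LEN:])


def passive_confirm(kab, nb, answer):
    """Passive party: trust KAB only if the returned NB matches."""
    return hmac.compare_digest(unseal(kab, answer), nb)


def run_exchange(t1, t2):
    """Run ticket delivery plus NA/NB confirmation; return the outcome."""
    kb, kab = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    na = os.urandom(PARAM_LEN)
    ticket = station_make_ticket(kb, na, kab, t1)
    try:
        kab_b, nb, challenge = passive_open_ticket(kb, ticket, t2)
        # The active party holds KAB from the station's reply under KA (not modelled).
        answer = active_answer(kab, na, challenge)
        return "trusted" if passive_confirm(kab_b, nb, answer) else "NB mismatch"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(run_exchange(1000, 1003))   # within the preset window
    print(run_exchange(1000, 1006))   # ticket presented too late
```

Using the absolute difference rejects a ticket whose T1 lies ahead of the passive party's clock as well as one that arrives late.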
The application discloses an active party device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the quantum communication service station key negotiation method of the above technical solution when executing the computer program.
The application discloses a service station device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the quantum communication service station key negotiation method of the above technical solution when executing the computer program.
The application discloses a passive party device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the quantum communication service station key negotiation method of the above technical solution when executing the computer program.
The application discloses a quantum communication service station identity authentication system based on an asymmetric key pool, which comprises an active party, a passive party, a service station and a communication network; the active party is provided with an active party key card, in which a service station public key pool, an active party public key and an active party private key are stored; the passive party is provided with a passive party key card, in which a service station public key pool, a passive party public key and a passive party private key are stored; the service station is provided with a service station key card, in which a service station private key pool, an active party public key pool and a passive party public key pool are stored;
the active party, the passive party and the service station implement the quantum communication service station key negotiation method of the above technical solution through the communication network.
In this application, the key fob used is a standalone, hardware-isolated device. The public key, the private key and other related parameters are stored in a data security area in the key fob, so the possibility of the key being stolen by malicious software or malicious operation is greatly reduced, and the key cannot be acquired and cracked by a quantum computer. Because no public keys, private keys or algorithm parameters are transmitted over the classical network, the risk of the asymmetric key being cracked is low; in addition, QKD is used between the service stations to encrypt and transmit messages, so the security of the messages is strongly guaranteed. The key fob ensures the communication security of both communicating parties in the group and greatly improves the security of identity authentication. Meanwhile, the asymmetric key pool solves the problem of the key storage pressure that the symmetric key pool places on the quantum communication service station, and reduces storage cost. For example, if the original symmetric key pool of each user is 1G in size and the number of users is N, the quantum communication service station needs to store N G of key pools; if asymmetric key pools are stored instead, the key pool stored by the user end is likewise 1G, and the quantum communication service station also only needs to store a 1G key pool.
Meanwhile, the authentication flow based on the symmetric key algorithm is improved, so that data in the authentication flow is encrypted and protected by the asymmetric key, the data encrypted by the public key can only be decrypted by the private key owner, and any other person can not decrypt the data, and therefore the security of the authentication flow based on the symmetric key algorithm is improved.
Drawings
FIG. 1 is a schematic diagram of key pool distribution of a server key fob according to the present invention;
FIG. 2 is a schematic diagram of a key pool distribution of a client key fob according to the present invention;
FIG. 3 is a flowchart of authentication in embodiment 1;
FIG. 4 is an authentication flowchart of embodiment 2.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application. Unless otherwise specified, the service stations in this application are all quantum communication service stations, and each name in this application is a combination of letters and numbers; for example, Q, service station Q and service station all refer to the same thing hereinafter, namely service station Q; likewise, the device parameter IDA and IDA refer to the same thing hereinafter, namely the device parameter IDA, and the remaining names follow the same convention.
The application discloses a quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, which is implemented on the active party and comprises the following steps:
generating an authentication parameter NA and an encryption parameter KR, and sending to the service station the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the service station public key; the authentication parameter NA is used by the service station to generate a ticket TICKET, and the ticket TICKET is used for verification by the passive party;
acquiring from the service station an encryption parameter KA encrypted with the active party public key, the authentication parameter NA encrypted with the encryption parameter KA, a session key KAB and the ticket TICKET; the session key KAB is generated by the service station; decrypting and verifying the authentication parameter NA, then trusting the session key KAB and sending the ticket TICKET to the passive party; the ticket TICKET is used by the passive party to verify and to generate an authentication parameter NB;
acquiring from the passive party the authentication parameter NA and the authentication parameter NB encrypted with the session key KAB, wherein the authentication parameter NB is generated by the passive party; decrypting and verifying the authentication parameter NA and then trusting the session key KAB; and sending the authentication parameter NB encrypted with the session key KAB to the passive party, wherein the authentication parameter NB is used by the passive party to verify and trust the session key KAB.
The application discloses a quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, which is implemented at the service station and comprises the following steps:
acquiring from the active party an authentication parameter NA encrypted with an encryption parameter KR, and the encryption parameter KR encrypted with the service station public key; the authentication parameter NA and the encryption parameter KR are generated by the active party; generating a session key KAB, an encryption parameter KA, an encryption parameter KB and a timestamp T1 of the current time, and making a ticket TICKET, wherein the ticket TICKET comprises the encryption parameter KB encrypted with the passive party public key, the authentication parameter NA encrypted with the encryption parameter KB, the session key KAB and the timestamp T1; sending to the active party the encryption parameter KA encrypted with the active party public key, the authentication parameter NA encrypted with the encryption parameter KA, the session key KAB and the ticket TICKET; the ticket TICKET is used by the passive party to obtain the session key KAB after verification, so as to carry out communication.
The application discloses a quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, which is implemented on the passive party and comprises the following steps:
receiving a ticket TICKET from the active party and generating a timestamp T2 of the time the message was received, wherein the ticket TICKET comprises an encryption parameter KB generated by the service station and encrypted with the passive party public key, an authentication parameter NA generated by the active party and encrypted with the encryption parameter KB, a session key KAB generated by the service station, and a timestamp T1; decrypting and verifying that the difference between the timestamp T1 and the timestamp T2 is less than or equal to a preset value; trusting the ticket TICKET and generating an authentication parameter NB, and sending to the active party the authentication parameter NA and the authentication parameter NB encrypted with the session key KAB; the authentication parameter NA is used by the active party for verification;
and acquiring from the active party the authentication parameter NB encrypted with the session key KAB, decrypting and verifying the authentication parameter NB, and then trusting the session key KAB.
The application discloses a quantum communication service station key agreement method based on an asymmetric key pool pair and a timestamp, wherein the quantum communication service station key agreement method comprises the following steps:
the active party generates an authentication parameter NA and an encryption parameter KR, and sends to the service station the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the service station public key;
the service station acquires and decrypts these, generates a session key KAB, an encryption parameter KA, an encryption parameter KB and a timestamp T1 of the current time, and makes a ticket TICKET, wherein the ticket TICKET comprises the encryption parameter KB encrypted with the passive party public key, the authentication parameter NA encrypted with the encryption parameter KB, the session key KAB and the timestamp T1; it sends to the active party the encryption parameter KA encrypted with the active party public key, the authentication parameter NA encrypted with the encryption parameter KA, the session key KAB and the ticket TICKET;
the active party acquires these, decrypts and verifies the authentication parameter NA, then trusts the session key KAB and sends the ticket TICKET to the passive party;
the passive party acquires and decrypts the ticket and verifies that the difference between the timestamp T1 and the timestamp T2 is less than or equal to a preset value; it trusts the ticket TICKET, generates an authentication parameter NB, and sends to the active party the authentication parameter NA and the authentication parameter NB encrypted with the session key KAB;
the active party acquires these, decrypts and verifies the authentication parameter NA, and then trusts the session key KAB; it sends the authentication parameter NB encrypted with the session key KAB to the passive party;
the passive party acquires this, decrypts and verifies the authentication parameter NB, and then trusts the session key KAB.
In an embodiment, as shown in embodiment 1, the service station is divided into a service station QA and a service station QB, the active party belongs to the service station QA, and the passive party belongs to the service station QB;
the service station QA acquires from the active party the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the public key of the service station; it decrypts them, generates a session key KAB, and encrypts and sends the authentication parameter NA and the session key KAB to the service station QB;
the service station QB acquires and decrypts these, generates an encryption parameter KB and a timestamp T1 of the current time, and makes a ticket TICKET, wherein the ticket TICKET comprises the encryption parameter KB encrypted with the passive party's public key, and the authentication parameter NA, the session key KAB and the timestamp T1 encrypted with the encryption parameter KB; it encrypts the ticket TICKET and sends it to the service station QA;
the service station QA acquires and decrypts the ticket TICKET, generates an encryption parameter KA, and sends to the active party the encryption parameter KA encrypted with the active party's public key, and the authentication parameter NA, the session key KAB and the ticket TICKET encrypted with the encryption parameter KA.
In an embodiment, the session key KAB is split into a message encryption and decryption key KABE and a message authentication key KABA.
The application discloses an active party device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the quantum communication service station key negotiation method in the above technical scheme when executing the computer program.
The application discloses service station equipment, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of the quantum communication service station key negotiation method in the technical scheme when executing the computer program.
The application discloses passive side equipment, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of the key negotiation method of the quantum communication service station in the technical scheme when executing the computer program.
The application discloses a quantum communication service station identity authentication system based on an asymmetric key pool, which comprises an active party, a passive party, a service station and a communication network; the active party is configured with an active party key fob, in which a service station public key pool, an active party public key and an active party private key are stored; the passive party is configured with a passive party key fob, in which a service station public key pool, a passive party public key and a passive party private key are stored; the service station is configured with a service station key fob, in which a service station private key pool, an active party public key pool and a passive party public key pool are stored;
The active party, the passive party and the service station realize the key negotiation method of the quantum communication service station in the technical scheme through a communication network.
The actual implementation scenario of the technical scheme in the application may be that any two objects A, B under an asymmetric key pool-based system perform mutual identity authentication. Each object in the key pool system has a key fob, can store keys with large data volume, and also has the capability of processing information. In the application, algorithms with corresponding requirements exist in the local systems of the object A and the object B.
A description of key fobs can be found in the patent application No. 201610843210.6. For a mobile terminal, the key fob is preferably a key SD card; for a fixed terminal, the key fob is preferably a key USB key or a host key fob.
Compared with the patent application No. 201610843210.6, the mechanism by which key fobs are issued is different. In this patent, the issuer of the key fob is the managing party of the key fob, generally the management department of a group, such as the management department of a certain enterprise or public institution; the party to which a key fob is issued is a member managed by that managing party, typically a staff member of the enterprise or institution. The user first applies to the managing party of the key fob to open an account. Once registration is approved, the user obtains a key fob (with a unique key fob ID). The key fob stores the user's registration information. The public key pools in the client key fobs under the same quantum communication service station are all downloaded from the same key management server, and the public key pool stored in every client key fob it issues is identical. Preferably, the key pool size stored in the key fob may be 1G, 2G, 4G, 8G, 16G, 32G, 64G, 128G, 256G, 512G, 1024G, 2048G, 4096G, and so on.
The key fob is developed from smart card technology and is an identity authentication and encryption/decryption product combining cryptography, hardware security isolation and quantum physics (when it carries a quantum random number generator). The embedded chip and operating system of the key fob provide secure key storage, cryptographic algorithms and similar functions. Because of its independent data processing capability and good security, the key fob is a secure carrier for private keys and key pools. Each key fob is protected by a hardware PIN code; the PIN code and the hardware constitute the two factors a user needs in order to use the key fob. This "two-factor authentication" means that a user can log in to a system only by holding, at the same time, the key fob that stores the relevant authentication information and the user PIN code. Even if the user's PIN code is revealed, the identity of the legitimate user cannot be impersonated as long as the key fob held by the user is not stolen; if the user's key fob is lost, the finder cannot impersonate the legitimate user because the user PIN code is not known. In short, the key fob keeps secret information such as keys from appearing in plaintext on the disk or in the memory of the host, thereby effectively protecting that secret information.
In this application, key fobs are classified into server key fobs and client (i.e., active and passive) key fobs. As shown in fig. 1, the key area of the service station key fob mainly stores a client (including an active party and a passive party) public key pool and a service station private key pool; as shown in fig. 2, the key zone of the client (including the active and passive parties) key fob mainly stores a service station public key pool and a pair of public and private key pairs. The key fobs are issued by a key management server.
The key management server may select an algorithm that supports both encryption and decryption and signing prior to issuing the key fob. The key management server generates a corresponding number of numbers meeting the algorithm specification as a private key and a public key according to the number of clients. The key management server generates a corresponding number of IDs, selects a corresponding number of public and private key pairs, combines the public key and the IDs to obtain an ID/public key, and writes the ID/public key into the same file to form a public key pool file, namely the public key pool of the client. Meanwhile, the key management server writes the corresponding private key into the file in the same way to form a private key pool file, namely a client private key pool. The ID of each private key in the client private key pool is the same as the ID of the corresponding public key in the client public key pool. The key management server again generates a large number of numbers meeting the algorithm specification as private and public keys. The key management server writes the public and private keys into two files to form a service station public key pool and a service station private key pool. The public key in the service station public key pool corresponds to the private key in the same position in the service station private key pool. The key management server defines the first key fob issued as a service station key fob and writes the service station private key pool and client public key pool and associated algorithm parameters to the key zone of the key fob. The key cards issued by the key management server subsequently are all client-side key cards. 
The key management server randomly selects an unassigned ID and assigns it to the key fob, takes the public and private keys corresponding to that ID from the client public key pool and the client private key pool, writes them into the key area of the key fob together with the service station public key pool, and writes the relevant parameters into the key fob.
In the specific embodiments of the application, client A is the active party and client B is the passive party.
Example 1
System description
As shown in fig. 3, the scenario of this embodiment includes a client A, i.e., the active party, a client B, i.e., the passive party, and a service station comprising a quantum communication service station QA and a quantum communication service station QB, referred to simply as service station QA and service station QB. QA and QB each have their own key management server. Client A and client B are each provided with a client key fob, and quantum communication service station QA and quantum communication service station QB are each provided with a service station key fob. Client A belongs to the quantum communication service station QA and client B belongs to the quantum communication service station QB, that is, the key fobs of A and B are issued by the key management servers of QA and QB, respectively. Let the ID of client A be IDA, its public key PKA and its private key SKA; let the ID of client B be IDB, its public key PKB and its private key SKB.
Step 1: client A initiates an authentication request with client B to the service station QA.
Client A generates a Request for identity authentication with client B, wherein the Request contains IDA||IDB and other necessary information. Client A generates true random numbers KR and NA with its matched random number generator, and symmetrically encrypts the Request and NA with KR to obtain {Request||NA}KR.
Client A generates a true random number RI with its matched random number generator, and applies the asymmetric key pointer function fkp to RI to obtain the key position pointer kpI. Client A takes the public key PKQAI of the service station QA from the service station public key pool in its own key fob according to the key position pointer. Client A encrypts KR with PKQAI to obtain {KR}PKQAI.
Client A sends RI||{Request||NA}KR||{KR}PKQAI to the service station QA.
Step 2: the quantum communication service station QA forwards the request to the quantum communication service station QB.
After receiving RI||{Request||NA}KR||{KR}PKQAI, the service station QA applies the asymmetric key pointer function fkp to the true random number RI to obtain the key position pointer kpI. The service station QA takes its own private key SKQAI from the service station private key pool in its own key fob according to the key position pointer. The service station QA decrypts {KR}PKQAI with SKQAI to obtain KR. The service station QA decrypts {Request||NA}KR with the recovered KR to obtain the Request and NA.
The service station QA generates a session key KAB between client A and client B with its matched key fob, encrypts Request||NA||KAB with the QKD-negotiated key, and sends it to QB.
Step 3: the quantum communication service station QB returns the TICKET to the quantum communication service station QA.
The service station QB receives the message from the service station QA and decrypts it with the QKD-negotiated key to obtain Request||NA||KAB.
The service station QB generates a true random number KB and symmetrically encrypts Request||NA||KAB with KB; the time T1 that the service station QB obtains as a timestamp is encrypted together with them. According to the IDB in the Request, the service station QB then takes the public key PKB of client B from the client public key pool and encrypts KB with it, obtaining {Request||NA||KAB||T1}KB||{KB}PKB as the TICKET. The TICKET is encrypted with the QKD-negotiated key and sent to QA.
Step 4: the quantum communication service station QA sends the TICKET to client A.
After receiving the TICKET encrypted with the QKD key, the service station QA decrypts it with the QKD key, generates a true random number KA, and encrypts the TICKET and Request||NA||KAB with KA. According to the IDA in the Request, it takes the public key PKA of client A from the client public key pool and encrypts KA with it. It sends {Request||NA||KAB||TICKET}KA||{KA}PKA to client A.
Step 5: after verifying the message, client A sends the TICKET to client B.
Client A decrypts with the private key SKA to obtain KA, decrypts with KA to obtain Request||NA||KAB||TICKET, and checks whether NA equals the local NA; if so, it trusts KAB as the session key for communication with client B. It then sends the TICKET to client B.
Step 6: client B verifies the timestamp validity.
After receiving the TICKET, client B records the local time T2 at which the message was received. It decrypts with the private key SKB to obtain KB, and decrypts with KB to obtain Request||NA||KAB||T1. If the absolute value of the difference between T2 and T1 is not greater than the time threshold Δt, i.e., |T2-T1| <= Δt, the TICKET is trusted as valid. Δt can be set to 10 s.
Client B generates a random number NB with its matched random number generator, encrypts NA and NB with KAB, and sends them to client A.
Step 7: client A authenticates client B and replies.
After receiving {NA||NB}KAB sent by client B, client A decrypts it with KAB to obtain NA and NB. Client A checks whether NA equals the local NA; if so, client B passes authentication. Client A then encrypts NB with KAB and sends it to client B.
Step 8: client B completes authentication of client A.
After receiving {NB}KAB sent by client A, client B decrypts it to obtain NB and checks whether NB equals the local NB; if so, client A passes authentication, and client B confirms KAB as the session key negotiated with client A.
Step 9: the client A and the client B perform secure communication.
The client A and the client B can utilize the key KAB to encrypt and decrypt the message and authenticate the message. Preferably, KAB is split into KABE and KABA, which are used as message encryption and decryption and message authentication keys, respectively.
Example 2
System description
The scenario of this embodiment is shown in fig. 4. It includes a client A, i.e., the active party, a client B, i.e., the passive party, and a quantum communication service station Q, i.e., the service station, referred to simply as service station Q. Client A and client B are each provided with a client key fob, and quantum communication service station Q is provided with a service station key fob. All of these key fobs belong to the same batch issued by the same key management server. Let the ID of client A be IDA, its public key PKA and its private key SKA; let the ID of client B be IDB, its public key PKB and its private key SKB.
Step 1: client A initiates an authentication request with client B to service station Q.
Client A generates a Request for identity authentication with client B, wherein the Request contains IDA||IDB and other necessary information. Client A generates true random numbers KR and NA with its matched random number generator, and symmetrically encrypts the Request and NA with KR to obtain {Request||NA}KR.
Client A generates a true random number R with its matched random number generator, and applies the asymmetric key pointer function fkp to R to obtain the key position pointer kp. Client A takes the public key PKQ of the service station Q from the service station public key pool in its key fob according to the key position pointer. Client A encrypts KR with PKQ to obtain {KR}PKQ.
Client A sends R||{Request||NA}KR||{KR}PKQ to the service station Q.
Step 2: the quantum communication service station Q generates the session key and makes the TICKET.
After receiving R||{Request||NA}KR||{KR}PKQ, the service station Q applies the asymmetric key pointer function fkp to the true random number R to obtain the key position pointer kp. The service station Q takes its own private key SKQ from the service station private key pool in its own key fob according to the key position pointer. The service station Q decrypts {KR}PKQ with SKQ to obtain KR. The service station Q decrypts {Request||NA}KR with the recovered KR to obtain the Request and NA.
The service station Q generates a session key KAB between client A and client B with its matched key fob, and also generates two keys KA and KB. It symmetrically encrypts Request||NA||KAB with KB; the time T1 that the service station Q obtains as a timestamp is encrypted together with them. According to the IDB in the Request, the service station Q then takes the public key PKB of client B from the client public key pool and encrypts KB with it, obtaining {Request||NA||KAB||T1}KB||{KB}PKB as the TICKET. The service station Q then encrypts the TICKET and Request||NA||KAB with KA. According to the IDA in the Request, it takes the public key PKA of client A from the client public key pool and encrypts KA with it. It sends {Request||NA||KAB||TICKET}KA||{KA}PKA to client A.
Step 3: after verifying the message, client A sends the TICKET to client B.
Client A decrypts with the private key SKA to obtain KA, decrypts with KA to obtain Request||NA||KAB||TICKET, and checks whether NA equals the local NA; if so, it trusts KAB as the session key for communication with client B. It then sends the TICKET to client B.
Step 4: client B verifies the timestamp validity.
After receiving the TICKET, client B records the local time T2 at which the message was received. It decrypts with the private key SKB to obtain KB, and decrypts with KB to obtain Request||NA||KAB||T1. If the absolute value of the difference between T2 and T1 is not greater than the preset value, i.e., the time threshold Δt, so that |T2-T1| <= Δt, the TICKET is trusted as valid. Δt can be set to 10 s.
Client B generates a random number NB with its matched random number generator, encrypts NA and NB with KAB, and sends them to client A.
Step 5: client A authenticates client B and replies.
After receiving {NA||NB}KAB sent by client B, client A decrypts it with KAB to obtain NA and NB. Client A checks whether NA equals the local NA; if so, client B passes authentication. Client A then encrypts NB with KAB and sends it to client B.
Step 6: client B completes authentication of client A.
After receiving {NB}KAB sent by client A, client B decrypts it to obtain NB and checks whether NB equals the local NB; if so, client A passes authentication, and client B confirms KAB as the session key negotiated with client A.
Step 7: the client A and the client B perform secure communication.
The client A and the client B can utilize the key KAB to encrypt and decrypt the message and authenticate the message. Preferably, KAB is split into KABE and KABA, which are used as message encryption and decryption and message authentication keys, respectively.
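The ticket check and nonce confirmation of steps 4 to 6, together with the KAB split of step 7, as an added example that is not part of the patent. Assumptions: client B has already recovered KB from {KB}PKB with SKB; every symmetric key is 64 bytes and is split into an encryption half and an authentication half; the cipher is a stand-in (HMAC-SHA256 counter-mode keystream plus an HMAC tag) because the patent names no algorithm; the field encoding and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

DELTA_T = 10   # seconds; the description suggests Δt = 10 s
KEY_LEN = 64   # assumption: every symmetric key is 64 bytes and splits in half


def split_key(key):
    """Split a key into (encryption half, authentication half), as KAB -> KABE, KABA."""
    if len(key) != KEY_LEN:
        raise ValueError("unexpected key length")
    return key[:32], key[32:]


def _keystream(enc_key, nonce, length):
    # Stand-in cipher (not specified by the patent): HMAC-SHA256 in counter mode.
    blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(enc_key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        for i in range(blocks))
    return stream[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = split_key(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag in constant time before decrypting anything."""
    enc_key, mac_key = split_key(key)
    if len(blob) < 48:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def pack(*fields):
    # Hypothetical encoding of "a||b||c": each field is length-prefixed.
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def unpack(blob):
    fields, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack_from(">I", blob, i)
        fields.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return fields


def make_ticket_body(kb, request, na, kab, t1):
    """Service station: {Request||NA||KAB||T1}KB ({KB}PKB is outside this example)."""
    return seal(kb, pack(request, na, kab, struct.pack(">Q", t1)))


def passive_accept_ticket(kb, ticket_body, t2):
    """Client B: open the ticket, enforce |T2-T1| <= Δt, answer with {NA||NB}KAB."""
    request, na, kab, t1_raw = unpack(unseal(kb, ticket_body))
    (t1,) = struct.unpack(">Q", t1_raw)
    if abs(t2 - t1) > DELTA_T:
        raise ValueError("ticket timestamp outside the allowed window")
    nb = os.urandom(16)
    return kab, nb, seal(kab, pack(na, nb))


def active_check_reply(kab, local_na, reply):
    """Client A: verify NA inside {NA||NB}KAB, then return {NB}KAB."""
    na, nb = unpack(unseal(kab, reply))
    if not hmac.compare_digest(na, local_na):
        raise ValueError("NA mismatch: client B not authenticated")
    return seal(kab, pack(nb))


def passive_finish(kab, local_nb, confirmation):
    """Client B: verify NB inside {NB}KAB; True means KAB is confirmed."""
    (nb,) = unpack(unseal(kab, confirmation))
    return hmac.compare_digest(nb, local_nb)


def run_exchange(clock_skew):
    """Constructed end-to-end run; clock_skew is T2 - T1 in seconds."""
    kb, kab, na = os.urandom(KEY_LEN), os.urandom(KEY_LEN), os.urandom(16)
    t1 = 1_700_000_000  # constructed timestamp
    ticket_body = make_ticket_body(kb, b"IDA||IDB", na, kab, t1)
    kab_b, nb, reply = passive_accept_ticket(kb, ticket_body, t1 + clock_skew)
    confirmation = active_check_reply(kab, na, reply)
    return passive_finish(kab_b, nb, confirmation) and kab_b == kab
```

Because the check is on the absolute difference, a ticket stamped more than Δt ahead of client B's clock is rejected just like a stale one, so the clocks of the service station and client B must agree to within Δt.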
Summarizing the specific steps of the technical solution disclosed above yields the quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp as implemented on the active party, as implemented on the passive party, and as implemented in the service station, as set out in the claims, so they are not described again here.
Specific limitations regarding the active device, the passive device, and the service station device and system can be found in the above description of the quantum communication service station authentication method, and will not be repeated here. The various modules in the various devices described above may be implemented in whole or in part in software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 3. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used for storing relevant data of identity authentication. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program when executed by a processor implements a quantum communication service station key agreement method based on an asymmetric key pool pair and a timestamp.
It will be appreciated by those skilled in the art that the structure shown in fig. 3 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), programmable ROM (PROM), electrically Programmable ROM (EPROM), electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous Link DRAM (SLDRAM), memory bus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.
Claims (6)
1. The quantum communication service station key negotiation method based on the asymmetric key pool pair and the time stamp is characterized by being implemented by using an arranged active party, an arranged passive party, a service station and a communication network, wherein the active party is configured with an active party key fob, and the active party key fob stores a service station public key pool, an active party public key and an active party private key; the passive party is provided with a passive party key card, and a service station public key pool, a passive party public key and a passive party private key are stored in the passive party key card; the service station is configured with a service station key card, and a service station private key pool, an active party public key pool and a passive party public key pool are stored in the service station key card; the key card is an independent hardware isolation device, and both the public key and the private key are stored in a data security area in the key card;
The quantum communication service station key agreement method comprises the following steps implemented on an active party:
generating an authentication parameter NA and an encryption parameter KR, and sending to the service station the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the public key of the service station; the authentication parameter NA is used by the service station to generate a ticket TICKET, and the ticket TICKET is used for verification by the passive party;
acquiring from the service station an encryption parameter KA encrypted with the active party's public key, and the authentication parameter NA, a session key KAB and the ticket TICKET encrypted with the encryption parameter KA, wherein the session key KAB is generated by the service station; decrypting and verifying the authentication parameter NA, then trusting the session key KAB and sending the ticket TICKET to the passive party; the ticket TICKET is used for verification by the passive party;
acquiring from the passive party the authentication parameter NA and an authentication parameter NB encrypted with the session key KAB, wherein the authentication parameter NB is generated by the passive party; decrypting and verifying the authentication parameter NA and then trusting the session key KAB; sending the authentication parameter NB encrypted with the session key KAB to the passive party, said authentication parameter NB being used by the passive party to verify and trust the session key KAB.
2. The quantum communication service station key negotiation method based on the asymmetric key pool pair and the time stamp is characterized by being implemented by using an arranged active party, an arranged passive party, a service station and a communication network, wherein the active party is configured with an active party key fob, and the active party key fob stores a service station public key pool, an active party public key and an active party private key; the passive party is provided with a passive party key card, and a service station public key pool, a passive party public key and a passive party private key are stored in the passive party key card; the service station is configured with a service station key card, and a service station private key pool, an active party public key pool and a passive party public key pool are stored in the service station key card; the key card is an independent hardware isolation device, and both the public key and the private key are stored in a data security area in the key card;
the quantum communication service station key agreement method comprises the following steps implemented in a service station:
acquiring from the active party an authentication parameter NA encrypted with an encryption parameter KR, and the encryption parameter KR encrypted with the public key of the service station; the authentication parameter NA and the encryption parameter KR are generated by the active party; generating a session key KAB, an encryption parameter KA, an encryption parameter KB and a timestamp T1 of the current time, and making a ticket TICKET, wherein the ticket TICKET comprises the encryption parameter KB encrypted with the passive party's public key, and the authentication parameter NA, the session key KAB and the timestamp T1 encrypted with the encryption parameter KB; and sending to the active party the encryption parameter KA encrypted with the active party's public key, and the authentication parameter NA, the session key KAB and the ticket TICKET encrypted with the encryption parameter KA.
3. The quantum communication service station key negotiation method based on the asymmetric key pool pair and the time stamp is characterized by being implemented by using an arranged active party, an arranged passive party, a service station and a communication network, wherein the active party is configured with an active party key fob, and the active party key fob stores a service station public key pool, an active party public key and an active party private key; the passive party is provided with a passive party key card, and a service station public key pool, a passive party public key and a passive party private key are stored in the passive party key card; the service station is configured with a service station key card, and a service station private key pool, an active party public key pool and a passive party public key pool are stored in the service station key card; the key card is an independent hardware isolation device, and both the public key and the private key are stored in a data security area in the key card;
the quantum communication service station key agreement method comprises the following steps implemented on a passive party:
receiving a ticket TICKET from the active party and generating a timestamp T2 at which the message is received, wherein the ticket TICKET comprises an encryption parameter KB generated by the service station and encrypted with the passive party's public key, and, encrypted with the encryption parameter KB, an authentication parameter NA generated by the active party, a session key KAB generated by the service station and a timestamp T1; decrypting and verifying that the difference between the timestamp T1 and the timestamp T2 is less than or equal to a preset value; trusting the ticket TICKET, generating an authentication parameter NB, and sending the authentication parameter NA and the authentication parameter NB encrypted with the session key KAB to the active party; the authentication parameter NA is used for verification by the active party;
and acquiring from the active party the authentication parameter NB encrypted with the session key KAB, decrypting and verifying the authentication parameter NB, and then trusting the session key KAB.
4. The quantum communication service station key negotiation method based on the asymmetric key pool pair and the time stamp is characterized by being implemented by using an arranged active party, an arranged passive party, a service station and a communication network, wherein the active party is configured with an active party key fob, and the active party key fob stores a service station public key pool, an active party public key and an active party private key; the passive party is provided with a passive party key card, and a service station public key pool, a passive party public key and a passive party private key are stored in the passive party key card; the service station is configured with a service station key card, and a service station private key pool, an active party public key pool and a passive party public key pool are stored in the service station key card; the key card is an independent hardware isolation device, and both the public key and the private key are stored in a data security area in the key card;
the quantum communication service station key agreement method comprises the following steps:
the active party generates an authentication parameter NA and an encryption parameter KR, and sends to the service station the authentication parameter NA encrypted by the encryption parameter KR and the encryption parameter KR encrypted by the public key of the service station;
the service station obtains and decrypts the encrypted data, and generates a session key KAB, an encryption parameter KA, an encryption parameter KB, a time stamp T1 of the current time and a ticket TICKET, wherein the ticket TICKET comprises the encryption parameter KB encrypted by the public key of the passive party, an authentication parameter NA encrypted by the encryption parameter KB, the session key KAB and the time stamp T1; the service station sends to the active party an encryption parameter KA encrypted by the active party public key, an authentication parameter NA encrypted by the encryption parameter KA, a session key KAB and the ticket TICKET;
the active party obtains, decrypts and verifies the authentication parameter NA, then trusts the session key KAB and sends the ticket TICKET to the passive party;
the passive party acquires, decrypts and verifies that the difference between the time stamp T1 and the time stamp T2 is smaller than or equal to a preset value; trusts the ticket TICKET, generates an authentication parameter NB, and sends the authentication parameter NA and the authentication parameter NB encrypted by using the session key KAB to the active party;
the active party obtains, decrypts and verifies the authentication parameter NA and then trusts the session key KAB, and transmits an authentication parameter NB encrypted with the session key KAB to the passive party;
the passive party acquires, decrypts and verifies the authentication parameter NB and then trusts the session key KAB.
5. The quantum communication service station key agreement method according to any one of claims 1 to 4, wherein the service station is divided into a service station QA and a service station QB, the active party being a child device of the service station QA and the passive party being a child device of the service station QB;
the service station QA acquires an authentication parameter NA encrypted by an encryption parameter KR from an active party and the encryption parameter KR encrypted by a public key of the service station; decrypts them, generates the session key KAB, and encrypts and transmits the authentication parameter NA and the session key KAB to the service station QB;
the service station QB acquires and decrypts the encrypted parameter KB, generates a timestamp T1 of the current time and makes a ticket TICKET, wherein the ticket TICKET comprises the encrypted parameter KB encrypted by the passive public key, an authentication parameter NA encrypted by the encrypted parameter KB, a session key KAB and the timestamp T1; and encrypts and transmits the ticket TICKET to the service station QA;
the service station QA obtains and decrypts the ticket TICKET, generates an encryption parameter KA, and sends the encryption parameter KA encrypted by the public key of the active party, the authentication parameter NA encrypted by the encryption parameter KA, the session key KAB and the ticket TICKET to the client.
6. A quantum communication service station key agreement method according to any one of claims 1 to 4, wherein the session key KAB is split into a message encrypting and decrypting key KABE and a message authenticating key KABA.
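The ticket that the service station makes and the passive party checks in the claims above, as an added example (not code from the patent), reading the claims as KB wrapped under the passive party's public key with NA, KAB and T1 encrypted under KB. Assumptions: toy textbook RSA and a SHA-256 keystream stand in for the unspecified ciphers, the HMAC tag and the 30-second `MAX_SKEW` are this example's own, and all function names are hypothetical.

```python
import hashlib, hmac, secrets, struct

# Toy textbook RSA over two Mersenne primes: illustration only, NOT secure.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # constructed passive-party key pair
MAX_SKEW = 30  # assumed "preset value" for |T2 - T1|, in seconds

def _keys(kb: bytes):
    """Derive separate cipher and MAC keys from the one-time parameter KB."""
    return hashlib.sha256(b"enc" + kb).digest(), hashlib.sha256(b"mac" + kb).digest()

def _xor(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream (stand-in for the unnamed cipher)."""
    ks = b"".join(hashlib.sha256(key + struct.pack(">I", i)).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def make_ticket(na: bytes, kab: bytes, t1: int) -> bytes:
    """Service station: TICKET = {KB}PK_B || {NA || KAB || T1}KB || tag."""
    kb = secrets.token_bytes(16)  # fresh KB per ticket, so the keystream is used once
    ek, mk = _keys(kb)
    wrapped = pow(int.from_bytes(kb, "big"), E, N).to_bytes(27, "big")
    body = _xor(ek, na + kab + struct.pack(">Q", t1))
    # The integrity tag is an assumption of this example; the claims name none.
    return wrapped + body + hmac.new(mk, body, hashlib.sha256).digest()

def accept_ticket(ticket: bytes, t2: int):
    """Passive party: unwrap KB, check integrity, then enforce the time window."""
    wrapped, body, tag = ticket[:27], ticket[27:-32], ticket[-32:]
    kb = pow(int.from_bytes(wrapped, "big"), D, N).to_bytes(27, "big")[-16:]
    ek, mk = _keys(kb)
    if not hmac.compare_digest(tag, hmac.new(mk, body, hashlib.sha256).digest()):
        raise ValueError("ticket rejected: integrity check failed")
    pt = _xor(ek, body)
    na, kab, t1 = pt[:16], pt[16:48], struct.unpack(">Q", pt[48:56])[0]
    if abs(t2 - t1) > MAX_SKEW:
        raise ValueError("ticket rejected: timestamp outside window")
    return na, kab  # NA goes back to the active party under KAB, alongside a new NB
```

A ticket replayed after the window closes is rejected even though it decrypts correctly, which is the only replay protection the ticket itself carries; within the window the NA/NB exchange under KAB has to do the rest.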
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910325032.1A CN110086627B (en) | 2019-04-22 | 2019-04-22 | Quantum communication service station key negotiation method and system based on asymmetric key pool pair and time stamp |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110086627A (en) | 2019-08-02 |
CN110086627B (en) | 2023-08-04 |
Family
ID=67416078
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110086627B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||