[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN113067699B - Data sharing method and device based on quantum key and computer equipment - Google Patents

Data sharing method and device based on quantum key and computer equipment Download PDF

Info

Publication number
CN113067699B
CN113067699B CN202110239183.2A CN202110239183A CN113067699B CN 113067699 B CN113067699 B CN 113067699B CN 202110239183 A CN202110239183 A CN 202110239183A CN 113067699 B CN113067699 B CN 113067699B
Authority
CN
China
Prior art keywords
data
quantum key
storage
key
transmission
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110239183.2A
Other languages
Chinese (zh)
Other versions
CN113067699A (en
Inventor
李红飞
陈旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Kedun Quantum Information Technology Co ltd
Original Assignee
Shenzhen Kedun Quantum Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Kedun Quantum Information Technology Co ltd filed Critical Shenzhen Kedun Quantum Information Technology Co ltd
Priority to CN202110239183.2A priority Critical patent/CN113067699B/en
Publication of CN113067699A publication Critical patent/CN113067699A/en
Application granted granted Critical
Publication of CN113067699B publication Critical patent/CN113067699B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to a data sharing method and device based on quantum keys, computer equipment and a storage medium. The method comprises the following steps: when a data sharing request uploaded by a terminal is received, performing identity authentication based on an authentication quantum key to obtain an identity authentication result; when the identity authentication result is that the authentication is passed, target storage ciphertext data is obtained; target storage ciphertext data is obtained by encrypting target data requested by the data sharing request through a storage quantum key; carrying out ciphertext conversion on target storage ciphertext data through a transmission quantum key corresponding to the terminal to obtain transmission ciphertext data; and sending the transmission ciphertext data to the terminal so that the terminal decrypts the transmission ciphertext data according to the transmission quantum key to obtain the target data. By adopting the method, the safety of data sharing can be improved.

Description

Data sharing method and device based on quantum key and computer equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a data sharing method and apparatus based on a quantum key, a computer device, and a storage medium.
Background
With the development of computer technology, various network applications enable people to obtain rich data resources through data sharing, such as obtaining various application data such as news data, social data, transaction data, and the like. With the wide application of data sharing, the focus of technology development has gradually been focused on ensuring the security of data in data sharing.
At present, in a conventional data sharing process, shared data is usually encrypted by a key pair consisting of a public key and a secret key, and a ciphertext obtained through encryption is transmitted. However, the key pair formed by the public key and the secret key is generally limited in length, and risks being cracked violently, so that the data sharing security is low.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a quantum key-based data sharing method, apparatus, computer device, and storage medium capable of improving security of data sharing.
A method of quantum key based data sharing, the method comprising:
when a data sharing request uploaded by a terminal is received, performing identity authentication based on an authentication quantum key to obtain an identity authentication result;
when the identity authentication result is that the authentication is passed, target storage ciphertext data is obtained; target storage ciphertext data is obtained by encrypting target data requested by the data sharing request through a storage quantum key;
carrying out ciphertext conversion on target storage ciphertext data through a transmission quantum key corresponding to the terminal to obtain transmission ciphertext data;
and sending the transmission ciphertext data to the terminal so that the terminal decrypts the transmission ciphertext data according to the transmission quantum key to obtain the target data.
In one embodiment, performing identity authentication based on the authentication quantum key, and obtaining an identity authentication result includes:
when the request type of the data sharing request is a dual identity authentication type, performing first identity authentication on the basis of a digital certificate of a user corresponding to the data sharing request to obtain a first identity authentication result;
when the first identity authentication result is that authentication is passed, determining an authentication quantum key;
and performing second identity authentication on the user corresponding to the data sharing request through the authentication quantum key to obtain an identity authentication result.
In one embodiment, performing second identity authentication on the user corresponding to the data sharing request through the authentication quantum key, and obtaining an identity authentication result includes:
carrying out key enhancement on the authentication quantum key through the authentication random number to obtain an enhanced quantum key;
sending the enhanced quantum key to the terminal; the enhanced quantum key is used for controlling the terminal to encrypt the identity of the user corresponding to the terminal into an identity ciphertext based on the enhanced quantum key;
and decrypting the identity ciphertext returned by the terminal according to the enhanced quantum key, and performing identity authentication according to the decryption result to obtain an identity authentication result.
In one embodiment, obtaining the target storage ciphertext data comprises:
determining a data identifier of target data requested by the data sharing request;
acquiring target storage ciphertext data corresponding to the target data from the storage ciphertext data according to the data identifier;
and the storage ciphertext data is obtained by encrypting the storage data to which the target data belongs through the storage quantum key.
In one embodiment, before obtaining the target storage ciphertext data, the method further includes:
when the data encryption condition is met, determining sensitive data and non-sensitive data from the stored data;
encrypting the sensitive data by storing the quantum key to obtain sensitive ciphertext data;
and obtaining storage ciphertext data corresponding to the storage data according to the sensitive ciphertext data and the non-sensitive data.
In one embodiment, the obtaining of the transmission ciphertext data by performing ciphertext conversion on the target storage ciphertext data through the transmission quantum key corresponding to the terminal includes:
decrypting the target storage ciphertext data through the storage quantum key to obtain target data;
acquiring a transmission quantum key corresponding to a terminal;
and encrypting the target data through the transmission quantum key to obtain transmission ciphertext data.
In one embodiment, the method further comprises:
when the key is triggered to be updated, acquiring an authentication updating key, storing the updating key and transmitting the updating key;
updating the authentication quantum key based on the authentication update key, and updating the storage quantum key based on the storage update key;
and sending the transmission updating key to the terminal so that the terminal updates the transmission quantum key based on the transmission updating key.
A quantum key based data sharing apparatus, the apparatus comprising:
the identity authentication module is used for carrying out identity authentication based on the authentication quantum key when receiving the data sharing request uploaded by the terminal to obtain an identity authentication result;
the target ciphertext data acquisition module is used for acquiring target storage ciphertext data when the identity authentication result is that the authentication is passed; target storage ciphertext data is obtained by encrypting target data requested by the data sharing request through a storage quantum key;
the ciphertext conversion module is used for performing ciphertext conversion on the target storage ciphertext data through the transmission quantum key corresponding to the terminal to obtain transmission ciphertext data;
and the ciphertext data transmission module is used for sending the transmission ciphertext data to the terminal so that the terminal decrypts the transmission ciphertext data according to the transmission quantum key to obtain the target data.
A computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
when a data sharing request uploaded by a terminal is received, performing identity authentication based on an authentication quantum key to obtain an identity authentication result;
when the identity authentication result is that the authentication is passed, target storage ciphertext data is obtained; target storage ciphertext data is obtained by encrypting target data requested by the data sharing request through a storage quantum key;
carrying out ciphertext conversion on target storage ciphertext data through a transmission quantum key corresponding to the terminal to obtain transmission ciphertext data;
and sending the transmission ciphertext data to the terminal so that the terminal decrypts the transmission ciphertext data according to the transmission quantum key to obtain the target data.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
when a data sharing request uploaded by a terminal is received, performing identity authentication based on an authentication quantum key to obtain an identity authentication result;
when the identity authentication result is that the authentication is passed, target storage ciphertext data is obtained; target storage ciphertext data is obtained by encrypting target data requested by the data sharing request through a storage quantum key;
carrying out ciphertext conversion on target storage ciphertext data through a transmission quantum key corresponding to the terminal to obtain transmission ciphertext data;
and sending the transmission ciphertext data to the terminal so that the terminal decrypts the transmission ciphertext data according to the transmission quantum key to obtain the target data.
According to the quantum key-based data sharing method, device, computer equipment and storage medium, when a data sharing request uploaded by a terminal is received, identity authentication is carried out based on an authentication quantum key, when the identity authentication passes, target storage ciphertext data obtained by encrypting the target data through the storage quantum key are obtained, ciphertext conversion is carried out on the target storage ciphertext data through a transmission quantum key corresponding to the terminal, the obtained transmission ciphertext data are sent to the terminal, and the terminal decrypts the transmission ciphertext data according to the transmission quantum key to obtain the target data. In the data sharing process, identity authentication is carried out through an authentication quantum key, target storage ciphertext data are obtained by encrypting the storage quantum key, transmission ciphertext data in the transmission process are obtained by encrypting the transmission quantum key, the randomness of the quantum key is fully utilized, the risk that the data are violently cracked is reduced, and the safety of data sharing is improved.
Drawings
FIG. 1 is a diagram of an application environment of a quantum key-based data sharing method in one embodiment;
FIG. 2 is a flow diagram that illustrates a quantum key-based data sharing method, according to an embodiment;
FIG. 3 is a schematic flow chart illustrating the encryption of stored data in one embodiment;
FIG. 4 is a diagram of an application environment of a quantum key-based data sharing method in another embodiment;
FIG. 5 is a block diagram of a quantum key-based data sharing apparatus according to one embodiment;
FIG. 6 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The quantum key-based data sharing method provided by the application can be applied to the application environment shown in fig. 1. Wherein the terminal 102 communicates with the server 104 via a network. The terminal 102 sends a data sharing request to the server 104, when receiving the data sharing request uploaded by the terminal 102, the server 104 performs identity authentication based on an authentication quantum key, when the identity authentication passes, obtains target storage ciphertext data obtained by encrypting the target data through the storage quantum key, performs ciphertext conversion on the target storage ciphertext data through a transmission quantum key corresponding to the terminal 102, and sends the obtained transmission ciphertext data to the terminal 102, so that the terminal 102 decrypts the transmission ciphertext data according to the transmission quantum key to obtain the target data. The terminal 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices, and the server 104 may be implemented by an independent server or a server cluster formed by a plurality of servers.
In one embodiment, as shown in fig. 2, a quantum key based data sharing method is provided, which is described by taking the method as an example applied to the server in fig. 1, and includes the following steps:
step 202, when receiving a data sharing request uploaded by the terminal, performing identity authentication based on the authentication quantum key to obtain an identity authentication result.
The quantum key uses the characteristics of quantum mechanics to implement encryption tasks. Traditional public key encryption is generally referred to as conditional security, while quantum key encryption can be made unconditionally secure. The reliability of the quantum key is mainly determined by the basic characteristics of quantum mechanics, and most importantly, the heisenberg inaccuracy principle, that is, the process of completely copying any unknown quantum state in quantum mechanics is not realizable, because the premise of copying is measurement, and measurement generally changes the state of the quantum. The data sharing request is uploaded by the terminal and used for requesting shared data to the server, such as requesting to acquire transaction data from the server. The authentication quantum key is a key for identity authentication obtained based on a quantum cryptography technology, and the key is a parameter utilized in the process of converting plaintext data into ciphertext or converting the ciphertext into the plaintext data. Generally, for random keys, the security is derived from random numbers, however, in theory, conventional random number generators rely on computer simulation to generate pseudo-random numbers, or to extract random numbers from some classical physical noise (e.g. thermal noise, electrical noise, etc.), which can be simulated in view of all variables, except that the randomness generated by some quantum physical processes is completely truly random, such as quantum state collapse processes. The random number generator used by the quantum key is generated based on a quantum physical process, and the random number is more random. The randomness source of the quantum random number used by the quantum key is clearer, and the randomness of the quantum random number can be strictly proved by adopting a physical entropy theory, so that the quantum key has higher safety.
Specifically, when the server receives a data sharing request uploaded by the terminal, which indicates that the terminal needs to acquire shared data from the server, the server responds to the data sharing request, and performs identity authentication on a user corresponding to the terminal based on an authentication quantum key to determine the identity of the user corresponding to the terminal, so as to obtain an identity authentication result. In specific implementation, the server may directly perform identity authentication on the user corresponding to the terminal based on the authentication quantum key, or may perform key enhancement on the authentication quantum key, for example, perform key enhancement processing on the random number and the authentication quantum key, and perform identity authentication by using the enhanced authentication quantum key, thereby further improving the security of the identity authentication.
Step 204, when the identity authentication result is that the authentication is passed, acquiring target storage ciphertext data; and the target storage ciphertext data is obtained by encrypting the target data requested by the data sharing request through the storage quantum key.
The target storage ciphertext data is obtained by encrypting target data requested by the data sharing request through a storage quantum key, and the target data is data requested by the data sharing request, such as electronic archive data, transaction data or social data of a certain user, and the like. The storage quantum key is a key which is obtained based on quantum cryptography and used for encrypting and storing stored data. And the target storage ciphertext data is obtained by encrypting the target data through a storage quantum key in advance by the server.
Specifically, after the server performs identity authentication based on the authentication quantum key, when the obtained identity authentication result is that authentication is passed, it indicates that the identity of the user corresponding to the terminal is successfully confirmed, the server obtains target storage ciphertext data, the target storage ciphertext data is target data requested by the data sharing request, and the target storage ciphertext data is obtained by performing encryption processing through the storage quantum key. During specific implementation, the server can encrypt all stored data through the storage quantum key in advance to obtain encrypted data, and when target storage ciphertext data are obtained, data identifiers of the target data needing to be shared by the terminal can be extracted from the data sharing request, the data identifiers are used for distinguishing the data, and different data types can correspond to different data identifiers. For example, for archival data, the data identification can be the name, ID, etc. of the archive; for transaction data, the data identification may encode an order corresponding to the transaction. The server can obtain target storage ciphertext data corresponding to the target data from the encrypted data according to the data identifier of the target data.
And step 206, carrying out ciphertext conversion on the target storage ciphertext data through the transmission quantum key corresponding to the terminal to obtain transmission ciphertext data.
The transmission quantum key is a key which is obtained based on a quantum cryptography technology and is used for encrypting the data transmission process. Ciphertext transformation refers to transforming an encryption key of target storage ciphertext data, and specifically transforms the encryption key of the target storage ciphertext data from a storage quantum key to a transmission quantum key. The transmission ciphertext data is a ciphertext conversion result obtained by performing ciphertext conversion on the target storage ciphertext data through the transmission quantum key, namely the transmission ciphertext data is obtained by encrypting the target data through the transmission quantum key.
Specifically, after obtaining target storage ciphertext data corresponding to target data requested by the data sharing request, the server obtains a transmission quantum key corresponding to the terminal, and the transmission quantum key is sent to the server by the terminal. In a specific application, the data sharing request uploaded by the terminal may carry a transmission quantum key corresponding to the terminal, and the server may extract the transmission quantum key from the data sharing request after acquiring the target storage ciphertext data. In addition, the server may also send the identity authentication result to the terminal when the identity authentication result is that the authentication passes, so as to instruct the terminal to upload the corresponding transmission quantum key. The server may further send the identity authentication result to the terminal after confirming that there is target storage ciphertext data corresponding to the target data requested by the data sharing request, so as to instruct the terminal to upload the corresponding transmission quantum key. And the server performs ciphertext conversion on the obtained target storage ciphertext data based on the transmission quantum key corresponding to the terminal, and converts the encrypted ciphertext of the target storage ciphertext data from the storage quantum key to the transmission quantum key to obtain the transmission ciphertext data. The transmission ciphertext data is obtained by encrypting target data requested by the data sharing request through a transmission quantum key.
And step 208, sending the transmission ciphertext data to the terminal, so that the terminal decrypts the transmission ciphertext data according to the transmission quantum key to obtain the target data.
Specifically, the server sends the transmission ciphertext data to the terminal after obtaining the transmission ciphertext data, and the terminal decrypts the transmission ciphertext data according to the transmission quantum key after receiving the transmission ciphertext data, so that the target data is obtained by decryption and restoration from the transmission ciphertext data, and the target data is shared.
In the data sharing method based on the quantum key, when a data sharing request uploaded by a terminal is received, identity authentication is carried out based on an authentication quantum key, when the identity authentication passes, target storage ciphertext data obtained by encrypting the target data through the storage quantum key is obtained, ciphertext conversion is carried out on the target storage ciphertext data through a transmission quantum key corresponding to the terminal, the obtained transmission ciphertext data is sent to the terminal, and the terminal decrypts the transmission ciphertext data according to the transmission quantum key to obtain the target data. In the data sharing process, identity authentication is carried out through an authentication quantum key, target storage ciphertext data are obtained by encrypting the storage quantum key, transmission ciphertext data in the transmission process are obtained by encrypting the transmission quantum key, the randomness of the quantum key is fully utilized, the risk that the data are violently cracked is reduced, and the safety of data sharing is improved.
In one embodiment, performing identity authentication based on the authentication quantum key, and obtaining the identity authentication result includes: when the request type of the data sharing request is a dual identity authentication type, performing first identity authentication on the basis of a digital certificate of a user corresponding to the data sharing request to obtain a first identity authentication result; when the first identity authentication result is that authentication is passed, determining an authentication quantum key; and performing second identity authentication on the user corresponding to the data sharing request through the authentication quantum key to obtain an identity authentication result.
The request type of the data sharing request may be determined according to target data requested by the data sharing request, and different target data correspond to different request types, which may specifically include a dual identity authentication type, a digital certificate authentication type, and a quantum key authentication type. In specific application, different data correspond to different confidentiality levels, when target data requested by a terminal are data with high confidentiality levels, the request type of a data sharing request can be determined to be a dual identity authentication type, so that dual identity authentication is performed through two authentication modes of digital certificate authentication and quantum key authentication, and the security requirement of the high confidentiality level data can be met. For the target data with lower security level, the request type of the data sharing request can be determined to be a digital certificate authentication type or a quantum key authentication type, so that the processing efficiency of identity authentication is improved on the premise of ensuring the data security requirement. The security level of the data can be flexibly set according to actual needs, and different data in different application scenes can correspond to different security levels.
The digital certificate is a digital certificate for marking identity information of each communication party in internet communication, and the identity of the communication party can be identified by using the digital certificate. A digital Certificate is an electronic document in nature, and is a relatively authoritative and fair Certificate issued by an e-commerce authentication center (CA center), which has a significant impact on e-commerce activities, for example, when shopping is consumed on various e-commerce platforms, the digital Certificate must be installed on a computer to ensure the security of funds. The CA center adopts a digital certificate authentication technology taking a digital encryption technology as a core, and can perform various processing such as encryption, decryption, digital signature and signature authentication on various information transmitted on the Internet through the digital certificate, and meanwhile, the CA center can also ensure that the content cannot be checked by lawbreakers in the digital transmission process or even if the content cannot be checked by the lawbreakers.
Specifically, when the server receives a data sharing request uploaded by the terminal, the server determines a request type corresponding to the data sharing request, specifically, the server determines a data type of target data requested by the data sharing request, determines the request type of the data sharing request according to the data type of the target data, and when the request type of the data sharing request is a dual-identity authentication type, it indicates that dual-identity authentication needs to be performed on a user corresponding to the terminal, the server performs first identity authentication based on a digital certificate of the user corresponding to the data sharing request, and obtains a first identity authentication result. And when the first identity authentication result is authentication pass, namely the terminal corresponding to the user passes the digital certificate authentication, the server acquires an authentication quantum key, and the authentication quantum key is generated based on a quantum cryptography technology. And the server performs second identity authentication on the user corresponding to the data sharing request through the obtained authentication quantum key, so that double identity authentication on the user corresponding to the terminal is realized, an identity authentication result is obtained, and the security of the identity authentication is ensured. In a specific implementation, the Authentication quantum key may be used to perform identity Authentication on a user corresponding to the terminal based on a Message Authentication Code (MAC) technology. The message authentication code is a technology for confirming integrity and authenticating, and can confirm whether the message received by the message authentication code is the intention of a sender, that is, whether the message is falsified or not and whether the sender pretends to send the message or not can be judged by using the message authentication code. The input of the message authentication code includes a message of arbitrary length and a key shared between the sender and the recipient, which can output fixed length data, referred to as a MAC value. The shared key is required to be held for calculating the MAC value, the MAC value cannot be calculated without the shared key, and the message authentication code uses the property to complete authentication.
In this embodiment, when the request type of the data sharing request is a dual identity authentication type, the digital certificate and the quantum key are respectively used for performing dual identity authentication on a user corresponding to the data sharing request to obtain an identity authentication result, so that heterogeneous enhancement of identity authentication is realized, when security risk exists in digital certificate authentication, secondary security defense can be realized through the quantum key, and the security of identity authentication is improved.
In one embodiment, performing the second identity authentication on the user corresponding to the data sharing request through the authentication quantum key, and obtaining the identity authentication result includes: carrying out key enhancement on the authentication quantum key through the authentication random number to obtain an enhanced quantum key; sending the enhanced quantum key to the terminal; the enhanced quantum key is used for controlling the terminal to encrypt the identity of the user corresponding to the terminal into an identity ciphertext based on the enhanced quantum key; and decrypting the identity ciphertext returned by the terminal according to the enhanced quantum key, and performing identity authentication according to the decryption result to obtain an identity authentication result.
The authentication random number is a random number used for enhancing the authentication quantum key, and can be generated by a random number generator. The enhanced quantum key is obtained by performing key enhancement on the authentication quantum key through the authentication random number. The identity is identification information representing the identity of the user, such as a user account number, an ID, an identity card number, and the like, and when the user and the terminal are bound, the identity may also be identification information of the terminal, such as a Media Access Control Address (MAC Address) of the terminal. The identity ciphertext is ciphertext data obtained by encrypting the identity of the user corresponding to the terminal by using the enhanced quantum key.
Specifically, when the server performs the second identity authentication on the user corresponding to the terminal by using the authentication quantum key, the server may obtain the authentication random number generated by the random number generator to perform key enhancement on the authentication quantum key, and for example, may perform xor processing on the authentication random number and the authentication quantum key to obtain the enhanced quantum key. The server sends the enhanced quantum key to the terminal, after the terminal receives the enhanced quantum key, the terminal encrypts the identity of the user corresponding to the terminal by using the enhanced quantum key to obtain an identity ciphertext, and the identity ciphertext is uploaded to the server. And the server receives the identity ciphertext uploaded by the terminal and decrypts the identity ciphertext by enhancing the quantum key to obtain a decryption result. And the server performs identity authentication based on the decryption result, for example, the identity identification is verified to obtain an identity authentication result.
In the embodiment, the authentication quantum key is subjected to key enhancement through the authentication random number, the terminal encrypts the identity of the user corresponding to the terminal based on the enhanced quantum key to obtain the identity ciphertext, the server decrypts the identity ciphertext uploaded by the terminal according to the enhanced quantum key, and the identity authentication is performed based on the decryption result, so that the identity authentication based on the quantum key is realized, and the security of the identity authentication is ensured.
In one embodiment, obtaining the target storage ciphertext data comprises: determining a data identifier of target data requested by the data sharing request; acquiring target storage ciphertext data corresponding to the target data from the storage ciphertext data according to the data identifier; and the storage ciphertext data is obtained by encrypting the storage data to which the target data belongs through the storage quantum key.
The data identifier is used to distinguish each data, and different data types may correspond to different data identifiers. For example, for archival data, the data identification can be the name, ID, etc. of the archive; for transaction data, the data identification may encode an order corresponding to the transaction. The storage data are all data stored by the server, and the target data requested to be shared by the terminal belong to the storage data, namely the target data are data selected by the terminal from the storage data. The storage ciphertext data is obtained by encrypting the storage data by using the storage quantum key.
Specifically, after the server obtains the identity authentication result, if the identity authentication result is that the authentication is passed, which indicates that the user identity is not abnormal, the server determines the data identifier of the target data requested by the data sharing request. In specific implementation, the server may directly extract the data identifier of the target data from the data sharing request. And the server inquires storage ciphertext data obtained by encrypting the storage data corresponding to the target data by the storage quantum key, and acquires the target storage ciphertext data corresponding to the target data from the storage ciphertext data based on the obtained data identifier. And the target storage ciphertext data is obtained by encrypting the target data based on the storage quantum key. In specific application, the server can obtain the stored ciphertext data, and based on the data identifier of the target data, identifier matching is carried out on the stored ciphertext data, so that the target stored ciphertext data which are matched consistently are obtained from the stored ciphertext data.
In this embodiment, the server encrypts the storage data in advance to obtain storage ciphertext data, obtains target storage ciphertext data corresponding to the target data from the storage ciphertext data through the data identifier of the target data, and encrypts the storage data by using the quantum key, thereby ensuring the security of the data during storage.
In an embodiment, as shown in fig. 3, before obtaining the target storage ciphertext data, the method further includes a step of encrypting the storage data, which specifically includes:
step 302, when the data encryption condition is satisfied, determining sensitive data and non-sensitive data from the stored data.
The data encryption condition is used for triggering encryption of data stored in the server, and the data encryption condition can be set according to actual needs. For example, the data encryption condition may be determined according to the type of the data, such as dividing according to the security level of the data, and for the data with high security level, the encryption may be triggered. The data encryption condition may also be that the server encrypts the stored data when receiving an encryption trigger instruction, for example, receiving an encryption trigger instruction sent by the terminal. The data encryption condition may be considered to satisfy the data encryption condition when the stored data is updated, or the data update time period is reached, or the number of the updated data reaches a preset number threshold, and the stored data is triggered to be encrypted. The stored data are various shared data stored by the server, and the terminal can request the required target data from the stored data to realize sharing. The sensitive data refers to data which may bring serious harm to the society or individuals after being leaked, and specifically may include, but is not limited to, personal privacy data, such as names, identification numbers, addresses, telephones, bank accounts, mailboxes, passwords, medical information, educational backgrounds, and the like; data that is not suitable for publishing by the enterprise or social organization may also be included, such as the business situation of the enterprise, the network structure of the enterprise, an IP (Internet Protocol) address list, and the like. The non-sensitive data is data which can be normally disclosed, such as enterprise report data, official agency announcement data and the like. The storage quantum key is a key which is obtained based on quantum cryptography and used for encrypting data during storage.
Specifically, before the target storage ciphertext data is obtained, the server encrypts various stored shared data in advance based on a quantum cryptography technology. In specific application, the server monitors whether a data encryption condition is met, and when the data encryption condition is met, such as when data updating is detected or a data encryption period is reached, the server determines sensitive data and non-sensitive data from the stored data, and specifically, the stored data can be determined to be the sensitive data or the non-sensitive data according to the data type of the stored data.
And 304, encrypting the sensitive data by storing the quantum key to obtain sensitive ciphertext data.
The sensitive ciphertext data is obtained by encrypting the sensitive data based on the storage quantum key. Specifically, after the server determines the sensitive data in the stored data, the server encrypts the sensitive data through the storage quantum key to obtain sensitive ciphertext data.
And step 306, obtaining storage ciphertext data corresponding to the storage data according to the sensitive ciphertext data and the non-sensitive data.
And after the server encrypts the sensitive data through the storage quantum key to obtain the sensitive ciphertext data, the server obtains the storage ciphertext data corresponding to the storage data according to the sensitive ciphertext data and the non-sensitive data. In specific application, the server can directly combine the sensitive ciphertext data and the non-sensitive data to obtain the storage ciphertext data corresponding to the storage data.
In the embodiment, when the data encryption condition is met, the sensitive data in the storage data is encrypted through the storage quantum key, and the storage ciphertext data corresponding to the storage data is obtained according to the sensitive ciphertext data obtained after encryption and the non-sensitive data in the storage data, so that when the server stores the data, the quantum key is used for encrypting, and the safety of the data storage is ensured.
In one embodiment, the obtaining of the transmission ciphertext data by performing ciphertext conversion on the target storage ciphertext data through the transmission quantum key corresponding to the terminal includes: decrypting the target storage ciphertext data through the storage quantum key to obtain target data; acquiring a transmission quantum key corresponding to a terminal; and encrypting the target data through the transmission quantum key to obtain transmission ciphertext data.
In this embodiment, the target storage ciphertext data is subjected to ciphertext conversion, so that the target storage ciphertext data is converted from being encrypted by the transmission quantum key to be encrypted by the transmission quantum key corresponding to the terminal. Specifically, when ciphertext conversion is performed on target storage ciphertext data, the server acquires a storage quantum key obtained based on a quantum cryptography technology, and decrypts the target storage ciphertext data through the storage quantum key, so that the encrypted target storage ciphertext data is decrypted and restored, and the target data is obtained. The server obtains the transmission quantum key corresponding to the terminal, and specifically, the server may send a transmission key instruction to the terminal to instruct the terminal to upload the transmission quantum key. The server encrypts the target data through the transmission quantum key to obtain transmission ciphertext data, so that ciphertext conversion of target storage ciphertext data is achieved, and the target data is converted from being encrypted through the storage quantum key to being encrypted through the transmission quantum key.
In this embodiment, the target storage ciphertext data is decrypted by the storage quantum key, and after the target data is obtained, the target data is encrypted by the transmission quantum key corresponding to the terminal, so that the transmission ciphertext data is obtained, so that the target data is converted from the encryption by the storage quantum key to the encryption by the transmission quantum key, and the security of the target data in the transmission process is ensured.
In one embodiment, the quantum key-based data sharing method further comprises: when the key is triggered to be updated, acquiring an authentication updating key, storing the updating key and transmitting the updating key; updating the authentication quantum key based on the authentication update key, and updating the storage quantum key based on the storage update key; and sending the transmission updating key to the terminal so that the terminal updates the transmission quantum key based on the transmission updating key.
The authentication updating key is an updating key corresponding to the authentication quantum key, the storage updating key is an updating key corresponding to the storage quantum key, and the transmission updating key is an updating key corresponding to the transmission quantum key. The authentication renewal key, the storage renewal key, and the transmission renewal key may be obtained based on a quantum random number generated by a quantum random number generator.
Specifically, when a key update is triggered, such as when data is updated or a key update cycle is reached, the key update is triggered to update various quantum keys. The server acquires an authentication updating key, a storage updating key and a transmission updating key, and the authentication updating key, the storage updating key and the transmission updating key are obtained based on quantum random numbers generated by a quantum random number generator. The server updates the authentication quantum key based on the authentication update key and updates the storage quantum key based on the storage update key, thereby realizing the updating of the authentication quantum key and the storage quantum key. On the other hand, the server sends the transmission update key to the terminal, and after the terminal receives the transmission update key, the transmission quantum key is updated based on the transmission update key, so that the transmission quantum key is updated.
In this embodiment, when the key update condition is satisfied and the key update is triggered, the authentication quantum key, the storage quantum key, and the transmission quantum key are updated, so that various quantum keys in data sharing are updated, and the security of data sharing can be further ensured.
In an embodiment, the present application further provides an application scenario of archive data sharing, where the application scenario applies the data sharing method based on the quantum key. Specifically, the application of the quantum key-based data sharing method in the application scenario is as follows:
with the widespread application of computer network technology in archives (rooms), digital archives (electronic documents) have become the main mode and important carrier for information transmission, storage and utilization of government departments, so that the utilization efficiency of archive information is greatly improved, and the modern construction of archive management is greatly promoted. At present, most of archive data are mainly shared in two modes for safety reasons, wherein firstly, an artificial mode is adopted to transfer the medium of the archive data, and secondly, an archive management system is adopted to realize the regional sharing of the archive data.
The manual medium transfer mode is adopted, so that the safety is guaranteed, the archive data is huge and various, the manual operation efficiency is low, the requirement of government affairs convenience in the information era cannot be met, and the service capacity of an archive to the citizen is reduced. And the file management system is adopted to realize the services of on-line transfer and sharing of file data, filing and receiving of electronic files, long-term storage system, file inquiry and the like. But in the inquiry service, the system has security problems in identity authentication and data storage and transmission.
As for the identity authentication, generally, a manager at a query point in a village and town can log in a system by means of an account and a password, and the identity authentication in such a manner has certain limitations. On one hand, the password (password) is not long, the password which is too long is not easy to memorize, and meanwhile, the quality is not high (the randomness is not strong), so that the personal important information is often used as the password, the safety intensity is not enough, and the password is easy to be threatened by brute force; on the other hand, the password generally adopts english letters and numbers to form the password, for example, an eight-bit password, and then there are 628 combinations in total, about 218 trillion, which actually is just equivalent to a key with a length of 48 bits, that is, the key with the length can be cracked violently, and there is a certain safety hazard.
In the aspect of data storage and transmission, part of sensitive data may exist in the existing archive management data, and the existing archive management data is not suitable for directly providing query service in plain text; meanwhile, after the inquiry, the data is downloaded to the management terminal in a clear text mode, and the mode completely depends on the safety of the network. Although the tunnel mechanism adopted by the private network can ensure the security of information transmission to a certain extent, all security measures only improve the threshold of security defense, so that the difficulty of implementing attack by an attacker is greatly increased, but the data stealing by the attacker through the attack means of route counterfeiting, IP source address deception, counterfeiting, label packet replay and the like cannot be completely eliminated, and certain potential safety hazards exist.
In the data sharing method based on the quantum key provided in this embodiment, as shown in fig. 4, the archive management server and the terminal may communicate with each other, and the archive management server may provide a regional archive data sharing service for the terminal; the file management server comprises a server bottom layer module and a server key management module which are connected with each other, and the terminal comprises a terminal key management module, a terminal bottom layer module and a Ukey module which are connected in sequence. The server key management module and the terminal key management module can communicate to update the keys for the quantum keys in the Ukey; the server bottom layer module provides bottom layer functions for the server, such as providing a server security suite bottom layer library, and the function realization of the server key management module depends on the server bottom layer module; the terminal bottom layer module provides bottom layer functions for the terminal key management module, for example, a terminal security suite bottom layer library is provided, and the function realization of the terminal key management module depends on the terminal bottom layer module.
The system further comprises a cipher machine module and a quantum key service platform, wherein the cipher machine module is respectively communicated with the server bottom layer module and the quantum key service platform; the quantum key service platform is respectively communicated with the server key management module and the cipher machine module. The password machine module can provide password service for the file management server so as to realize the encryption of the stored file data by the server. The quantum key service platform comprises functional services such as support of cryptographic device certificate issuing service, cryptographic device online management service, quantum key production, quantum key management and the like. The quantum key service platform is connected with the cipher machine module to provide cipher equipment management and quantum key updating for the cipher machine module; the quantum key service platform is also connected with a key management server agent and provides quantum key distribution service; the quantum key service platform is also connected with a quantum key management tool set to provide quantum key management, equipment management initialization and the like; the quantum key service platform is also connected with a quantum key injector service to provide Ukey quantum key off-line updating; the quantum key service platform is also connected with a quantum random number generator to obtain a quantum random number.
Specifically, when the file data are shared, the file management server calls the cipher machine module periodically through the bottom layer module of the server, and the managed file data are encrypted and stored. The terminal initiates a file data sharing request to the file management server, firstly, identity authentication is carried out, and a terminal signature certificate is sent to the file management server. After the archive management server passes the certificate verification and the quantum enhanced identity verification is successful, the encrypted archive data are subjected to ciphertext conversion by using a quantum key of the terminal and adopting a symmetric encryption algorithm, and are sent to the terminal, and the terminal calls a terminal bottom layer module to decrypt the data so that a user can check the data.
Further, the server key management module periodically requests the quantum key service platform according to the set key updating strategy to produce a new quantum key, and sends the quantum key to the server key management module, and the server key management module calls the server bottom layer module to realize updating of the quantum key in the Ukey.
The signature/signature verification process of the existing Public and private Key system is often used for identity authentication, and in this embodiment, a quantum Key-based archive information system identity authentication technology and a quantum Key-based authentication enhancement technology are adopted, so that on the basis of the existing PKI (Public Key Infrastructure) authentication system, identity authentication is performed again through a message authentication code technology based on a quantum Key, thereby achieving heterogeneous enhancement of identity authentication. If the PKI system is unsafe, the quantum authentication enhancement scheme has a secondary security defense effect. Further, in the electronic archive encryption storage technology based on the quantum key in this embodiment, the quantum random number is used as an enhancement factor of the original system key (for example, the simplest enhancement mode is to perform exclusive or with the original key), so as to enhance the key strength, thereby improving the encryption strength. Sensitive archive data stored by a server are encrypted and then stored in a ciphertext mode by adopting a mode of combining a quantum key and a national cryptographic algorithm, so that the data storage safety is ensured; meanwhile, sensitive data is encrypted, so that network query service can be directly provided online, the file query efficiency is improved, and the convenient query requirement of a user is met. In addition, the encryption algorithm and the equipment related in the embodiment follow the relevant password standards, autonomous controllability can be realized, the data safety is guaranteed from the aspect of the algorithm and the equipment, the algorithm cracking risk is reduced, the hidden danger of the back door of the equipment is avoided, and the safety of file data sharing is ensured.
It should be understood that although the various steps in the flow charts of fig. 2-3 are shown in order as indicated by the arrows, the steps are not necessarily performed in order as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least some of the steps in fig. 2-3 may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, which are not necessarily performed in sequence, but may be performed in turn or alternately with other steps or at least some of the other steps.
In one embodiment, as shown in fig. 5, there is provided a quantum key based data sharing apparatus 500, including: an identity authentication module 502, a target ciphertext data acquisition module 504, a ciphertext conversion module 506, and a ciphertext data transmission module 508, wherein:
an identity authentication module 502, configured to perform identity authentication based on an authentication quantum key when receiving a data sharing request uploaded by a terminal, to obtain an identity authentication result;
a target ciphertext data obtaining module 504, configured to obtain target storage ciphertext data when the identity authentication result is that the authentication passes; target storage ciphertext data is obtained by encrypting target data requested by the data sharing request through a storage quantum key;
the ciphertext conversion module 506 is configured to perform ciphertext conversion on the target storage ciphertext data through a transmission quantum key corresponding to the terminal to obtain transmission ciphertext data;
and the ciphertext data transmission module 508 is configured to send the transmission ciphertext data to the terminal, so that the terminal decrypts the transmission ciphertext data according to the transmission quantum key to obtain the target data.
In one embodiment, identity authentication module 502 includes a first identity authentication module, an authentication key determination module, and a second identity authentication module; wherein: the first identity authentication module is used for performing first identity authentication on the basis of a digital certificate of a user corresponding to the data sharing request to obtain a first identity authentication result when the request type of the data sharing request is a dual identity authentication type; the authentication key determining module is used for determining an authentication quantum key when the first identity authentication result is that authentication is passed; and the second identity authentication module is used for performing second identity authentication on the user corresponding to the data sharing request through the authentication quantum key to obtain an identity authentication result.
In one embodiment, the second identity authentication module comprises a key enhancement module, an enhanced key sending module and an identity ciphertext decryption module; wherein: the key enhancement module is used for carrying out key enhancement on the authentication quantum key through the authentication random number to obtain an enhanced quantum key; the enhanced secret key sending module is used for sending the enhanced quantum secret key to the terminal; the enhanced quantum key is used for controlling the terminal to encrypt the identity of the user corresponding to the terminal into an identity ciphertext based on the enhanced quantum key; and the identity ciphertext decryption module is used for decrypting the identity ciphertext returned by the terminal according to the enhanced quantum key and performing identity authentication according to the decryption result to obtain an identity authentication result.
In one embodiment, the target ciphertext data obtaining module 504 may include a data identifier determining module and a data identifier querying module; wherein: the data identification determining module is used for determining the data identification of the target data requested by the data sharing request; the data identification query module is used for acquiring target storage ciphertext data corresponding to the target data from the storage ciphertext data according to the data identification; and the storage ciphertext data is obtained by encrypting the storage data to which the target data belongs through the storage quantum key.
In one embodiment, the system further comprises an encryption triggering module, a sensitive data encryption module and a ciphertext data storage module; wherein: the encryption triggering module is used for determining sensitive data and non-sensitive data from the stored data when the data encryption condition is met; the sensitive data encryption module is used for encrypting the sensitive data through the storage quantum key to obtain sensitive ciphertext data; and the storage ciphertext data module is used for obtaining storage ciphertext data corresponding to the storage data according to the sensitive ciphertext data and the non-sensitive data.
In one embodiment, the ciphertext conversion module 506 includes a ciphertext decryption module, a transmission key determination module, and a transmission encryption module; wherein: the ciphertext decryption module is used for decrypting the target storage ciphertext data through the storage quantum key to obtain the target data; the transmission key determining module is used for acquiring a transmission quantum key corresponding to the terminal; and the transmission encryption module is used for encrypting the target data through the transmission quantum key to obtain transmission ciphertext data.
In one embodiment, the system further comprises an update key acquisition module, a server key update module and a terminal key update module; wherein: the updating key acquisition module is used for acquiring the authentication updating key, the storage updating key and the transmission updating key when the key updating is triggered; the server key updating module is used for updating the authentication quantum key based on the authentication updating key and updating the storage quantum key based on the storage updating key; and the terminal key updating module is used for sending the transmission updating key to the terminal so that the terminal updates the transmission quantum key based on the transmission updating key.
For specific limitations of the quantum key-based data sharing apparatus, reference may be made to the above limitations of the quantum key-based data sharing method, which are not described herein again. The modules in the quantum key-based data sharing device can be wholly or partially implemented by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 6. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used to store various quantum key data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a quantum key based data sharing method.
Those skilled in the art will appreciate that the architecture shown in fig. 6 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
when a data sharing request uploaded by a terminal is received, performing identity authentication based on an authentication quantum key to obtain an identity authentication result;
when the identity authentication result is that the authentication is passed, target storage ciphertext data is obtained; target storage ciphertext data is obtained by encrypting target data requested by the data sharing request through a storage quantum key;
carrying out ciphertext conversion on target storage ciphertext data through a transmission quantum key corresponding to the terminal to obtain transmission ciphertext data;
and sending the transmission ciphertext data to the terminal so that the terminal decrypts the transmission ciphertext data according to the transmission quantum key to obtain the target data.
In one embodiment, the processor, when executing the computer program, further performs the steps of: when the request type of the data sharing request is a dual identity authentication type, performing first identity authentication on the basis of a digital certificate of a user corresponding to the data sharing request to obtain a first identity authentication result; when the first identity authentication result is that authentication is passed, determining an authentication quantum key; and performing second identity authentication on the user corresponding to the data sharing request through the authentication quantum key to obtain an identity authentication result.
In one embodiment, the processor, when executing the computer program, further performs the steps of: carrying out key enhancement on the authentication quantum key through the authentication random number to obtain an enhanced quantum key; sending the enhanced quantum key to the terminal; the enhanced quantum key is used for controlling the terminal to encrypt the identity of the user corresponding to the terminal into an identity ciphertext based on the enhanced quantum key; and decrypting the identity ciphertext returned by the terminal according to the enhanced quantum key, and performing identity authentication according to the decryption result to obtain an identity authentication result.
In one embodiment, the processor, when executing the computer program, further performs the steps of: determining a data identifier of target data requested by the data sharing request; acquiring target storage ciphertext data corresponding to the target data from the storage ciphertext data according to the data identifier; and the storage ciphertext data is obtained by encrypting the storage data to which the target data belongs through the storage quantum key.
In one embodiment, the processor, when executing the computer program, further performs the steps of: when the data encryption condition is met, determining sensitive data and non-sensitive data from the stored data; encrypting the sensitive data by storing the quantum key to obtain sensitive ciphertext data; and obtaining storage ciphertext data corresponding to the storage data according to the sensitive ciphertext data and the non-sensitive data.
In one embodiment, the processor, when executing the computer program, further performs the steps of: decrypting the target storage ciphertext data through the storage quantum key to obtain target data; acquiring a transmission quantum key corresponding to a terminal; and encrypting the target data through the transmission quantum key to obtain transmission ciphertext data.
In one embodiment, the processor, when executing the computer program, further performs the steps of: when the key is triggered to be updated, acquiring an authentication updating key, storing the updating key and transmitting the updating key; updating the authentication quantum key based on the authentication update key, and updating the storage quantum key based on the storage update key; and sending the transmission updating key to the terminal so that the terminal updates the transmission quantum key based on the transmission updating key.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
when a data sharing request uploaded by a terminal is received, performing identity authentication based on an authentication quantum key to obtain an identity authentication result;
when the identity authentication result is that the authentication is passed, target storage ciphertext data is obtained; target storage ciphertext data is obtained by encrypting target data requested by the data sharing request through a storage quantum key;
carrying out ciphertext conversion on target storage ciphertext data through a transmission quantum key corresponding to the terminal to obtain transmission ciphertext data;
and sending the transmission ciphertext data to the terminal so that the terminal decrypts the transmission ciphertext data according to the transmission quantum key to obtain the target data.
In one embodiment, the computer program when executed by the processor further performs the steps of: when the request type of the data sharing request is a dual identity authentication type, performing first identity authentication on the basis of a digital certificate of a user corresponding to the data sharing request to obtain a first identity authentication result; when the first identity authentication result is that authentication is passed, determining an authentication quantum key; and performing second identity authentication on the user corresponding to the data sharing request through the authentication quantum key to obtain an identity authentication result.
In one embodiment, the computer program when executed by the processor further performs the steps of: carrying out key enhancement on the authentication quantum key through the authentication random number to obtain an enhanced quantum key; sending the enhanced quantum key to the terminal; the enhanced quantum key is used for controlling the terminal to encrypt the identity of the user corresponding to the terminal into an identity ciphertext based on the enhanced quantum key; and decrypting the identity ciphertext returned by the terminal according to the enhanced quantum key, and performing identity authentication according to the decryption result to obtain an identity authentication result.
In one embodiment, the computer program when executed by the processor further performs the steps of: determining a data identifier of target data requested by the data sharing request; acquiring target storage ciphertext data corresponding to the target data from the storage ciphertext data according to the data identifier; and the storage ciphertext data is obtained by encrypting the storage data to which the target data belongs through the storage quantum key.
In one embodiment, the computer program when executed by the processor further performs the steps of: when the data encryption condition is met, determining sensitive data and non-sensitive data from the stored data; encrypting the sensitive data by storing the quantum key to obtain sensitive ciphertext data; and obtaining storage ciphertext data corresponding to the storage data according to the sensitive ciphertext data and the non-sensitive data.
In one embodiment, the computer program when executed by the processor further performs the steps of: decrypting the target storage ciphertext data through the storage quantum key to obtain target data; acquiring a transmission quantum key corresponding to a terminal; and encrypting the target data through the transmission quantum key to obtain transmission ciphertext data.
In one embodiment, the computer program when executed by the processor further performs the steps of: when the key is triggered to be updated, acquiring an authentication updating key, storing the updating key and transmitting the updating key; updating the authentication quantum key based on the authentication update key, and updating the storage quantum key based on the storage update key; and sending the transmission updating key to the terminal so that the terminal updates the transmission quantum key based on the transmission updating key.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical storage, or the like. Volatile Memory can include Random Access Memory (RAM) or external cache Memory. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method for quantum key-based data sharing, the method comprising:
when a data sharing request uploaded by a terminal is received, performing identity authentication based on an authentication quantum key to obtain an identity authentication result;
when the identity authentication result is that the authentication is passed, target storage ciphertext data are obtained; the target storage ciphertext data is obtained by encrypting the target data requested by the data sharing request through a storage quantum key;
after the target storage ciphertext data is decrypted through the storage quantum key, a transmission quantum key corresponding to the terminal encrypts a decryption result to obtain transmission ciphertext data;
and sending the transmission ciphertext data to the terminal so that the terminal decrypts the transmission ciphertext data according to the transmission quantum key to obtain the target data.
2. The method of claim 1, wherein performing identity authentication based on the authentication quantum key, and obtaining the identity authentication result comprises:
when the request type of the data sharing request is a dual identity authentication type, performing first identity authentication based on a digital certificate of a user corresponding to the data sharing request to obtain a first identity authentication result;
when the first identity authentication result is that authentication is passed, determining an authentication quantum key;
and performing second identity authentication on the user corresponding to the data sharing request through the authentication quantum key to obtain an identity authentication result.
3. The method according to claim 2, wherein performing the second identity authentication on the user corresponding to the data sharing request through the authentication quantum key to obtain an identity authentication result comprises:
carrying out key enhancement on the authentication quantum key through the authentication random number to obtain an enhanced quantum key;
sending the enhanced quantum key to the terminal; the enhanced quantum key is used for controlling the terminal to encrypt the identity of the user corresponding to the terminal into an identity ciphertext based on the enhanced quantum key;
and decrypting the identity ciphertext returned by the terminal according to the enhanced quantum key, and performing identity authentication according to a decryption result to obtain an identity authentication result.
4. The method of claim 1, wherein obtaining target storage ciphertext data comprises:
determining a data identifier of target data requested by the data sharing request;
acquiring target storage ciphertext data corresponding to the target data from storage ciphertext data according to the data identifier;
and the storage ciphertext data is obtained by encrypting the storage data to which the target data belongs through a storage quantum key.
5. The method of claim 4, further comprising, prior to said obtaining target storage ciphertext data:
when the data encryption condition is met, determining sensitive data and non-sensitive data from the stored data;
encrypting the sensitive data by a storage quantum key to obtain sensitive ciphertext data;
and obtaining storage ciphertext data corresponding to the storage data according to the sensitive ciphertext data and the non-sensitive data.
6. The method according to claim 1, wherein after decrypting the target storage ciphertext data by using the storage quantum key, encrypting a decryption result by using a transmission quantum key corresponding to the terminal to obtain transmission ciphertext data comprises:
decrypting the target storage ciphertext data through the storage quantum key to obtain the target data;
acquiring a transmission quantum key corresponding to the terminal;
and encrypting the target data through the transmission quantum key to obtain transmission ciphertext data.
7. The method of any one of claims 1 to 6, further comprising:
when the key is triggered to be updated, acquiring an authentication updating key, storing the updating key and transmitting the updating key;
updating the authentication quantum key based on the authentication update key, and updating the storage quantum key based on the storage update key;
and sending the transmission updating key to the terminal so that the terminal updates the transmission quantum key based on the transmission updating key.
8. A quantum key based data sharing apparatus, the apparatus comprising:
the identity authentication module is used for carrying out identity authentication based on the authentication quantum key when receiving the data sharing request uploaded by the terminal to obtain an identity authentication result;
the target ciphertext data acquisition module is used for acquiring target storage ciphertext data when the identity authentication result is that the authentication is passed; the target storage ciphertext data is obtained by encrypting the target data requested by the data sharing request through a storage quantum key;
the ciphertext conversion module is used for decrypting the target storage ciphertext data through the storage quantum key and encrypting a decrypted result through a transmission quantum key corresponding to the terminal to obtain transmission ciphertext data;
and the ciphertext data transmission module is used for sending the transmission ciphertext data to the terminal so that the terminal decrypts the transmission ciphertext data according to the transmission quantum key to obtain the target data.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
CN202110239183.2A 2021-03-04 2021-03-04 Data sharing method and device based on quantum key and computer equipment Active CN113067699B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110239183.2A CN113067699B (en) 2021-03-04 2021-03-04 Data sharing method and device based on quantum key and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110239183.2A CN113067699B (en) 2021-03-04 2021-03-04 Data sharing method and device based on quantum key and computer equipment

Publications (2)

Publication Number Publication Date
CN113067699A CN113067699A (en) 2021-07-02
CN113067699B true CN113067699B (en) 2021-12-03

Family

ID=76559633

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110239183.2A Active CN113067699B (en) 2021-03-04 2021-03-04 Data sharing method and device based on quantum key and computer equipment

Country Status (1)

Country Link
CN (1) CN113067699B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113609087A (en) * 2021-08-05 2021-11-05 中科问天量子科技(天津)有限公司 Data sharing method and system based on quantum encryption
CN113849797B (en) * 2021-09-29 2024-09-06 深圳市电子商务安全证书管理有限公司 Method, device, equipment and storage medium for repairing data security hole
CN114244513B (en) * 2021-12-31 2024-02-09 日晷科技(上海)有限公司 Key negotiation method, device and storage medium
CN114465720A (en) * 2022-01-25 2022-05-10 中国工商银行股份有限公司 Key migration method and device, storage medium and electronic equipment
WO2023151427A1 (en) * 2022-02-14 2023-08-17 华为技术有限公司 Quantum key transmission method, device and system
CN114465734B (en) * 2022-04-11 2022-08-02 成方金融科技有限公司 Investor authentication method and storage medium
CN114567447B (en) * 2022-04-26 2022-07-19 佳瑛科技有限公司 Data sharing management method and device based on cloud server
CN115085918B (en) * 2022-06-29 2024-08-16 中国银行股份有限公司 Security authentication method, security authentication device, electronic equipment and computer storage medium
CN116232639B (en) * 2022-12-07 2024-05-03 深圳科盾量子信息科技有限公司 Data transmission method, device, computer equipment and storage medium
CN116318673A (en) * 2023-03-23 2023-06-23 中国工商银行股份有限公司 Processing method, processing system and processing device for out-of-service financial business
CN118568708A (en) * 2024-08-05 2024-08-30 天津润泰科技发展有限公司 Scientific research data management system based on distributed database

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107769913A (en) * 2016-08-16 2018-03-06 广东国盾量子科技有限公司 A kind of communication means and system based on quantum UKey
CN111639361A (en) * 2020-05-15 2020-09-08 中国科学院信息工程研究所 Block chain key management method, multi-person common signature method and electronic device

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110314275A1 (en) * 2010-06-22 2011-12-22 Michael Gopshtein Managing encryption keys
JP5634427B2 (en) * 2012-03-23 2014-12-03 株式会社東芝 KEY GENERATION DEVICE, KEY GENERATION METHOD, AND PROGRAM
CN106295393B (en) * 2015-06-26 2022-02-22 阿里巴巴集团控股有限公司 Electronic prescription operation method, device and system
CN107959566A (en) * 2016-10-14 2018-04-24 阿里巴巴集团控股有限公司 Quantal data key agreement system and quantal data cryptographic key negotiation method
WO2018127118A1 (en) * 2017-01-06 2018-07-12 中国移动通信有限公司研究院 Identity authentication method and device
CN108429615A (en) * 2018-01-10 2018-08-21 如般量子科技有限公司 A kind of Stunnel communication means and Stunnel communication systems based on quantum key
CN109063438A (en) * 2018-08-06 2018-12-21 中钞信用卡产业发展有限公司杭州区块链技术研究院 A kind of data access method, device, local data secure access equipment and terminal
CN110650011B (en) * 2019-10-29 2024-07-26 江苏亨通问天量子信息研究院有限公司 Encryption storage method and encryption storage card based on quantum key
CN111404664B (en) * 2020-02-28 2023-03-14 南京如般量子科技有限公司 Quantum secret communication identity authentication system and method based on secret sharing and multiple mobile devices

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107769913A (en) * 2016-08-16 2018-03-06 广东国盾量子科技有限公司 A kind of communication means and system based on quantum UKey
CN111639361A (en) * 2020-05-15 2020-09-08 中国科学院信息工程研究所 Block chain key management method, multi-person common signature method and electronic device

Also Published As

Publication number Publication date
CN113067699A (en) 2021-07-02

Similar Documents

Publication Publication Date Title
CN113067699B (en) Data sharing method and device based on quantum key and computer equipment
CN111079128B (en) Data processing method and device, electronic equipment and storage medium
CN111431713B (en) Private key storage method and device and related equipment
US20080031458A1 (en) System, methods, and apparatus for simplified encryption
CN112822255B (en) Block chain-based mail processing method, mail sending end, receiving end and equipment
CN103237305B (en) Password protection method for smart card on facing moving terminal
CN107920052B (en) Encryption method and intelligent device
CN109684129B (en) Data backup recovery method, storage medium, encryption machine, client and server
EP2414983B1 (en) Secure Data System
CN108199847B (en) Digital security processing method, computer device, and storage medium
CN105025019A (en) Data safety sharing method
CN110445840B (en) File storage and reading method based on block chain technology
CN114244508B (en) Data encryption method, device, equipment and storage medium
CN102404337A (en) Data encryption method and device
CN104992100A (en) Iris dynamic encryption and decryption system and method for electronic document flowing
CN114154181A (en) Privacy calculation method based on distributed storage
CN111541708B (en) Identity authentication method based on power distribution
CN116709325B (en) Mobile equipment security authentication method based on high-speed encryption algorithm
CN107612691A (en) Authentication information transmission method and device and user information authentication system
CN114866317B (en) Multi-party data security calculation method and device, electronic equipment and storage medium
CN113656818B (en) Trusted-free third party cloud storage ciphertext deduplication method and system meeting semantic security
CN111539032B (en) Electronic signature application system resistant to quantum computing disruption and implementation method thereof
CN110401535B (en) Digital certificate generation, secure communication and identity authentication method and device
CN114553557A (en) Key calling method, key calling device, computer equipment and storage medium
CN116782210B (en) Dynamic encryption key generation method of high-speed encryption algorithm

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant