Disclosure of Invention
The invention provides a quantum bastion machine system that performs identity authentication of each manager or operation and maintenance person of a quantum communication network service station by means of quantum random number keys, so as to ensure information security inside the quantum communication network service station and improve the security of the quantum communication network.
Therefore, the invention adopts the following technical scheme:
a quantum bastion machine system comprises a terminal user, a quantum bastion machine and a quantum communication network server resource;
the quantum bastion machine manages and controls the terminal user's access to the quantum communication network server resource;
the system is further provided with a quantum key issuing center and a quantum key card, wherein the quantum key card is issued to a terminal user after the terminal user has registered with the quantum key issuing center; the quantum key issuing center generates quantum random numbers and issues them, as quantum random number keys, to the quantum key card, to the quantum bastion machine and to the quantum communication network server resource respectively;
the system realizes mutual authentication through the quantum random number key pair shared by a quantum key card and the quantum bastion machine, or by the quantum bastion machine and a quantum communication network server resource, and thereby grants terminal users access to the quantum bastion machine or to the quantum communication network server resources.
Optionally, the terminal users include bastion machine operation and maintenance users and server operation and maintenance users; the quantum communication network server resources are all the servers in the quantum communication network service station that need to be monitored by the quantum bastion machine. Optionally, the quantum key card is a device issued to a legitimate terminal user after authorization by the quantum key issuing center, and includes a CPU, a memory, a storage and an operating system.
When the legitimate terminal user's terminal is a personal computer, the preferred form of the quantum KEY card is a USB KEY or a personal computer motherboard card; when it is a mobile terminal, the preferred form of the quantum KEY card is an SD KEY or a mobile terminal motherboard chip.
The quantum key card ensures the security of the quantum random number key at its source and prevents the key from being stolen or tampered with, thereby ensuring the security of the whole bastion machine system.
Optionally, the system of the present invention further includes a firewall, a switch, and a router, which connect the end user, the quantum bastion machine, and the quantum communication network server resource.
Optionally, the quantum bastion machine includes a security encryption module, a key storage module and an authentication module;
the security encryption module encrypts and decrypts the quantum random number key, ensuring its security during storage and use, and preferably takes the form of a motherboard card;
the key storage module is used for storing the quantum random number key encrypted by the security encryption module;
the authentication module is used for performing mutual authentication between the quantum key card and the quantum bastion machine and between the quantum bastion machine and each server of the quantum communication network server resource.
Optionally, each server in the quantum communication network server resources includes a secure encryption module, a key storage module, and an authentication module;
the security encryption module is used for encrypting and decrypting the quantum random number key to ensure the security of the quantum random number key in the storage and use processes;
the key storage module is used for storing the quantum random number key encrypted by the security encryption module;
the authentication module is used for mutual authentication between the quantum bastion machine and each server of the quantum communication network server resource.
Optionally, the quantum key issuing center generates quantum random numbers through a quantum random number generation server and issues them to each terminal user and the quantum bastion machine, and to the quantum bastion machine and the quantum communication network server resource, respectively, so that each pair holds a shared quantum random number key.
The invention also aims to solve the technical problem of providing an authentication method for the quantum bastion machine system, which comprises the following steps:
S1, the terminal user is connected to the quantum bastion machine, and the quantum bastion machine is connected to the quantum communication network server resource;
S2, the quantum key issuing center issues quantum random number key pairs to the terminal user and the quantum bastion machine, and to the quantum bastion machine and the quantum communication network server resource, respectively;
S3, the terminal user logs in to the quantum bastion machine, and mutual authentication is performed with the quantum random number key pair shared by the terminal user and the quantum bastion machine, or by the quantum bastion machine and the quantum communication network server resource, whereby the corresponding access right is obtained.
Optionally, the quantum key issuing center generates quantum random numbers through a quantum random number generation server and issues them to each terminal user and the quantum bastion machine, and to the quantum bastion machine and the quantum communication network server resource, respectively, so that each pair holds a shared quantum random number key.
Furthermore, the terminal user holds a quantum key card corresponding to the terminal user's identity; the quantum key card is issued to the terminal user after registration with the quantum key issuing center; the quantum key card and the quantum bastion machine share a corresponding quantum random number key, and the quantum bastion machine and the quantum communication network server resource share a corresponding quantum random number key.
Optionally, the authentication request from the terminal user to the quantum bastion machine carries the terminal user's user identification information, and the quantum bastion machine authenticates the request by means of that information; the user identification information comes from the quantum key card corresponding to the terminal user's identity, which is issued to the terminal user after registration with the quantum key issuing center.
Optionally, the terminal users include bastion machine operation and maintenance users and server operation and maintenance users, and the quantum communication network server resources are all servers which need to be monitored by the quantum bastion machine in the quantum communication network service station.
Furthermore, after the terminal user has successfully authenticated with the quantum bastion machine:
when the quantum bastion machine determines that the terminal user is a bastion machine operation and maintenance user, the terminal user performs the corresponding operations on the quantum bastion machine according to the terminal user's role authority;
when the quantum bastion machine determines that the terminal user is a server operation and maintenance user, it determines the server in the quantum communication network server resource that corresponds to the terminal user and all of the terminal user's role authorities on it, authenticates between the quantum bastion machine and that server separately for each of those role authorities, and only after every role authority has been successfully authenticated does the terminal user obtain the right to access that server.
Optionally, the quantum bastion machine includes a security encryption module, a key storage module and an authentication module;
the security encryption module is used for encrypting and decrypting the quantum random number key to ensure the security of the quantum random number key in the storage and use processes;
the key storage module is used for storing the quantum random number key encrypted by the security encryption module;
the authentication module is used for performing mutual authentication between the quantum key card and the quantum bastion machine and between the quantum bastion machine and each server of the quantum communication network server resource.
Optionally, the quantum key issuing center issues the quantum random number key to the quantum bastion machine in one of two modes:
mode a, transmission to the security encryption device via a removable storage medium; or
mode b, direct transmission to the security encryption device over a dedicated communication line;
in both mode a and mode b, the security encryption device encrypts the received quantum random number key and stores it in the key storage module of the quantum bastion machine.
Modes a and b are the local and remote issuing modes by which the quantum key issuing center issues a quantum random number key to the quantum bastion machine; either mode can be selected according to the actual situation.
Optionally, each server in the quantum communication network server resources includes a secure encryption module, a key storage module, and an authentication module;
the security encryption module is used for encrypting and decrypting the quantum random number key to ensure the security of the quantum random number key in the storage and use processes;
the key storage module is used for storing the quantum random number key encrypted by the security encryption module;
the authentication module is used for mutual authentication between the quantum bastion machine and each server of the quantum communication network server resource.
Optionally, the quantum key issuing center issues the quantum random number key to each server in the quantum communication network server resource in one of two modes:
mode a, transmission to the security encryption device via a removable storage medium; or
mode b, direct transmission to the security encryption device over a dedicated communication line;
in both mode a and mode b, the security encryption device encrypts the received quantum random number key and stores it in the key storage module of the respective server in the quantum communication network server resource.
Modes a and b are the local and remote issuing modes by which the quantum key issuing center issues a quantum random number key to each server in the quantum communication network server resource; either mode can be selected according to the actual situation.
When the quantum key issuing center issues keys remotely to the quantum bastion machine or to each server in the quantum communication network server resource, the dedicated communication line is preferably a quantum communication network. The remote issuance of the quantum random number key then depends on the quantum communication network, forming a bastion machine system whose security is ensured by both the quantum random number key and the quantum communication network, with the purpose of protecting the various core devices in the quantum communication network.
In the authentication process, the key used is a quantum random number generated by a quantum random number generation server, that is, a true random number; the whole process uses only a symmetric encryption algorithm and a digest algorithm for identity authentication, entirely dispensing with the asymmetric algorithms used in classical communication, and can therefore resist attacks by a quantum computer on asymmetric algorithms.
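The following Python is an added illustration, not code from the patent, of symmetric-key-plus-digest authentication of the kind described above, together with the server operation and maintenance flow in which the quantum bastion machine must authenticate with every role of a target server before access is granted. The challenge-response exchange, the HMAC-SHA256 digest, the nonce sizes and all identifiers are assumptions; the patent specifies neither the digest nor the message format.

```python
import hashlib
import hmac
import os


def digest_tag(key: bytes, *parts: bytes) -> bytes:
    # Keyed digest over the concatenated message parts. HMAC-SHA256 is an
    # assumption standing in for the patent's unspecified digest algorithm.
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Party:
    """One authentication endpoint: a quantum key card, the quantum bastion
    machine, or the authentication module of one role on one server.

    `keys` maps a peer identifier to the quantum random number key shared
    with that peer, as loaded by the quantum key issuing center.
    """

    def __init__(self, ident: str, keys: dict):
        self.ident = ident
        self.keys = dict(keys)

    def challenge(self) -> bytes:
        return os.urandom(16)

    def respond(self, peer: str, peer_nonce: bytes):
        """Answer a challenge with a fresh nonce and a tag over both nonces."""
        key = self.keys.get(peer)
        if key is None:            # no key issued for this peer: cannot respond
            return None
        my_nonce = os.urandom(16)
        return my_nonce, digest_tag(key, self.ident.encode(), peer_nonce, my_nonce)

    def finish(self, peer: str, peer_nonce: bytes, my_nonce: bytes) -> bytes:
        """Prove our own key knowledge after the peer has proven theirs."""
        return digest_tag(self.keys[peer], self.ident.encode(), peer_nonce, my_nonce)

    def verify(self, peer: str, peer_nonce: bytes, my_nonce: bytes, tag: bytes) -> bool:
        key = self.keys.get(peer)
        if key is None:
            return False
        expected = digest_tag(key, peer.encode(), my_nonce, peer_nonce)
        return hmac.compare_digest(tag, expected)


def mutual_authenticate(initiator: Party, responder: Party) -> bool:
    """Three-message exchange; both sides must hold the same shared key."""
    n_i = initiator.challenge()
    reply = responder.respond(initiator.ident, n_i)
    if reply is None:
        return False
    n_r, tag_r = reply
    if not initiator.verify(responder.ident, n_r, n_i, tag_r):
        return False
    tag_i = initiator.finish(responder.ident, n_r, n_i)
    return responder.verify(initiator.ident, n_i, n_r, tag_i)


def grant_server_access(card: Party, bastion: Party,
                        role_endpoints: dict, user_roles: dict) -> set:
    """Server O&M user flow: the card authenticates with the bastion first; then,
    for each target server, the bastion authenticates with every role the user
    holds there, and the server is granted only if all of them succeed."""
    granted = set()
    if not mutual_authenticate(card, bastion):
        return granted
    for server_id, roles in user_roles.items():
        if roles and all(mutual_authenticate(bastion, role_endpoints[(server_id, r)])
                         for r in roles):
            granted.add(server_id)
    return granted


# Constructed demo keys standing in for quantum random number keys issued by the center.
K_CARD = os.urandom(32)
K_SRV1_ADMIN = os.urandom(32)
K_SRV1_AUDIT = os.urandom(32)


def build_demo():
    card = Party("user-1001", {"bastion": K_CARD})
    bastion = Party("bastion", {"user-1001": K_CARD,
                                "SRV-01/admin": K_SRV1_ADMIN,
                                "SRV-01/audit": K_SRV1_AUDIT})
    endpoints = {
        ("SRV-01", "admin"): Party("SRV-01/admin", {"bastion": K_SRV1_ADMIN}),
        # audit role holds a key the center never issued (constructed failure case)
        ("SRV-01", "audit"): Party("SRV-01/audit", {"bastion": os.urandom(32)}),
    }
    return card, bastion, endpoints
```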
In the quantum bastion machine system of the invention, each end user must hold a quantum key card issued uniformly by a dedicated trusted authority, the quantum key issuing center. The quantum key card is the unique identification of the end user's identity and is also the device that stores the quantum random number key shared by the end user and the quantum bastion machine. The terminal user performs identity authentication with the quantum bastion machine using the shared quantum random number key held in the quantum key card, and the quantum bastion machine and each server in the quantum communication network server resource complete bidirectional identity authentication through the shared quantum random number key issued by the quantum key issuing center. The advantage is that the quantum random number keys representing the identities and authorities of the user side, the quantum bastion machine and the servers in the quantum communication network server resource are all authorized and issued by one dedicated trusted authority, the quantum key issuing center, instead of the quantum bastion machine and each server separately authorizing users' identity information; this achieves uniform management of the roles and authorities of the whole system and ensures the security of internal network communication.
The quantum bastion machine can remotely control the quantum communication network server resources through the quantum communication network, and the safety of the quantum bastion machine is ensured by the quantum communication network, so that the scattered core IT assets can be safely and uniformly controlled.
Detailed Description
The invention is further elucidated with reference to the following figures.
The first embodiment is as follows:
As shown in fig. 1, the system of the present invention mainly includes:
Terminal users, which are mainly divided into bastion machine operation and maintenance users and server operation and maintenance users. A bastion machine operation and maintenance user logs in only to operate the bastion machine; such users include the bastion machine's managers at all levels, auditors at all levels and the like. A server operation and maintenance user can access the quantum communication network server resources and send maintenance and operation instructions to each server; such users include each server's managers at all levels, auditors at all levels and the like.
The quantum bastion machine, a dedicated system that manages and controls server operation and maintenance users' access to the quantum communication network server resources, comprising a strategy management module, a security encryption module, a key storage module, an auditing module, an authentication module and the like. The strategy management module configures the corresponding security strategy and the operation authority each terminal user should have; the security encryption module is mainly used to encrypt and decrypt the quantum random number key, ensuring its security during storage and use, and preferably takes the form of a motherboard card; the key storage module stores the quantum random number key encrypted by the security encryption module; and the auditing module records and audits the operation behaviour of terminal users accessing the quantum bastion machine or the quantum communication network server resources, and can produce statistics, analyses and reports from the resulting records.
The quantum communication network server resource, the collective name for all target devices in the quantum communication network service station that need to be monitored by the quantum bastion machine; in the following embodiments, each server in the quantum communication network server resource that interacts with the bastion machine is referred to simply as a server.
The quantum communication network server resource mainly comprises a main control center, an authentication server, a quantum random number generation server, a quantum random number key storage server, a quantum key distribution server, a quantum key management server and the like. The main control center controls the quantum communication network service station and additionally provides user registration, user access, various cryptographic applications, user information storage, user key storage, user quantum key card issuance and the like; the authentication server mainly completes the identity authentication of accessing users with an authentication protocol, verifying whether a user is a legitimate quantum communication network user; the quantum random number generation server, which the invention preferably uses, generates quantum random numbers that users accessing the quantum communication network obtain in order to form a quantum random number key shared between the user and the quantum communication network service station; the quantum random number key storage server stores the quantum random number keys generated by the quantum random number generation server; the quantum key distribution server performs quantum key distribution so that quantum communication network service stations connected directly or through relays share quantum keys across different locations; and the quantum key management server is responsible for storing, managing and otherwise handling the quantum keys generated by the quantum key distribution server.
It should be emphasized that each server, in addition to its own functional modules, also includes a security encryption module, a key storage module and an authentication module. The security encryption module is the device that performs encryption and decryption operations on the quantum random number key and preferably takes the form of a motherboard card; the key storage module stores and manages the quantum random number key encrypted by the security encryption module and is preferably implemented with any of various databases; and the authentication module performs mutual authentication between the quantum key card and the quantum bastion machine and between the quantum bastion machine and each server of the quantum communication network server resource.
The quantum key issuing center, which internally comprises a quantum random number generation module, an authentication and authorization module, an authority strategy module and the like. The quantum random number generation module, for which the invention preferably uses a quantum random number generation server, is responsible for the generation, storage, management and the like of quantum random numbers; the authentication and authorization module is mainly used to authorize the terminal users of all servers in the quantum communication network service station (including the managers or operation and maintenance personnel of the quantum bastion machine and of the servers in the quantum communication network server resource) and to issue quantum random number keys to every server in the quantum communication network server resource, to the quantum bastion machine and to the terminal users, so as to form shared quantum random number key pairs between each terminal user and the quantum bastion machine and between the quantum bastion machine and the quantum communication network server resource; and the authority strategy module is mainly used to define access roles and authority strategies for the quantum bastion machine, the quantum communication network server resource and the like, to assign roles and authorities to terminal users according to those strategies, and to allocate authorities between the quantum bastion machine and the quantum communication network server resource.
The quantum key card, a device issued to a legitimate terminal user after authorization by the quantum key issuing center. Its internal structure comprises a CPU, a memory, a storage and an operating system, and it can store user information (mainly comprising the user ID, the user's personal information, the current key amount, the key expiration time and the like), the quantum random number key, the encryption strategy and the like. Each holder of a quantum key card has a user ID, i.e. user identification information, that uniquely identifies the holder. When the legitimate user's terminal is a personal computer, the preferred form of the quantum KEY card is a USB KEY or a personal computer motherboard card; when the legitimate user's terminal is a mobile terminal, the preferred form of the quantum KEY card is an SD KEY or a mobile terminal motherboard chip.
Other network equipment, such as the firewall, switch and router that connect the end user, the quantum bastion machine and the quantum communication network server resource.
The quantum bastion machine, as part of the quantum communication network, is connected to the quantum communication network server resource through a switch and other network equipment. When an end user accesses the quantum communication network server resource through a classical network (an internal or external network), the user is first directed to the quantum bastion machine by the firewall policy, and the quantum bastion machine then accesses each server in the quantum communication network server resource on the user's behalf.
The quantum bastion machine can also remotely control the quantum communication network server resources through a quantum communication network.
The second embodiment is as follows:
this embodiment provides an authentication method based on the quantum bastion machine system, which specifically comprises the following steps:
1. Quantum bastion machine deployment
The quantum bastion machine is connected to the quantum communication network server resource in bypass mode through the network equipment. When a terminal user accesses the quantum communication network server resource through a classical network (an internal or external network), the terminal user is directed to the quantum bastion machine by the firewall policy, and the quantum bastion machine then accesses each server in the quantum communication network server resource on the user's behalf.
2. Quantum random number key pair issuance
As shown in fig. 2, the quantum key issuing center is a trusted center that issues quantum random number keys to end users, quantum bastion machines and quantum communication network server resources. End users must go to the quantum key issuing center to obtain their quantum random number keys, whereas quantum bastion machines and quantum communication network server resources can either go to the quantum key issuing center to obtain quantum random number keys or replenish them through remote issuance.
In the invention, the end user and the quantum bastion machine, and the quantum bastion machine and each server in the quantum communication network server resource, need a shared quantum random number key in order to authenticate each other. Therefore, before authentication, quantum random number key pairs must be issued to the end user and the quantum bastion machine, and to the quantum bastion machine and each server in the quantum communication network server resource; this is done by the quantum key issuing center. The specific steps are as follows:
2.1 Process of issuing quantum random number key pairs to end users and the quantum bastion machine
Issuing a quantum random number key to an end user consists of loading information such as the quantum random number key into the end user's quantum key card. Issuing the quantum random number key to the quantum bastion machine ultimately consists of loading information such as the quantum random number key corresponding to that end user into the key storage module of the quantum bastion machine.
The terminal user applies for issuance of the quantum random number key at the acceptance point designated by the quantum key issuing center; the specific process is as follows:
(1) The terminal user brings the relevant materials to the quantum key issuing center and applies for authorization.
(2) The authentication and authorization module of the quantum key issuing center verifies the terminal user's materials, allocates a user ID to the user after verification passes, and records the user's role authority, the ID of the quantum bastion machine the user will log in to, and other information in the authority strategy module.
(3) The authentication and authorization module of the quantum key issuing center obtains the quantity of quantum random number keys specified for the user from the quantum random number generation module, writes the key information, i.e. the user information (mainly comprising the user ID, the user's personal information, the current key amount, the key expiration time and the like), the quantum random number keys, the encryption strategy and the like, into the quantum key card, and issues the quantum key card to the end user.
While completing the issuance of the quantum random number key to the terminal user, the quantum key issuing center also issues the same key information (the user information, the quantum random number key, the encryption strategy and the like) to the quantum bastion machine, so that the quantum bastion machine and the terminal user share the quantum random number key.
The process by which the quantum key issuing center issues the quantum random number key to the quantum bastion machine is of two types:
1. If the data transmission between the quantum bastion machine and the quantum key issuing center is within an acceptable physical distance, the corresponding key information can be copied onto a removable medium at the designated acceptance point of the quantum key issuing center, carried to the quantum bastion machine, encrypted by the security encryption module of the quantum bastion machine and then stored in the key storage module. Such issuance within a metropolitan network is also referred to as local issuance, and the removable medium is preferably a reliable removable hard disk, flash disk or the like held by a trusted person.
2. If the data transmission between the quantum bastion machine and the quantum key issuing center exceeds an acceptable physical distance, or local issuance at the designated acceptance point would cost more than is acceptable, the quantum random number key can be issued to the quantum bastion machine remotely, the key being transmitted over the quantum communication network. The specific process of remote issuance is as follows:
(1) The quantum key issuing center encrypts the key information, i.e. the user information (mainly comprising the user ID, the user's personal information, the current key amount, the key expiration time and the like), the quantum random number key, the encryption strategy and the like, with a quantum key generated by the quantum key distribution server of its local quantum communication network service station to obtain ciphertext data, and sends the ciphertext data. The method of encrypting the quantum random number key with the quantum key is preferably a one-time pad.
(2) The ciphertext data is transmitted over a communication network to the quantum communication network service station local to the quantum bastion machine.
(3) The quantum communication network service station local to the quantum bastion machine decrypts the ciphertext data with the shared quantum key generated by the quantum key distribution server to obtain the key information, and transmits it directly over a secure dedicated line to the security encryption module of the quantum bastion machine, which encrypts the key information and stores it in the key storage module. The secure dedicated line can be protected by special measures, such as hardening the machine room, assigning dedicated personnel, or shortening the length of the line.
(4) Once the key storage module of the quantum bastion machine has successfully stored the key information, a successful-issuance message is returned to the quantum key issuing center.
At this point the quantum key issuing center has completed the issuance of the quantum random number key pair to the quantum bastion machine and the terminal user. The terminal user shares the quantum random number key with the quantum bastion machine through the quantum key card, and the quantum key card is the only credential with which the end user can log in to the quantum bastion machine.
2.2 Process of issuing quantum random number key pairs to the quantum bastion machine and quantum communication network server resources
Before the quantum key issuing center issues quantum random number key pairs to the quantum bastion machine and the quantum communication network server resource, the authority strategy module needs to divide the role authorities of all operation and maintenance accounts of each server in the quantum communication network server resource according to the corresponding strategy, grouping all operation and maintenance accounts of each server into different roles according to their different authorities. The quantum key issuing center issues quantum random number key pairs in units of the roles of the operation and maintenance accounts of each server in the quantum communication network server resource. For example: if the quantum communication network server resource has N target access servers and all operation and maintenance accounts of the ith target access server have

The quantum key issuing center issues to the quantum bastion machine and the quantum communication network server resource, for each role with distinct authority, a shared quantum random number key. The quantum random number key is stored in the key storage modules of the quantum bastion machine and of each server in the quantum communication network server resource.
The process by which the quantum key issuing center issues quantum random number key pairs to the quantum bastion machine and the quantum communication network server resource is likewise divided into local issuance and remote issuance. If the data transmission between the quantum bastion machine, or a certain server in the quantum communication network server resource, and the quantum key issuing center is within an acceptable physical distance, the corresponding quantum random number key can be copied onto a removable medium at the designated acceptance point of the quantum key issuing center, carried to the quantum bastion machine or to that server, encrypted by its security encryption module and then stored in its key storage module. The removable medium is preferably a reliable removable hard disk, flash disk or the like held by a trusted person. If the data transmission between the quantum bastion machine, or a certain server in the quantum communication network server resource, and the quantum key issuing center exceeds an acceptable physical distance, or local issuance at the designated acceptance point would cost more than is acceptable, the quantum random number key can be issued to the quantum bastion machine or to that server remotely, the key being transmitted over the quantum communication network.
In the following, taking remote issuing to the quantum bastion machine and to the quantum communication network server resource as an example, the specific process by which the quantum key issuing center issues a shared quantum random number key to one role of a certain server in the quantum bastion machine or the quantum communication network server resource is described:
1) The permission strategy module in the quantum key issuing center divides all operation and maintenance accounts of each server in the quantum communication network server resource into a plurality of roles according to the corresponding strategy protocol, and assigns a server ID to each server and a role ID to each role of each server. The role authority assignment of each server is thereby completed.
2) The quantum key issuing center obtains a certain amount of quantum random number keys from the quantum random number generation module, encrypts the key information (the server ID, the role ID, the quantum random number keys and the like) using quantum keys generated by a quantum key distribution server in the local quantum communication network service station to obtain ciphertext data, and sends the ciphertext. The method of encrypting the quantum random number key with the quantum key is preferably a one-time pad.
3) The ciphertext data is transmitted through a communication network to the quantum communication network service station local to the quantum bastion machine, or to the quantum communication network service station where the quantum communication network server resource is located.
4) That quantum communication network service station decrypts the ciphertext data using the shared quantum key to obtain the key information, and transmits the key information directly over a secure dedicated line to the security encryption module of the quantum bastion machine or of the server designated by the server ID, where it is encrypted by the security encryption module and then stored in the key storage module.
The quantum random number key pairs of all roles of all servers in the quantum bastion machine and the quantum communication network server resource are issued by this method.
Thus the quantum bastion machine and each server in the quantum communication network server resource share quantum random number keys, and the key shared by the quantum bastion machine with each server is specific to the different roles of that server.
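The remote issuing of steps 1) to 4) can be illustrated with a small simulation. The following is an added example, not code from the patent: it serialises the key information of step 2) (server ID, role ID, quantum random number key) in a constructed wire format, encrypts it under a one-time pad drawn from a simulated store of quantum key material shared by the two service stations, decrypts it at the receiving station, and shows why the pad must never be reused. The record layout, the `QkdPad` class and the pad-offset bookkeeping are assumptions made for the example; the page specifies only that the encryption is preferably a one-time pad using keys from a quantum key distribution server.

```python
import struct

# Constructed wire format (assumption): 4-byte server ID, 4-byte role ID, 2-byte key length, key bytes.
RECORD_HEADER = struct.Struct(">IIH")


def pack_record(server_id: int, role_id: int, key: bytes) -> bytes:
    """Serialise the key information of step 2): server ID, role ID and the random-number key."""
    return RECORD_HEADER.pack(server_id, role_id, len(key)) + key


def unpack_record(data: bytes) -> tuple:
    """Inverse of pack_record; rejects truncated or padded records."""
    if len(data) < RECORD_HEADER.size:
        raise ValueError("record too short")
    server_id, role_id, n = RECORD_HEADER.unpack_from(data)
    if len(data) != RECORD_HEADER.size + n:
        raise ValueError("truncated or oversized record")
    return server_id, role_id, data[RECORD_HEADER.size:]


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR with pad material of exactly the message length."""
    if len(pad) != len(data):
        raise ValueError("one-time pad must be exactly as long as the message")
    return bytes(a ^ b for a, b in zip(data, pad))


class QkdPad:
    """Simulated store of quantum key material at one service station (assumption).
    Both stations hold identical material and consume it in lockstep; bytes once
    taken are zeroised so the same pad bytes can never be handed out twice."""

    def __init__(self, material: bytes):
        self._material = bytearray(material)
        self.offset = 0

    def take(self, n: int) -> bytes:
        if self.offset + n > len(self._material):
            raise RuntimeError("quantum key material exhausted; wait for more QKD output")
        chunk = bytes(self._material[self.offset:self.offset + n])
        self._material[self.offset:self.offset + n] = bytes(n)  # burn the material
        self.offset += n
        return chunk


def issue_remote(pad: QkdPad, server_id: int, role_id: int, key: bytes) -> tuple:
    """Issuing-center side of steps 2) and 3): returns (pad offset used, ciphertext)."""
    plaintext = pack_record(server_id, role_id, key)
    offset = pad.offset
    return offset, otp_xor(plaintext, pad.take(len(plaintext)))


def receive_remote(pad: QkdPad, offset: int, ciphertext: bytes) -> tuple:
    """Remote-station side of step 4): decrypts with the matching pad bytes.
    A mismatched offset means the stores have desynchronised; refusing is safer
    than decrypting with (and thereby reusing) the wrong material."""
    if offset != pad.offset:
        raise RuntimeError("pad desynchronised: refusing to decrypt")
    return unpack_record(otp_xor(ciphertext, pad.take(len(ciphertext))))


def pad_reuse_leaks(pad_bytes: bytes, p1: bytes, p2: bytes) -> bool:
    """Why the pad is one-time: two messages under the same pad leak p1 XOR p2."""
    c1, c2 = otp_xor(p1, pad_bytes), otp_xor(p2, pad_bytes)
    return otp_xor(c1, c2) == otp_xor(p1, p2)


if __name__ == "__main__":
    import secrets
    material = secrets.token_bytes(4096)          # constructed stand-in for QKD output
    center, station = QkdPad(material), QkdPad(material)
    off, ct = issue_remote(center, 1001, 3, secrets.token_bytes(32))
    print(receive_remote(station, off, ct))
```

The two `QkdPad` instances stand for the key distribution servers of the issuing center's station and of the station local to the target server; in the real system the shared material comes from quantum key distribution rather than from a copied byte string. Note that a one-time pad provides confidentiality only; the page relies on the quantum communication network and the secure dedicated line of step 4) for the rest.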
3. Process for logging in to the quantum bastion machine system by a terminal user
Terminal users are divided into two types. The first type is the bastion machine operation and maintenance users, including managers and auditors at all levels of the bastion machine; their target access device is the quantum bastion machine. The second type is the server operation and maintenance users, including administrators at all levels and operation and maintenance personnel at all levels of the servers; their target access devices are the servers in the quantum communication network server resource.
In the invention, a server operation and maintenance user must first log in to the quantum bastion machine, and the quantum bastion machine completes the authentication with each server in the quantum communication network server resource on behalf of the server operation and maintenance user, thereby acquiring the authority to access the corresponding server.
Therefore both the bastion machine operation and maintenance users and the server operation and maintenance users need only complete authentication with the quantum bastion machine, and this authentication is preferably bidirectional identity authentication completed with a shared quantum random number key. The specific process is as follows:
(1) The end user sends the user ID, the IP address and port of the bastion machine being logged in to, the authority information and the like as a request message to the quantum bastion machine through the quantum key card.
(2) After receiving the request message, the quantum bastion machine generates a random number N1 and returns it to the end user.
(3) The end user receives the random number N1. First, the authentication code MAC1 is obtained by passing the quantum random number key K1 shared with the quantum bastion machine and the random number N1 through an authentication function. The end user then generates a random number N2. Finally, the random number N2 and the authentication code MAC1 are returned to the quantum bastion machine.
(4) The quantum bastion machine receives the random number N2 and the authentication code MAC1. First, the quantum bastion machine looks up, by the user ID, the quantum random number key K1' it shares with the end user, and passes K1' and the random number N1 through the authentication function to obtain MAC1'.
MAC1 and MAC1' are compared. If MAC1 = MAC1', the quantum bastion machine has successfully authenticated the end user and returns a message of successful authentication to the end user. If MAC1 ≠ MAC1', the quantum bastion machine has failed to authenticate the end user and returns a message of authentication failure to the end user. If the quantum bastion machine has successfully authenticated the end user, it processes the random number N2 with the authentication function using the quantum random number key K2 shared with the end user to obtain the authentication code MAC2, and returns MAC2 to the end user.
(5) The end user receives the authentication code MAC2 and processes the random number N2 with the authentication function using the quantum random number key K2' shared with the quantum bastion machine to obtain the authentication code MAC2'.
MAC2 and MAC2' are compared. If MAC2 = MAC2', the end user has successfully authenticated the quantum bastion machine and returns a message of successful authentication to the quantum bastion machine. If MAC2 ≠ MAC2', the end user has failed to authenticate the quantum bastion machine and returns a message of authentication failure to the quantum bastion machine.
The authentication function used for generating the authentication code in the present invention is preferably an HMAC algorithm.
The bidirectional identity authentication between the quantum bastion machine and the terminal user is completed through the steps.
After successful authentication, the quantum bastion machine has fully determined the type, role authority and other information of the end user, as shown in figure 3. If the end user is a bastion machine operation and maintenance user, the end user can perform the corresponding secure operations on the quantum bastion machine according to the end user's role authority. If the end user is a server operation and maintenance user, the quantum bastion machine determines from that role authority which role authority the server operation and maintenance user holds on each server in the quantum communication network server resource.
According to the role authorities the server operation and maintenance user holds on the servers, the quantum bastion machine looks up the quantum random number keys shared with the corresponding roles of those servers and completes bidirectional identity authentication with those roles using these keys; successful authentication means that the server operation and maintenance user has obtained permission to access certain functions of the corresponding servers. The authentication process between the quantum bastion machine and one role authority is as follows:
a) After the quantum bastion machine and the server operation and maintenance user have completed identity authentication, the identity of the user, the role authority and other information are determined, including the ID of each server in the quantum communication network server resource that the user may access and the user's role ID on that server.
b) The quantum bastion machine obtains, through the security encryption module, the quantum random number key shared with that server ID and role ID from the key storage module, and sends the server ID, the role ID and the like as a request message to the server corresponding to the server ID through the quantum key card.
c) After receiving the request message, the server generates a random number N3 and returns it to the quantum bastion machine.
d) The quantum bastion machine receives the random number N3. First, the authentication code MAC3 is obtained by passing the quantum random number key K3 shared with that server ID and role ID and the random number N3 through the authentication function. The quantum bastion machine then generates a random number N4. Finally, the random number N4 and the authentication code MAC3 are returned to the server corresponding to the server ID.
e) The server corresponding to the server ID receives the random number N4 and the authentication code MAC3. First, the server looks up the shared quantum random number key K3' by the role ID, and passes K3' and the random number N3 through the authentication function to obtain MAC3'. MAC3 and MAC3' are compared. If MAC3 = MAC3', the server has successfully authenticated the quantum bastion machine and returns a message of successful authentication to the quantum bastion machine. If MAC3 ≠ MAC3', the server has failed to authenticate the quantum bastion machine and returns a message of authentication failure to the quantum bastion machine. If the server has successfully authenticated the quantum bastion machine, it processes the random number N4 with the authentication function using the quantum random number key K4 shared with that role ID to obtain the authentication code MAC4, and returns MAC4 to the quantum bastion machine.
f) The quantum bastion machine receives the authentication code MAC4 and processes the random number N4 with the authentication function using the quantum random number key K4' shared with that role ID to obtain the authentication code MAC4'. MAC4 and MAC4' are compared. If MAC4 = MAC4', the quantum bastion machine has successfully authenticated the server and returns a message of successful authentication to the server. If MAC4 ≠ MAC4', the quantum bastion machine has failed to authenticate the server and returns a message of authentication failure to the server.
g) After the authentication is completed, the server operation and maintenance user can operate the servers in the quantum communication network server resource through the quantum bastion machine according to the appointed authority strategy.
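Steps (1) to (5) between the end user and the quantum bastion machine and steps a) to g) between the quantum bastion machine and a server role are the same challenge-response exchange with the roles of prover and verifier swapped, so one simulation covers both. The following is an added example and not code from the patent: the verifier (the quantum bastion machine in (1)-(5), a server in a)-g)) issues N1, the prover answers with N2 and MAC1 = HMAC(K1, N1), and the verifier answers with MAC2 = HMAC(K2, N2). HMAC-SHA256 as the authentication function, 16-byte nonces, the `Verifier`/`Prover` class names and the use of a (server ID, role ID) tuple as the key-lookup identity for the server case are assumptions of the example; the page says only that the authentication function is preferably HMAC and that the keys are shared quantum random number keys.

```python
import hashlib
import hmac
import secrets


def auth_code(key: bytes, nonce: bytes) -> bytes:
    """The page's authentication function over a challenge nonce. HMAC-SHA256 is an
    assumption; the page specifies only 'preferably an HMAC algorithm'."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Verifier:
    """Issues the first challenge: the quantum bastion machine in (1)-(5), a server in
    a)-g). `keys` maps an identity (user ID, or a (server ID, role ID) pair) to the
    key pair (K1', K2) shared with that identity, as issued by the key issuing center."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.pending = {}          # identity -> outstanding N1

    def challenge(self, identity):
        if identity not in self.keys:
            return None            # no shared key for this ID: reject before doing work
        n1 = secrets.token_bytes(16)
        self.pending[identity] = n1
        return n1

    def verify_and_respond(self, identity, n2: bytes, mac1: bytes):
        n1 = self.pending.pop(identity, None)    # each N1 is usable exactly once
        if n1 is None:
            return None
        k1, k2 = self.keys[identity]
        if not hmac.compare_digest(auth_code(k1, n1), mac1):
            return None            # MAC1 != MAC1': authentication failure
        return auth_code(k2, n2)   # MAC2: proves the verifier holds K2


class Prover:
    """Answers the challenge: the quantum key card in (1)-(5), or the quantum bastion
    machine acting for a server operation and maintenance user in a)-g)."""

    def __init__(self, identity, k1: bytes, k2: bytes):
        self.identity, self.k1, self.k2 = identity, k1, k2
        self.n2 = None

    def respond(self, n1: bytes):
        self.n2 = secrets.token_bytes(16)
        return self.n2, auth_code(self.k1, n1)

    def verify(self, mac2: bytes) -> bool:
        if self.n2 is None:
            return False
        ok = hmac.compare_digest(auth_code(self.k2, self.n2), mac2)
        self.n2 = None
        return ok


def run_mutual_auth(prover: Prover, verifier: Verifier) -> tuple:
    """Runs the full exchange. Returns (verifier accepted prover, prover accepted verifier)."""
    n1 = verifier.challenge(prover.identity)
    if n1 is None:
        return False, False
    n2, mac1 = prover.respond(n1)
    mac2 = verifier.verify_and_respond(prover.identity, n2, mac1)
    if mac2 is None:
        return False, False
    return True, prover.verify(mac2)


def replay_is_rejected(prover: Prover, verifier: Verifier) -> bool:
    """Records one session's (N2, MAC1) and replays it into a fresh session; the fresh
    N1 makes the old MAC1 worthless."""
    n1 = verifier.challenge(prover.identity)
    n2, mac1 = prover.respond(n1)
    verifier.verify_and_respond(prover.identity, n2, mac1)   # legitimate session
    verifier.challenge(prover.identity)                      # attacker obtains a new N1
    return verifier.verify_and_respond(prover.identity, n2, mac1) is None


if __name__ == "__main__":
    # Constructed stand-ins for the issued quantum random number keys.
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    bastion = Verifier({"ops-user-17": (k1, k2)})
    print(run_mutual_auth(Prover("ops-user-17", k1, k2), bastion))      # end user <-> bastion
    k3, k4 = secrets.token_bytes(32), secrets.token_bytes(32)
    server = Verifier({(1001, 3): (k3, k4)})
    print(run_mutual_auth(Prover((1001, 3), k3, k4), server))          # bastion <-> server role
```

Two details follow the page's description and matter in practice: the key used in each direction is distinct (K1 for proving to the verifier, K2 for the verifier proving back), so a MAC1 captured on the wire cannot be reflected as a MAC2, and the verifier computes MAC1' from the nonce it issued rather than from anything the prover sent, so a replayed MAC1 fails against a fresh N1. As in the text, the MAC covers only the nonce; the user ID and port of step (1) are sent in the clear and are not bound by the MAC, which the page does not address.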
The identity authentication that needs to be completed with the shared quantum random number key in the invention is preferably bidirectional identity authentication. However, the present invention is not limited to the two-way authentication described above; one-way authentication may also be used, and all authentication relying on the shared quantum random number key falls within the protection scope of the present invention.
In the invention, remote data communication between any two of the quantum bastion machine, each server in the quantum communication network server resource and the quantum key issuing center can be transmitted in encrypted form through the quantum communication network.
It should be noted that the description of the embodiments of the present invention is for illustration only and is not intended to limit the scope of the claims of the present invention. Meanwhile, any modification, improvement or equivalent replacement of the present invention by a person with ordinary skill in the art belongs to the protection scope of the present invention.