技术领域Technical Field
本申请涉及网络安全领域,更具体而言,涉及一种通信网络的密码设备安全通道协议的抗量子安全增强方法。The present application relates to the field of network security, and more specifically, to a method for enhancing the anti-quantum security of a secure channel protocol of a cryptographic device of a communication network.
背景技术Background Art
以量子计算为代表的算力飞跃,在安全性方面对经典密码学中的相关算法造成较大影响。可以理解地,随着大型量子计算机实现,会对经典密码学中密钥协商、加密、签名等应用产生一定影响。因而提供可抵抗量子计算攻击的密码技术成为亟待解决的问题。The leap in computing power represented by quantum computing has a significant impact on the security of related algorithms in classical cryptography. Understandably, with the realization of large-scale quantum computers, it will have a certain impact on key negotiation, encryption, signature and other applications in classical cryptography. Therefore, providing cryptographic technology that can resist quantum computing attacks has become an urgent problem to be solved.
发明内容Summary of the invention
本申请提供了一种通信网络的密码设备安全通道协议的抗量子安全增强方法。The present application provides a method for enhancing the anti-quantum security of a cryptographic device secure channel protocol of a communication network.
本申请实施方式提供一种通信网络的密码设备安全通道协议的抗量子安全增强方法,所述通信网络包括第一网络设备和第二网络设备,所述方法用于所述第一网络设备,所述方法包括:The embodiment of the present application provides a method for enhancing the quantum security of a cryptographic device secure channel protocol of a communication network, wherein the communication network includes a first network device and a second network device, and the method is used for the first network device, and the method includes:
与所述第二网络设备进行密钥协商得到初始会话密钥;Performing key negotiation with the second network device to obtain an initial session key;
自接入所述第一网络设备的服务节点获取第一量子密钥和量子密钥标识符;Acquire a first quantum key and a quantum key identifier from a service node connected to the first network device;
对所述量子密钥标识符进行后量子密码加密处理得到第一加密结果,并将所述第一加密结果发送给所述第二网络设备;Performing post-quantum cryptographic encryption processing on the quantum key identifier to obtain a first encryption result, and sending the first encryption result to the second network device;
对接收到的由所述第二网络设备发送的第二加密结果进行解密处理得到第二解密结果,所述第二加密结果由所述第二网络设备对第一解密结果进行后量子加密处理得到,所述第一解密结果由所述第二网络设备对第一加密结果进行解密处理得到;decrypting the received second encryption result sent by the second network device to obtain a second decryption result, where the second encryption result is obtained by the second network device performing post-quantum encryption on the first decryption result, and the first decryption result is obtained by the second network device performing decryption on the first encryption result;
根据所述初始会话密钥、所述第一加密结果、所述第二解密结果和所述第一量子密钥生成最终会话密钥,以对所述第一网络设备和所述第二网络设备的通信进行加密。A final session key is generated according to the initial session key, the first encryption result, the second decryption result and the first quantum key to encrypt communication between the first network device and the second network device.
如此,在第一网络设备和第二网络设备的通信过程中,第一网络设备和第二网络设备进行密钥协商获得初始会话密钥。随后,第一网络设备和第二网络设备申请获得量子密钥,并利用后量子密码算法对量子密钥标识符进行加密处理生成能够抵抗量子计算攻击的第一加密结果,后量子密码算法是一系列旨在抵御量子计算攻击的加密算法。接着,第一网络设备通过对第二网络设备发送的第二加密结果进行解密得到第二解密结果。最后,第一网络设备根据初始会话密钥、第一加密结果、第二解密结果和量子密钥生成最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。这样,通过量子密钥分发技术和后量子密码算法增强了第一网络设备申请访问第二网络设备资源的通信过程的抗量子计算攻击能力。In this way, during the communication process between the first network device and the second network device, the first network device and the second network device perform key negotiation to obtain an initial session key. Subsequently, the first network device and the second network device apply for a quantum key, and use a post-quantum cryptographic algorithm to encrypt the quantum key identifier to generate a first encryption result that can resist quantum computing attacks. The post-quantum cryptographic algorithm is a series of encryption algorithms designed to resist quantum computing attacks. Next, the first network device obtains a second decryption result by decrypting the second encryption result sent by the second network device. Finally, the first network device generates a final session key based on the initial session key, the first encryption result, the second decryption result and the quantum key to encrypt the communication between the first network device and the second network device. In this way, the quantum key distribution technology and the post-quantum cryptographic algorithm enhance the ability of the first network device to resist quantum computing attacks in the communication process of applying for access to the resources of the second network device.
在某些实施方式中,所述方法还包括:In certain embodiments, the method further comprises:
与所述第二网络设备进行身份认证,得到所述第二网络设备的第二身份标识。Perform identity authentication with the second network device to obtain a second identity identifier of the second network device.
如此,第一网络设备与第二网络设备进行身份认证,得到第二网络设备的第二身份标识。这样,第一网络设备得到了第二网络设备的第二身份标识,可用于后续进程中生成用于验证消息来源的第一签名消息。In this way, the first network device performs identity authentication with the second network device to obtain the second identity of the second network device. In this way, the first network device obtains the second identity of the second network device, which can be used to generate a first signature message for verifying the source of the message in a subsequent process.
某些实施方式中,所述自接入所述第一网络设备的服务节点获取第一量子密钥和量子密钥标识符,包括:In some implementations, the obtaining the first quantum key and the quantum key identifier from the service node connected to the first network device includes:
利用服务节点对所述第一网络设备的密码模块充注多个密钥;Using a service node to inject multiple keys into a cryptographic module of the first network device;
向所述服务节点发送量子密钥申请,所述量子密钥申请由保护密钥保护,所述保护密钥是从充注到所述密码模块的多个密钥中随机使用的一个;Sending a quantum key application to the service node, wherein the quantum key application is protected by a protection key, and the protection key is a randomly used one from a plurality of keys injected into the cryptographic module;
接收所述服务节点根据所述保护密钥对所述第一量子密钥和所述量子密钥标识符进行加密处理得到的量子密钥加密结果,所述第一量子密钥由接入所述服务节点的第一网络节点产生并分发给所述服务节点,所述量子密钥标识符由所述第一网络节点根据所述第一网络节点的识别码对所述第一量子密钥进行标识得到;receiving a quantum key encryption result obtained by the service node encrypting the first quantum key and the quantum key identifier according to the protection key, where the first quantum key is generated by a first network node connected to the service node and distributed to the service node, and the quantum key identifier is obtained by the first network node identifying the first quantum key according to an identification code of the first network node;
对所述量子密钥加密结果进行解密处理得到所述第一量子密钥和所述量子密钥标识符。The quantum key encryption result is decrypted to obtain the first quantum key and the quantum key identifier.
如此,第一网络设备利用服务节点对第一网络设备的密码模块充注多个密钥。接着,第一网络设备根据接收到的由第二网络设备发送的授权码,向服务节点发送量子密钥申请,量子密钥申请由保护密钥保护,保护密钥是从充注到密码模块的多个密钥中随机使用的一个。然后,第一网络设备接收服务节点根据保护密钥对第一量子密钥进行加密处理得到的量子密钥加密结果,第一量子密钥由接入服务节点的第一网络节点产生并分发给服务节点。最后,第一网络设备对量子密钥加密结果进行解密处理得到第一量子密钥。第一网络设备获得了第一量子密钥和量子密钥标识符,可用于后续生成抗量子计算攻击能力更强的密钥。In this way, the first network device uses the service node to charge multiple keys into the cryptographic module of the first network device. Then, the first network device sends a quantum key application to the service node based on the authorization code received from the second network device. The quantum key application is protected by a protection key, which is a randomly used one of the multiple keys charged into the cryptographic module. Then, the first network device receives the quantum key encryption result obtained by the service node by encrypting the first quantum key according to the protection key. The first quantum key is generated by the first network node accessing the service node and distributed to the service node. Finally, the first network device decrypts the quantum key encryption result to obtain the first quantum key. The first network device obtains the first quantum key and the quantum key identifier, which can be used to subsequently generate keys with stronger resistance to quantum computing attacks.
在某些实施方式中,所述对所述量子密钥标识符进行后量子密码加密处理得到第一加密结果,并将所述第一加密结果发送给所述第二网络设备,包括:In some embodiments, performing post-quantum cryptographic encryption processing on the quantum key identifier to obtain a first encryption result, and sending the first encryption result to the second network device, includes:
对所述量子密钥标识符和所述第一网络设备随机生成的第一随机数进行拼接处理得到第一拼接体;Concatenating the quantum key identifier and a first random number randomly generated by the first network device to obtain a first concatenated body;
对所述第一拼接体和所述初始会话密钥进行异或处理得到第一异或消息;Performing XOR processing on the first concatenated body and the initial session key to obtain a first XOR message;
对所述第一异或消息进行后量子加密处理得到第一加密密钥;Performing post-quantum encryption processing on the first XOR message to obtain a first encryption key;
对所述第一异或消息进行后量子加密封装处理得到第一临时加密结果中的第一封装消息;Performing post-quantum encryption encapsulation processing on the first XOR message to obtain a first encapsulated message in a first temporary encryption result;
对所述量子密钥标识符、所述第一网络设备的第一身份标识和所述第二身份标识进行拼接处理得到第一验证拼接体;Concatenating the quantum key identifier, the first identity of the first network device, and the second identity to obtain a first verification concatenation;
对所述第一验证拼接体进行后量子签名处理得到第一临时加密结果中的第一签名消息;Performing post-quantum signature processing on the first verification splice to obtain a first signature message in a first temporary encryption result;
根据所述初始会话密钥对所述第一临时加密结果进行加密处理得到所述第一加密结果;Encrypting the first temporary encryption result according to the initial session key to obtain the first encryption result;
将所述第一加密结果发送给所述第二网络设备。The first encryption result is sent to the second network device.
如此,第一网络设备对量子密钥标识符和第一网络设备随机生成的第一随机数进行拼接处理得到第一拼接体。接着,第一网络设备对第一拼接体和初始会话密钥进行异或处理得到第一异或消息。然后,第一网络设备对第一异或消息进行后量子加密处理得到第一加密密钥。并且对第一异或消息进行后量子加密封装处理得到第一临时加密结果中的第一封装消息。第一网络设备再对量子密钥标识符、第一网络设备的第一身份标识和第二身份标识进行拼接处理得到第一验证拼接体。并且对第一验证拼接体进行后量子签名处理得到第一临时加密结果中的第一签名消息。随后,第一网络设备根据初始会话密钥对第一临时加密结果进行加密处理得到第一加密结果。最后,第一网络设备将第一加密结果发送给第二网络设备。这样,第一网络设备通过利用量子密钥标识符、随机生成的第一随机数和初始会话密钥获得了具有良好抗量子能力的第一加密密钥,可用于生成后续的最终会话密钥。还生成了可用于验证消息来源和正确性的第一签名消息,用于在传输过程中防止数据被未授权访问和篡改。并且,第一加密结果在初始会话密钥的保护下发送给第二网络设备,增强了第一加密结果的机密性。In this way, the first network device performs a splicing process on the quantum key identifier and the first random number randomly generated by the first network device to obtain a first splicing body. Then, the first network device performs an XOR process on the first splicing body and the initial session key to obtain a first XOR message. Then, the first network device performs a post-quantum encryption process on the first XOR message to obtain a first encryption key. And the first XOR message is subjected to a post-quantum encryption encapsulation process to obtain a first encapsulated message in the first temporary encryption result. The first network device then performs a splicing process on the quantum key identifier, the first identity identifier of the first network device, and the second identity identifier to obtain a first verification splicing body. And the first verification splicing body is subjected to a post-quantum signature process to obtain a first signature message in the first temporary encryption result. Subsequently, the first network device performs an encryption process on the first temporary encryption result according to the initial session key to obtain a first encryption result. Finally, the first network device sends the first encryption result to the second network device. In this way, the first network device obtains a first encryption key with good quantum resistance by using the quantum key identifier, the randomly generated first random number, and the initial session key, which can be used to generate a subsequent final session key. A first signature message is also generated to verify the source and correctness of the message, which is used to prevent unauthorized access and tampering of the data during transmission. In addition, the first encryption result is sent to the second network device under the protection of the initial session key, which enhances the confidentiality of the first encryption result.
在某些实施方式中,所述对接收到的由所述第二网络设备发送的第二加密结果进行解密处理得到第二解密结果,包括:In some implementations, the decrypting the received second encryption result sent by the second network device to obtain the second decryption result includes:
接收所述第二网络设备发送的所述第二加密结果;receiving the second encryption result sent by the second network device;
根据所述初始会话密钥对所述第二加密结果进行解密得到第二临时加密结果;Decrypting the second encryption result according to the initial session key to obtain a second temporary encryption result;
对所述第二临时加密结果进行解密处理得到第二解密结果,所述第二解密结果包括第二加密封装消息和第二签名消息。The second temporary encryption result is decrypted to obtain a second decryption result, where the second decryption result includes a second encrypted encapsulation message and a second signature message.
如此,第一网络设备接收第二网络设备发送的第二加密结果。接着,第一网络设备根据初始会话密钥对第二加密结果进行解密得到第二临时加密结果。并对第二临时加密结果进行解密处理得到第二解密结果,第二解密结果包括第二加密封装消息和第二签名消息。这样,第一网络设备确定了与第二网络设备之间用于通信的通道的可用性,并得到了第二加密封装消息和第二签名消息,可根据第二加密封装消息得到第二加密密钥,用于生成最终会话密钥,第二签名消息可用于验证第二加密结果的正确性。In this way, the first network device receives the second encryption result sent by the second network device. Then, the first network device decrypts the second encryption result according to the initial session key to obtain the second temporary encryption result. The second temporary encryption result is decrypted to obtain the second decryption result, and the second decryption result includes the second encrypted encapsulation message and the second signature message. In this way, the first network device determines the availability of the channel for communication with the second network device, and obtains the second encrypted encapsulation message and the second signature message. The second encryption key can be obtained according to the second encrypted encapsulation message to generate the final session key, and the second signature message can be used to verify the correctness of the second encryption result.
在某些实施方式中,所述方法还包括:In certain embodiments, the method further comprises:
根据所述第二加密封装消息得到第二异或消息;Obtain a second XOR message according to the second encrypted encapsulated message;
对所述第二异或消息进行后量子加密处理得到第二加密密钥;Performing post-quantum encryption processing on the second XOR message to obtain a second encryption key;
对所述第二异或消息和所述初始会话密钥进行异或处理得到第二拼接体;Performing XOR processing on the second XOR message and the initial session key to obtain a second concatenated body;
根据所述第二拼接体得到量子密钥标识符。A quantum key identifier is obtained according to the second spliced body.
如此,第一网络设备根据第二加密封装消息得到第二异或消息。接着,第一网络设备对第二异或消息进行后量子加密处理得到第二加密密钥。第一网络设备再对第二异或消息和初始会话密钥进行异或处理得到第二拼接体。最后,第一网络设备根据第二拼接体得到量子密钥标识符。这样,第一网络设备得到了用于生成最终会话密钥的第二加密密钥,第二加密密钥具有良好的抗量子能力。并得到了量子密钥标识符,能够用于确认第二网络设备收到的量子密钥标识符是正确的。In this way, the first network device obtains the second XOR message according to the second encrypted encapsulated message. Then, the first network device performs post-quantum encryption processing on the second XOR message to obtain the second encryption key. The first network device then performs XOR processing on the second XOR message and the initial session key to obtain the second splice. Finally, the first network device obtains the quantum key identifier according to the second splice. In this way, the first network device obtains the second encryption key used to generate the final session key, and the second encryption key has good quantum resistance. And a quantum key identifier is obtained, which can be used to confirm that the quantum key identifier received by the second network device is correct.
在某些实施方式中,所述方法还包括:In certain embodiments, the method further comprises:
根据所述第二签名消息得到第二验证拼接体;Obtain a second verification concatenation according to the second signature message;
对所述第二签名消息进行后量子密码验签处理,以确认所述第二验证拼接体的正确性,所述第二验证拼接体由所述第二网络设备对所述量子密钥标识符、所述第一身份标识和所述第二身份标识进行拼接处理得到。The second signature message is subjected to post-quantum cryptographic signature verification to confirm the correctness of the second verification splice, where the second verification splice is obtained by splicing the quantum key identifier, the first identity, and the second identity by the second network device.
如此,第一网络设备根据第二签名消息得到第二验证拼接体。并对第二签名消息进行后量子密码验签处理,以确认第二验证拼接体的正确性,第二验证拼接体由第二网络设备对量子密钥标识符、第一身份标识和第二身份标识进行拼接处理得到。这样,通过对第二签名消息进行后量子密码验签处理,确定第一网络设备所接收的第二网络设备发送的量子密钥标识符、第一身份标识和第二身份标识的正确性,为后续的数据传输提供安全保障。In this way, the first network device obtains the second verification splice according to the second signature message. The second signature message is subjected to post-quantum cryptographic signature verification to confirm the correctness of the second verification splice, which is obtained by the second network device splicing the quantum key identifier, the first identity identifier, and the second identity identifier. In this way, by performing post-quantum cryptographic signature verification on the second signature message, the correctness of the quantum key identifier, the first identity identifier, and the second identity identifier sent by the second network device received by the first network device is determined, providing security for subsequent data transmission.
在某些实施方式中,所述根据所述初始会话密钥、所述第一加密结果、所述第二解密结果和所述第一量子密钥生成最终会话密钥,以对所述第一网络设备和所述第二网络设备的通信进行加密,包括:In some embodiments, generating a final session key according to the initial session key, the first encryption result, the second decryption result, and the first quantum key to encrypt communication between the first network device and the second network device includes:
对所述初始会话密钥、所述第一加密密钥、所述第二加密密钥和所述第一量子密钥进行异或处理得到最终会话密钥,以对所述第一网络设备和所述第二网络设备的通信进行加密。The initial session key, the first encryption key, the second encryption key and the first quantum key are XOR-ed to obtain a final session key to encrypt communication between the first network device and the second network device.
如此,第一网络设备对初始会话密钥、第一加密密钥、第二加密密钥和第一量子密钥进行异或处理得到最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。这样,通过使用结合量子密钥分发技术和后量子密码学技术,生成了最终会话密钥,能够增强第一网络设备和第二网络设备间通信的抗量子计算攻击的能力,保护通信过程中传输的数据。In this way, the first network device performs XOR processing on the initial session key, the first encryption key, the second encryption key and the first quantum key to obtain the final session key to encrypt the communication between the first network device and the second network device. In this way, by combining quantum key distribution technology and post-quantum cryptography technology, the final session key is generated, which can enhance the ability of the communication between the first network device and the second network device to resist quantum computing attacks and protect the data transmitted during the communication process.
在某些实施方式中,所述方法还包括:In certain embodiments, the method further comprises:
接收所述第二网络设备发送的第二会话密钥验证消息;Receiving a second session key verification message sent by the second network device;
根据所述最终会话密钥对所述第一验证拼接体进行计算得到第一会话密钥验证消息;Calculating the first verification concatenation according to the final session key to obtain a first session key verification message;
对所述第一会话密钥验证消息和所述第二会话密钥验证消息进行比较处理,以确定所述第一网络设备获得的最终会话密钥和所述第二网络设备获得的最终会话密钥一致。The first session key verification message and the second session key verification message are compared and processed to determine whether a final session key obtained by the first network device is consistent with a final session key obtained by the second network device.
如此,第一网络设备接收第二网络设备发送的第二会话密钥验证消息。接着,第一网络设备再根据最终会话密钥对第一验证拼接体进行计算得到第一会话密钥验证消息。最后,第一网络设备对第一会话密钥验证消息和第二会话密钥验证消息进行比较处理,以确定第一网络设备获得的最终会话密钥和第二网络设备获得的最终会话密钥一致。这样,通过计算得到第一会话密钥验证消息,并与第二会话密钥验证消息进行比较,确定第一网络设备最终得到的最终会话密钥和第二网络设备获得的最终会话密钥是一致的,避免出现通信失败。In this way, the first network device receives the second session key verification message sent by the second network device. Then, the first network device calculates the first verification concatenation according to the final session key to obtain the first session key verification message. Finally, the first network device compares the first session key verification message with the second session key verification message to determine that the final session key obtained by the first network device is consistent with the final session key obtained by the second network device. In this way, by calculating the first session key verification message and comparing it with the second session key verification message, it is determined that the final session key obtained by the first network device is consistent with the final session key obtained by the second network device, thereby avoiding communication failure.
本申请实施方式提供一种通信网络的密码设备安全通道协议的抗量子安全增强方法,所述通信网络包括第一网络设备和第二网络设备,所述方法用于所述第二网络设备,所述方法包括:The embodiment of the present application provides a method for enhancing the anti-quantum security of a cryptographic device secure channel protocol of a communication network, wherein the communication network includes a first network device and a second network device, and the method is used for the second network device, and the method includes:
与所述第一网络设备进行密钥协商得到初始会话密钥;Performing key negotiation with the first network device to obtain an initial session key;
接收所述第一网络设备对量子密钥标识符进行后量子密码加密处理的第一加密结果,所述量子密钥标识符由所述第一网络设备自接入所述第一网络设备的服务节点获取;receiving a first encryption result of post-quantum cryptographic encryption processing performed by the first network device on a quantum key identifier, where the quantum key identifier is obtained by the first network device from a service node connected to the first network device;
对所述第一加密结果进行解密处理得到第一解密结果;Decrypting the first encryption result to obtain a first decryption result;
对所述第一解密结果进行后量子密码加密处理得到第二加密结果,并将所述第二加密结果发送给所述第一网络设备;Performing post-quantum cryptographic encryption processing on the first decryption result to obtain a second encryption result, and sending the second encryption result to the first network device;
根据所述初始会话密钥、所述第一解密结果、所述第二加密结果和第二量子密钥生成最终会话密钥,以对所述第一网络设备和所述第二网络设备的通信进行加密。A final session key is generated according to the initial session key, the first decryption result, the second encryption result and the second quantum key to encrypt communication between the first network device and the second network device.
如此,在第一网络设备和第二网络设备的通信过程中,第一网络设备和第二网络设备进行密钥协商获得初始会话密钥。随后,第一网络设备和第二网络设备申请获得量子密钥,并利用后量子密码算法对量子密钥标识符进行加密处理生成能够抵抗量子计算攻击的第一加密结果,后量子密码算法是一系列旨在抵御量子计算攻击的加密算法。接着,第一网络设备通过对第二网络设备发送的第二加密结果进行解密得到第二解密结果。最后,第一网络设备根据初始会话密钥、第一加密结果、第二解密结果和量子密钥生成最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。这样,通过量子密钥分发技术和后量子密码算法增强了第一网络设备申请访问第二网络设备资源的通信过程的抗量子计算攻击能力。In this way, during the communication process between the first network device and the second network device, the first network device and the second network device perform key negotiation to obtain an initial session key. Subsequently, the first network device and the second network device apply for a quantum key, and use a post-quantum cryptographic algorithm to encrypt the quantum key identifier to generate a first encryption result that can resist quantum computing attacks. The post-quantum cryptographic algorithm is a series of encryption algorithms designed to resist quantum computing attacks. Next, the first network device obtains a second decryption result by decrypting the second encryption result sent by the second network device. Finally, the first network device generates a final session key based on the initial session key, the first encryption result, the second decryption result and the quantum key to encrypt the communication between the first network device and the second network device. In this way, the quantum key distribution technology and the post-quantum cryptographic algorithm enhance the ability of the first network device to resist quantum computing attacks in the communication process of applying for access to the resources of the second network device.
在某些实施方式中,所述方法还包括:In certain embodiments, the method further comprises:
通过预先建立的信道接入第二网络节点;accessing a second network node through a pre-established channel;
加载所述第一网络设备的安全证书或所述第二网络设备的安全证书。Load the security certificate of the first network device or the security certificate of the second network device.
如此,第二网络设备通过预先建立的信道接入第二网络节点。接着,第二网络设备加载所述第一网络设备的安全证书或所述第二网络设备的安全证书。这样,第二网络设备通过信道接入网络节点,可获取第二量子密钥。此外,第二网络设备还获取了安全证书用于对通信过程中传输的数据信息进行加解密。In this way, the second network device accesses the second network node through the pre-established channel. Then, the second network device loads the security certificate of the first network device or the security certificate of the second network device. In this way, the second network device accesses the network node through the channel and can obtain the second quantum key. In addition, the second network device also obtains the security certificate for encrypting and decrypting the data information transmitted during the communication process.
在某些实施方式中,所述方法还包括:In certain embodiments, the method further comprises:
与所述第一网络设备进行身份认证,得到所述第一网络设备的第一身份标识。Perform identity authentication with the first network device to obtain a first identity identifier of the first network device.
如此,第二网络设备与第一网络设备进行身份认证,得到第一网络设备的第一身份标识。这样,第二网络设备得到了第一网络设备的第一身份标识,可用于后续进程中用于对第一签名消息进行验签处理,及生成后续的第二会话密钥验证消息。In this way, the second network device performs identity authentication with the first network device and obtains the first identity of the first network device. In this way, the second network device obtains the first identity of the first network device, which can be used in subsequent processes to verify the signature of the first signature message and generate a subsequent second session key verification message.
在某些实施方式中,所述第一解密结果包括第一加密封装消息,所述方法还包括:In some embodiments, the first decryption result includes a first encrypted encapsulated message, and the method further includes:
根据所述第一加密封装消息得到第一异或消息;Obtain a first XOR message according to the first encrypted encapsulated message;
对所述第一异或消息进行后量子加密处理得到第一加密密钥;Performing post-quantum encryption processing on the first XOR message to obtain a first encryption key;
对所述第一异或消息和所述初始会话密钥获得所述量子密钥标识符。The quantum key identifier is obtained for the first XOR message and the initial session key.
如此,第二网络设备根据第一加密封装消息得到第一异或消息。接着,第二网络设备对第一异或消息进行后量子加密处理得到第一加密密钥。第二网络设备再对第一异或消息和初始会话密钥获得量子密钥标识符。这样,第二网络设备获得了第一加密密钥,能够用于后续生成具有良好抗量子能力的最终会话密钥。并得到了量子密钥标识符,用于后续申请得到第二量子密钥。In this way, the second network device obtains the first XOR message according to the first encrypted encapsulated message. Then, the second network device performs post-quantum encryption processing on the first XOR message to obtain the first encryption key. The second network device then obtains the quantum key identifier for the first XOR message and the initial session key. In this way, the second network device obtains the first encryption key, which can be used to subsequently generate the final session key with good quantum resistance. And obtains the quantum key identifier, which is used to subsequently apply for the second quantum key.
在某些实施方式中,所述第一解密结果包括第一签名消息,所述方法还包括:In some embodiments, the first decryption result includes a first signed message, and the method further includes:
根据所述第一签名消息得到第一验证拼接体;Obtain a first verification splice according to the first signed message;
对所述第一签名消息进行后量子密码验签处理,以确认获得正确的第一验证拼接体,所述第一验证拼接体由所述第二网络设备对所述量子密钥标识符、所述第一身份标识和所述第二网络设备的第二身份标识进行拼接处理得到;Performing post-quantum cryptographic signature verification on the first signature message to confirm that a correct first verification splice is obtained, where the first verification splice is obtained by the second network device splicing the quantum key identifier, the first identity, and the second identity of the second network device;
在所述量子密钥标识符正确的情况下,根据所述量子密钥标识符向所述第二网络节点发送量子密钥申请;When the quantum key identifier is correct, sending a quantum key application to the second network node according to the quantum key identifier;
接收所述第二网络节点根据所述量子密钥申请发送的第二量子密钥。Receive a second quantum key sent by the second network node according to the quantum key application.
如此,第二网络设备根据第一签名消息得到第一验证拼接体。接着,第二网络设备对第一签名消息进行后量子密码验签处理,以确认获得正确的第一验证拼接体,第一验证拼接体由第二网络设备对量子密钥标识符、第一身份标识和第二网络设备的第二身份标识进行拼接处理得到。然后,在获得的量子密钥标识符正确的情况下,第二网络设备根据量子密钥标识符向第二网络节点发送量子密钥申请。最后,第二网络设备接收第二网络节点根据量子密钥申请发送的第二量子密钥。这样,第二网络设备通过对第一签名消息进行后量子密码验签处理,确认接收到的第一网络设备发送的数据信息正确且没有被未授权访问。此外,通过量子密钥标识符向第二网络节点申请得到了与第一量子密钥相匹配的第二量子密钥,第二量子密钥具有良好的抗量子计算攻击能力,能够用于后续生成最终会话密钥。In this way, the second network device obtains the first verification splice according to the first signature message. Then, the second network device performs post-quantum cryptographic signature verification on the first signature message to confirm that the correct first verification splice is obtained. The first verification splice is obtained by the second network device splicing the quantum key identifier, the first identity identifier and the second identity identifier of the second network device. Then, if the obtained quantum key identifier is correct, the second network device sends a quantum key application to the second network node according to the quantum key identifier. Finally, the second network device receives the second quantum key sent by the second network node according to the quantum key application. In this way, the second network device confirms that the data information sent by the first network device is correct and has not been unauthorizedly accessed by performing post-quantum cryptographic signature verification on the first signature message. In addition, a second quantum key matching the first quantum key is obtained by applying to the second network node through the quantum key identifier. The second quantum key has good resistance to quantum computing attacks and can be used to generate the final session key later.
在某些实施方式中,所述对所述第一解密结果进行后量子密码加密处理得到第二加密结果,并将所述第二加密结果发送给所述第一网络设备,包括:In some embodiments, performing post-quantum cryptographic encryption processing on the first decryption result to obtain a second encryption result, and sending the second encryption result to the first network device, includes:
对所述量子密钥标识符和所述第二网络设备随机生成的第二随机数进行拼接处理得到第二拼接体;Concatenating the quantum key identifier and a second random number randomly generated by the second network device to obtain a second concatenated body;
对所述第二拼接体和所述初始会话密钥进行异或处理得到第二异或消息;Performing XOR processing on the second concatenated body and the initial session key to obtain a second XOR message;
对所述第二异或消息进行后量子加密处理得到第二加密密钥;Performing post-quantum encryption processing on the second XOR message to obtain a second encryption key;
对所述第二异或消息进行后量子加密封装处理得到第二临时加密结果中的第二封装消息;Performing post-quantum encryption encapsulation processing on the second XOR message to obtain a second encapsulated message in a second temporary encryption result;
对所述量子密钥标识符、所述第一身份标识和所述第二身份标识进行拼接处理得到第二验证拼接体;Concatenating the quantum key identifier, the first identity identifier, and the second identity identifier to obtain a second verification concatenation;
对所述第二验证拼接体进行后量子签名处理得到第二临时加密结果中的第二签名消息;Performing post-quantum signature processing on the second verification splice to obtain a second signature message in a second temporary encryption result;
根据所述初始会话密钥对所述第二临时加密结果进行加密处理得到所述第二加密结果;Encrypting the second temporary encryption result according to the initial session key to obtain the second encryption result;
将所述第二加密结果发送给所述第一网络设备。The second encryption result is sent to the first network device.
如此,第二网络设备对量子密钥标识符和第二网络设备随机生成的第二随机数进行拼接处理得到第二拼接体。接着,第二网络设备对第二拼接体和初始会话密钥进行异或处理得到第二异或消息。然后,第二网络设备对第二异或消息进行后量子加密处理得到第二加密密钥。并对第二异或消息进行后量子加密封装处理得到第二临时加密结果中的第二封装消息。随后,第二网络设备对量子密钥标识符、第一身份标识和第二身份标识进行拼接处理得到第二验证拼接体。第二网络设备再对第二验证拼接体进行后量子签名处理得到第二临时加密结果中的第二签名消息。随后,第二网络设备根据初始会话密钥对第二临时加密结果进行加密处理得到第二加密结果。最后,第二网络设备将第二加密结果发送给第一网络设备。这样,第二网络设备通过利用量子密钥标识符、随机生成的第二随机数和初始会话密钥获得了具有良好抗量子能力的第二加密密钥,可用于生成后续的最终会话密钥。还生成了可用于验证消息来源和正确性的第二签名消息,用于在传输过程中防止数据被未授权访问和篡改。In this way, the second network device performs a splicing process on the quantum key identifier and the second random number randomly generated by the second network device to obtain a second splicing body. Then, the second network device performs an XOR process on the second splicing body and the initial session key to obtain a second XOR message. Then, the second network device performs a post-quantum encryption process on the second XOR message to obtain a second encryption key. And the second XOR message is subjected to a post-quantum encryption encapsulation process to obtain a second encapsulated message in the second temporary encryption result. Subsequently, the second network device performs a splicing process on the quantum key identifier, the first identity identifier, and the second identity identifier to obtain a second verification splicing body. The second network device then performs a post-quantum signature process on the second verification splicing body to obtain a second signature message in the second temporary encryption result. Subsequently, the second network device performs an encryption process on the second temporary encryption result according to the initial session key to obtain a second encryption result. Finally, the second network device sends the second encryption result to the first network device. In this way, the second network device obtains a second encryption key with good quantum resistance by using the quantum key identifier, the randomly generated second random number, and the initial session key, which can be used to generate a subsequent final session key. A second signature message is also generated that can be used to verify the source and correctness of the message, and is used to prevent unauthorized access and tampering of data during transmission.
在某些实施方式中,所述根据所述初始会话密钥、所述第一解密结果、所述第二加密结果和第二量子密钥生成最终会话密钥,以对所述第一网络设备和所述第二网络设备的通信进行加密,包括:In some embodiments, generating a final session key according to the initial session key, the first decryption result, the second encryption result, and the second quantum key to encrypt communication between the first network device and the second network device includes:
对所述初始会话密钥、所述第一加密密钥、所述第二加密密钥和所述第二量子密钥进行异或处理得到最终会话密钥,以对所述第一网络设备和所述第二网络设备的通信进行加密。The initial session key, the first encryption key, the second encryption key and the second quantum key are XOR-ed to obtain a final session key to encrypt communication between the first network device and the second network device.
如此,第二网络设备对初始会话密钥、第一加密密钥、第二加密密钥和第二量子密钥进行异或处理得到最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。这样,通过使用结合量子密钥分发技术和后量子密码学技术,生成了最终会话密钥,能够增强第一网络设备和第二网络设备间通信的抗量子计算攻击的能力,保护通信过程中传输的数据。In this way, the second network device performs XOR processing on the initial session key, the first encryption key, the second encryption key, and the second quantum key to obtain a final session key to encrypt the communication between the first network device and the second network device. In this way, by combining quantum key distribution technology and post-quantum cryptography technology, the final session key is generated, which can enhance the ability of the communication between the first network device and the second network device to resist quantum computing attacks and protect the data transmitted during the communication process.
在某些实施方式中,所述方法还包括:In certain embodiments, the method further comprises:
根据所述最终会话密钥对所述第二验证拼接体进行加密处理得到第二会话密钥验证消息;Encrypting the second verification concatenation according to the final session key to obtain a second session key verification message;
将所述第二会话密钥验证消息发送给所述第一网络设备,所述第二会话密钥验证消息由所述初始会话密钥进行加密保护。The second session key verification message is sent to the first network device, where the second session key verification message is encrypted and protected by the initial session key.
如此,第二网络设备根据最终会话密钥对第二验证拼接体进行加密处理得到第二会话密钥验证消息。将第二会话密钥验证消息发送给第一网络设备,第二会话密钥验证消息由初始会话密钥进行加密保护。这样,第二网络设备将生成的第二会话密钥验证消息在初始会话密钥的保护下发送给第一网络设备,使第一网络设备能够根据第二会话密钥验证消息验证第一网络设备生成的最终会话密钥和第二网络设备生成的最终会话密钥的一致性。In this way, the second network device encrypts the second verification concatenation according to the final session key to obtain a second session key verification message. The second session key verification message is sent to the first network device, and the second session key verification message is encrypted and protected by the initial session key. In this way, the second network device sends the generated second session key verification message to the first network device under the protection of the initial session key, so that the first network device can verify the consistency of the final session key generated by the first network device and the final session key generated by the second network device according to the second session key verification message.
本申请的实施方式的附加方面和优点将在下面的描述中部分给出,部分将从下面的描述中变得明显,或通过本申请的实施方式的实践了解到。Additional aspects and advantages of the embodiments of the present application will be given in part in the description below, and in part will become apparent from the description below, or will be learned through the practice of the embodiments of the present application.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
本申请的上述和/或附加的方面和优点从结合下面附图对实施方式的描述中将变得明显和容易理解,其中:The above and/or additional aspects and advantages of the present application will become apparent and easily understood from the description of the embodiments in conjunction with the following drawings, in which:
图1是本申请实施方式的方法的流程示意图之一;FIG1 is a schematic diagram of a method according to an embodiment of the present invention;
图2是本申请实施方式的方法的架构图;FIG2 is a schematic diagram of a method according to an embodiment of the present application;
图3是本申请实施方式的方法的信令图;FIG3 is a signaling diagram of a method according to an embodiment of the present application;
图4是本申请实施方式的方法的流程示意图之二;FIG4 is a second flow chart of the method according to the embodiment of the present application;
图5是本申请实施方式的方法的流程示意图之三;FIG5 is a third flow chart of the method according to the embodiment of the present application;
图6是本申请实施方式的方法的流程示意图之四;FIG6 is a fourth flow chart of the method according to an embodiment of the present application;
图7是本申请实施方式的方法的流程示意图之五;FIG7 is a fifth flow chart of a method according to an embodiment of the present application;
图8是本申请实施方式的方法的流程示意图之六;FIG8 is a sixth flow chart of the method according to the embodiment of the present application;
图9是本申请实施方式的方法的流程示意图之七;FIG9 is a seventh flow chart of a method according to an embodiment of the present application;
图10是本申请实施方式的方法的流程示意图之八;FIG10 is a flowchart of an eighth embodiment of the method of the present application;
图11是本申请实施方式的方法的流程示意图之九;FIG11 is a ninth flowchart of a method according to an embodiment of the present application;
图12是本申请实施方式的方法的流程示意图之十;FIG12 is a tenth flowchart of a method according to an embodiment of the present application;
图13是本申请实施方式的方法的流程示意图之十一;FIG13 is a schematic diagram of the eleventh flow chart of the method according to the embodiment of the present application;
图14是本申请实施方式的方法的流程示意图之十二;FIG14 is a twelfth flowchart of a method according to an embodiment of the present application;
图15是本申请实施方式的方法的流程示意图之十三;FIG15 is a thirteenth schematic diagram of a flow chart of a method according to an embodiment of the present application;
图16是本申请实施方式的方法的流程示意图之十四;FIG16 is a fourteenth flowchart of a method according to an embodiment of the present application;
图17是本申请实施方式的方法的流程示意图之十五;FIG17 is a fifteenth flowchart of a method according to an embodiment of the present application;
图18是本申请实施方式的方法的流程示意图之十六;FIG18 is a flowchart of the method according to an embodiment of the present application;
图19是本申请实施方式的方法的流程示意图之十七。FIG. 19 is the seventeenth flowchart of the method according to the embodiment of the present application.
具体实施方式DETAILED DESCRIPTION
下面详细描述本申请的实施方式,实施方式的示例在附图中示出,其中,相同或类似的标号自始至终表示相同或类似的元件或具有相同或类似功能的元件。下面通过参考附图描述的实施方式是示例性的,仅用于解释本申请的实施方式,而不能理解为对本申请的实施方式的限制。The embodiments of the present application are described in detail below, and examples of the embodiments are shown in the accompanying drawings, wherein the same or similar reference numerals represent the same or similar elements or elements having the same or similar functions from beginning to end. The embodiments described below with reference to the accompanying drawings are exemplary and are only used to explain the embodiments of the present application, and cannot be understood as limiting the embodiments of the present application.
以量子计算为代表的算力飞跃,在安全性方面对经典密码学中的相关算法造成较大影响。也就是说,量子计算对经典密码构成了更直接、更紧迫的破解威胁。如Shor量子算法可以在多项式时间内,解决大整数分解和离散对数求解等复杂数学问题,对广泛使用的RSA、ECC、DSA、ElGamal等公钥密码算法进行快速破解。可以理解地,随着大型量子计算机实现,会对经典密码学中密钥协商、加密、签名等应用产生一定影响。The leap in computing power represented by quantum computing has a significant impact on the security of related algorithms in classical cryptography. In other words, quantum computing poses a more direct and urgent threat to classical cryptography. For example, Shor's quantum algorithm can solve complex mathematical problems such as large integer decomposition and discrete logarithm solution in polynomial time, and quickly crack widely used public key cryptographic algorithms such as RSA, ECC, DSA, ElGamal, etc. Understandably, with the realization of large-scale quantum computers, it will have a certain impact on key negotiation, encryption, signature and other applications in classical cryptography.
如此,使用经典密码学算法保护通信过程的互联网的安全深受量子计算攻击的威胁。例如,GM/T0050《密码设备管理 设备管理技术规范》中定义的密码设备安全通道协议,用于密码设备与设备管理中心之间的安全通信。密码设备安全通道协议采用SM2数字签名算法以及SM2非对称加解密算法进行通信双方的身份认证和密钥的交换协商,提供了相对强大的安全性和前向保密性,但SM2仍然属于椭圆曲线算法,缺乏抗量子计算的能力。In this way, the security of the Internet, which uses classical cryptographic algorithms to protect the communication process, is deeply threatened by quantum computing attacks. For example, the cryptographic device secure channel protocol defined in GM/T0050 "Cryptographic Device Management - Technical Specifications for Device Management" is used for secure communication between cryptographic devices and device management centers. The cryptographic device secure channel protocol uses the SM2 digital signature algorithm and the SM2 asymmetric encryption and decryption algorithm to perform identity authentication and key exchange negotiation between the two communicating parties, providing relatively strong security and forward secrecy, but SM2 is still an elliptic curve algorithm and lacks the ability to resist quantum computing.
目前,国际上应对量子计算攻击威胁的技术主要分为两类:一类是针对使用非对称算法进行(对称)密钥协商、再通过对称算法加密传输的场景,研究使用量子密钥分发(Quantum Key Distribution,QKD)网络进行对称密钥协商,保护密钥的安全性;另一类是研究后量子密码算法(Post-Quantum Cryptography,PQC),直接替换现有的非对称算法。量子密钥分发技术利用量子力学原理,能够生成无法被第三方窃取的密钥,确保密钥传输的安全性。它特别适用于密钥交换的场景,可以替代现有的非对称密钥协商算法,如RSA或ECC,以提高密钥的安全性。然而,量子密钥分发技术目前无法完全替代非对称算法的所有应用,例如签名验证、完整性保护和抗抵赖等场景,仍然需要使用非对称算法。At present, the international technologies for dealing with the threat of quantum computing attacks are mainly divided into two categories: one is to use asymmetric algorithms for (symmetric) key negotiation and then encrypt and transmit through symmetric algorithms, and study the use of quantum key distribution (QKD) networks for symmetric key negotiation to protect the security of keys; the other is to study post-quantum cryptography (PQC) algorithms to directly replace existing asymmetric algorithms. Quantum key distribution technology uses the principles of quantum mechanics to generate keys that cannot be stolen by third parties, ensuring the security of key transmission. It is particularly suitable for key exchange scenarios and can replace existing asymmetric key negotiation algorithms, such as RSA or ECC, to improve the security of keys. However, quantum key distribution technology cannot currently completely replace all applications of asymmetric algorithms. For example, scenarios such as signature verification, integrity protection, and non-repudiation still require the use of asymmetric algorithms.
后量子密码算法是基于新的数学难题设计的非对称密码算法,旨在抵御量子计算机可能带来的威胁。NIST已经公布了第一批4种拟标准化的后量子密码算法,包括Kyber、Dilithium、Falcon和SPHINCS+,这些算法覆盖了多种技术路线,以降低单一技术被破解的风险。后量子密码算法理论上可以替代所有非对称算法,并且更加通用。然而,后量子密码算法的安全性仍然依赖于计算难题的复杂度,未来可能面临新的破解方法或随着计算能力的提升而变得不再安全。此外,后量子密码算法标准尚未正式公布,相关产品的生产和认证也需要时间,因此其规模化应用还需要较长的周期。Post-quantum cryptographic algorithms are asymmetric cryptographic algorithms designed based on new mathematical problems, aimed at resisting the possible threats posed by quantum computers. NIST has announced the first batch of four post-quantum cryptographic algorithms to be standardized, including Kyber, Dilithium, Falcon, and SPHINCS+. These algorithms cover a variety of technical routes to reduce the risk of a single technology being cracked. Post-quantum cryptographic algorithms can theoretically replace all asymmetric algorithms and are more general. However, the security of post-quantum cryptographic algorithms still depends on the complexity of computational problems, and may face new cracking methods in the future or become unsafe as computing power increases. In addition, the post-quantum cryptographic algorithm standard has not yet been officially announced, and the production and certification of related products also take time, so its large-scale application still requires a long period of time.
后量子密码算法和量子密钥分发技术均有抵御量子计算攻击的能力,但各自都有局限性,因而提供成本相对较低并具有较高安全性的可抵抗量子计算攻击的密码技术成为亟待解决的问题。Both post-quantum cryptographic algorithms and quantum key distribution technologies have the ability to resist quantum computing attacks, but each has its limitations. Therefore, providing relatively low-cost and highly secure cryptographic technology that can resist quantum computing attacks has become an urgent problem to be solved.
基于上述的问题,请参阅图1,本申请实施方式提供一种通信网络的密码设备安全通道协议的抗量子安全增强方法,通信网络包括第一网络设备和第二网络设备,方法用于第一网络设备,方法包括:Based on the above problems, please refer to FIG1 . An embodiment of the present application provides a method for enhancing the anti-quantum security of a cryptographic device secure channel protocol of a communication network. The communication network includes a first network device and a second network device. The method is used for the first network device. The method includes:
011:与第二网络设备进行密钥协商得到初始会话密钥;011: Perform key negotiation with the second network device to obtain an initial session key;
012:自接入第一网络设备的服务节点获取第一量子密钥和量子密钥标识符;012: Obtaining a first quantum key and a quantum key identifier from a service node connected to the first network device;
013:对量子密钥标识符进行后量子密码加密处理得到第一加密结果,并将第一加密结果发送给第二网络设备;013: Perform post-quantum cryptographic encryption processing on the quantum key identifier to obtain a first encryption result, and send the first encryption result to the second network device;
014:对接收到的由第二网络设备发送的第二加密结果进行解密处理得到第二解密结果;014: decrypting the second encryption result received and sent by the second network device to obtain a second decryption result;
015:根据初始会话密钥、第一加密结果、第二解密结果和第一量子密钥生成最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。015: Generate a final session key according to the initial session key, the first encryption result, the second decryption result and the first quantum key to encrypt the communication between the first network device and the second network device.
本申请实施方式还提供了一种第一网络设备,包括存储器和处理器。本申请实施方式的方法可以由本申请实施方式的第一网络设备实现。具体地,存储器中存储有计算机程序,处理器用于与第二网络设备进行密钥协商得到初始会话密钥,及自接入第一网络设备的服务节点获取第一量子密钥和量子密钥标识符。以及对量子密钥标识符进行后量子密码加密处理得到第一加密结果,并将第一加密结果发送给第二网络设备。处理器还用于对接收到的由第二网络设备发送的第二加密结果进行解密处理得到第二解密结果。处理器还用于根据初始会话密钥、第一加密结果、第二解密结果和第一量子密钥生成最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。The embodiment of the present application also provides a first network device, including a memory and a processor. The method of the embodiment of the present application can be implemented by the first network device of the embodiment of the present application. Specifically, a computer program is stored in the memory, and the processor is used to negotiate a key with the second network device to obtain an initial session key, and obtain a first quantum key and a quantum key identifier from a service node connected to the first network device. And the quantum key identifier is subjected to post-quantum cryptographic encryption processing to obtain a first encryption result, and the first encryption result is sent to the second network device. The processor is also used to decrypt the second encryption result received by the second network device to obtain a second decryption result. The processor is also used to generate a final session key based on the initial session key, the first encryption result, the second decryption result and the first quantum key to encrypt the communication between the first network device and the second network device.
本申请实施方式还提供了一种第一网络设备抗量子安全增强装置。本申请实施方式的方法可以由本申请实施方式的第一网络设备抗量子安全增强装置实现。具体地,第一网络设备抗量子安全增强装置包括协商模块、获取模块、加密模块、解密模块和派生模块。协商模块用于与第二网络设备进行密钥协商得到初始会话密钥。获取模块用于自接入第一网络设备的服务节点获取第一量子密钥和量子密钥标识符。加密模块用于对量子密钥标识符进行后量子密码加密处理得到第一加密结果,并将第一加密结果发送给第二网络设备。解密模块用于对接收到的由第二网络设备发送的第二加密结果进行解密处理得到第二解密结果。派生模块用于根据初始会话密钥、第一加密结果、第二解密结果和第一量子密钥生成最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。The embodiment of the present application also provides a first network device anti-quantum security enhancement device. The method of the embodiment of the present application can be implemented by the first network device anti-quantum security enhancement device of the embodiment of the present application. Specifically, the first network device anti-quantum security enhancement device includes a negotiation module, an acquisition module, an encryption module, a decryption module and a derivation module. The negotiation module is used to negotiate a key with the second network device to obtain an initial session key. The acquisition module is used to obtain a first quantum key and a quantum key identifier from a service node connected to the first network device. The encryption module is used to perform post-quantum cryptographic encryption processing on the quantum key identifier to obtain a first encryption result, and send the first encryption result to the second network device. The decryption module is used to decrypt the second encryption result received by the second network device to obtain a second decryption result. The derivation module is used to generate a final session key based on the initial session key, the first encryption result, the second decryption result and the first quantum key to encrypt the communication between the first network device and the second network device.
本申请提供了一种基于密码设备安全通道协议的通信系统,通信系统包括上述实施方式的第一网络设备、第二网络设备和量子密钥分发网络,量子密钥分发网络被配置为向第一网络设备或第二网络设备分发量子密钥。The present application provides a communication system based on a cryptographic device secure channel protocol, the communication system comprising a first network device, a second network device and a quantum key distribution network of the above-mentioned implementation mode, the quantum key distribution network being configured to distribute quantum keys to the first network device or the second network device.
具体地,量子密钥分发网络包括网络节点、量子网络链路控制中心,网络节点在量子密钥分发网络中用于存储和分发量子密钥。量子网络链路中心能够按照网络节点的名称建立网络节点间的量子密钥分发及中继链路,量子密钥分发及中继链路用于数据中转等功能。量子密钥分发网络用于实现量子密钥生成、量子密钥中继、量子密钥提供等服务。Specifically, the quantum key distribution network includes network nodes and a quantum network link control center. Network nodes are used to store and distribute quantum keys in the quantum key distribution network. The quantum network link center can establish quantum key distribution and relay links between network nodes according to the names of network nodes. Quantum key distribution and relay links are used for functions such as data transfer. The quantum key distribution network is used to realize services such as quantum key generation, quantum key relay, and quantum key provision.
请参阅图2,在某些实施方式中,第一网络设备和第二网络设备通过安全通道进行通信,安全通道是指一个加密的通信路径,用于在第一网络设备和第二网络设备之间安全地传输数据、指令和控制信息。这个通道确保了数据在传输过程中的机密性、完整性和真实性,防止未授权访问和数据泄露。第一网络设备接入一个服务节点,这个服务节点是第一网络设备用于与网络节点连接的中转站,用于充注密钥给第一网络设备和中转、存储量子密钥。当第一网络设备发送量子密钥申请后,网络节点将量子密钥分发网络产生的量子密钥发送给接入第一网络设备的服务节点,服务节点再将量子密钥发送给第一网络设备。第一网络设备和第二网络设备获取量子密钥的简单过程如下:首先,第一网络设备向接入第一网络设备的服务节点发送量子密钥申请。然后,服务节点向接入服务节点的第一网络节点申请量子密钥。接着,第一网络节点将根据量子密钥申请生成的量子密钥,分发给服务节点,服务节点再将量子密钥分发给第一网络设备。同时,量子网络链路控制中心同步使接入第二网络设备的第二网络节点产生量子密钥,但该量子密钥不会立即分发给接入第二网络设备,而是先存储在网络节点中。上述的第一网络设备、第二网络设备、服务节点和网络节点的对应关系均由管控平台提供Please refer to Figure 2. In some embodiments, the first network device and the second network device communicate through a secure channel. The secure channel refers to an encrypted communication path for securely transmitting data, instructions and control information between the first network device and the second network device. This channel ensures the confidentiality, integrity and authenticity of the data during transmission, and prevents unauthorized access and data leakage. The first network device accesses a service node, which is a transfer station for the first network device to connect to the network node, and is used to inject keys into the first network device and transfer and store quantum keys. When the first network device sends a quantum key application, the network node sends the quantum key generated by the quantum key distribution network to the service node connected to the first network device, and the service node sends the quantum key to the first network device. The simple process of the first network device and the second network device obtaining the quantum key is as follows: First, the first network device sends a quantum key application to the service node connected to the first network device. Then, the service node applies for a quantum key from the first network node connected to the service node. Then, the first network node distributes the quantum key generated according to the quantum key application to the service node, and the service node distributes the quantum key to the first network device. At the same time, the quantum network link control center synchronizes the second network node connected to the second network device to generate a quantum key, but the quantum key will not be immediately distributed to the second network device, but will be stored in the network node first. The corresponding relationship between the first network device, the second network device, the service node and the network node is provided by the management and control platform.
需要说明地,本申请实施方式以FIPS203 Module-Lattice-based Key-Encapsulation Mechanism Standard作为PQC密钥封装算法,采用FIPS 204 Module-Lattice-Based Digital Signature Standard作为PQC数字签名算法为例进行解释说明,以下和PQC算法相关操作描述均参见以上FIPS标准。当然,在其他实施方式中,也可采用NewHope算法、Sidh算法、HQC算法等其他算法作为PQC的相关算法。还需说明的是,本申请的实施例针对GM/T0050《密码设备管理 设备管理技术规范》中定义的密码设备安全通道协议,以下简称安全通道协议。It should be noted that the implementation method of this application uses FIPS203 Module-Lattice-based Key-Encapsulation Mechanism Standard as the PQC key encapsulation algorithm and FIPS 204 Module-Lattice-Based Digital Signature Standard as the PQC digital signature algorithm for example for explanation and explanation. The following descriptions of operations related to the PQC algorithm refer to the above FIPS standard. Of course, in other implementations, other algorithms such as the NewHope algorithm, the Sidh algorithm, the HQC algorithm, etc. can also be used as PQC related algorithms. It should also be noted that the embodiments of this application are directed to the cryptographic device secure channel protocol defined in GM/T0050 "Cryptographic Device Management - Technical Specifications for Device Management", hereinafter referred to as the secure channel protocol.
具体地,第一网络设备和第二网络设备进行密钥协商,二者都得到初始会话密钥。接着,第一网络设备向接入到第一网络设备的第一网络节点发送量子密钥申请,然后从第一网络节点中第一量子密钥和量子密钥标识符,第一量子密钥和量子密钥标识符可用于生成具有抗量子计算攻击的密钥,量子密钥标识符有助于使用和管理量子密钥。在获得第一量子密钥和量子密钥标识符后,第一网络设备对量子密钥标识符进行后量子密码加密处理得到第一加密结果,并将第一加密结果发送给第二网络设备。通过对量子密钥标识符进行后量子密码加密处理的方式,将量子密钥分发技术与后量子密码算法结合使用提升密钥的复杂性,并将加密结果发送给第二网络设备共享以使第一网络设备和第二网络设备在通信网络中的通信数据保持一致。Specifically, the first network device and the second network device perform key negotiation, and both obtain an initial session key. Next, the first network device sends a quantum key application to the first network node connected to the first network device, and then obtains a first quantum key and a quantum key identifier from the first network node. The first quantum key and the quantum key identifier can be used to generate a key that is resistant to quantum computing attacks, and the quantum key identifier helps to use and manage the quantum key. After obtaining the first quantum key and the quantum key identifier, the first network device performs post-quantum cryptographic encryption processing on the quantum key identifier to obtain a first encryption result, and sends the first encryption result to the second network device. By performing post-quantum cryptographic encryption processing on the quantum key identifier, the quantum key distribution technology is combined with the post-quantum cryptographic algorithm to improve the complexity of the key, and the encryption result is sent to the second network device for sharing so that the communication data of the first network device and the second network device in the communication network remain consistent.
然后,第二网络设备接收到第一网络设备发送的第一加密结果,对第一加密结果进行解密处理获得第一解密结果。第二网络设备再对第一解密结果进行后量子密码加密处理得到第二加密结果。在获得第二加密结果后,第二网络设备将第二加密结果发送给第一网络设备以使第一网络设备也能共享第二网络设备信息及生成的密钥。第二网络设备再根据初始会话密钥、第一解密结果、第二加密结果和第二量子密钥生成最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。Then, the second network device receives the first encryption result sent by the first network device, and decrypts the first encryption result to obtain the first decryption result. The second network device then performs post-quantum cryptographic encryption on the first decryption result to obtain the second encryption result. After obtaining the second encryption result, the second network device sends the second encryption result to the first network device so that the first network device can also share the second network device information and the generated key. The second network device then generates a final session key based on the initial session key, the first decryption result, the second encryption result and the second quantum key to encrypt the communication between the first network device and the second network device.
同时,第一网络设备接收第二网络设备发送的第二加密结果,并对第二加密结果进行解密处理得到第二解密结果。第一网络设备再根据初始会话密钥、第一加密结果、第二解密结果和第一量子密钥生成最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。At the same time, the first network device receives the second encryption result sent by the second network device, and decrypts the second encryption result to obtain a second decryption result. The first network device then generates a final session key based on the initial session key, the first encryption result, the second decryption result and the first quantum key to encrypt the communication between the first network device and the second network device.
以下以一个示例对本申请实施方式的方法进行说明,在本申请所举实施例中,第一网络设备为被管密码设备,以下简称密码设备。密码设备通过运行于密码设备上的设备管理代理与设备管理中心进行消息交互,需要强调的是,本申请所举实施例中,密码设备与设备管理中心的通信都是通过运行密码设备上的设备管理代理完成的。第二网络设备为设备管理中心,设备管理中心用于查询密码设备的基本配置和运行信息,并向密码设备发送具体的管理指令。量子网络节点为网络节点,量子网络节点存储并通过可信信道对设备管理中心提供生成的量子密钥或通过密钥服务节点对密码设备提供生成的量子密钥。密钥服务节点为服务节点,密钥服务节点用于连接量子网络节点,为多个密码设备提供预共享密钥充注和量子密钥服务。The following is an example to illustrate the method of implementing the present application. In the embodiments of the present application, the first network device is a managed cryptographic device, hereinafter referred to as the cryptographic device. The cryptographic device exchanges messages with the device management center through the device management agent running on the cryptographic device. It should be emphasized that in the embodiments of the present application, the communication between the cryptographic device and the device management center is completed by running the device management agent on the cryptographic device. The second network device is the device management center, which is used to query the basic configuration and operation information of the cryptographic device and send specific management instructions to the cryptographic device. The quantum network node is a network node, which stores and provides the generated quantum key to the device management center through a trusted channel or provides the generated quantum key to the cryptographic device through a key service node. The key service node is a service node, which is used to connect to the quantum network node and provide pre-shared key injection and quantum key services for multiple cryptographic devices.
请参阅图3,密码设备和设备管理中心按照安全通道协议流程进行密钥协商,二者都得到双方共享的初始会话密钥H1,即安全通道协议中的会话密钥。接着,密码设备向接入到密码设备的第一量子网络节点发送量子密钥申请,然后从第一量子网络节点中第一量子密钥QK_UUID-1和量子密钥标识符UUID_QK,第一量子密钥QK_UUID-1和量子密钥标识符UUID_QK可用于生成具有抗量子计算攻击的密钥,量子密钥标识符UUID_QK有助于使用和管理量子密钥。在获得第一量子密钥QK_UUID-1和量子密钥标识符UUID_QK后,密码设备对量子密钥标识符UUID_QK进行后量子密码加密处理得到第一加密结果,并将第一加密结果发送给设备管理中心。通过对量子密钥标识符UUID_QK进行后量子密码加密处理的方式,将量子密钥分发技术与后量子密码算法结合使用提升密钥的复杂性,并将加密结果发送给设备管理中心共享以使密码设备和设备管理中心在通信网络中的通信数据保持一致。Please refer to Figure 3. The cryptographic device and the device management center perform key negotiation according to the secure channel protocol process, and both obtain the initial session key H1 shared by both parties, that is, the session key in the secure channel protocol. Next, the cryptographic device sends a quantum key application to the first quantum network node connected to the cryptographic device, and then obtains the first quantum key QK_UUID-1 and the quantum key identifier UUID_QK from the first quantum network node. The first quantum key QK_UUID-1 and the quantum key identifier UUID_QK can be used to generate a key that is resistant to quantum computing attacks, and the quantum key identifier UUID_QK helps to use and manage quantum keys. After obtaining the first quantum key QK_UUID-1 and the quantum key identifier UUID_QK, the cryptographic device performs post-quantum cryptographic encryption on the quantum key identifier UUID_QK to obtain a first encryption result, and sends the first encryption result to the device management center. By performing post-quantum cryptographic encryption on the quantum key identifier UUID_QK, the quantum key distribution technology is combined with the post-quantum cryptographic algorithm to improve the complexity of the key, and the encryption result is sent to the device management center for sharing to keep the communication data between the cryptographic device and the device management center consistent in the communication network.
然后,设备管理中心接收到密码设备发送的第一加密结果,对第一加密结果进行解密处理获得第一解密结果。设备管理中心再对第一解密结果进行后量子密码加密处理得到第二加密结果。在获得第二加密结果后,设备管理中心将第二加密结果发送给密码设备以使密码设备也能共享设备管理中心信息及生成的密钥。设备管理中心再根据初始会话密钥H1、第一解密结果、第二加密结果和第二量子密钥生成最终会话密钥,以对密码设备和设备管理中心的通信进行加密。Then, the device management center receives the first encryption result sent by the cryptographic device, and decrypts the first encryption result to obtain the first decryption result. The device management center then performs post-quantum cryptographic encryption on the first decryption result to obtain the second encryption result. After obtaining the second encryption result, the device management center sends the second encryption result to the cryptographic device so that the cryptographic device can also share the device management center information and the generated key. The device management center then generates the final session key based on the initial session key H1, the first decryption result, the second encryption result and the second quantum key to encrypt the communication between the cryptographic device and the device management center.
同时,密码设备接收设备管理中心发送的第二加密结果,并对第二加密结果进行解密处理得到第二解密结果。密码设备再根据初始会话密钥H1、第一加密结果、第二解密结果和第一量子密钥QK_UUID-1生成最终会话密钥,以对密码设备和设备管理中心的通信进行加密。At the same time, the cryptographic device receives the second encryption result sent by the device management center, and decrypts the second encryption result to obtain a second decryption result. The cryptographic device then generates a final session key based on the initial session key H1, the first encryption result, the second decryption result and the first quantum key QK_UUID-1 to encrypt the communication between the cryptographic device and the device management center.
综上所述,本申请实施方式的通信网络的密码设备安全通道协议的抗量子安全增强方法、通信系统、第一网络设备和第二网络设备中,对于第一网络设备和第二网络设备的通信过程,第一网络设备和第二网络设备进行密钥协商获得初始会话密钥。随后,第一网络设备和第二网络设备申请获得量子密钥,并利用后量子密码算法对量子密钥标识符进行加密处理生成能够抵抗量子计算攻击的第一加密结果,后量子密码算法是一系列旨在抵御量子计算攻击的加密算法。接着,第一网络设备通过对第二网络设备发送的第二加密结果进行解密得到第二解密结果。最后,第一网络设备根据初始会话密钥、第一加密结果、第二解密结果和量子密钥生成最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。这样,通过量子密钥分发技术和后量子密码算法增强了第一网络设备申请访问第二网络设备资源的通信过程的抗量子计算攻击能力。In summary, in the anti-quantum security enhancement method, communication system, first network device and second network device of the cryptographic device secure channel protocol of the communication network of the implementation mode of the present application, for the communication process between the first network device and the second network device, the first network device and the second network device perform key negotiation to obtain the initial session key. Subsequently, the first network device and the second network device apply for a quantum key, and use a post-quantum cryptographic algorithm to encrypt the quantum key identifier to generate a first encryption result that can resist quantum computing attacks. The post-quantum cryptographic algorithm is a series of encryption algorithms designed to resist quantum computing attacks. Next, the first network device obtains a second decryption result by decrypting the second encryption result sent by the second network device. Finally, the first network device generates a final session key based on the initial session key, the first encryption result, the second decryption result and the quantum key to encrypt the communication between the first network device and the second network device. In this way, the anti-quantum computing attack capability of the communication process in which the first network device applies to access the resources of the second network device is enhanced by quantum key distribution technology and post-quantum cryptographic algorithms.
请参阅图4,在某些实施方式中,方法还包括:Referring to FIG. 4 , in some embodiments, the method further comprises:
016:与第二网络设备进行身份认证,得到第二网络设备的第二身份标识。016: Perform identity authentication with the second network device to obtain a second identity identifier of the second network device.
在某些实施方式中,获取模块用于与第二网络设备进行身份认证,得到第二网络设备的第二身份标识。In some implementations, the acquisition module is used to perform identity authentication with the second network device to obtain a second identity identifier of the second network device.
在某些实施方式中,处理器还用于与第二网络设备进行身份认证,得到第二网络设备的第二身份标识。In some implementations, the processor is further configured to perform identity authentication with the second network device to obtain a second identity identifier of the second network device.
具体地,第一网络设备与第二网络设备进行身份认证,得到第二网络设备的第二身份标识。这样,第一网络设备得到了第二网络设备的第二身份标识,可用于后续进程中生成用于验证消息来源的第一签名消息。Specifically, the first network device performs identity authentication with the second network device to obtain the second identity of the second network device. In this way, the first network device obtains the second identity of the second network device, which can be used to generate a first signature message for verifying the source of the message in a subsequent process.
接续上述示例,身份认证包括证书认证和身份验证,第二身份标识为设备管理中心标识ID_Center。请再次参阅图3,密码设备和设备管理中心按照安全通道协议流程进行证书认证、身份验证,密码设备获取了设备管理中心的设备管理中心标识ID_Center。Continuing with the above example, identity authentication includes certificate authentication and identity authentication, and the second identity identifier is the device management center identifier ID_Center. Please refer to Figure 3 again. The cryptographic device and the device management center perform certificate authentication and identity authentication according to the secure channel protocol process, and the cryptographic device obtains the device management center identifier ID_Center of the device management center.
如此,密码设备得到了设备管理中心的设备管理中心标识ID_Center,可用于后续进程中生成用于验证消息来源的第一签名消息。In this way, the cryptographic device obtains the device management center identifier ID_Center of the device management center, which can be used to generate a first signature message for verifying the source of the message in a subsequent process.
请参阅图5,在某些实施方式中,步骤012(自接入第一网络设备的服务节点获取第一量子密钥和量子密钥标识符),包括:Please refer to FIG. 5 . In some embodiments, step 012 (obtaining a first quantum key and a quantum key identifier from a service node connected to a first network device) includes:
0121:利用服务节点对第一网络设备的密码模块充注多个密钥;0121: Using the service node to inject multiple keys into the cryptographic module of the first network device;
0122:向服务节点发送量子密钥申请;0122: Send quantum key request to the service node;
0123:接收服务节点根据保护密钥对第一量子密钥和量子密钥标识符进行加密处理得到的量子密钥加密结果;0123: receiving a quantum key encryption result obtained by the service node encrypting the first quantum key and the quantum key identifier according to the protection key;
0124:对量子密钥加密结果进行解密处理得到第一量子密钥和量子密钥标识符。0124: Decrypt the quantum key encryption result to obtain a first quantum key and a quantum key identifier.
在某些实施方式中,充注模块用于利用服务节点对第一网络设备的密码模块充注多个密钥。发送模块用于向服务节点发送量子密钥申请。接收模块用于接收服务节点根据保护密钥对第一量子密钥和量子密钥标识符进行加密处理得到的量子密钥加密结果。解密模块用于对量子密钥加密结果进行解密处理得到第一量子密钥和量子密钥标识符。In some embodiments, the charging module is used to charge a plurality of keys into the cryptographic module of the first network device using the service node. The sending module is used to send a quantum key application to the service node. The receiving module is used to receive a quantum key encryption result obtained by the service node encrypting the first quantum key and the quantum key identifier according to the protection key. The decryption module is used to decrypt the quantum key encryption result to obtain the first quantum key and the quantum key identifier.
在某些实施方式中,处理器还用于利用服务节点对第一网络设备的密码模块充注多个密钥,及向服务节点发送量子密钥申请。处理器还用于接收服务节点根据保护密钥对第一量子密钥和量子密钥标识符进行加密处理得到的量子密钥加密结果,及对量子密钥加密结果进行解密处理得到第一量子密钥和量子密钥标识符。In some embodiments, the processor is further configured to use the service node to inject multiple keys into the cryptographic module of the first network device, and send a quantum key application to the service node. The processor is also configured to receive a quantum key encryption result obtained by the service node encrypting the first quantum key and the quantum key identifier according to the protection key, and decrypt the quantum key encryption result to obtain the first quantum key and the quantum key identifier.
具体地,第一网络设备利用服务节点对第一网络设备的密码模块充注多个密钥。接着,第一网络设备根据接收到的由第二网络设备发送的授权码,向服务节点发送量子密钥申请,量子密钥申请由保护密钥保护,保护密钥是从充注到密码模块的多个密钥中随机使用的一个。然后,第一网络设备接收服务节点根据保护密钥对第一量子密钥进行加密处理得到的量子密钥加密结果,第一量子密钥由接入服务节点的第一网络节点产生并分发给服务节点。最后,第一网络设备对量子密钥加密结果进行解密处理得到第一量子密钥。第一网络设备获得了第一量子密钥和量子密钥标识符,可用于后续生成抗量子计算攻击能力更强的密钥。Specifically, the first network device uses the service node to inject multiple keys into the cryptographic module of the first network device. Then, the first network device sends a quantum key application to the service node based on the authorization code received and sent by the second network device. The quantum key application is protected by a protection key, which is a randomly used one of the multiple keys injected into the cryptographic module. Then, the first network device receives the quantum key encryption result obtained by the service node by encrypting the first quantum key according to the protection key. The first quantum key is generated by the first network node accessing the service node and distributed to the service node. Finally, the first network device decrypts the quantum key encryption result to obtain the first quantum key. The first network device obtains the first quantum key and the quantum key identifier, which can be used to subsequently generate keys with stronger resistance to quantum computing attacks.
接续上述示例,请再次参阅图3,密码设备利用密码服务节点对密码设备的个人密码模块进行预密钥的充注,充注总量为1M比特的128比特密钥,个人密码模块包括但不限于智能密码钥匙(HSM)、虚拟安全模块(VSM)。接着,密码设备向密码服务节点发送量子密钥申请,并通过随机使用智能密码钥匙中的一支密钥作为保护密钥。密码设备通过使用SM3算法和保护密钥对密钥ID和申请内容进行哈希运算(Hash-based Message AuthenticationCode,HMAC)。之后,密码服务节点也通过使用SM3算法和保护密钥对密钥ID和申请内容进行哈希运算,以验证数据的完整性和真实性,HMAC是一种利用哈希函数和密钥来提供数据完整性和来源认证的方法。Continuing with the above example, please refer to Figure 3 again. The cryptographic device uses the cryptographic service node to pre-charge the personal cryptographic module of the cryptographic device, with a total of 1M bits of 128-bit keys. The personal cryptographic module includes but is not limited to the smart cryptographic key (HSM) and the virtual security module (VSM). Next, the cryptographic device sends a quantum key application to the cryptographic service node and randomly uses a key in the smart cryptographic key as the protection key. The cryptographic device performs a hash operation (Hash-based Message Authentication Code, HMAC) on the key ID and the application content by using the SM3 algorithm and the protection key. Afterwards, the cryptographic service node also performs a hash operation on the key ID and the application content by using the SM3 algorithm and the protection key to verify the integrity and authenticity of the data. HMAC is a method that uses hash functions and keys to provide data integrity and source authentication.
待量子密钥申请成功后,密码设备接收密码服务节点根据保护密钥对第一量子密钥QK_UUID-1和量子密钥标识符UUID_QK进行加密处理得到的量子密钥加密结果,第一量子密钥QK_UUID-1由接入密码服务节点的第一量子网络节点产生并分发给密码服务节点,量子密钥标识符UUID_QK由第一量子网络节点根据第一量子网络节点通用的唯一标识符对第一量子密钥进行标识处理得到。密码设备再根据保护密钥对量子密钥加密结果进行解密处理得到第一量子密钥QK_UUID-1和量子密钥标识符UUID_QK。After the quantum key application is successful, the cryptographic device receives the quantum key encryption result obtained by the cryptographic service node by encrypting the first quantum key QK_UUID-1 and the quantum key identifier UUID_QK according to the protection key. The first quantum key QK_UUID-1 is generated by the first quantum network node connected to the cryptographic service node and distributed to the cryptographic service node. The quantum key identifier UUID_QK is obtained by the first quantum network node identifying the first quantum key according to the first quantum network node's universal unique identifier. The cryptographic device then decrypts the quantum key encryption result according to the protection key to obtain the first quantum key QK_UUID-1 and the quantum key identifier UUID_QK.
如此,密码设备获得了第一量子密钥QK_UUID-1和量子密钥标识符UUID_QK,可用于后续生成抗量子计算攻击能力更强的密钥。In this way, the cryptographic device obtains the first quantum key QK_UUID-1 and the quantum key identifier UUID_QK, which can be used to subsequently generate keys that are more resistant to quantum computing attacks.
请参阅图6,在某些实施方式中,步骤013(对量子密钥标识符进行后量子密码加密处理得到第一加密结果,并将第一加密结果发送给第二网络设备),包括:Please refer to FIG. 6 . In some embodiments, step 013 (performing post-quantum cryptographic encryption processing on the quantum key identifier to obtain a first encryption result, and sending the first encryption result to the second network device) includes:
0131:对量子密钥标识符和第一网络设备随机生成的第一随机数进行拼接处理得到第一拼接体;0131: concatenate the quantum key identifier and the first random number randomly generated by the first network device to obtain a first concatenation;
0132:对第一拼接体和初始会话密钥进行异或处理得到第一异或消息;0132: performing XOR processing on the first concatenated body and the initial session key to obtain a first XOR message;
0133:对第一异或消息进行后量子加密处理得到第一加密密钥;0133: Perform post-quantum encryption processing on the first XOR message to obtain a first encryption key;
0134:对第一异或消息进行后量子加密封装处理得到第一临时加密结果中的第一封装消息;0134: performing post-quantum encryption encapsulation processing on the first XOR message to obtain a first encapsulated message in a first temporary encryption result;
0135:对量子密钥标识符、第一网络设备的第一身份标识和第二身份标识进行拼接处理得到第一验证拼接体;0135: Concatenate the quantum key identifier, the first identity identifier of the first network device, and the second identity identifier to obtain a first verification concatenation;
0136:对第一验证拼接体进行后量子签名处理得到第一临时加密结果中的第一签名消息;0136: Perform post-quantum signature processing on the first verification splice to obtain a first signature message in a first temporary encryption result;
0137:根据初始会话密钥对第一临时加密结果进行加密处理得到第一加密结果;0137: Encrypt the first temporary encryption result according to the initial session key to obtain a first encryption result;
0138:将第一加密结果发送给第二网络设备。0138: Send the first encryption result to the second network device.
在某些实施方式中,拼接模块用于对量子密钥标识符和第一网络设备随机生成的第一随机数进行拼接处理得到第一拼接体。处理模块用于对第一拼接体和初始会话密钥进行异或处理得到第一异或消息。加密模块用于对第一异或消息进行后量子加密处理得到第一加密密钥。加密封装模块用于对第一异或消息进行后量子加密封装处理得到第一临时加密结果中的第一封装消息。拼接模块还用于对量子密钥标识符、第一网络设备的第一身份标识和第二身份标识进行拼接处理得到第一验证拼接体。签名模块还用于对第一验证拼接体进行后量子签名处理得到第一临时加密结果中的第一签名消息。加密模块还用于根据初始会话密钥对第一临时加密结果进行加密处理得到第一加密结果。发送模块用于将第一加密结果发送给第二网络设备。In some embodiments, the splicing module is used to splice the quantum key identifier and the first random number randomly generated by the first network device to obtain a first splicing body. The processing module is used to perform XOR processing on the first splicing body and the initial session key to obtain a first XOR message. The encryption module is used to perform post-quantum encryption processing on the first XOR message to obtain a first encryption key. The encryption encapsulation module is used to perform post-quantum encryption encapsulation processing on the first XOR message to obtain a first encapsulated message in a first temporary encryption result. The splicing module is also used to splice the quantum key identifier, the first identity identifier and the second identity identifier of the first network device to obtain a first verification splicing body. The signature module is also used to perform post-quantum signature processing on the first verification splicing body to obtain a first signature message in the first temporary encryption result. The encryption module is also used to encrypt the first temporary encryption result according to the initial session key to obtain a first encryption result. The sending module is used to send the first encryption result to the second network device.
在某些实施方式中,处理器还用于对量子密钥标识符和第一网络设备随机生成的第一随机数进行拼接处理得到第一拼接体。及对第一拼接体和初始会话密钥进行异或处理得到第一异或消息。以及对第一异或消息进行后量子加密处理得到第一加密密钥。处理器还用于对第一异或消息进行后量子加密封装处理得到第一加密结果中的第一封装消息。及对量子密钥标识符、第一网络设备的第一身份标识和第二身份标识进行拼接处理得到第一验证拼接体。处理器还用于对第一验证拼接体进行后量子签名处理得到第一加密结果中的第一签名消息。及根据初始会话密钥对第一临时加密结果进行加密处理得到第一加密结果。以及将第一加密结果发送给第二网络设备。In some embodiments, the processor is also used to perform splicing processing on the quantum key identifier and the first random number randomly generated by the first network device to obtain a first splicing body. And perform XOR processing on the first splicing body and the initial session key to obtain a first XOR message. And perform post-quantum encryption processing on the first XOR message to obtain a first encryption key. The processor is also used to perform post-quantum encryption encapsulation processing on the first XOR message to obtain a first encapsulated message in the first encryption result. And perform splicing processing on the quantum key identifier, the first identity identifier and the second identity identifier of the first network device to obtain a first verification splicing body. The processor is also used to perform post-quantum signature processing on the first verification splicing body to obtain a first signature message in the first encryption result. And perform encryption processing on the first temporary encryption result according to the initial session key to obtain a first encryption result. And send the first encryption result to the second network device.
具体地,第一网络设备对量子密钥标识符和第一网络设备随机生成的第一随机数进行拼接处理得到第一拼接体。接着,第一网络设备对第一拼接体和初始会话密钥进行异或处理得到第一异或消息。然后,第一网络设备对第一异或消息进行后量子加密处理得到第一加密密钥。并且对第一异或消息进行后量子加密封装处理得到第一临时加密结果中的第一封装消息。第一网络设备再对量子密钥标识符、第一网络设备的第一身份标识和第二身份标识进行拼接处理得到第一验证拼接体。并且对第一验证拼接体进行后量子签名处理得到第一临时加密结果中的第一签名消息。最后,第一网络设备将第一加密结果发送给第二网络设备,第一加密结果由初始会话密钥进行加密保护。这样,第一网络设备通过利用量子密钥标识符、随机生成的第一随机数和初始会话密钥获得了具有良好抗量子能力的第一加密密钥,可用于生成后续的最终会话密钥。还生成了可用于验证消息来源和正确性的第一签名消息,用于在传输过程中防止数据被未授权访问和篡改。并且,第一加密结果在初始会话密钥的保护下发送给第二网络设备,增强了第一加密结果的机密性。Specifically, the first network device performs a splicing process on the quantum key identifier and the first random number randomly generated by the first network device to obtain a first splicing body. Then, the first network device performs an XOR process on the first splicing body and the initial session key to obtain a first XOR message. Then, the first network device performs a post-quantum encryption process on the first XOR message to obtain a first encryption key. And the first XOR message is subjected to a post-quantum encryption encapsulation process to obtain a first encapsulated message in the first temporary encryption result. The first network device then performs a splicing process on the quantum key identifier, the first identity identifier of the first network device, and the second identity identifier to obtain a first verification splicing body. And the first verification splicing body is subjected to a post-quantum signature process to obtain a first signature message in the first temporary encryption result. Finally, the first network device sends the first encryption result to the second network device, and the first encryption result is encrypted and protected by the initial session key. In this way, the first network device obtains a first encryption key with good quantum resistance by using the quantum key identifier, the randomly generated first random number, and the initial session key, which can be used to generate a subsequent final session key. A first signature message that can be used to verify the source and correctness of the message is also generated to prevent data from being unauthorized access and tampering during transmission. Furthermore, the first encryption result is sent to the second network device under the protection of the initial session key, thereby enhancing the confidentiality of the first encryption result.
接续上述示例,密码设备的第一身份标识为密码设备标识ID_Device。请再参阅图3,密码设备对128比特的量子密钥标识符UUID_QK和密码设备随机生成的128比特第一随机数R1进行拼接处理得到第一拼接体P1,即UUID_QK|R1。接着,密码设备对第一拼接体P1和初始会话密钥H1进行异或处理得到第一异或消息Y1,即P1⊕H1。然后,密码设备对第一异或消息Y1进行后量子加密处理得到第一加密密钥K1。并且对第一异或消息Y1进行后量子加密封装处理得到第一临时加密结果中的第一封装消息F1。密码设备再对量子密钥标识符UUID_QK、密码设备标识ID_Device和设备管理中心标识ID_Center进行拼接处理得到第一验证拼接体P2,即UUID_QK|ID_Center|ID_Device。并且对第一验证拼接体P2进行后量子签名处理得到第一临时加密结果中的第一签名消息M1。随后,密码设备使用初始会话密钥H1和SM4分组密码算法对第一临时加密结果进行对称加密得到第一加密结果,即使用初始会话密钥H1和SM4分组密码算法对第一加密封装消息和第一签名消息进行对称加密。最后,密码设备将第一加密结果发送给设备管理中心。Continuing with the above example, the first identity identifier of the cryptographic device is the cryptographic device identifier ID_Device. Please refer to Figure 3 again. The cryptographic device concatenates the 128-bit quantum key identifier UUID_QK and the 128-bit first random number R1 randomly generated by the cryptographic device to obtain a first concatenation P1, that is, UUID_QK|R1. Next, the cryptographic device performs an XOR process on the first concatenation P1 and the initial session key H1 to obtain a first XOR message Y1, that is, P1⊕H1. Then, the cryptographic device performs post-quantum encryption processing on the first XOR message Y1 to obtain a first encryption key K1. And the first XOR message Y1 is post-quantum encrypted and encapsulated to obtain the first encapsulated message F1 in the first temporary encryption result. The cryptographic device then concatenates the quantum key identifier UUID_QK, the cryptographic device identifier ID_Device and the device management center identifier ID_Center to obtain a first verification concatenation P2, that is, UUID_QK|ID_Center|ID_Device. And the first verification splice P2 is processed with post-quantum signature to obtain the first signature message M1 in the first temporary encryption result. Subsequently, the cryptographic device uses the initial session key H1 and the SM4 block cipher algorithm to symmetric encrypt the first temporary encryption result to obtain the first encryption result, that is, the first encrypted encapsulation message and the first signature message are symmetric encrypted using the initial session key H1 and the SM4 block cipher algorithm. Finally, the cryptographic device sends the first encryption result to the device management center.
如此,密码设备通过利用量子密钥标识符UUID_QK、随机生成的第一随机数R1和初始会话密钥H1获得了具有良好抗量子能力的第一加密密钥K1,可用于生成后续的最终会话密钥。还生成了可用于验证消息来源和正确性的第一签名消息M1,用于在传输过程中防止数据被未授权访问和篡改。In this way, the cryptographic device obtains the first encryption key K1 with good quantum resistance by using the quantum key identifier UUID_QK, the randomly generated first random number R1 and the initial session key H1, which can be used to generate the subsequent final session key. It also generates a first signature message M1 that can be used to verify the source and correctness of the message, which is used to prevent data from being unauthorized access and tampering during transmission.
请参阅图7,在某些实施方式中,步骤014(对接收到的由第二网络设备发送的第二加密结果进行解密处理得到第二解密结果),包括:Please refer to FIG. 7 . In some implementations, step 014 (decrypting the second encryption result received and sent by the second network device to obtain the second decryption result) includes:
0141:接收第二网络设备发送的第二加密结果;0141: receiving a second encryption result sent by a second network device;
0142:根据初始会话密钥对第二加密结果进行解密得到第二临时加密结果;0142: decrypt the second encryption result according to the initial session key to obtain a second temporary encryption result;
0143:对第二临时加密结果进行解密处理得到第二解密结果。0143: Decrypt the second temporary encryption result to obtain a second decryption result.
在某些实施方式中,接收模块用于接收第二网络设备发送的第二加密结果。解密模块用于根据初始会话密钥对第二加密结果进行解密得到第二临时加密结果。解密模块还用于对第二临时加密结果进行解密处理得到第二解密结果。In some embodiments, the receiving module is used to receive the second encryption result sent by the second network device. The decryption module is used to decrypt the second encryption result according to the initial session key to obtain the second temporary encryption result. The decryption module is also used to decrypt the second temporary encryption result to obtain the second decryption result.
在某些实施方式中,处理器还用于接收第二网络设备发送的第二加密结果。及根据初始会话密钥对第二加密结果进行解密得到第二临时加密结果。以及对第二临时加密结果进行解密处理得到第二解密结果,第二解密结果包括第二加密封装消息和第二签名消息。In some embodiments, the processor is further configured to receive a second encryption result sent by the second network device, decrypt the second encryption result according to the initial session key to obtain a second temporary encryption result, and decrypt the second temporary encryption result to obtain a second decrypted result, wherein the second decrypted result includes a second encrypted encapsulation message and a second signature message.
具体地,第一网络设备接收第二网络设备发送的第二加密结果。接着,第一网络设备根据初始会话密钥对第二加密结果进行解密得到第二临时加密结果。并对第二临时加密结果进行解密处理得到第二解密结果,第二解密结果包括第二加密封装消息和第二签名消息。这样第一网络设备确定了与第二网络设备之间用于通信的通道的可用性,并得到了第二加密封装消息和第二签名消息,可根据第二加密封装消息的得到第二加密密钥,用于生成最终会话密钥,第二签名消息可用于验证第二加密结果的正确性。Specifically, the first network device receives the second encryption result sent by the second network device. Then, the first network device decrypts the second encryption result according to the initial session key to obtain the second temporary encryption result. The second temporary encryption result is decrypted to obtain the second decryption result, and the second decryption result includes the second encrypted encapsulation message and the second signature message. In this way, the first network device determines the availability of the channel for communication with the second network device, and obtains the second encrypted encapsulation message and the second signature message. The second encryption key can be obtained according to the second encrypted encapsulation message to generate the final session key, and the second signature message can be used to verify the correctness of the second encryption result.
接续上述示例,密码设备接收设备管理中心发送的第二加密结果。接着,密码设备根据初始会话密钥H1对第二加密结果进行解密得到第二临时加密结果。并对第二临时加密结果进行解密处理得到第二解密结果,第二解密结果包括第二加密封装消息F2和第二签名消息M2。Continuing with the above example, the cryptographic device receives the second encryption result sent by the device management center. Then, the cryptographic device decrypts the second encryption result according to the initial session key H1 to obtain a second temporary encryption result. The second temporary encryption result is decrypted to obtain a second decrypted result, which includes the second encrypted encapsulation message F2 and the second signature message M2.
如此,密码设备确定了与设备管理中心之间用于通信的通道的可用性,并得到了第二加密封装消息F2和第二签名消息M2,可根据第二加密封装消息得到第二加密密钥K2,用于生成最终会话密钥,第二签名消息M2可用于验证第二加密结果的正确性。In this way, the cryptographic device determines the availability of the channel for communication with the device management center, and obtains the second encrypted encapsulated message F2 and the second signed message M2. The second encryption key K2 can be obtained based on the second encrypted encapsulated message to generate the final session key. The second signed message M2 can be used to verify the correctness of the second encryption result.
请参阅图8,在某些实施方式中,方法还包括:Referring to FIG. 8 , in some embodiments, the method further comprises:
017:根据第二加密封装消息得到第二异或消息;017: Obtain a second XOR message according to the second encrypted encapsulation message;
018:对第二异或消息进行后量子加密处理得到第二加密密钥;018: Perform post-quantum encryption processing on the second XOR message to obtain a second encryption key;
019:对第二异或消息和初始会话密钥进行异或处理得到第二拼接体;019: XOR the second XOR message and the initial session key to obtain a second concatenated body;
020:根据第二拼接体得到量子密钥标识符。020: Obtain a quantum key identifier according to the second spliced body.
在某些实施方式中,处理模块用于根据第二加密封装消息得到第二异或消息。加密模块用于对第二异或消息进行后量子加密处理得到第二加密密钥。处理模块还用于对第二异或消息和初始会话密钥进行异或处理得到第二拼接体符。及根据第二拼接体得到量子密钥标识符。In some embodiments, the processing module is used to obtain a second XOR message according to the second encrypted encapsulated message. The encryption module is used to perform post-quantum encryption processing on the second XOR message to obtain a second encryption key. The processing module is also used to perform XOR processing on the second XOR message and the initial session key to obtain a second concatenated body symbol. And obtain a quantum key identifier according to the second concatenated body.
在某些实施方式中,处理器还用于根据第二加密封装消息得到第二异或消息,及对第二异或消息进行后量子加密处理得到第二加密密钥。处理器还用于对第二异或消息和初始会话密钥进行异或处理得到第二拼接体。及根据第二拼接体得到量子密钥标识符。In some embodiments, the processor is further configured to obtain a second XOR message based on the second encrypted encapsulated message, and perform post-quantum encryption processing on the second XOR message to obtain a second encryption key. The processor is further configured to perform XOR processing on the second XOR message and the initial session key to obtain a second concatenation. And obtain a quantum key identifier based on the second concatenation.
具体地,第一网络设备根据第二加密封装消息得到第二异或消息。接着,第一网络设备对第二异或消息进行后量子加密处理得到第二加密密钥。第一网络设备再对第二异或消息和初始会话密钥进行异或处理得到第二拼接体。最后,第一网络设备根据第二拼接体得到量子密钥标识符。这样,第一网络设备得到了用于生成最终会话密钥的第二加密密钥,第二加密密钥具有良好的抗量子能力。并得到了量子密钥标识符,能够用于确认第二网络设备收到的量子密钥标识符是正确的。Specifically, the first network device obtains the second XOR message according to the second encrypted encapsulation message. Then, the first network device performs post-quantum encryption processing on the second XOR message to obtain the second encryption key. The first network device then performs XOR processing on the second XOR message and the initial session key to obtain the second splice. Finally, the first network device obtains the quantum key identifier according to the second splice. In this way, the first network device obtains the second encryption key for generating the final session key, and the second encryption key has good quantum resistance. And obtains the quantum key identifier, which can be used to confirm that the quantum key identifier received by the second network device is correct.
接续上述示例,请再次参阅图3,密码设备根据第二加密封装消息F2得到第二异或消息Y2。接着,密码设备对第二异或消息Y2进行后量子加密处理得到第二加密密钥K2。密码设备再对第二异或消息Y2和初始会话密钥H1进行异或处理得到第二拼接体P3。最后,密码设备根据第二拼接体P3得到量子密钥标识符UUID_QK。Continuing with the above example, please refer to Figure 3 again. The cryptographic device obtains the second XOR message Y2 based on the second encrypted encapsulated message F2. Then, the cryptographic device performs post-quantum encryption processing on the second XOR message Y2 to obtain the second encryption key K2. The cryptographic device then performs XOR processing on the second XOR message Y2 and the initial session key H1 to obtain the second concatenation P3. Finally, the cryptographic device obtains the quantum key identifier UUID_QK based on the second concatenation P3.
如此,密码设备得到了用于生成最终会话密钥的第二加密密钥K2,第二加密密钥K2具有良好的抗量子能力。并得到了量子密钥标识符UUID_QK,能够用于确认设备管理中心收到的量子密钥标识符UUIID_QK是正确的。In this way, the cryptographic device obtains the second encryption key K2 used to generate the final session key, and the second encryption key K2 has good quantum resistance. It also obtains the quantum key identifier UUID_QK, which can be used to confirm that the quantum key identifier UUIID_QK received by the device management center is correct.
请参阅图9,在某些实施方式中,方法还包括:Referring to FIG. 9 , in some embodiments, the method further comprises:
021:根据第二签名消息得到第二验证拼接体;021: Obtain a second verification splice according to the second signature message;
022:对第二签名消息进行后量子密码验签处理,以确认第二验证拼接体的正确性。022: Perform post-quantum cryptographic signature verification on the second signature message to confirm the correctness of the second verification splice.
在某些实施方式中,处理模块还用于根据第二签名消息得到第二验证拼接体,验签模块用于对第二签名消息进行后量子密码验签处理,以确认第二验证拼接体的正确性。In some embodiments, the processing module is further used to obtain a second verification splice based on the second signature message, and the signature verification module is used to perform post-quantum cryptographic signature verification on the second signature message to confirm the correctness of the second verification splice.
在某些实施方式中,处理器还用于根据第二签名消息得到第二验证拼接体,及对第二签名消息进行后量子密码验签处理,以确认第二验证拼接体的正确性。In some embodiments, the processor is further configured to obtain a second verification splice based on the second signature message, and perform post-quantum cryptographic signature verification on the second signature message to confirm the correctness of the second verification splice.
具体地,第一网络设备根据第二签名消息得到第二验证拼接体。并对第二签名消息进行后量子密码验签处理,以确认第二验证拼接体的正确性,第二验证拼接体由第二网络设备对量子密钥标识符、第一身份标识和第二身份标识进行拼接处理得到。这样,通过对第二签名消息进行后量子密码验签处理,确定第一网络设备所接收的第二网络设备发送的量子密钥标识符、第一身份标识和第二身份标识的正确性,为后续的数据传输提供安全保障。Specifically, the first network device obtains the second verification splice according to the second signature message. The second signature message is subjected to post-quantum cryptographic signature verification to confirm the correctness of the second verification splice, which is obtained by the second network device splicing the quantum key identifier, the first identity identifier, and the second identity identifier. In this way, by performing post-quantum cryptographic signature verification on the second signature message, the correctness of the quantum key identifier, the first identity identifier, and the second identity identifier sent by the second network device and received by the first network device is determined, providing security for subsequent data transmission.
接续上述示例,请再次参阅图3,密码设备根据第二签名消息M2得到第二验证拼接体P4。并对第二签名消息M2进行后量子密码验签处理,以确认第二验证拼接体P4的正确性,第二验证拼接体P4由设备管理中心对量子密钥标识符UUID_QK、密码设备标识ID_Device和设备管理中心标识ID_Center进行拼接处理得到。Continuing with the above example, please refer to Figure 3 again. The cryptographic device obtains the second verification splice P4 according to the second signature message M2. The second signature message M2 is subjected to post-quantum cryptographic signature verification to confirm the correctness of the second verification splice P4. The second verification splice P4 is obtained by the device management center by splicing the quantum key identifier UUID_QK, the cryptographic device identifier ID_Device, and the device management center identifier ID_Center.
如此,通过对第二签名消息M2进行后量子密码验签处理,确定密码设备所接收的设备管理中心发送的量子密钥标识符UUID_QK、密码设备标识ID_Device和设备管理中心标识ID_Center的正确性,为后续的数据传输提供安全保障。In this way, by performing post-quantum cryptographic signature verification on the second signature message M2, the correctness of the quantum key identifier UUID_QK, the cryptographic device identifier ID_Device and the device management center identifier ID_Center sent by the device management center and received by the cryptographic device is determined, providing security for subsequent data transmission.
请参阅图10,在某些实施方式中,步骤015(根据初始会话密钥、第一加密结果、第二解密结果和第一量子密钥生成最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密),包括:Referring to FIG. 10 , in some embodiments, step 015 (generating a final session key according to the initial session key, the first encryption result, the second decryption result, and the first quantum key to encrypt the communication between the first network device and the second network device) includes:
0151:对初始会话密钥、第一加密密钥、第二加密密钥和第一量子密钥进行异或处理得到最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。0151: Perform XOR processing on the initial session key, the first encryption key, the second encryption key and the first quantum key to obtain a final session key to encrypt the communication between the first network device and the second network device.
在某些实施方式中,派生模块还用于对初始会话密钥、第一加密密钥、第二加密密钥和第一量子密钥进行异或处理得到最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。In some embodiments, the derivation module is further used to perform XOR processing on the initial session key, the first encryption key, the second encryption key and the first quantum key to obtain a final session key to encrypt communication between the first network device and the second network device.
在某些实施方式中,处理器还用于对初始会话密钥、第一加密密钥、第二加密密钥和第一量子密钥进行异或处理得到最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。In some embodiments, the processor is further configured to perform an XOR process on the initial session key, the first encryption key, the second encryption key, and the first quantum key to obtain a final session key to encrypt communication between the first network device and the second network device.
具体地,第一网络设备对初始会话密钥、第一加密密钥、第二加密密钥和第一量子密钥进行异或处理得到最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。这样,通过使用结合量子密钥分发技术和后量子密码学技术,生成了最终会话密钥,能够增强第一网络设备和第二网络设备间通信的抗量子计算攻击的能力,保护通信过程中传输的数据。Specifically, the first network device performs XOR processing on the initial session key, the first encryption key, the second encryption key and the first quantum key to obtain the final session key to encrypt the communication between the first network device and the second network device. In this way, by combining quantum key distribution technology and post-quantum cryptography technology, the final session key is generated, which can enhance the ability of the communication between the first network device and the second network device to resist quantum computing attacks and protect the data transmitted during the communication process.
接续上述示例,密码设备对初始会话密钥H1、第一加密密钥K1、第二加密密钥K2和第一量子密钥QK_UUID-1进行异或处理得到最终会话密钥H2,即H2=H1⊕K1⊕K2⊕QK_UUID-1。通过生成的最终会话密钥H2对密码设备和设备管理中心的通信进行加密。Continuing with the above example, the cryptographic device performs XOR processing on the initial session key H1, the first encryption key K1, the second encryption key K2 and the first quantum key QK_UUID-1 to obtain the final session key H2, that is, H2=H1⊕K1⊕K2⊕QK_UUID-1. The generated final session key H2 is used to encrypt the communication between the cryptographic device and the device management center.
这样,通过使用结合量子密钥分发技术和后量子密码学技术,生成了最终会话密钥H2,能够增强密码设备和设备管理中心间通信的抗量子计算攻击的能力,保护通信过程中传输的数据。In this way, by combining quantum key distribution technology and post-quantum cryptography technology, the final session key H2 is generated, which can enhance the ability of communication between cryptographic devices and device management centers to resist quantum computing attacks and protect data transmitted during the communication process.
请参阅图11,在某些实施方式中,方法还包括:Referring to FIG. 11 , in some embodiments, the method further comprises:
023:接收第二网络设备发送的第二会话密钥验证消息;023: receiving a second session key verification message sent by the second network device;
024:根据最终会话密钥对第一验证拼接体进行计算得到第一会话密钥验证消息;024: Calculate the first verification concatenation according to the final session key to obtain a first session key verification message;
025:对第一会话密钥验证消息和第二会话密钥验证消息进行比较处理,以确定第一网络设备获得的最终会话密钥和第二网络设备获得的最终会话密钥一致。025: Compare and process the first session key verification message and the second session key verification message to determine that the final session key obtained by the first network device is consistent with the final session key obtained by the second network device.
在某些实施方式中,接收模块还用于接收第二网络设备发送的第二会话密钥验证消息。计算模块用于根据最终会话密钥对第一验证拼接体进行计算得到第一会话密钥验证消息。处理模块还用于对第一会话密钥验证消息和第二会话密钥验证消息进行比较处理,以确定第一网络设备获得的最终会话密钥和第二网络设备获得的最终会话密钥一致。In some embodiments, the receiving module is further configured to receive a second session key verification message sent by the second network device. The calculating module is configured to calculate the first verification concatenation according to the final session key to obtain the first session key verification message. The processing module is further configured to compare the first session key verification message with the second session key verification message to determine whether the final session key obtained by the first network device is consistent with the final session key obtained by the second network device.
在某些实施方式中,处理器还用于接收第二网络设备发送的第二会话密钥验证消息。及根据最终会话密钥对第一验证拼接体进行计算得到第一会话密钥验证消息。以及对第一会话密钥验证消息和第二会话密钥验证消息进行比较处理,以确定第一网络设备获得的最终会话密钥和第二网络设备获得的最终会话密钥一致。In some embodiments, the processor is further configured to receive a second session key verification message sent by the second network device, and to calculate the first verification concatenation according to the final session key to obtain the first session key verification message, and to compare the first session key verification message with the second session key verification message to determine that the final session key obtained by the first network device is consistent with the final session key obtained by the second network device.
具体地,第一网络设备接收第二网络设备发送的第二会话密钥验证消息。接着,第一网络设备再根据最终会话密钥对第一验证拼接体进行计算得到第一会话密钥验证消息。最后,第一网络设备对第一会话密钥验证消息和第二会话密钥验证消息进行比较处理,以确定第一网络设备获得的最终会话密钥和第二网络设备获得的最终会话密钥一致。这样,通过计算得到第一会话密钥验证消息,并与第二会话密钥验证消息进行比较,确定第一网络设备最终得到的最终会话密钥和第二网络设备获得的最终会话密钥是一致的,能够用于通信。Specifically, the first network device receives the second session key verification message sent by the second network device. Then, the first network device calculates the first verification concatenation according to the final session key to obtain the first session key verification message. Finally, the first network device compares the first session key verification message with the second session key verification message to determine that the final session key obtained by the first network device is consistent with the final session key obtained by the second network device. In this way, by calculating the first session key verification message and comparing it with the second session key verification message, it is determined that the final session key finally obtained by the first network device and the final session key obtained by the second network device are consistent and can be used for communication.
接续上述示例,请再参阅图3,密码设备接收设备管理中心发送的第二会话密钥验证消息Z2。接着,密码设备再根据最终会话密钥H2对第一验证拼接体P2进行计算得到第一会话密钥验证消息Z1。最后,密码设备对第一会话密钥验证消息Z1和第二会话密钥验证消息Z2进行比较处理,以确定密码设备获得的最终会话密钥H2和设备管理中心获得的最终会话密钥H2一致。Continuing with the above example, please refer to Figure 3 again, the cryptographic device receives the second session key verification message Z2 sent by the device management center. Then, the cryptographic device calculates the first verification splice P2 according to the final session key H2 to obtain the first session key verification message Z1. Finally, the cryptographic device compares the first session key verification message Z1 and the second session key verification message Z2 to determine that the final session key H2 obtained by the cryptographic device is consistent with the final session key H2 obtained by the device management center.
如此,通过计算得到第一会话密钥验证消息Z1,并与第二会话密钥验证消息Z2进行比较,确定密码设备最终得到的最终会话密钥H2和设备管理中心获得的最终会话密钥H2是一致的,避免出现通信失败。In this way, the first session key verification message Z1 is obtained by calculation and compared with the second session key verification message Z2 to determine whether the final session key H2 obtained by the cryptographic device is consistent with the final session key H2 obtained by the device management center, thereby avoiding communication failure.
请参阅图12,本申请实施方式提供一种通信网络的密码设备安全通道协议的抗量子安全增强方法,通信网络包括第一网络设备和第二网络设备,方法用于第二网络设备,方法包括:Please refer to FIG. 12 . The embodiment of the present application provides a method for enhancing the anti-quantum security of a cryptographic device secure channel protocol of a communication network. The communication network includes a first network device and a second network device. The method is used for the second network device. The method includes:
031:与第一网络设备进行密钥协商得到初始会话密钥;031: Perform key negotiation with the first network device to obtain an initial session key;
032:接收第一网络设备对量子密钥标识符进行后量子密码加密处理的第一加密结果;032: receiving a first encryption result of post-quantum cryptographic encryption processing performed by the first network device on the quantum key identifier;
033:对第一加密结果进行解密处理得到第一解密结果;033: Decrypt the first encryption result to obtain a first decryption result;
034:对第一解密结果进行后量子密码加密处理得到第二加密结果,并将第二加密结果发送给第一网络设备;034: Perform post-quantum cryptographic encryption processing on the first decryption result to obtain a second encryption result, and send the second encryption result to the first network device;
035:根据初始会话密钥、第一解密结果、第二加密结果和第二量子密钥生成最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。035: Generate a final session key according to the initial session key, the first decryption result, the second encryption result and the second quantum key to encrypt the communication between the first network device and the second network device.
本申请实施方式还提供了一种第二网络设备,包括存储器和处理器。本申请实施方式的方法可以由本申请实施方式的第二网络设备实现。具体地,存储器中存储有计算机程序,处理器用于与第一网络设备进行密钥协商得到初始会话密钥。以及接收第一网络设备对量子密钥标识符进行后量子密码加密处理的第一加密结果。处理器还用于对第一加密结果进行解密处理得到第一解密结果。及对第一解密结果进行后量子密码加密处理得到第二加密结果,并将第二加密结果发送给第一网络设备。以及根据初始会话密钥、第一解密结果、第二加密结果和第二量子密钥生成最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。The embodiment of the present application also provides a second network device, including a memory and a processor. The method of the embodiment of the present application can be implemented by the second network device of the embodiment of the present application. Specifically, a computer program is stored in the memory, and the processor is used to negotiate a key with the first network device to obtain an initial session key. And receive the first encryption result of the first network device performing post-quantum cryptographic encryption processing on the quantum key identifier. The processor is also used to decrypt the first encryption result to obtain a first decryption result. And perform post-quantum cryptographic encryption processing on the first decryption result to obtain a second encryption result, and send the second encryption result to the first network device. And generate a final session key based on the initial session key, the first decryption result, the second encryption result and the second quantum key to encrypt the communication between the first network device and the second network device.
本申请实施方式还提供了一种第二网络设备抗量子安全增强装置。本申请实施方式的方法可以由本申请实施方式的第二网络设备抗量子安全增强装置实现。具体地,第二网络设备抗量子安全增强装置包括协商模块、接收模块、解密模块、加密模块和派生模块。协商模块用于与第一网络设备进行密钥协商得到初始会话密钥。接收模块用于接收第一网络设备对量子密钥标识符进行后量子密码加密处理的第一加密结果。解密模块用于对第一加密结果进行解密处理得到第一解密结果。加密模块用于对对第一解密结果进行后量子密码加密处理得到第二加密结果,并将第二加密结果发送给第一网络设备。派生模块用于根据初始会话密钥、第一解密结果、第二加密结果和第二量子密钥生成最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。The embodiment of the present application also provides a second network device anti-quantum security enhancement device. The method of the embodiment of the present application can be implemented by the second network device anti-quantum security enhancement device of the embodiment of the present application. Specifically, the second network device anti-quantum security enhancement device includes a negotiation module, a receiving module, a decryption module, an encryption module and a derivation module. The negotiation module is used to negotiate a key with the first network device to obtain an initial session key. The receiving module is used to receive a first encryption result of post-quantum cryptographic encryption processing of a quantum key identifier by the first network device. The decryption module is used to decrypt the first encryption result to obtain a first decryption result. The encryption module is used to perform post-quantum cryptographic encryption processing on the first decryption result to obtain a second encryption result, and send the second encryption result to the first network device. The derivation module is used to generate a final session key based on the initial session key, the first decryption result, the second encryption result and the second quantum key to encrypt the communication between the first network device and the second network device.
具体地,本实施方式的抗量子安全增强方法与前述实施方式以第一网络设备为执行对象的抗量子安全增强方法基本相同,具体可参照相应部分的解释说明,区别之处在于,本实施方式以第二网络设备为执行对象,此处不再赘述。Specifically, the anti-quantum security enhancement method of this embodiment is basically the same as the anti-quantum security enhancement method of the aforementioned embodiment with the first network device as the execution object. For details, please refer to the explanation of the corresponding part. The difference is that this embodiment takes the second network device as the execution object, which will not be repeated here.
综上所述,本申请实施方式的通信网络的密码设备安全通道协议的抗量子安全增强方法、通信系统、第二网络设备和第一网络设备中,对于第一网络设备和第二网络设备的通信过程,第一网络设备和第二网络设备进行密钥协商获得初始会话密钥。随后,第一网络设备和第二网络设备申请获得量子密钥,并利用后量子密码算法对量子密钥标识符进行加密处理生成能够抵抗量子计算攻击的第一加密结果,后量子密码算法是一系列旨在抵御量子计算攻击的加密算法。接着,第一网络设备通过对第二网络设备发送的第二加密结果进行解密得到第二解密结果。最后,第一网络设备根据初始会话密钥、第一加密结果、第二解密结果和量子密钥生成最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。这样,通过量子密钥分发技术和后量子密码算法增强了第一网络设备申请访问第二网络设备资源的通信过程的抗量子计算攻击能力。In summary, in the anti-quantum security enhancement method, communication system, second network device and first network device of the cryptographic device secure channel protocol of the communication network of the implementation mode of the present application, for the communication process between the first network device and the second network device, the first network device and the second network device perform key negotiation to obtain the initial session key. Subsequently, the first network device and the second network device apply for a quantum key, and use a post-quantum cryptographic algorithm to encrypt the quantum key identifier to generate a first encryption result that can resist quantum computing attacks. The post-quantum cryptographic algorithm is a series of encryption algorithms designed to resist quantum computing attacks. Next, the first network device obtains a second decryption result by decrypting the second encryption result sent by the second network device. Finally, the first network device generates a final session key based on the initial session key, the first encryption result, the second decryption result and the quantum key to encrypt the communication between the first network device and the second network device. In this way, the anti-quantum computing attack capability of the communication process in which the first network device applies to access the resources of the second network device is enhanced by quantum key distribution technology and post-quantum cryptographic algorithms.
请参阅图13,在某些实施方式中,方法还包括:Referring to FIG. 13 , in some embodiments, the method further comprises:
036:通过预先建立的信道接入第二网络节点;036: Access the second network node through the pre-established channel;
037:加载第一网络设备的安全证书或第二网络设备的安全证书。037: Load the security certificate of the first network device or the security certificate of the second network device.
在某些实施方式中,接入模块用通过预先建立的信道接入第二网络节点。加载模块用于加载第一网络设备的安全证书或第二网络设备的安全证书。In some implementations, the access module is used to access the second network node through a pre-established channel. The loading module is used to load the security certificate of the first network device or the security certificate of the second network device.
在某些实施方式中,处理器还用于通过预先建立的信道接入第二网络节点。及加载第一网络设备的安全证书或第二网络设备的安全证书。In some embodiments, the processor is further configured to access the second network node through a pre-established channel and load the security certificate of the first network device or the security certificate of the second network device.
具体地,第二网络设备通过预先建立的信道接入第二网络节点。接着,第二网络设备加载第一网络设备的安全证书或第二网络设备的安全证书。这样,第二网络设备通过信道接入网络节点,可获取第二量子密钥。此外,第二网络设备还获取了安全证书用于对通信过程中传输的数据信息进行加解密。Specifically, the second network device accesses the second network node through a pre-established channel. Then, the second network device loads the security certificate of the first network device or the security certificate of the second network device. In this way, the second network device accesses the network node through the channel and can obtain the second quantum key. In addition, the second network device also obtains the security certificate for encrypting and decrypting the data information transmitted during the communication process.
接续上述示例,请再参阅图3,在与密码设备进行通信前,设备管理中心通过可信信道接入物理距离最近且授权完成的第二量子网络节点,可信信道指在两个通信实体之间提供安全通信路径的机制或协议,一种建立方式为认证服务器和第二量子网络节点在同一机柜内部且屏蔽网线直接连接。这种信道确保了数据在传输过程中的机密性、完整性和可用性,防止未授权的访问、篡改或窃听。接着,设备管理中心和密码设备通过离线或在线的方式导入并加载对方的PQC公钥(加密公钥和签名公钥)或PQC证书(由证书系统签发的加密证书和签名证书)。Continuing with the above example, please refer to Figure 3 again. Before communicating with the cryptographic device, the device management center accesses the second quantum network node that is physically closest and authorized through a trusted channel. A trusted channel refers to a mechanism or protocol that provides a secure communication path between two communicating entities. One way to establish it is that the authentication server and the second quantum network node are in the same cabinet and directly connected by a shielded network cable. This channel ensures the confidentiality, integrity and availability of data during transmission, preventing unauthorized access, tampering or eavesdropping. Next, the device management center and the cryptographic device import and load each other's PQC public key (encryption public key and signature public key) or PQC certificate (encryption certificate and signature certificate issued by the certificate system) offline or online.
如此,设备管理中心通过信道接入第二量子网络节点,可获取第二量子密钥。此外,设备管理中心还获取了安全证书用于对通信过程中传输的数据信息进行加解密。In this way, the device management center can access the second quantum network node through the channel and obtain the second quantum key. In addition, the device management center also obtains a security certificate for encryption and decryption of data information transmitted during the communication process.
请参阅图1:4,在某些实施方式中,方法还包括:Please refer to Figure 1:4, in some embodiments, the method further comprises:
038:与第一网络设备进行身份认证,得到第一网络设备的第一身份标识。038: Perform identity authentication with the first network device to obtain a first identity identifier of the first network device.
在某些实施方式中,处理模块还用于与第一网络设备进行身份认证,得到第一网络设备的第一身份标识。In some implementations, the processing module is further configured to perform identity authentication with the first network device to obtain a first identity identifier of the first network device.
在某些实施方式中,处理器还用于与第一网络设备进行身份认证,得到第一网络设备的第一身份标识。In some implementations, the processor is further configured to perform identity authentication with the first network device to obtain a first identity identifier of the first network device.
具体地,第二网络设备与第一网络设备进行身份认证,得到第一网络设备的第一身份标识。这样,第二网络设备得到了第一网络设备的第一身份标识,可用于后续进程中用于对第一签名消息进行验签处理,及生成后续的第二会话密钥验证消息。Specifically, the second network device performs identity authentication with the first network device to obtain the first identity of the first network device. In this way, the second network device obtains the first identity of the first network device, which can be used in subsequent processes to verify the signature of the first signature message and generate a subsequent second session key verification message.
接续上述示例,请再参阅图3,设备管理中心与密码设备进行身份认证,得到密码设备的第一身份标识。Continuing with the above example, please refer to FIG. 3 again, the device management center performs identity authentication with the password device to obtain the first identity identifier of the password device.
如此,设备管理中心得到了密码设备的密码设备标识ID_Device,可用于后续进程中用于对第一签名消息M1进行验签处理,及生成后续的第二会话密钥验证消息Z2。In this way, the device management center obtains the cryptographic device identification ID_Device of the cryptographic device, which can be used in subsequent processes to verify the first signature message M1 and generate a subsequent second session key verification message Z2.
请参阅图15,在某些实施方式中,第一解密结果包括第一加密封装消息,方法还包括:Referring to FIG. 15 , in some embodiments, the first decryption result includes a first encrypted encapsulated message, and the method further includes:
039:根据第一加密封装消息得到第一异或消息;039: Obtain a first XOR message according to the first encrypted encapsulation message;
040:对第一异或消息进行后量子加密处理得到第一加密密钥;040: Perform post-quantum encryption processing on the first XOR message to obtain a first encryption key;
041:对第一异或消息和初始会话密钥获得量子密钥标识符。041: Obtain a quantum key identifier for the first XOR message and the initial session key.
在某些实施方式中,处理模块利用根据第一加密封装消息得到第一异或消息。加密模块还用于对第一异或消息进行后量子加密处理得到第一加密密钥。处理模块用于对第一异或消息和初始会话密钥获得量子密钥标识符。In some embodiments, the processing module obtains a first XOR message based on the first encrypted encapsulated message. The encryption module is also used to perform post-quantum encryption processing on the first XOR message to obtain a first encryption key. The processing module is used to obtain a quantum key identifier for the first XOR message and the initial session key.
在某些实施方式中,处理器还用于根据第一加密封装消息得到第一异或消息。及对第一异或消息进行后量子加密处理得到第一加密密钥。以及对第一异或消息和初始会话密钥获得量子密钥标识符。In some embodiments, the processor is further configured to obtain a first XOR message based on the first encrypted encapsulated message, perform post-quantum encryption processing on the first XOR message to obtain a first encryption key, and obtain a quantum key identifier for the first XOR message and the initial session key.
具体地,第二网络设备根据第一加密封装消息得到第一异或消息。接着,第二网络设备对第一异或消息进行后量子加密处理得到第一加密密钥。第二网络设备再对第一异或消息和初始会话密钥获得量子密钥标识符。这样,第二网络设备获得了第一加密密钥,能够用于后续生成具有良好抗量子能力的最终会话密钥。并得到了量子密钥标识符,用于后续申请得到第二量子密钥。Specifically, the second network device obtains the first XOR message according to the first encrypted encapsulated message. Then, the second network device performs post-quantum encryption processing on the first XOR message to obtain the first encryption key. The second network device then obtains a quantum key identifier for the first XOR message and the initial session key. In this way, the second network device obtains the first encryption key, which can be used to subsequently generate a final session key with good quantum resistance. And obtains a quantum key identifier for subsequent application to obtain a second quantum key.
接续上述示例,请再参阅图3,设备管理中心根据第一加密封装消息F1得到第一异或消息Y1。接着,设备管理中心对第一异或消息Y1进行后量子加密处理得到第一加密密钥K1。设备管理中心再对第一异或消息Y1和初始会话密钥H1获得量子密钥标识符UUID_QK。Continuing with the above example, please refer to Figure 3 again. The device management center obtains the first XOR message Y1 based on the first encrypted encapsulated message F1. Then, the device management center performs post-quantum encryption processing on the first XOR message Y1 to obtain the first encryption key K1. The device management center then obtains the quantum key identifier UUID_QK from the first XOR message Y1 and the initial session key H1.
如此,设备管理中心获得了第一加密密钥K1,能够用于后续生成具有良好抗量子能力的最终会话密钥。并得到了量子密钥标识符UUID_QK,用于后续申请得到第二量子密钥。In this way, the device management center obtains the first encryption key K1, which can be used to subsequently generate the final session key with good quantum resistance. It also obtains the quantum key identifier UUID_QK, which is used to subsequently apply for the second quantum key.
请参阅图16,在某些实施方式中,第一解密结果包括第一签名消息,方法还包括:Referring to FIG. 16 , in some embodiments, the first decryption result includes a first signature message, and the method further includes:
042:根据第一签名消息得到第一验证拼接体;042: Obtain a first verification splice according to the first signature message;
043:对第一签名消息进行后量子密码验签处理,以确认获得正确的第一验证拼接体;043: Perform post-quantum cryptographic signature verification on the first signature message to confirm that a correct first verification splice is obtained;
044:在量子密钥标识符正确的情况下,根据量子密钥标识符向第二网络节点发送量子密钥申请;044: When the quantum key identifier is correct, sending a quantum key application to the second network node according to the quantum key identifier;
045:接收第二网络节点根据量子密钥申请发送的第二量子密钥。045: Receive a second quantum key sent by the second network node according to the quantum key application.
在某些实施方式中,处理模块用于根据第一签名消息得到第一验证拼接体。验签模块用于对第一签名消息进行后量子密码验签处理,以确认获得正确的第一验证拼接体。发送模块用于在量子密钥标识符正确的情况下,根据量子密钥标识符向第二网络节点发送量子密钥申请。接收模块用于接收第二网络节点根据量子密钥申请发送的第二量子密钥。In some embodiments, the processing module is used to obtain a first verification splice according to the first signature message. The signature verification module is used to perform post-quantum cryptographic signature verification processing on the first signature message to confirm that the correct first verification splice is obtained. The sending module is used to send a quantum key application to the second network node according to the quantum key identifier when the quantum key identifier is correct. The receiving module is used to receive a second quantum key sent by the second network node according to the quantum key application.
在某些实施方式中,处理器还用于根据第一签名消息得到第一验证拼接体。及对第一签名消息进行后量子密码验签处理,以确认获得正确的第一验证拼接体。处理器还用于在量子密钥标识符正确的情况下,根据量子密钥标识符向第二网络节点发送量子密钥申请。及接收第二网络节点根据量子密钥申请发送的第二量子密钥。In some embodiments, the processor is further configured to obtain a first verification splice according to the first signature message, and perform post-quantum cryptographic signature verification on the first signature message to confirm that a correct first verification splice is obtained. The processor is further configured to send a quantum key application to a second network node according to the quantum key identifier when the quantum key identifier is correct, and receive a second quantum key sent by the second network node according to the quantum key application.
具体地,第二网络设备根据第一签名消息得到第一验证拼接体。接着,第二网络设备对第一签名消息进行后量子密码验签处理,以确认获得正确的第一验证拼接体,第一验证拼接体由第二网络设备对量子密钥标识符、第一身份标识和第二网络设备的第二身份标识进行拼接处理得到。然后,在获得的量子密钥标识符正确的情况下,第二网络设备根据量子密钥标识符向第二网络节点发送量子密钥申请。最后,第二网络设备接收第二网络节点根据量子密钥申请发送的第二量子密钥。这样,第二网络设备通过对第一签名消息进行后量子密码验签处理,确认接收到的第一网络设备发送的数据信息正确且没有被未授权访问。此外,通过量子密钥标识符向第二网络节点申请得到了与第一量子密钥相匹配的第二量子密钥,第二量子密钥具有良好的抗量子计算攻击能力,能够用于后续生成最终会话密钥。Specifically, the second network device obtains the first verification splice according to the first signature message. Then, the second network device performs post-quantum cryptographic signature verification on the first signature message to confirm that the correct first verification splice is obtained. The first verification splice is obtained by the second network device splicing the quantum key identifier, the first identity identifier and the second identity identifier of the second network device. Then, if the obtained quantum key identifier is correct, the second network device sends a quantum key application to the second network node according to the quantum key identifier. Finally, the second network device receives the second quantum key sent by the second network node according to the quantum key application. In this way, the second network device confirms that the data information sent by the first network device is correct and has not been unauthorizedly accessed by performing post-quantum cryptographic signature verification on the first signature message. In addition, a second quantum key matching the first quantum key is obtained by applying to the second network node through the quantum key identifier. The second quantum key has good resistance to quantum computing attacks and can be used to generate the final session key later.
接续上述示例,请再次参阅图3,设备管理中心根据第一签名消息M1得到第一验证拼接体P2。接着,设备管理中心对第一签名消息M1进行后量子密码验签处理,以确认获得正确的第一验证拼接体P2,第一验证拼接体P2由设备管理中心对量子密钥标识符UUID_QK、密码设备标识ID_Device和设备管理中心标识ID_Center进行拼接处理得到。然后,在获得的量子密钥标识符UUID_QK正确的情况下,设备管理中心根据量子密钥标识符向第二量子网络节点发送量子密钥申请。最后,设备管理中心接收第二量子网络节点根据量子密钥申请发送的第二量子密钥QK_UUID-2。Continuing with the above example, please refer to Figure 3 again. The device management center obtains the first verification splice P2 based on the first signature message M1. Next, the device management center performs post-quantum cryptographic signature verification on the first signature message M1 to confirm that the correct first verification splice P2 is obtained. The first verification splice P2 is obtained by the device management center by splicing the quantum key identifier UUID_QK, the cryptographic device identifier ID_Device, and the device management center identifier ID_Center. Then, when the obtained quantum key identifier UUID_QK is correct, the device management center sends a quantum key application to the second quantum network node based on the quantum key identifier. Finally, the device management center receives the second quantum key QK_UUID-2 sent by the second quantum network node based on the quantum key application.
如此,设备管理中心通过对第一签名消息M1进行后量子密码验签处理,确认接收到的密码设备发送的数据信息正确且没有被未授权访问。此外,通过量子密钥标识符UUID_QK向第二量子网络节点申请得到了与第一量子密钥QK_UUID-1相匹配的第二量子密钥QK_UUID-2,第二量子密钥QK_UUID-2具有良好的抗量子计算攻击能力,能够用于后续生成最终会话密钥。In this way, the device management center performs post-quantum cryptographic signature verification on the first signature message M1 to confirm that the data information sent by the received cryptographic device is correct and has not been accessed without authorization. In addition, the second quantum key QK_UUID-2 matching the first quantum key QK_UUID-1 is applied to the second quantum network node through the quantum key identifier UUID_QK. The second quantum key QK_UUID-2 has good resistance to quantum computing attacks and can be used to generate the final session key later.
请参阅图17,在某些实施方式中,第一解密结果包括第二握手消息,步骤034(对第一解密结果进行后量子密码加密处理得到第二加密结果,并将第二加密结果发送给第一网络设备),包括:Please refer to FIG. 17 . In some embodiments, the first decryption result includes a second handshake message. Step 034 (performing post-quantum cryptographic encryption on the first decryption result to obtain a second encryption result, and sending the second encryption result to the first network device) includes:
0341:对量子密钥标识符和第二网络设备随机生成的第二随机数进行拼接处理得到第二拼接体;0341: concatenate the quantum key identifier and the second random number randomly generated by the second network device to obtain a second concatenation;
0342:对第二拼接体和初始会话密钥进行异或处理得到第二异或消息;0342: Perform XOR processing on the second concatenated body and the initial session key to obtain a second XOR message;
0343:对第二异或消息进行后量子加密处理得到第二加密密钥;0343: Perform post-quantum encryption processing on the second XOR message to obtain a second encryption key;
0344:对第二异或消息进行后量子加密封装处理得到第二临时加密结果中的第二封装消息;0344: Perform post-quantum encryption encapsulation processing on the second XOR message to obtain a second encapsulated message in a second temporary encryption result;
0345:对量子密钥标识符、第一身份标识和第二身份标识进行拼接处理得到第二验证拼接体;0345: Concatenate the quantum key identifier, the first identity identifier, and the second identity identifier to obtain a second verification concatenation;
0346:对第二验证拼接体进行后量子签名处理得到第二临时加密结果中的第二签名消息;0346: Perform post-quantum signature processing on the second verification splice to obtain a second signature message in the second temporary encryption result;
0347:根据初始会话密钥对第二临时加密结果进行加密处理得到第二加密结果;0347: Encrypt the second temporary encryption result according to the initial session key to obtain a second encryption result;
0348:将第二加密结果发送给第一网络设备。0348: Send the second encryption result to the first network device.
在某些实施方式中,拼接模块用于对量子密钥标识符和第二网络设备随机生成的第二随机数进行拼接处理得到第二拼接体。处理模块用于对第二拼接体和初始会话密钥进行异或处理得到第二异或消息。加密模块用于对第二异或消息进行后量子加密处理得到第二加密密钥。加密封装模块用于对第二异或消息进行后量子加密封装处理得到第二临时加密结果中的第二封装消息。拼接模块还用于对量子密钥标识符、第一身份标识和第二身份标识进行拼接处理得到第二验证拼接体。签名模块还用于对第二验证拼接体进行后量子签名处理得到第二临时加密结果中的第二签名消息。加密模块还用于根据初始会话密钥对第二临时加密结果进行加密处理得到第二加密结果。发送模块用于将第二加密结果发送给第一网络设备。In some embodiments, the splicing module is used to splice the quantum key identifier and the second random number randomly generated by the second network device to obtain a second splicing body. The processing module is used to perform XOR processing on the second splicing body and the initial session key to obtain a second XOR message. The encryption module is used to perform post-quantum encryption processing on the second XOR message to obtain a second encryption key. The encryption encapsulation module is used to perform post-quantum encryption encapsulation processing on the second XOR message to obtain a second encapsulated message in the second temporary encryption result. The splicing module is also used to splice the quantum key identifier, the first identity identifier and the second identity identifier to obtain a second verification splicing body. The signature module is also used to perform post-quantum signature processing on the second verification splicing body to obtain a second signature message in the second temporary encryption result. The encryption module is also used to encrypt the second temporary encryption result according to the initial session key to obtain a second encryption result. The sending module is used to send the second encryption result to the first network device.
在某些实施方式中,处理器还用于对量子密钥标识符和第二网络设备随机生成的第二随机数进行拼接处理得到第二拼接体。及对第二拼接体和初始会话密钥进行异或处理得到第二异或消息。以及对第二异或消息进行后量子加密处理得到第二加密密钥。处理器还用于对第二异或消息进行后量子加密封装处理得到第二临时加密结果中的第二封装消息。及对对量子密钥标识符、第一身份标识和第二身份标识进行拼接处理得到第二验证拼接体。处理器还用于对第二验证拼接体进行后量子签名处理得到第二临时加密结果中的第二签名消息。及根据初始会话密钥对第二临时加密结果进行加密处理得到第二加密结果。以及将第二加密结果发送给第一网络设备。In some embodiments, the processor is also used to perform a splicing process on the quantum key identifier and the second random number randomly generated by the second network device to obtain a second splicing body. And perform an XOR process on the second splicing body and the initial session key to obtain a second XOR message. And perform a post-quantum encryption process on the second XOR message to obtain a second encryption key. The processor is also used to perform a post-quantum encryption encapsulation process on the second XOR message to obtain a second encapsulated message in a second temporary encryption result. And perform a splicing process on the quantum key identifier, the first identity identifier, and the second identity identifier to obtain a second verification splicing body. The processor is also used to perform a post-quantum signature process on the second verification splicing body to obtain a second signature message in a second temporary encryption result. And perform an encryption process on the second temporary encryption result according to the initial session key to obtain a second encryption result. And send the second encryption result to the first network device.
具体地,第二网络设备对量子密钥标识符和第二网络设备随机生成的第二随机数进行拼接处理得到第二拼接体。接着,第二网络设备对第二拼接体和初始会话密钥进行异或处理得到第二异或消息。然后,第二网络设备对第二异或消息进行后量子加密处理得到第二加密密钥。并对第二异或消息进行后量子加密封装处理得到第二临时加密结果中的第二封装消息。随后,第二网络设备对量子密钥标识符、第一身份标识和第二身份标识进行拼接处理得到第二验证拼接体。第二网络设备再对第二验证拼接体进行后量子签名处理得到第二临时加密结果中的第二签名消息。随后,第二网络设备根据初始会话密钥对第二临时加密结果进行加密处理得到第二加密结果。最后,第二网络设备将第二加密结果发送给第一网络设备。这样,第二网络设备通过利用量子密钥标识符、随机生成的第二随机数和初始会话密钥获得了具有良好抗量子能力的第二加密密钥,可用于生成后续的最终会话密钥。还生成了可用于验证消息来源和正确性的第二签名消息,用于在传输过程中防止数据被未授权访问和篡改。Specifically, the second network device performs a splicing process on the quantum key identifier and the second random number randomly generated by the second network device to obtain a second splicing body. Then, the second network device performs an XOR process on the second splicing body and the initial session key to obtain a second XOR message. Then, the second network device performs a post-quantum encryption process on the second XOR message to obtain a second encryption key. And the second XOR message is subjected to a post-quantum encryption encapsulation process to obtain a second encapsulated message in the second temporary encryption result. Subsequently, the second network device performs a splicing process on the quantum key identifier, the first identity identifier, and the second identity identifier to obtain a second verification splicing body. The second network device then performs a post-quantum signature process on the second verification splicing body to obtain a second signature message in the second temporary encryption result. Subsequently, the second network device performs an encryption process on the second temporary encryption result according to the initial session key to obtain a second encryption result. Finally, the second network device sends the second encryption result to the first network device. In this way, the second network device obtains a second encryption key with good quantum resistance by using the quantum key identifier, the randomly generated second random number, and the initial session key, which can be used to generate a subsequent final session key. A second signature message is also generated that can be used to verify the source and correctness of the message, and is used to prevent unauthorized access and tampering of data during transmission.
接续上述示例,请再参阅图3,设备管理中心对量子密钥标识符UUID_QK和设备管理中心随机生成的128比特第二随机数R2进行拼接处理得到第二拼接体P3,即UUID_QK|R2。接着,设备管理中心对第二拼接体P3和初始会话密钥H1进行异或处理得到第二异或消息Y2,即P3⊕H1。然后,设备管理中心对第二异或消息Y2进行后量子加密处理得到第二加密密钥K2。并对第二异或消息Y2进行后量子加密封装处理得到第二临时加密结果中的第二封装消息F2。随后,设备管理中心对量子密钥标识符UUID_QK、密码设备标识ID_Device和设备管理中心标识ID_Center进行拼接处理得到第二验证拼接体P4,即UUID_QK|ID_Center|ID_Device。设备管理中心再对第二验证拼接体P4进行后量子签名处理得到第二临时加密结果中的第二签名消息M2。随后,密码设备使用初始会话密钥H1和SM4分组密码算法对第二临时加密结果进行对称加密得到第二加密结果,即使用初始会话密钥H1和SM4分组密码算法对第二加密封装消息和第二签名消息进行对称加密。最后,设备管理中心将第二加密结果发送给密码设备。Continuing with the above example, please refer to Figure 3 again. The device management center concatenates the quantum key identifier UUID_QK and the 128-bit second random number R2 randomly generated by the device management center to obtain the second concatenation P3, that is, UUID_QK|R2. Next, the device management center performs XOR processing on the second concatenation P3 and the initial session key H1 to obtain the second XOR message Y2, that is, P3⊕H1. Then, the device management center performs post-quantum encryption processing on the second XOR message Y2 to obtain the second encryption key K2. And the second XOR message Y2 is post-quantum encrypted and encapsulated to obtain the second encapsulated message F2 in the second temporary encryption result. Subsequently, the device management center concatenates the quantum key identifier UUID_QK, the cryptographic device identifier ID_Device and the device management center identifier ID_Center to obtain the second verification concatenation P4, that is, UUID_QK|ID_Center|ID_Device. The device management center then performs post-quantum signature processing on the second verification splice P4 to obtain the second signature message M2 in the second temporary encryption result. Subsequently, the cryptographic device uses the initial session key H1 and the SM4 block cipher algorithm to symmetric encrypt the second temporary encryption result to obtain the second encryption result, that is, the initial session key H1 and the SM4 block cipher algorithm are used to symmetric encrypt the second encrypted encapsulation message and the second signature message. Finally, the device management center sends the second encryption result to the cryptographic device.
如此,设备管理中心通过利用量子密钥标识符UUID_QK、随机生成的第二随机数R2和初始会话密钥H1获得了具有良好抗量子能力的第二加密密钥K2,可用于生成后续的最终会话密钥。还生成了可用于验证消息来源和正确性的第二签名消息M2,用于在传输过程中防止数据被未授权访问和篡改。In this way, the device management center obtains a second encryption key K2 with good quantum resistance by using the quantum key identifier UUID_QK, the randomly generated second random number R2 and the initial session key H1, which can be used to generate the subsequent final session key. A second signature message M2 is also generated to verify the source and correctness of the message, which is used to prevent unauthorized access and tampering of data during transmission.
请参阅图18,在某些实施方式中,步骤035(根据初始会话密钥、第一解密结果、第二加密结果和第二量子密钥生成最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密),包括:Referring to FIG. 18 , in some embodiments, step 035 (generating a final session key according to the initial session key, the first decryption result, the second encryption result, and the second quantum key to encrypt the communication between the first network device and the second network device) includes:
0351:对初始会话密钥、第一加密密钥、第二加密密钥和第二量子密钥进行异或处理得到最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。0351: Perform XOR processing on the initial session key, the first encryption key, the second encryption key and the second quantum key to obtain a final session key to encrypt the communication between the first network device and the second network device.
在某些实施方式中,派生模块用于对初始会话密钥、第一加密密钥、第二加密密钥和第二量子密钥进行异或处理得到最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。In some embodiments, the derivation module is used to perform XOR processing on the initial session key, the first encryption key, the second encryption key, and the second quantum key to obtain a final session key to encrypt communication between the first network device and the second network device.
在某些实施方式中,处理器还用于对初始会话密钥、第一加密密钥、第二加密密钥和第二量子密钥进行异或处理得到最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。In some embodiments, the processor is further configured to perform XOR processing on the initial session key, the first encryption key, the second encryption key, and the second quantum key to obtain a final session key to encrypt communication between the first network device and the second network device.
具体地,第二网络设备对初始会话密钥、第一加密密钥、第二加密密钥和第二量子密钥进行异或处理得到最终会话密钥,以对第一网络设备和第二网络设备的通信进行加密。这样,通过使用结合量子密钥分发技术和后量子密码学技术,生成了最终会话密钥,能够增强第一网络设备和第二网络设备间通信的抗量子计算攻击的能力,保护通信过程中传输的数据。Specifically, the second network device performs XOR processing on the initial session key, the first encryption key, the second encryption key, and the second quantum key to obtain a final session key to encrypt the communication between the first network device and the second network device. In this way, by combining quantum key distribution technology and post-quantum cryptography technology, the final session key is generated, which can enhance the ability of the communication between the first network device and the second network device to resist quantum computing attacks and protect the data transmitted during the communication process.
接续上述示例,请再参阅图3,设备管理中心对初始会话密钥H1、第一加密密钥K1、第二加密密钥K2和第二量子密钥QK_UUID-2进行异或处理得到最终会话密钥H2,即H2=H1⊕K1⊕K2⊕QK_UUID-2。通过生成的最终会话密钥H2对密码设备和设备管理中心的通信进行加密。Continuing with the above example, please refer to Figure 3 again. The device management center performs XOR processing on the initial session key H1, the first encryption key K1, the second encryption key K2, and the second quantum key QK_UUID-2 to obtain the final session key H2, that is, H2=H1⊕K1⊕K2⊕QK_UUID-2. The generated final session key H2 is used to encrypt the communication between the cryptographic device and the device management center.
如此,通过使用结合量子密钥分发技术和后量子密码学技术,生成了最终会话密钥H2,能够增强密码设备和设备管理中心间通信的抗量子计算攻击的能力,保护通信过程中传输的数据。In this way, by combining quantum key distribution technology and post-quantum cryptography technology, the final session key H2 is generated, which can enhance the ability of communication between cryptographic devices and device management centers to resist quantum computing attacks and protect data transmitted during the communication process.
请参阅图19,在某些实施方式中,方法还包括:Referring to FIG. 19 , in some embodiments, the method further comprises:
046:根据最终会话密钥对第二验证拼接体进行加密处理得到第二会话密钥验证消息;046: Encrypt the second verification concatenation according to the final session key to obtain a second session key verification message;
047:将第二会话密钥验证消息发送给第一网络设备,第二会话密钥验证消息由初始会话密钥进行加密保护。047: Send the second session key verification message to the first network device, where the second session key verification message is encrypted and protected by the initial session key.
在某些实施方式中,加密模块用于根据最终会话密钥对第二验证拼接体进行加密处理得到第二会话密钥验证消息。发送模块用于将第二会话密钥验证消息发送给第一网络设备,第二会话密钥验证消息由初始会话密钥进行加密保护。In some embodiments, the encryption module is used to encrypt the second verification concatenation according to the final session key to obtain a second session key verification message. The sending module is used to send the second session key verification message to the first network device, and the second session key verification message is encrypted and protected by the initial session key.
在某些实施方式中,处理器还用于根据最终会话密钥对第二验证拼接体进行加密处理得到第二会话密钥验证消息。及将第二会话密钥验证消息发送给第一网络设备,第二会话密钥验证消息由初始会话密钥进行加密保护。In some embodiments, the processor is further configured to encrypt the second verification concatenation according to the final session key to obtain a second session key verification message, and send the second session key verification message to the first network device, wherein the second session key verification message is encrypted and protected by the initial session key.
具体地,第二网络设备根据最终会话密钥对第二验证拼接体进行加密处理得到第二会话密钥验证消息。将第二会话密钥验证消息发送给第一网络设备,第二会话密钥验证消息由初始会话密钥进行加密保护。这样,第二网络设备将生成的第二会话密钥验证消息在初始会话密钥的保护下发送给第一网络设备,使第一网络设备能够根据第二会话密钥验证消息验证第一网络设备生成的最终会话密钥和第二网络设备生成的最终会话密钥的一致性。Specifically, the second network device encrypts the second verification concatenation according to the final session key to obtain a second session key verification message. The second session key verification message is sent to the first network device, and the second session key verification message is encrypted and protected by the initial session key. In this way, the second network device sends the generated second session key verification message to the first network device under the protection of the initial session key, so that the first network device can verify the consistency of the final session key generated by the first network device and the final session key generated by the second network device according to the second session key verification message.
接续上述示例,请再参阅图3,设备管理中心根据最终会话密钥H2对第二验证拼接体p4进行加密处理得到第二会话密钥验证消息Z2。将第二会话密钥验证消息Z2发送给密码设备,第二会话密钥验证消息Z2由初始会话密钥H1进行加密保护。Continuing with the above example, please refer to Figure 3 again. The device management center encrypts the second verification splice p4 according to the final session key H2 to obtain a second session key verification message Z2. The second session key verification message Z2 is sent to the cryptographic device and is encrypted and protected by the initial session key H1.
如此,设备管理中心将生成的第二会话密钥验证消息Z2在初始会话密钥H1的保护下发送给密码设备,使密码设备能够根据第二会话密钥验证消息Z2验证密码设备生成的最终会话密钥H2和设备管理中心生成的最终会话密钥H2的一致性。In this way, the device management center sends the generated second session key verification message Z2 to the cryptographic device under the protection of the initial session key H1, so that the cryptographic device can verify the consistency of the final session key H2 generated by the cryptographic device and the final session key H2 generated by the device management center based on the second session key verification message Z2.
本申请还提供了一种包含计算机程序的计算机可读存储介质。当计算机程序被一个或多个处理器执行时,使得一个或多个处理器执行本申请的方法。The present application also provides a computer-readable storage medium containing a computer program. When the computer program is executed by one or more processors, the one or more processors execute the method of the present application.
可以理解,计算机程序包括计算机程序代码。计算机程序代码可以为源代码形式、对象代码形式、可执行文件或某些中间形式等。计算机可读存储介质可以包括:能够携带计算机程序代码的任何实体或装置、记录介质、U盘、移动硬盘、磁碟、光盘、计算机存储器、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、以及软件分发介质等。It is understood that a computer program includes computer program code. The computer program code may be in source code form, object code form, executable file or some intermediate form. Computer readable storage media may include: any entity or device capable of carrying computer program code, recording medium, USB flash drive, mobile hard disk, magnetic disk, optical disk, computer memory, read-only memory (ROM), random access memory (RAM), and software distribution medium.
在本说明书的描述中,参考术语“具体地”、“进一步地”、“特别地”、“可以理解地”等的描述意指结合实施方式或示例描述的具体特征、结构、材料或者特点包含于本申请的至少一个实施方式或示例中。在本说明书中,对上述术语的示意性表述不预定指的是相同的实施方式或示例。而且,描述的具体特征、结构、材料或者特点可以在任何的一个或多个实施方式或示例中以合适的方式结合。此外,在不相互矛盾的情况下,本领域的技术人员可以将本说明书中描述的不同实施例或示例以及不同实施例或示例的特征进行结合和组合。In the description of this specification, the descriptions with reference to the terms "specifically", "further", "particularly", "understandably", etc. are intended to mean that the specific features, structures, materials or characteristics described in conjunction with the embodiments or examples are included in at least one embodiment or example of the present application. In this specification, the schematic representations of the above terms are not intended to refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any one or more embodiments or examples in a suitable manner. In addition, those skilled in the art may combine and combine the different embodiments or examples described in this specification and the features of the different embodiments or examples, unless they are contradictory.
流程图中或在此以其他方式描述的任何过程或方法描述可以被理解为,表示包括一个或更多个用于实现特定逻辑功能或过程的步骤的可执行指令的代码的模块、片段或部分,并且本申请的优选实施方式的范围包括另外的实现,其中可以不按所示出或讨论的顺序,包括根据所涉及的功能按基本同时的方式或按相反的顺序,来执行功能,这应被本申请的实施例所属技术领域的技术人员所理解。Any process or method description in a flowchart or otherwise described herein may be understood to represent a module, segment or portion of code that includes one or more executable instructions for implementing the steps of a specific logical function or process, and the scope of the preferred embodiments of the present application includes alternative implementations in which functions may not be performed in the order shown or discussed, including performing functions in a substantially simultaneous manner or in the reverse order depending on the functions involved, which should be understood by technicians in the technical field to which the embodiments of the present application belong.
尽管上面已经示出和描述了本申请的实施方式,可以理解的是,上述实施方式是示例性的,不能理解为对本申请的限制,本领域的普通技术人员在本申请的范围内可以对上述实施方式进行变化、修改、替换和变型。Although the embodiments of the present application have been shown and described above, it can be understood that the above embodiments are exemplary and cannot be understood as limitations to the present application. Ordinary technicians in this field can change, modify, replace and modify the above embodiments within the scope of the present application.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411191841.5ACN118694529B (en) | 2024-08-28 | 2024-08-28 | Quantum-resistant security enhancement method for secure channel protocol of password equipment |
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411191841.5ACN118694529B (en) | 2024-08-28 | 2024-08-28 | Quantum-resistant security enhancement method for secure channel protocol of password equipment |
| Publication Number | Publication Date |
|---|---|
| CN118694529Atrue CN118694529A (en) | 2024-09-24 |
| CN118694529B CN118694529B (en) | 2025-01-03 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411191841.5AActiveCN118694529B (en) | 2024-08-28 | 2024-08-28 | Quantum-resistant security enhancement method for secure channel protocol of password equipment |
| Country | Link |
|---|---|
| CN (1) | CN118694529B (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20210226782A1 (en)* | 2020-01-22 | 2021-07-22 | Cisco Technology, Inc. | Quantum computer resistant pre-shared key distribution for large scale wide area network solutions |
| US11153080B1 (en)* | 2020-07-29 | 2021-10-19 | John A. Nix | Network securing device data using two post-quantum cryptography key encapsulation mechanisms |
| US20210409214A1 (en)* | 2020-06-30 | 2021-12-30 | John A. Nix | Subscription Concealed Identifier (SUCI) Supporting Post-Quantum Cryptography |
| CN115150061A (en)* | 2021-03-30 | 2022-10-04 | 国民技术股份有限公司 | Post-quantum cryptographic algorithm digital currency transaction method, device, equipment and medium |
| US20230308424A1 (en)* | 2021-12-08 | 2023-09-28 | John A. Nix | Secure Session Resumption using Post-Quantum Cryptography |
| CN118540164A (en)* | 2024-07-25 | 2024-08-23 | 中电信量子信息科技集团有限公司 | Quantum security enhancement method for Internet key exchange protocol |
| CN118540163A (en)* | 2024-07-25 | 2024-08-23 | 中电信量子信息科技集团有限公司 | Quantum security enhancement method for national security SSL VPN protocol |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20210226782A1 (en)* | 2020-01-22 | 2021-07-22 | Cisco Technology, Inc. | Quantum computer resistant pre-shared key distribution for large scale wide area network solutions |
| US20210409214A1 (en)* | 2020-06-30 | 2021-12-30 | John A. Nix | Subscription Concealed Identifier (SUCI) Supporting Post-Quantum Cryptography |
| US11153080B1 (en)* | 2020-07-29 | 2021-10-19 | John A. Nix | Network securing device data using two post-quantum cryptography key encapsulation mechanisms |
| CN115150061A (en)* | 2021-03-30 | 2022-10-04 | 国民技术股份有限公司 | Post-quantum cryptographic algorithm digital currency transaction method, device, equipment and medium |
| US20230308424A1 (en)* | 2021-12-08 | 2023-09-28 | John A. Nix | Secure Session Resumption using Post-Quantum Cryptography |
| CN118540164A (en)* | 2024-07-25 | 2024-08-23 | 中电信量子信息科技集团有限公司 | Quantum security enhancement method for Internet key exchange protocol |
| CN118540163A (en)* | 2024-07-25 | 2024-08-23 | 中电信量子信息科技集团有限公司 | Quantum security enhancement method for national security SSL VPN protocol |
| Publication number | Publication date |
|---|---|
| CN118694529B (en) | 2025-01-03 |
| Publication | Publication Date | Title |
|---|---|---|
| CN116132043B (en) | Session key agreement method, device and equipment | |
| CN118540163B (en) | Anti-quantum security enhancement method for national secret SSL VPN protocol | |
| CN116633530A (en) | Quantum key transmission method, device and system | |
| CN118540165B (en) | Anti-quantum security enhancement method for national secret IPSec VPN protocol | |
| CN118540164B (en) | Quantum security enhancement method for Internet key exchange protocol | |
| CN113726733B (en) | Encryption intelligent contract privacy protection method based on trusted execution environment | |
| CN118659922B (en) | Quantum security enhancement method for open authorization protocol | |
| WO2023151427A1 (en) | Quantum key transmission method, device and system | |
| CN110730071A (en) | A security access authentication method, device and equipment for power distribution communication equipment | |
| CN116567624B (en) | 5G feeder terminal communication safety protection method, device and storage medium | |
| CN117155564A (en) | Bidirectional encryption authentication system and method | |
| CN118659881B (en) | Quantum-resistant security enhancement method for secure shell protocol | |
| CN118694528B (en) | Anti-quantum security enhancement method for on-line certificate issuing and key pair distribution | |
| CN118713833B (en) | Quantum security enhancement method for open identity connection protocol | |
| CN118555133B (en) | Quantum-resistant security enhancement method of transport layer security protocol | |
| CN119766437A (en) | SSL VPN remote access method, system and related device supporting post quantum algorithm | |
| CN119766433A (en) | Encryption communication method, device and system supporting post quantum algorithm | |
| WO2025148510A1 (en) | Authentication method based on dual quantum random number protection, client, and system | |
| CN112822015A (en) | Information transmission method and related device | |
| CN117714185A (en) | Bank counter data processing method and system based on cryptographic algorithm | |
| WO2025025326A1 (en) | Data transmission method for nuclear power physical protection communication, device, and medium | |
| CN118694529B (en) | Quantum-resistant security enhancement method for secure channel protocol of password equipment | |
| CN118659923B (en) | A quantum-resistant security enhancement method for the Simple Authentication and Security Layer protocol | |
| CN118631457B (en) | Quantum-resistant security enhancement method of security assertion marking protocol | |
| CN118694618B (en) | A method to enhance the quantum security of the Central Authentication Service Protocol |
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |