Disclosure of Invention
Aiming at the problem that the existing tunnel communication technology is insufficient in safety under the threat of quantum computation, the invention provides a method and a system for enhancing the quantum-resistant tunnel communication safety based on software definition. Through the quantum-resistant tunnel architecture design of pure software definition, the full stack software deployment is realized by combining a message processing module, a remote management module, a password module and an access control module, the dependence on a quantum chip is avoided, and the deployment cost is reduced. Meanwhile, the original traffic is intercepted through the virtualized network interface, the service data is transparently packaged, multiprotocol transparent transmission is supported, and the original protocol is not required to be modified, so that non-invasive deployment is realized. In addition, the invention adopts a double certificate mixed authentication mechanism, superimposes quantum protection capability on the basis of national compliance, ensures the same security of management instructions and data traffic through a remote management channel for quantum reinforcement, and prevents man-in-the-middle attack under quantum computation. The lightweight flow access control module realizes refined flow filtration through dynamic blacklist rules, and improves the effective utilization rate of the tunnel and the safety of the intranet.
A quantum-tunnel-resistant communication security enhancement method based on software definition comprises the following steps:
Tunnel software is deployed at the local end and the remote end, and comprises a message processing module, a remote management module, a password module and an access control module;
Establishing a link between the tunnel software of the local end and the tunnel software of the remote end, calling a cryptographic module by the local end to generate a key, sending the key to the remote end, and carrying out tunnel establishment and key negotiation;
The message processing module of the local end receives the plaintext business message of the enterprise intranet, calls the cryptographic module, encrypts the plaintext by using the negotiated key, and sends the encrypted ciphertext business message to the message processing module of the remote end through the tunnel;
The message processing module of the local terminal receives the ciphertext service message responded by the remote terminal, calls the password module to decrypt the ciphertext service message into a plaintext, and sends the plaintext to the equipment corresponding to the enterprise intranet;
the message processing module of the local end receives the remote management message, the remote management message is reinforced by using the quantum-resistant cryptographic technology, and the remote management message is decrypted by calling the cryptographic module after being received and then is sent to the remote management module for processing.
Further, a client is arranged on the local end, and a server is arranged on the remote end;
The tunnel establishment and key negotiation process specifically comprises the following steps:
s101, a client initiates a key negotiation request;
s102, after receiving a key negotiation request, a server sends a server national cryptographic certificate, a server anti-quantum certificate, a first random number and a first signature to a client;
S103, after receiving the response, the client verifies the server side national secret certificate, the server side anti-quantum certificate and the first signature, if the verification is passed, the next step is continuously executed, otherwise, the link is terminated;
S104, generating a second random number by the client, and generating a client anti-quantum key pair and a session key seed based on an anti-quantum cryptographic algorithm, encrypting the session key seed by using a public key in a server anti-quantum certificate to obtain first encryption information, and calculating hash values of the first random number and the second random number based on an SM3 cryptographic algorithm to obtain first tamper-proof information;
s105, the client sends a client national encryption certificate, a client anti-quantum public key, first encryption information, a second random number, first tamper-proof information and a second signature to the server;
S106, the server verifies the second signature in the response of the client, recovers the session key seed from the first encrypted information by using the server anti-quantum private key, verifies the first tamper-proof information by using an SM3 cryptographic algorithm, the first random number and the second random number;
S107, the server generates a first key in a symmetric encryption process by using the recovered session key seed and the first and second random numbers, encrypts the first key by using the client quantum-resistant public key to obtain a first authentication tag, and generates second tamper-resistant information based on the session key seed recovered by the server;
s108, the server side sends a first authentication tag, second tamper-proof information and a third signature to the client side;
S109, the client verifies a third signature of the server, verifies the second tamper-proof information by utilizing a local session key seed, and verifies a first authentication tag of the server by utilizing a first key;
if all the authentications pass, both sides hold the same first key at this time, indicating that the encryption channel is ready.
Further, in S102, the server-side cryptographic certificate includes the server-sidePublic key;
The server anti-quantum certificate contains a server anti-quantum public key;
The first signature calculation formula is as follows:
calculating hash values based on a first random number:;
Generating a first signature:;
Wherein, theRepresenting the first random number of the first random number,Represents an SM3 cryptographic algorithm; Representing a time stamp; Representing a SM2 private key of the server; Linking operators for the character strings; representing a signature generation function;
the process of signature verification in S103 is expressed as:
Calculation of,;
By passing throughVerifying;
wherein, theIn order to recalculate the hash value,The public key is a server SM2 public key; Representing a signature verification function.
Further, S104 specifically includes:
Client generates a second random numberPreparing key exchange, generating a client anti-quantum key pair by the client based on an anti-quantum cryptographic algorithm, wherein the client anti-quantum key pair comprises a client anti-quantum public keyAnd client anti-quantum private keyThe generation algorithm is as follows:
generating a random matrix by first generating a random private key seedExpanded into a public key matrix,;
Wherein, theRepresenting an expansion operation; representing the dimension of a matrix, each element in the matrix being a polynomial ringThe polynomial of the above is used for the control of the temperature,Is the modulus of the polynomial,The dimensions are represented as such,In the form of a variable which is a form variable,Is a modular polynomial used for constructing algebraic structure of polynomial ring; Representative modelOf (a), i.e. all integers are moduloA set of the following;
generating a private key vectorExpressed as: Wherein, the method comprises the steps of,Representation ofThe error sampling distribution is maintained,Representing random sampling;
Generating public keysExpressed as:
;
;
wherein e is a noise vector;
Obtaining an anti-quantum public keyExpressed as:
;
Obtaining client anti-quantum private keyExpressed as:
;
generating a session key seed;
encrypting the session key seed by using a public key in the server anti-quantum certificate to obtain first encryption informationThe encryption method specifically comprises the following steps:
Use of server side quantum-resistant public keysExpanding server-side matrices;;As a server-side random private key seed,The public key is a server side public key;
generating random vectorsSum error of、Expressed as:
;
;
;
wherein, theSampling distribution for single variable errors;
Calculating ciphertext components、And is expressed as:
,; representing the result after encoding into a polynomial,The transpose of the matrix is represented,Representing a session key seed;
Compression to obtain first encrypted informationExpressed as:
;
wherein, theRepresenting the number of low bits retaining each coefficient;
Based onThe cryptographic algorithm calculates a hash value of the first random number and the second random number as first tamper-resistant informationThe calculation formula is as follows:
;
wherein, theRepresentation ofCryptographic algorithms.
Further, the second signature in S105 is generated based on the SM2 cryptographic algorithm, and the calculation formula is as follows:
;
wherein, theA second signature is represented and is used to represent a second signature,The representation is based onThe signing operation of the cryptographic algorithm,Representing the client anti-quantum public key,Representing the client anti-quantum private key,Representing the SM3 cryptographic algorithm,Representing the first encrypted information to be used for the first time,Representing a second random number;
The S106 is specifically that the server verifies whether the client signature is correct or not, if the verification fails, the link is terminated, and specifically is that:
verifying the second signatureExpressed as:
;
wherein, theRepresenting a server anti-quantum private key;
after the verification is passed, recovering a session key seed from the first encrypted information by using the server anti-quantum private key, wherein the session key seed is expressed as:
Decompressing first encrypted informationExpressed as:
;
wherein, theFor the first encrypted informationCompressed ciphertext component,For the first encrypted informationCompressed ciphertext component,As ciphertext componentAs a result of the decompression of (c),As ciphertext componentA decompressed result;
the session key seed is unsealed by using the server-side anti-quantum private key, which is expressed as:
;
;
wherein, theIs the coding information containing noise; seed for the session key after recovering; Representing the decoding function of the decoding device,Representing a server anti-quantum private key;
verifying hash consistency based onThe cryptographic algorithm calculates hash values of the first random number and the second random number, and if the hash values and the first tamper-proof informationIf the two types of information are inconsistent, the link is tampered and terminated, and the method is expressed as:
Wherein, the method comprises the steps of,Indicating a condition judgment.
Further, S107 specifically is:
The server uses the recovered session key seedAnd first key of first and second random number generation symmetric encryption processExpressed as:
;
;
;
;
wherein, theIs a key derivation function based on SM3 cryptographic algorithm; a symmetric encryption key for the SM4 algorithm; Is thatAn authentication key of an authentication tag generation function; initialization vector for GCM mode;、 AndFor a fixed ASCII string, identifying encryption key derivation, authentication key derivation, and counter mode, respectively;
Encrypting a first key using a client anti-quantum public key to obtain a first authentication tagThe formula is as follows:
;
wherein, theRepresenting an authentication tag generation function;
Generating second tamper-proof information based on session key seeds recovered by the server, wherein the formula is as follows:
;
wherein, theRepresenting the second tamper-resistant information.
Further, in S108, the third signature calculation formula is as follows:
;
;
wherein, theRepresenting a third signature of the signature,Representing a first authentication tag;
in S109, the client verifies the third signature of the server, and the formula is as follows:
;
Using local session key seedsVerifying the second tamper-resistant information, the formula is as follows:
;
verifying whether the first authentication tag of the server is correct by using the first key of the symmetric encryption process synchronously generated by the client, which is expressed as follows:
。
Further, the process of data encapsulation and transmission using the symmetric encryption key is specifically as follows:
S201, after receiving intranet communication data, a client encrypts by using a first key to obtain a communication message ciphertext;
S201 specifically is:
;
;
wherein, theRepresenting the communication data of the intranet,Representing the original flow rate of the fluid,On behalf of the communication report Wen Miwen,Representative ofThe encryption function of the pattern is that,On behalf of the communication message authentication tag,The sequence number is a 32-bit unsigned integer; generating a function for the authentication tag;
S202, a client sends a communication message ciphertext and a communication message authentication tag to a server;
S203, after receiving the encrypted data, the server firstly decrypts the ciphertext of the communication message by using a first key, then verifies whether the HMAC is correct or not, and if so, forwards the plaintext message to the client;
S203 is expressed as:
;
;
wherein, theIs thatA pattern decryption function; Is the received HMAC;
s204, the server sends the communication message ciphertext and the communication message authentication label to the client, specifically, the tunnel repeats the symmetrical encryption process to transmit data, and when the session key reaches the preset life cycle, the link is disconnected, the link is restarted and the key is renegotiated.
The anti-quantum tunnel communication safety enhancement system based on the software definition is used for implementing the anti-quantum tunnel communication safety enhancement method based on the software definition, comprises a local end and a far end,
The local end and the remote end are both provided with tunnel software;
The tunnel software includes:
the message processing module is communicated with the enterprise intranet through plaintext and communicated with the public extranet through ciphertext;
the remote management module is communicated with the message processing module;
The password module is communicated with the message processing module;
and the access control module is communicated with the message processing module.
The invention has the technical effects that:
The encryption process is realized based on the anti-quantum cryptographic algorithm PQC through the pure software-defined anti-quantum tunnel architecture, the full stack software is realized through the modularized design, the dependence on an anti-quantum chip is avoided, and the deployment cost is reduced. Further, through tunneling non-invasive deployment, based on a client-server tunnel proxy mode, original traffic is intercepted and captured through a message processing module virtualization network interface, service data is transparently packaged, multiprotocol transparent transmission is supported, and the original protocol is not required to be modified. Particularly, through a double certificate mixed authentication mechanism, an SM2 national cryptographic certificate and an anti-quantum certificate are simultaneously used, so that the existing CA system is compatible, and quantum security transition is realized. In addition, the remote management channel and the VPN data tunnel are integrated to the same quantum-resistant communication protocol stack through the quantum-resistant reinforced remote management channel, so that the same safety of management instructions and data traffic is ensured. Finally, through lightweight traffic access control, a blacklist rule is preset at an encrypted tunnel entrance, access traffic filtration is realized, and the tunnel effective utilization rate and intranet security are improved.
Detailed Description
The invention provides a method and a system for enhancing the communication security of an anti-quantum tunnel based on software definition, which build an anti-quantum tunnel architecture realized by pure software by introducing an anti-quantum cryptographic algorithm and a modularized design. The architecture can realize quantum secure communication without depending on hardware, supports non-invasive deployment, and is compatible with various service scenes. Specific embodiments of the present invention are described in detail below with reference to fig. 1 to 3.
Fig. 1 is a schematic diagram of a software-defined anti-quantum tunneling communication security enhancement system according to the present invention, showing the interaction relationship between the overall structure of the system and the core module. The system comprises a local end and a remote end, tunnel software is deployed at both ends, and the tunnel software consists of a message processing module, a remote management module, a password module and an access control module. The enterprise intranet guides the original flow into the message processing module through the virtualized network interface for encryption processing, and then transmits the original flow to the message processing module at the far end through the public extranet. The whole communication process relates to a double-certificate authentication mechanism of a national secret certificate and an anti-quantum certificate and a blacklist rule which is dynamically updated so as to ensure the safety of traffic.
In the running process of the system, firstly, a tunnel needs to be established and key negotiation is completed, then real-time communication is realized through data encapsulation and transmission, and meanwhile, the tunnel working mode, the security policy and the like are centralized and controlled through a remote management channel. Fig. 2 shows a tunnel establishment and key negotiation flow, and fig. 3 details specific implementation steps of symmetric encryption communication.
In practice, it is assumed that a distributed enterprise headquarter is interconnected with a plurality of branches via a public extranet. The headquarter and each branch office deploy the tunnel software of the invention respectively, intercept the original traffic through the virtualized network interface and carry out transparent quantum security encapsulation and transmission. The message processing module guarantees service continuity through an intelligent fragment recombination mechanism, and avoids the problem of data loss or delay caused by network fluctuation. For example, when the device a in the intranet sends data to the remote device B, the message processing module first captures the data stream, invokes the cryptographic module to encrypt the data packet layer by layer, and then transmits the encrypted data to the remote message processing module through the tunnel. And after receiving the encrypted data, the remote message processing module calls the password module to decrypt the encrypted data into a plaintext, and finally forwards the plaintext to the corresponding equipment B.
The remote management module is used as a control center of the system, and the same safety of the instruction and the data flow is realized through a quantum reinforcement resistant management channel. The management channel derives an independent management key based on the session key generated by the ML-KEM algorithm, so that the management instruction is ensured not to be tampered or stolen in the transmission process. The remote management module supports the functions of setting a tunnel working mode, managing a real-time tunnel, configuring a tunnel security policy and the like. For example, a headquarter administrator may query existing tunnel information, add new tunnels, or delete invalid tunnels through a remote management module. In addition, the administrator can dynamically update blacklist rules to cope with changing network security threats. The blacklist rule is preset at the entrance of the encryption tunnel, and the access control module ensures that illegal traffic is blocked before entering the encryption tunnel by matching the IP address, the port number and the protocol type in the original traffic one by one.
The cryptographic module provides quantum security cryptographic service support for the system, supporting anti-quantum cryptographic algorithms and hybrid encryption modes. The cipher module realizes flexible switching of various algorithms through modularized design, for example, different parameter sets are selected in NIST post quantum standard algorithm to adapt to the requirements of different scenes. In the embodiment, the cryptographic module uses the ML-KEM anti-quantum cryptographic algorithm to strengthen data, and supports the combined use of the SM4 symmetric encryption algorithm and the anti-quantum algorithm, so that the cryptographic module is compatible with the traditional encryption mode in the transitional period and meets the quantum security requirement. For example, after the tunnel is established, the client and the server each independently calculate the same session key seed, and then use the first key to perform symmetric encryption communication. In the process, the password module calls a standardized API according to a preset security policy to complete key generation, distribution and data encryption operation.
And the access control module is communicated with the message processing module. In the whole communication process, the remote management function is realized through a quantum reinforcement resistant management channel, and the equal safety of management instructions and data traffic is ensured. The remote management function comprises the steps of setting a tunnel working mode, managing a real-time tunnel and configuring a tunnel security policy. For example, an administrator may update tunnel credentials, modify encryption algorithms, or adjust tunnel duration through the management tunnel. Real-time tunnel management supports querying existing tunnel information, adding new tunnels, or deleting invalid tunnels. Configuring tunnel security policies supports querying, adding, or deleting security rules, such as adding blacklist rules for a particular IP address, port number, or protocol type.
Implementations of the remote management function include the following. The tunnel working mode setting supports certificate updating operation, and an administrator sends an updating instruction through a request message structure, wherein the updating instruction comprises a version number, a message ID, a timestamp, an operation type and a signature field. The main body information contains instruction type, parameters and certificate data. The server returns a status code and a status description, and returns a new configuration effective time stamp if the update is successful. The real-time tunnel management supports a tunnel inquiry function, and an administrator can inquire the tunnel ID, the state and the network configuration through filtering conditions. And returning the basic configuration, the algorithm suite and the flow statistics to the response data format. The tunnel adding operation needs to specify a tunnel identifier, an IP address pair and an algorithm suite, and the tunnel deleting operation supports batch processing. The security policy configuration supports rule query, add or delete operations, and an administrator can dynamically update blacklist rules through rule types, rule IDs and target values.
A quantum-tunnel-resistant communication security enhancement method based on software definition comprises the following steps:
Tunnel software is deployed at the local end and the remote end, and comprises a message processing module, a remote management module, a password module and an access control module;
Establishing a link between the tunnel software of the local end and the tunnel software of the remote end, calling a cryptographic module by the local end to generate a key, sending the key to the remote end, and carrying out tunnel establishment and key negotiation;
The message processing module of the local end receives the plaintext business message of the enterprise intranet, calls the cryptographic module, encrypts the plaintext by using the negotiated key, and sends the encrypted ciphertext business message to the message processing module of the remote end through the tunnel;
The message processing module of the local terminal receives the ciphertext service message responded by the remote terminal, calls the password module to decrypt the ciphertext service message into a plaintext, and sends the plaintext to the equipment corresponding to the enterprise intranet;
the message processing module of the local end receives the remote management message, the remote management message is reinforced by using the quantum-resistant cryptographic technology, and the remote management message is decrypted by calling the cryptographic module after being received and then is sent to the remote management module for processing.
Further, a client is arranged on the local end, and a server is arranged on the remote end;
The tunnel establishment and key negotiation process specifically comprises the following steps:
s101, a client initiates a key negotiation request;
s102, after receiving a key negotiation request, a server sends a server national cryptographic certificate, a server anti-quantum certificate, a first random number and a first signature to a client;
S103, after receiving the response, the client verifies the server side national secret certificate, the server side anti-quantum certificate and the first signature, if the verification is passed, the next step is continuously executed, otherwise, the link is terminated;
S104, generating a second random number by the client, and generating a client anti-quantum key pair and a session key seed based on an anti-quantum cryptographic algorithm, encrypting the session key seed by using a public key in a server anti-quantum certificate to obtain first encryption information, and calculating hash values of the first random number and the second random number based on an SM3 cryptographic algorithm to obtain first tamper-proof information;
s105, the client sends a client national encryption certificate, a client anti-quantum public key, first encryption information, a second random number, first tamper-proof information and a second signature to the server;
S106, the server verifies the second signature in the response of the client, recovers the session key seed from the first encrypted information by using the server anti-quantum private key, verifies the first tamper-proof information by using an SM3 cryptographic algorithm, the first random number and the second random number;
S107, the server generates a first key in a symmetric encryption process by using the recovered session key seed and the first and second random numbers, encrypts the first key by using the client quantum-resistant public key to obtain a first authentication tag, and generates second tamper-resistant information based on the session key seed recovered by the server;
s108, the server side sends a first authentication tag, second tamper-proof information and a third signature to the client side;
S109, the client verifies a third signature of the server, verifies the second tamper-proof information by utilizing a local session key seed, and verifies a first authentication tag of the server by utilizing a first key;
if all the authentications pass, both sides hold the same first key at this time, indicating that the encryption channel is ready.
Further, in S102, the server-side cryptographic certificate includes the server-sidePublic key;
The server anti-quantum certificate contains a server anti-quantum public key;
The first signature calculation formula is as follows:
calculating hash values based on a first random number:;
Generating a first signature:;
Wherein, theRepresenting the first random number of the first random number,Represents an SM3 cryptographic algorithm; Representing a time stamp; Representing a SM2 private key of the server; Linking operators for the character strings; representing a signature generation function;
the process of signature verification in S103 is expressed as:
Calculation of,;
By passing throughVerifying;
wherein, theIn order to recalculate the hash value,The public key is a server SM2 public key; Representing a signature verification function.
Further, S104 specifically includes:
Client generates a second random numberPreparing key exchange, generating a client anti-quantum key pair by the client based on an anti-quantum cryptographic algorithm, wherein the client anti-quantum key pair comprises a client anti-quantum public keyAnd client anti-quantum private keyThe generation algorithm is as follows:
generating a random matrix by first generating a random private key seedExpanded into a public key matrix,;
Wherein, theRepresenting an expansion operation; representing the dimension of a matrix, each element in the matrix being a polynomial ringThe polynomial of the above is used for the control of the temperature,Is the modulus of the polynomial,The dimensions are represented as such,In the form of a variable which is a form variable,Is a modular polynomial used for constructing algebraic structure of polynomial ring; Representative modelOf (a), i.e. all integers are moduloA set of the following;
generating a private key vectorExpressed as: Wherein, the method comprises the steps of,Representation ofThe error sampling distribution is maintained,Representing random sampling;
Generating public keysExpressed as:
;
;
wherein e is a noise vector;
Obtaining an anti-quantum public keyExpressed as:
;
Obtaining client anti-quantum private keyExpressed as:
;
generating a session key seed;
encrypting the session key seed by using a public key in the server anti-quantum certificate to obtain first encryption informationThe encryption method specifically comprises the following steps:
Use of server side quantum-resistant public keysExpanding server-side matrices;;As a server-side random private key seed,The public key is a server side public key;
generating random vectorsSum error of、Expressed as:
;
;
;
wherein, theSampling distribution for single variable errors;
Calculating ciphertext components、And is expressed as:
,; representing the result after encoding into a polynomial,The transpose of the matrix is represented,Representing a session key seed;
Compression to obtain first encrypted informationExpressed as:
;
wherein, theRepresenting the number of low bits retaining each coefficient;
Based onThe cryptographic algorithm calculates a hash value of the first random number and the second random number as first tamper-resistant informationThe calculation formula is as follows:
;
wherein, theRepresentation ofCryptographic algorithms.
Further, the second signature in S105 is generated based on the SM2 cryptographic algorithm, and the calculation formula is as follows:
;
wherein, theA second signature is represented and is used to represent a second signature,The representation is based onThe signing operation of the cryptographic algorithm,Representing the client anti-quantum public key,Representing the client anti-quantum private key,Representing the SM3 cryptographic algorithm,Representing the first encrypted information to be used for the first time,Representing a second random number;
The S106 is specifically that the server verifies whether the client signature is correct or not, if the verification fails, the link is terminated, and specifically is that:
verifying the second signatureExpressed as:
;
wherein, theRepresenting a server anti-quantum private key;
after the verification is passed, recovering a session key seed from the first encrypted information by using the server anti-quantum private key, wherein the session key seed is expressed as:
Decompressing first encrypted informationExpressed as:
;
wherein, theFor the first encrypted informationCompressed ciphertext component,For the first encrypted informationCompressed ciphertext component,As ciphertext componentAs a result of the decompression of (c),As ciphertext componentA decompressed result;
the session key seed is unsealed by using the server-side anti-quantum private key, which is expressed as:
;
;
wherein, theIs the coding information containing noise; seed for the session key after recovering; Representing the decoding function of the decoding device,Representing a server anti-quantum private key;
verifying hash consistency based onThe cryptographic algorithm calculates hash values of the first random number and the second random number, and if the hash values and the first tamper-proof informationIf the two types of information are inconsistent, the link is tampered and terminated, and the method is expressed as:
Wherein, the method comprises the steps of,Indicating a condition judgment.
Further, S107 specifically is:
The server uses the recovered session key seedAnd first key of first and second random number generation symmetric encryption processExpressed as:
;
;
;
;
wherein, theIs a key derivation function based on SM3 cryptographic algorithm; a symmetric encryption key for the SM4 algorithm; Is thatAn authentication key of an authentication tag generation function; initialization vector for GCM mode;、 AndFor a fixed ASCII string, identifying encryption key derivation, authentication key derivation, and counter mode, respectively;
Encrypting a first key using a client anti-quantum public key to obtain a first authentication tagThe formula is as follows:
;
wherein, theRepresenting an authentication tag generation function;
Generating second tamper-proof information based on session key seeds recovered by the server, wherein the formula is as follows:
;
wherein, theRepresenting the second tamper-resistant information.
Further, in S108, the third signature calculation formula is as follows:
;
;
wherein, theRepresenting a third signature of the signature,Representing a first authentication tag;
in S109, the client verifies the third signature of the server, and the formula is as follows:
;
Using local session key seedsVerifying the second tamper-resistant information, the formula is as follows:
;
verifying whether the first authentication tag of the server is correct by using the first key of the symmetric encryption process synchronously generated by the client, which is expressed as follows:
。
Further, the process of data encapsulation and transmission using the symmetric encryption key is specifically as follows:
S201, after receiving intranet communication data, a client encrypts by using a first key to obtain a communication message ciphertext;
S201 specifically is:
;
;
wherein, theRepresenting the communication data of the intranet,Representing the original flow rate of the fluid,On behalf of the communication report Wen Miwen,Representative ofThe encryption function of the pattern is that,On behalf of the communication message authentication tag,The sequence number is a 32-bit unsigned integer; generating a function for the authentication tag;
S202, a client sends a communication message ciphertext and a communication message authentication tag to a server;
S203, after receiving the encrypted data, the server firstly decrypts the ciphertext of the communication message by using a first key, then verifies whether the HMAC is correct or not, and if so, forwards the plaintext message to the client;
S203 is expressed as:
;
;
wherein, theIs thatA pattern decryption function; Is the received HMAC;
s204, the server sends the communication message ciphertext and the communication message authentication label to the client, specifically, the tunnel repeats the symmetrical encryption process to transmit data, and when the session key reaches the preset life cycle, the link is disconnected, the link is restarted and the key is renegotiated.
The anti-quantum tunnel communication safety enhancement system based on the software definition is used for implementing the anti-quantum tunnel communication safety enhancement method based on the software definition, comprises a local end and a far end,
The local end and the remote end are both provided with tunnel software;
The tunnel software includes:
the message processing module is communicated with the enterprise intranet through plaintext and communicated with the public extranet through ciphertext;
the remote management module is communicated with the message processing module;
The password module is communicated with the message processing module;
and the access control module is communicated with the message processing module.
In summary, the invention realizes the encryption process based on the PQC algorithm through the quantum-resistant tunnel architecture defined by pure software, realizes the full stack software through the modularized design, avoids the dependence on quantum chips and reduces the deployment cost. Based on a client-server tunnel proxy mode, the method intercepts and captures the original traffic through a virtualized network interface of a message processing module through tunneling non-invasive deployment, transparently encapsulates service data, supports multiprotocol transparent transmission and does not need to modify an original protocol. Through a double certificate mixed authentication mechanism, SM2 national secret certificate and anti-quantum certificate are simultaneously used, so that the system is compatible with the existing CA system and quantum security transition is realized. And integrating the remote management channel and the VPN data tunnel to the same quantum-resistant communication protocol stack through the quantum-resistant reinforced remote management channel, so as to ensure the equal safety of management instructions and data traffic. And through lightweight flow access control, a blacklist rule is preset at an encrypted tunnel entrance, access flow filtration is realized, and the effective utilization rate of the tunnel and the intranet security are improved.