CN110138548A - Quantum communication service station key negotiation method and system based on asymmetric key pool pairs and the DH protocol - Google Patents
Quantum communication service station key negotiation method and system based on asymmetric key pool pairs and the DH protocol
- Publication number: CN110138548A
- Application number: CN201910324294.6A
- Authority: CN (China)
- Prior art keywords: key, authentication, service station, encryption, parameter
- Legal status: Granted
Classifications (CPC, H04L: transmission of digital information)
- H04L63/0442 — Network security protocols providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H04L63/061 — Network security protocols supporting key management in a packet data network, for key exchange, e.g. in peer-to-peer networks
- H04L9/0838 — Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0852 — Quantum cryptography
- H04L9/0894 — Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
Abstract
This application relates to a quantum communication service station key negotiation method and system based on asymmetric key pool pairs and the DH protocol. In this application the key card used is an independent, hardware-isolated device. Public keys, private keys and the other relevant parameters are stored in the secure data area of the key card, so the likelihood of a key being stolen by malware or malicious operation is greatly reduced, and the keys cannot be obtained and cracked by a quantum computer. The application improves the authentication flow based on symmetric key algorithms: the data in the authentication flow, such as the random numbers and the TICKET exchanged between B and the service station, are protected by encryption under the symmetric key obtained through the DH algorithm. Because the symmetric key obtained by DH can only be computed by the two communicating parties, the data in the authentication process can be decrypted only by the holders of the DH private keys and by no one else, which improves the security of the symmetric-key-based authentication flow.
Description
Technical field
This application relates to the field of secure communication technology, and in particular to a quantum communication service station key negotiation method and system based on asymmetric key pool pairs and the DH protocol.
Background technique
The rapidly developing Internet brings great convenience to people's lives and work: from home, people can send and receive e-mail, make phone calls, shop online and make bank transfers over the Internet. At the same time, network information security is increasingly becoming a potentially huge problem. In general, network information faces the following security risks: information is stolen, information is tampered with, attackers forge information, malicious sabotage, and so on.
Identity authentication is one of the means of protecting people's network information. Identity authentication, also called "identity verification" or "identity identification", refers to the process of confirming an operator's identity in a computer or computer network system, in order to determine whether the user has access rights to a certain resource, so that the access policy of the computer and network system can be executed reliably and effectively, attackers are prevented from impersonating legitimate users to obtain access to resources, the security of the system and its data is guaranteed, and the legitimate interests of authorized visitors are protected.
Currently, successful identity authentication relies mainly on cryptographic techniques, and in today's cryptography there are two main cryptosystems: the symmetric key cryptosystem, in which the encryption key and the decryption key are the same, and the public key cryptosystem, in which the encryption key and the decryption key differ and one of them can be made public. Most current identity authentication relies primarily on public key cryptography.
The encryption key (public key) and the decryption key (private key) used by a public key cryptosystem are different. Because the encryption key is public, key distribution and management are very simple, and a public key cryptosystem can also easily produce digital signatures.
Since public key encryption appeared, scholars have proposed many kinds of public key encryption methods, and the security of all of them is based on hard mathematical problems. Classified by the underlying hard problem, the following three classes of systems are currently believed to be secure and effective: large integer factorization systems (represented by RSA), discrete logarithm systems (represented by DSA) and elliptic curve discrete logarithm systems (ECC).
However, with the development of quantum computers, classical asymmetric key encryption algorithms will no longer be secure: whether in encryption and decryption or in key exchange methods, a quantum computer can compute the private key from the public key, so the asymmetric keys in common use today will be unable to withstand a single blow in the quantum era. Quantum key distribution (QKD) equipment can currently ensure that a negotiated key cannot be obtained by an attacker. However, QKD is mainly used on quantum trunk lines; the link from user-side equipment to the quantum communication service station is still a classical network, so it is difficult to guarantee the security of the authentication process with asymmetric algorithms.
Problems of the existing technology:
1. A symmetric key pool is used between the quantum communication service station and the quantum key card; its capacity is huge, which puts pressure on key storage at the quantum communication service station;
2. Because the symmetric key pool capacity is huge, the quantum communication service station has to store the keys in encrypted form on an ordinary storage medium such as a hard disk, and cannot store them in the service station's key card;
3. Because the symmetric key pool capacity is huge, key backup is troublesome.
Summary of the invention
Based on this, it is necessary to address the above technical problems by providing a quantum communication service station key negotiation method and system based on asymmetric key pool pairs and the DH protocol.
This application discloses a quantum communication service station key negotiation method based on asymmetric key pool pairs and the DH protocol, implemented at the active party, in which the quantum communication service station key negotiation method includes:
generating and sending message M1 to the passive party, where message M1 includes authentication parameter NA and device parameter IDA; message M1 is used by the service station to generate session key KAB and ticket TICKETA, which the active party uses for verification;
obtaining from the passive party ticket TICKETA together with authentication parameter NC and authentication parameter NA encrypted under session key KAB, where ticket TICKETA is encrypted under encryption parameter Ka and contains authentication parameter NA; generating encryption parameter Ka from service station public key PKQa and active party private key SKA, decrypting ticket TICKETA with encryption parameter Ka, verifying authentication parameter NA and then trusting session key KAB; verifying authentication parameter NA under session key KAB and then authenticating the passive party; and sending the passive party authentication parameter NC encrypted under session key KAB;
authentication parameter NC is used by the passive party to authenticate the active party.
This application discloses a quantum communication service station key negotiation method based on asymmetric key pool pairs and the DH protocol, implemented at the service station, in which the quantum communication service station key negotiation method includes:
obtaining from the passive party authentication code MAC(M2_0, AK2) encrypted under encryption key EK2, together with the passive party's device parameter IDB; encryption key EK2 is generated using service station public key PKQ2, and authentication code MAC(M2_0, AK2) is made using service station public key PKQ2 and covers authentication parameter NB generated by the passive party, message M1 and the passive party's device parameter IDB, where message M1 includes authentication parameter NA generated by the active party and the active party's device parameter IDA;
after decrypting and verifying authentication code MAC(M2_0, AK2), generating session key KAB; generating encryption parameter Ka from service station private key SKQa and active party public key PKA, generating encryption parameter Kb from service station private key SKQb and passive party public key PKB, and making ticket TICKETA and ticket TICKETB, where ticket TICKETA contains authentication parameter NA, device parameter IDA, device parameter IDB and session key KAB encrypted under encryption parameter Ka, and ticket TICKETB contains authentication parameter NB, device parameter IDA, device parameter IDB and session key KAB encrypted under encryption parameter Kb;
generating encryption parameter K3 using service station private key SKQ3, splitting encryption parameter K3 into authentication key AK3 and encryption key EK3, generating message M3_0 containing ticket TICKETA and ticket TICKETB, making authentication code MAC(M3_0, AK3) over message M3_0 with authentication key AK3, and sending the passive party message M3_0 and authentication code MAC(M3_0, AK3) encrypted under encryption key EK3;
ticket TICKETA and ticket TICKETB in authentication code MAC(M3_0, AK3) are used by the active party and the passive party respectively to verify and trust session key KAB.
This application discloses a quantum communication service station key negotiation method based on asymmetric key pool pairs and the DH protocol, implemented at the passive party, in which the quantum communication service station key negotiation method includes:
obtaining message M1 from the active party, where message M1 includes authentication parameter NA generated by the active party and the active party's device parameter IDA; generating authentication parameter NB and message M2_0, where message M2_0 includes authentication parameter NB, message M1 and the passive party's device parameter IDB; generating encryption parameter K2 using the service station public key PKQ2 stored locally, splitting encryption parameter K2 into authentication key AK2 and encryption key EK2, making authentication code MAC(M2_0, AK2) over message M2_0 with authentication key AK2, and sending the service station authentication code MAC(M2_0, AK2) encrypted under encryption key EK2 together with the passive party's device parameter IDB;
obtaining from the service station message M3_0 and authentication code MAC(M3_0, AK3) encrypted under encryption key EK3, where encryption key EK3 is generated using service station private key SKQ3, and authentication code MAC(M3_0, AK3) is made using service station private key SKQ3 and covers ticket TICKETA and ticket TICKETB; ticket TICKETA contains authentication parameter NA, device parameter IDA, device parameter IDB and session key KAB encrypted under encryption parameter Ka, and ticket TICKETB contains authentication parameter NB, device parameter IDA, device parameter IDB and session key KAB encrypted under encryption parameter Kb; encryption parameter Ka is generated from service station private key SKQa and active party public key PKA, encryption parameter Kb is generated from service station private key SKQb and passive party public key PKB, and session key KAB is generated by the service station; after decryption, obtaining ticket TICKETA and ticket TICKETB, verifying authentication parameter NB in ticket TICKETB and then trusting session key KAB, generating authentication parameter NC, and sending the active party message M4, where message M4 includes ticket TICKETA together with authentication parameter NC and authentication parameter NA encrypted under session key KAB;
obtaining from the active party authentication parameter NC encrypted under session key KAB, and completing verification of the active party after decrypting and verifying authentication parameter NC.
This application discloses a quantum communication service station key negotiation method based on asymmetric key pool pairs and the DH protocol, in which the quantum communication service station key negotiation method includes:
the active party generates message M1 and sends it to the passive party, where message M1 includes authentication parameter NA generated by the active party and the active party's device parameter IDA;
after obtaining it, the passive party generates authentication parameter NB and message M2_0, where message M2_0 includes authentication parameter NB, message M1 and the passive party's device parameter IDB; generates encryption parameter K2 using the service station public key PKQ2 stored locally, splits encryption parameter K2 into authentication key AK2 and encryption key EK2, makes authentication code MAC(M2_0, AK2) over message M2_0 with authentication key AK2, and sends the service station authentication code MAC(M2_0, AK2) encrypted under encryption key EK2 together with the passive party's device parameter IDB;
the service station obtains it, decrypts and verifies authentication code MAC(M2_0, AK2), and then generates session key KAB; generates encryption parameter Ka from service station private key SKQa and active party public key PKA, generates encryption parameter Kb from service station private key SKQb and passive party public key PKB, and makes ticket TICKETA and ticket TICKETB, where ticket TICKETA contains authentication parameter NA, device parameter IDA, device parameter IDB and session key KAB encrypted under encryption parameter Ka, and ticket TICKETB contains authentication parameter NB, device parameter IDA, device parameter IDB and session key KAB encrypted under encryption parameter Kb; generates encryption parameter K3 using service station private key SKQ3, splits encryption parameter K3 into authentication key AK3 and encryption key EK3, generates message M3_0 containing ticket TICKETA and ticket TICKETB, makes authentication code MAC(M3_0, AK3) over message M3_0 with authentication key AK3, and sends the passive party message M3_0 and authentication code MAC(M3_0, AK3) encrypted under encryption key EK3;
the passive party obtains it, obtains ticket TICKETA and ticket TICKETB after decryption, verifies authentication parameter NB in ticket TICKETB and then trusts session key KAB, generates authentication parameter NC, and sends the active party message M4, where message M4 includes ticket TICKETA together with authentication parameter NC and authentication parameter NA encrypted under session key KAB;
the active party obtains it, decrypts ticket TICKETA, verifies authentication parameter NA and then trusts session key KAB; verifies authentication parameter NA under session key KAB and then authenticates the passive party; and sends the passive party authentication parameter NC encrypted under session key KAB;
the passive party obtains authentication parameter NC encrypted under session key KAB from the active party, and completes verification of the active party after decrypting and verifying authentication parameter NC.
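The six-step exchange above (active party A, passive party B, service station Q), worked through end to end as an added Python example that is not part of the patent. It assumes things the page leaves open: a constructed demonstration DH group, SHA-512 hashing of the DH secret into the "encryption parameter" before it is split into AK/EK halves, an HMAC-based stand-in for the unnamed symmetric cipher, and hex-JSON message framing; the tamper switch shows the MAC(M3_0, AK3) check at B rejecting a modified message.

```python
import hashlib, hmac, json, secrets

# Constructed demonstration DH group (not from the page): Mersenne prime 2^127-1, generator 3.
P, G = (1 << 127) - 1, 3

def keypair():  # (private key, public key) for one key-pool slot
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def dh(sk, pk):  # the page's "encryption parameter K": DH shared secret, hashed to 64 bytes
    return hashlib.sha512(pow(pk, sk, P).to_bytes(16, "big")).digest()

def split(k):  # encryption parameter K -> authentication key AK, encryption key EK
    return k[:32], k[32:]

def mac(msg, ak):
    return hmac.new(ak, msg, hashlib.sha256).digest()

def xor_stream(key, nonce, data):  # stand-in cipher (HMAC counter keystream); page names none
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], ks))
    return bytes(out)

def enc(key, data):  # random 16-byte nonce prepended; first 32 bytes of key used
    nonce = secrets.token_bytes(16)
    return nonce + xor_stream(key[:32], nonce, data)

def dec(key, blob):
    return xor_stream(key[:32], blob[:16], blob[16:])

def pack(**fields):  # named byte fields (NA, IDA, ...) as sorted hex JSON
    return json.dumps({k: v.hex() for k, v in fields.items()}, sort_keys=True).encode()

def unpack(blob):
    return {k: bytes.fromhex(v) for k, v in json.loads(blob).items()}

def run_protocol(tamper=False):
    # Embodiment 1 end to end; returns (KAB made by Q, KAB seen by A, KAB seen by B).
    # Key cards: Q's private key pool in slots a, b, 2, 3; A and B hold the matching public
    # key pool PKQa, PKQb, PKQ2, PKQ3; Q holds A's and B's public keys indexed by device ID.
    pool = {slot: keypair() for slot in ("a", "b", "2", "3")}
    skq, pkq = {s: k[0] for s, k in pool.items()}, {s: k[1] for s, k in pool.items()}
    (ska, pka), (skb, pkb) = keypair(), keypair()
    ida, idb = b"IDA", b"IDB"
    pubkeys = {ida: pka, idb: pkb}
    # 1. A -> B: M1 = {NA, IDA}
    na = secrets.token_bytes(16)
    m1 = pack(NA=na, IDA=ida)
    # 2. B -> Q: K2 = DH(SKB, PKQ2) -> AK2/EK2; {M2_0, MAC(M2_0, AK2)} under EK2, IDB in clear
    nb = secrets.token_bytes(16)
    m2_0 = pack(NB=nb, M1=m1, IDB=idb)
    ak2, ek2 = split(dh(skb, pkq["2"]))
    to_q = enc(ek2, pack(M2_0=m2_0, MAC=mac(m2_0, ak2)))
    # 3. Q: K2 = DH(SKQ2, PKB) via the clear IDB; verify; TICKETA under Ka, TICKETB under Kb;
    #    M3_0 = {TICKETA, TICKETB} protected with K3 = DH(SKQ3, PKB) -> AK3/EK3
    ak2q, ek2q = split(dh(skq["2"], pubkeys[idb]))
    inner = unpack(dec(ek2q, to_q))
    if not hmac.compare_digest(inner["MAC"], mac(inner["M2_0"], ak2q)):
        raise ValueError("MAC(M2_0, AK2) invalid")
    m2 = unpack(inner["M2_0"])
    m1q = unpack(m2["M1"])
    kab = secrets.token_bytes(32)
    ka, kb = dh(skq["a"], pubkeys[m1q["IDA"]]), dh(skq["b"], pubkeys[m2["IDB"]])
    ticket_a = enc(ka, pack(NA=m1q["NA"], IDA=m1q["IDA"], IDB=m2["IDB"], KAB=kab))
    ticket_b = enc(kb, pack(NB=m2["NB"], IDA=m1q["IDA"], IDB=m2["IDB"], KAB=kab))
    ak3, ek3 = split(dh(skq["3"], pubkeys[m2["IDB"]]))
    m3_0 = pack(TICKETA=ticket_a, TICKETB=ticket_b)
    to_b = enc(ek3, pack(M3_0=m3_0, MAC=mac(m3_0, ak3)))
    if tamper:  # flip one bit of ciphertext byte 26, which lies inside the M3_0 hex field
        to_b = to_b[:26] + bytes([to_b[26] ^ 1]) + to_b[27:]
    # 4. B: verify MAC(M3_0, AK3); open TICKETB with Kb = DH(SKB, PKQb); check NB; trust KAB;
    #    send A M4 = {TICKETA, Enc_KAB(NC, NA)}
    ak3b, ek3b = split(dh(skb, pkq["3"]))
    inner = unpack(dec(ek3b, to_b))
    if not hmac.compare_digest(inner["MAC"], mac(inner["M3_0"], ak3b)):
        raise ValueError("MAC(M3_0, AK3) invalid")
    m3 = unpack(inner["M3_0"])
    tb = unpack(dec(dh(skb, pkq["b"]), m3["TICKETB"]))
    if tb["NB"] != nb:
        raise ValueError("NB mismatch in TICKETB")
    kab_b, nc = tb["KAB"], secrets.token_bytes(16)
    m4 = pack(TICKETA=m3["TICKETA"], ENC=enc(kab_b, pack(NC=nc, NA=na)))
    # 5. A: open TICKETA with Ka = DH(SKA, PKQa); check NA; trust KAB; check NA under KAB;
    #    echo NC to B under KAB
    m4a = unpack(m4)
    ta = unpack(dec(dh(ska, pkq["a"]), m4a["TICKETA"]))
    if ta["NA"] != na:
        raise ValueError("NA mismatch in TICKETA")
    kab_a, fresh = ta["KAB"], unpack(dec(ta["KAB"], m4a["ENC"]))
    if fresh["NA"] != na:
        raise ValueError("NA mismatch in M4")
    # 6. B: NC must come back intact; only then is A authenticated
    if dec(kab_b, enc(kab_a, fresh["NC"])) != nc:
        raise ValueError("NC mismatch")
    return kab, kab_a, kab_b

def tampered_run_is_rejected():  # one flipped bit in M3_0 must fail the MAC check at B
    try:
        run_protocol(tamper=True)
    except ValueError as e:
        return "AK3" in str(e)
    return False
```

Because Q derives K2 and K3 from the device ID sent in the clear and its own private key pool, an attacker without SKB cannot produce a valid MAC(M2_0, AK2), and the tickets reach A and B only through keys each can derive from its own key card.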
Further, the service station is divided into service station QA and service station QB; the active party is a sub-device of service station QA and the passive party is a sub-device of service station QB;
service station QB obtains from the passive party authentication code MAC(M2_0, AK2') encrypted under encryption key EK2', together with the passive party's device parameter IDB; generates encryption parameter K2' from service station QB private key SKQB2 and the passive party's public key, splits encryption parameter K2' into authentication key AK2' and encryption key EK2', decrypts with encryption key EK2', verifies authentication code MAC(M2_0, AK2') with authentication key AK2' and then generates message M3', where message M3' includes message M2_0; obtains encryption parameter K3' through encrypted communication with service station QA, splits encryption parameter K3' into authentication key AK3' and encryption key EK3', and sends service station QA, in encrypted form, message M3' encrypted under encryption parameter K3' and authentication code MAC(M3', AK3'), where authentication code MAC(M3', AK3') is made from authentication key AK3' and message M3';
service station QA obtains it, decrypts and verifies authentication code MAC(M3', AK3'); generates encryption parameter Ka' from active party public key PKA and service station QA private key SKQAa, and generates session key KAB; generates ticket TICKETA', which includes device parameter IDB, authentication parameter NA, device parameter IDA and session key KAB encrypted under encryption parameter Ka'; generates message M4', which includes ticket TICKETA' and session key KAB; obtains encryption parameter K4' through encrypted communication with service station QB, splits encryption parameter K4' into authentication key AK4' and encryption key EK4', and sends service station QB, in encrypted form, message M4' encrypted under encryption parameter K4' and authentication code MAC(M4', AK4'), where authentication code MAC(M4', AK4') is made from authentication key AK4' and message M4';
service station QB obtains it, decrypts and verifies authentication code MAC(M4', AK4'); generates encryption parameter Kb' from passive party public key PKB and service station QB private key SKQBb, and generates session key KAB; generates ticket TICKETB', which includes device parameter IDB, authentication parameter NB, device parameter IDA and session key KAB encrypted under encryption parameter Kb'; generates encryption parameter K5' from service station private key SKQB5 and passive party public key PKB, splits encryption parameter K5' into authentication key AK5' and encryption key EK5', generates message M5'_0 containing ticket TICKETB' and ticket TICKETA', and sends the passive party message M5'_0 encrypted under encryption key EK5' and authentication code MAC(M5'_0, AK5'), where authentication code MAC(M5'_0, AK5') is generated from authentication key AK5' and message M5'_0;
ticket TICKETA' is used by the active party to trust session key KAB, and ticket TICKETB' is used by the passive party to trust session key KAB.
Further, session key KAB is split into a message encryption/decryption key KABE and a message authentication key KABA.
This application discloses an active party device, including a memory and a processor; the memory stores a computer program, and when the processor executes the computer program it carries out the steps of the quantum communication service station key negotiation method described in the above technical solution.
This application discloses a service station device, including a memory and a processor; the memory stores a computer program, and when the processor executes the computer program it carries out the steps of the quantum communication service station key negotiation method described in the above technical solution.
This application discloses a passive party device, including a memory and a processor; the memory stores a computer program, and when the processor executes the computer program it carries out the steps of the quantum communication service station key negotiation method described in the above technical solution.
This application discloses a quantum communication service station identity authentication system based on asymmetric key pools, including an active party, a passive party, a service station and a communication network. The active party is configured with an active party key card, which stores a service station public key pool, the active party's public key and the active party's private key; the passive party is configured with a passive party key card, which stores a service station public key pool, the passive party's public key and the passive party's private key; the service station is configured with a service station key card, which stores a service station private key pool, an active party public key pool and a passive party public key pool.
The active party, the passive party and the service station carry out, over the communication network, the steps of the quantum communication service station key negotiation method described in the above technical solution.
In this application the key card used is an independent, hardware-isolated device. Public keys, private keys and the other relevant parameters are stored in the secure data area of the key card, so the likelihood of a key being stolen by malware or malicious operation is greatly reduced, and the keys cannot be obtained and cracked by a quantum computer. Because no public or private key and no algorithm parameter is ever transmitted over the classical network, the risk of an asymmetric key being cracked is very low; in addition, messages between service stations are transmitted encrypted using QKD, so message security is greatly ensured. The key card guarantees the communication security of the two communicating parties within the group and also greatly improves the security of identity authentication. At the same time, the asymmetric key pool removes the key storage pressure that a symmetric key pool places on the quantum communication service station and reduces storage cost. For example, if the original per-user symmetric key pool is 1G in size and the number of users is N, the quantum communication service station must store N G of key pools; if asymmetric key pools are stored instead, the client still stores a 1G key pool and the quantum communication service station likewise only needs to store a 1G key pool.
Meanwhile, the application improves the authentication flow based on symmetric key algorithms: the data in the authentication flow, such as the random numbers and the TICKET exchanged between B and the service station, are protected by encryption under the symmetric key obtained through the DH algorithm. Because the symmetric key obtained by DH can only be computed by the two communicating parties, the data in the authentication process can be decrypted only by the holders of the DH private keys and by no one else, which improves the security of the symmetric-key-based authentication flow.
Detailed description of the invention
Fig. 1 is a schematic diagram of the key pool distribution in the service station key card of the present invention;
Fig. 2 is a schematic diagram of the key pool distribution in the client key card of the present invention;
Fig. 3 is the authentication flow chart of embodiment 1;
Fig. 4 is the authentication flow chart of embodiment 2.
Specific embodiment
In order to make the objects, technical solutions and advantages of the application clearer, the application is further elaborated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the application, not to limit it. Unless otherwise specified, the service station in this application is a quantum communication service station. Each name in this application is identified by its combination of letters and digits: for example, Q, service station Q and service station denote the same thing below, namely service station Q; likewise authentication parameter NA and NA denote the same thing below, namely authentication parameter NA, and similarly for the remaining names.
This application discloses a quantum communication service station key negotiation method based on asymmetric key pool pairs and the DH protocol, implemented at the active party, in which the quantum communication service station key negotiation method includes:
generating and sending message M1 to the passive party, where message M1 includes authentication parameter NA and device parameter IDA; message M1 is used by the service station to generate session key KAB and ticket TICKETA, which the active party uses for verification;
obtaining from the passive party ticket TICKETA together with authentication parameter NC and authentication parameter NA encrypted under session key KAB, where ticket TICKETA is encrypted under encryption parameter Ka and contains authentication parameter NA; generating encryption parameter Ka from service station public key PKQa and active party private key SKA, decrypting ticket TICKETA with encryption parameter Ka, verifying authentication parameter NA and then trusting session key KAB; verifying authentication parameter NA under session key KAB and then authenticating the passive party; and sending the passive party authentication parameter NC encrypted under session key KAB;
authentication parameter NC is used by the passive party to authenticate the active party.
This application discloses a quantum communication service station key negotiation method based on asymmetric key pool pairs and the DH protocol, implemented at the service station, in which the quantum communication service station key negotiation method includes:
obtaining from the passive party authentication code MAC(M2_0, AK2) encrypted under encryption key EK2, together with the passive party's device parameter IDB; encryption key EK2 is generated using service station public key PKQ2, and authentication code MAC(M2_0, AK2) is made using service station public key PKQ2 and covers authentication parameter NB generated by the passive party, message M1 and the passive party's device parameter IDB, where message M1 includes authentication parameter NA generated by the active party and the active party's device parameter IDA;
after decrypting and verifying authentication code MAC(M2_0, AK2), generating session key KAB; generating encryption parameter Ka from service station private key SKQa and active party public key PKA, generating encryption parameter Kb from service station private key SKQb and passive party public key PKB, and making ticket TICKETA and ticket TICKETB, where ticket TICKETA contains authentication parameter NA, device parameter IDA, device parameter IDB and session key KAB encrypted under encryption parameter Ka, and ticket TICKETB contains authentication parameter NB, device parameter IDA, device parameter IDB and session key KAB encrypted under encryption parameter Kb;
generating encryption parameter K3 using service station private key SKQ3, splitting encryption parameter K3 into authentication key AK3 and encryption key EK3, generating message M3_0 containing ticket TICKETA and ticket TICKETB, making authentication code MAC(M3_0, AK3) over message M3_0 with authentication key AK3, and sending the passive party message M3_0 and authentication code MAC(M3_0, AK3) encrypted under encryption key EK3;
ticket TICKETA and ticket TICKETB in authentication code MAC(M3_0, AK3) are used by the active party and the passive party respectively to verify and trust session key KAB.
This application discloses a quantum communications service station key negotiation method based on asymmetric key pool pairs and the DH protocol which, applied at the passive party, comprises:
obtaining the message M1 from the active party, where M1 contains the authentication parameter NA generated by the active party and the active party's device parameter IDA; generating the authentication parameter NB and the message M2_0, where M2_0 contains the authentication parameter NB, the message M1 and the passive party's device parameter IDB; generating the encryption parameter K2 from the locally stored service station public key PKQ2, splitting K2 into the authentication key AK2 and the encryption key EK2, making the authentication code MAC(M2_0, AK2) over M2_0 with AK2, and sending to the service station the authentication code MAC(M2_0, AK2) encrypted with EK2 together with the passive party's device parameter IDB;
obtaining from the service station the message M3_0 and the authentication code MAC(M3_0, AK3) encrypted with the encryption key EK3, where EK3 is generated from the service station private key SKQ3 and the authentication code MAC(M3_0, AK3) is made with the service station private key SKQ3 over the tickets TICKETA and TICKETB; TICKETA contains the authentication parameter NA, the device parameter IDA, the device parameter IDB and the session key KAB encrypted with the encryption parameter Ka, and TICKETB contains the authentication parameter NB, the device parameter IDA, the device parameter IDB and the session key KAB encrypted with the encryption parameter Kb; the encryption parameter Ka is generated from the service station private key SKQa and the active party public key PKA, the encryption parameter Kb is generated from the service station private key SKQb and the passive party public key PKB, and the session key KAB is generated by the service station; obtaining TICKETA and TICKETB after decryption, trusting the session key KAB once the authentication parameter NB in TICKETB has been verified, generating the authentication parameter NC, and sending the message M4 to the active party, where M4 contains TICKETA together with the authentication parameters NC and NA encrypted with the session key KAB;
obtaining from the active party the authentication parameter NC encrypted with the session key KAB, and decrypting and verifying NC to complete the verification of the active party.
This application discloses a quantum communications service station key negotiation method based on asymmetric key pool pairs and the DH protocol, comprising:
the active party generates and sends the message M1 to the passive party, where M1 contains the authentication parameter NA generated by the active party and the active party's device parameter IDA;
after obtaining M1, the passive party generates the authentication parameter NB and the message M2_0, where M2_0 contains NB, M1 and the passive party's device parameter IDB; it generates the encryption parameter K2 from the locally stored service station public key PKQ2, splits K2 into the authentication key AK2 and the encryption key EK2, makes the authentication code MAC(M2_0, AK2) over M2_0 with AK2, and sends to the service station the authentication code MAC(M2_0, AK2) encrypted with EK2 together with the passive party's device parameter IDB;
the service station obtains the message, decrypts it and verifies the authentication code MAC(M2_0, AK2), then generates the session key KAB, generates the encryption parameter Ka from the service station private key SKQa and the active party public key PKA, generates the encryption parameter Kb from the service station private key SKQb and the passive party public key PKB, and makes the tickets TICKETA and TICKETB, where TICKETA contains the authentication parameter NA, the device parameter IDA, the device parameter IDB and the session key KAB encrypted with Ka, and TICKETB contains the authentication parameter NB, the device parameter IDA, the device parameter IDB and the session key KAB encrypted with Kb; it generates the encryption parameter K3 from the service station private key SKQ3, splits K3 into the authentication key AK3 and the encryption key EK3, generates the message M3_0 containing TICKETA and TICKETB, makes the authentication code MAC(M3_0, AK3) over M3_0 with AK3, and sends to the passive party the message M3_0 and the authentication code MAC(M3_0, AK3) encrypted with EK3;
the passive party obtains the message, obtains TICKETA and TICKETB after decryption, trusts the session key KAB once the authentication parameter NB in TICKETB has been verified, generates the authentication parameter NC, and sends the message M4 to the active party, where M4 contains TICKETA together with the authentication parameters NC and NA encrypted with the session key KAB;
the active party obtains M4, decrypts TICKETA, verifies the authentication parameter NA and trusts the session key KAB, then verifies the authentication parameter NA decrypted with KAB to authenticate the passive party, and sends to the passive party the authentication parameter NC encrypted with the session key KAB;
the passive party obtains from the active party the authentication parameter NC encrypted with the session key KAB, and completes the verification of the active party after decrypting and verifying NC.
In one embodiment, such as Embodiment 2, the service station is divided into a service station QA and a service station QB; the active party is a sub-device of service station QA and the passive party is a sub-device of service station QB;
service station QB obtains from the passive party the authentication code MAC(M2_0, AK2') encrypted with the encryption key EK2' and the passive party's device parameter IDB; it generates the encryption parameter K2' from the service station QB private key SKQB2 and the passive party public key, splits K2' into the authentication key AK2' and the encryption key EK2', decrypts with EK2' and verifies the authentication code MAC(M2_0, AK2') with AK2', then generates the message M3' containing M2_0; it obtains the encryption parameter K3' through encrypted communication with service station QA, splits K3' into the authentication key AK3' and the encryption key EK3', and sends to service station QA the message M3' and the authentication code MAC(M3', AK3') encrypted with K3', where MAC(M3', AK3') is made with the authentication key AK3' and the message M3';
service station QA obtains the message, decrypts it and verifies the authentication code MAC(M3', AK3'); it generates the encryption parameter Ka' from the active party public key PKA and the service station QA private key SKQAa, and generates the session key KAB; it generates the ticket TICKETA', which contains the device parameter IDB, the authentication parameter NA, the device parameter IDA and the session key KAB encrypted with Ka'; it generates the message M4' containing TICKETA' and the session key KAB; it obtains the encryption parameter K4' through encrypted communication with service station QB, splits K4' into the authentication key AK4' and the encryption key EK4', and sends to service station QB the message M4' and the authentication code MAC(M4', AK4') encrypted with K4', where MAC(M4', AK4') is made with the authentication key AK4' and the message M4';
service station QB obtains the message, decrypts it and verifies the authentication code MAC(M4', AK4'); it generates the encryption parameter Kb' from the passive party public key PKB and the service station QB private key SKQBb, and generates the session key KAB; it generates the ticket TICKETB', which contains the device parameter IDB, the authentication parameter NB, the device parameter IDA and the session key KAB encrypted with Kb'; it generates the encryption parameter K5' from the service station private key SKQB5 and the passive party public key PKB, splits K5' into the authentication key AK5' and the encryption key EK5', generates the message M5'_0 containing TICKETB' and TICKETA', and sends to the passive party the message M5'_0 and the authentication code MAC(M5'_0, AK5') encrypted with the encryption key EK5', where MAC(M5'_0, AK5') is generated with the authentication key AK5' and the message M5'_0;
the ticket TICKETA' is used by the active party to trust the session key KAB, and the ticket TICKETB' is used by the passive party to trust the session key KAB.
Further, the session key KAB is split into a message encryption/decryption key KABE and a message authentication key KABA.
This application discloses an active party device comprising a memory and a processor; the memory stores a computer program, and when the processor executes the computer program it carries out the steps of the quantum communications service station key negotiation method of the above technical solution.
This application discloses a service station device comprising a memory and a processor; the memory stores a computer program, and when the processor executes the computer program it carries out the steps of the quantum communications service station key negotiation method of the above technical solution.
This application discloses a passive party device comprising a memory and a processor; the memory stores a computer program, and when the processor executes the computer program it carries out the steps of the quantum communications service station key negotiation method of the above technical solution.
This application discloses a quantum communications service station key negotiation system based on asymmetric key pool pairs and the DH protocol, comprising an active party, a passive party, a service station and a communication network; the active party is configured with an active party key card, in which a service station public key pool, the active party public key and the active party private key are stored; the passive party is configured with a passive party key card, in which a service station public key pool, the passive party public key and the passive party private key are stored; the service station is configured with a service station key card, in which a service station private key pool, an active party public key pool and a passive party public key pool are stored;
the active party, the passive party and the service station carry out, over the communication network, the steps of the quantum communications service station key negotiation method of the above technical solution.
The scenario of this application is mutual authentication between any two objects A and B under an asymmetric key pool system. In the key pool system of this application, each object has a key card, which can store a large quantity of keys and is also able to process information. In this application, the local systems of object A and object B both hold the algorithms that are required.
A description of the key card can be found in the application with application number "201610843210.6". For a mobile terminal the key card is preferably a key SD card; for a fixed terminal the key card is preferably a key USBkey or a host key board.
Compared with the application with application number "201610843210.6", the issuing mechanism of the key card is similar. In this application, the issuer of the key card is the key card supervisor, generally the administrative department of a group, for example the management department of an enterprise or public institution; the recipients of the key card are the members managed by the key card supervisor, generally the employees at all levels of the enterprise or public institution. A client first applies to the key card supervisor to open an account. After the client has registered and been approved, it obtains a key card (with a unique key card ID). The key card stores the client's registration information. The public key pools in the client key cards under the same quantum communications service station are all downloaded from the same key management server, and the public key pools stored in each client key card it issues are completely identical. Preferably, the size of the key pool stored in the key card may be 1G, 2G, 4G, 8G, 16G, 32G, 64G, 128G, 256G, 512G, 1024G, 2048G, 4096G, and so on.
The key card is developed from smart card technology and combines cryptographic technology, hardware security isolation technology and quantum physics technology (where a quantum random number generator is carried) into an identity authentication and encryption/decryption product. The embedded chip and operating system of the key card provide functions such as secure key storage and cryptographic algorithms. With its independent data processing capability and good security, the key card becomes the security carrier for private keys and key pools. Each key card is protected by a hardware PIN code; the PIN code and the hardware are the two factors a user needs in order to use the key card, the so-called "two-factor authentication": only a user who holds both the key card storing the relevant authentication information and the user PIN code can log in to the system. Even if the user's PIN code is leaked, the identity of the legitimate user cannot be impersonated as long as the user's key card is not stolen; if the user's key card is lost, whoever finds it cannot impersonate the legitimate user either, since they do not know the user's PIN code. In short, the key card keeps top-secret information such as keys from ever appearing in plaintext on the host's disk or in its memory, which effectively protects the security of that information.
In this application, key cards are divided into service station key cards and client key cards. As shown in Figure 1, the key area of the service station key card mainly stores a client public key pool and a service station private key pool; as shown in Figure 2, the key area of the client key card mainly stores a service station public key pool and one public/private key pair. The key cards are issued by a key management server.
Before issuing key cards, the key management server selects an algorithm that supports both encryption/decryption and signing. According to the number of clients, the key management server generates a corresponding number of numbers conforming to the specification of that algorithm as private keys and public keys. The key management server generates a corresponding number of IDs, selects a corresponding number of public/private key pairs, combines each public key with an ID to obtain an ID/public key entry, and writes the entries in ID/public key form into a single file to form the public key pool file, i.e. the client public key pool mentioned above. At the same time, the key management server writes the corresponding private keys into a file in the same way to form the private key pool file, i.e. the client private key pool. The ID of each private key in the client private key pool is identical to the ID of the corresponding public key in the client public key pool. The key management server then generates a large number of further numbers conforming to the algorithm specification as private keys and public keys, and writes the public keys and private keys into two separate files to form the service station public key pool and the service station private key pool. A public key in the service station public key pool corresponds to the private key at the same position in the service station private key pool. The key management server defines the first key card issued as the service station key card and writes the service station private key pool, the client public key pool and the related algorithm parameters into its key area. The key cards issued subsequently by the key management server are client key cards: the key management server selects, by random number, an unallocated ID and assigns it to the key card, takes the public and private keys with that ID from the client public key pool and the client private key pool, writes them together with the service station public key pool into the key area of the key card, and writes the related parameters into the key card as well.
The random numbers described herein are true random numbers, preferably quantum random numbers.
According to the Diffie-Hellman protocol, a large prime p and a number g are defined, where g is a primitive root modulo p; g and p are the parameters of the Diffie-Hellman protocol. Taking client A and service station QA as an example, client A generates a truly random big integer SKA from its matching key card as the DH private key of client A and computes the DH public key PKA = g^SKA mod p. Service station QA generates truly random big integers SKQAi (i ∈ {1, 2, ..., m}) from its matching key card as the DH private keys of service station QA and computes the DH public keys PKQAi = g^SKQAi mod p (i ∈ {1, 2, ..., m}).
According to the Diffie-Hellman protocol, PKQAi^SKA mod p = PKA^SKQAi mod p. In the following the "mod p" part is omitted: PKQAi^SKA stands for PKQAi^SKA mod p, and likewise for the other expressions.
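As an added illustration of the pool layout described above (ID/public key entries for clients, position-aligned pools for the station, first card issued to the station and later cards to clients) and of the Diffie-Hellman identity the method relies on, the following Python builds the pools, issues the cards and checks that a client and the station derive the same value from any pool position. This is example code written for this page, not the applicant's implementation; the group parameters P and G, the pool sizes, the hex IDs and the dictionary layout of the cards are assumptions for the demo, and a real deployment would use a standardised large safe-prime group with true random numbers from the key card.

```python
import secrets

# Toy DH group: an assumption for the demo; a deployment would use a standardised large safe-prime group.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Random DH private key SK in [2, p-2] and public key PK = g^SK mod p."""
    sk = 2 + secrets.randbelow(P - 3)
    return sk, pow(G, sk, P)


def key_management_server(n_clients: int, n_station: int):
    """Build the four pools the page describes and issue the key cards.

    client_pub  : ID -> PK  (client public key pool, the "ID/public key" file)
    client_priv : ID -> SK  (client private key pool, same IDs)
    station_pub / station_priv : position-aligned service station pools
    """
    client_pub, client_priv = {}, {}
    while len(client_pub) < n_clients:
        cid = secrets.token_hex(4)  # constructed random ID (assumption: 8 hex chars)
        if cid in client_pub:
            continue
        sk, pk = dh_keypair()
        client_pub[cid], client_priv[cid] = pk, sk
    station_pub, station_priv = [], []
    for _ in range(n_station):
        sk, pk = dh_keypair()
        station_pub.append(pk)
        station_priv.append(sk)
    # First card issued: the service station key card (station private pool + client public pool).
    station_card = {"station_priv": station_priv, "client_pub": client_pub}
    # Later cards: client key cards, each with a randomly chosen unallocated ID,
    # its own key pair and a copy of the station public pool.
    unallocated = list(client_pub)
    client_cards = []
    while unallocated:
        cid = unallocated.pop(secrets.randbelow(len(unallocated)))
        client_cards.append({"id": cid, "sk": client_priv[cid], "pk": client_pub[cid],
                             "station_pub": station_pub})
    return station_card, client_cards


def shared_secret_agrees(station_card: dict, client_card: dict, i: int) -> bool:
    """PKQ_i^SKA mod p == PKA^SKQ_i mod p: the identity behind every K2, K3, Ka and Kb on the page."""
    k_client = pow(client_card["station_pub"][i], client_card["sk"], P)
    k_station = pow(station_card["client_pub"][client_card["id"]],
                    station_card["station_priv"][i], P)
    return k_client == k_station
```

Because the station only ever needs the client's public key (looked up by ID) and its own private key at the pointed-to position, while the client needs only its own private key and the station's public key at the same position, neither side's private material leaves its key card; that is the property the pool layout is built around.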
Embodiment 1
System description
The scenario of this embodiment is shown in Figure 4. In this figure, client A corresponds to the active party of the claims, client B corresponds to the passive party of the claims, and quantum communications service station Q corresponds to the service station, referred to as service station Q. Client A and client B are each equipped with a client key card, and quantum communications service station Q is equipped with a service station key card. These key cards belong to the same batch issued by the same key management server.
Step 1: Client A initiates a key negotiation request to client B.
Client A generates a random number NA from the random number generator in its matching key card and sends it together with its own ID, i.e. IDA, to client B as M1.
Step 2: Client B encrypts M1 and forwards it to quantum communications service station Q.
After receiving M1, client B generates a random number NB from the random number generator in its own matching key card and forms M2_0 from NB together with M1 and IDB; M2_0 can be written as M1 || IDB || NB.
Client B generates a random number R2 from the random number generator in its matching key card, obtains the pointer P2 from R2 with the pointer function, and extracts PKQ2 from the service station public key pool at P2. Let K2 = PKQ2^SKB, then split K2 into EK2 and AK2. Client B makes the message authentication code MAC(M2_0, AK2) over M2_0 with AK2, where MAC(m, k) denotes the message authentication code with m as the message and k as the key. It then encrypts M2_0 and its message authentication code with EK2 and sends them together with R2 and IDB to service station Q as M2; M2 can be written as R2 || IDB || {M2_0 || MAC(M2_0, AK2)}EK2.
Step 3: Service station Q generates TICKETB and TICKETA and sends them to client B.
After receiving M2, service station Q obtains the pointer P2 from R2 with the pointer function, extracts SKQ2 from its own private key pool at that pointer, extracts PKB from the client public key pool according to IDB, and computes K2 = PKB^SKQ2. It splits K2 into EK2 and AK2 and decrypts with EK2 to obtain M2_0 and its message authentication code. It computes the message authentication code over M2_0 with AK2, and after the comparison passes it obtains IDA, NA, IDB and NB.
Service station Q generates random numbers Ra and Rb from the random number generator in its matching key card, obtains the pointers Pa and Pb from Ra and Rb with the pointer function, extracts SKQa and SKQb from the service station private key pool at Pa and Pb respectively, then extracts the public key PKA of client A and the public key PKB of client B from the client public key pool according to IDA and IDB, and computes Ka = PKA^SKQa and Kb = PKB^SKQb.
Service station Q generates the session key KAB from the random number generator in its matching key card, encrypts KAB with Ka, and at the same time encrypts IDA, NA and IDB. The encrypted part and Ra form TICKETA, which can be written as Ra || {IDA || NA || IDB || KAB}Ka. TICKETB is made in the same way and can be written as Rb || {IDB || NB || IDA || KAB}Kb.
Service station Q generates a random number R3 from the random number generator in its matching key card, obtains the pointer P3 from R3 with the pointer function, extracts SKQ3 from the service station private key pool at P3, and computes K3 = PKB^SKQ3. It splits K3 into EK3 and AK3. Let M3_0 = TICKETA || TICKETB. It makes the message authentication code MAC(M3_0, AK3) over M3_0 with AK3, encrypts M3_0 and its message authentication code with EK3, and sends them together with R3 to client B as M3; M3 can be written as R3 || {M3_0 || MAC(M3_0, AK3)}EK3.
Step 4: Client B verifies TICKETB.
After receiving the message, client B obtains the pointer P3 from R3 with the pointer function, extracts PKQ3 from the service station public key pool at P3, and computes K3 = PKQ3^SKB. It splits K3 into EK3 and AK3 and decrypts with EK3 to obtain M3_0 and its message authentication code. It computes the message authentication code over M3_0 with AK3, and after the comparison passes it obtains TICKETA and TICKETB.
Client B verifies TICKETB. Client B obtains the pointer Pb from Rb with the pointer function, extracts PKQb from the service station public key pool at Pb, and computes Kb = PKQb^SKB. It decrypts the encrypted part of TICKETB with Kb to obtain IDB, NB, IDA and KAB. Client B checks whether NB equals the local NB; if they are equal, it trusts the session key KAB as the key for communicating with client A. Client B generates a random number NC from the random number generator in its matching key card, encrypts the NA received in Step 1 and NC with KAB, and sends them together with TICKETA to client A as M4; M4 can be written as TICKETA || {NA || NC}KAB.
Step 5: Client A verifies TICKETA.
After receiving M4, client A obtains the pointer Pa from Ra with the pointer function, extracts PKQa from the service station public key pool at Pa, and computes Ka = PKQa^SKA. It decrypts the encrypted part of TICKETA with Ka to obtain IDA, NA, IDB and KAB. Client A checks whether NA equals the local NA; if they are equal, it trusts the session key KAB as the key for communicating with client B.
Client A decrypts with the session key KAB to obtain NA and NC, and compares NA with the local NA; if the comparison passes, the authentication of client B is complete.
Client A encrypts NC with KAB and sends it to client B as M5; M5 can be written as {NC}KAB.
Step 6: Client B verifies client A.
After receiving M5, client B decrypts with KAB to obtain NC and compares NC with the local NC; if the comparison passes, the authentication of client A is complete.
Step 7: Client A communicates securely with client B.
Client A and client B can use the key KAB for message encryption/decryption and message authentication. Preferably, KAB is split into KABE and KABA, used as the message encryption/decryption key and the message authentication key respectively.
Embodiment 2
System description
The scenario of this embodiment is shown in Figure 3. In this figure, client A corresponds to the active party of the claims and client B corresponds to the passive party of the claims; the service station comprises quantum communications service station QA and quantum communications service station QB, referred to as service station QA and service station QB. QA and QB each have their own key management server. Client A and client B are each equipped with a client key card, and quantum communications service station QA and quantum communications service station QB are each equipped with a service station key card. Client A belongs to quantum communications service station QA and client B belongs to quantum communications service station QB, i.e. the key cards of A and B are issued by the key management servers of QA and QB respectively.
Step 1: Client A initiates a key negotiation request to client B.
Client A generates a random number NA from the random number generator in its matching key card and sends it together with its own ID, i.e. IDA, to client B as M1.
Step 2: Client B encrypts M1 and forwards it to quantum communications service station QB.
After receiving M1, client B generates a random number NB from the random number generator in its own matching key card and forms M2_0 from NB together with M1 and IDB; M2_0 can be written as M1 || IDB || NB.
Client B generates a random number R2 from the random number generator in its matching key card, obtains the pointer P2 from R2 with the pointer function, and extracts PKQB2 from the service station public key pool at P2. Let K2' = PKQB2^SKB, then split K2' into EK2' and AK2'. Client B makes the message authentication code MAC(M2_0, AK2') over M2_0 with AK2', where MAC(m, k) denotes the message authentication code with m as the message and k as the key. It then encrypts M2_0 and its message authentication code with EK2' and sends them together with R2 and IDB to service station QB as M2; M2 can be written as R2 || IDB || {M2_0 || MAC(M2_0, AK2')}EK2'.
Step 3: Service station QB verifies the message and forwards it to service station QA.
After receiving M2, service station QB obtains the pointer P2 from R2 with the pointer function, extracts SKQB2 from its own private key pool at P2, extracts PKB from the client public key pool according to IDB, and computes K2' = PKB^SKQB2. It splits K2' into EK2' and AK2' and decrypts with EK2' to obtain M2_0 and its message authentication code. It computes the message authentication code over M2_0 with AK2', and after the comparison passes it lets M3' = M2_0, i.e. M3' can be written as IDA || NA || IDB || NB.
Service station QB and service station QA negotiate the key K3' by QKD and split K3' into EK3' and AK3'. QB computes the message authentication code MAC(M3', AK3') over M3' with AK3', then encrypts M3' and its message authentication code with EK3'. The message sent to service station QA can be written as {M3' || MAC(M3', AK3')}EK3'.
Step 4: Quantum communications service station QA makes TICKETA' and sends it to quantum communications service station QB.
After receiving the message encrypted with the QKD key, service station QA splits the QKD key K3' into EK3' and AK3', decrypts with EK3' to obtain M3' and its message authentication code, and verifies the message authentication code. After verification passes, service station QA generates a random number Ra' from the random number generator in its matching key card, obtains the pointer Pa from Ra' with the pointer function, extracts SKQAa from the service station private key pool at Pa, then extracts the public key PKA of client A from the client public key pool according to IDA, and computes Ka' = PKA^SKQAa.
Service station QA generates the session key KAB from the random number generator in its matching key card, encrypts KAB with Ka', and at the same time encrypts IDA, NA and IDB. The encrypted part and Ra' form TICKETA', which can be written as Ra' || {IDA || NA || IDB || KAB}Ka'.
TICKETA' and KAB form M4'; M4' is encrypted with the QKD key K4' and sent to service station QB, the encryption being done as above. The message sent can be written as {M4' || MAC(M4', AK4')}EK4'.
Step 5: Quantum communications service station QB sends TICKETA' and TICKETB' to client B.
After receiving the message encrypted with the QKD key, service station QB decrypts it with the QKD key, the decryption and message authentication being done as above. Service station QB obtains M4', i.e. TICKETA' and KAB. Service station QB generates a random number Rb' from the random number generator in its matching key card, obtains the pointer Pb from Rb' with the pointer function, extracts SKQBb from the service station private key pool at Pb, then extracts the public key PKB of client B from the client public key pool according to IDB, and computes Kb' = PKB^SKQBb. It encrypts KAB with Kb', and at the same time encrypts IDB, NB and IDA. The encrypted part and Rb' form TICKETB', which can be written as Rb' || {IDB || NB || IDA || KAB}Kb'.
Service station QB generates a random number R5' from the random number generator in its matching key card, obtains the pointer P5 from R5' with the pointer function, extracts SKQB5 from the service station private key pool at P5, and computes K5' = PKB^SKQB5. It splits K5' into EK5' and AK5'. Let M5'_0 = TICKETA' || TICKETB'. It makes the message authentication code MAC(M5'_0, AK5') over M5'_0 with AK5', encrypts M5'_0 and its message authentication code with EK5', and sends them together with R5' to client B as M5'; M5' can be written as R5' || {M5'_0 || MAC(M5'_0, AK5')}EK5'.
Step 6: Client B verifies TICKETB'.
After receiving M5', client B obtains the pointer P5 from R5' with the pointer function, extracts PKQB5 from the service station public key pool at P5, and computes K5' = PKQB5^SKB. It splits K5' into EK5' and AK5' and decrypts with EK5' to obtain M5'_0 and its message authentication code. It computes the message authentication code over M5'_0 with AK5', and after the comparison passes it obtains TICKETA' and TICKETB'.
Client B verifies TICKETB'. Client B obtains the pointer Pb from Rb' with the pointer function, extracts PKQBb from the service station public key pool at Pb, and computes Kb' = PKQBb^SKB. It decrypts the encrypted part of TICKETB' with Kb' to obtain IDB, NB, IDA and KAB. Client B checks whether NB equals the local NB; if they are equal, it trusts the session key KAB as the key for communicating with client A. Client B generates a random number NC from the random number generator in its matching key card, encrypts the NA received in Step 1 and NC with KAB, and sends them together with TICKETA' to client A as M6'; M6' can be written as TICKETA' || {NA || NC}KAB.
Step 7: customer end A verifies TICKETA '
After customer end A receives M6 ', use Ra ' that pointer function is combined to obtain pointer Pa, through Pa in the public key pond of service station
PKQAa is extracted, Ka '=PKQAa is calculatedSKA.The encryption unit of Ka ' decryption TICKETA ' is used to separately win to obtain IDA, NA, IDB and KAB.
Whether customer end A identification NA is equal with local NA, if equal, it is close as what is communicated with customer end B to trust session key KAB
Key.
Customer end A decrypts to obtain NA and NC using session key KAB, and NA and local NA are compared, complete if passing through
The certification of pairs of customer end B.
Customer end A uses KAB encryption NC and is sent to customer end B as M7 '.M7 ' is represented by { NC } KAB.
Step 8: customer end B verifies customer end A.
After customer end B receives M7 ', decrypt to obtain NC using KAB.NC and local NC are compared, if passing through, completed
Certification to customer end A.
Step 9: customer end A is securely communicated with customer end B.
Customer end A and customer end B can carry out message encryption and decryption and message authentication using key KAB.Preferably, KAB is torn open
It is divided into KABE and KABA, respectively as message encryption and decryption and message authentication key.
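The exchange of steps 6 to 9 above, as an added worked example that is not part of the patent: each client rebuilds its ticket key by DH (the pool public key selected by the pointer, raised to its own private key), rejects a ticket whose nonce does not match the local one, and proves possession of KAB through the NA/NC round trip. The DH group, the pointer function, the encrypt-then-MAC construction, the field layout and the device identifiers are assumptions of this example, not taken from the patent.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for this example only; far too small for real use.
P = 2**127 - 1      # Mersenne prime, so every pow() result fits in 16 bytes
ID_LEN, NONCE_LEN, KEY_LEN, TAG_LEN = 8, 16, 32, 32
PAYLOAD_LEN = ID_LEN + NONCE_LEN + ID_LEN + KEY_LEN          # ID || N || ID || KAB
TICKET_LEN = NONCE_LEN + NONCE_LEN + PAYLOAD_LEN + TAG_LEN   # R || nonce || ciphertext || tag

def keypair():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(2, sk, P)

def pointer(r, pool_size):
    """Pointer function (assumed form: SHA-256 of R reduced mod the pool size)."""
    return int.from_bytes(hashlib.sha256(r).digest(), "big") % pool_size

def dh_key(pk, sk):
    """K = pk^sk mod P, hashed to 32 bytes; the halves serve as EK (encryption) and AK (MAC)."""
    return hashlib.sha256(pow(pk, sk, P).to_bytes(16, "big")).digest()

def _xor_stream(ek, nonce, data):
    """SHA-256 counter-mode keystream XOR (assumed stand-in for the patent's symmetric cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(ek + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key, msg):
    """{msg}key: encrypt with the EK half, then tag nonce||ciphertext with the AK half."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = nonce + _xor_stream(key[:16], nonce, msg)
    return body + hmac.new(key[16:], body, hashlib.sha256).digest()

def open_sealed(key, blob):
    """Check the tag before decrypting; a forged or mismatched message raises."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key[16:], body, hashlib.sha256).digest(), tag):
        raise ValueError("message authentication code mismatch")
    return _xor_stream(key[:16], body[:NONCE_LEN], body[NONCE_LEN:])

def make_ticket(pool_sks, client_pk, id_owner, n, id_peer, kab):
    """Station side: TICKET = R || {ID_owner || N || ID_peer || KAB}K, K = client_pk^SKQ for the pool slot R points to."""
    r = secrets.token_bytes(NONCE_LEN)
    k = dh_key(client_pk, pool_sks[pointer(r, len(pool_sks))])
    return r + seal(k, id_owner + n + id_peer + kab)

def open_ticket(pool_pks, client_sk, ticket):
    """Client side: same pointer, same pool slot, K = PKQ^SK (the DH counterpart of make_ticket)."""
    r, sealed = ticket[:NONCE_LEN], ticket[NONCE_LEN:]
    pt = open_sealed(dh_key(pool_pks[pointer(r, len(pool_pks))], client_sk), sealed)
    return pt[ID_LEN:ID_LEN + NONCE_LEN], pt[PAYLOAD_LEN - KEY_LEN:]   # (N, KAB)

def client_b_step6(pool_pks, skb, ticket_b, ticket_a, nb_local, na):
    """Step 6: B recovers KAB from TICKETB', checks NB, sends M6' = TICKETA' || {NA || NC}KAB."""
    nb, kab = open_ticket(pool_pks, skb, ticket_b)
    if not hmac.compare_digest(nb, nb_local):
        raise ValueError("NB mismatch: TICKETB' does not belong to this session")
    nc = secrets.token_bytes(NONCE_LEN)
    return kab, nc, ticket_a + seal(kab, na + nc)

def client_a_step7(pool_pks, ska, m6, na_local):
    """Step 7: A recovers KAB from TICKETA', checks NA in the ticket and under KAB, sends M7' = {NC}KAB."""
    na, kab = open_ticket(pool_pks, ska, m6[:TICKET_LEN])
    if not hmac.compare_digest(na, na_local):
        raise ValueError("NA mismatch in TICKETA'")
    na_nc = open_sealed(kab, m6[TICKET_LEN:])
    if not hmac.compare_digest(na_nc[:NONCE_LEN], na_local):
        raise ValueError("NA mismatch: peer did not prove possession of KAB")
    return kab, na_nc[NONCE_LEN:], seal(kab, na_nc[NONCE_LEN:])

def client_b_step8(kab, m7, nc_local):
    """Step 8: B checks that A returned NC under KAB; a tampered M7' fails the tag check."""
    return hmac.compare_digest(open_sealed(kab, m7), nc_local)

def split_session_key(kab):
    """Step 9 (preferred form): KAB -> KABE for encryption, KABA for message authentication."""
    return kab[:16], kab[16:]

def run_handshake(tamper=False):
    """Steps 6 to 8 end to end; with tamper=True one bit of M7' is flipped and must be rejected."""
    (ska, pka), (skb, pkb) = keypair(), keypair()
    qa_sks, qa_pks = zip(*(keypair() for _ in range(4)))   # service station QA key pool
    qb_sks, qb_pks = zip(*(keypair() for _ in range(4)))   # service station QB key pool
    ida, idb = b"clientA_", b"clientB_"                    # constructed device parameters
    na, nb = secrets.token_bytes(NONCE_LEN), secrets.token_bytes(NONCE_LEN)
    kab = secrets.token_bytes(KEY_LEN)                     # KAB as issued by the stations in steps 1-5
    ticket_a = make_ticket(qa_sks, pka, ida, na, idb, kab)  # TICKETA'
    ticket_b = make_ticket(qb_sks, pkb, idb, nb, ida, kab)  # TICKETB'
    kab_b, nc, m6 = client_b_step6(qb_pks, skb, ticket_b, ticket_a, nb, na)
    kab_a, nc_a, m7 = client_a_step7(qa_pks, ska, m6, na)
    if tamper:
        m7 = m7[:-1] + bytes([m7[-1] ^ 1])
    try:
        return client_b_step8(kab_b, m7, nc) and kab_a == kab_b == kab and nc_a == nc
    except ValueError:
        return False
```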
For the specific limitations of the active-side device, the passive-side device, the service station device and the system, refer to the limitations on the quantum communication service station authentication method above; details are not repeated here. Each module in the above devices may be implemented wholly or partly in software, in hardware, or in a combination of the two. The above modules may be embedded in, or independent of, the processor of a computer device in hardware form, or may be stored in software form in the memory of the computer device, so that the processor can invoke them and perform the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a server; its internal structure may be as shown in Figure 3. The computer device includes a processor, a memory, a network interface and a database connected by a system bus. The processor of the computer device provides computing and control capability. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides the environment for running the operating system and the computer program in the non-volatile storage medium. The database of the computer device stores data related to authentication. The network interface of the computer device communicates with an external terminal over a network connection. When the computer program is executed by the processor, it implements a quantum communication service station key negotiation method based on an asymmetric key pool pair and the DH protocol.
The claims can be derived from the specific steps of the technical solution disclosed above: the quantum communication service station key negotiation method based on an asymmetric key pool pair and the DH protocol implemented on the active side, the same method implemented on the passive side, and the same method implemented in the service station; they are therefore not repeated here.
Those skilled in the art will understand that the structure shown in Figure 3 is only a block diagram of the part of the structure relevant to the solution of the application and does not limit the computer device to which the solution is applied; a specific computer device may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
Those of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the embodiments of each of the above methods. Any reference to memory, storage, a database or other media used in the embodiments provided herein includes non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above embodiments are described; however, as long as a combination of these technical features contains no contradiction, it should be considered within the scope of this specification.
The above embodiments express only several implementations of the application; their description is specific and detailed, but cannot therefore be construed as limiting the scope of the patent. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the concept of the application, and these fall within the scope of protection of the application. Therefore, the scope of protection of the patent of the application shall be subject to the appended claims.
Claims (10)
1. A quantum communication service station key negotiation method based on an asymmetric key pool pair and the DH protocol, implemented on the active side, characterized in that the quantum communication service station key negotiation method includes:
generating and sending message M1 to the passive side, the message M1 including authentication parameter NA and device parameter IDA;
obtaining from the passive side the ticket TICKETA and the authentication parameter NC and authentication parameter NA encrypted using session key KAB, the ticket TICKETA being encrypted using encryption parameter Ka and including authentication parameter NA; generating encryption parameter Ka using service station public key PKQa and active-side private key SKA, trusting session key KAB after decrypting ticket TICKETA using encryption parameter Ka and verifying authentication parameter NA, and authenticating the passive side after verifying authentication parameter NA using session key KAB; sending to the passive side the authentication parameter NC encrypted using session key KAB;
the authentication parameter NC being used by the passive side to authenticate the active side.
2. A quantum communication service station key negotiation method based on an asymmetric key pool pair and the DH protocol, implemented in the service station, characterized in that the quantum communication service station key negotiation method includes:
obtaining from the passive side the authentication code MAC(M2_0, AK2) encrypted using encryption key EK2 and the device parameter IDB of the passive side; the encryption key EK2 being generated using service station public key PKQ2, and the authentication code MAC(M2_0, AK2) being made using service station public key PKQ2 and including the authentication parameter NB generated by the passive side, the message M1 and the device parameter IDB of the passive side, the message M1 including the authentication parameter NA generated by the active side and the device parameter IDA of the active side;
generating session key KAB after decrypting and verifying authentication code MAC(M2_0, AK2), generating encryption parameter Ka using service station private key SKQa and active-side public key PKA, generating encryption parameter Kb using service station private key SKQb and passive-side public key PKB, and making ticket TICKETA and ticket TICKETB, the ticket TICKETA including authentication parameter NA, device parameter IDA, device parameter IDB and session key KAB encrypted using encryption parameter Ka; the ticket TICKETB including authentication parameter NB, device parameter IDA, device parameter IDB and session key KAB encrypted using encryption parameter Kb;
generating encryption parameter K3 using service station private key SKQ3, splitting encryption parameter K3 into authentication key AK3 and encryption key EK3, generating message M3_0 containing ticket TICKETA and ticket TICKETB, making authentication code MAC(M3_0, AK3) over the message M3_0 using authentication key AK3, and sending to the passive side the message M3_0 and authentication code MAC(M3_0, AK3) encrypted using encryption key EK3;
the ticket TICKETA and ticket TICKETB in the authentication code MAC(M3_0, AK3) being used respectively by the active side and the passive side to verify and trust session key KAB.
3. A quantum communication service station key negotiation method based on an asymmetric key pool pair and the DH protocol, implemented on the passive side, characterized in that the quantum communication service station key negotiation method includes:
obtaining message M1 from the active side, the message M1 including the authentication parameter NA generated by the active side and the device parameter IDA of the active side; generating authentication parameter NB and message M2_0, the message M2_0 including the authentication parameter NB, the message M1 and the device parameter IDB of the passive side; generating encryption parameter K2 using the locally stored service station public key PKQ2, splitting encryption parameter K2 into authentication key AK2 and encryption key EK2, making authentication code MAC(M2_0, AK2) over the message M2_0 using authentication key AK2, and sending to the service station the authentication code MAC(M2_0, AK2) encrypted using encryption key EK2 and the device parameter IDB of the passive side;
obtaining from the service station the message M3_0 and authentication code MAC(M3_0, AK3) encrypted using encryption key EK3, the encryption key EK3 being generated using service station private key SKQ3, the authentication code MAC(M3_0, AK3) being made using service station private key SKQ3 and including ticket TICKETA and ticket TICKETB, the ticket TICKETA including authentication parameter NA, device parameter IDA, device parameter IDB and session key KAB encrypted using encryption parameter Ka; the ticket TICKETB including authentication parameter NB, device parameter IDA, device parameter IDB and session key KAB encrypted using encryption parameter Kb; wherein encryption parameter Ka is generated using service station private key SKQa and active-side public key PKA, encryption parameter Kb is generated using service station private key SKQb and passive-side public key PKB, and session key KAB is generated by the service station; obtaining ticket TICKETA and ticket TICKETB after decryption, trusting session key KAB after verifying authentication parameter NB in ticket TICKETB, generating authentication parameter NC, and sending message M4 to the active side, the message M4 including ticket TICKETA and the authentication parameter NC and authentication parameter NA encrypted using session key KAB;
obtaining from the active side the authentication parameter NC encrypted using session key KAB, and completing verification of the active side after decrypting and verifying the authentication parameter NC.
4. A quantum communication service station key negotiation method based on an asymmetric key pool pair and the DH protocol, characterized in that the quantum communication service station key negotiation method includes:
the active side generates and sends message M1 to the passive side, the message M1 including the authentication parameter NA generated by the active side and the device parameter IDA of the active side;
the passive side, after obtaining it, generates authentication parameter NB and message M2_0, the message M2_0 including the authentication parameter NB, the message M1 and the device parameter IDB of the passive side; generates encryption parameter K2 using the locally stored service station public key PKQ2, splits encryption parameter K2 into authentication key AK2 and encryption key EK2, makes authentication code MAC(M2_0, AK2) over the message M2_0 using authentication key AK2, and sends to the service station the authentication code MAC(M2_0, AK2) encrypted using encryption key EK2 and the device parameter IDB of the passive side;
the service station obtains, decrypts and verifies authentication code MAC(M2_0, AK2) and then generates session key KAB; generates encryption parameter Ka using service station private key SKQa and active-side public key PKA, generates encryption parameter Kb using service station private key SKQb and passive-side public key PKB, and makes ticket TICKETA and ticket TICKETB, the ticket TICKETA including authentication parameter NA, device parameter IDA, device parameter IDB and session key KAB encrypted using encryption parameter Ka; the ticket TICKETB including authentication parameter NB, device parameter IDA, device parameter IDB and session key KAB encrypted using encryption parameter Kb; generates encryption parameter K3 using service station private key SKQ3, splits encryption parameter K3 into authentication key AK3 and encryption key EK3, generates message M3_0 containing ticket TICKETA and ticket TICKETB, makes authentication code MAC(M3_0, AK3) over the message M3_0 using authentication key AK3, and sends to the passive side the message M3_0 and authentication code MAC(M3_0, AK3) encrypted using encryption key EK3;
the passive side obtains them, obtains ticket TICKETA and ticket TICKETB after decryption, trusts session key KAB after verifying authentication parameter NB in ticket TICKETB, generates authentication parameter NC, and sends message M4 to the active side, the message M4 including ticket TICKETA and the authentication parameter NC and authentication parameter NA encrypted using session key KAB;
the active side obtains it, trusts session key KAB after decrypting ticket TICKETA and verifying authentication parameter NA, and authenticates the passive side after verifying authentication parameter NA using session key KAB; sends to the passive side the authentication parameter NC encrypted using session key KAB;
the passive side obtains from the active side the authentication parameter NC encrypted using session key KAB, and completes verification of the active side after decrypting and verifying the authentication parameter NC.
5. The quantum communication service station key negotiation method of any one of claims 1 to 4, characterized in that the service station is divided into service station QA and service station QB, the active side being a sub-device of service station QA and the passive side being a sub-device of service station QB;
service station QB obtains from the passive side the authentication code MAC(M2_0, AK2') encrypted using encryption key EK2' and the device parameter IDB of the passive side; generates encryption parameter K2' using service station QB private key SKQB2 and the passive-side public key, splits encryption parameter K2' into authentication key AK2' and encryption key EK2', decrypts using encryption key EK2' and, after verifying authentication code MAC(M2_0, AK2') using authentication key AK2', generates message M3', the message M3' including message M2_0; obtains encryption parameter K3' through encrypted communication with service station QA, splits encryption parameter K3' into authentication key AK3' and encryption key EK3', and sends to service station QA the message M3' and authentication code MAC(M3', AK3') encrypted using encryption parameter K3', the authentication code MAC(M3', AK3') being made using authentication key AK3' and message M3';
service station QA obtains, decrypts and verifies authentication code MAC(M3', AK3'); generates encryption parameter Ka' using active-side public key PKA and service station QA private key SKQAa, and generates session key KAB; generates ticket TICKETA', the ticket TICKETA' including device parameter IDB, authentication parameter NA, device parameter IDA and session key KAB encrypted using encryption parameter Ka'; generates message M4', the message M4' including ticket TICKETA' and session key KAB; obtains encryption parameter K4' through encrypted communication with service station QB, splits encryption parameter K4' into authentication key AK4' and encryption key EK4', and sends to service station QB the message M4' and authentication code MAC(M4', AK4') encrypted using encryption parameter K4', the authentication code MAC(M4', AK4') being made using authentication key AK4' and message M4';
service station QB obtains, decrypts and verifies authentication code MAC(M4', AK4'); generates encryption parameter Kb' using passive-side public key PKB and service station QB private key SKQBb, and generates session key KAB; generates ticket TICKETB', the ticket TICKETB' including device parameter IDB, authentication parameter NB, device parameter IDA and session key KAB encrypted using encryption parameter Kb'; generates encryption parameter K5' using service station private key SKQB5 and passive-side public key PKB, splits encryption parameter K5' into authentication key AK5' and encryption key EK5', generates message M5'_0 containing ticket TICKETB' and ticket TICKETA', and sends to the passive side the message M5'_0 and authentication code MAC(M5'_0, AK5') encrypted using encryption key EK5', the authentication code MAC(M5'_0, AK5') being generated using authentication key AK5' and message M5'_0;
the ticket TICKETA' being used by the active side to trust session key KAB, and the ticket TICKETB' being used by the passive side to trust session key KAB.
6. The quantum communication service station key negotiation method of any one of claims 1 to 4, characterized in that the session key KAB is split into a message encryption and decryption key KABE and a message authentication key KABA.
7. An active-side device, including a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the quantum communication service station key negotiation method of claim 1.
8. A service station device, including a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the quantum communication service station key negotiation method of claim 2.
9. A passive-side device, including a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the quantum communication service station key negotiation method of claim 3.
10. A quantum communication service station key negotiation system based on an asymmetric key pool pair and the DH protocol, characterized in that it includes an active side, a passive side, a service station and a communication network; the active side is configured with an active-side key card, in which a service station public key pool, the active-side public key and the active-side private key are stored; the passive side is configured with a passive-side key card, in which a service station public key pool, the passive-side public key and the passive-side private key are stored; the service station is configured with a service station key card, in which a service station private key pool, an active-side public key pool and a passive-side public key pool are stored;
the active side, the passive side and the service station implement, through the communication network, the steps of the quantum communication service station key negotiation method of claim 4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910324294.6A CN110138548B (en) | 2019-04-22 | 2019-04-22 | Quantum communication service station key negotiation method and system based on asymmetric key pool pair and DH protocol |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110138548A true CN110138548A (en) | 2019-08-16 |
CN110138548B CN110138548B (en) | 2023-09-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||