CN113765660B - A method for on-demand distribution of quantum keys for IoT terminal devices
- Publication number: CN113765660B (application CN202111039799.1A)
- Authority: CN (China)
- Prior art keywords: key, quantum, quantum key, request, pool
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L9/0852—Quantum cryptography
- G16Y40/50—Safety; Security of things, users, data or systems
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0858—Details about key distillation or coding, e.g. reconciliation, error correction, privacy amplification, polarisation coding or phase coding
Abstract
The invention discloses a method for on-demand distribution of quantum keys to Internet of Things (IoT) terminal devices. In response to IoT application requests, and once key requests from IoT terminal devices arrive, two processes are designed in full according to the needs of the key requests: key resource allocation from the key pool and key resource replenishment of the key pool. The quantum key demand and the quantum key security requirement of each key request are weighed quantitatively in a set proportion to determine the queuing response order of key requests that arrive at the same time, and the key pool's key resources are allocated accordingly. When the remaining key amount cannot serve a key request, the key pool issues a key replenishment request and key relay replenishment is performed on demand. A high and a low threshold are set for the key pool, and the pool's keys are replenished dynamically, on demand, in idle time slots. The method reduces the delay between the arrival of an IoT application's key request and the completion of the response, and improves system efficiency and the key pool's capacity to serve key requests.
Description
Technical Field
The invention belongs to the technical field of information security. It discloses an application of quantum key distribution in a new field, and specifically relates to a method for on-demand distribution of quantum keys to IoT terminal devices.
Background
In current IoT systems, the conventional cryptographic techniques that protect data in transit are at risk of being broken by quantum computers, so applying quantum keys to IoT terminals is of real practical importance. Quantum key distribution (QKD) is based on the no-cloning principle and the indivisibility principle of quantum physics, and can effectively achieve secure generation and distribution of keys. Connecting multiple point-to-point QKD systems forms a quantum key distribution network that can provide quantum key services to multiple users.
However, a QKD network faces many problems in IoT scenarios that have not yet been considered. First, because the generation rate of quantum keys is generally low, allocating quantum key resources efficiently under a large number of quantum key requests is very demanding. Second, the terminal devices connected to the IoT are numerous and heterogeneous, and many of them have limited storage and computing capability; this places high demands both on the efficiency of quantum key distribution in the IoT and on the algorithms by which IoT terminal devices obtain the quantum keys needed for encrypted communication.
In addition, beyond improving quantum key distribution efficiency according to applications' quantum key requests, the low key generation efficiency of QKD networks means that quantum key resources are accumulated to meet usage demand, so quantum keys are stored in a key pool. Given the security of quantum keys stored in the key pool, the replenishment process for quantum keys in the key pool must be considered together with the allocation of quantum key resources.
Therefore, reducing the response delay of quantum key requests according to the needs of IoT applications, improving system efficiency, and lowering the time cost for IoT terminal devices to receive quantum keys are problems that urgently need solving.
Summary of the Invention
To solve the above problems, use quantum key resources efficiently, and balance the quantum key resources of the QKD network against IoT security needs, the invention proposes a method for on-demand distribution of quantum keys to IoT terminal devices. According to the needs of the key requests, it designs in full the two processes of key pool key resource allocation and key pool key resource replenishment. Based on the key demand and the key security requirement of application key requests, it proposes a dynamic, on-demand quantum key distribution method for IoT terminal devices, so as to respond to IoT application requests more efficiently and more securely.
To achieve the above purpose, the technical solution adopted by the invention is a method for on-demand distribution of quantum keys to IoT terminal devices, comprising the following steps:
S1: respond to IoT application requests and, according to each application's security requirement, quantitatively determine by level the quantum key security requirement for encrypting information between the application and the server;
S2: weigh the quantum key demand and the quantum key security requirement of the key request quantitatively in a set proportion, and calculate the response weight value of the IoT application's quantum key request;
S3: according to the weight values of the quantum key requests, determine from high to low the queuing response order of quantum key requests with the same arrival time, and allocate keys on demand from the remaining quantum key amount of the key pool;
S4: when the remaining quantum key amount cannot serve a key request, the key pool issues a quantum key replenishment request, and quantum key replenishment requests are answered according to the weight value of the key request that the key pool is serving;
S5: taking system time-slice resources into account, set a high and a low threshold for the key pool; when the key pool and the corresponding repeater are in an idle time slot and the remaining quantum key amount is below the low threshold, replenish the key pool's quantum keys.
As a further improvement of the invention: in step S1, in response to IoT application requests, and given the lightweight data-processing nature of the IoT itself, lightweight data collection and message management are used. Messages are graded by security level according to the security needs stated in the application's message request, and the quantum key security requirement for encrypting information between the application and the server is quantitatively determined from the level.
As a further improvement of the invention, step S2 further comprises:
S21: after an IoT application arrives, multiple IoT terminal devices send multiple quantum key requests to the edge gateway; each quantum key request must contain the quantum key demand, the quantum key security requirement, the identities of both session parties, and other such information;
S22: according to the system's differing needs for efficiency and security, weigh the quantum key demand and the quantum key security requirement of the key request quantitatively in a set proportion, and calculate the response weight value of the quantum key request.
As a further improvement of the invention, step S3 further comprises:
S31: after the edge gateway receives multiple quantum key requests, it sorts their response order by arrival time and then by key request response weight value. When the remaining quantum key amount of the key pool QKP is sufficient to meet the quantum key demand of the arriving key requests, quantum key requests are answered in order of arrival time, and requests with the same arrival time are answered according to their weight values;
S32: when the remaining quantum key amount of the key pool QKP is insufficient to meet the quantum key demand of an arriving key request, the key pool QKP issues a quantum key replenishment request. Once the key pool QKP has been replenished and its remaining quantum key amount can meet the quantum key demand of the key request, the quantum keys for that request are allocated;
S33: after a quantum key request has been answered, the edge gateway obtains quantum keys on demand from the corresponding key pool QKP at the edge gateway, encrypts them with a wireless key generated over the wireless channel, and transmits them to the IoT terminal device.
As a further improvement of the invention, step S4 further comprises:
S41: when the remaining key amount cannot serve a quantum key request, the key pool issues a quantum key replenishment request; the replenishment request must contain the key pool information, the quantum key demand of the current key request, the quantum key security requirement, the identities of both session parties, and other such information;
S42: when the remaining quantum key amounts of several key pools QKP are all insufficient to provide quantum key service, the relay key generated between the optical line terminal OLT and an optical network unit ONU at any one time can only support one-to-one quantum key relay. Therefore, when handling key pool QKP quantum key replenishment requests that arrive at the same time, the quantum key demand and the quantum key security requirement of the key requests are weighed quantitatively in a set proportion, a response weight value is calculated, and the response order of the corresponding key pools' quantum key replenishment requests is determined from high to low by response weight value.
As a further improvement of the invention, step S5 further comprises:
S51: set the high and low thresholds of the quantum key pool, taking both system security and efficiency requirements into account;
S52: when the remaining quantum key amount of the key pool is too small, i.e. below the set low threshold, quantum keys are replenished promptly while the key pool and the corresponding repeater are in an idle time slot, so that the remaining quantum key amount of the key pool QKP does not fall short of the quantum key demand of subsequent key requests;
S53: when the remaining quantum key amount of the key pool is too large, i.e. greater than or equal to the set high threshold, quantum key replenishment is stopped, because storing too many quantum keys for too long reduces their security.
Compared with the prior art, the invention proposes a method for on-demand distribution of quantum keys to IoT terminal devices. After an IoT application's quantum key request arrives, the quantum key security requirement for encrypting information between the application and the server is determined. Once key requests from IoT terminal devices arrive, the two processes of key pool key resource allocation and key pool key resource replenishment are designed in full according to the needs of the quantum key requests, and quantum key resources are allocated by weighing the key demand and the key security requirement of IoT application key requests quantitatively in a set proportion. At the same time, a high and a low threshold are set for the key pool, and the key pool's quantum keys are replenished dynamically on demand. This gives the system more efficient key processing and a higher capacity for the key pool QKP to carry key requests, meets the storage, computing and lightweight requirements of IoT applications, and balances the quantum key resources of the QKD network against IoT security needs.
Description of the Drawings
Fig. 1 is a flow chart of the method steps of the invention;
Fig. 2 is a diagram of the working framework of the invention;
Fig. 3 is a flow chart of the part of the invention that responds to quantum key requests;
Fig. 4 is a flow chart of the part of the invention that responds to quantum key replenishment requests;
Fig. 5 is a flow chart of the key pool quantum key replenishment part of the invention.
Detailed Description
The invention is further explained below with reference to the drawings and specific embodiments. It should be understood that the following embodiments only illustrate the invention and do not limit its scope. Note that the words "front", "rear", "left", "right", "upper" and "lower" used in the description below refer to directions in the drawings, and the words "inner" and "outer" refer to directions towards or away from the geometric center of a particular component, respectively.
The symbols used in this scheme and their definitions are shown in Table 1:
Table 1
This document proposes a method for on-demand distribution of quantum keys to IoT terminal devices. The method relies on a quantum key distribution (QKD) network to generate quantum keys and so secure the communication of IoT terminal devices. Key distribution from the access network to the edge gateway is based on a passive optical network. A quantum receiver and a trusted quantum relay device are deployed at the optical line terminal OLT; they can be shared by multiple quantum transmitters and are used for key generation. The quantum transmitters are deployed at the optical network units ONU. Using wavelength division multiplexing and time division multiplexing, quantum key distribution is carried out over the optical fiber to produce secure keys between each optical network unit ONU and the optical line terminal OLT.
In a QKD network with trusted repeaters, the quantum key is XOR-encrypted with the relay key generated point-to-point and is transmitted in encrypted form. The quantum keys generated between the optical line terminal OLT and an optical network unit ONU are used as relay keys; through the trusted quantum repeater they relay the quantum key that comes from the quantum backbone network and is ultimately used for the session.
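The hop-by-hop XOR relay described above, as an added Python example that is not part of the patent. The class and function names, the two-link topology and the byte values are constructed for illustration; the code assumes each link's two ends already hold identical relay key material and consume it strictly once, as a one-time pad.

```python
"""Trusted-repeater XOR relay of a session key (added illustration)."""


class RelayKeyStore:
    """One end of a point-to-point link holding relay key material (hypothetical name)."""

    def __init__(self, material: bytes):
        self._buf = bytearray(material)
        self._pos = 0

    def remaining(self) -> int:
        return len(self._buf) - self._pos

    def take(self, n: int) -> bytes:
        """Hand out n unused pad bytes and wipe them so they cannot be reused."""
        if n > self.remaining():
            raise RuntimeError("relay key exhausted; more link key must be generated")
        chunk = bytes(self._buf[self._pos:self._pos + n])
        self._buf[self._pos:self._pos + n] = bytes(n)
        self._pos += n
        return chunk


def make_link(material: bytes):
    """Both ends of a link start with the same relay key material."""
    return RelayKeyStore(material), RelayKeyStore(material)


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("pad and key must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def relay(session_key: bytes, links):
    """Carry session_key across each (sender_end, receiver_end) link in turn.

    Returns the key as delivered at the far end and the ciphertext seen on
    each link. Every intermediate node holds the key in plaintext between
    decrypting and re-encrypting, which is why the repeater must be trusted.
    """
    key, wire = session_key, []
    for tx, rx in links:
        ct = xor(key, tx.take(len(key)))   # sender encrypts with fresh pad bytes
        wire.append(ct)
        key = xor(ct, rx.take(len(ct)))    # receiver removes the same pad bytes
    return key, wire


# Constructed sample values: a 16-byte session key and 32 bytes of pad per link.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo_links():
    """Backbone-to-OLT link, then OLT-to-ONU link (constructed pad bytes)."""
    return [make_link(bytes(range(1, 33))), make_link(bytes(range(101, 133)))]


if __name__ == "__main__":
    delivered, wire = relay(SESSION_KEY, demo_links())
    print(delivered == SESSION_KEY, [c.hex() for c in wire])
```

Because the pad is consumed, relaying more key than the link has generated fails instead of silently reusing pad bytes, which would expose the XOR of two relayed keys to anyone observing the link.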
Quantum keys are stored in a key pool. Based on software-defined networking (SDN), the quantum key storage device is abstracted and virtualized as a key pool QKP. A key pool QKP exists between any two QKD nodes, and keys are managed in pairs between the two nodes.
The technical solution disclosed by the invention is described in further detail below through specific steps.
As shown in Fig. 1, this document provides a method for on-demand distribution of quantum keys to IoT terminal devices, comprising the following steps:
(1) Respond to IoT application requests. Given the requests of IoT applications and the lightweight data-processing nature of the IoT itself, lightweight data collection and message management are used. Messages are graded by security level, and the quantum key security requirement for encrypting information between the application and the server is quantitatively determined from the level.
Three security levels Sec are provided according to the application's security needs: lowest (Sec=0), where a message arrives at most once, used for messages that may be lost; medium (Sec=1), where a message arrives at least once, which guarantees that the receiver gets the message but allows duplicates; and highest (Sec=2), where a message arrives only once, used for very important messages that must not be repeated. Given the lightweight requirements of the IoT and system efficiency, quantum keys are used only when the message requests a higher quality of service, i.e. Sec=1 or Sec=2: in those cases, messages exchanged between the application and the server are encrypted with quantum keys. At the lower security level, messages are transmitted directly in plaintext.
(2) When quantum key requests from IoT applications arrive and the edge gateway has received multiple quantum key requests from IoT terminal devices, it determines the response order of the requests.
Step (2) comprises the following sub-steps:
(2.1) After the quantum key requests K_Request of IoT applications arrive, multiple IoT terminal devices send multiple quantum key requests K_Request to edge gateway G1. Each request K_Request must contain the quantum key demand K_qua, the quantum key security requirement K_sec, and the identities of both session parties, namely the session requesting terminal T1, the session target terminal T2, the edge gateway G1 corresponding to T1 and the edge gateway G2 corresponding to T2, i.e. K_Request = (K_qua, K_sec, T1, T2, G1, G2).
(2.2) Because a large number of quantum key requests K_Request arrive from IoT terminal devices within a period of time, the response order of the requests must be sorted. The arrival time t_arr of a request has the highest priority. For requests with the same arrival time t_arr, a response weight value est(K_i) quantifies the request's quantum key demand K_qua and quantum key security requirement K_sec. The weight value est(K_i) is calculated as shown in formula (1):
est(K_i) = (1 - ω) ln K_qua + ω ln(10 - K_sec)    (1)
In formula (2), K_sec ∈ [1,5] and K_sec ∈ N denotes the quantum key security requirement of the request, and ω ∈ [0,1] denotes the system's trade-off between the quantum key demand K_qua of the request K_Request and the security requirement K_sec of the quantum key service. Because systems differ in how they trade off quantum key demand against quantum key security, the weights of the two factors change accordingly; adjusting ω meets the system's differing requirements for K_qua and K_sec. With the weight values est(K_i) sorted in ascending order, quantum key requests K_Request with a smaller quantum key demand K_qua and a larger security requirement K_sec have a higher response priority.
(3)根据量子密钥请求的权重值,确定到达时间相同量子密钥请求的排队响应顺序,对密钥池的剩余量子密钥量按需进行密钥分配,算法流程如图3所示。(3) According to the weight value of the quantum key request, determine the queuing response sequence of the quantum key request with the same arrival time, and distribute the key according to the remaining quantum key amount of the key pool as needed. The algorithm flow is shown in Figure 3.
步骤(3)包括如下的子步骤:Step (3) includes the following substeps:
(3.1)边缘网关G1接收到多个密钥请求后,根据量子密钥请求KRequest中会话双方身份标识中,会话申请终端T1对应的边缘网关G1和会话目标终端T2对应的边缘网关G2,从边缘网关处的对应密钥池QKP中提取量子密钥,密钥池QKP通过索引具体标识,密钥根据通信请求的会话申请终端T1对应的边缘网关G1和会话目标终端T2对应的边缘网关G2,放置于对应索引编号的VK P1-2中,满足了通信双方对于密钥资源分配进行一一对应的安全需求。(3.1) After the edge gateway G1 receives multiple key requests, according to the identities of both parties in the session in the quantum key request K Request , the edge gateway G1 corresponding to the session request terminal T1 and the edge gateway G2 corresponding to the session target terminal T2, from The quantum key is extracted from the corresponding key pool QKP at the edge gateway, the key pool QKP is specifically identified by the index, and the key is based on the edge gateway G1 corresponding to the terminal T1 corresponding to the session application terminal T1 and the edge gateway G2 corresponding to the session target terminal T2 according to the communication request, It is placed in the VK P 1-2 corresponding to the index number, which satisfies the security requirement of one-to-one correspondence between the two communication parties for key resource allocation.
(3.2)按照算法流程,响应量子密钥请求KRequest,对密钥池QKP的量子密钥进行分配。按照到达时间和量子密钥请求响应权重值的优先级,对于量子密钥请求的响应顺序进行排序。当量子密钥请求KRequest到达时,判断是否有与当前量子密钥请求KRequest(i)同时间到达的量子密钥请求KRequest,如果有与当前量子密钥请求KRequest(i)的到达时间tarr一致的其他量子密钥请求KRequest,再按照请求KRequest量子密钥需求量Kqua和量子密钥安全性Ksec,计算出的响应权重值est(Ki)进行排序,然后排队等待轮到当前量子密钥请求KRequest(i)等待响应;如果没有与当前量子密钥请求KRequest(I)到达时间tarr一样的量子密钥请求KRequest,直接轮到当前量子密钥请求KRequest(i)等待响应。(3.2) According to the algorithm flow, the quantum key of the key pool QKP is distributed in response to the quantum key request K Request . The response order of the quantum key request is sorted according to the arrival time and the priority of the quantum key request response weight value. When the quantum key request K Request arrives, determine whether there is a quantum key request K Request that arrives at the same time as the current quantum key request K Request (i). If there is a quantum key request K Request (i) that arrives at the same time as the current quantum key request The other quantum key requests K Request with the same time tarr are sorted according to the quantum key requirement K qua of the request K Request and the quantum key security K sec , and the calculated response weight value est(K i ) is then queued up Waiting for the current quantum key request K Request (i) to wait for a response; if there is no quantum key request K Request with the same arrival time tarr as the current quantum key request K Request (I), it is directly the current quantum key request K Request (i) Waiting for a response.
(3.3)当轮到当前量子密钥请求KRequest(I)等待响应,根据时间片资源的情况,判断当前密钥池时隙是否被占用,如果密钥池QKP所处时隙被上一个量子密钥请求KRequest(I-1)占用,即上一个量子密钥请求KRequest(i-1)从密钥池QKP获得量子密钥的时间tget≥当前量子密钥请求KRequest(i)的到达时间tarr,则当前量子密钥请求KRequest(i)需排队等待时隙空闲,排队等待量子密钥请求KRequest(I)得到响应;如果密钥池QKP所处空闲时隙,即上一个量子密钥请求KRequest(i-1)从密钥池QKP获得量子密钥的时间rget<当前量子密钥请求KRequest(I)的到达时间tarr,则当前量子密钥请求KRequest(I)直接得到响应。(3.3) When it is the turn of the current quantum key request K Request (I) to wait for a response, according to the situation of the time slice resources, determine whether the current key pool time slot is occupied, if the time slot where the key pool QKP is located is occupied by the previous quantum The key request K Request (I-1) is occupied, that is, the time t get when the last quantum key request K Request (i-1) obtains the quantum key from the key pool QKP ≥ the current quantum key request K Request (i) arrival time tarr , then the current quantum key request K Request (i) needs to be queued to wait for the time slot to be free, and queued to wait for the quantum key request K Request (I) to get a response; if the key pool QKP is in an idle time slot, that is The time when the last quantum key request K Request (i-1) obtained the quantum key from the key pool QKP r get < the arrival time t arr of the current quantum key request K Request (I), then the current quantum key request K Request (I) gets the response directly.
(3.4) Once the current quantum key request K_Request(i) is answered, check whether the remaining quantum key amount K_sur of the key pool QKP can satisfy the quantum key demand K_qua of K_Request(i). If it cannot, that is, the demand K_qua of K_Request(i) > the remaining amount K_sur of the key pool QKP, quantum key supplementation is required and the key pool QKP issues a quantum key supplement application. Key distribution for K_Request(i) is carried out only after the key pool QKP has been supplemented and its remaining amount K_sur can satisfy the demand K_qua of K_Request(i). If the remaining amount can satisfy the demand, that is, the demand K_qua of K_Request(i) ≤ the remaining amount K_sur of the key pool QKP, then K_Request(i) can extract a quantum key of the corresponding amount K_qua from the key pool QKP.
(3.5) After the quantum key request has been answered, the edge gateway obtains the quantum key on demand from its corresponding key pool QKP, then extracts channel characteristics from the wireless communication channel to generate an encryption/decryption key. The quantum key is encrypted with this key and sent over the wireless channel to the IoT terminal, and the IoT mobile terminal obtains the quantum key after decryption.
(4) When the remaining quantum key amount cannot serve a key request, the key pool issues a quantum key supplement request, and supplement requests are answered according to the weight value of the quantum key request that the key pool is responding to.
Step (4) includes the following sub-steps:
(4.1) When the remaining quantum key amount K_sur of the key pool QKP cannot satisfy the quantum key demand K_qua of the current quantum key request K_Request(i), a quantum key supplement application K_Supplement must be sent to the optical line terminal OLT and the optical network unit ONU. The application K_Supplement must contain: the key pool QKP information; the quantum key demand K_qua and the quantum key security requirement K_sec of the current request K_Request(i); the identities of both session parties, namely the session-requesting terminal T1 and the session target terminal T2; and the edge gateway G1 corresponding to T1 and the edge gateway G2 corresponding to T2. That is, K_Supplement = (QKP, K_Request(K_qua, K_sec, T1, T2, G1, G2)). The key pool then waits for a relay quantum key to be generated between the optical line terminal OLT and the optical network unit ONU in response to the quantum key supplement request of the key pool QKP.
(4.2) Because a large number of quantum key supplement requests K_Supplement from the key pool QKP arrive within a period of time, their response order must be sorted. The highest-priority criterion is the arrival time T_arr of the supplement request K_Supplement. When arrival times T_arr are equal, the relay quantum key generated between the optical line terminal OLT and the optical network unit ONU at any one time can only perform one-to-one quantum key relay, so supplement requests K_Supplement that arrive at the same time are ordered, following the algorithm flow, by weighing the quantum key demand K_qua of the quantum key request K_Request against the security requirement K_sec of the quantum key service. A weight est(K_i) quantifies the quantum key demand K_qua and the quantum key security requirement K_sec of the request K_Request. The weight est(K_i) is calculated as shown in formula (3):
est(K_i) = (1-ω) ln K_qua + ω ln(10 - K_sec)    (3)
In formula (3), K_sec ∈ [1,5] with K_sec ∈ N is the security requirement of the quantum key request, and ω ∈ [0,1] is the degree to which the system trades off the quantum key demand K_qua of the request K_Request against the security requirement K_sec of the quantum key service. Because systems differ in how they weigh quantum key demand against quantum key security, the weights of these two factors change accordingly, and ω is adjusted to match the system's requirements. The weights est(K_i) are sorted in ascending order, so a quantum key request K_Request with a smaller quantum key demand K_qua and a larger security requirement K_sec has higher priority, and the corresponding quantum key supplement request K_Supplement is answered earlier.
(4.3) Following the algorithm flow shown in Figure 4, respond to quantum key supplement requests K_Supplement and supplement the quantum keys of the key pool QKP. The response order of the supplement requests is sorted by arrival time first and then by response weight value. When a quantum key supplement request K_Supplement arrives, determine whether any other supplement request arrived at the same time as the current request K_Supplement(i). If other supplement requests share the arrival time T_arr of K_Supplement(i), they are sorted by the response weight value est(K_i), computed from the quantum key demand K_qua and quantum key security requirement K_sec of each supplement request, and K_Supplement(i) queues until it is its turn to await a response. If no other supplement request has the same arrival time T_arr, K_Supplement(i) proceeds directly to await a response.
(4.4) When it is the turn of the current request K_Supplement(i) to await a response, use the time-slice resources to determine whether the time slot of the current optical line terminal OLT and optical network unit ONU is occupied. If the time slot of the OLT and ONU is occupied by the previous quantum key supplement request K_Supplement(i-1), that is, the time T_get at which the previous QKP supplement request K_Supplement(i-1) obtained its quantum key ≥ the arrival time T_arr of the current supplement request K_Supplement(i), then K_Supplement(i) must queue until the time slot is free before it is answered. If the OLT and ONU are in an idle time slot, that is, the time T_get at which K_Supplement(i-1) obtained its quantum key < the arrival time T_arr of K_Supplement(i), then K_Supplement(i) is answered directly without queuing.
(4.5) The current quantum key request K_Request(i) is answered: the relay quantum key generated between the optical line terminal OLT and the optical network unit ONU performs one-to-one quantum key relay, completing the key supplement of the key pool.
(5) Taking the system's time-slice resources into account, set a high and a low threshold for the key pool. When the key pool and the corresponding repeater are in an idle time slot and the remaining quantum key amount is below the low threshold, supplement the quantum keys of the key pool.
Step (5) includes the following sub-steps:
(5.1) When the key pool QKP, the optical line terminal OLT and the optical network unit ONU are in idle time slots, the key pool QKP is supplemented with quantum keys dynamically. Weighing system security against efficiency, two thresholds are set for the key pool QKP: a low threshold K_threshold_low and a high threshold K_threshold_high.
(5.2) Following the algorithm flow shown in Figure 5, supplement the key pool QKP with quantum keys. Use the time-slice state to determine whether the key pool is in an idle time slot. If the key pool QKP is in an idle time slot, determine whether its remaining quantum key amount K_sur is below the low threshold K_threshold_low. When K_sur is too small, below the set low threshold K_threshold_low, the quantum keys are supplemented promptly while the key pool and the corresponding repeater are in idle time slots, so that the remaining amount K_sur does not fall short of the quantum key demand K_qua of subsequent quantum key requests K_Request.
(5.3) Once the key pool QKP meets the conditions for key supplementation, determine whether the current optical line terminal OLT and optical network unit ONU are in an idle time slot. If their time slot is idle, key supplementation is performed.
(5.4) Determine whether the remaining quantum key amount K_sur of the key pool QKP is above the high threshold K_threshold_high. When K_sur is too large, above the set high threshold K_threshold_high, quantum key supplementation stops, because storing too many quantum keys for too long reduces quantum key security.
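The ordering of steps (3.2)-(3.4) and (4.2), the weight of formula (3) and the threshold refill of steps (5.2)-(5.4) can be traced in a short simulation. This is an added Python sketch, not code from the patent. The fixed service and supplement durations, the refill that tops the pool up to the high threshold, the supplement that covers exactly the shortfall, and the sample requests are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class KeyRequest:
    name: str
    t_arr: float  # arrival time t_arr
    k_qua: int    # quantum key demand K_qua
    k_sec: int    # security requirement K_sec, integer in [1, 5]

def est(req, omega):
    """Formula (3): est(K_i) = (1 - w) ln K_qua + w ln(10 - K_sec)."""
    if not 0.0 <= omega <= 1.0:
        raise ValueError("omega must lie in [0, 1]")
    if req.k_sec not in range(1, 6) or req.k_qua < 1:
        raise ValueError("K_sec must be an integer in [1, 5] and K_qua >= 1")
    return (1 - omega) * math.log(req.k_qua) + omega * math.log(10 - req.k_sec)

def response_order(requests, omega):
    """Arrival time first; equal arrival times are ordered by ascending est(K_i)."""
    return sorted(requests, key=lambda r: (r.t_arr, est(r, omega)))

def distribute(requests, omega, k_sur, low, high, t_serve=1.0, t_supp=2.0):
    """Serve requests from a pool holding k_sur keys; return (log, remaining keys).

    t_serve and t_supp are assumed fixed durations (the patent gives none).
    Each log entry is (name, time service starts, t_get, supplemented?).
    """
    log = []
    t_get = float("-inf")  # time the previous request obtained its key
    for req in response_order(requests, omega):
        idle = t_get < req.t_arr          # (3.3) slot is free when the request arrives
        if idle and k_sur < low:          # (5.2) idle slot and pool below low threshold
            k_sur = high                  # (5.4) assumption: refill ends at the high threshold
        start = req.t_arr if idle else t_get  # (3.3) otherwise wait for the slot
        supplemented = req.k_qua > k_sur      # (3.4) pool cannot cover the demand
        if supplemented:
            k_sur = req.k_qua             # assumption: supplement covers the shortfall
            start += t_supp               # distribution waits for the supplement
        k_sur -= req.k_qua
        t_get = start + t_serve
        log.append((req.name, start, t_get, supplemented))
    return log, k_sur

# Constructed sample: three requests arrive together, one arrives later.
SAMPLE = [
    KeyRequest("A", 0, 64, 2),
    KeyRequest("B", 0, 16, 5),
    KeyRequest("C", 0, 16, 1),
    KeyRequest("D", 5, 200, 3),
]

if __name__ == "__main__":
    for omega in (0.5, 1.0):
        print(omega, [r.name for r in response_order(SAMPLE, omega)])
    print(distribute(SAMPLE, 0.5, k_sur=100, low=32, high=128))
```

With ω = 0.5 the simultaneous requests are served in the order B, C, A; raising ω to 1 makes the security requirement the only tie-breaker and moves A ahead of C.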
The technical means disclosed in the solution of the present invention are not limited to those disclosed in the above embodiments, but also include technical solutions formed by any combination of the above technical features.
Claims (6)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111039799.1A CN113765660B (en) | 2021-09-06 | 2021-09-06 | A method for on-demand distribution of quantum keys for IoT terminal devices |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113765660A (en) | 2021-12-07 |
CN113765660B (en) | 2022-08-02 |
Family
ID=78793233
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111039799.1A Active CN113765660B (en) | 2021-09-06 | 2021-09-06 | A method for on-demand distribution of quantum keys for IoT terminal devices |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113765660B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114499834B (en) * | 2021-12-20 | 2024-05-14 | 北京邮电大学 | Internet of things quantum key distribution method, system, electronic equipment and storage medium |
CN115865332B (en) * | 2022-11-24 | 2024-01-02 | 北京百度网讯科技有限公司 | Request processing method and device and electronic equipment |
CN115694815B (en) * | 2023-01-03 | 2023-03-28 | 国网天津市电力公司电力科学研究院 | Communication encryption method and device for power distribution terminal |
CN116318689B (en) * | 2023-05-25 | 2023-07-28 | 天津市城市规划设计研究总院有限公司 | Method and system for improving information transmission safety of Internet of things equipment by utilizing quantum key |
CN118540060B (en) * | 2024-07-25 | 2024-12-10 | 中电信量子信息科技集团有限公司 | Key pool scheduling method, device, edge gateway, Internet of Things system and medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110138552A (en) * | 2019-05-08 | 2019-08-16 | 北京邮电大学 | Multi-user quantum key Supply Method and device |
CN110149204A (en) * | 2019-05-09 | 2019-08-20 | 北京邮电大学 | The key resource allocation methods and system of QKD network |
CN110365476A (en) * | 2019-07-01 | 2019-10-22 | 北京邮电大学 | SDN-based QKD network and its key scheduling management method |
CN112910639A (en) * | 2021-02-05 | 2021-06-04 | 北京邮电大学 | Quantum encryption service transmission method under multi-domain scene and related equipment |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107959566A (en) * | 2016-10-14 | 2018-04-24 | 阿里巴巴集团控股有限公司 | Quantal data key agreement system and quantal data cryptographic key negotiation method |
Non-Patent Citations (2)
Title |
---|
"Scalable QKD Network Using Simple Key-Management Technique with On-Demand Crypto-Key Supply"; Maeda, W. et al.; 2008 34th European Conference on Optical Communication (ECOC); 2008-09-25; full text * |
Research on quantum key protocols for Internet of Things communication channels; Zhao Jie; Laser Journal; 2017-12-25 (No. 12); pp. 118-122 * |
Also Published As
Publication number | Publication date |
---|---|
CN113765660A (en) | 2021-12-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||