CN117857027A - Group key management method and system based on quantum key distribution and token authorization technology - Google Patents
- Publication number
- CN117857027A (CN202311748237.3A)
- Authority
- CN
- China
- Prior art keywords
- key
- quantum
- group
- token
- service system
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0852—Quantum cryptography
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- Electromagnetism (AREA)
- Theoretical Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
A group key management method and system based on quantum key distribution (QKD) and token authorization techniques. The method comprises: after a group member passes identity authentication, the service system sends an access_token to the group member; the service system initiates a group key update request to the quantum cryptography management service system; the quantum cryptography management service system generates a new group key and distributes a paired key through QKD as the authentication code of the new group key; the service system notifies the group members of the key update, generates an authorization token from the authentication code, encrypts the authorization token with the access_token and sends it to the group members; after decrypting with the access_token, the group member encrypts the authorization token with the filling key and requests the group key from the quantum cryptography management service system; the quantum cryptography management service system decrypts with the corresponding filling key to obtain the authorization token and, after verification, encrypts the group key with the filling key corresponding to the user and returns it to the user; the user decrypts with the corresponding filling key to obtain the group key. The technical solution of the invention reduces the complexity of key management for group encryption and protects the security of group content in multicast communication.
Description
Technical Field
The application belongs to the field of security application products, and particularly relates to a group key management method and system based on quantum key distribution and token authorization technology.
Background
With the development of Internet technology, multicast communication applications such as instant messaging, video conferencing, streaming media, remote teaching and online gaming are emerging. These applications typically disseminate data in a "one-to-many" or "many-to-many" manner, i.e., the sender sends data to multiple recipients. Multicast communication saves a great deal of network bandwidth, lightens the burden on the sender, relieves the load on the server and improves system performance, but it brings great security challenges. The main security problems faced by group communication include identity authentication of the entities sending and receiving data; confidentiality, integrity and non-repudiation during data transmission and storage; and access control. Group users are widely distributed, and members may leave or new members may join at any time, which continuously challenges the security of group communication, so a reliable security mechanism is needed to ensure group security.
In the prior art, group key management based on a key exchange protocol is generally adopted: using a public key encryption algorithm and a key agreement protocol, the group members exchange information over a public channel to generate and update the group key. Because all members participate in each update, this approach suffers from long delay, high computational overhead, a large number of group keys and high key management complexity. In addition, public key cryptographic algorithms based on the large integer factorization problem face the risk of being broken by quantum computing. A group key management method based on quantum key distribution technology is therefore proposed to ensure group security.
Disclosure of Invention
The technical problem to be solved by the invention is how to reduce the complexity of key management of group encryption and to protect the data security of group content in multicast communication.
The invention solves the technical problems by the following technical means: a group key management method based on quantum key distribution and token authorization technology comprises the following steps:
S1: the group member performs identity authentication using the filling key in the quantum security chip, and the service system sends an access_token to the group member after authentication passes;
S2: when the group membership changes or the group key expires, the service system initiates a group key update request to the quantum cryptography management service system;
S3: the quantum cryptography management service system generates a new group key from a quantum random number and at the same time distributes a paired key through QKD, the paired key serving as the authentication code of the new group key;
S4: the service system notifies the group members that the group key has been updated, generates an authorization token from the authentication code of the new group key, encrypts the authorization token with the access_token and sends it to the group members;
S5: after decrypting with the access_token, the group member encrypts the authorization token with the filling key and requests the group key from the quantum cryptography management service system;
S6: the quantum cryptography management service system decrypts with the corresponding filling key to obtain the authorization token, first checks whether the group key authentication code is correct, then checks whether the user in the authorization token is consistent with the user corresponding to the filling key, and after verification passes encrypts the group key with the filling key corresponding to the user and returns it to the user;
S7: the user decrypts with the corresponding filling key to obtain the group key, and can then decrypt the encrypted messages in the group normally.
As one of the specific technical solutions, the specific process of authenticating the user in step S1 is:
S11, a quantum key filling machine securely fills the quantum keys generated by QKD into the quantum security chip and the quantum cryptography management service system;
S12, when a group member registers or activates an account on the user terminal device, the service system performs key negotiation with the quantum cryptography management service system through QKD to obtain a temporary user registration key; the service system encrypts the user unique identifier with this key and sends it to the quantum cryptography management service system, which decrypts it with the same key and then stores the correspondence between the user unique identifier and the unique physical MAC of the quantum security chip;
S13, the quantum cryptography management service system symmetrically encrypts the user unique identifier with the filling key K_i of sequence number i in the quantum security chip and transmits it to the quantum security chip, and the quantum security chip writes the user unique identifier into its own secure storage space;
S14, the user terminal device, through the quantum security chip, encrypts the user's unique identification information with SM3-HMAC using the filling key and sends it to the service system for identity authentication; the service system requests authentication from the quantum cryptography management service system; after authentication passes, the quantum cryptography management service system generates a loginKey and sends it to the service system together with the authentication result;
S15, after authentication succeeds, the service system issues an access_token to the client; the quantum cryptography management service system decrypts using the filling key K_i of sequence number i, stored in the platform, that corresponds to the security chip, and checks whether the unique identifier of the security chip is correct; after verification passes it sends a new loginKey to the service system, and the service system updates the access_token with the new loginKey and sends it to the client.
Further, the filling keys are in one-to-one correspondence between the security chip and the quantum cryptography service system.
Furthermore, the service system takes the user's registered biometric information, account number or mobile phone number as the user unique identifier.
Furthermore, the access_token has a JWT structure, and an at_hash claim, { "at_hash": "XXX" }, is added to the payload of the JWT to enhance security; the at_hash uses the loginKey as the salt and is the MAC value, calculated with the SM3 algorithm, of user unique identifier + service system address + group code + expiration time.
Furthermore, when the access_token expires and is refreshed, only the filling key K_j of sequence number j in the quantum security chip is needed to encrypt the unique identifier in the security chip.
As one specific technical scheme, the specific process of the group authorization token in step S4 is as follows:
S41, the user applies for a group key authorization token with the access_token; the service system checks whether the access_token has expired or been tampered with and whether the user belongs to the specified group; if verification passes, the next step is executed; if it fails, the request is refused and error information is returned;
S42, after the access_token passes verification, the service system generates a group_token;
S43, the user receives the group_token issued by the service system and checks whether ACCESS_GROUP is valid; after the check passes, the user uses the group_token to apply to the quantum cryptography management service system for the group key.
Furthermore, the group_token has a JWT structure consisting of a Header, a Payload and a Signature, where the Payload mainly contains:
iss: identification of a service system;
sub: a user unique identifier;
aud: identification of a quantum cryptography management service system;
gid: identification of the group;
exp: expiration time of Token;
iat: time of Token generation;
sig: the service system uses the private key to sign the above fields;
private claims ACCESS_GROUP and QUANTUM_GROUP are customized in the payload of the JWT, wherein ACCESS_GROUP uses the at_hash in the access_token as the salt and is the MAC value of iss, sub, aud, gid, exp, iat, sig and other information calculated with the SM3 algorithm; QUANTUM_GROUP uses the group key authentication code from step S3 as the salt and is the MAC value of iss, sub, aud, gid, exp, iat calculated with the SM3 algorithm.
As a specific technical scheme, the process of using the group_token to apply for the group key in step S5 is as follows:
S51, the user symmetrically encrypts the group_token with the SM4 algorithm using the key K_m of key sequence number m in the quantum security chip of the terminal device, where the IV takes the unique MAC of the quantum security chip;
S52, the quantum cryptography management service system looks up the key stored in the system that corresponds to the user's key sequence number m and the unique MAC of the quantum security chip, decrypts to obtain the group_token, and then checks whether QUANTUM_GROUP is valid;
S53, after verification passes, the group key is symmetrically encrypted with the SM4 algorithm using the filling key K_n corresponding to the user's filling key sequence number n and then sent to the user.
The invention also provides a group key management system based on quantum key distribution and token authorization technology, which adopts any one of the above group key management methods based on quantum key distribution and token authorization technology, the system comprising:
a service system (business system) for providing message sending and receiving functions;
QKD for generating a quantum key;
a quantum exchange cipher machine for receiving the quantum keys sent by the quantum random number generator and providing key services; the keys pre-stored in the quantum exchange cipher machine are generated by the quantum random number generator, and the keys in the quantum exchange cipher machine and the keys in the quantum security chip are symmetric keys;
a quantum key filling machine, connected to the output of the quantum exchange cipher machine, for filling quantum keys;
a quantum cryptography management service system, which exchanges data over the network with the service system and with the quantum security chip respectively, is directly connected to the quantum exchange cipher machine, and provides encryption keys and identity authentication functions;
a quantum security chip storing quantum security keys; the key stored in each quantum security chip and the key pre-stored in the quantum exchange cipher machine are symmetric keys, and the quantum security chip uses its security keys to perform symmetric entity authentication with the quantum cryptography management service system over the network;
user terminal equipment for sending and receiving group member messages, with the quantum security chip built into or externally connected to the user terminal equipment.
The invention has the advantages that:
1. Improved security
(1) Group key security:
The invention manages the group key through dynamic generation and encryption and decryption, which ensures the security and timeliness of the group key and prevents it from being leaked or abused.
(2) Key transmission security:
Throughout its life cycle the key is transmitted as ciphertext; the key plaintext is obtained by decrypting with the pre-filled quantum key, and the filled key is protected by the encryption chip.
(3) Protection against the security threats posed by future quantum computers and quantum algorithms:
(1) avoiding the breaking of public key cryptographic algorithms based on the large integer factorization problem: the quantum symmetric key cannot be broken by large integer factorization;
(2) protecting against the security threat posed by future quantum computers: the quantum security cipher is used for encrypted transmission, and the transmission process is completely secure and trustworthy in theory;
(3) protecting against the threat that quantum algorithms which may appear in the future pose to existing cryptosystems: the quantum security cipher is used for encrypted transmission, and the quantum security key is a true random number generated by a quantum random number generator and cannot be broken algorithmically.
2. Reduced group encryption complexity and improved encryption and decryption efficiency
(1) Reducing the complexity of group key management
The invention uses a Token with a JWT structure as the credential with which a user applies for the group key, which decouples the service system from the key management system and simplifies the user authentication and authorization flow.
(2) Improved encryption and decryption efficiency
Quantum symmetric encryption improves encryption and decryption efficiency; compared with traditional group encryption, which mainly uses DH or ECDH to generate a shared key, or uses asymmetric encryption such as RSA and ECC, it saves more computing power.
(3) No third party is needed to issue and authenticate digital certificates
A certificate-free authentication mode is provided, reducing third-party participation: entity authentication between the two parties is performed with an entity authentication protocol based on symmetric cryptography, and no third party is needed to issue certificates. This reduces the number of participants in the process and the risk of a three-party protocol.
3. Easy to implement, highly general and highly extensible
(1) The technology is easy to implement
The quantum security chip is a feasible technology, security authentication based on quantum symmetric keys is also achievable, and the temporary symmetric key used to encrypt messages can be generated from quantum random numbers; the technology is mature and highly secure.
(2) High generality and extensibility
The invention requires few changes to the service system; it improves security mainly by adding the quantum key service system, and is therefore highly general. The invention can be integrated into a quantum security service platform, is highly extensible and exposes functional interfaces externally.
4. Economic benefit
(1) Saving computing power
Quantum symmetric encryption saves more computing power.
(2) Reducing interactions
The customized protocol format reduces the interaction cost of sending key signatures multiple times.
(3) Low retrofit cost
The invention can be retrofitted onto an existing system; the platform side needs almost no modification, the application side only needs to integrate with it, and the retrofit cost is low.
Drawings
FIG. 1 is a block diagram of a group membership authentication system in accordance with an embodiment of the present invention;
FIG. 2 is a general flow chart of a group key management method based on quantum key distribution and token authorization techniques in accordance with an embodiment of the present invention;
FIG. 3 is a specific process diagram of user identity authentication in step S1 in a group key management method based on quantum key distribution and token authorization techniques according to an embodiment of the present invention;
FIG. 4 is a detailed process diagram of the group authorization token in step S4 in the method for managing group keys based on quantum key distribution and token authorization technique according to the embodiment of the present invention;
FIG. 5 is a detailed process diagram of using the group_token to apply for the group key in step S5 in a group key management method based on quantum key distribution and token authorization technology according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly and completely described in the following in conjunction with the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention provides a group key management method based on quantum key distribution and token authorization technology, which is applied to a group member identity authentication system shown in fig. 1, wherein the group member identity authentication system comprises:
a service system (business system) for providing message sending and receiving functions;
a quantum random number generator (QKD) for generating a quantum key;
a quantum exchange cipher machine for receiving the quantum keys sent by the quantum random number generator and providing key services; the keys pre-stored in the quantum exchange cipher machine are generated by the quantum random number generator, and the keys in the quantum exchange cipher machine and the keys in the quantum security chip are symmetric keys;
a quantum key filling machine, connected to the output of the quantum exchange cipher machine, for filling quantum keys;
a quantum cryptography management service system, which exchanges data over the network with the service system and with the quantum security chip respectively, is directly connected to the quantum exchange cipher machine, and provides encryption keys and identity authentication functions;
a quantum security chip storing quantum security keys; the key stored in each quantum security chip and the key pre-stored in the quantum exchange cipher machine are symmetric keys, and the quantum security chip uses its security keys to perform symmetric entity authentication with the quantum cryptography management service system over the network;
user terminal equipment for sending and receiving group member messages, with the quantum security chip built into or externally connected to the user terminal equipment.
By adopting the above technical scheme, the problem of authenticating the identity of the message sending and receiving entities is solved: identity authentication is performed using the quantum symmetric key built into the quantum security chip, with one key per authentication.
By adopting the above technical scheme, the security threats posed by future quantum computers and quantum algorithms are guarded against, and the breaking of public key cryptographic algorithms based on the large integer factorization problem is avoided: quantum symmetric keys are used, which cannot be broken by large integer factorization.
Referring to fig. 2, the group key management method based on quantum key distribution and token authorization technique of the present invention includes the following steps:
S1: the group member performs identity authentication using the filling key in the quantum security chip, and the service system sends an access_token to the group member after authentication passes;
S2: when the group membership changes (a member joins or leaves) or the group key expires, the service system initiates a group key update request to the quantum cryptography management service system;
S3: the quantum cryptography management service system generates a new group key from a quantum random number and at the same time distributes a paired key through QKD, the paired key serving as the authentication code of the new group key;
S4: the service system notifies the group members that the group key has been updated, generates an authorization token in JWT form from the authentication code of the new group key, encrypts the authorization token with the access_token and sends it to the group members;
S5: after decrypting with the access_token, the group member encrypts the authorization token with the filling key and requests the group key from the quantum cryptography management service system;
S6: the quantum cryptography management service system decrypts with the corresponding filling key to obtain the authorization token, first checks whether the group key authentication code is correct, then checks whether the user in the authorization token is consistent with the user corresponding to the filling key, and after verification passes encrypts the group key with the filling key corresponding to the user and returns it to the user;
S7: the user decrypts with the corresponding filling key to obtain the group key, and can then decrypt the encrypted messages in the group normally.
Referring to fig. 3, the specific process of authenticating the user in step S1 is as follows:
S11, a quantum key filling machine securely fills the quantum keys generated by QKD into the quantum security chip and the quantum cryptography management service system;
S12, when a group member registers or activates an account on the user terminal device, the service system takes the user's registered biometric information, account number or mobile phone number as the user unique identifier; the service system performs key negotiation with the quantum cryptography management service system through QKD to obtain a temporary user registration key signKey; the service system encrypts the user unique identifier with the signKey and sends it to the quantum cryptography management service system, which decrypts it with the signKey and then stores the correspondence between the user unique identifier and the unique physical MAC of the quantum security chip;
S13, the quantum cryptography management service system symmetrically encrypts the user unique identifier with the filling key K_i of sequence number i in the quantum security chip and transmits it to the quantum security chip, and the quantum security chip writes the user unique identifier into its own secure storage space;
S14, the user terminal device, through the quantum security chip, encrypts information such as the user's unique identifier and biometric features with SM3_HMAC using the filling key and sends it to the service system for identity authentication; the service system requests authentication from the quantum cryptography management service system; after authentication passes, the quantum cryptography management service system generates a loginKey and sends it to the service system together with the authentication result. The filling keys are in one-to-one correspondence between the security chip and the quantum cryptography service system; filling keys are filled in batches, the filling keys of different media are different, and software on the user terminal can call an interface of the security chip to encrypt information with the filling key;
S15, after authentication succeeds, the service system issues an access_token to the client. The access_token has a JWT structure; to enhance its security, an at_hash claim, { "at_hash": "XXX" }, is added to the payload of the JWT, where the at_hash uses the loginKey as the salt and is the MAC value, calculated with the SM3 algorithm, of user unique identifier + service system address + group code + expiration time. In addition, when the access_token expires and is refreshed, only the filling key K_j of sequence number j in the quantum security chip is needed to encrypt the unique identifier in the security chip; the quantum cryptography management service system decrypts using the filling key of sequence number i, stored in the platform, that corresponds to the security chip, and checks whether the unique identifier of the security chip is correct; after verification passes it sends a new loginKey to the service system, and the service system updates the access_token with the new loginKey and sends it to the client.
Referring to fig. 4, in step S4, the specific process of the group authorization token (group_token) is as follows:
S41, the user applies for a group key authorization token with the access_token; the service system checks whether the access_token has expired, whether it has been tampered with (whether the at_hash matches), and whether the user belongs to the specified group; if authentication passes, the next step is executed, and if it fails, the request is refused and error information is returned;
S42, after verifying the access_token, the service system generates a group_token; the group_token has a JWT structure consisting of a Header, a Payload and a Signature, and the main content of the Payload is as follows:
iss: identification of the business system, e.g. "biz.com";
sub: a user unique identification, such as "user123";
aud: identification of a quantum cryptography management service system, such as "key.com";
gid: an identification of a group, such as "group456";
exp: expiration time of Token, e.g. "2024-01-01 12:00:00";
iat: the time of generation of Token, e.g. "2023-12-31 12:00:00";
sig: the service system uses the private key to sign the above fields;
To enhance the security of the group_token, we customize the private payloads ACCESS_GROUP and QUANTUM_GROUP in the payload of the JWT, where ACCESS_GROUP uses the at_hash in the access_token as the salt and uses the SM3 algorithm to calculate the MAC value of the iss, sub, aud, gid, exp, iat and sig information; QUANTUM_GROUP uses the group key authentication code from step S3 as the salt and uses the SM3 algorithm to calculate the MAC value of iss, sub, aud, gid, exp and iat.
S43, the user receives the group_token issued by the service system and checks whether ACCESS_GROUP is legal; after the check passes, the group_token can be used to apply to the quantum password management service system for the group key.
Referring to fig. 5, in step S5, the process of applying for the group key with the group_token is as follows:
S51, the user uses the secret key Km of cipher sequence m in the quantum security chip in the terminal equipment to symmetrically encrypt the group_token with the SM4 algorithm, where the IV takes the unique MAC of the quantum security chip;
S52, the quantum password management service system looks up the key corresponding to the user's cipher sequence m and the unique MAC of the quantum security chip stored in the system, decrypts to obtain the group_token, and then checks whether QUANTUM_GROUP is legal;
S53, after verification passes, the group key is symmetrically encrypted with the SM4 algorithm using the filling key Kn corresponding to the user's filling key sequence n and then sent to the user.
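The MAC chain of steps S15, S42, S43 and S52 as an added example (not code from the patent). It assumes the "salt" acts as an HMAC key, joins fields with "|", treats sig as an opaque constructed string, and substitutes SHA-256 only where the local OpenSSL build lacks SM3; function names and sample values are hypothetical.

```python
import hashlib
import hmac

# The page specifies SM3. SHA-256 is a labelled stand-in used only when the
# local OpenSSL build does not expose SM3, so the example still runs.
try:
    hashlib.new("sm3")
    DIGEST = "sm3"
except ValueError:
    DIGEST = "sha256"

CLAIMS = ("iss", "sub", "aud", "gid", "exp", "iat")


def mac(key: bytes, *fields: str) -> str:
    # Assumption: the page's "salt" is the HMAC key, and fields are joined
    # with "|" (the page only writes "+").
    return hmac.new(key, "|".join(fields).encode(), DIGEST).hexdigest()


def make_at_hash(login_key: bytes, uid: str, svc_addr: str, gid: str, exp: str) -> str:
    # S15: MAC over user id + service system address + group code + expiry.
    return mac(login_key, uid, svc_addr, gid, exp)


def issue_group_token(claims: dict, sig: str, at_hash: str, auth_code: bytes) -> dict:
    # S42: standard claims plus the two private claims.
    base = [claims[k] for k in CLAIMS]
    token = dict(claims, sig=sig)
    token["ACCESS_GROUP"] = mac(at_hash.encode(), *base, sig)
    token["QUANTUM_GROUP"] = mac(auth_code, *base)
    return token


def user_check(token: dict, at_hash: str) -> bool:
    # S43: the member recomputes ACCESS_GROUP from its own at_hash.
    want = mac(at_hash.encode(), *(token[k] for k in CLAIMS), token["sig"])
    return hmac.compare_digest(want, token["ACCESS_GROUP"])


def kms_check(token: dict, auth_code: bytes, key_owner: str) -> bool:
    # S52 / S6: recompute QUANTUM_GROUP under the current authentication code,
    # then require sub to match the user who owns the decrypting filling key.
    want = mac(auth_code, *(token[k] for k in CLAIMS))
    return hmac.compare_digest(want, token["QUANTUM_GROUP"]) and token["sub"] == key_owner


# Constructed sample values (identifiers reuse the page's examples).
LOGIN_KEY = b"constructed-loginKey"
AUTH_CODE_V1 = b"constructed-auth-code-epoch-1"
AUTH_CODE_V2 = b"constructed-auth-code-epoch-2"
CLAIMS_IN = {"iss": "biz.com", "sub": "user123", "aud": "key.com",
             "gid": "group456", "exp": "2024-01-01 12:00:00",
             "iat": "2023-12-31 12:00:00"}
AT_HASH = make_at_hash(LOGIN_KEY, "user123", "biz.com", "group456",
                       "2024-01-01 12:00:00")
TOKEN = issue_group_token(CLAIMS_IN, "constructed-signature", AT_HASH, AUTH_CODE_V1)

if __name__ == "__main__":
    print("member accepts token:", user_check(TOKEN, AT_HASH))
    print("KMS accepts token:", kms_check(TOKEN, AUTH_CODE_V1, "user123"))
    print("KMS accepts edited gid:",
          kms_check(dict(TOKEN, gid="group999"), AUTH_CODE_V1, "user123"))
    print("KMS accepts token after rekey:",
          kms_check(TOKEN, AUTH_CODE_V2, "user123"))
```

Because QUANTUM_GROUP is keyed by the group key authentication code, a group_token issued before a group key update stops verifying once the code changes, and the sub comparison rejects a valid token presented under another user's filling key.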
The above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A group key management method based on quantum key distribution and token authorization technology is characterized in that: the method comprises the following steps:
S1: the group member uses the filling key in the quantum security chip to perform identity authentication, and the service system sends an access token to the group member after authentication passes;
S2: when the group membership changes or the group key expires, the service system initiates a group key update request to the quantum cryptography management service system;
S3: the quantum cryptography management service system generates a new group key from a quantum random number and at the same time distributes a paired key through QKD, the paired key being used as the authentication code of the new group key;
S4: the service system notifies the group members to update the group key, generates an authorization token using the authentication code of the new group key, encrypts the authorization token with the access_token and sends the encrypted authorization token to the group members;
S5: after decrypting with the access token, the group member encrypts the authorization token with the filling key and then requests the group key from the password management service system;
S6: the password management service system obtains the authorization token after decrypting with the corresponding filling key, first checks whether the group key authentication code is correct, then checks whether the user in the authorization token is consistent with the user corresponding to the filling key, and after verification passes encrypts the group key with the filling key corresponding to the user and returns it to the user;
S7: the user obtains the group key after decrypting with the corresponding filling key and can then decrypt the encrypted messages in the group normally.
2. The group key management method based on quantum key distribution and token authorization technique according to claim 1, wherein: the specific process of user identity authentication in step S1 is as follows:
S11, the quantum key generated by the QKD is securely filled into the quantum security chip and the quantum password management service system using a quantum key filling machine;
S12, when a group member user registers or activates an account at the user terminal equipment, the service system performs key negotiation with the quantum password management service system through QKD to obtain a temporary user registration key; the service system uses this key to encrypt the user unique identifier and sends it to the quantum password management service system, and the quantum password management service system decrypts it with the same key and then stores the correspondence between the user unique identifier and the unique physical MAC of the quantum security chip;
S13, the quantum password management service system symmetrically encrypts the user unique identifier with the filling key Ki of sequence i in the quantum security chip and transmits the ciphertext to the quantum security chip, and the quantum security chip writes the user unique identifier into its own secure storage space.
S14, the user terminal equipment, through the quantum security chip, encrypts the user's unique identification information with SM3_HMAC using a filling key and sends the result to the service system for identity authentication; the service system requests authentication from the quantum password management service system, and after authentication passes, the quantum password management service system generates a loginKey and sends it to the service system together with the authentication result;
S15, after authentication succeeds, the service system issues an access token to the client; the quantum cryptography management service system decrypts with the filling key Ki of sequence i corresponding to the security chip stored in the platform, checks whether the unique identifier of the security chip is correct, and transmits a new loginKey to the service system after verification passes; the new loginKey is transmitted to the client after the service system uses the new loginKey to update the access token.
3. A group key management method based on quantum key distribution and token authorization techniques according to claim 1 or 2, wherein: the filling keys are in one-to-one correspondence with the security chips and the quantum cryptography service system.
4. The group key management method based on quantum key distribution and token authorization technique according to claim 2, wherein: the service system takes the registered biological characteristic information of the user or the account number or the mobile phone number as the unique identifier of the user.
5. The group key management method based on quantum key distribution and token authorization technique according to claim 2, wherein: the access_token has a JWT structure, and an at_hash is added to the payload of the JWT to enhance security, {"at_hash": "XXX"}, where the at_hash takes the loginKey as the salt and uses the SM3 algorithm to calculate the MAC value of the user unique identifier + the service system address + the group code + the expiration time.
6. The group key management method based on quantum key distribution and token authorization technique according to claim 2, wherein: when the access token expires and is refreshed, only the filling key Kj of sequence j in the quantum security chip is needed to encrypt the unique identifier in the security chip.
7. The group key management method based on quantum key distribution and token authorization technique according to claim 2, wherein: the specific process of the group authorization token in the step S4 is as follows:
S41, the user applies for a group key authorization token with the access token; the service system checks whether the access token has expired, whether it has been tampered with, and whether the user belongs to the specified group; if authentication passes, the next step is executed, and if it fails, the request is refused and error information is returned;
S42, after verifying the access_token, the service system generates a group_token;
S43, the user receives the group_token issued by the service system and checks whether ACCESS_GROUP is legal; after the check passes, the user uses the group_token to apply to the quantum password management service system for the group key.
8. The group key management method based on quantum key distribution and token authorization technique according to claim 5 or 7, wherein: the structure of the group_token is JWT, and consists of a head part, a load part and a signature part, wherein the main content of the Payload is as follows:
iss: identification of a service system;
sub: a user unique identifier;
aud: identification of a quantum cryptography management service system;
gid: identification of the group;
exp: expiration time of Token;
iat: time of Token generation;
sig: the service system uses the private key to sign the above fields;
the private payloads ACCESS_GROUP and QUANTUM_GROUP are customized in the payload of the JWT, where ACCESS_GROUP uses the at_hash in the access_token as the salt and uses the SM3 algorithm to calculate the MAC value of iss, sub, aud, gid, exp, iat, sig and other information; QUANTUM_GROUP uses the group key authentication code from step S3 as the salt and uses the SM3 algorithm to calculate the MAC value of iss, sub, aud, gid, exp and iat.
9. The group key management method based on quantum key distribution and token authorization technique according to claim 5, wherein: the process of applying the group key in step S5 includes:
S51, the user uses the secret key Km of cipher sequence m in the quantum security chip in the terminal equipment to symmetrically encrypt the group_token with the SM4 algorithm, where the IV takes the unique MAC of the quantum security chip;
S52, the quantum password management service system looks up the key corresponding to the user's cipher sequence m and the unique MAC of the quantum security chip stored in the system, decrypts to obtain the group_token, and then checks whether QUANTUM_GROUP is legal;
S53, after verification passes, the group key is symmetrically encrypted with the SM4 algorithm using the filling key Kn corresponding to the user's filling key sequence n and then sent to the user.
10. A group key management system based on quantum key distribution and token authorization techniques, characterized in that: based on the group key management method based on quantum key distribution and token authorization technique according to any one of claims 1 to 9, the system comprises:
a business system for providing a message receiving and transmitting function;
QKD for generating a quantum key;
the quantum exchange cipher machine is used for receiving the quantum key sent by the quantum random number generator and providing key service, the key is prestored in the quantum exchange cipher machine, and the key is a key which is generated by the quantum random number generator and is stored in the quantum exchange cipher machine, and the key in the quantum exchange cipher machine and the key in the quantum security chip are symmetric keys;
the quantum key filling machine is connected with the output end of the quantum exchange cipher machine and is used for filling the quantum key;
the quantum password management service system is respectively in data interaction with the service system and the quantum security chip through a network, and is directly connected with the quantum password switch and used for providing encryption keys and identity authentication functions;
the quantum security chip stores quantum security keys, the key stored in each quantum security chip and the key prestored in the quantum exchange cipher machine are symmetric keys, and the security keys in the quantum security chip are authenticated by symmetric entities through a network and a quantum cipher management service system;
and the user terminal equipment is used for receiving and transmitting group member messages, and the quantum security chip is internally arranged or externally connected with the user terminal equipment.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311748237.3A CN117857027A (en) | 2023-12-18 | 2023-12-18 | Group key management method and system based on quantum key distribution and token authorization technology |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117857027A | 2024-04-09 |
Family
ID=90537612
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311748237.3A Pending CN117857027A (en) | 2023-12-18 | 2023-12-18 | Group key management method and system based on quantum key distribution and token authorization technology |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118487749A (en) * | 2024-04-19 | 2024-08-13 | 安徽成方量子科技有限公司 | Key distribution method, device and system applied in quantum key management scenario |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||