[go: up one dir, main page]

CN119652588A - A global quantum secure key distribution method to prevent replay attacks - Google Patents

A global quantum secure key distribution method to prevent replay attacks Download PDF

Info

Publication number
CN119652588A
CN119652588A CN202411765535.8A CN202411765535A CN119652588A CN 119652588 A CN119652588 A CN 119652588A CN 202411765535 A CN202411765535 A CN 202411765535A CN 119652588 A CN119652588 A CN 119652588A
Authority
CN
China
Prior art keywords
key
terminal
quantum
pool
communication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202411765535.8A
Other languages
Chinese (zh)
Inventor
傅波海
黎爽
徐静
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Matrix Time Digital Technology Co Ltd
Original Assignee
Matrix Time Digital Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Matrix Time Digital Technology Co Ltd filed Critical Matrix Time Digital Technology Co Ltd
Priority to CN202411765535.8A priority Critical patent/CN119652588A/en
Publication of CN119652588A publication Critical patent/CN119652588A/en
Pending legal-status Critical Current

Links

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to the technical field of information security, in particular to a global quantum security key distribution method for preventing replay attack. When the key center receives the key distribution request of the terminal, the method checks the communication address to ensure the validity of the request and the matching between the terminal and the key pool, thereby effectively preventing network replay attack. Meanwhile, by combining with the access control of the equipment identifier, only the authorized terminal can be further ensured to be accessed into the system by checking the equipment identifier, and a double checking mechanism is realized. After the key distribution is completed, the key center recovers the resources corresponding to the complementary quantum key, so that the repeated use of the key is avoided, the one-time use principle of the key is ensured, and the efficient utilization of the key resources is improved. The application improves the key distribution safety of the global quantum security network and provides reliable technical support for quantum communication.

Description

Global quantum security key distribution method for preventing replay attack
Technical Field
The invention relates to the technical field of information security, in particular to a global quantum security key distribution method for preventing replay attack.
Background
In existing global quantum security networks, the key distribution process relies primarily on interactions between the quantum security terminal and the key center. The key center is responsible for generating a key and an encryption key, and transmitting the encryption key to the quantum security terminal in a quantum security encryption mode. After receiving the key distribution response, the quantum security terminal decrypts the key center information and the key index by using the encryption key, and then downloads the key from the key center. This key distribution ensures secure transmission of the keys.
However, the prior art has certain safety hazards. Once the attacker obtains the key index, it can obtain the key center information through network message and try to download the key to the key center. Although keys downloaded by illegal quantum security terminals cannot be used because they do not have an encryption key and cannot be decrypted, this downloading behavior places a certain burden on the key center.
Disclosure of Invention
In order to solve the problems, the application discloses a global quantum security key distribution method for preventing replay attack, which comprises the following steps:
The key center checks whether the equipment identifier of the terminal is legal or not, establishes a key pool after the verification is passed, associates the equipment identifier of the terminal with the key pool, distributes the key pool identifier for the key pool, generates a corresponding quantum security key, and synchronizes the quantum security key and the key pool identifier with the legal terminal;
The terminal sends a key distribution request to a key center, and the key distribution request carries a key pool identifier and a self device identifier, wherein the device identifier is subjected to quantum encryption processing by the key protection key;
the key center decrypts and acquires the equipment identifier and performs verification, and after the verification is passed, a key distribution response message is sent to the terminal and carries a communication address corresponding to the terminal, wherein the key distribution response message is sent to the terminal after being encrypted by a communication protection key;
the terminal receives a key distribution response message of a key center, obtains a communication address after decrypting a key protection key, constructs a key downloading request message, and carries a key pool identifier, a self communication address and a key index, wherein the communication address and the key index carry out quantum encryption processing again by using the communication protection key;
the key center receives the key downloading request message of the terminal, determines a corresponding key pool through the key pool identification, matches a corresponding communication protection key, decrypts the downloading request message to obtain a terminal communication address and a key index, verifies whether the communication address is correct, matches a generated complementary quantum key based on the key index in the key downloading request message after verification, and issues the complementary quantum key to the terminal, wherein the complementary quantum key is transmitted to the terminal in a file stream mode after being encrypted by a transmission key;
The terminal acquires the encrypted complementary key, and acquires a real complementary quantum key after decrypting the encrypted complementary key through the key protection key;
and after the terminal key downloading is completed, the key center recovers the resources corresponding to the complementary quantum key.
The communication protection key and the key protection key are quantum true random number keys.
The communication protection key comprises an uplink key and a downlink key.
The communication address includes address and port information.
The device identification includes manufacturer information and a hardware identification.
When the key center receives the key distribution request of the terminal, the method checks the communication address to ensure the validity of the request and the matching between the terminal and the key pool, thereby effectively preventing network replay attack. Meanwhile, by combining with the access control of the equipment identifier, only the authorized terminal can be further ensured to be accessed into the system by checking the equipment identifier, and a double checking mechanism is realized. After the key distribution is completed, the key center recovers the resources corresponding to the complementary quantum key, so that the repeated use of the key is avoided, the one-time use principle of the key is ensured, and the efficient utilization of the key resources is improved. The application improves the key distribution safety of the global quantum security network and provides reliable technical support for quantum communication.
Drawings
Fig. 1 is a flowchart of a method for global quantum security key distribution for replay attack prevention in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail below with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Embodiment as shown in FIG. 1, a method for distributing a global quantum security key for preventing replay attack includes the following steps:
S101, a key center checks whether a device identifier of a terminal is legal or not, and establishes a key pool after the device identifier passes the check, and distributes the key pool identifier for the key pool associated with the device identifier of the terminal, so as to generate a corresponding quantum security key, and synchronizes the quantum security key and the key pool identifier with the legal terminal;
The key center establishes a legal device identification library, wherein the legal device identification library stores the device identification information of all authorized terminals, when the terminals attempt to establish connection, the key center performs validity check on the device identifications sent by the terminals to ensure that the terminals exist in the device identification library, and after the validity check is passed, the key center initializes a key pool and distributes a unique key pool identification for the terminals.
Aiming at the key pool, a quantum security key is generated by a key center, is a quantum true random number key, and specifically comprises a communication protection key and a key protection key, wherein the communication protection key comprises an uplink key and a downlink key;
S102, a terminal sends a key distribution request to a key center and carries a key pool identifier and a self device identifier, wherein the device identifier is subjected to quantum encryption processing by the key protection key;
When a terminal needs a key, generating a key distribution request which comprises a device identifier of the terminal and a previously synchronized key pool identifier, wherein in order to protect the safety of the device identifier, the terminal uses a key protection key to carry out quantum encryption processing on the device identifier;
S103, the key center decrypts the acquired equipment identifier and checks, and after the verification is passed, a key distribution response message is sent to the terminal and carries a communication address corresponding to the terminal, wherein the key distribution response message is sent to the terminal after being encrypted by a communication protection key;
After the key center receives the key distribution request, the key center decrypts the request by using the key protection key to obtain the equipment identifier, and verifies the validity of the equipment identifier again and confirms the correctness of the key pool identifier;
S104, the terminal receives the key distribution response message of the key center, obtains a communication address after decrypting the key protection key, constructs a key downloading request message, and carries a key pool identifier, a self communication address and a key index, wherein the communication address and the key index carry out quantum encryption processing again by using the communication protection key;
The terminal receives the key distribution response message of the key center, and decrypts the key distribution response message by using the communication protection key to obtain a communication address; the terminal constructs a key downloading request message which comprises a key pool identifier, a communication address of the terminal and a key index, and in order to protect the safety of the communication address and the key index, the terminal uses a communication protection key to carry out quantum encryption processing on the communication protection key;
S105, the key center receives the key downloading request message of the terminal, determines a corresponding key pool through a key pool identifier, matches a corresponding communication protection key, decrypts the downloading request message to obtain a terminal communication address and a key index, verifies whether the communication address is correct, matches a generated complementary quantum key based on the key index in the key downloading request message after verification, and transmits the complementary quantum key to the terminal, wherein the complementary quantum key is encrypted through a transmission key and then is transmitted to the terminal in a file stream mode;
The key center receives the key downloading request message and positions the key downloading request message to the corresponding key pool through the key pool identification, decrypts the request message by using the matched communication protection key to acquire the communication address and the key index of the terminal, verifies the correctness of the communication address and ensures the validity of the key downloading request;
s106, the terminal acquires the encrypted complementary key, and acquires a real complementary quantum key after decrypting the encrypted complementary key through the key protection key;
After receiving the encrypted complementary key file stream, the terminal decrypts the encrypted complementary key file stream by using the key protection key to obtain a real complementary quantum key;
s107, after the terminal key downloading is completed, the key center recovers the resources corresponding to the complementary quantum key;
After confirming that the terminal successfully downloads the complementary quantum key, the key center immediately recovers the resource corresponding to the key, prevents the key from being repeatedly downloaded, and can not download the key with the key index even if the key is a legal request. The download key cannot be pseudo-loaded even if the original request is replayed using the original quantum security terminal communication.
Wherein the communication address includes address and port information.
The device identification includes manufacturer information and a hardware identification.
Illustratively, it is assumed that there is a key Center (KEY D I STR I but i on Center, KDC) and a terminal (Termina l, T) between which secure distribution of keys is required.
S101, initializing key pool by key center
The terminal T sends the device identification to the KDC including the Manufacturer information "manufacturer_x" and the hardware identification "HW456".
The KDC verifies the validity of "manufacturer_x_hw456" in its device identification library.
After the verification is passed, the KDC creates a key pool for T and distributes a key pool identifier of KP 001.
The KDC generates a pair of quantum security keys, communication protection key "CK001" and key protection key "MK001".
The KDC synchronizes "CK001", "MK001", and "KP001" to T through the quantum channel.
S102, the terminal sends key distribution request
T requires a new key, generates a key distribution request containing "KP001" and the device identification "Manufacturer X HW456".
T uses "MK001" to quantum encrypt the device identification "manufacturer_X_HW456" to obtain an Encrypted device identification "encrypted_manufacturer_X_HW456".
T sends the key distribution request to KDC.
S103 key center response
After the KDC receives the request, it decrypts the encrypted_Manufacturer_X_HW456 using MK001 to obtain Manufacturer_X_HW 456.
The KDC verifies the validity of "manufacturer_x_hw456" and passes the verification.
The KDC generates a key distribution response message containing the communication address of T, including IP address "192.168.1.100" and port information "8080".
The KDC encrypts the key distribution Response message using "CK001" to obtain "encrypted_response".
The KDC sends "encrypted_response" to T.
S104, terminal constructs key download request
T receives "encrypted_response" and decrypts using "CK001" to obtain communication address "192.168.1.100:8080".
T constructs a Key download request message containing "KP001", "192.168.1.100:8080" and a Key index "Key_ I ndex _001".
T uses "CK001" to quantum encrypt "192.168.1.100:8080" and "Key_ I ndex _001" to obtain "encrypted_Address" and "encrypted_ I ndex".
T sends the key download request to KDC.
S105, the key center processes the key download request
The KDC receives the key download request and locates to the corresponding key pool through "KP 001".
The KDC uses "CK001" to decrypt "encrypted_Address" and "encrypted_ I ndex" to obtain "192.168.1.100:8080" and "Key_ I ndex _001".
The KDC verifies the correctness of '192.168.1.100:8080', and passes the verification.
The KDC matches from the Key pool to the supplemental quantum Key "Supp L EMENTARY _qk" according to "key_ I ndex _001".
The KDC encrypts the "Supp L EMENTARY _qk" using the transmission key "TK" to obtain "encrypted_qk".
The KDC sends the "encrypted_qk" to T in the form of a file stream.
S106, the terminal acquires the complementary quantum key
T receives the "encrypted_QK" file stream, decrypts the file stream by using "MK001" and obtains the real complementary quantum key "Supp L EMENTARY _QK".
S107, recycling resources by key center
After the KDC confirms that the T successfully downloads the 'Supp L EMENTARY _QK', the resources corresponding to the 'Supp L EMENTARY _QK' are immediately recovered, so that the secret key is ensured not to be reused.
In the scheme of the embodiment, when the key center receives the key distribution request of the terminal, the communication address (comprising the IP address and the port information) in the message is checked to be consistent with the actual communication address of the terminal, if so, the message is truly sent by a legal quantum security terminal, and the terminal is matched with the key pool mentioned in the request;
The verification mechanism ensures that only the terminal with the correct equipment identifier and communication address can acquire the quantum security key, thereby improving the security of the system.
If an attacker tries to replay old messages in the network, the communication address in the replayed message is likely to be inconsistent with the current actual communication address of the terminal, since the communication address is typically dynamically changing.
When the key center verifies the communication address, if the communication address is inconsistent, the request is refused, so that the network replay attack is effectively prevented.
This mechanism makes it impossible for an attacker to use the previous communication content to acquire new key resources even if the content is intercepted.
Access control in combination with a device identification, the device identification comprising manufacturer information and a hardware identification, provides a unique identification for the terminal.
The key center further ensures that only authorized terminals can access the system by checking the device identification. This dual check (communication address and device identification) mechanism greatly enhances the access control capabilities of the system.
After the key distribution is completed, the key center recovers the resources corresponding to the supplemental quantum key.
The repeated use of the secret key is avoided, and the one-time use principle of the secret key is ensured, so that the safety of the secret key is improved. The resource recycling mechanism also ensures the efficient utilization of the key resources in the key pool and prevents the waste of the resources.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (5)

1.一种防重放攻击的全域量子安全密钥分发方法,其特征在于,包括以下步骤:1. A global quantum secure key distribution method that is resistant to replay attacks, comprising the following steps: 密钥中心校验终端的设备标识是否合法,并在校验通过后建立密钥池,将所述密钥池关联终端的设备标识,为该密钥池分配密钥池标识,生成对应的量子安全密钥,并与合法的终端之间同步所述量子安全密钥和密钥池标识;所述量子安全密钥包括通信保护密钥和密钥保护密钥;The key center verifies whether the device identification of the terminal is legal, and establishes a key pool after the verification is passed, associates the key pool with the device identification of the terminal, assigns a key pool identification to the key pool, generates a corresponding quantum security key, and synchronizes the quantum security key and the key pool identification with the legal terminal; the quantum security key includes a communication protection key and a key protection key; 终端向密钥中心发送密钥分发请求,携带密钥池标识和自身的设备标识,其中,所述设备标识通过所述密钥保护密钥量子加密处理;The terminal sends a key distribution request to the key center, carrying the key pool identifier and its own device identifier, wherein the device identifier is quantum encrypted by the key protection key; 密钥中心解密获取设备标识并进行校验,校验通过后,向终端发送密钥分发响应消息,携带终端对应的通信地址,其中,密钥分发响应消息经通信保护密钥加密后发送至终端;The key center decrypts and obtains the device identification and verifies it. After the verification is passed, it sends a key distribution response message to the terminal, carrying the communication address corresponding to the terminal. The key distribution response message is encrypted with the communication protection key and sent to the terminal; 终端接收密钥中心的密钥分发响应消息,通过密钥保护密钥解密后获取到通信地址,并构造密钥下载请求消息,携带密钥池标识、自身的通信地址和密钥索引,其中所述通信地址和密钥索引利用通信保护密钥再次进行量子加密处理;The terminal receives the key distribution response message from the key center, obtains the communication address after decryption through the key protection key, and constructs a key download request message, which carries the key pool identifier, its own communication address and key index, wherein the communication address and key index are quantum encrypted again using the communication protection key; 密钥中心接收到终端的密钥下载请求消息,通过密钥池标识确定对应的密钥池,匹配对应的通信保护密钥,解密下载请求消息得到终端通信地址和密钥索引;验证该通信地址是否正确,并在验证通过后,基于密钥下载请求消息中的密钥索引,匹配生成的补充量子密钥,向终端下发该补充量子密钥,其中,所述补充量子密钥经传输密钥加密后以文件流的方式发送给终端;The key center receives the key download request message from the terminal, determines the corresponding key pool through the key pool identifier, matches the corresponding communication protection key, decrypts the download request message to obtain the terminal communication address and key index; verifies whether the communication address is correct, and after the verification is passed, matches the generated supplementary quantum key based on the key index in the key download request message, and sends the supplementary quantum key to the terminal, wherein the supplementary quantum key is encrypted with the transmission key and sent to the terminal in the form of a file stream; 终端获取到加密的补充密钥,经密钥保护密钥解密后获取真实的补充量子密钥;The terminal obtains the encrypted supplementary key, and obtains the real supplementary quantum key after decryption by the key protection key; 所述密钥中心在所述终端密钥下载完成之后,回收该补充量子密钥对应的资源。After the terminal key download is completed, the key center recovers the resources corresponding to the supplementary quantum key. 2.根据权利要求1所述的方法,其特征在于,所述通信保护密钥和密钥保护密钥均为量子真随机数密钥。2. The method according to claim 1 is characterized in that both the communication protection key and the key protection key are quantum true random number keys. 3.根据权利要求2所述的方法,其特征在于,所述通信保护密钥包括上行密钥和下行密钥。3. The method according to claim 2 is characterized in that the communication protection key includes an uplink key and a downlink key. 4.根据权利要求1所述的方法,其特征在于,所述通信地址包括地址和端口信息。4. The method according to claim 1 is characterized in that the communication address includes address and port information. 5.根据权利要求1所述的方法,其特征在于,所述设备标识包括制造商信息和硬件标识。The method according to claim 1 , wherein the device identification includes manufacturer information and hardware identification.
CN202411765535.8A 2024-12-04 2024-12-04 A global quantum secure key distribution method to prevent replay attacks Pending CN119652588A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411765535.8A CN119652588A (en) 2024-12-04 2024-12-04 A global quantum secure key distribution method to prevent replay attacks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411765535.8A CN119652588A (en) 2024-12-04 2024-12-04 A global quantum secure key distribution method to prevent replay attacks

Publications (1)

Publication Number Publication Date
CN119652588A true CN119652588A (en) 2025-03-18

Family

ID=94937654

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411765535.8A Pending CN119652588A (en) 2024-12-04 2024-12-04 A global quantum secure key distribution method to prevent replay attacks

Country Status (1)

Country Link
CN (1) CN119652588A (en)

Similar Documents

Publication Publication Date Title
CN110120869B (en) Key management system and key service node
US6456716B1 (en) Apparatus and method for establishing a crytographic link between elements of a system
CN108683501B (en) Multiple identity authentication system and method with timestamp as random number based on quantum communication network
EP0746927B1 (en) Apparatus and method for establishing a cryptographic link between elements of a system
KR100687455B1 (en) How confidential information is delivered
US8694783B2 (en) Lightweight secure authentication channel
CN108650028B (en) Multiple identity authentication system and method based on quantum communication network and true random number
CN113225352A (en) Data transmission method and device, electronic equipment and storage medium
CN113411190B (en) Key deployment, data communication, key exchange and security reinforcement method and system
JP4283699B2 (en) Content transfer control device, content distribution device, and content reception device
CN108964897B (en) Identity authentication system and method based on group communication
US20110213976A1 (en) Method for downloading conditional access system for digital broadcasting
CN113726733B (en) Encryption intelligent contract privacy protection method based on trusted execution environment
CN114765543B (en) Encryption communication method and system of quantum cryptography network expansion equipment
KR101531662B1 (en) Method and system for mutual authentication between client and server
CN109981271B (en) Network multimedia safety protection encryption method
CN118659922B (en) Quantum security enhancement method for open authorization protocol
KR101213301B1 (en) Apparatus and method for re-authentication treatment of downloadable conditional access system
US8583930B2 (en) Downloadable conditional access system, secure micro, and transport processor, and security authentication method using the same
JP4447908B2 (en) Local digital network and method for introducing new apparatus, and data broadcasting and receiving method in the network
US8699710B2 (en) Controlled security domains
CN119652588A (en) A global quantum secure key distribution method to prevent replay attacks
JP4976794B2 (en) Station service system and security communication method
KR101282416B1 (en) DCAS, SM, TP and method for certificating security
KR100947326B1 (en) Downloadable conditional access system host apparatus and method for reinforcing secure of the same

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination