CN118487749B - Key distribution method, device and system applied in quantum key management scenario - Google Patents
Key distribution method, device and system applied in quantum key management scenario Download PDFInfo
- Publication number
- CN118487749B CN118487749B CN202410475946.7A CN202410475946A CN118487749B CN 118487749 B CN118487749 B CN 118487749B CN 202410475946 A CN202410475946 A CN 202410475946A CN 118487749 B CN118487749 B CN 118487749B
- Authority
- CN
- China
- Prior art keywords
- key
- application device
- management module
- password
- distribution management
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000009826 distribution Methods 0.000 title claims abstract description 265
- 238000000034 method Methods 0.000 title claims abstract description 66
- 238000012545 processing Methods 0.000 claims abstract description 100
- 238000012795 verification Methods 0.000 claims description 42
- 238000004891 communication Methods 0.000 claims description 15
- 230000006870 function Effects 0.000 claims description 12
- 230000005540 biological transmission Effects 0.000 claims description 9
- 238000004519 manufacturing process Methods 0.000 claims description 4
- 238000010586 diagram Methods 0.000 description 6
- 230000002708 enhancing effect Effects 0.000 description 5
- 238000004590 computer program Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 2
- 230000002427 irreversible effect Effects 0.000 description 2
- 230000007774 longterm Effects 0.000 description 2
- 238000003860 storage Methods 0.000 description 2
- 238000005728 strengthening Methods 0.000 description 2
- 241000271566 Aves Species 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0852—Quantum cryptography
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- Electromagnetism (AREA)
- Storage Device Security (AREA)
Abstract
本发明公开了一种应用于量子密钥管理场景中的密钥分发方法、装置及系统,本发明在信任执行环境中预先存储身份验证信息,该身份信息不能被非法篡改,当密码应用设备需要申请密钥/密码时,需要将自身的待验证身份信息与通过代理模块获取的身份验证信息进行比对,对比一致时,再将密码应用设备发送的身份标识通过代理模块发送给密钥安全处理模块以获取目标密码。通过对密码应用设备的身份验证,减少密码被第三人获取的几率,提高密码在分发过程中的安全性,进一步提高密码所保护的数据的安全性。
The present invention discloses a key distribution method, device and system applied in a quantum key management scenario. The present invention pre-stores identity authentication information in a trusted execution environment. The identity information cannot be illegally tampered with. When a password application device needs to apply for a key/password, it needs to compare its own identity information to be verified with the identity authentication information obtained through a proxy module. When the comparison is consistent, the identity identification sent by the password application device is sent to a key security processing module through the proxy module to obtain a target password. By authenticating the password application device, the probability of the password being obtained by a third party is reduced, the security of the password in the distribution process is improved, and the security of the data protected by the password is further improved.
Description
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method, an apparatus, and a system for distributing a key applied to a quantum key management scenario.
Background
Password distribution refers to the process of securely passing a password from one entity to another entity in a network. In the information age, passwords are key elements for authentication and data security, and security is critical to personal privacy and enterprise confidentiality. The significance of the password distribution is to ensure that the user's password or key can safely reach the intended destination in the event that unauthorized persons and devices cannot obtain it. This process is the basis for establishing secure communications and maintaining secure operation of the information system, and involves not only the creation and updating of passwords, but also the revocation and replacement of passwords.
In current cryptographic distribution practices, secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) protocols are one of the most common technologies. These protocols are mainly used for secure communications over the internet, ensuring encryption of data transmitted between a client and a server, thereby protecting the data from interception or tampering by a third party. However, even when the encryption protocol is used, the security threats such as configuration errors, software vulnerabilities, man-in-the-middle attacks and the like cannot be completely eliminated in the password distribution process, so that the password leakage in the password distribution process is caused.
Disclosure of Invention
The invention provides a key distribution method, a device and a system applied to a quantum key management scene, which can improve the security of passwords in the password distribution process and further improve the security of information based on password protection.
To solve the above technical problem, a first aspect of the present invention discloses a key distribution method applied to a quantum key management scenario, where the method includes:
The key distribution management module receives an identity identifier sent by the password application device, wherein the identity identifier is used for uniquely identifying one password application device in a network;
The key distribution management module applies for the identity verification information of the password application device to the key security processing module, judges whether the password application device passes the identity verification based on the identity verification information, and when the identity verification is passed, the key distribution management module sends the identity mark to the key security processing module and applies for a target password matched with the identity mark, the key security processing module is deployed in a trusted execution environment, the key distribution management module is deployed in an untrusted execution environment, and the communication between the key security processing module and the key distribution management module is transmitted through an agent module deployed in the untrusted execution environment;
The key security processing module sends the target password to the password application device through the key distribution management module.
As an alternative embodiment, in the first aspect of the present invention, the authentication information includes the identity and one or more of a device model number, a device asset number, a device serial number, a device MAC address, a device firmware version number, a device hardware version number, a device production date, a plaintext password, and a device public key, and when the password application device does not support asymmetric encryption, the device public key is null or the authentication information does not include the device public key.
As an optional implementation manner, in the first aspect of the present invention, the determining, based on the authentication information, whether the cryptographic application device passes authentication includes:
the key distribution management module calculates a session token and the identity verification information according to a predefined hash function to obtain a hash value of the password application device, wherein the session token is generated by the key security processing module based on a quantum random number and is used for identifying a session between the key distribution management module and the password application device;
the key distribution management module compares whether the hash value of the password application device is equal to the hash value to be verified, and when the hash value is equal to the hash value to be verified, the password application device passes the identity verification;
the hash value to be verified is obtained by the following steps:
Calculating equipment information and a session token of the password application equipment according to the predefined hash function to obtain a hash value to be verified, wherein the equipment information is the same as a key value in the identity verification information;
Encrypting the hash value to be verified by using an encryption key by the password application device, and then sending the encrypted hash value to the key distribution management module, wherein the key distribution management module decrypts the hash value to be verified by using a decryption key corresponding to the encryption key;
when the password application device supports asymmetric encryption, the encryption key and the decryption key refer to a device private key and the device public key; when the cryptographic application device does not support asymmetric encryption, the encryption key and the decryption key both refer to session keys of the cryptographic application device and the key distribution management module.
As an optional implementation manner, in the first aspect of the present invention, before the key distribution management module receives the identity identifier sent by the cryptographic application device, the method further includes:
the key distribution management module receives a new session request from the password application device;
The key distribution management module applies a session key and a session token to the key security processing module;
The key security processing module generates a session key and a session token based on the quantum random number and sends the session key and the session token to the key distribution management module;
and the key distribution management module encrypts and transmits the session key and the session token to the password application equipment and triggers the key distribution management module to receive the identification sent by the password application equipment.
As an optional implementation manner, in the first aspect of the present invention, when the cryptographic application device supports asymmetric encryption, the key distribution management module sends a session key and a session token to the cryptographic application device in an encrypted manner, including:
The key distribution management module encrypts the session key and the session token by using a service management private key, and sends the encrypted session key and session token to the password application device through an asymmetric password transmission protocol, wherein the encrypted session key and session token are decrypted by using a service management public key in the password application device, and the service management private key and the service management public key refer to an asymmetric key which is generated in advance by the key distribution management module for the key security processing module.
As an optional implementation manner, in the first aspect of the present invention, when the cryptographic application device does not support asymmetric encryption, the key distribution management module sends a session key and a session token to the cryptographic application device in an encrypted manner, including:
the key distribution management module sends a session token to the password application device;
The key distribution management module receives a temporary key sent by the password application device, wherein the temporary key is generated by the password application device based on a session token and the plaintext password;
The key distribution management module acquires a quantum session key from the key security processing module, encrypts the quantum session key based on the temporary key and sends the quantum session key to the password application device;
The quantum session key is used as a session key after the password application device uses the temporary key to decrypt.
As an optional implementation manner, in the first aspect of the present invention, before the key distribution management module receives a new session request from the cryptographic application device, the key distribution method applied in the quantum key management scenario further includes:
the key distribution management module receives the identity verification information;
the key distribution management module sends the identity verification information to the key security processing module;
The key security processing module encrypts the identity verification information by using a trusted key and then sends the encrypted identity verification information to the key distribution management module, and triggers and executes the operation that the key distribution management module receives a new session request from the password application device, wherein the trusted key is a key which can only be accessed in a trusted execution environment;
And the key distribution management module applies the authentication information of the password application device to the key security processing module, and the key distribution management module comprises:
the key distribution management module sends the encrypted identity verification information to the key security processing module, and the key security processing module decrypts the encrypted identity verification information and sends the decrypted identity verification information to the key distribution management module.
The invention discloses a key distribution device applied to a quantum key management scene, which comprises a key distribution management module, an agent module and a key security processing module;
the key distribution management module is used for receiving an identity identifier sent by the password application device, and the identity identifier is used for uniquely identifying one password application device in a network;
The key distribution management module is further used for applying the identity verification information of the password application device to the key security processing module, judging whether the password application device passes the identity verification based on the identity verification information, and when the identity verification is passed, the key distribution management module is further used for sending the identity mark to the key security processing module and applying a target password matched with the identity mark, the key security processing module is deployed in a trusted execution environment, and the key distribution management module is deployed in an untrusted execution environment;
The proxy module is used for proxy all communication information between the key security processing module and the key distribution management module, and is deployed in an untrusted execution environment;
the key security processing module is used for sending the target password to the password application device through the key distribution management module.
A third aspect of the present invention discloses a key distribution apparatus for use in a quantum key management scenario, the apparatus comprising:
A memory storing executable program code;
A processor coupled to the memory;
the processor invokes the executable program code stored in the memory to perform the key distribution method disclosed in the first aspect of the present invention applied in the quantum key management scenario.
A fourth aspect of the invention discloses a quantum key management system storing computer instructions for performing the key distribution method disclosed in the first aspect of the invention applied in a quantum key management scenario when invoked.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
the invention stores the identity verification information in advance in the trust execution environment, the identity information cannot be tampered illegally, when the password application device needs to apply for a secret key/a password, the identity information to be verified of the password application device needs to be compared with the identity verification information acquired through the proxy module, and when the identity information is consistent with the identity verification information, the identity identification transmitted by the password application device is transmitted to the secret key security processing module through the proxy module so as to acquire the target password. By verifying the identity of the password application device, the probability that the password is acquired by a third person is reduced, the security of the password in the distribution process is improved, and the security of data protected by the password is further improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow diagram of a key distribution method applied in a quantum key management scenario according to an embodiment of the present invention;
FIG. 2 is a flow chart of another key distribution method applied in a quantum key management scenario disclosed in an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a key distribution device applied to a quantum key management scenario according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of another key distribution device applied to a quantum key management scenario according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a key distribution device applied to a quantum key management scenario according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms first, second and the like in the description and in the claims and in the above-described figures are used for distinguishing between different objects and not necessarily for describing a sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, apparatus, article, or article that comprises a list of steps or elements is not limited to only those listed but may optionally include other steps or elements not listed or inherent to such process, method, article, or article.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the invention. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
The invention discloses a key distribution method, a device and a system applied to a quantum key management scene. The system comprises a key security processing module deployed in a trusted execution environment, and a proxy module and a key distribution management module deployed in an untrusted execution environment, wherein the communication between the key distribution management module and the key security processing module is transmitted through the proxy module. The key security processing module generates a key based on the quantum random number in the trusted execution environment, generates a derivative key based on the root password or SBK (Secure boot key) in the trusted execution environment, encrypts the key/password to be saved based on the derivative key, and saves the key/password. The trusted execution environment and the untrusted execution environment in the present invention may refer to a trusted execution environment and a rich execution environment in an ARM trust zone, a secure enclave (Enc l aves) and a conventional application execution space (APP L I CAT I on space) in an I nte SGX, and the like, and the embodiments of the present invention are not limited.
The invention generates the password/secret key based on the quantum random number in the trust execution environment to enhance the randomness and unpredictability of the password/secret key, thereby greatly enhancing the security of the password/secret key, enhancing the identity credibility of the password application device receiving the target password through the identity authentication information encrypted/decrypted in the trust execution environment, reducing the probability of the password being stolen by illegal devices, protecting and identifying the session between the secret key distribution management module and the password application device through the session secret key and the session token generated by the secret key security processing module in the trust execution environment, and enhancing the security during the password distribution. The invention can improve the security of the password, and the security of the password in the distribution process, and further improve the security of the data protected by the password. The following will describe in detail.
Example 1
Referring to fig. 1, fig. 1 is a flow chart of a key distribution method applied in a quantum key management scenario according to an embodiment of the present invention. The key distribution method applied to the quantum key management scenario described in fig. 1 may be applied to various trusted execution environments and corresponding untrusted execution environments, and the embodiment of the present invention is not limited. As shown in fig. 1, the key distribution method applied in the quantum key management scenario may include the following operations:
101. The key distribution management module receives an identity identifier sent by the password application device, wherein the identity identifier is used for uniquely identifying one password application device in a network;
the identity in this embodiment may be a MAC address, a CPU number, a device serial number, etc., which is not limited in the embodiment of the present invention. The target password requested by the password application device can be the target password after the password application device provides the plaintext password and requests the encryption of the secret key of the plaintext password, can be the target password directly required to be generated without providing any password, and can be the target password inquired in the memory according to the identity, and the embodiment of the invention is not limited.
102. The key distribution management module applies authentication information of the password application device to the key security processing module, judges whether the password application device passes authentication based on the authentication information, and when the authentication is passed, the key distribution management module sends an identity mark to the key security processing module and applies for a target password matched with the identity mark, the key security processing module is deployed in a trusted execution environment, the key distribution management module is deployed in an untrusted execution environment, and communication between the key security processing module and the key distribution management module is transmitted through an agent module deployed in the untrusted execution environment;
In this embodiment, the authentication information includes an identity identifier, and one or more of a device model number, a device asset number, a device serial number, a device MAC address, a device firmware version number, a device hardware version number, a device production date, a plaintext password, and a device public key, and when the password application device does not support asymmetric encryption, the device public key is null or the authentication information does not include the device public key.
103. The key security processing module sends the target password to the password application device through the key distribution management module.
In the alternative embodiment, when the identity is not matched with the password or the password matched with the identity is empty, the target password is the password generated by the key security processing module based on the quantum random number, and when the identity is matched with the password, the password is the target password.
As can be seen, in this embodiment, authentication information is pre-stored in a trusted execution environment, where the authentication information cannot be illegally tampered, when a cryptographic application device needs to apply for a key/a password, it needs to compare the authentication information to be authenticated with the authentication information obtained through the proxy module, and when the comparison is consistent, the identity identifier sent by the cryptographic application device is sent to the key security processing module through the proxy module to obtain the target password. By verifying the identity of the password application device, the probability that the password is acquired by a third person is reduced, the security of the password in the distribution process is improved, and the security of data protected by the password is further improved.
In an alternative embodiment, determining whether the cryptographic application device is authenticated based on the authentication information includes:
The key distribution management module calculates a session token and authentication information according to a predefined hash function to obtain a hash value of the password application device, wherein the session token is generated by the key security processing module based on the quantum random number and is used for identifying a session between the key distribution management module and the password application device;
The key distribution management module compares whether the hash value of the password application device is equal to the hash value to be verified, and when the hash value is equal to the hash value to be verified, the password application device passes the identity verification;
Wherein, the hash value to be verified is obtained by the following way:
The password application equipment calculates equipment information and a session token of the password application equipment according to a predefined hash function to obtain a hash value to be verified, wherein the equipment information is the same as a key value in the identity verification information;
Encrypting the hash value to be verified by using an encryption key by the password application equipment, and then sending the encrypted hash value to a key distribution management module, wherein the key distribution management module decrypts the hash value to be verified by using a decryption key corresponding to the encryption key;
when the password application device does not support asymmetric encryption, the encryption key and the decryption key both refer to session keys of the password application device and the key distribution management module.
In this alternative embodiment, the session token refers to a session token of a session between the cryptographic application device and the key distribution management module. The fact that the key values in the device information and the identity verification information are the same means that the keys in the device information and the identity verification information must be the same, and the device information and the identity verification information can be split into a plurality of key value pairs with the same key values according to a predefined format. Comparing whether the hash value of the password application device is equal to the hash value to be verified or not refers to whether the key value pair split by the device information and the identity verification information is identical or not.
The session token generated based on the quantum random numbers ensures the uniqueness and the unpredictability of each session, the irreversible characteristic of the hash function ensures the confidentiality of the authentication information, the security of the password in the distribution process is improved, and the security of data protected by the password is further improved.
Example two
Referring to fig. 2, fig. 2 is a flow chart of another key distribution method applied in a quantum key management scenario according to an embodiment of the present invention. The key distribution method applied to the quantum key management scenario described in fig. 2 may be applied to various trusted execution environments and corresponding untrusted execution environments, and the embodiment of the present invention is not limited. As shown in fig. 2, the key distribution method applied in the quantum key management scenario may include the following operations:
201. The key distribution management module receives a new session request from the password application device;
202. The key distribution management module applies a session key and a session token to the key security processing module;
in this embodiment, the session key and the session token both correspond to a session between the cryptographic application device and the key distribution management module.
203. The key security processing module generates a session key and a session token based on the quantum random number and sends the session key and the session token to the key distribution management module;
In this embodiment, the session key and the session token may be generated based on the same quantum random number, or may be generated based on different quantum random numbers, or may be generated using the same algorithm, or may be generated using different algorithms, which is not limited by the embodiment of the present invention.
204. The key distribution management module encrypts and transmits the session key and the session token to the password application equipment and triggers the key distribution management module to receive the operation of the identity mark transmitted by the password application equipment;
205. The key distribution management module receives an identity identifier sent by the password application device, wherein the identity identifier is used for uniquely identifying one password application device in a network;
206. the key distribution management module applies authentication information of the password application device to the key security processing module, judges whether the password application device passes authentication based on the authentication information, and when the authentication is passed, the key distribution management module sends an identity mark to the key security processing module and applies for a target password matched with the identity mark, the key security processing module is deployed in a trusted execution environment, the key distribution management module is deployed in an untrusted execution environment, and communication between the key security processing module and the key distribution management module is transmitted through an agent module deployed in the untrusted execution environment;
207. The key security processing module sends the target password to the password application device through the key distribution management module.
In the embodiment of the present invention, the detailed descriptions of steps 205-207 in the first embodiment are omitted herein for brevity.
It can be seen that this alternative embodiment requires that a new session is applied before each time the password application device requests a new target password, which ensures that each time the password request is performed in a new and independent session environment, thereby reducing the risk of capturing or reusing the password in multiple sessions, that the session key and the session token inherit the characteristic of quantum uncertainty, have high randomness and unpredictability, that such high entropy key and token are critical for resisting exhaustive attacks and predictive attacks, that the session key and the session token are encrypted by the key distribution management module and then sent to the password application device, preventing a potential eavesdropper from acquiring the session key and the token, preventing man-in-the-middle attacks, that the authentication information is stored in advance in the trusted execution environment, that when the password application device needs to apply for the key/password, the authentication information itself needs to be compared with the authentication information acquired by the proxy module, and that when the comparison is consistent, the identity identifier sent by the password application device is sent to the key security processing module by the proxy module to acquire the target password. By verifying the identity of the password application device, the probability that the password is acquired by a third person is reduced, the security of the password in the distribution process is improved, and the security of data protected by the password is further improved.
In an alternative embodiment, when the cryptographic application device supports asymmetric encryption, the key distribution management module sends the session key and the session token encryption to the cryptographic application device, comprising:
The key distribution management module encrypts the session key and the session token by using the service management private key, and sends the encrypted session key and session token to the password application device through the asymmetric password transmission protocol, wherein the encrypted session key and session token are decrypted by using the service management public key in the password application device, and the service management private key and the service management public key refer to the asymmetric key which is pre-generated by the key distribution management module by the key security processing module.
In this alternative embodiment, the asymmetric cryptographic transport protocol may be a DH protocol, an ECDH protocol, or any other asymmetric cryptographic transport protocol, which embodiments of the present invention are not limited to.
Therefore, in the alternative embodiment, the key distribution management module encrypts the session key and the session token by using the private key, only the paired public key can decrypt the session key and the session token, so that confidentiality of information in transmission is guaranteed, an attacker intercepting encrypted data cannot decrypt the session key because the private key is not transmitted by a network, even if the data is intercepted, the session key and the session token cannot be leaked, and an asymmetric encrypted identity verification function further defends man-in-the-middle attack, so that security of password distribution is remarkably improved.
In another alternative embodiment, when the cryptographic application device does not support asymmetric encryption, the key distribution management module sends the session key and session token encryption to the cryptographic application device, comprising:
the key distribution management module sends the session token to the password application device;
the key distribution management module receives a temporary key sent by the password application device, wherein the temporary key is generated by the password application device based on a session token and a plaintext password;
The key distribution management module acquires the quantum session key from the key security processing module, encrypts the quantum session key based on the temporary key and sends the encrypted quantum session key to the password application device;
The quantum session key is used as a session key after the cryptographic application device decrypts using the temporary key.
It can be seen that in this alternative embodiment, the cryptographic application device receives the session token, generates a temporary key in combination with the plaintext password, the temporary key is used to encrypt the session key generated based on the quantum random number, and then securely transmits back to the device. Because the temporary key is random and disposable, even if the temporary key leaks, the session key cannot be predicted, thereby protecting the security of the key distribution process.
In yet another alternative embodiment, the key distribution method applied in the quantum key management scenario further comprises, before the key distribution management module receives a new session request from the cryptographic application device:
the key distribution management module receives the identity verification information;
The key distribution management module sends the identity verification information to the key security processing module;
The key security processing module encrypts the identity verification information by using a trusted key, then sends the encrypted identity verification information to the key distribution management module, and triggers the execution of the operation that the key distribution management module receives a new session request from the password application device, wherein the trusted key is a key which can only be accessed in a trusted execution environment;
And the key distribution management module applies authentication information of the password application device to the key security processing module, and the authentication information comprises:
The key distribution management module sends the encrypted authentication information to the key security processing module, and the key security processing module decrypts the authentication information and sends the encrypted authentication information to the key distribution management module.
In this alternative embodiment, the trusted password refers to a password that is only accessible in a trusted execution environment, such as a root password or an SBK or a derivative key generated based on the SBK. The key distribution management module receives the authentication information, and an administrator can fill the authentication information of the password application device through a management interface of the service management module.
In the alternative embodiment, the key distribution management module receives the identity verification information from the password application device and sends the identity verification information to the key security processing module, the key security processing module encrypts the identity verification information by using a trusted key to prevent the leakage of the identity verification information caused by the attack of the memory, and the identity verification information is returned to the key distribution management module to initiate the identity verification of the password application device, so that the reliability of the identity security of the password application device can be improved, the security of the password in the distribution process can be improved, and the security of the information can be further improved.
In yet another alternative embodiment, the key distribution method applied in the quantum key management scenario further comprises:
And the key distribution management module destroys the service management private key and the service management public key before the life cycle is finished.
Therefore, the optional embodiment can reduce the probability of unauthorized use or leakage of the old key, reduce the potential security risk caused by leakage of the old key, and enhance the overall security of password distribution.
In yet another alternative embodiment, the key distribution method applied in the quantum key management scenario further comprises:
When the session between the key distribution management module and the password application device is ended/closed, or the password service module cannot receive the reply of the password application device within a preset time, the key distribution management module destroys the session key and the session token and closes the session communication link.
It can be seen that the alternative embodiment destroys the session key and the session token, closes the communication link, reduces the possibility that the old session is maliciously utilized, and enhances the security of the password distribution.
In yet another alternative embodiment, the key distribution method applied in the quantum key management scenario further comprises:
The key distribution management module updates a session key between the key distribution management module and the password application device according to a predetermined session password update policy.
Therefore, the optional embodiment can reduce the exposure time of the key by strategically replacing the key, and reduce the possibility of security holes caused by long-term use of the same key, thereby strengthening the security of the key in the quantum key management system and further improving the security of the password in the distribution process.
In yet another alternative embodiment, the key distribution method applied in the quantum key management scenario further comprises:
When the target password needs to be transmitted between the password application device and another password application device, judging whether the password application device and the other password application device both support asymmetric encryption;
If the judgment result is yes, the target password is transmitted between the password application device and another password application device through an asymmetric password transmission protocol;
if the judgment result is negative, the key distribution management module receives the identity of the password application device sent by the other password application device, sends the identity to the key security processing module to request the target password, and sends the target password to the other password application device.
In this alternative embodiment, the authentication step of the further cryptographic application device and the step of establishing a session with the key distribution management module are identical to those of the cryptographic application device. And after receiving the identity, the trusted password execution module returns a target password matched with the identity.
It can be seen that this alternative embodiment reduces the likelihood that another password application device that is not authenticated will obtain the target password by either an asymmetric transport protocol or allowing the key distribution management module to authenticate the requester's identity, thereby enhancing the security of the password distribution process.
Example III
Referring to fig. 3, fig. 3 is a schematic structural diagram of a key distribution device applied in a quantum key management scenario according to an embodiment of the present invention. The apparatus shown in fig. 3 may be applied to various trusted execution environments and corresponding untrusted execution environments, and embodiments of the present invention are not limited thereto. The apparatus shown in fig. 3 includes a key security processing module 301, a proxy module 302, and a key distribution management module 303;
the key distribution management module 303 is configured to receive an identity identifier sent by the cryptographic application device, where the identity identifier is used to uniquely identify a cryptographic application device in the network;
The key distribution management module 303 is further configured to apply authentication information of the cryptographic application device to the key security processing module 301, determine whether the cryptographic application device passes authentication based on the authentication information, and when the authentication is passed, the key distribution management module 303 is further configured to send an identity to the key security processing module 301 and apply for a target password matched with the identity, where the key security processing module 301 is deployed in a trusted execution environment, the key distribution management module 303 is deployed in an untrusted execution environment, and communications between the key security processing module 301 and the key distribution management module 303 are all transmitted through the proxy module 302 deployed in the untrusted execution environment;
The proxy module 302 is configured to proxy all communication information between the key security processing module 301 and the key distribution management module 303, where the proxy module 302 is deployed in an untrusted execution environment;
the key security processing module 301 is configured to send the target password to the password application device through the key distribution management module 303.
In this embodiment, the authentication information includes an identity identifier, and one or more of a device model number, a device asset number, a device serial number, a device MAC address, a device firmware version number, a device hardware version number, a device production date, a plaintext password, and a device public key, and when the password application device does not support asymmetric encryption, the device public key is null or the authentication information does not include the device public key.
As can be seen, in this embodiment, authentication information is pre-stored in a trusted execution environment, where the authentication information cannot be illegally tampered, when a cryptographic application device needs to apply for a key/a password, it needs to compare the authentication information to be authenticated with the authentication information obtained through the proxy module, and when the comparison is consistent, the identity identifier sent by the cryptographic application device is sent to the key security processing module through the proxy module to obtain the target password. By verifying the identity of the password application device, the probability that the password is acquired by a third person is reduced, the security of the password in the distribution process is improved, and the security of data protected by the password is further improved.
In an alternative embodiment, determining whether the cryptographic application device is authenticated based on the authentication information includes:
the key distribution management module 303 calculates a session token and authentication information according to a predefined hash function to obtain a hash value of the password application device, wherein the session token is generated by the key security processing module 301 based on the quantum random number, and is used for identifying a session between the key distribution management module 303 and the password application device;
the key distribution management module 303 compares whether the hash value of the password application device is equal to the hash value to be verified, and when the hash value is equal to the hash value to be verified, the password application device passes the identity verification;
Wherein, the hash value to be verified is obtained by the following way:
The password application equipment calculates equipment information and a session token of the password application equipment according to a predefined hash function to obtain a hash value to be verified, wherein the equipment information is the same as a key value in the identity verification information;
encrypting the hash value to be verified by using the encryption key by the password application device, and then sending the encrypted hash value to the key distribution management module 303, wherein the key distribution management module 303 decrypts the hash value to be verified by using a decryption key corresponding to the encryption key;
when the cryptographic application device supports asymmetric encryption, the encryption key and the decryption key refer to device private keys and device public keys, and when the cryptographic application device does not support asymmetric encryption, the encryption key and the decryption key refer to session keys of the cryptographic application device and the key distribution management module 303.
The session token generated based on the quantum random numbers ensures the uniqueness and the unpredictability of each session, the irreversible characteristic of the hash function ensures the confidentiality of the authentication information, the security of the password in the distribution process is improved, and the security of data protected by the password is further improved.
In another alternative embodiment, the key distribution management module 303 is further configured to, before the key distribution management module 303 receives the identity sent by the cryptographic application device, receive a new session request from the cryptographic application device;
the key distribution management module 303 is further configured to apply a session key and a session token to the key security processing module 301;
The key security processing module 301 is further configured to generate a session key and a session token based on the quantum random number, and send the session key and the session token to the key distribution management module 303;
the key distribution management module 303 is further configured to encrypt and send the session key and the session token to the cryptographic application device, and trigger the key distribution management module 303 to receive the identity identifier sent by the cryptographic application device.
It can be seen that this alternative embodiment requires that a new session is applied before each time the password application device requests a new target password, which ensures that each time the password request is performed in a new, independent session environment, thereby reducing the risk of capturing or reusing the password in multiple sessions, the session key and session token inherit the characteristics of quantum uncertainty, have high randomness and unpredictability, such high entropy key and token are critical for resisting exhaustive attacks and predictive attacks, and the session key and session token are sent to the password application device after being encrypted by the key distribution management module, preventing potential eavesdroppers from acquiring the session key and token, preventing man-in-the-middle attacks, and improving the security of the password in the distribution process.
In yet another alternative embodiment, when the cryptographic application device supports asymmetric encryption, the key distribution management module 303 sends the session key and session token encryption to the cryptographic application device, including:
The key distribution management module 303 encrypts the session key and the session token by using the service management private key, and sends the encrypted session key and session token to the cryptographic application device through the asymmetric cryptographic transmission protocol, where the encrypted session key and session token are decrypted by using the service management public key in the cryptographic application device, and the service management private key and the service management public key refer to asymmetric keys that are pre-generated by the key distribution management module by the key security processing module 301.
In this alternative embodiment, the key distribution management module 303 encrypts the session key and the session token with the private key, only the paired public key can decrypt the session key, so that confidentiality of information in transmission is guaranteed, an attacker intercepting encrypted data cannot decrypt the session key because the private key is not transmitted through the network, even if the data is intercepted, the session key and the session token cannot be leaked, and the asymmetric encrypted identity verification function further defends man-in-the-middle attack, so that security of password distribution is remarkably improved.
In yet another alternative embodiment, when the cryptographic application device does not support asymmetric encryption, the key distribution management module 303 sends the session key and session token encryption to the cryptographic application device, including:
the key distribution management module 303 sends the session token to the cryptographic application device;
The key distribution management module 303 receives a temporary key sent by the password application device, wherein the temporary key is generated by the password application device based on the session token and the plaintext password;
The key distribution management module 303 acquires the quantum session key from the key security processing module 301, encrypts the quantum session key based on the temporary key, and transmits the encrypted quantum session key to the cryptographic application device;
The quantum session key is used as a session key after the cryptographic application device decrypts using the temporary key.
It can be seen that in this alternative embodiment, the cryptographic application device receives the session token, generates a temporary key in combination with the plaintext password, the temporary key is used to encrypt the session key generated based on the quantum random number, and then securely transmits back to the device. Because the temporary key is random and disposable, even if the temporary key leaks, the session key cannot be predicted, thereby protecting the security of the key distribution process.
In yet another alternative embodiment, the key distribution management module 303 is further configured to accept authentication information before the key distribution management module 303 receives a new session request from the cryptographic application device;
The key distribution management module 303 is further configured to send the authentication information to the key security processing module 301;
The key security processing module 301 is further configured to encrypt the authentication information with a trusted key, send the encrypted authentication information to the key distribution management module 303, and trigger an operation of the key distribution management module 303 to receive a new session request from the cryptographic application device, where the trusted key is a key that can only be accessed in a trusted execution environment;
And, the key distribution management module 303 applies the authentication information of the cryptographic application device to the key security processing module 301, including:
The key distribution management module 303 sends the encrypted authentication information to the key security processing module 301, and the key security processing module 301 decrypts the authentication information and sends the decrypted authentication information to the key distribution management module 303.
In this alternative embodiment, the key distribution management module 303 receives the authentication information from the cryptographic application device and sends the authentication information to the key security processing module 301, the key security processing module 301 encrypts the authentication information by using the trusted key to prevent the memory from being attacked to leak the authentication information, and the authentication information is returned to the key distribution management module 303 to initiate the authentication of the cryptographic application device, thereby improving the reliability of the identity security of the cryptographic application device, improving the security of the password in the distribution process, and further improving the security of the information.
In yet another alternative embodiment, the key distribution management module 303 is further configured to destroy the service management private key and the service management public key before the lifetime is completed.
Therefore, the optional embodiment can reduce the probability of unauthorized use or leakage of the old key, reduce the potential security risk caused by leakage of the old key, and enhance the overall security of password distribution.
In yet another alternative embodiment, the key distribution management module 303 is further configured to destroy the session key, the session token, and close the session communication link when the session between the key distribution management module 303 and the cryptographic application device is ended/closed, or the cryptographic service module 303 does not receive a reply from the cryptographic application device within a predetermined time.
It can be seen that the alternative embodiment destroys the session key and the session token, closes the communication link, reduces the possibility that the old session is maliciously utilized, and enhances the security of the password distribution.
In yet another alternative embodiment, the key distribution management module 303 is further configured to update the session key between the key distribution management module 303 and the cryptographic application device according to a predetermined session password update policy.
Therefore, the optional embodiment can reduce the exposure time of the key by strategically replacing the key, and reduce the possibility of security holes caused by long-term use of the same key, thereby strengthening the security of the key in the quantum key management system and further improving the security of the password in the distribution process.
In yet another alternative embodiment, as shown in fig. 4, the key distribution apparatus applied to the quantum key management scenario further includes:
A judging module 304, configured to judge whether the cryptographic application device and the other cryptographic application device both support asymmetric encryption when the target cryptographic needs to be transmitted between the cryptographic application device and the other cryptographic application device;
A transmission module 305, configured to transmit the target password between the password application device and another password application device through an asymmetric password transmission protocol when the determination result of the determination module 304 is yes;
The key distribution management module 303 is further configured to, when the determination result of the determination module 304 is no, receive an identity of the cryptographic application device sent by another cryptographic application device, send the identity to the key security processing module 301 to request the target password, and send the target password to the other cryptographic application device.
In this alternative embodiment, the authentication step of the other cryptographic application device, and the step of establishing a session with the key distribution management module 303, are the same as the cryptographic application device. After receiving the identity, the trusted cryptography module 301 returns a target cryptography matching the identity.
It can be seen that this alternative embodiment reduces the likelihood that another password application device that is not authenticated will obtain the target password by either an asymmetric transport protocol or allowing the key distribution management module to authenticate the requester's identity, thereby enhancing the security of the password distribution process.
Example IV
Referring to fig. 5, fig. 5 is a schematic structural diagram of a key distribution device applied in a quantum key management scenario according to another embodiment of the present invention. As shown in fig. 5, the key distribution apparatus applied to the quantum key management scenario may include:
a memory 501 in which executable program codes are stored;
A processor 502 coupled to the memory 501;
Further, an input interface 503 and an output interface 504 coupled to the processor 502 may also be included;
The processor 502 invokes executable program code stored in the memory 501 to perform the steps of the key distribution method applied in the quantum key management scenario described in the first or second embodiment of the present invention.
Example five
The embodiment of the invention discloses a quantum key management system, which stores computer instructions for executing the steps of the key distribution method applied to a quantum key management scene described in the first embodiment or the second embodiment of the invention when the computer instructions are called.
Example six
An embodiment of the present invention discloses a computer program product comprising a non-transitory computer readable storage medium storing a computer program, and the computer program is operable to cause a computer to perform the steps of the key distribution method described in embodiment one or embodiment two applied in a quantum key management scenario.
The apparatus embodiments described above are merely illustrative, wherein the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above detailed description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course by means of hardware. Based On such understanding, the foregoing technical solutions may be embodied essentially or in part in a software product that may be stored in a computer-readable storage medium including Read-On-y Memory, ROM, random-access Memory (Random Access Memory, RAM), programmable-On-y Memory, PROM, erasable programmable-On-Memory (Erasab l e Programmab l e Read On l y Memory, EPROM), one-time-programmable-On-y Memory (OTPROM), electronically erasable programmable-On-Memory (E L ECTR I CA L L Y-Erasab l e Programmab l eRead-On-y Memory, EEPROM), compact disc Read-only Memory (Compact Di sc Read-On-y Memory, CD-ROM) or other optical disc Memory, magnetic disc Memory, tape Memory, or any other medium that can be used for computer-readable carrying or storing data.
Finally, it should be noted that the disclosure of the key distribution method, device and system applied to the quantum key management scenario is only a preferred embodiment of the present invention, and is only for illustrating the technical scheme of the present invention, but not for limiting the same, although the detailed description of the present invention is described with reference to the foregoing embodiments, it should be understood by those skilled in the art that the technical scheme described in the foregoing embodiments may be modified or some technical features thereof may be equivalently replaced, and these modifications or substitutions do not make the essence of the corresponding technical scheme deviate from the spirit and scope of the technical scheme of the embodiments of the present invention.
Claims (9)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410475946.7A CN118487749B (en) | 2024-04-19 | 2024-04-19 | Key distribution method, device and system applied in quantum key management scenario |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410475946.7A CN118487749B (en) | 2024-04-19 | 2024-04-19 | Key distribution method, device and system applied in quantum key management scenario |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN118487749A CN118487749A (en) | 2024-08-13 |
| CN118487749B true CN118487749B (en) | 2025-04-15 |
Family
ID=92191019
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410475946.7A Active CN118487749B (en) | 2024-04-19 | 2024-04-19 | Key distribution method, device and system applied in quantum key management scenario |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118487749B (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114124377A (en) * | 2021-11-19 | 2022-03-01 | 中国联合网络通信集团有限公司 | A quantum key transmission method, device, system and storage medium |
| CN116318784A (en) * | 2022-12-07 | 2023-06-23 | 深圳科盾量子信息科技有限公司 | Identity authentication method, identity authentication device, computer equipment and storage medium |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105763563B (en) * | 2016-04-19 | 2019-05-21 | 浙江神州量子网络科技有限公司 | A kind of identity identifying method in quantum key application process |
| CN111756529B (en) * | 2019-03-28 | 2023-05-19 | 广东国盾量子科技有限公司 | Quantum session key distribution method and system |
| CN117118609A (en) * | 2023-08-23 | 2023-11-24 | 中国电信股份有限公司技术创新中心 | Identity verification method based on quantum encryption technology and related hardware |
| CN117857027A (en) * | 2023-12-18 | 2024-04-09 | 中电信量子科技有限公司 | Group key management method and system based on quantum key distribution and token authorization technology |
-
2024
- 2024-04-19 CN CN202410475946.7A patent/CN118487749B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114124377A (en) * | 2021-11-19 | 2022-03-01 | 中国联合网络通信集团有限公司 | A quantum key transmission method, device, system and storage medium |
| CN116318784A (en) * | 2022-12-07 | 2023-06-23 | 深圳科盾量子信息科技有限公司 | Identity authentication method, identity authentication device, computer equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN118487749A (en) | 2024-08-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11165757B2 (en) | Method and apparatus for securing communications using multiple encryption keys | |
| CN111971929B (en) | Secure distributed key management system | |
| US8196186B2 (en) | Security architecture for peer-to-peer storage system | |
| US6950523B1 (en) | Secure storage of private keys | |
| CN109361668A (en) | A method of reliable data transmission | |
| US20180034810A1 (en) | A system and methods for protecting keys in computerized devices operating versus a server | |
| CN106453361B (en) | A kind of security protection method and system of the network information | |
| US20080077592A1 (en) | method and apparatus for device authentication | |
| CN112565205B (en) | Credible authentication and measurement method, server, terminal and readable storage medium | |
| CN109981255B (en) | Method and system for updating key pool | |
| WO2014026518A1 (en) | Software key updating method and device | |
| CN107920052B (en) | Encryption method and intelligent device | |
| US10263782B2 (en) | Soft-token authentication system | |
| ES2665887T3 (en) | Secure data system | |
| CN110505055B (en) | External network access identity authentication method and system based on asymmetric key pool pair and key fob | |
| CN110493177B (en) | Method and system for quantum communication service station AKA key negotiation based on asymmetric key pool pair and serial number | |
| CN106790045A (en) | One kind is based on cloud environment distributed virtual machine broker architecture and data integrity support method | |
| US20210306306A1 (en) | Method and system for secure communication | |
| CN112565265A (en) | Authentication method, authentication system and communication method between terminal devices of Internet of things | |
| KR20210153419A (en) | Apparatus and method for authenticating device based on certificate using physical unclonable function | |
| CN112733129A (en) | Trusted access method for out-of-band management of server | |
| US8806216B2 (en) | Implementation process for the use of cryptographic data of a user stored in a data base | |
| KR102539418B1 (en) | Apparatus and method for mutual authentication based on physical unclonable function | |
| CN110519222B (en) | External network access identity authentication method and system based on disposable asymmetric key pair and key fob | |
| CN118797581A (en) | A mobile application authorization method and system based on smart door lock and smart door lock |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |