CN118540165B - Anti-quantum security enhancement method for national secret IPSec VPN protocol - Google Patents
- Publication number
- CN118540165B
- Authority
- CN
- China
- Prior art keywords
- network device
- key
- quantum
- encryption
- random number
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H04L63/0272—Virtual private networks
- H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
- H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0852—Quantum cryptography
- H04L9/16—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms the keys or algorithms being changed during operation
Abstract
The application discloses an anti-quantum security enhancement method for the national cryptographic IPSec VPN protocol of a communication network. The method comprises: obtaining a first quantum key from a first network node accessing the first network device; performing post-quantum cryptographic encryption processing on the first quantum key and sending the first encryption result of that processing to the second network device; decrypting a second encryption result sent by the second network device to obtain a second decryption result, the second encryption result being obtained by the second network device according to the first encryption result; and obtaining a security association identifier according to the first quantum key, the first encryption result and the second decryption result to protect communication between the first network device and the second network device. The first network device and the second network device encrypt communications using post-quantum cryptography algorithms and quantum key distribution techniques, significantly enhancing resistance to quantum computing attacks.
Description
Technical Field
The application relates to the field of network security, and in particular to an anti-quantum security enhancement method for the national cryptographic IPSec VPN protocol of a communication network.
Background
The computing power represented by quantum computation bears directly on security and strongly affects the algorithms of classical cryptography. Once large quantum computers are realized, applications of classical cryptography such as key agreement, encryption and signing will be affected. Providing cryptographic techniques that can resist quantum computing attacks is therefore a problem that urgently needs solving.
Disclosure of Invention
The application provides an anti-quantum security enhancement method for the national cryptographic IPSec VPN protocol of a communication network.
The embodiment of the application provides an anti-quantum security enhancement method of a national cryptographic IPSec VPN protocol of a communication network, wherein the communication network comprises a first network device and a second network device, the method is used for the first network device, and the method comprises the following steps:
acquiring a first quantum key from a first network node accessing the first network device;
performing post-quantum cryptography encryption processing on the first quantum key, and transmitting a first encryption result subjected to the post-quantum cryptography encryption processing to the second network device;
decrypting the received second encryption result sent by the second network device to obtain a second decryption result, wherein the second encryption result is obtained by the second network device according to the first encryption result;
and obtaining a security association identifier according to the first quantum key, the first encryption result and the second decryption result so as to protect communication between the first network device and the second network device.
In this way, during communication between the first network device and the second network device, the first network device applies for and obtains the first quantum key and the quantum key identifier, and uses a post-quantum cryptographic algorithm to encrypt the quantum key identifier and the data exchanged during communication, which protects the quantum key identifier in transit. Post-quantum cryptographic algorithms are a family of algorithms designed to resist quantum computing attacks. After the second network device obtains the quantum key identifier, it applies for and obtains a second quantum key. The first network device and the second network device use the quantum key when establishing the security association for communication between them. This enhances the quantum resistance of the network communication between the first network device and the second network device.
In certain embodiments, the method further comprises:
accessing the first network node through a pre-established channel;
loading the security certificate of the first network device or the security certificate of the second network device.
In this way, the first network node is accessed through the pre-established channel before key negotiation with the second network device. The pre-established channel protects data during transmission, which reduces the risk of unauthorized access. The security certificate of the first network device or of the second network device is then loaded; once loaded, the certificate is used to establish and maintain a secure communication channel, which strengthens the security of data in transit.
In some embodiments, the obtaining the first quantum key from the first network node accessing the first network device includes:
sending a quantum key application to the first network node accessed to the first network device;
and receiving a first quantum key and a quantum key identifier which are distributed by the first network node according to the quantum key application, wherein the quantum key identifier is obtained by marking the first quantum key by the first network node by utilizing an identification code of the first network device.
In this way, a quantum key application is sent to the first network node. Then, after the quantum key application is passed, a first quantum key and a quantum key identifier distributed by the first network node according to the quantum key application are received, and the quantum key identifier is obtained by marking the first quantum key by the first network node by utilizing the identification code of the first network node. This results in a first quantum key that can be used for subsequent generation of keys with resistance to quantum computing attacks and a quantum key identifier that facilitates the use and management of the first quantum key.
In some embodiments, the performing post-quantum cryptography encryption processing on the first quantum key and transmitting the first encryption result subjected to the post-quantum cryptography encryption processing to the second network device includes:
splicing the quantum key identifier and the randomly generated first random number to obtain a first encrypted message;
performing post-quantum cryptography derivation processing on the first encrypted message to obtain a first session key;
performing exclusive-or processing on the randomly generated first temporary key and the first session key to obtain a first exclusive-or key, and transmitting the first exclusive-or key to the second network device after it is encrypted;
performing post-quantum cryptography encryption processing on the first encrypted message to obtain a second encrypted message in the first encryption result;
encrypting the first session random number according to the first temporary key to obtain a first session encryption message in the first encryption result;
obtaining a first verification message according to the quantum key identifier, the first session random number and first identification information;
performing post-quantum cryptography signature processing on the first verification message to obtain a first signature message in the first encryption result;
and sending the first encryption result to the second network device.
In this way, the quantum key identifier and the randomly generated first random number are spliced to obtain a first encrypted message. The first encrypted message is then subjected to post-quantum cryptography derivation processing to obtain a first session key. Exclusive-or processing is performed on the randomly generated first temporary key and the first session key to obtain a first exclusive-or key, which is encrypted and transmitted to the second network device. Post-quantum cryptography encryption processing is performed on the first encrypted message to obtain a second encrypted message in the first encryption result. The first session random number is then encrypted according to the first temporary key to obtain a first session encrypted message in the first encryption result. A first verification message is obtained according to the quantum key identifier, the first session random number and the first identification information, and post-quantum cryptographic signature processing is performed on it to obtain a first signature message in the first encryption result. Finally, the first encryption result is sent to the second network device. Concatenating the quantum key identifier with the first random number increases the confidentiality of the quantum key identifier, and processing the quantum key identifier and its derivatives with a post-quantum cryptographic algorithm increases the complexity of the quantum key identifier by combining the quantum key distribution technique with the post-quantum cryptographic technique.
In some embodiments, the decrypting the received second encrypted result sent by the second network device to obtain a second decrypted result, where the second encrypted result is obtained by the second network device according to the first encrypted result, includes:
receiving the second encryption result sent by the second network device, wherein the second encryption result is obtained by encrypting a first decryption result by the second network device, and the first decryption result is obtained by decrypting the first encryption result by the second network device;
and carrying out post-quantum cryptography decryption processing on the second encryption result to obtain a second decryption result, wherein the second decryption result comprises a third encryption message, a quantum key identifier, a second exclusive-or key, a second session encryption message and a second signature message.
In this way, the second encryption result sent by the second network device is received; the second encryption result is obtained by the second network device encrypting the first decryption result, and the first decryption result is obtained by the second network device decrypting the first encryption result. The second encryption result is then decrypted to obtain a second decryption result, which comprises a third encryption message, a quantum key identifier, a second exclusive-or key and a second signature message. The first network device thereby determines that a channel for communicating with the second network device is available and obtains the second network device's key information, which can be combined with the first network device's own key information to generate a key of higher security.
In certain embodiments, the method further comprises:
obtaining a second verification message according to the second signature message, wherein the second verification message is obtained from the quantum key identifier, a second session random number and second identification information;
and performing post-quantum verification processing on the second signature message to confirm the correctness of the second verification message.
In this way, a second verification message is obtained according to the second signature message, wherein the second verification message is obtained from the quantum key identifier, the second session random number and the second identification information. Post-quantum cryptography signature verification processing is then performed on the second signature message to determine the correctness of the second verification message. This ensures the integrity of the data relating to the second network device that the network device receives, verifies the identity of the second network device, and provides security for subsequent data transmission.
In certain embodiments, the method further comprises:
obtaining a second session key according to the third encrypted message;
obtaining a second temporary key according to the second session key and the second exclusive-or key;
and decrypting the second session encryption message according to the second temporary key to obtain a second session random number.
In this way, a second session key is obtained according to the third encrypted message, and a second temporary key is obtained according to the second session key and the second exclusive-or key. Finally, the second session encryption message is decrypted according to the second temporary key to obtain a second session random number. The second session random number obtained in this way is used to generate the security association identifier that secures communication between the first network device and the second network device.
In certain embodiments, the method further comprises:
performing key negotiation with the second network device to exchange an identification random number;
the obtaining a security association identifier according to the first quantum key, the first encryption result and the second decryption result to protect communication between the first network device and the second network device includes:
obtaining a security association identifier according to the identification random number, the first quantum key, the first encryption result and the second decryption result so as to protect communication between the first network device and the second network device, wherein the identification random number comprises a first identification random number and a second identification random number.
In this way, key negotiation is performed with the second network device to exchange the identification random number. A security association identifier is then obtained according to the identification random number, the first quantum key, the first encryption result and the second decryption result so as to protect communication between the first network device and the second network device, wherein the identification random number comprises a first identification random number and a second identification random number. Adding the identification random number increases the confidentiality of the security association identifier, so the communication between the first network device and the second network device can be well protected.
In some embodiments, the obtaining a security association identifier according to the first quantum key, the first encryption result, and the second decryption result to protect communications between the first network device and the second network device includes:
performing splicing processing according to the first session random number, the second session random number and the first quantum key to obtain a session splice;
splicing the first identification random number and the second identification random number to obtain an identification splice;
and obtaining a security association identifier according to the session splice and the identification splice so as to protect communication between the first network device and the second network device.
In this way, the first session random number, the second session random number and the first quantum key are spliced to obtain a session splice. The first identification random number and the second identification random number are then spliced to obtain an identification splice. Finally, a security association identifier is obtained according to the session splice and the identification splice so as to protect communication between the first network device and the second network device. Processing the quantum key together with the other randomly generated numbers in this way derives a security association identifier that resists quantum computing attacks, which strengthens the security of the data communicated between the first network device and the second network device.
The embodiment of the application provides an anti-quantum security enhancement method of a national cryptographic IPSec VPN protocol of a communication network, wherein the communication network comprises a first network device and a second network device, the method is used for the second network device, and the method comprises the following steps:
receiving a first encryption result obtained by the first network device through post-quantum cryptography encryption processing of a first quantum key, wherein the first quantum key is obtained by the first network device from an accessed first network node;
decrypting the first encryption result to obtain a first decryption result;
performing post-quantum cryptography encryption processing on the first decryption result, and transmitting a second encryption result subjected to the post-quantum cryptography encryption processing to the first network device;
and obtaining a security association identifier according to the second quantum key, the first decryption result and the second encryption result so as to protect communication between the first network device and the second network device.
In this way, during communication between the first network device and the second network device, the first network device applies for and obtains the first quantum key and the quantum key identifier, and uses a post-quantum cryptographic algorithm to encrypt the quantum key identifier and the data exchanged during communication, which protects the quantum key identifier in transit. Post-quantum cryptographic algorithms are a family of algorithms designed to resist quantum computing attacks. After the second network device obtains the quantum key identifier, it applies for and obtains a second quantum key. The first network device and the second network device use the quantum key when establishing the security association for communication between them. This enhances the quantum resistance of the network communication between the first network device and the second network device.
In some embodiments, the first decryption result comprises a first signed message, the method further comprising:
obtaining a first verification message according to the first signature message, wherein the first verification message is obtained from the quantum key identifier, the first session random number and the first identification information;
performing post-quantum verification processing on the first signature message to confirm correctness of the first verification message and the quantum key identifier;
and acquiring the second quantum key from a second network node which is accessed to the second network device under the condition that the quantum key identifier is acquired correctly.
In this way, post-quantum cryptography signature verification processing is performed on the first signature message to confirm that the correct first verification message has been received, which ensures the integrity of the data and the legitimacy of its source; the first verification message is obtained from the quantum key identifier, the first session random number and the first identification information. Once the received first verification message is confirmed to be correct, the second network device applies, according to the quantum key identifier, to obtain a second quantum key from a second network node accessed to the second network device. The second quantum key obtained in this way matches the first quantum key of the network device, and is used to generate a key with high security and good resistance to quantum computing attacks.
In some embodiments, the first decryption result includes a quantum key identifier, and the performing post quantum cryptography encryption processing on the first decryption result obtains a second encryption result includes:
splicing the quantum key identifier and the randomly generated second random number to obtain a third encrypted message;
performing post-quantum cryptography derivation processing on the third encrypted message to obtain a second session key;
performing exclusive-or processing on the randomly generated second temporary key and the second session key to obtain a second exclusive-or key, and transmitting the encrypted second exclusive-or key to the first network device;
performing post-quantum cryptography encryption processing on the third encrypted message to obtain a fourth encrypted message in the second encryption result;
encrypting the second session random number according to the second temporary key to obtain a third session encryption message in the second encryption result;
obtaining a second verification message according to the quantum key identifier, the second session random number and second identification information;
performing post-quantum cryptography signature processing on the second verification message to obtain a second signature message in a second encryption result;
and sending the second encryption result to the first network device.
In this way, the quantum key identifier and the randomly generated second random number are spliced to obtain a third encrypted message. The third encrypted message is then subjected to post-quantum cryptography derivation processing to obtain a second session key. Exclusive-or processing is performed on the randomly generated second temporary key and the second session key to obtain a second exclusive-or key, which is encrypted and transmitted to the first network device. Post-quantum cryptography encryption processing is performed on the third encrypted message to obtain a fourth encrypted message in the second encryption result. The second session random number is then encrypted according to the second temporary key to obtain a second session encrypted message in the second encryption result. A second verification message is obtained according to the quantum key identifier, the second session random number and the second identification information, and post-quantum cryptographic signature processing is performed on it to obtain a second signature message in the second encryption result. Finally, the second encryption result is sent to the first network device. Concatenating the quantum key identifier with the second random number increases the confidentiality of the quantum key identifier, and processing the quantum key identifier and its derivatives with a post-quantum cryptographic algorithm increases the complexity of the quantum key identifier by combining the quantum key distribution technique with the post-quantum cryptographic technique.
In certain embodiments, the method further comprises:
performing key negotiation with the first network device to exchange an identification random number;
the obtaining a security association identifier according to the second quantum key, the first decryption result and the second encryption result to protect communication between the first network device and the second network device includes:
obtaining a security association identifier according to the identification random number, the second quantum key, the first decryption result and the second encryption result so as to protect communication between the first network device and the second network device, wherein the identification random number comprises a first identification random number and a second identification random number.
In this way, key negotiation is performed with the first network device to exchange the identification random number. A security association identifier is then obtained according to the identification random number, the second quantum key, the first decryption result and the second encryption result so as to protect communication between the second network device and the first network device, wherein the identification random number comprises a first identification random number and a second identification random number. Adding the identification random number increases the confidentiality of the security association random number, so the communication between the first network device and the second network device can be well protected.
In some embodiments, the first decrypted message includes a first encrypted message, a first exclusive-or key, and a first session encrypted message, the deriving a security association identifier from the second quantum key, the first decryption result, and the second encryption result to secure communications between the first network device and the second network device, comprising:
obtaining a first session key according to the first encrypted message;
obtaining a first temporary key according to the first session key and the first exclusive-or key;
decrypting the first session encryption message according to the first temporary key to obtain a first session random number;
performing splicing processing according to the first session random number, the second session random number and the first quantum key to obtain a session splice;
splicing the first identification random number and the second identification random number to obtain an identification splice;
and obtaining a security association identifier according to the session splice and the identification splice so as to protect communication between the first network device and the second network device.
In this way, a first session key is calculated from the first encrypted message, and a first temporary key is obtained according to the first session key and the first exclusive-or key. The first session encrypted message is then decrypted according to the first temporary key to obtain the first session random number. The first session random number, the second session random number and the first quantum key are spliced to obtain a session splice, and the first identification random number and the second identification random number are spliced to obtain an identification splice. Finally, a security association identifier is obtained according to the session splice and the identification splice so as to protect communication between the first network device and the second network device. Processing the second quantum key together with the other randomly generated numbers in this way derives a security association identifier that resists quantum computing attacks, which strengthens the security of the data communicated between the first network device and the second network device.
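The masking, recovery and splicing steps described above for both devices can be traced in code. The following is an added sketch, not code from the patent: SHA-256 and HMAC stand in for the unspecified post-quantum derivation and for the final identifier derivation, the post-quantum encryption and signature wrappers are omitted, and the length-prefixed splice, the key identifier value and the dictionary acting as the QKD nodes are assumptions.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # temporary key and session key must be equal length for the XOR


def splice(*fields: bytes) -> bytes:
    """Concatenate with 2-byte length prefixes (assumption: the text only says
    'splice'; prefixes keep variable-length fields unambiguous)."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def unsplice(blob: bytes) -> list:
    fields, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 2], "big")
        fields.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return fields


def derive_session_key(encrypted_message: bytes) -> bytes:
    """Stand-in for 'post quantum cryptography derivation processing'."""
    return hashlib.sha256(b"session-key" + encrypted_message).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (hash-counter keystream), illustration only."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def build_contribution(key_id: bytes, session_random: bytes) -> dict:
    """Sender side: splice, derive, mask the temporary key, encrypt the nonce."""
    encrypted_message = splice(key_id, secrets.token_bytes(16))
    session_key = derive_session_key(encrypted_message)
    temporary_key = secrets.token_bytes(KEY_LEN)
    return {
        # sent under post-quantum encryption in the described method (omitted)
        "encrypted_message": encrypted_message,
        "xor_key": xor_bytes(temporary_key, session_key),
        "session_encrypted": keystream_crypt(temporary_key, session_random),
    }


def recover_session_random(msg: dict) -> bytes:
    """Receiver side: re-derive the session key, unmask, decrypt the nonce."""
    session_key = derive_session_key(msg["encrypted_message"])
    temporary_key = xor_bytes(msg["xor_key"], session_key)
    return keystream_crypt(temporary_key, msg["session_encrypted"])


def security_association_identifier(n1, n2, quantum_key, r1, r2) -> bytes:
    session_splice = splice(n1, n2, quantum_key)
    identification_splice = splice(r1, r2)
    # Assumption: HMAC combines the two splices; the text does not say how.
    return hmac.new(session_splice, identification_splice, hashlib.sha256).digest()


def run_exchange(tamper: bool = False):
    """Both devices' views of one exchange; returns (first_view, second_view)."""
    key_id = b"QK-0001"                              # constructed sample value
    qkd_nodes = {key_id: secrets.token_bytes(32)}    # stand-in for the QKD nodes
    r1, r2 = secrets.token_bytes(16), secrets.token_bytes(16)  # identification random numbers
    n1, n2 = secrets.token_bytes(16), secrets.token_bytes(16)  # session random numbers

    msg1 = build_contribution(key_id, n1)            # first device -> second device
    if tamper:  # in-transit modification; the signature step would reject this
        msg1["xor_key"] = bytes([msg1["xor_key"][0] ^ 1]) + msg1["xor_key"][1:]

    n1_seen = recover_session_random(msg1)           # second device
    key_id_seen = unsplice(msg1["encrypted_message"])[0]
    msg2 = build_contribution(key_id_seen, n2)       # second device -> first device
    second = security_association_identifier(n1_seen, n2, qkd_nodes[key_id_seen], r1, r2)

    n2_seen = recover_session_random(msg2)           # first device
    first = security_association_identifier(n1, n2_seen, qkd_nodes[key_id], r1, r2)
    return first, second


if __name__ == "__main__":
    a, b = run_exchange()
    print("identifiers match:", a == b)
```

Because the session key is derived only from the spliced identifier and random number, the masked temporary key is exactly as confidential as the encryption protecting that spliced message.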
The embodiment of the application provides a first network device, which is used for a communication network based on a national secret IPSec VPN protocol, and further comprises a second network device, wherein the first network device is configured to:
acquiring a first quantum key from a first network node accessing the first network device;
performing post-quantum cryptography encryption processing on the first quantum key, and transmitting a first encryption result subjected to the post-quantum cryptography encryption processing to the second network device;
decrypting the received second encryption result sent by the second network device to obtain a second decryption result, wherein the second encryption result is obtained by the second network device according to the first encryption result;
and obtaining a security association identifier according to the first quantum key, the first encryption result and the second decryption result so as to protect communication between the first network device and the second network device.
In this way, during communication between the first network device and the second network device, the first network device applies for and obtains the first quantum key and the quantum key identifier, and uses a post-quantum cryptographic algorithm to encrypt the quantum key identifier and the data exchanged during communication, thereby protecting the transmission of the quantum key identifier; post-quantum cryptographic algorithms are a series of encryption algorithms designed to resist quantum computing attacks. After obtaining the quantum key identifier, the second network device applies for and obtains a second quantum key. The first network device and the second network device use the quantum key in establishing the security association for communication between them. This enhances the quantum resistance of the network communication between the first network device and the second network device.
The embodiment of the application provides a second network device for a communication network based on a national secret IPSec VPN protocol, the communication network further comprising a first network device, wherein the second network device is configured to:
receiving a first encryption result obtained by the first network device through post-quantum cryptography encryption processing of a first quantum key, wherein the first quantum key is obtained by the first network device from an accessed first network node;
decrypting the first encryption result to obtain a first decryption result;
performing post-quantum cryptography encryption processing on the first decryption result, and transmitting a second encryption result subjected to the post-quantum cryptography encryption processing to the first network device;
and obtaining a security association identifier according to the second quantum key, the first decryption result and the second encryption result so as to protect communication between the first network device and the second network device.
In this way, during communication between the first network device and the second network device, the first network device applies for and obtains the first quantum key and the quantum key identifier, and uses a post-quantum cryptographic algorithm to encrypt the quantum key identifier and the data exchanged during communication, thereby protecting the transmission of the quantum key identifier; post-quantum cryptographic algorithms are a series of encryption algorithms designed to resist quantum computing attacks. After obtaining the quantum key identifier, the second network device applies for and obtains a second quantum key. The first network device and the second network device use the quantum key in establishing the security association for communication between them. This enhances the quantum resistance of the network communication between the first network device and the second network device.
An embodiment of the present application provides a communication system based on a national secret IPSec VPN protocol, the communication system comprising a first network device as described above, a second network device as described above, and a quantum key distribution network configured to distribute a quantum key to the first network device or the second network device.
The embodiment of the application provides a network device, which comprises one or more processors and a memory, wherein the memory stores a computer program, and the computer program realizes the method when being executed by the processors.
The embodiment of the application provides a computer readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the method described above.
Additional aspects and advantages of embodiments of the application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of embodiments of the application.
Drawings
The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a first flow diagram of a method of an embodiment of the present application;
FIG. 2 is an architecture diagram of a method of an embodiment of the present application;
FIG. 3 is a signaling diagram of a method of an embodiment of the present application;
FIG. 4 is a second flow diagram of a method of an embodiment of the present application;
FIG. 5 is a third flow diagram of a method of an embodiment of the present application;
FIG. 6 is a fourth flow diagram of a method of an embodiment of the present application;
FIG. 7 is a fifth flow diagram of a method of an embodiment of the present application;
FIG. 8 is a sixth flow diagram of a method of an embodiment of the present application;
FIG. 9 is a seventh flow diagram of a method of an embodiment of the present application;
FIG. 10 is an eighth flow diagram of a method of an embodiment of the present application;
FIG. 11 is a ninth flow diagram of a method of an embodiment of the present application;
FIG. 12 is a tenth flow diagram of a method of an embodiment of the present application;
FIG. 13 is an eleventh flow diagram of a method of an embodiment of the present application;
FIG. 14 is a twelfth flow diagram of a method of an embodiment of the present application;
FIG. 15 is a thirteenth flow diagram of a method of an embodiment of the present application;
FIG. 16 is a fourteenth flow diagram of a method of an embodiment of the present application.
Detailed Description
Embodiments of the present application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are exemplary only for explaining the embodiments of the present application and are not to be construed as limiting the embodiments of the present application.
The computing power represented by quantum computing has security implications and greatly affects the algorithms of classical cryptography. That is, quantum computing poses a more direct and urgent threat of breaking classical cryptography. For example, Shor's quantum algorithm can solve hard mathematical problems such as large-integer factorization and discrete logarithms in polynomial time, and can quickly break widely used public key cryptographic algorithms such as RSA, ECC, DSA and ElGamal. It will be appreciated that once large-scale quantum computers are realized, applications of classical cryptography such as key agreement, encryption and signing will be affected.
As a result, internet communications whose security is protected by classical cryptographic algorithms face the threat of quantum computing attacks. For example, in the first phase of the national secret IPSec VPN protocol at the network layer, in which the ISAKMP security association is established, key exchange uses a digital envelope that combines SM4 symmetric encryption with SM2 elliptic curve public key encryption, and identity authentication uses digital signatures made with the SM2 elliptic curve algorithm. Although the national secret IPSec VPN protocol provides relatively strong security and forward secrecy using classical PKI techniques, it lacks the ability to resist quantum computing attacks. The national secret IPSec VPN protocol is the key exchange protocol defined by GM/T0022 "IPSec VPN technical specification" and GB/T36968 "information security technology IPSec VPN technical specification"; it is used at the network layer to establish an encrypted communication tunnel between two network devices, and is the most widely used means of secure data transmission and communication channel encryption in the national commercial cryptography field.
At present, technologies for dealing with the threat of quantum computing attacks fall internationally into two main categories: classical quantum-resistant technology, that is, post-quantum cryptography algorithms, and quantum-based quantum-resistant cryptography technology. Quantum key distribution technology uses the principles of quantum mechanics to generate keys that cannot be stolen by a third party, ensuring the security of key transmission. It is particularly suited to key exchange scenarios, where it can replace existing asymmetric key agreement algorithms such as RSA or ECC to improve key security. However, quantum key distribution cannot currently replace all applications of asymmetric algorithms; signature verification and integrity protection, for example, still require asymmetric algorithms.
A post-quantum cryptography algorithm is an asymmetric cryptographic algorithm designed on a new mathematical problem and intended to resist the threat that quantum computers may bring. NIST has published the first 4 post-quantum cryptography algorithms to be standardized, namely Kyber, Dilithium, Falcon and SPHINCS+, which cover multiple technical routes to reduce the risk of a single technology being broken. Post-quantum cryptography algorithms can in theory replace all asymmetric algorithms and are more general. However, their security still depends on the hardness of computational problems, and they may face new attack methods or become insecure as computing power grows in the future. In addition, the post-quantum cryptography algorithm standards have not been formally published, and the production and certification of related products also take time, so large-scale application of post-quantum cryptography algorithms will require a longer period.
Both post-quantum cryptography algorithms and quantum key distribution technology are able to resist quantum computing attacks, but each has limitations, so providing a cryptographic technique that is relatively low in cost, high in security and resistant to quantum computing attacks is a problem to be solved.
Based on the above problems, referring to fig. 1, an embodiment of the present application provides an anti-quantum security enhancement method of a national secret IPSec VPN protocol of a communication network, where the communication network includes a first network device and a second network device, and the method is used by the first network device, and includes:
011: acquiring a first quantum key from a first network node accessing the first network device;
012: performing post-quantum cryptography encryption processing on the first quantum key, and transmitting a first encryption result subjected to the post-quantum cryptography encryption processing to the second network device;
013: decrypting the received second encryption result sent by the second network device to obtain a second decryption result, wherein the second encryption result is obtained by the second network device according to the first encryption result;
014: and obtaining a security association identifier according to the first quantum key, the first encryption result and the second decryption result so as to protect communication between the first network device and the second network device.
The embodiment of the application also provides a network device comprising a memory and a processor. The method of the embodiment of the application can be implemented by this network device. Specifically, the memory stores a computer program, and the processor is configured to: obtain a first quantum key from a first network node accessing the first network device; perform post-quantum cryptographic encryption processing on the first quantum key and send a first encryption result of that processing to the second network device; decrypt a second encryption result received from the second network device to obtain a second decryption result, where the second encryption result is obtained by the second network device according to the first encryption result; and obtain a security association identifier according to the first quantum key, the first encryption result and the second decryption result, so as to protect communication between the first network device and the second network device.
The embodiment of the application also provides first network equipment. The method of the embodiment of the present application may be implemented by the first network device of the embodiment of the present application. Specifically, the first network device includes an acquisition module, an encryption module, a decryption module, and a derivation module. The acquisition module is used for acquiring a first quantum key from a first network node accessed to first network equipment. The encryption module is used for carrying out post-quantum cryptography encryption processing on the first quantum key and sending a first encryption result subjected to the post-quantum cryptography encryption processing to the second network equipment. The decryption module is used for performing decryption processing on the received second encryption result sent by the second network device so as to obtain a second decryption result, and the second encryption result is obtained by the second network device according to the first encryption result. The deriving module is used for obtaining a security association identifier according to the first quantum key, the first encryption result and the second decryption result so as to protect communication between the first network device and the second network device.
The present application provides a communication system based on a national secret IPSec VPN protocol, the communication system comprising the first network device, the second network device and the quantum key distribution network of the above embodiments, the quantum key distribution network being configured to distribute quantum keys to the first network device or the second network device. In particular, the quantum key distribution network comprises network nodes and a quantum network link control center; the network nodes are used in the quantum key distribution network to store quantum keys. The quantum network link control center can establish quantum key distribution and relay links among the network nodes according to the names of the network nodes, the relay links being used for data transfer and other functions. The quantum key distribution network provides services such as quantum key generation, quantum key relay and quantum key provision.
Referring to FIG. 2, in some embodiments, the first network device and the second network device communicate, for example to exchange keys, through an IPSec encryption tunnel, that is, an encrypted communication tunnel established between the first network device and the second network device that uses the IPsec (Internet Protocol Security) protocols to protect the transmission of IP packets at the network layer. Each network device has a network node that it accesses, and the network device applies to that network node for a quantum key through a trusted channel. After the application is approved, the network node sends the quantum key to the network device through the trusted channel. When the first network device successfully applies for and obtains the quantum key distributed by the network node it accesses, the quantum network link control center synchronously controls the network node accessed by the second network device to generate the quantum key, but that quantum key is not immediately sent to the second network device. The correspondence among the first network device, the second network device and the network nodes is provided by the management and control platform.
It should be noted that, in the embodiment of the present application, the FIPS 203 Module-Lattice-Based Key-Encapsulation Mechanism Standard is taken as the PQC key encapsulation algorithm and the FIPS 204 Module-Lattice-Based Digital Signature Standard as the PQC digital signature algorithm, and the following description of PQC operations refers to these FIPS standards. Of course, in other embodiments, other algorithms such as the NewHope algorithm, the SIDH algorithm or the HQC algorithm may be used as the PQC algorithms. It should further be noted that the embodiments of the present application are directed to the IPSec VPN protocol defined by GM/T0022 "IPSec VPN technical specification" and GB/T36968 "information security technology IPSec VPN technical specification", hereinafter referred to as the "national secret IPSec VPN protocol".
Specifically, in the embodiment of the application, the first network device acquires a first quantum key from a first network node accessed to the first network device, and the first quantum key is used for generating a key with higher security so as to resist quantum computing attack. And the first network device performs post quantum cryptography encryption processing on the first quantum key, and sends a first encryption result subjected to the post quantum cryptography encryption processing to the second network device. By combining the post quantum cryptography technology and the quantum key distribution technology, the confidentiality of the key is improved, and the encryption result is sent to the second network equipment for sharing, so that the first network equipment and the second network equipment ensure the consistency of data in the communication of the communication network.
Then, the second network device receives a first encryption result of the first network device for performing post-quantum cryptography encryption processing on the first quantum key, wherein the first quantum key is acquired from the accessed first network node by the first network device. And then, carrying out decryption processing on the first encryption result to obtain a first decryption result. And then carrying out encryption processing on the first decryption result to obtain a second encryption result. After obtaining the second encryption result, the second network device sends the second encryption result to the first network device.
And then, the first network equipment decrypts the received second encryption result sent by the second network equipment to obtain a second decryption result, so that the information of the second network equipment is shared, and the consistency of the data of the first network equipment and the second network equipment in the communication process of the communication network is ensured.
Finally, the first network device obtains a security association identifier according to the first quantum key, the first encryption result and the second decryption result so as to protect communication between the first network device and the second network device. In this way, the quantum key distribution technology and the post quantum cryptography algorithm are combined to generate the security association identifier, so that the quantum computing attack resistance of communication between the first network device and the second network device is enhanced.
In the embodiment of the present application, the initiator IPSec VPN gateway is the first network device, hereinafter referred to as the initiator gateway; an IPSec VPN gateway obtains a session key through the national secret IPSec VPN key exchange protocol and uses the session key to establish an IPSec encryption channel that encrypts and decrypts service data transmitted over the network. The responder IPSec VPN gateway is the second network device, hereinafter referred to as the responder gateway. A quantum network node is a network node that stores the generated quantum keys and provides them to the IPSec VPN gateway through a trusted channel. Referring to FIG. 3, the initiator gateway obtains a first quantum key QK_UUID1 from the first quantum network node accessing the first network device. After the first quantum key QK_UUID1 is obtained, it is encrypted with a post-quantum cryptographic algorithm to obtain a first encryption result, which comprises an IKEv1 protocol header (HDR), XCH1 and SIG1. The initiator gateway sends the first encryption result to the second network device.
Then, the responder gateway receives the first encryption result sent by the initiator gateway, and decrypts the first encryption result to obtain a first decryption result. And the responder gateway performs post quantum cryptography encryption processing on the first decryption result to obtain a second encryption result, wherein the second encryption result comprises HDR, XCH2 and SIG2. After obtaining the second encryption result, the responder gateway sends the second encryption result to the initiator gateway.
The initiator gateway then receives the second encryption result sent by the responder gateway and decrypts it to obtain a second decryption result. Next, the initiator calculates the security association identifier SKEYID according to the national secret IPSec VPN protocol from the relevant information in the first encryption result and in the second decryption result. Communication between the initiator gateway and the responder gateway is encrypted according to the security association identifier SKEYID to protect the communication data. In this way, communication between the initiator gateway and the responder gateway can be protected and data transferred securely even in the face of the threat that quantum computers may pose. By using post-quantum cryptography algorithms and quantum key distribution techniques, communications can be more secure against that threat.
In summary, in the anti-quantum security enhancement method, the communication system, the first network device and the second network device of the national secret IPSec VPN protocol of the communication network according to the embodiments of the present application, during communication between the first network device and the second network device, the first network device applies for and obtains a first quantum key and a quantum key identifier, and uses a post-quantum cryptographic algorithm to encrypt the quantum key identifier and the data exchanged during communication, thereby protecting the transmission of the quantum key identifier; post-quantum cryptographic algorithms are a series of encryption algorithms intended to resist quantum computing attacks. After obtaining the quantum key identifier, the second network device applies for and obtains a second quantum key, and the quantum key is used in establishing the security association for communication between the first network device and the second network device. This enhances the quantum resistance of the network communication between the first network device and the second network device.
Referring to fig. 4, in some embodiments, the method further comprises:
016: accessing a first network node through a pre-established channel;
017: loading a security certificate of the first network device or a security certificate of the second network device.
In some embodiments, the access module is configured to access the first network node through a pre-established channel, and the loading module is configured to load a security certificate of the first network device or a security certificate of the second network device.
In some embodiments, the processor is further configured to access the first network node over a pre-established channel and load a security certificate of the first network device or a security certificate of the second network device.
Specifically, before data transmission is performed with the second network device, the first network device accesses the first network node through a pre-established channel, and the pre-established channel can protect data in the data transmission process, so that the risk of unauthorized access in the transmission process is reduced. Then, the first network device loads the security certificate of the first network device or the security certificate of the second network device, and after the security certificate is loaded, the security certificate is used for establishing and maintaining a secure communication channel, so that the security of data in the transmission process is enhanced.
Continuing the above example and referring again to FIG. 3, before the initiator gateway and the responder gateway transmit data, the initiator gateway accesses the physically closest, authorized first quantum network node through a trusted channel. A trusted channel is a mechanism or protocol that provides a secure communication path between two communicating entities; one way of establishing it is to connect the initiator gateway and the first quantum network node directly inside the same cabinet with a shielded network cable. Such a channel ensures the confidentiality, integrity and availability of data during transmission and prevents unauthorized access, tampering or eavesdropping. Meanwhile, the initiator gateway and the responder gateway each load, by offline import, the public key of the other side's post-quantum cryptography key pair or their own post-quantum cryptography certificates issued by the certificate system; the certificates comprise an encryption certificate and a signature certificate. With offline import, the transfer of the key or certificate cannot be monitored or attacked through the Internet or other network paths, which ensures the security of the transfer.
Thus, the initiator gateway accesses the first quantum network node through the trusted channel and loads the security certificate in an offline import mode, thereby ensuring confidentiality of network equipment data and reducing the risk of data leakage.
Referring to fig. 5, in some embodiments, step 011 (acquiring a first quantum key from a first network node accessing a first network device) includes:
0111: sending a quantum key application to a first network node accessed to first network equipment;
0112: and receiving a first quantum key and a quantum key identifier which are distributed by the first network node according to the quantum key application, wherein the quantum key identifier is obtained by labeling the first quantum key by the first network node by utilizing an identification code of first network equipment.
In some embodiments, the sending module is configured to send the quantum key application to a first network node that is accessed to the first network device. The receiving module is used for receiving a first quantum key and a quantum key identifier which are distributed by the first network node according to the quantum key application, wherein the quantum key identifier is obtained by marking the first quantum key by the first network node by utilizing an identification code of first network equipment.
In some embodiments, the processor is further configured to send a quantum key application to a first network node that accesses the first network device, and receive a first quantum key and a quantum key identifier that the first network node distributes according to the quantum key application, where the quantum key identifier is obtained by labeling the first quantum key with an identification code of the first network device by the first network node.
Specifically, the first network device sends a quantum key application to a first network node accessing the first network device. After the first network node passes the quantum key application, a first quantum key generated from the quantum key distribution network and a quantum key identifier are distributed to network equipment, wherein the quantum key identifier is obtained by labeling the first quantum key by the first network node through the identification code of the first network equipment, and the quantum key identifier is beneficial to management and use of the quantum key. This results in a first quantum key and a quantum key identifier for key derivation in a subsequent process.
Continuing the above example and referring again to FIG. 3, the initiator gateway and the responder gateway send messages 1 and 2 of the first-phase key agreement according to the national secret IPSec VPN protocol. After the key agreement is completed, a quantum key application is sent to the first quantum network node directly connected to the initiator gateway to obtain a quantum key. That node distributes to the initiator gateway, through a trusted channel, a first quantum key QK_UUID1 of more than 128 bits generated by the quantum key distribution network, together with a quantum key identifier UUID_QK. The quantum key identifier is obtained by the first quantum network node accessed by the initiator gateway labeling the first quantum key with the unique universal identification code of the initiator gateway, and it facilitates management and use of the quantum key. Meanwhile, the quantum network link control center generates a matching second quantum key QK_UUID2 through the quantum key distribution network and stores it in the second quantum network node accessed by the responder gateway, instead of distributing it directly to the responder gateway.
In this way, the initiator gateway obtains the first quantum key QK_UUID1 and the quantum key identifier UUID_QK for subsequent key derivation.
Referring to fig. 6, in some embodiments, step 012 (performing post-quantum cryptography encryption processing on the first quantum key and transmitting a first encryption result of the post-quantum cryptography encryption processing to the second network device) includes:
0121: splicing the quantum key identifier and the randomly generated first random number to obtain a first encrypted message;
0122: performing post quantum cryptography derivation processing on the first encrypted message to obtain a first session key;
0123: performing exclusive-or processing on a randomly generated first temporary key and the first session key to obtain a first exclusive-or key, and transmitting the encrypted first exclusive-or key to the second network device;
0124: performing post quantum cryptography encryption processing on the first encrypted message to obtain a second encrypted message in the first encrypted result;
0125: encrypting the first session random number according to the first temporary key to obtain a first session encryption message in a first encryption result;
0126: obtaining a first verification message according to the quantum key identifier, the first session random number and the first identification information;
0127: performing post quantum cryptography signature processing on the first verification message to obtain a first signature message in a first encryption result;
0128: and sending the first encryption result to the second network device.
In some embodiments, the splicing module is configured to perform splicing processing on the quantum key identifier and the randomly generated first random number to obtain a first encrypted message, and the derivation module is configured to perform post quantum cryptography derivation processing on the first encrypted message to obtain the first session key. The processing module is used for performing exclusive-or processing on the randomly generated first temporary key and the first session key to obtain a first exclusive-or key, and the first exclusive-or key is encrypted and then sent to the second network device. The encryption module is used for carrying out post quantum cryptography encryption processing on the first encrypted message so as to obtain a second encrypted message in the first encryption result. The encryption module is further used for encrypting the first session random number according to the first temporary key to obtain a first session encryption message in the first encryption result. The splicing module is also used for obtaining a first verification message according to the quantum key identifier, the first session random number and the first identification information. The signature module is used for carrying out post quantum cryptography signature processing on the first verification message so as to obtain a first signature message in the first encryption result. The sending module is used for sending the first encryption result to the second network device.
In some embodiments, the processor is further configured to splice the quantum key identifier and the randomly generated first random number to obtain a first encrypted message, perform post-quantum cryptographic derivation processing on the first encrypted message to obtain a first session key, perform exclusive-or processing on the randomly generated first temporary key and the first session key to obtain a first exclusive-or key, encrypt the first exclusive-or key, send the encrypted first exclusive-or key to the second network device, and perform post-quantum cryptographic encryption processing on the first encrypted message to obtain a second encrypted message in the first encrypted result. The processor is further configured to encrypt the first session random number according to the first temporary key to obtain a first session encrypted message in a first encrypted result, obtain a first verification message according to the quantum key identifier, the first session random number and the first identification information, and perform post quantum cryptographic signature processing on the first verification message to obtain a first signed message in the first encrypted result and send the first encrypted result to the second network device.
Specifically, the first network device performs splicing processing on the quantum key identifier and the randomly generated first random number to obtain a first encrypted message. The first network device then performs post quantum cryptography derivation processing on the first encrypted message to obtain a first session key. Then, the first network device performs exclusive-or processing on the randomly generated first temporary key and the first session key to obtain a first exclusive-or key, and the first exclusive-or key is encrypted and then sent to the second network device. The first network device performs post quantum cryptography encryption processing on the first encrypted message to obtain a second encrypted message in the first encryption result. The first network device encrypts the first session random number according to the first temporary key to obtain a first session encryption message in the first encryption result. The first network device obtains a first verification message according to the quantum key identifier, the first session random number and the first identification information, and performs post-quantum cryptographic signature processing on the first verification message to obtain a first signature message in the first encryption result. Finally, the first network device sends the first encryption result to the second network device. Thus, the first network device increases the confidentiality of the quantum key identifier by concatenating the quantum key identifier with the first random number, and processes the quantum key identifier and its derivatives using a post-quantum cryptographic algorithm to combine the quantum key distribution technique with the post-quantum cryptographic technique to increase the complexity of the quantum key identifier.
Continuing the above example, message 3 is the first encryption result. Referring back to fig. 3, after the initiator gateway obtains the first quantum key QK_UUID1 and the quantum key identifier UUID_QK, the initiator gateway sends message 3 to the responder gateway, where message 3 includes HDR, XCH1, and SIG1. First, the initiator gateway splices the quantum key identifier and the randomly generated first random number r1 to obtain a first encrypted message m1. Next, the initiator gateway applies the G function of the PQC algorithm to the first encrypted message m1, used as the encrypted message m in the PQC key encapsulation algorithm, to obtain the first session key K1. The initiator gateway performs exclusive-or processing on the randomly generated first temporary key SK1 and the first session key K1 to obtain a first exclusive-or key Y1, namely Sk1 ⊕ K1, and the first exclusive-or key Y1 is sent to the responder gateway under SM2 elliptic curve public key encryption protection. The initiator gateway then performs PQC encryption encapsulation on the first encrypted message m1 to obtain a second encrypted message m2.
In addition, the initiator gateway uses the first temporary key SK1 to carry out SM2 elliptic curve public key encryption protection on the first session random number Nonce1 calculated by the initiator gateway to obtain a first session encryption message H1. In the conventional national secret IPSec VPN protocol, the initiator gateway also uses the first temporary key SK1 to perform SM2 elliptic curve public key encryption protection on the first identification information ID1 of the initiator. XCH1 in message 3 is obtained by splicing the first exclusive-or key Y1 encrypted and protected by using the SM2 elliptic curve public key, the second encrypted message m2, the first session encrypted message H1, the first identification information ID1 symmetrically encrypted and protected by using SM4, an encryption certificate CERT_sig_1 of the initiator gateway, and a signature certificate CERT_enc_1 of the initiator gateway. When the initiator gateway has a PQC certificate, XCH1 also needs to splice the PQC encryption certificate CERT_PQC_sig_1 of the initiator gateway and the PQC signature certificate CERT_PQC_enc_1 of the initiator gateway. XCH1 is as follows:
XCH1 = Asymmetric_Encrypt(Sk1 ⊕ K1, pub_2) | PQC_Encaps(m1, pqc_pub_2) | Symmetric_Encrypt(Nonce1, Sk1) | Symmetric_Encrypt(ID1, Sk1) | CERT_sig_1 | CERT_enc_1 | [CERT_PQC_sig_1] | [CERT_PQC_enc_1]
Meanwhile, the initiator gateway performs splicing processing on the first temporary key SK1, the first session random number Nonce1 calculated by the initiator gateway, the first identification information ID1 of the initiator gateway and the encryption certificate CERT_sig_1 to obtain a first temporary spliced body, and digitally signs the first temporary spliced body using the SM2 elliptic curve algorithm. The initiator gateway splices the first quantum key QK_UUID1, the first session random number Nonce1 calculated by the initiator and the first identification information ID1 of the initiator to obtain a first verification message, and then performs PQC signature protection on the first verification message, used as the signed data M in the PQC signature algorithm, by using a post-quantum cryptographic signature algorithm to obtain a first signature message M1. SIG1 is obtained by splicing the first temporary spliced body digitally signed using the SM2 elliptic curve algorithm and the first signature message. SIG1 is shown below:
SIG1 = Asymmetric_Sign(Sk1 | Nonce1 | ID1 | CERT_enc_1, priv_1) | PQC_Sign(UUID_QK | Nonce1 | ID1, pqc_priv_1)
And finally the initiator gateway sends the message 3 to the responder gateway.
In this way, the initiator gateway sends the first session random number Nonce1 calculated by the initiator itself to the responder gateway, so that the responder gateway obtains the first session random number Nonce1 for the subsequent process. The initiator gateway increases the confidentiality of the quantum key identifier by concatenating the quantum key identifier UUID_QK with the randomly generated first random number r1, and processes the quantum key identifier UUID_QK and its derivative by using a post quantum cryptographic algorithm to combine the quantum key distribution technique with the post quantum cryptographic technique to increase the complexity of the quantum key identifier.
Referring to fig. 7, in some embodiments, step 013 (performing decryption processing on the received second encryption result sent by the second network device to obtain a second decryption result, where the second encryption result is obtained by the second network device according to the first encryption result) includes:
0131: receiving a second encryption result sent by the second network device, wherein the second encryption result is obtained by encrypting the first decryption result by the second network device, and the first decryption result is obtained by decrypting the first encryption result by the second network device;
0132: and carrying out post quantum cryptography decryption processing on the second encryption result to obtain a second decryption result, wherein the second decryption result comprises a third encryption message, a quantum key identifier, a second exclusive-or key, a second session encryption message and a second signature message.
In some embodiments, the receiving module is configured to receive a second encryption result sent by the second network device, where the second encryption result is obtained by encrypting the first decryption result by the second network device, and the first decryption result is obtained by decrypting the first encryption result by the second network device. The decryption module is used for performing post quantum cryptography decryption processing on the second encryption result to obtain a second decryption result, wherein the second decryption result comprises a third encryption message, a quantum key identifier, a second exclusive-or key, a second session encryption message and a second signature message.
In some embodiments, the processor is further configured to receive a second encryption result sent by the second network device, where the second encryption result is obtained by encrypting the first decryption result by the second network device, and the first decryption result is obtained by decrypting the first encryption result by the second network device. The processor is further configured to perform post quantum cryptography decryption processing on the second encryption result to obtain a second decryption result, wherein the second decryption result comprises a third encryption message, a quantum key identifier, a second exclusive-or key, a second session encryption message and a second signature message.
Specifically, the first network device receives a second encryption result sent by the second network device, the second encryption result is obtained by performing post quantum cryptography encryption processing on the first decryption result by the second network device, and the first decryption result is obtained by performing decryption processing on the first encryption result by the second network device. And then, the first network device decrypts the second encryption result to obtain a second decryption result, wherein the second decryption result comprises a third encryption message, a quantum key identifier, a second exclusive-or key, a second session encryption message and a second signature message. In this way the first network device determines the availability of a channel for communication with the second network device and obtains key information for the second network device, which key information can be used in combination with the associated key information of the network device to generate a higher security key.
Continuing the above example, message 4 is the second encryption result. Referring to fig. 3 again, the initiator gateway receives the message 4 sent by the responder gateway, where the message 4 is obtained by performing post quantum cryptography encryption processing on a first decryption result by the client, and the first decryption result is obtained by performing decryption processing on the message 3 by the secure access gateway. Then, the initiator gateway decrypts the message 4 to obtain a second decryption result, where the second decryption result includes the third encrypted message m3, the quantum key identifier UUID_QK, the second exclusive-or key Y2, the second session encrypted message H2, and the second signed message M2.
In this way, the initiator gateway determines the availability of the channel for communication with the responder and obtains the key information of the responder, and the key information can be combined with the related key information of the initiator gateway to generate a key with higher security.
Referring to fig. 8, in some embodiments, the method further comprises:
018: obtaining a second verification message according to the second signature message, wherein the second verification message is obtained by the quantum key identifier, the second session random number and the second identification information;
019: and performing post-quantum signature verification processing on the second signature message to confirm the correctness of the second verification message.
In some embodiments, the processing module is configured to obtain a second verification message from the second signature message, the second verification message being obtained from the quantum key identifier, the second session random number, and the second identification information. The signature verification module is used for performing post-quantum signature verification processing on the second signature message so as to confirm the correctness of the second verification message.
In some embodiments, the processor is further configured to obtain a second verification message according to the second signature message, where the second verification message is obtained from the quantum key identifier, the second session random number, and the second identification information, and to perform post-quantum signature verification processing on the second signature message to confirm the correctness of the second verification message.
Specifically, the first network device obtains a second verification message according to the second signature message, and the second verification message is obtained by splicing the quantum key identifier, the second session random number and the second identification information. The first network device then performs post-quantum cryptographic signature verification processing on the second signature message to confirm the correctness of the second verification message. By means of signature verification, the first network device can confirm the identity of the second network device and the integrity of the data, which provides a security guarantee for subsequent data transmission.
Continuing the above example and referring again to fig. 3, the initiator gateway obtains a second verification message according to the second signature message M2, and then performs post-quantum cryptographic signature verification processing on the second signature message M2 to confirm the correctness of the second verification message, that is, to confirm that the correct quantum key identifier UUID_QK, the second session random number Nonce2, and the second identification information ID2 are received.
In this way, the initiator gateway and the responder gateway achieve secure data exchange and communication, ensuring confidentiality, integrity and source authenticity of the data.
Referring to fig. 9, in some embodiments, the method further comprises:
020: obtaining a second session key according to the third encrypted message;
021: obtaining a second temporary key according to the second session key and the second exclusive-or key;
022: and decrypting the second session encryption message according to the second temporary key to obtain a second session random number.
In some embodiments, the deriving module is further configured to obtain a second session key from the third encrypted message, and the processing module is configured to obtain a second temporary key from the second session key and the second exclusive-or key. The decryption module is further configured to decrypt the second session encrypted message according to the second temporary key to obtain a second session random number.
In some embodiments, the processor is further configured to obtain a second session key from the third encrypted message, obtain a second temporary key from the second session key and the second exclusive-or key, and decrypt the second session encrypted message according to the second temporary key to obtain the second session random number.
Specifically, the first network device calculates a second session key according to the third encrypted message, and then obtains a second temporary key according to the second session key and the second exclusive-or key. The first network device then decrypts the second session encryption message according to the second temporary key to obtain a second session random number. The second session random number is thus obtained to generate a security association identifier for securing communications between the first network device and the second network device.
Continuing the above example, please refer to fig. 3 again, the initiator gateway obtains the second session key K2 according to the third encrypted message m3, and obtains the second temporary key SK2 according to the second session key K2 and the second exclusive-or key Y2. Next, the initiator gateway decrypts the second session encrypted message H2 according to the second temporary key SK2 to obtain a second session random number Nonce2.
In this manner, the initiator gateway obtains the second session random number Nonce2 to generate the security association identifier SKEYID for use in securing communications between the first network device and the second network device.
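The masking of the temporary key in message 3 (Y1 = Sk1 ⊕ K1 with K1 = G(m1)) and its recovery in steps 020 to 022 can be followed in the sketch below, which is an added example and not code from the patent. SM2 encryption of Y and PQC encapsulation of m are not modelled; SHAKE-256 standing in for the G function, the 16-byte field lengths, the construction of m3 as UUID_QK | r2 and all function names are assumptions.

```python
import hashlib
import secrets
from typing import Tuple

UUID_LEN = 16  # assumed byte length of the quantum key identifier UUID_QK
RAND_LEN = 16  # assumed byte length of the random numbers r1 / r2
KEY_LEN = 16   # assumed byte length of SK and K (a 128-bit SM4 key)


def build_m(uuid_qk: bytes, r: bytes) -> bytes:
    """m = UUID_QK | r, the value that is later PQC-encapsulated."""
    if len(uuid_qk) != UUID_LEN or len(r) != RAND_LEN:
        raise ValueError("UUID_QK or random number has the wrong length")
    return uuid_qk + r


def split_m(m: bytes) -> Tuple[bytes, bytes]:
    """Receiver side: fixed field lengths make the split unambiguous."""
    if len(m) != UUID_LEN + RAND_LEN:
        raise ValueError("decapsulated m has the wrong length")
    return m[:UUID_LEN], m[UUID_LEN:]


def g_function(m: bytes) -> bytes:
    """Stand-in for the KEM's G function (assumption): K = G(m)."""
    return hashlib.shake_256(b"G-stand-in|" + m).digest(KEY_LEN)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def mask_temporary_key(sk: bytes, m: bytes) -> bytes:
    """Sender: Y = SK xor G(m). Y travels under SM2, m under the PQC KEM."""
    return xor_bytes(sk, g_function(m))


def recover_temporary_key(y: bytes, m: bytes) -> bytes:
    """Receiver: SK = Y xor G(m); both Y and m are needed to get SK back."""
    return xor_bytes(y, g_function(m))


def run_exchange(uuid_qk: bytes) -> dict:
    """Both directions of the exchange with freshly generated random values."""
    # Initiator, message 3.
    sk1 = secrets.token_bytes(KEY_LEN)
    m1 = build_m(uuid_qk, secrets.token_bytes(RAND_LEN))
    y1 = mask_temporary_key(sk1, m1)

    # Responder: m1 comes out of PQC decapsulation, y1 out of SM2 decryption.
    uuid_at_responder, _r1 = split_m(m1)
    sk1_at_responder = recover_temporary_key(y1, m1)

    # Responder, message 4 (m3 built like m1: an assumption).
    sk2 = secrets.token_bytes(KEY_LEN)
    m3 = build_m(uuid_at_responder, secrets.token_bytes(RAND_LEN))
    y2 = mask_temporary_key(sk2, m3)

    # Initiator, steps 020-021: K2 from m3, then SK2 = Y2 xor K2.
    sk2_at_initiator = recover_temporary_key(y2, m3)

    return {
        "sk1": sk1, "sk1_at_responder": sk1_at_responder,
        "sk2": sk2, "sk2_at_initiator": sk2_at_initiator,
        "uuid_at_responder": uuid_at_responder,
    }


if __name__ == "__main__":
    constructed_uuid = bytes(range(UUID_LEN))  # constructed sample identifier
    result = run_exchange(constructed_uuid)
    print("SK1 agreed:", result["sk1"] == result["sk1_at_responder"])
    print("SK2 agreed:", result["sk2"] == result["sk2_at_initiator"])
```

Because SK is only recoverable from Y and m together, the temporary key stays protected as long as either the SM2 layer carrying Y or the PQC layer carrying m holds.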
Referring to fig. 10, in some embodiments, the method further comprises:
023: performing key negotiation with the second network device to exchange the identification random number;
Step 014 (deriving a security association identifier from the first quantum key, the first encryption result and the second decryption result to secure communications between the first network device and the second network device) includes:
0141: and obtaining a security association identifier according to the identification random number, the first quantum key, the first encryption result and the second decryption result so as to protect communication between the first network device and the second network device, wherein the identification random number comprises a first identification random number and a second identification random number.
In some embodiments, the negotiation module is further configured to perform a key negotiation with the second network device to exchange the identification random number. The processing module is further configured to obtain a security association identifier according to the identification random number, the first quantum key, the first encryption result, and the second decryption result, so as to protect communication between the first network device and the second network device, where the identification random number includes a first identification random number and a second identification random number.
In some embodiments, the processor is further configured to perform key agreement with the second network device to exchange an identification random number, and obtain a security association identifier according to the identification random number, the first quantum key, the first encryption result, and the second decryption result to secure communications between the first network device and the second network device, the identification random number including the first identification random number and the second identification random number.
Specifically, the first network device performs key agreement with the second network device to exchange the identification random number. The first network device then obtains a security association identifier according to the identification random number, the first quantum key, the first encryption result and the second decryption result so as to protect communication between the first network device and the second network device, wherein the identification random number comprises a first identification random number and a second identification random number. This increases the confidentiality of the security association identifier by adding the identification random number, and thus the communication between the first network device and the second network device can be well protected.
Continuing the above example, the initiator gateway performs key agreement with the responder gateway: the initiator gateway sends message 1 to the responder gateway, and the responder gateway sends message 2 to the initiator gateway. Message 1 includes HDR and the ISAKMP Security Association (SA), and message 2 includes HDR, SA, the encryption certificate CERT_sig_2 of the responder gateway, and the signature certificate CERT_enc_2 of the responder gateway. If the responder gateway has a PQC security certificate, the responder gateway also needs to send its PQC encryption certificate CERT_PQC_sig_2 and its PQC signature certificate CERT_PQC_enc_2. In this process, the initiator gateway and the responder gateway also exchange an identification random number Cookie. The initiator gateway obtains a security association identifier SKEYID according to the identification random number Cookie, the first quantum key QK_UUID1, the message 3 and the message 4, wherein the identification random number Cookie comprises a first identification random number Cookie1 of the initiator gateway and a second identification random number Cookie2 of the responder gateway.
Thus, the confidentiality of the security association identifier SKEYID is increased by adding the identification random number Cookie, and communication between the initiator gateway and the responder gateway can be well protected.
Referring to fig. 11, in some embodiments, step 014 (deriving a security association identifier from the first quantum key, the first encryption result, and the second decryption result to secure communications between the first network device and the second network device) includes:
0142: splicing according to the first session random number, the second session random number and the first quantum key to obtain a session splice;
0143: splicing the first identification random number and the second identification random number to obtain an identification spliced body;
0144: and obtaining a security association identifier according to the session splice and the identification splice so as to protect communication between the first network device and the second network device.
In some embodiments, the splicing module is further configured to perform a splicing process according to the first session random number, the second session random number, and the first quantum key to obtain a session splice, and splice the first identifier random number and the second identifier random number to obtain an identifier splice. The deriving module is further configured to obtain a security association identifier from the session splice and the identification splice to protect communications between the first network device and the second network device.
In some embodiments, the processor is further configured to perform a concatenation process according to the first session random number, the second session random number, and the first quantum key to obtain a session concatenation body, and splice the first identifier random number and the second identifier random number to obtain an identifier concatenation body, and obtain a security association identifier according to the session concatenation body and the identifier concatenation body, so as to protect communications between the first network device and the second network device.
Specifically, the first network device performs splicing processing according to the first session random number, the second session random number and the first quantum key to obtain a session splice. Then, the first network device splices the first identification random number and the second identification random number to obtain an identification splice. Finally, the first network device obtains a security association identifier according to the session splice and the identification splice to protect communication between the first network device and the second network device. In this way, the security of the communication data between the first network device and the second network device is enhanced by processing the quantum key and other randomly generated random numbers and deriving a security association identifier with quantum computing attack resistance for protecting the communication between the first network device and the second network device.
Continuing the above example, the initiator gateway first removes the ISAKMP common header from the first session random number Nonce1 to obtain N1_b, and removes the ISAKMP common header from the second session random number Nonce2 to obtain N2_b. The initiator gateway then splices N1_b, N2_b and the first quantum key QK_UUID1 to obtain a session splice N1_b|N2_b|QK_UUID. Then, the initiator gateway splices the first identification random number Cookie1 and the second identification random number Cookie2 to obtain an identification splice Cookie1|Cookie2. Finally, the initiator gateway uses a hash function together with a pseudo-random function (PRF), taking the session splice N1_b|N2_b|QK_UUID and the identification splice Cookie1|Cookie2 as inputs, to output the security association identifier SKEYID. The initiator gateway derives the subsequent derivative key SKEYID_d, the verification key SKEYID_a and the encryption key SKEYID_e according to the security association identifier SKEYID and the national secret IPSec VPN protocol.
Finally, based on the obtained derivative key SKEYID_d, the verification key SKEYID_a and the encryption key SKEYID_e, the initiator gateway performs the subsequent exchange of the first-phase messages 5 and 6 and the second-phase key exchange according to the national secret IPSec VPN protocol, and obtains a final session key.
In this way, the initiator gateway processes the first quantum key QK_UUID1 and other random numbers generated randomly and derives a security association identifier SKEYID with quantum computation attack resistance, and then generates keys with different functions by using the security association identifier SKEYID so as to protect subsequent communication between the initiator gateway and the responder gateway, thereby enhancing the security of communication data between the initiator gateway and the responder gateway.
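The SKEYID derivation in steps 0142 to 0144 can be worked through as follows; this is an added example, not code from the patent. It assumes the shape SKEYID = prf(hash(N1_b | N2_b | QK_UUID), Cookie1 | Cookie2), modelled on the public-key-encryption mode of RFC 2409, takes the "ISAKMP common header" to be the 4-byte generic payload header of RFC 2408, uses SHA-256 and HMAC-SHA-256 as stand-ins for the protocol's hash and PRF, and derives SKEYID_d/_a/_e in the RFC 2409 pattern without the g^xy term; all names and sample values are constructed.

```python
import hashlib
import hmac
import struct

GENERIC_HDR_LEN = 4  # next payload (1) | reserved (1) | payload length (2)
COOKIE_LEN = 8       # ISAKMP cookies are 8 bytes each


def nonce_payload(body: bytes, next_payload: int = 0) -> bytes:
    """Build a nonce payload: generic payload header followed by the body."""
    header = struct.pack("!BBH", next_payload, 0, GENERIC_HDR_LEN + len(body))
    return header + body


def nonce_body(payload: bytes) -> bytes:
    """Strip the generic header to get N_b, rejecting inconsistent lengths."""
    if len(payload) <= GENERIC_HDR_LEN:
        raise ValueError("nonce payload too short")
    _next, _reserved, length = struct.unpack("!BBH", payload[:GENERIC_HDR_LEN])
    if length != len(payload):
        raise ValueError("payload length field does not match payload size")
    return payload[GENERIC_HDR_LEN:]


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in PRF (assumption): HMAC-SHA-256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_skeyid(nonce1: bytes, nonce2: bytes, quantum_key: bytes,
                  cookie1: bytes, cookie2: bytes) -> bytes:
    """SKEYID from the session splice and the identification splice."""
    if len(cookie1) != COOKIE_LEN or len(cookie2) != COOKIE_LEN:
        raise ValueError("cookies must be 8 bytes each")
    session_splice = nonce_body(nonce1) + nonce_body(nonce2) + quantum_key
    identification_splice = cookie1 + cookie2
    return prf(hashlib.sha256(session_splice).digest(), identification_splice)


def derive_phase1_keys(skeyid: bytes, cookie1: bytes, cookie2: bytes) -> dict:
    """SKEYID_d, SKEYID_a, SKEYID_e chained from SKEYID (assumed formulas)."""
    ids = cookie1 + cookie2
    skeyid_d = prf(skeyid, ids + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + ids + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + ids + b"\x02")
    return {"SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def demo() -> dict:
    """Constructed values: both gateways hold matched quantum keys."""
    cookie1 = bytes.fromhex("1122334455667788")
    cookie2 = bytes.fromhex("99aabbccddeeff00")
    nonce1 = nonce_payload(b"\xaa" * 16)
    nonce2 = nonce_payload(b"\xbb" * 16)
    qk_uuid1 = b"\x5a" * 32  # initiator's copy
    qk_uuid2 = b"\x5a" * 32  # responder's matched copy

    initiator = derive_skeyid(nonce1, nonce2, qk_uuid1, cookie1, cookie2)
    responder = derive_skeyid(nonce1, nonce2, qk_uuid2, cookie1, cookie2)
    # Same nonces and cookies, but no knowledge of the quantum key.
    without_qk = derive_skeyid(nonce1, nonce2, b"\x00" * 32, cookie1, cookie2)
    return {
        "agree": hmac.compare_digest(initiator, responder),
        "qk_matters": not hmac.compare_digest(initiator, without_qk),
        "keys": derive_phase1_keys(initiator, cookie1, cookie2),
    }


if __name__ == "__main__":
    outcome = demo()
    print("gateways agree on SKEYID:", outcome["agree"])
    print("SKEYID depends on the quantum key:", outcome["qk_matters"])
```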
Referring to fig. 12, an embodiment of the present application provides a quantum security enhancement method for a national secret IPSec VPN protocol of a communication network, where the communication network includes a first network device and a second network device, the method is used by the second network device, and the method includes:
031: receiving a first encryption result obtained by the first network device performing post quantum cryptography encryption processing on a first quantum key, wherein the first quantum key is acquired by the first network device from an accessed first network node;
032: decrypting the first encryption result to obtain a first decryption result;
033: performing post quantum cryptography encryption processing on the first decryption result, and transmitting a second encryption result subjected to the post quantum cryptography encryption processing to the first network device;
034: and obtaining a security association identifier according to the second quantum key, the first decryption result and the second encryption result so as to protect communication between the first network device and the second network device.
The embodiment of the application also provides a network device which comprises a memory and a processor. The method of the embodiment of the application can be realized by the network equipment of the embodiment of the application. Specifically, the memory stores a computer program, and the processor is configured to receive a first encryption result obtained by performing post quantum cryptography encryption processing on a first quantum key by using a first network device, where the first quantum key is acquired by the first network device from an accessed first network node. And decrypting the first encryption result to obtain a first decryption result, performing post quantum cryptography encryption processing on the first decryption result, and transmitting a second encryption result subjected to the post quantum cryptography encryption processing to the first network device. The processor is further configured to obtain a security association identifier based on the second quantum key, the first decryption result, and the second encryption result to secure communications between the first network device and the second network device.
The embodiment of the application also provides second network equipment. The method of the embodiment of the present application may be implemented by the second network device of the embodiment of the present application. Specifically, the second network device includes a receiving module, a decrypting module, an encrypting module, and a deriving module. The receiving module is used for receiving a first encryption result obtained by the first network device through post quantum cryptography encryption processing of the first quantum key, and the first quantum key is obtained by the first network device from an accessed first network node. The decryption module is used for carrying out post quantum cryptography encryption processing on the first decryption result and sending a second encryption result subjected to the post quantum cryptography encryption processing to the first network device. The deriving module is used for obtaining a security association identifier according to the second quantum key, the first decryption result and the second encryption result so as to protect communication between the first network device and the second network device.
Specifically, in the embodiment of the application, the first network device acquires a first quantum key from the first network node that it accesses; the first quantum key is used to generate a key with higher security so as to resist quantum computing attacks. The first network device then performs post-quantum cryptography encryption processing on the first quantum key and sends the first encryption result to the second network device. Combining post-quantum cryptography with quantum key distribution improves the confidentiality of the key, and sending the encryption result to the second network device for sharing lets the first network device and the second network device keep their data consistent when communicating over the communication network.
Then, the second network device receives the first encryption result that the first network device produced by performing post-quantum cryptography encryption processing on the first quantum key, where the first quantum key is acquired by the first network device from the accessed first network node. The second network device decrypts the first encryption result to obtain a first decryption result, and then encrypts the first decryption result to obtain a second encryption result. After obtaining the second encryption result, the second network device sends it to the first network device. Finally, the second network device obtains a security association identifier according to the second quantum key, the first decryption result and the second encryption result to encrypt communication between the second network device and the first network device. In this way, the quantum key distribution technology and the post-quantum cryptography algorithm are combined to generate the security association identifier, so that the resistance of communication between the first network device and the second network device to quantum computing attacks is enhanced.
Continuing the above example, referring again to fig. 3, the initiator gateway obtains a first quantum key QK_UUID1 from the first quantum network node that it accesses. After the first quantum key QK_UUID1 is obtained, it is encrypted with a post-quantum cryptography algorithm to obtain a first encryption result, which comprises HDR, XCH1 and SIG1. The initiator gateway sends the first encryption result to the second network device.
Then, the responder gateway receives the first encryption result sent by the initiator gateway and decrypts it to obtain a first decryption result. The responder gateway performs post-quantum cryptography encryption processing on the first decryption result to obtain a second encryption result, which comprises HDR, XCH2 and SIG2. After obtaining the second encryption result, the responder gateway sends it to the initiator gateway.
Finally, the responder gateway obtains a security association identifier SKEYID according to the second quantum key QK_UUID2, the first decryption result and the second encryption result so as to encrypt communication between the responder gateway and the initiator gateway. In this way, the quantum computing attack resistance of communication between the initiator gateway and the responder gateway is enhanced by combining the quantum key distribution technology and the post quantum cryptography algorithm to generate the security association identifier SKEYID.
In summary, in the anti-quantum security enhancement method for the national cryptographic IPSec VPN protocol of a communication network, the communication system, the first network device and the second network device according to the embodiments of the present application, during communication between the first network device and the second network device, the first network device applies for a first quantum key and a quantum key identifier, and uses a post-quantum cryptographic algorithm to encrypt the quantum key identifier and the data exchanged during the communication, so as to protect transmission of the quantum key identifier. Post-quantum cryptographic algorithms are a family of encryption algorithms intended to resist quantum computing attacks. After the second network device obtains the quantum key identifier, it applies for a second quantum key, and the quantum key is used in the communication that establishes the security association between the first network device and the second network device. This enhances the quantum resistance of the network communication between the first network device and the second network device.
Referring to fig. 13, in some embodiments, the first decryption result includes a first signed message, and the method further includes:
035: obtaining a first verification message according to the first signature message, wherein the first verification message is obtained by a quantum key identifier, a first session random number and first identification information;
036: performing post quantum verification processing on the first signature message to confirm correctness of the obtained first verification message and quantum key identifier;
037: and acquiring the second quantum key from a second network node accessed to the second network device under the condition that the obtained quantum key identifier is correct.
In some embodiments, the deriving module is configured to obtain a first verification message from the first signature message, the first verification message being derived from the quantum key identifier, the first session random number, and the first identification information. The signature verification module is used for performing post-quantum signature verification processing on the first signature message so as to confirm the correctness of the obtained first verification message and the quantum key identifier. The obtaining module is used for obtaining the second quantum key from the second network node accessed by the second network device under the condition that the obtained quantum key identifier is correct.
In some embodiments, the processor is further configured to obtain a first verification message according to the first signature message, where the first verification message is obtained from the quantum key identifier, the first session random number, and the first identification information, and perform a post quantum verification processing on the first signature message to confirm correctness of obtaining the first verification message and the quantum key identifier, and obtain the second quantum key from the second network node accessing the second network device if the obtained quantum key identifier is correct.
Specifically, the second network device performs post-quantum cryptography signature verification processing on the first signature message and confirms that a correct first verification message has been received, so as to ensure the integrity of the data and the legitimacy of its source, where the first verification message is obtained from the quantum key identifier, the first session random number and the first identification information. When the received first verification message is confirmed to be correct, the second network device applies for a second quantum key from the second network node that it accesses, according to the quantum key identifier. In this way, the obtained second quantum key matches the first quantum key of the network device, and the second quantum key is used for generating a key with high security and good resistance to quantum computing attacks.
Continuing the above example, referring again to fig. 3, the responder gateway performs post-quantum cryptography signature verification on the first signature message M1 and confirms that a correct first verification message has been received, so as to ensure the integrity of the data and the validity of its source, where the first verification message is obtained from the quantum key identifier UUID_QK, the first session random number Nonce1 and the first identification information ID1. When the received quantum key identifier is confirmed to be correct, the responder gateway applies for a second quantum key QK_UUID2 from the second quantum network node that it accesses, according to the quantum key identifier UUID_QK.
Therefore, the second quantum key QK_UUID2 acquired by the gateway of the responder is ensured to be matched with the first quantum key QK_UUID1 of the network equipment, and the second quantum key is used for generating a key with high security and good quantum computing attack resistance.
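The verify-then-fetch order of steps 035 to 037 can be sketched as follows. This is an added example, not code from the patent: a Lamport one-time signature over SHA-256 stands in for the unnamed PQC signature algorithm, and `QuantumNode`, the field lengths and all sample values are constructed assumptions.

```python
import hashlib
import secrets

# Lamport one-time signature over SHA-256: a hash-based stand-in (assumption)
# for the PQC signature algorithm, which the page does not name.
def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(message: bytes):
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(_h(a), _h(b)) for a, b in priv]
    return priv, pub

def lamport_sign(message: bytes, priv):
    # Reveal one secret per digest bit; a key pair must sign only one message.
    return [priv[i][bit] for i, bit in enumerate(_bits(message))]

def lamport_verify(message: bytes, signature, pub) -> bool:
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(_bits(message)):
        ok &= secrets.compare_digest(_h(signature[i]), pub[i][bit])
    return ok

class QuantumNode:
    """Constructed stand-in for the key store of the second network node."""
    def __init__(self, keys):
        self._keys = dict(keys)
        self.requests = []          # every identifier the node was asked for

    def get_key(self, uuid_qk: bytes) -> bytes:
        self.requests.append(uuid_qk)
        return self._keys[uuid_qk]

def verification_message(uuid_qk: bytes, nonce1: bytes, id1: bytes) -> bytes:
    # Step 035: splice UUID_QK | Nonce1 | ID1 (fixed-length fields assumed here).
    return uuid_qk + nonce1 + id1

def fetch_second_quantum_key(node, pqc_pub_1, uuid_qk, nonce1, id1, signed_m1):
    """Steps 036-037: query the node only after the signature verifies."""
    message = verification_message(uuid_qk, nonce1, id1)
    if not lamport_verify(message, signed_m1, pqc_pub_1):
        return None                 # identifier not authenticated: no key request
    return node.get_key(uuid_qk)

def demo():
    priv, pub = lamport_keygen()
    uuid_qk = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    other_uuid = bytes(16)                                       # constructed
    nonce1 = secrets.token_bytes(16)
    id1 = b"initiator-gw"
    node = QuantumNode({uuid_qk: b"\x11" * 32, other_uuid: b"\x22" * 32})
    m1 = lamport_sign(verification_message(uuid_qk, nonce1, id1), priv)
    good = fetch_second_quantum_key(node, pub, uuid_qk, nonce1, id1, m1)
    # Same signature presented with a substituted identifier must be rejected.
    swapped = fetch_second_quantum_key(node, pub, other_uuid, nonce1, id1, m1)
    return good, swapped, node.requests

if __name__ == "__main__":
    good, swapped, requests = demo()
    print(good.hex(), swapped, [r.hex() for r in requests])
```

Because the identifier is inside the signed data, a substituted UUID_QK never reaches the quantum node, so the node's request log only contains authenticated identifiers.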
Referring to fig. 14, in some embodiments, the first decryption result includes a quantum key identifier, step 033 (post quantum cryptographic encryption processing of the first decryption result) includes:
0331: splicing the quantum key identifier and the randomly generated second random number to obtain a third encrypted message;
0332: performing post quantum cryptography derivation processing on the third encrypted message to obtain a second session key;
0333: performing exclusive-or processing on the randomly generated second temporary key and the second session key to obtain a second exclusive-or key, and transmitting the encrypted second exclusive-or key to the first network equipment;
0334: performing post quantum cryptography encryption processing on the third encrypted message to obtain a fourth encrypted message in the second encryption result;
0335: encrypting the second session random number according to the second temporary key to obtain a third session encryption message in a second encryption result;
0336: obtaining a second verification message according to the quantum key identifier, the second session random number and the second identification information;
0337: performing post quantum cryptography signature processing on the second verification message to obtain a second signature message in a second encryption result;
0338: and sending the second encryption result to the first network device.
In some embodiments, the concatenation module is configured to perform concatenation processing on the quantum key identifier and the second random number generated randomly to obtain a third encrypted message, and the derivation module is configured to perform post quantum cryptography derivation processing on the third encrypted message to obtain the second session key. The processing module is used for performing exclusive-or processing on the second temporary key and the second session key which are randomly generated to obtain a second exclusive-or key, and the second exclusive-or key is encrypted and then sent to the first network equipment. The encryption module is used for carrying out post quantum cryptography encryption processing on the third encrypted message so as to obtain a fourth encrypted message in the second encryption result. The encryption module is further used for carrying out encryption processing on the second session random number according to the second temporary key to obtain a third session encryption message in the second encryption result. The splicing module is also used for obtaining a second verification message according to the quantum key identifier, the second session random number and the second identification information. The signature module is used for carrying out post quantum cryptography signature processing on the second verification message so as to obtain a second signature message in a second encryption result. The sending module is used for sending the second encryption result to the first network device.
In some embodiments, the processor is further configured to splice the quantum key identifier and the randomly generated second random number to obtain a third encrypted message, perform post-quantum cryptographic derivation processing on the third encrypted message to obtain a second session key, and perform exclusive-or processing on the randomly generated second temporary key and the second session key to obtain a second exclusive-or key, where the second exclusive-or key is encrypted and then sent to the first network device, and perform post-quantum cryptographic encryption processing on the third encrypted message to obtain a fourth encrypted message in the second encryption result. The processor is further configured to encrypt the second session random number according to the second temporary key to obtain a third session encrypted message in a second encrypted result, obtain a second verification message according to the quantum key identifier, the second session random number and the second identification information, and perform post quantum cryptographic signature processing on the second verification message to obtain a second signed message in the second encrypted result and send the second encrypted result to the first network device.
Specifically, the second network device performs splicing processing on the quantum key identifier and the randomly generated second random number to obtain a third encrypted message. The second network device then performs post-quantum cryptography derivation processing on the third encrypted message to obtain a second session key. Next, the second network device performs exclusive-or processing on the randomly generated second temporary key and the second session key to obtain a second exclusive-or key, which is encrypted and then sent to the first network device. The second network device performs post-quantum cryptography encryption processing on the third encrypted message to obtain a fourth encrypted message in the second encryption result. The second network device encrypts the second session random number according to the second temporary key to obtain a second session encryption message in the second encryption result. The second network device obtains a second verification message according to the quantum key identifier, the second session random number and the second identification information, and performs post-quantum cryptographic signature processing on the second verification message to obtain a second signature message in the second encryption result. Finally, the second network device sends the second encryption result to the first network device. Thus, the second network device increases the confidentiality of the quantum key identifier by concatenating it with the second random number, and processes the quantum key identifier and its derivatives using a post-quantum cryptographic algorithm, combining the quantum key distribution technique with the post-quantum cryptographic technique to increase the complexity of the quantum key identifier.
Continuing the above example, referring again to fig. 3, after the responder gateway obtains the second quantum key QK_UUID2, the responder gateway sends a message 4 to the initiator gateway, where the message 4 includes HDR, XCH2, and SIG2. First, the responder gateway splices the quantum key identifier and the randomly generated second random number r2 to obtain a third encrypted message m3. Then, the responder gateway applies the G function of the PQC algorithm to the third encrypted message m3, used as the encrypted message m in the PQC key encapsulation algorithm, to obtain the second session key K2. The responder gateway performs exclusive-or processing on the randomly generated second temporary key SK2 and the second session key K2 to obtain a second exclusive-or key Y2, that is, SK2 is masked with K2, and the second exclusive-or key Y2 is sent to the initiator gateway under SM2 elliptic curve public key encryption protection. The responder gateway performs PQC encryption encapsulation on the third encrypted message m3 to obtain a fourth encrypted message m4.
In addition, the responder gateway uses the second temporary key SK2 to carry out SM2 elliptic curve public key encryption protection on the second session random number Nonce2 calculated by the responder gateway to obtain a second session encryption message H2. In the conventional national secret IPSec VPN protocol, the responder gateway also uses the second temporary key SK2 to perform SM2 elliptic curve public key encryption protection on the second identification information ID2 of the initiator. XCH2 in message 4 is obtained by concatenating the second exclusive-or key Y2 protected by SM2 elliptic curve public key encryption, namely Sk2⊕K2, the fourth encrypted message m2, the second session encrypted message H2, and the second identification information ID2 protected by SM4 symmetric encryption. XCH2 is shown below:
XCH2 = Asymmetric_Encrypt(Sk2⊕K2, pub_1) | PQC_Encaps(m2, pqc_pub_1) | Symmetric_Encrypt(Nonce2, Sk2) | Symmetric_Encrypt(ID2, Sk2)
Meanwhile, the responder gateway performs splicing processing on the second temporary key SK2, the second session random number Nonce2 calculated by the responder gateway, the second identification information ID2 of the responder gateway and the encryption certificate CERT_enc_2 to obtain a second temporary splice, and digitally signs the second temporary splice using the SM2 elliptic curve algorithm. The responder gateway splices the second quantum key QK_UUID2, the second session random number Nonce2 calculated by the responder gateway and the second identification information ID2 of the responder gateway to obtain a second verification message, and then uses the post-quantum cryptographic signature algorithm to apply PQC signature protection to the second verification message, taken as the signed data M in the PQC signature algorithm, to obtain a second signature message M2. SIG2 is obtained by splicing the second temporary splice, protected by a digital signature using the SM2 elliptic curve algorithm, with the second signature message. SIG2 is shown below:
SIG2 = Asymmetric_Sign(Sk2 | Nonce2 | ID2 | CERT_enc_2, priv_2) | PQC_Sign(UUID_QK | Nonce2 | ID2, pqc_priv_2)
Finally, the responder gateway sends the message 4 to the initiator gateway.
In this way, the responder gateway sends the second session random number Nonce2 that it calculated itself to the initiator gateway, so that the initiator gateway obtains the second session random number Nonce2 for the subsequent process. The responder gateway increases the confidentiality of the quantum key identifier by concatenating the quantum key identifier UUID_QK with the randomly generated second random number r2, and processes the quantum key identifier UUID_QK and its derivatives using a post-quantum cryptographic algorithm, combining the quantum key distribution technique with the post-quantum cryptographic technique to increase the complexity of the quantum key identifier.
Referring to fig. 15, in some embodiments, the method further comprises:
038: performing key negotiation with the first network device to exchange an identification random number;
step 034 (deriving a security association identifier from the second quantum key, the first decryption result and the second encryption result to secure communications between the first network device and the second network device) comprises:
0341: and obtaining a security association identifier according to the identification random number, the second quantum key, the first decryption result and the second encryption result so as to protect communication between the first network device and the second network device, wherein the identification random number comprises a first identification random number and a second identification random number.
In some embodiments, the negotiation module is configured to perform a key negotiation with the first network device to exchange the identification random number. The deriving module is further configured to obtain a security association identifier according to the identification random number, the second quantum key, the first decryption result, and the second encryption result, so as to protect communication between the first network device and the second network device, where the identification random number includes a first identification random number and a second identification random number.
In some embodiments, the processor is further configured to perform key agreement with the first network device to exchange an identification random number, and obtain a security association identifier according to the identification random number, the second quantum key, the first decryption result, and the second encryption result to secure communications between the first network device and the second network device, the identification random number including the first identification random number and the second identification random number.
Specifically, the first network device performs key agreement with the second network device to exchange the identification random number. And obtaining a security association identifier according to the identification random number, the first quantum key, the first encryption result and the second decryption result so as to protect communication between the first network device and the second network device, wherein the identification random number comprises a first identification random number and a second identification random number. This increases the confidentiality of the security association identifier by adding the identification random number, and thus the communication between the first network device and the second network device can be well protected.
Continuing the above example, referring again to fig. 3, the initiator gateway performs key agreement with the responder gateway: the initiator gateway sends a message 1 to the responder gateway, and the responder gateway sends a message 2 to the initiator gateway. The message 1 includes HDR and the ISAKMP Security Association (SA), and the message 2 includes HDR, SA, an encryption certificate cert_sig_2, and a signature certificate cert_enc_2. If the responder gateway has a PQC security certificate, the responder gateway also needs to transmit the PQC encryption certificate cert_pqc_sig_2 and the PQC signature certificate cert_pqc_enc_2. In this process, the initiator gateway and the responder gateway also exchange an identification random number Cookie. The responder gateway obtains a security association identifier SKEYID according to the identification random number Cookie, the second quantum key QK_UUID2, the message 3 and the message 4, where the identification random number Cookie comprises a first identification random number Cookie1 of the initiator gateway and a second identification random number Cookie2 of the responder gateway. Thus, adding the identification random number Cookie increases the confidentiality of the security association identifier SKEYID, and communication between the initiator gateway and the responder gateway can be well protected.
Referring to fig. 16, in some embodiments, the first decrypted message includes a first encrypted message, a first exclusive or key, and a first session encrypted message, step 034 (deriving a security association identifier from the second quantum key, the first decryption result, and the second encryption result to secure communications between the first network device and the second network device), comprises:
0342: obtaining a first session key according to the first encrypted message;
0343: obtaining a first temporary key according to the first session key and the first exclusive-or key;
0344: decrypting the first session encryption message according to the first temporary key to obtain a first session random number;
0345: splicing according to the first session random number, the second session random number and the first quantum key to obtain a session splice;
0346: splicing the first identification random number and the second identification random number to obtain an identification spliced body;
0347: and obtaining a security association identifier according to the session splice and the identification splice so as to protect communication between the first network device and the second network device.
In some embodiments, the deriving module is further configured to obtain the first session key from the first encrypted message, and obtain the first temporary key from the first session key and the first exclusive-or key. The decryption module is used for decrypting the first session encryption message according to the first temporary key to obtain the first session random number. And the splicing module is used for carrying out splicing processing according to the first session random number, the second session random number and the first quantum key to obtain a session splice body. The splicing module is also used for splicing the first identification random number and the second identification random number to obtain an identification splice body. The deriving module is further configured to obtain a security association identifier from the session splice and the identification splice to protect communications between the first network device and the second network device.
In some embodiments, the processor is further configured to obtain a first session key from the first encrypted message, obtain a first temporary key from the first session key and the first exclusive-or key, and decrypt the first session encrypted message according to the first temporary key to obtain the first session random number. The processor is further configured to perform a concatenation process according to the first session random number, the second session random number, and the first quantum key to obtain a session concatenation body, and splice the first identifier random number and the second identifier random number to obtain an identifier concatenation body, and obtain a security association identifier according to the session concatenation body and the identifier concatenation body, so as to protect communications between the first network device and the second network device.
Specifically, the second network device calculates a first session key according to the first encrypted message, and then obtains a first temporary key according to the first session key and the first exclusive-or key. The second network device then decrypts the first session encrypted message based on the first temporary key to obtain the first session random number. And then, the second network equipment splices the first session random number, the second session random number and the first quantum key to obtain a session splice body. And the second network equipment splices the first identification random number and the second identification random number to obtain an identification splice body. Finally, the second network device obtains a security association identifier according to the session splice and the identification splice to protect communication between the first network device and the second network device. In this way, the security of the communication data between the first network device and the second network device is enhanced by processing the second quantum key with other random numbers generated randomly and deriving a security association identifier with quantum computation attack resistance for protecting the communication between the first network device and the second network device.
Continuing the above example, the responder gateway performs SM2 digital envelope decapsulation on the received message 3 to obtain a first exclusive-or key Y1, and decapsulates the first encrypted message m1 according to the PQC key. The responder gateway obtains a first session key K1 according to the first encrypted message m1, and then carries out exclusive-OR processing according to the first session key K1 and the first exclusive-OR key Y1 to obtain a first temporary key SK1. The responder gateway then decrypts the first session encrypted message H1 according to the first temporary key SK1 to obtain a first session random number Nonce1.
Subsequently, the responder gateway removes the ISAKMP generic header from the first session random number Nonce1 to obtain N1_b, and removes the ISAKMP generic header from the second session random number Nonce2 to obtain N2_b. The responder gateway splices N1_b, N2_b and the first quantum key QK_UUID1 to obtain a session splice N1_b|N2_b|QK_UUID. Then, the responder gateway splices the first identification random number Cookie1 and the second identification random number Cookie2 to obtain an identification splice Cookie1|Cookie2. Finally, the responder gateway feeds the session splice N1_b|N2_b|QK_UUID and the identification splice Cookie1|Cookie2 into a pseudo-random function (PRF), using a HASH function, and takes the output as the security association identifier SKEYID. From the security association identifier SKEYID, the responder gateway then derives the derivation key SKEYID_d, the verification key SKEYID_a and the encryption key SKEYID_e according to the national secret IPSec VPN protocol.
Finally, the responder gateway performs subsequent exchange of the first-stage message 5 and the message 6 and two-stage key exchange according to the national secret IPSec VPN protocol based on the obtained derivative key SKEYID_d, the verification key SKEYID_a and the encryption key SKEYID_e, and obtains a final session key.
In this way, the responder gateway processes the first quantum key QK_UUID1 and other random numbers generated randomly and derives a security association identifier SKEYID with quantum computation attack resistance, and then generates keys with different functions by using the security association identifier SKEYID so as to protect subsequent communication between the initiator gateway and the responder gateway, thereby enhancing the security of communication data between the responder gateway and the initiator gateway.
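The temporary-key masking of steps 0331 to 0333, its reversal in steps 0342 to 0343, and the SKEYID derivation of steps 0345 to 0347 can be traced in code. This is an added example, not code from the patent. It assumes SHA3-256 for the G function, HMAC-SHA-256 for the PRF and HASH pair, and the reading SKEYID = PRF(HASH(N1_b|N2_b|QK), Cookie1|Cookie2); the SM2 envelope, PQC decapsulation and SM4 decryption are treated as already done, and all sample values are constructed.

```python
import hashlib
import hmac
import secrets
import struct

# Assumed stand-ins: SHA3-256 for the PQC scheme's G function and
# HMAC-SHA-256 / SHA-256 for the PRF and HASH; the page names neither.
def g_function(m: bytes) -> bytes:
    return hashlib.sha3_256(m).digest()

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def mask_temp_key(uuid_qk: bytes, r: bytes, sk: bytes):
    """Sender side: m = UUID_QK | r, K = G(m), Y = SK xor K."""
    m = uuid_qk + r
    return m, xor_bytes(sk, g_function(m))

def unmask_temp_key(m: bytes, y: bytes) -> bytes:
    """Receiver side, after decapsulating m: K = G(m), SK = Y xor K."""
    return xor_bytes(y, g_function(m))

def nonce_payload(nonce: bytes) -> bytes:
    # ISAKMP generic payload header: next payload, reserved, 16-bit total length.
    return struct.pack("!BBH", 0, 0, 4 + len(nonce)) + nonce

def payload_body(payload: bytes) -> bytes:
    """Strip the 4-byte generic header (giving N_b), checking the length field."""
    if len(payload) < 4:
        raise ValueError("payload shorter than the generic header")
    _next, _reserved, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("payload length field does not match the data")
    return payload[4:]

def derive_skeyid(nonce1_payload, nonce2_payload, qk, cookie1, cookie2) -> bytes:
    # Session splice N1_b | N2_b | QK and identification splice Cookie1 | Cookie2.
    session_splice = payload_body(nonce1_payload) + payload_body(nonce2_payload) + qk
    id_splice = cookie1 + cookie2
    prf_key = hashlib.sha256(session_splice).digest()
    return hmac.new(prf_key, id_splice, hashlib.sha256).digest()

def run_exchange(qk_initiator: bytes, qk_responder: bytes) -> dict:
    """Constructed run: one masked temporary key, then SKEYID on both gateways."""
    uuid_qk = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    cookie1, cookie2 = secrets.token_bytes(8), secrets.token_bytes(8)
    n1 = nonce_payload(secrets.token_bytes(16))
    n2 = nonce_payload(secrets.token_bytes(16))
    sk1 = secrets.token_bytes(32)
    m1, y1 = mask_temp_key(uuid_qk, secrets.token_bytes(16), sk1)
    return {
        "sk_recovered": unmask_temp_key(m1, y1) == sk1,
        "skeyid_initiator": derive_skeyid(n1, n2, qk_initiator, cookie1, cookie2),
        "skeyid_responder": derive_skeyid(n1, n2, qk_responder, cookie1, cookie2),
    }

if __name__ == "__main__":
    qk = secrets.token_bytes(32)
    matched = run_exchange(qk, qk)
    mismatched = run_exchange(qk, secrets.token_bytes(32))
    print(matched["skeyid_initiator"] == matched["skeyid_responder"])
    print(mismatched["skeyid_initiator"] == mismatched["skeyid_responder"])
```

With identical nonces and cookies on both sides, the two SKEYID values agree only when both gateways hold the same quantum key, which is why the responder must fetch QK_UUID2 by the authenticated identifier before deriving.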
The present application also provides a computer-readable storage medium containing a computer program. The computer programs, when executed by one or more processors, cause the one or more processors to perform the voice interaction method of the present application.
It is understood that the computer program comprises computer program code. The computer program code may be in the form of source code, object code, executable files, or in some intermediate form, among others. The computer-readable storage medium may include: any entity or device capable of carrying computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), a software distribution medium, and so forth.
In the description of the present specification, reference to the terms "specifically," "further," "particularly," "understandably," and the like means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In the present specification, schematic representations of the above terms are not intended to refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification, and the features of the different embodiments or examples, may be combined by those skilled in the art without contradiction.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and further implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.
While embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the application, and that variations, modifications, and alternatives may be made to the above embodiments by one of ordinary skill in the art within the scope of the application.
Claims (14)
1. A method of quantum security enhancement for a national cryptographic IPSec VPN protocol of a communication network, the communication network comprising a first network device and a second network device, the method for the first network device, the method comprising:
acquiring a first quantum key from a first network node accessing the first network device;
performing post-quantum cryptography encryption processing on the first quantum key, and transmitting a first encryption result subjected to the post-quantum cryptography encryption processing to the second network device;
decrypting the received second encryption result sent by the second network device to obtain a second decryption result, wherein the second encryption result is obtained by the second network device according to the first encryption result;
and obtaining a security association identifier SKEYID according to the first quantum key, the first encryption result and the second decryption result so as to protect communication between the first network device and the second network device.
2. The method according to claim 1, wherein the method further comprises:
accessing the first network node through a pre-established channel;
loading the security certificate of the first network device or the security certificate of the second network device.
3. The method of claim 1, wherein the obtaining the first quantum key from the first network node accessing the first network device comprises:
sending a quantum key application to the first network node accessed to the first network device;
and receiving a first quantum key and a quantum key identifier which are distributed by the first network node according to the quantum key application, wherein the quantum key identifier is obtained by marking the first quantum key by the first network node by utilizing an identification code of the first network device.
4. A method according to claim 3, wherein said post-quantum cryptographic encryption of said first quantum key and transmitting a first encrypted result of said post-quantum cryptographic encryption to said second network device comprises:
splicing the quantum key identifier and the randomly generated first random number to obtain a first encrypted message;
performing post quantum cryptography derivation processing on the first encrypted message to obtain a first session key;
performing exclusive-or processing on the randomly generated first temporary key and the first session key to obtain a first exclusive-or key, and transmitting the first exclusive-or key to the second network device after it is encrypted;
performing post quantum cryptography encryption processing on the first encrypted message to obtain a second encrypted message in the first encryption result;
encrypting the first session random number according to the first temporary key to obtain a first session encryption message in the first encryption result;
obtaining a first verification message according to the quantum key identifier, the first session random number and first identification information;
performing post quantum cryptography signature processing on the first verification message to obtain a first signature message in the first encryption result;
and sending the first encryption result to the second network device.
5. The method of claim 4, wherein decrypting the received second encrypted result sent by the second network device to obtain a second decrypted result, the second encrypted result obtained by the second network device based on the first encrypted result, comprises:
receiving the second encryption result sent by the second network device, wherein the second encryption result is obtained by encrypting a first decryption result by the second network device, and the first decryption result is obtained by decrypting the first encryption result by the second network device;
and carrying out post quantum cryptography decryption processing on the second encryption result to obtain a second decryption result, wherein the second decryption result comprises a third encryption message, a quantum key identifier, a second exclusive-or key, a second session encryption message and a second signature message.
6. The method of claim 5, wherein the method further comprises:
obtaining a second verification message according to the second signature message, wherein the second verification message is obtained from the quantum key identifier, a second session random number and second identification information;
and performing post quantum verification processing on the second signature message to confirm the correctness of the second verification message.
7. The method of claim 5, wherein the method further comprises:
obtaining a second session key according to the third encrypted message;
obtaining a second temporary key according to the second session key and the second exclusive-or key;
and decrypting the second session encryption message according to the second temporary key to obtain a second session random number.
8. The method of claim 7, wherein the method further comprises:
performing key negotiation with the second network device to exchange an identification random number;
the obtaining the security association identifier SKEYID according to the first quantum key, the first encryption result and the second decryption result to protect communication between the first network device and the second network device includes:
and obtaining a security association identifier SKEYID according to the identification random number, the first quantum key, the first encryption result and the second decryption result so as to protect communication between the first network device and the second network device, wherein the identification random number comprises a first identification random number and a second identification random number.
9. The method of claim 8, wherein the deriving a security association identifier SKEYID from the first quantum key, the first encryption result, and the second decryption result to secure communications between the first network device and the second network device comprises:
performing splicing processing according to the first session random number, the second session random number and the first quantum key to obtain a session splice;
splicing the first identification random number and the second identification random number to obtain an identification splice body;
and obtaining a security association identifier SKEYID according to the session splice body and the identification splice body so as to protect communication between the first network device and the second network device.
10. A method of quantum security enhancement for a national cryptographic IPSec VPN protocol of a communication network, the communication network comprising a first network device and a second network device, the method for the second network device, the method comprising:
receiving a first encryption result obtained by the first network device through post quantum cryptography encryption processing of a first quantum key, wherein the first quantum key is obtained by the first network device from an accessed first network node;
decrypting the first encryption result to obtain a first decryption result;
performing post quantum cryptography encryption processing on the first decryption result, and transmitting a second encryption result subjected to the post quantum cryptography encryption processing to the first network device;
and obtaining a security association identifier SKEYID according to the second quantum key, the first decryption result and the second encryption result so as to protect communication between the first network device and the second network device.
11. The method of claim 10, wherein the first decryption result comprises a first signed message, the method further comprising:
obtaining a first verification message according to the first signature message, wherein the first verification message is obtained by a quantum key identifier, a first session random number and first identification information;
performing post quantum verification processing on the first signature message to confirm correctness of the first verification message and the quantum key identifier;
and acquiring the second quantum key from a second network node which is accessed to the second network device under the condition that the quantum key identifier is acquired correctly.
12. The method of claim 10, wherein the first decryption result includes a quantum key identifier, and wherein post-quantum cryptographic encryption of the first decryption result includes:
splicing the quantum key identifier and the randomly generated second random number to obtain a third encrypted message;
performing post quantum cryptography derivation processing on the third encrypted message to obtain a second session key;
performing exclusive-or processing on the randomly generated second temporary key and the second session key to obtain a second exclusive-or key, and transmitting the encrypted second exclusive-or key to the first network device;
performing post quantum cryptography encryption processing on the third encrypted message to obtain a fourth encrypted message in the second encryption result;
encrypting the second session random number according to the second temporary key to obtain a third session encryption message in the second encryption result;
obtaining a second verification message according to the quantum key identifier, the second session random number and second identification information;
performing post quantum cryptography signature processing on the second verification message to obtain a second signature message in the second encryption result;
and sending the second encryption result to the first network device.
13. The method according to claim 10, wherein the method further comprises:
performing key negotiation with the first network device to exchange an identification random number;
the obtaining a security association identifier SKEYID according to the second quantum key, the first decryption result and the second encryption result to protect communication between the first network device and the second network device includes:
and obtaining a security association identifier SKEYID according to the identification random number, the second quantum key, the first decryption result and the second encryption result so as to protect communication between the first network device and the second network device, wherein the identification random number comprises a first identification random number and a second identification random number.
14. The method of claim 13, wherein the first decryption result comprises a first encrypted message, a first exclusive-or key, and a first session encrypted message, wherein the deriving the security association identifier SKEYID from the second quantum key, the first decryption result, and the second encryption result to secure communications between the first network device and the second network device comprises:
obtaining a first session key according to the first encrypted message;
obtaining a first temporary key according to the first session key and the first exclusive-or key;
decrypting the first session encryption message according to the first temporary key to obtain a first session random number;
performing splicing processing according to the first session random number, the second session random number and the first quantum key to obtain a session splice;
splicing the first identification random number and the second identification random number to obtain an identification splice body;
and obtaining a security association identifier SKEYID according to the session splice body and the identification splice body so as to protect communication between the first network device and the second network device.
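The key unwrap and SKEYID derivation in claims 4, 9 and 14 can be traced in code. The sketch below is an added illustration, not code from the patent: SHA-256, the HMAC-SHA-256 keystream and the hash-based `pq_derive` are stand-ins for the suite's hash, cipher and post-quantum derivation step, and the SKEYID formula (HMAC keyed by the hashed session splice) and the 16-byte identifier length are assumptions. The post-quantum encryption and signature layers are omitted.

```python
import hashlib
import hmac
import secrets

KEY_ID_LEN = 16  # assumed fixed length of the quantum key identifier

def pq_derive(message: bytes) -> bytes:
    """Stand-in (assumption) for the post-quantum derivation of a session key."""
    return hashlib.sha256(b"pq-derive|" + message).digest()

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def stream_crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption): HMAC-SHA-256 counter keystream."""
    blocks = range((len(data) + 31) // 32)
    stream = b"".join(
        hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in blocks)
    return xor_bytes(data, stream[:len(data)])

def initiator_package(key_id: bytes, temp_key: bytes, session_nonce: bytes) -> dict:
    """Claim 4 fields; the patent additionally PQC-encrypts and signs them."""
    first_msg = key_id + secrets.token_bytes(16)  # identifier || first random number
    session_key = pq_derive(first_msg)
    return {
        "first_msg": first_msg,
        "xor_key": xor_bytes(temp_key, session_key),
        "enc_nonce": stream_crypt(temp_key, session_nonce),
    }

def responder_open(pkg: dict) -> bytes:
    """Claim 14: session key -> temporary key -> first session random number."""
    session_key = pq_derive(pkg["first_msg"])
    temp_key = xor_bytes(session_key, pkg["xor_key"])
    return stream_crypt(temp_key, pkg["enc_nonce"])

def derive_skeyid(nonce_i, nonce_r, quantum_key, id_rand_i, id_rand_r) -> bytes:
    """Claims 9/14: session splice and identification splice -> SKEYID."""
    session_splice = nonce_i + nonce_r + quantum_key
    id_splice = id_rand_i + id_rand_r
    prf_key = hashlib.sha256(session_splice).digest()
    return hmac.new(prf_key, id_splice, hashlib.sha256).digest()

def run_exchange(initiator_qk: bytes, responder_store: dict, key_id: bytes):
    """Return (initiator SKEYID, responder SKEYID) for one constructed run."""
    nonce_i, nonce_r = secrets.token_bytes(32), secrets.token_bytes(32)
    id_i, id_r = secrets.token_bytes(16), secrets.token_bytes(16)
    pkg = initiator_package(key_id, secrets.token_bytes(32), nonce_i)
    # Only the identifier crosses the wire; the responder fetches the key
    # material from its own key-distribution node (modelled as a dict).
    responder_qk = responder_store[pkg["first_msg"][:KEY_ID_LEN]]
    # The responder-to-initiator direction is symmetric and is skipped here,
    # so nonce_r is used directly on both sides.
    skeyid_i = derive_skeyid(nonce_i, nonce_r, initiator_qk, id_i, id_r)
    skeyid_r = derive_skeyid(responder_open(pkg), nonce_r, responder_qk, id_i, id_r)
    return skeyid_i, skeyid_r

if __name__ == "__main__":
    kid, qk = b"constructed-id-1", secrets.token_bytes(32)  # constructed sample values
    a, b = run_exchange(qk, {kid: qk}, kid)
    print("SKEYIDs match:", hmac.compare_digest(a, b))
```

If the two key-distribution nodes return different material for the same identifier, the two SKEYID values diverge, so keys derived from them will not interoperate.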
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411007783.6A CN118540165B (en) | 2024-07-25 | 2024-07-25 | Anti-quantum security enhancement method for national secret IPSec VPN protocol |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN118540165A (en) | 2024-08-23 |
| CN118540165B (en) | 2024-11-15 |
Family
ID=92390338
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411007783.6A Active CN118540165B (en) | 2024-07-25 | 2024-07-25 | Anti-quantum security enhancement method for national secret IPSec VPN protocol |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118540165B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118694528B (en) * | 2024-08-28 | 2024-12-20 | 中电信量子信息科技集团有限公司 | Anti-quantum security enhancement method for on-line certificate issuing and key pair distribution |
| CN119652525B (en) * | 2025-02-19 | 2025-05-02 | 杭州海康威视数字技术股份有限公司 | IPSec hybrid anti-quantum computing security method and electronic equipment |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108923917A (en) * | 2018-06-28 | 2018-11-30 | 浙江九州量子信息技术股份有限公司 | A kind of Virtual Private Network encryption method based on quantum communications |
| CN111740893A (en) * | 2020-06-30 | 2020-10-02 | 成都卫士通信息产业股份有限公司 | Method, device, system, medium and equipment for realizing software-defined VPN |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| MY147120A (en) * | 2008-09-10 | 2012-10-31 | Mimos Berhad | Method of integrating quantum key distribution with internet key exchange protocol |
| CN116886303B (en) * | 2023-09-05 | 2023-12-22 | 中量科(南京)科技有限公司 | Encryption method, device and storage medium for generating session key based on quantum key |
| CN117857026B (en) * | 2023-12-18 | 2025-09-02 | 中电信量子科技有限公司 | Encrypted communication method integrating quantum key and national secret CPE access device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN118540165A (en) | 2024-08-23 |
Similar Documents
| Publication | Title | Publication Date |
|---|---|---|
| US12010216B2 (en) | Computer-implemented system and method for highly secure, high speed encryption and transmission of data | |
| US8670563B2 (en) | System and method for designing secure client-server communication protocols based on certificateless public key infrastructure | |
| CN118540165B (en) | Anti-quantum security enhancement method for national secret IPSec VPN protocol | |
| US20210152370A1 (en) | Digital signature method, device, and system | |
| JP2011501585A (en) | Method, system and apparatus for key distribution | |
| CN118540163B (en) | Anti-quantum security enhancement method for national secret SSL VPN protocol | |
| CN118540164B (en) | Quantum security enhancement method for Internet key exchange protocol | |
| US11818268B2 (en) | Hub-based token generation and endpoint selection for secure channel establishment | |
| CN118659922B (en) | Quantum security enhancement method for open authorization protocol | |
| CN115484038A (en) | A data processing method and device thereof | |
| CN114726546A (en) | Digital identity authentication method, device, equipment and storage medium | |
| CN117914483A (en) | Secure communication method, apparatus, device and medium | |
| CN118659881B (en) | Quantum-resistant security enhancement method for secure shell protocol | |
| CN118694528B (en) | Anti-quantum security enhancement method for on-line certificate issuing and key pair distribution | |
| CN118555133B (en) | Quantum-resistant security enhancement method of transport layer security protocol | |
| CN114584975B (en) | An SDN-based anti-quantum satellite network access authentication method | |
| CN118713833B (en) | Quantum security enhancement method for open identity connection protocol | |
| CN118214558B (en) | Data circulation processing method, system, device and storage medium | |
| CN117914531A (en) | Data interaction method based on ECC, client device and server | |
| CN116208327A (en) | End-to-end communication method and system based on national secret encryption and PGP trust network | |
| CN117997522A (en) | Quantum session key-based data interaction method, electronic equipment and medium | |
| CN118694529B (en) | Quantum-resistant security enhancement method for secure channel protocol of password equipment | |
| CN118659923B (en) | A quantum-resistant security enhancement method for the Simple Authentication and Security Layer protocol | |
| CN117749413B (en) | Secure communication method and secure communication system based on TLCP (transport layer control protocol) business-to-business protocol | |
| CN118631457B (en) | Quantum-resistant security enhancement method of security assertion marking protocol |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |