Nothing Special   »   [go: up one dir, main page]

CN108737079B - Distributed quantum key management system and method - Google Patents

Distributed quantum key management system and method Download PDF

Info

Publication number
CN108737079B
CN108737079B CN201710244821.3A CN201710244821A CN108737079B CN 108737079 B CN108737079 B CN 108737079B CN 201710244821 A CN201710244821 A CN 201710244821A CN 108737079 B CN108737079 B CN 108737079B
Authority
CN
China
Prior art keywords
quantum key
key
quantum
module
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710244821.3A
Other languages
Chinese (zh)
Other versions
CN108737079A (en
Inventor
陈庆
翟广华
游耀祥
冯同鑫
彭上丰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Quantumctek Guangdong Co ltd
Quantumctek Co Ltd
Original Assignee
Quantumctek Guangdong Co ltd
Quantumctek Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Quantumctek Guangdong Co ltd, Quantumctek Co Ltd filed Critical Quantumctek Guangdong Co ltd
Priority to CN201710244821.3A priority Critical patent/CN108737079B/en
Publication of CN108737079A publication Critical patent/CN108737079A/en
Application granted granted Critical
Publication of CN108737079B publication Critical patent/CN108737079B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a distributed quantum key management system and a method, wherein a quantum key storage and transmission encryption technology and a distributed bottom layer storage technology are organically combined to improve the security level and the use efficiency in quantum key management.

Description

Distributed quantum key management system and method
Technical Field
The invention relates to the technical field of quantum communication, in particular to a management system and a management method of a quantum key.
Background
With the progress of internet data technology and the development of business models, at present, the information technology and the network technology are utilized to help users to improve business processes and real-time business responses. Meanwhile, the networking of service information also brings security threat, once business data of the service itself, sensitive data of enterprise customers and the like are leaked, loss which is difficult to estimate is brought, and communication or stored information is tampered, so that serious consequences are brought. Therefore, the service information is networked, and the safety problem is very important.
At present, distributed computing and quantum computer theory are mature day by day, the security of a key distribution system based on a public key encryption algorithm is challenged, and a quantum communication technology guarantees unconditional security of information physically, and can avoid attack of a system with infinite computing capacity on network communication. Quantum communication networks implement Quantum Key Distribution (QKD) and use the generated quantum keys for encrypting classical traffic data. The quantum channel of the quantum communication network has the characteristics that eavesdropping is inevitably discovered and encrypted contents cannot be deciphered, so that the unconditional safety of the quantum communication network is ensured.
From the perspective of an encryption algorithm, most cryptosystems are breakable in a ciphertext-only attack, while a one-time pad algorithm can realize the so-called 'unconditional security' of network communication, but the key consumption of the one-time pad is extremely large, so that the access and use efficiency of related keys is particularly critical.
At present, many different schemes are proposed in the aspect of quantum key management, and the access process, the management mode, the terminal access security and the like of the quantum key are explained. For example, chinese patent application nos. 201610843210.6 and 201610842874.0 relate to a method for managing and configuring quantum keys, and a technical means for ensuring communication security between a user terminal and a quantum service center is discussed in order to solve the security problem of a quantum communication network in a user terminal access link.
However, the prior art including the above documents adopts a user interactive data processing system, which has a large requirement on storage space, and the user identification by using a traditional login method combining a user name and a password has a risk of easily usurping a right to modify information, and the query efficiency is significantly reduced when the data amount exceeds a certain level, which is obviously disadvantageous for quantum communication systems with a large demand on quantum keys. These disadvantages often result in the inability of existing quantum key management systems to provide quantum keys in sufficient quantities to accommodate large volume communication operations, resulting in unstable communication operations. In addition, the above documents focus on the security problem of the access link of the user terminal, and the applicant has noticed that, in the quantum key management process, the access and transmission process of the quantum key and the related data in the key management system is also a vulnerable link which is easy to be invaded, and it is bound to become a security risk in the quantum communication network.
Therefore, in the existing quantum key management scheme, there is a urgent need for improvement in terms of security of key management and effective management of massive key data.
Disclosure of Invention
Based on the above unique recognition of the defects of the prior art, the applicant designs a security means for performing encryption management control on the quantum key in the process of storing and transmitting the quantum key in the key management system and the key management method of the invention, and proposes a scheme for applying the relational index and the distributed bottom layer storage technology to the key storage, thereby effectively improving the security level and the use efficiency of the quantum key in the quantum key management system and the quantum key management method by organically combining the two.
In one aspect of the invention, a distributed quantum key management system is disclosed that may include a service layer module and a data layer module. The service layer module may be configured to receive the quantum key and perform one or more of a binning, a reading, and a destruction of the quantum key. The data layer module may be arranged to store the quantum key and the quantum key related data.
In the invention, an encryption/decryption module may be disposed in the service layer module, and is configured to encrypt the quantum key and the data related to the quantum key after the quantum key enters the service layer module. Therefore, the storage and transmission processes of the quantum key and the related data in the management system are always in an encrypted state, and the safety of the quantum key is improved.
In the invention, the data layer module can be realized by adopting a distributed bottom storage mode. In particular, the data layer module may include a distributed database unit and a distributed file system unit. Wherein the distributed file system unit may be configured to store the quantum key; the distributed database unit may be configured to store the quantum key related data, where the quantum key and the quantum key related data are in a form of ciphertext. The quantum key related data may include a key account and a key index for locating the quantum key. By pertinently and respectively adopting different storage schemes to store specific quantum keys and key related data such as key accounts and key indexes, the inquiry efficiency of the management system can be improved, and meanwhile, the possibility of efficiently accessing massive quantum keys is provided.
In the present invention, the encryption/decryption module may be further configured to encrypt the original key index of the user in the reading and/or destroying operation of the quantum key.
In the present invention, the encryption/decryption module may be further configured to decrypt the query result returned by the data layer module in the reading and/or destroying operation of the quantum key.
In the present invention, the service layer module may be further configured to perform secondary encryption on the quantum key output to the outside in the reading operation of the quantum key.
In the present invention, the service layer module may further include a key storage module, a key reading module, and a key destruction module. Wherein the key binning module is configured to perform binning of the quantum key, and may be configured to receive the quantum key from a quantum key management terminal and load the encrypted quantum key and the quantum key related data to the data layer module. The key reading module is used for executing reading operation of the quantum key, and can be configured to inquire the quantum key from the data layer module and output the inquired quantum key outwards. The key destruction module is used for executing destruction operation of the quantum key, and can be configured to inquire the quantum key from the data layer module and destroy the inquired quantum key from the data layer module.
In the present invention, the service layer module may further include a data access interface configured to receive a service request from one of the key storage module, the key reading module, and the key destruction module according to a service type, and send the service request to one of the key management terminal and the data layer module according to the service type after the user end device ID and the key account pass the identity authentication.
In another aspect of the present invention, a quantum key management method is disclosed, which may perform one or more of quantum key storage operation, quantum key reading operation, and quantum key destruction operation according to a service request.
The quantum key warehousing operation may include a step of receiving a quantum key, a step of encrypting the quantum key and data related to the quantum key, and a step of storing the encrypted quantum key and data related to the quantum key in a distributed underlying storage manner.
Further, the encrypted quantum key may be stored using a distributed file system; the storage of the encrypted quantum key related data may employ a distributed database.
Still further, the quantum key related data may include a key account and a key index. Wherein the key index may be used to locate the quantum key stored in the distributed file system.
Further, a step of authenticating validity of the key account may be further included between the step of encrypting and the step of storing.
In the present invention, the quantum key reading operation may include a step of querying the quantum key stored in the distributed file system according to an original key index of a user, and a step of outputting the quantum key outwards according to a query result.
In the present invention, the quantum key destruction operation may include a step of querying the quantum key stored in the distributed file system according to an original key index of a user, and a step of destroying the quantum key according to a query result.
Further, the querying step in the quantum key reading operation and/or the quantum key destruction operation may further include a step of encrypting the original key index of the user.
Further, the step of outputting the quantum key outwards in the quantum key reading operation may further include the step of decrypting the query result.
Further, the step of outputting the quantum key outwards in the quantum key reading operation may further include a step of performing secondary encryption on the output quantum key.
The quantum key management method according to the present invention may further include a step of authenticating whether the user end device ID corresponds to the key account one to one when receiving the service request.
Drawings
Fig. 1 schematically shows a framework diagram of a quantum key management system according to the present invention;
FIG. 2 schematically illustrates a key warehousing process in the key management method of the present invention;
FIG. 3 schematically illustrates a key reading process in the key management method of the present invention; and
fig. 4 schematically illustrates a key destruction process in the key management method of the present invention.
Detailed Description
Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. The following examples are provided by way of illustration in order to fully convey the spirit of the invention to those skilled in the art to which the invention pertains. Accordingly, the present invention is not limited to the embodiments disclosed herein.
Fig. 1 shows a quantum key management system according to the present invention, which mainly includes a service layer module and a data layer module, and can perform data exchange with an external user through a client.
The data layer module of the present invention is used to store quantum keys and related data. In the invention, aiming at the characteristics of quantum key use, namely high key reading frequency and large key quantity, a data layer module is innovatively realized by adopting a distributed bottom storage mode, and the data layer module specifically comprises a distributed database unit and a distributed file system unit which are used for storing quantum key data with different attributes.
In particular, the distributed file system unit is based on a distributed file system, which is used in the present invention to store specific quantum keys. In a distributed file system, data may not exist in the same physical disk, but may be distributed in units of blocks and stored in a storage server cluster composed of a plurality of physical disks, and managed by an upper operating system, such a storage architecture will significantly reduce the requirement for a single server storage space, can provide very strong system expansion capability and fault-tolerant capability, is very suitable for TB and even PB-level large data volume storage, and makes the storage of mass quantum keys possible. In addition, in such a distributed file system, once a file is created, written and closed, data cannot be modified normally, and only read operation and delete operation are performed, which is very suitable for the requirement that a quantum key needs to be generated by one-time import and read for multiple times in a quantum communication network. Moreover, such data access requirements simplify the data consistency problem, so that the application program can be allowed to perform data access in a streaming form, rather than user-interactive data access, so that high-throughput data access is possible, the reading efficiency of the quantum key can be effectively improved, and the method is particularly advantageous for improving the quantum communication capacity.
The distributed database unit is based on a distributed database structure, and is used for storing key-related data such as key accounts and key indexes in the invention, so that efficient access to the key-related data can be provided, and the query efficiency of related quantum keys is improved. Wherein the key index is arranged to locate the quantum key.
Alternatively, the distributed file system employed by the present invention may include, but is not limited to, HDFS (Hadoop distributed file system) and BC-oNest (distributed object storage product).
The service layer module is used for warehousing, reading and destroying the quantum key and encrypting/decrypting the quantum key in the related storage and transmission processes, and mainly comprises a key warehousing module, a key reading module, a key destroying module and an encrypting/decrypting module.
The encryption/decryption module can be used for carrying out encryption/decryption operation on the acquired quantum key and key related data such as the key account, the key index and the like so as to ensure that the quantum key data is in a ciphertext form in the quantum key related storage and transmission process, thereby improving the security of the key management system. In the present invention, the encryption/decryption module may preferably be in the form of a cryptographic card.
The key storage module is configured to obtain a quantum key from a key management terminal KMT (which may be a quantum key distribution system integrated with a key management function), and load the encrypted quantum key into the data layer module, which may include a key parsing unit and a key writing unit. The key parsing unit may be configured to parse the quantum key and the key-related data according to a service requirement (e.g., a key application request, a key reading request, etc.). The key write unit may be used to write the encrypted quantum keys and key related data (e.g., key accounts and key indices) into the data layer module.
The key destruction module is used for destroying used and/or invalid quantum keys from the data layer module, and may include a parallel operation unit, a key addressing unit and a key elimination unit.
The key reading module is used for providing positioning and query functions of the quantum key for the outside.
The key management system of the invention can also comprise a data access interface which is used for providing management and access to the key reading module, the key storage module, the key destroying module, the encryption/decryption module and the data layer module. In the present invention, the data access interface may be configured to receive a corresponding service request from one of the key storage module, the key reading module, and the key destruction module according to a service type (e.g., a key storage service, a key reading service, or a key destruction service), and send the corresponding service request to one of the key management terminal and the data layer module according to the service type after the user end device passes the identity authentication with the key account.
For example, in the key storage process, the data access interface may be called by the key storage module and receive a quantum key application request therefrom, and send the quantum key application request to the key management terminal to apply for a quantum key when it is determined that the corresponding user terminal device corresponds to the key account one to one according to the quantum key application request.
In the key reading process, the data access interface can be called by the key reading module and receives a quantum key reading request from the key reading module, and under the condition that the corresponding user side equipment is confirmed to be in one-to-one correspondence with the key account according to the quantum key reading request, the quantum key reading request is sent to the data layer module to request for reading the quantum key.
In the key destruction process, the data access interface can be called by the key destruction module and receives a quantum key destruction request from the key destruction module, and under the condition that the user side equipment is confirmed to be in one-to-one correspondence with the key account according to the quantum key destruction request, the quantum key destruction request is sent to the data layer module to request for quantum key destruction.
The key management method of the present invention will be described below in conjunction with fig. 2-4 to further understand the structure of the key management system of the present invention.
Fig. 2 schematically illustrates a key warehousing process in the key management method of the present invention.
In the key storage process, the key storage module calls a data access interface to provide a quantum key application request. The quantum key application request may include data such as quantum key length, quantum key amount, user end device ID, and key account. In the present invention, such a quantum key application request may be made in batch.
When the data access interface is called, the identity information in the quantum key application request needs to be authenticated, that is, whether the user end device ID corresponds to the key account is to be authenticated. When it is confirmed that the user end device ID corresponds to the key account, the data access interface allows the quantum key application request to be sent to the key management terminal KMT, so as to apply for pushing the corresponding quantum key. Likewise, this application can be carried out in batch form.
Key management terminal upon receiving a key application request sent via a data access interface
And then, identity authentication is carried out on the user end equipment ID and the key account data in the key application request, and the quantum key is pushed to the data access interface according to the key application request (in batch) after the identity authentication is passed.
After the service layer module receives the quantum key pushed by the key management terminal, the encryption/decryption module encrypts the pushed quantum key. Therefore, the distributed quantum key and related data (such as user end device ID, key account, key amount, key length and the like) are always in a ciphertext state in the key management system, and the security of the storage and transmission process of the quantum key is ensured.
Before storing the encrypted quantum key, the validity of the key account is authenticated. After the current valid key account is confirmed, the quantum keys applied in batch are subjected to key analysis according to the service requirement, and corresponding key indexes are generated according to key related data such as the quantum keys, the key accounts and the like. The key index will be used to query the storage location of the quantum key in the distributed file system unit of the data tier module. Those skilled in the art will recognize that the key index generated here is also in the ciphertext state in the present invention.
Finally, the key data files of the encrypted quantum keys and the corresponding generated key accounts and key indexes which are also encrypted are written into the data layer module (in batch), wherein the encrypted key accounts and key indexes can be stored in the distributed database unit, and the encrypted quantum keys are stored in the distributed file system unit.
And returning a processing result after finishing the quantum key storage operation.
In the warehousing process, the quantum key can be encrypted by the encryption/decryption module when being pushed to the key management system, so that the quantum key and related data thereof are always in a ciphertext state in the quantum key storage and transmission stage after the quantum key is pushed to the key management system, and the security of the key management system is effectively improved. In addition, the validity authentication of the key account is performed after the quantum key is pushed to the key management system and before the quantum key is written into the data layer module, and the setting improves the efficiency of applying for the quantum key in batches to the key management terminal or the quantum key distribution system. In addition, according to different data use types, contents such as key accounts, key indexes and the like and specific quantum keys are respectively stored in the distributed database unit and the distributed file system unit, so that higher query efficiency can be provided, and meanwhile, an optimal storage and access scheme is provided for massive quantum keys.
Fig. 3 schematically illustrates a key reading process in the key management method of the present invention.
In the key reading process, the user side equipment calls the key reading module to initiate a quantum key reading request. And the key reading module performs identity validity authentication on the user side equipment. Such authentication may include, but is not limited to, confirming the user's validity by a PIN code preset at the time of issuance. And after the identity validity is verified, the key reading module opens the reading authority and allows the data access interface to be called.
The key read module invokes the data access interface to make a quantum key read request. When the data access interface is called, the identity information in the quantum key reading request needs to be authenticated, that is, whether the user end device ID in the quantum key reading request corresponds to the quantum key account needs to be authenticated. When the user end device ID is confirmed to correspond to the quantum key account, the data access interface allows the quantum key reading request to be sent to the data layer module so as to apply for reading the corresponding quantum key.
In the data layer module, the stored quantum key and key related data such as a key account and a key index are in a ciphertext form encrypted by the encryption/decryption module. Therefore, in order to complete the query of the quantum key in the data layer module, the encryption/decryption module is further required to encrypt the original key index of the user to generate an encrypted user key index.
The encrypted user key index is sent to the data layer module for querying. Wherein authentication of the key account is also required. After the authentication is passed, the data such as the key index and the key request amount are obtained by analyzing according to the specific quantum key reading request. The encrypted quantum key to be read is located using the encrypted key index, and the amount of key read is checked. And after the verification is passed, returning a corresponding query result to the service layer module according to the specific quantum key reading request. Those skilled in the art will recognize that the returned query results are encrypted quantum keys.
For the encrypted quantum key returned by the data layer module, the service layer module also needs to decrypt the encrypted quantum key by using the encryption/decryption module, and then the key reading module outputs the quantum key to be read to the user end device. In order to ensure the security of quantum key transmission, the quantum key can be encrypted for the second time before being output to the user end device. The encryption algorithm of the second encryption can adopt, for example, the symmetric encryption algorithm SM1/SM 4.
As can be seen from the foregoing description of the key management system of the present invention, in the present invention, the operation of the quantum key is generally limited to writing, reading, and deleting. Therefore, in the key management method of the present invention, a key destruction process is further included.
Fig. 4 schematically illustrates a key destruction process in the key management method of the present invention.
In the key destroying process, the user terminal equipment calls the key destroying module to initiate a quantum key destroying request. And the key destruction module performs identity validity authentication on the user side equipment. Such authentication may include, but is not limited to, confirming the user's validity by a PIN code preset at the time of issuance. And after the identity validity is verified, the key destroying module allows the data access interface to be called.
The key destruction module calls a data access interface to provide a quantum key destruction request. When the data access interface is called, the identity information in the quantum key destruction request needs to be authenticated, that is, whether the user end device ID in the quantum key destruction request corresponds to the quantum key account needs to be authenticated. And when the user end equipment ID is confirmed to correspond to the quantum key account, the data access interface allows the quantum key destruction request to be sent to the data layer module so as to apply for destroying the corresponding quantum key.
In the data layer module, the stored quantum key and key related data such as a key account and a key index are in a ciphertext form encrypted by the encryption/decryption module. Therefore, in order to complete the query of the quantum key in the data layer module, the encryption/decryption module is further required to encrypt the original key index of the user to generate an encrypted user key index.
The encrypted user key index is sent to the data layer module for querying. Wherein authentication of the key account is also required. After the authentication is passed, analyzing according to the specific quantum key destruction request to obtain data such as key indexes and key request destruction quantity. And positioning the quantum key to be destroyed by utilizing the encrypted key index, destroying the corresponding quantum key, and verifying the quantity of the destroyed key.
And after the verification is passed, returning a corresponding key destruction processing result to the service layer module. Wherein, the service layer module also needs to utilize the encryption/decryption module to decrypt the key destruction processing result.
In summary, the quantum key management system and method of the present invention, on one hand, creatively propose to set up a novel encryption strategy in the storage and transmission links in the quantum key management, ensure that the quantum key and its related data are always operated in the ciphertext state in the quantum key management system, and strengthen the security protection in the quantum key management process; on the other hand, aiming at the use characteristics of the quantum key, the distributed file system and the distributed database are simultaneously introduced in an organic combination mode, mass data such as the quantum key, a key account, key indexes and the like are respectively stored in the distributed file system and the distributed database according to the characteristics of two data storage structures, so that the characteristics of the two data storage structures can be fully utilized to provide more efficient query capability, higher throughput, higher efficiency reading capability and stronger reliability and expansibility for the quantum key management system, and the defects in the prior art such as a user interaction data processing mode are well overcome.
The foregoing is merely a preferred embodiment of the invention and is not intended to limit the invention in any manner. Although the present invention has been described with reference to the preferred embodiments, it is not intended to be limited thereto. Those skilled in the art can make numerous possible variations and modifications to the present teachings, or modify equivalent embodiments to equivalent variations, without departing from the scope of the present teachings, using the methods and techniques disclosed above. Therefore, any simple modification, equivalent change and modification made to the above embodiments according to the technical essence of the present invention are still within the scope of the protection of the technical solution of the present invention, unless the contents of the technical solution of the present invention are departed.

Claims (16)

1. A distributed quantum key management system comprising a service layer module and a data layer module, the service layer module being arranged to receive a quantum key and to perform one or more of warehousing, reading and destruction of the quantum key, the data layer module being arranged to store the quantum key and data relating to the quantum key, characterized in that:
the service layer module comprises an encryption/decryption module for encrypting the quantum key and the data related to the quantum key after the quantum key enters the service layer module; and
the data layer module is realized by adopting a distributed bottom storage mode;
the data layer module comprises a distributed database unit and a distributed file system unit, wherein the distributed file system unit is used for storing the quantum key, the distributed database unit is used for storing the data related to the quantum key, and the quantum key and the data related to the quantum key are in a ciphertext form.
2. The quantum key management system of claim 1, wherein the quantum key related data comprises a key account and a key index, the key index to locate the quantum key.
3. The quantum key management system of claim 1, wherein the encryption/decryption module is further configured to encrypt the user's original key index during a read and/or destroy operation of the quantum key.
4. The quantum key management system of claim 1, wherein the encryption/decryption module is further configured to decrypt query results returned by the data tier module during a read and/or destroy operation of the quantum key.
5. The quantum key management system of claim 1, wherein the service layer module is further configured to perform a secondary encryption of the quantum key output to the outside during a read operation of the quantum key.
6. The quantum key management system of claim 1, wherein the service layer module further comprises a key warehousing module, a key reading module, and a key destruction module;
the key storage module is used for executing storage operation of the quantum key, and is configured to receive the quantum key from a quantum key management terminal and load the encrypted quantum key and the data related to the quantum key to the data layer module;
the key reading module is used for executing reading operation of the quantum key, and is configured to inquire the quantum key from the data layer module and output the inquired quantum key outwards;
the key destruction module is used for executing destruction operation of the quantum key, and is configured to inquire the quantum key from the data layer module and destroy the inquired quantum key from the data layer module.
7. The quantum key management system of claim 6, wherein the service layer module further comprises a data access interface configured to receive a service request from one of the key warehousing module, the key reading module, and the key destruction module according to a service type, and to send the service request to one of the key management terminal and the data layer module according to the service type after the user end device ID and the key account are authenticated.
8. A quantum key management method, it carries on one or more in quantum key warehouse entry operation, quantum key reading operation and quantum key destroy operation according to the business request, characterized by that:
the quantum key warehousing operation comprises a step of receiving a quantum key, a step of encrypting the quantum key and data related to the quantum key, and a step of storing the encrypted quantum key and the data related to the quantum key in a distributed bottom layer storage mode;
and the encrypted quantum key is stored by adopting a distributed file system, and the encrypted data related to the quantum key is stored by adopting a distributed database.
9. The quantum key management method of claim 8, wherein the quantum key related data comprises a key account and a key index, the key index to locate the quantum key stored in the distributed file system.
10. The quantum key management method of claim 8, wherein between the encrypting step and the storing step further comprising the step of authenticating the validity of a key account.
11. The quantum key management method of claim 8, wherein the quantum key reading operation comprises a step of querying the quantum key stored in the distributed file system according to an original key index of a user, and a step of outputting the quantum key outwards according to a query result.
12. The quantum key management method according to claim 8, wherein the quantum key destruction operation comprises a step of querying the quantum key stored in the distributed file system according to an original key index of a user, and a step of destroying the quantum key according to a query result.
13. The quantum key management method of claim 11 or 12, wherein the querying step further comprises the step of encrypting the original key index of the user.
14. The quantum key management method of claim 11 wherein the step of exporting the quantum key out further comprises the step of decrypting the query result.
15. The quantum key management method of claim 14 wherein the step of exporting the quantum key out further comprises the step of twice encrypting the exported quantum key.
16. The quantum key management method of claim 8, further comprising the step of authenticating whether a customer premises device ID corresponds one-to-one to a key account when receiving the service request.
CN201710244821.3A 2017-04-14 2017-04-14 Distributed quantum key management system and method Active CN108737079B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710244821.3A CN108737079B (en) 2017-04-14 2017-04-14 Distributed quantum key management system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710244821.3A CN108737079B (en) 2017-04-14 2017-04-14 Distributed quantum key management system and method

Publications (2)

Publication Number Publication Date
CN108737079A CN108737079A (en) 2018-11-02
CN108737079B true CN108737079B (en) 2021-05-07

Family

ID=63923772

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710244821.3A Active CN108737079B (en) 2017-04-14 2017-04-14 Distributed quantum key management system and method

Country Status (1)

Country Link
CN (1) CN108737079B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110048833B (en) * 2019-03-04 2021-10-29 全球能源互联网研究院有限公司 Electric power service encryption method and device based on quantum satellite key network
CN111860847B (en) * 2020-07-22 2024-03-22 安徽华典大数据科技有限公司 Quantum computation-based data encryption method
CN112800439B (en) * 2020-12-02 2022-02-08 中国电子科技集团公司第三十研究所 Key management protocol design method and system for secure storage
CN113904780B (en) * 2021-12-10 2022-03-04 湖南师范大学 Quantum-based batch identity authentication method, system, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102891876A (en) * 2011-07-22 2013-01-23 中兴通讯股份有限公司 Method and system for distributed data encryption under cloud computing environment
CN106209739A (en) * 2015-05-05 2016-12-07 科大国盾量子技术股份有限公司 Cloud storage method and system
CN205945769U (en) * 2016-08-16 2017-02-08 广东国盾量子科技有限公司 Quantum key chip
CN106507344A (en) * 2016-09-23 2017-03-15 浙江神州量子网络科技有限公司 Quantum communication system and its communication means

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102891876A (en) * 2011-07-22 2013-01-23 中兴通讯股份有限公司 Method and system for distributed data encryption under cloud computing environment
CN106209739A (en) * 2015-05-05 2016-12-07 科大国盾量子技术股份有限公司 Cloud storage method and system
CN205945769U (en) * 2016-08-16 2017-02-08 广东国盾量子科技有限公司 Quantum key chip
CN106507344A (en) * 2016-09-23 2017-03-15 浙江神州量子网络科技有限公司 Quantum communication system and its communication means

Also Published As

Publication number Publication date
CN108737079A (en) 2018-11-02

Similar Documents

Publication Publication Date Title
JP7426031B2 (en) Key security management system and method, medium, and computer program
US7587608B2 (en) Method and apparatus for storing data on the application layer in mobile devices
CN102932136B (en) Systems and methods for managing cryptographic keys
EP2731040B1 (en) Computer system for storing and retrieval of encrypted data items, client computer, computer program product and computer-implemented method
JP6329970B2 (en) Policy enforcement with relevant data
KR101954863B1 (en) Online wallet apparatus, and method for generating and verifying online wallet
US20190050598A1 (en) Secure data storage
KR20210061426A (en) Double-encrypted secret portion allowing assembly of the secret using a subset of the double-encrypted secret portion
JP2018170802A (en) Multiple authority data security and access
EP2251810B1 (en) Authentication information generation system, authentication information generation method, and authentication information generation program utilizing a client device and said method
CN101925913A (en) Method and system for encrypted file access
CN102782694A (en) Transaction auditing for data security devices
CN108737079B (en) Distributed quantum key management system and method
CN109688133A (en) It is a kind of based on exempt from account login communication means
CN1954345B (en) Smart card data transaction system and method for providing storage and transmission security
CN103618705A (en) Personal code managing tool and method under open cloud platform
CN1322431C (en) Encryption retention and data retrieve based on symmetric cipher key
CN106682521B (en) File transparent encryption and decryption system and method based on driver layer
US8572372B2 (en) Method for selectively enabling access to file systems of mobile terminals
CN104484628B (en) It is a kind of that there is the multi-application smart card of encrypting and decrypting
CN108270739A (en) A kind of method and device of managing encrypted information
CN112565265A (en) Authentication method, authentication system and communication method between terminal devices of Internet of things
CN106408069B (en) User data write-in and read method and the system of EPC card
CN108494724A (en) Cloud storage encryption system based on more authorized organization's encryption attribute algorithms and method
CN113569272B (en) Secure computer implementation method and secure computer

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant