
CN114866227A - Quantum key distribution method and device - Google Patents


Info

Publication number: CN114866227A
Authority: CN (China)
Prior art keywords: quantum key, ssl vpn, key data, vpn gateway, quantum
Legal status: Granted; currently active
Application number: CN202210262049.9A
Other languages: Chinese (zh)
Other versions: CN114866227B (en)
Inventor: 李金英
Current Assignee: New H3C Security Technologies Co Ltd
Original Assignee: New H3C Security Technologies Co Ltd
Events: application filed by New H3C Security Technologies Co Ltd; priority to CN202210262049.9A; publication of CN114866227A; application granted; publication of CN114866227B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0852 Quantum cryptography
    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones


Abstract

The application provides a quantum key distribution method and device. The method is applied to a firewall device and comprises the following steps: after a plurality of SSL VPN gateways using quantum keys have been configured on the firewall device, requesting quantum key data of a set size from the quantum exchange cipher machine; splitting the quantum key data into M parts and uniquely allocating each of the M parts to one SSL VPN gateway using a quantum key; according to the splitting rule set for each SSL VPN gateway using a quantum key, further splitting the quantum key data allocated to that gateway, and storing each split piece of quantum key data corresponding to each SSL VPN gateway using a quantum key in the kernel. The method and device can save memory resources of the firewall device.

Description

Quantum key distribution method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a quantum key distribution method and apparatus.
Background
SSL VPN is a newer Virtual Private Network (VPN) technology that uses the Secure Sockets Layer (SSL) protocol to implement remote access. It is based on HTTPS, that is, the Hypertext Transfer Protocol (HTTP) running over SSL, and uses the certificate-based authentication, data encryption and message integrity verification mechanisms provided by the SSL protocol so that intranet resources can be accessed remotely over HTTPS.
At present, a quantum key is generally used to negotiate the symmetric encryption key between the SSL VPN client and the SSL VPN gateway configured on the firewall device, so as to improve the security of the SSL connection established between them. The quantum key used by the firewall device and the SSL VPN gateway is usually obtained by the firewall device through a separate request to the quantum exchange cipher machine after that SSL VPN gateway is configured, so when a plurality of SSL VPN gateways using quantum keys are configured on the firewall device, more of the firewall device's memory resources are occupied.
Disclosure of Invention
In order to overcome the problems in the related art, the application provides a quantum key distribution method and a quantum key distribution device.
According to a first aspect of embodiments of the present application, there is provided a quantum key distribution method, which is applied to a firewall device, and includes:
after a plurality of SSL VPN gateways using quantum keys have been configured on the firewall device, requesting quantum key data of a set size from the quantum exchange cipher machine;
splitting the quantum key data into M parts of quantum key data and uniquely allocating each of the M parts to one SSL VPN gateway using a quantum key, wherein each of the M parts has the same size and the value of M is the total number of SSL VPN gateways using quantum keys;
further splitting the quantum key data allocated to each SSL VPN gateway using a quantum key according to the splitting rule set for that gateway, and storing each split piece of quantum key data corresponding to each SSL VPN gateway using a quantum key in the kernel, so that, when any SSL VPN client sends a Client Hello message carrying a quantum key identification field, the SSL VPN gateway using a quantum key that receives it selects the quantum key data the SSL VPN client needs from the split, as yet unused quantum key data corresponding to that gateway in the kernel, generates a Server Hello message that carries the gateway identification of the SSL VPN gateway using a quantum key and whose quantum key identification field contains the quantum key identification corresponding to the selected quantum key data, and sends the Server Hello message to the SSL VPN client, whereupon the SSL VPN client negotiates a symmetric encryption key with the SSL VPN gateway using a quantum key according to the quantum key data corresponding to the quantum key identification carried in the Server Hello message and the gateway identification.
According to a second aspect of embodiments of the present application, there is provided a quantum key distribution apparatus, the apparatus being applied to a firewall device, the apparatus including:
an application module, configured to request quantum key data of a set size from the quantum exchange cipher machine after a plurality of SSL VPN gateways using quantum keys have been configured on the firewall device;
a distribution module, configured to split the quantum key data into M parts of quantum key data and uniquely allocate each of the M parts to one SSL VPN gateway using a quantum key, wherein each of the M parts has the same size and the value of M is the total number of SSL VPN gateways using quantum keys;
a storage module, configured to further split the quantum key data allocated to each SSL VPN gateway using a quantum key according to the splitting rule set for that gateway, and to store each split piece of quantum key data corresponding to each SSL VPN gateway using a quantum key in the kernel, so that, when any SSL VPN client sends a Client Hello message carrying a quantum key identification field, the SSL VPN gateway using a quantum key that receives it selects the quantum key data the SSL VPN client needs from the split, as yet unused quantum key data corresponding to that gateway in the kernel, generates a Server Hello message that carries the gateway identification of the SSL VPN gateway using a quantum key and whose quantum key identification field contains the quantum key identification corresponding to the selected quantum key data, and sends the Server Hello message to the SSL VPN client, whereupon the SSL VPN client negotiates a symmetric encryption key with the SSL VPN gateway using a quantum key according to the quantum key data corresponding to the quantum key identification carried in the received Server Hello message and the gateway identification.
The technical scheme provided by the embodiment of the application can have the following beneficial effects:
In the embodiment of the application, after the firewall device has configured a plurality of SSL VPN gateways using quantum keys, it requests quantum key data of a set size from the quantum exchange cipher machine only once. The firewall device then splits the quantum key data into M parts of equal size and uniquely allocates each part to one SSL VPN gateway using a quantum key, M being the total number of such gateways. Finally, the firewall device further splits the quantum key data allocated to each SSL VPN gateway using a quantum key according to the splitting rule set for that gateway and stores the split pieces in the kernel, so that, when any SSL VPN client sends a Client Hello message carrying a quantum key identification field, the receiving gateway selects the quantum key data the client needs from its split, as yet unused quantum key data in the kernel, generates a Server Hello message carrying its gateway identification and, in the quantum key identification field, the quantum key identification of the selected data, and sends it to the SSL VPN client; the client then negotiates a symmetric encryption key with the gateway according to the quantum key data corresponding to that quantum key identification and the gateway identification.
Therefore, this quantum key distribution process saves memory resources of the firewall device, and because the gateway identification of the SSL VPN gateway configured on the firewall device takes part in the negotiation of the symmetric encryption key, communication security is further improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic flowchart of a quantum key distribution method according to an embodiment of the present application;
fig. 2 is a schematic split view of quantum key data provided in an embodiment of the present application;
fig. 3 is a schematic structural diagram of a quantum key distribution device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The words "if" or "if" as used herein may be interpreted as "at … …" or "at … …" depending on the context.
Next, examples of the present application will be described in detail.
The embodiment of the application provides a quantum key distribution method, which is applied to a firewall device; as shown in fig. 1, the method may include the following steps:
S11: after a plurality of SSL VPN gateways using quantum keys have been configured on the firewall device, the firewall device requests quantum key data of a set size from the quantum exchange cipher machine.
S12: the quantum key data is split into M parts of quantum key data, and each of the M parts is uniquely allocated to one SSL VPN gateway using a quantum key.
In this step, each of the M parts has the same size, and the value of M is the total number of SSL VPN gateways using quantum keys.
S13: according to the splitting rule set for each SSL VPN gateway using a quantum key, the quantum key data allocated to that gateway is split further, and each split piece of quantum key data corresponding to each SSL VPN gateway using a quantum key is stored in the kernel, so that, when any SSL VPN client sends a Client Hello message carrying a quantum key identification field, the SSL VPN gateway using a quantum key that receives it selects the quantum key data the SSL VPN client needs from the split, as yet unused quantum key data corresponding to that gateway in the kernel, generates a Server Hello message that carries the gateway identification of the SSL VPN gateway using a quantum key and whose quantum key identification field contains the quantum key identification corresponding to the selected quantum key data, and sends the Server Hello message to the SSL VPN client, whereupon the SSL VPN client negotiates a symmetric encryption key with the SSL VPN gateway using a quantum key according to the quantum key data corresponding to the quantum key identification carried in the received Server Hello message and the gateway identification.
It should be noted that, in the embodiment of the present application, for a gateway configured on the firewall device that does not need to use a quantum key, the firewall device still performs the existing operation, which is not described here.
Specifically, in step S11, the set size may be chosen according to the actual requirements of the network where the firewall device is located; for example, the set size may be 5M.
In step S12, the quantum key data allocated by the firewall device to each SSL VPN gateway using a quantum key may be marked with the respective gateway identifier (e.g. gateway ID).
For example, suppose 5 SSL VPN gateways using quantum keys are configured on the firewall device. After these 5 gateways have been configured, the firewall device requests 5M of quantum key data from the quantum exchange cipher machine; it then splits the 5M of quantum key data into 5 shares of 1M each, allocates one unique 1M share to each of the 5 SSL VPN gateways using quantum keys, and marks each share with the gateway ID of the corresponding gateway, as shown in fig. 2.
In step S13, the splitting rules set for each SSL VPN gateway using a quantum key may be completely the same, may be partially the same, or may be completely different.
In one example, the firewall device may continue to split the quantum key data allocated to each SSL VPN gateway using the quantum key by:
further splitting the quantum key data allocated to each SSL VPN gateway using a quantum key according to a set data length.
Here, the set data length may also be set according to the actual requirement of the network where the firewall device is located.
In addition, for any SSL VPN gateway using a quantum key configured on the firewall device, when a Client Hello message carrying a quantum key identification field is received from any SSL VPN client, the size of the quantum key data to be selected for that SSL VPN client is determined by the firewall device according to the SSL certificate of the SSL VPN client; the specific determination process is prior art and is not described in detail here.
The SSL VPN gateway using a quantum key may carry its gateway identification and the quantum key identification corresponding to the selected quantum key data in the last two extension fields of the Server Hello message, respectively. The SSL VPN gateway and the associated SSL VPN client still negotiate the symmetric encryption key according to the existing negotiation algorithm, which is not described in detail here.
Further, in this embodiment of the present application, the firewall device may further perform the following operations:
after the split quantum key data corresponding to each SSL VPN gateway using a quantum key has been stored in the kernel, if it is detected that only the last piece of split quantum key data remains for any SSL VPN gateway using a quantum key, or that a new SSL VPN gateway using a quantum key has been configured, quantum key data of the set size is requested from the quantum exchange cipher machine again, and the step of splitting the quantum key data into M parts is executed.
Further, in order to make better use of the quantum key data, in the embodiment of the present application, after the firewall device has requested quantum key data of the set size from the quantum exchange cipher machine again, and before the step of splitting the quantum key data into M parts is executed, the following operations may also be performed:
determining whether the activity of each SSL VPN gateway using a quantum key is recorded locally;
if not, executing the step of splitting the quantum key data into M parts;
if so, splitting the newly requested quantum key data into N parts according to the locally recorded activity of each SSL VPN gateway using a quantum key, uniquely allocating each of the N parts to one SSL VPN gateway using a quantum key, and executing the step of further splitting the quantum key data allocated to each SSL VPN gateway using a quantum key according to the splitting rule set for that gateway;
here, the value of N is the same as the value of M, and among the N parts, a gateway with higher activity receives a larger part of quantum key data and a gateway with lower activity receives a smaller part.
The locally recorded activity of each SSL VPN gateway using a quantum key is calculated and updated every set period after the firewall device stores the split quantum key data corresponding to each such gateway in the kernel.
It should be noted that, in this operation flow, a negative determination result indicates that the first set period has not yet elapsed, so the firewall device has not yet calculated the activity of each SSL VPN gateway using a quantum key and therefore holds no local record of it.
A positive determination result indicates that the firewall device calculated the activity of each SSL VPN gateway using a quantum key at the end of the most recent set period, that is, the firewall device has recorded the newly calculated activity of each such gateway.
Specifically, in this operation flow, the firewall device may calculate the activity of each SSL VPN gateway using a quantum key as follows:
for each SSL VPN gateway using a quantum key, counting the number of times a symmetric encryption key was negotiated using the gateway identification of that gateway within the set period, and taking the count as the activity of that gateway.
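The pool handling of steps S11 to S13 and the activity-weighted re-split described above, modelled in Python as an added example that is not code from the patent or from New H3C. The names (GatewayKeyStore, Firewall), the 32-byte chunk length, the constructed key-ID format, the sample Server Hello extension and the `source` stand-in for the quantum exchange cipher machine are assumptions, as are keeping earlier unused pieces on refill and giving every gateway at least one chunk, which the text does not specify.

```python
import math
import os

CHUNK_LEN = 32  # assumed "set data length" (bytes) of the second split

def split_equal(pool, gateway_ids, chunk_len=CHUNK_LEN):
    """Step S12: M equal whole-chunk shares keyed by gateway ID; a remainder stays unused."""
    share = (len(pool) // chunk_len // len(gateway_ids)) * chunk_len
    return {gid: pool[i * share:(i + 1) * share] for i, gid in enumerate(gateway_ids)}

def split_chunks(share, chunk_len=CHUNK_LEN):
    """Step S13 splitting rule: fixed-length pieces of one gateway's share."""
    if len(share) % chunk_len:
        raise ValueError("share is not a multiple of the chunk length")
    return [share[i:i + chunk_len] for i in range(0, len(share), chunk_len)]

def split_by_activity(pool, gateway_ids, activity, chunk_len=CHUNK_LEN):
    """Re-split after a refill: N (= M) shares sized by recorded activity. Assumptions: whole
    chunks, one chunk minimum per gateway (absent from the record counts as 0), leftovers
    to the largest fractional parts, and an all-zero record falls back to equal shares."""
    n, total = len(gateway_ids), len(pool) // chunk_len
    if n == 0 or total < n:
        raise ValueError("pool too small for one chunk per gateway")
    spare, weight = total - n, sum(activity.get(g, 0) for g in gateway_ids)
    exact = {g: spare * activity.get(g, 0) / weight if weight else spare / n
             for g in gateway_ids}
    counts = {g: 1 + int(exact[g]) for g in gateway_ids}
    leftover = spare - sum(int(v) for v in exact.values())
    for g in sorted(gateway_ids, key=lambda g: exact[g] % 1, reverse=True)[:leftover]:
        counts[g] += 1
    shares, offset = {}, 0
    for g in gateway_ids:
        shares[g] = pool[offset:offset + counts[g] * chunk_len]
        offset += counts[g] * chunk_len
    return shares

class GatewayKeyStore:  # one gateway's split pieces as held in the kernel, plus its activity
    def __init__(self, gateway_id, share, chunk_len=CHUNK_LEN):
        self.gateway_id, self.chunk_len = gateway_id, chunk_len
        self.unused, self.next_index = [], 0   # (piece index, key bytes) not yet handed out
        self.negotiations = 0                  # activity: negotiations in the current period
        self.add_share(share)

    def add_share(self, share):
        chunks = split_chunks(share, self.chunk_len)
        self.unused.extend(enumerate(chunks, self.next_index))
        self.next_index += len(chunks)

    def select_for_client(self, needed_bytes):
        """Client Hello carrying the quantum key identification field: hand out unused pieces
        covering the size the firewall derived from the client's SSL certificate."""
        n = math.ceil(needed_bytes / self.chunk_len)
        if n == 0 or n > len(self.unused):
            return None
        taken, self.unused = self.unused[:n], self.unused[n:]
        self.negotiations += 1
        key_id = f"{self.gateway_id}:{taken[0][0]}-{taken[-1][0]}"  # constructed ID format
        return key_id, b"".join(piece for _, piece in taken)

class Firewall:
    """Ties the steps together; `source` stands in for the quantum exchange cipher machine."""

    def __init__(self, gateway_ids, pool_size, chunk_len=CHUNK_LEN, source=os.urandom):
        self.gateway_ids, self.pool_size, self.chunk_len = list(gateway_ids), pool_size, chunk_len
        self.source, self.stores, self.activity = source, {}, None  # no activity record yet
        self.provision()

    def provision(self):
        """S11, then S12/S13, or the activity-weighted split once a record exists."""
        pool = self.source(self.pool_size)
        if self.activity is None:
            shares = split_equal(pool, self.gateway_ids, self.chunk_len)
        else:
            shares = split_by_activity(pool, self.gateway_ids, self.activity, self.chunk_len)
        for gid, share in shares.items():
            if gid in self.stores:
                self.stores[gid].add_share(share)   # assumption: earlier unused pieces are kept
            else:
                self.stores[gid] = GatewayKeyStore(gid, share, self.chunk_len)

    def end_period(self):
        """Every set period: each gateway's negotiation count becomes its recorded activity."""
        self.activity = {g: s.negotiations for g, s in self.stores.items()}
        for s in self.stores.values():
            s.negotiations = 0

    def handle_client_hello(self, gateway_id, needed_bytes):
        """Returns (key_id, key_data, server_hello_extensions), or None when exhausted."""
        store = self.stores[gateway_id]
        picked = store.select_for_client(needed_bytes)
        if len(store.unused) <= 1:   # refill trigger: only the last piece (or nothing) is left
            self.provision()
        if picked is None:
            return None
        key_id, key = picked
        # the gateway ID and the quantum key ID occupy the last two Server Hello extension fields
        exts = [("supported_versions", "TLSv1.2"), ("gateway_id", gateway_id),
                ("quantum_key_id", key_id)]
        return key_id, key, exts
```

A newly configured gateway is handled by appending it to `gateway_ids` and calling `provision()` again; with an activity record present it then receives the minimum share until it has negotiated in a period.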
According to the technical scheme of the embodiment of the application, after the firewall device has configured a plurality of SSL VPN gateways using quantum keys, it requests quantum key data of a set size from the quantum exchange cipher machine only once. It then splits that data into M parts of equal size, uniquely allocates each part to one SSL VPN gateway using a quantum key (M being the total number of such gateways), splits each part further according to the splitting rule set for that gateway, and stores the split pieces in the kernel. When a gateway receives a Client Hello message carrying a quantum key identification field from any SSL VPN client, it selects the quantum key data the client needs from its split, as yet unused pieces in the kernel, sends the client a Server Hello message carrying its gateway identification and, in the quantum key identification field, the quantum key identification of the selected data, and the client negotiates a symmetric encryption key with the gateway according to the quantum key data corresponding to that identification and the gateway identification.
Therefore, this quantum key distribution process saves memory resources of the firewall device, and because the gateway identification of the SSL VPN gateway configured on the firewall device takes part in the negotiation of the symmetric encryption key, communication security is further improved.
Based on the same inventive concept, the present application further provides a quantum key distribution device, which is applied to a firewall device, and a schematic structural diagram of the device is shown in fig. 3, and specifically includes:
an application module 31, configured to request quantum key data of a set size from the quantum exchange cipher machine after a plurality of SSL VPN gateways using quantum keys have been configured;
a distribution module 32, configured to split the quantum key data into M parts of quantum key data and uniquely allocate each of the M parts to one SSL VPN gateway using a quantum key, wherein each of the M parts has the same size and the value of M is the total number of SSL VPN gateways using quantum keys;
a storage module 33, configured to further split the quantum key data allocated to each SSL VPN gateway using a quantum key according to the splitting rule set for that gateway, and to store each split piece of quantum key data corresponding to each SSL VPN gateway using a quantum key in the kernel, so that, when any SSL VPN client sends a Client Hello message carrying a quantum key identification field, the SSL VPN gateway using a quantum key that receives it selects the quantum key data the SSL VPN client needs from the split, as yet unused quantum key data corresponding to that gateway in the kernel, generates a Server Hello message that carries the gateway identification of the SSL VPN gateway using a quantum key and whose quantum key identification field contains the quantum key identification corresponding to the selected quantum key data, and sends the Server Hello message to the SSL VPN client, whereupon the SSL VPN client negotiates a symmetric encryption key with the SSL VPN gateway using a quantum key according to the quantum key data corresponding to the quantum key identification carried in the received Server Hello message and the gateway identification.
Preferably, the application module 31 is further configured to:
after the storage module 33 has stored the split quantum key data corresponding to each SSL VPN gateway using a quantum key in the kernel, if it is detected that only the last piece of split quantum key data remains for any SSL VPN gateway using a quantum key, or that a new SSL VPN gateway using a quantum key has been configured, request quantum key data of the set size from the quantum exchange cipher machine again and trigger the distribution module 32 to execute the step of splitting the quantum key data into M parts.
Preferably, the storage module 33 is specifically configured to:
further splitting the quantum key data allocated to each SSL VPN gateway using a quantum key according to a set data length.
Preferably, the application module 31 is further configured to:
after quantum key data of the set size has been requested from the quantum exchange cipher machine again, and before the distribution module 32 is triggered to execute the step of splitting the quantum key data into M parts, determine whether the activity of each SSL VPN gateway using a quantum key is recorded locally on the firewall device;
if not, trigger the distribution module 32 to execute the step of splitting the quantum key data into M parts;
if so, split the newly requested quantum key data into N parts according to the locally recorded activity of each SSL VPN gateway using a quantum key, uniquely allocate each of the N parts to one SSL VPN gateway using a quantum key, and trigger the storage module 33 to execute the step of further splitting the quantum key data allocated to each SSL VPN gateway using a quantum key according to the splitting rule set for that gateway;
the value of N is the same as the value of M, and among the N parts, the higher a gateway's activity, the larger its part of quantum key data, and the lower its activity, the smaller its part;
the locally recorded activity of each SSL VPN gateway using a quantum key is calculated and updated every set period after the firewall device stores the split quantum key data corresponding to each such gateway in the kernel.
Preferably, the apparatus further comprises:
a calculation module (not shown in fig. 3), configured to calculate the activity of each SSL VPN gateway using a quantum key as follows:
for each SSL VPN gateway using a quantum key, count the number of times a symmetric encryption key was negotiated using the gateway identification of that gateway within the set period, and take the count as the activity of that gateway.
According to the technical scheme, in the embodiment of the application, after the firewall equipment configures a plurality of SSL VPN gateways using quantum keys, quantum key data with set size can be applied for one time from the quantum exchange cipher machine; then, the firewall device splits the quantum key data into M parts of quantum key data, and uniquely allocates each part of quantum key data in the M parts of quantum key data to one SSL VPN gateway using the quantum key, wherein the size of each part of quantum key data in the M parts of quantum key data is the same, and the value of M is the total number value of all SSL VPN gateways using the quantum key; finally, the firewall device continues to split the quantum key data distributed to each SSL VPN gateway using the quantum key according to the splitting rule set for each SSL VPN gateway using the quantum key, and stores each split quantum key data corresponding to each SSL VPN gateway using the quantum key into the kernel, so that each SSL VPN gateway using the quantum key selects the quantum key data needed to be used by the SSL VPN client from the split unused quantum key data corresponding to the SSL VPN gateway using the quantum key in the kernel when receiving the Clinet Hello message carrying the quantum key identification field sent by any SSL VPN client, generates the gateway identification carrying the SSL VPN gateway using the quantum key and the Server Hello message carrying the quantum key identification field as the quantum key identification corresponding to the selected quantum key data, and sending the Server Hello message to the SSL VPN client, and negotiating a symmetric encryption key with the SSL VPN gateway using the quantum key by the SSL VPN client according to the quantum key data and the gateway identifier corresponding to the quantum key identifier carried in the obtained Server Hello message.
With this quantum key distribution process, a single block of quantum key data serves all gateways, which saves memory on the firewall device, and the gateway identification of the SSL VPN gateway configured on the firewall device takes part in the negotiation of the symmetric encryption key, so the negotiated key depends on that gateway's identification, which further improves communication security.
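The procedure summarized above, as an added example that is not part of the patent or of New H3C's implementation: a Python model of the key pool on the firewall device and of the Client Hello / Server Hello exchange. The quantum exchange cipher machine is simulated with os.urandom, the client's own copy of the quantum key data is simulated by mirroring the pool, the symmetric key is derived with an HMAC over the key unit, the gateway identification and both sides' randoms, and unused units from earlier blocks are kept on refill. All of these, and every function and field name, are assumptions.

```python
"""Key pool shared by several SSL VPN gateways on one firewall device (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os


def request_quantum_key_data(size: int) -> bytes:
    """Stand-in for applying key data of set size from the quantum exchange cipher machine."""
    return os.urandom(size)


def split_equal(data: bytes, m: int) -> list[bytes]:
    """Split into M parts of equal size, M being the number of gateways using quantum keys."""
    if m <= 0 or len(data) % m:
        raise ValueError("set size must be a positive multiple of the gateway count")
    part = len(data) // m
    return [data[i * part:(i + 1) * part] for i in range(m)]


def split_units(part: bytes, unit_len: int) -> list[bytes]:
    """Split one gateway's part by the set data length (the per-gateway splitting rule)."""
    if unit_len <= 0 or len(part) % unit_len:
        raise ValueError("part must be a multiple of the unit length")
    return [part[i:i + unit_len] for i in range(0, len(part), unit_len)]


def derive_symmetric_key(unit: bytes, gateway_id: str,
                         client_random: bytes, server_random: bytes) -> bytes:
    """Both sides derive the session key from the key unit and the gateway identification.

    HMAC-SHA256 is an assumption; the point is that the gateway id is an input,
    so the same unit used with another gateway id gives a different key.
    """
    return hmac.new(unit, gateway_id.encode() + client_random + server_random,
                    hashlib.sha256).digest()


class Firewall:
    def __init__(self, gateway_ids: list[str], block_size: int, unit_len: int):
        self.gateway_ids = list(gateway_ids)
        self.block_size, self.unit_len = block_size, unit_len
        self.pools: dict[str, dict[str, bytes]] = {}  # gateway -> key id -> unused unit (kernel store)
        self.refills = 0
        self.refill()

    def refill(self) -> None:
        """Apply for one block of set size and split it across all gateways."""
        data = request_quantum_key_data(self.block_size)
        self.refills += 1
        for gw, part in zip(self.gateway_ids, split_equal(data, len(self.gateway_ids))):
            pool = self.pools.setdefault(gw, {})  # unused units from earlier blocks are kept (assumption)
            for i, unit in enumerate(split_units(part, self.unit_len)):
                pool[f"{gw}:{self.refills}:{i}"] = unit  # only this identifier ever goes on the wire

    def add_gateway(self, gw: str) -> None:
        """A newly added gateway using quantum keys triggers a fresh application."""
        self.gateway_ids.append(gw)
        self.refill()

    def check_and_refill(self) -> bool:
        """Monitor step: refill once any gateway is down to its last unused unit."""
        if any(len(pool) <= 1 for pool in self.pools.values()):
            self.refill()
            return True
        return False

    def server_hello(self, gw: str, client_hello: dict) -> tuple[dict, bytes] | None:
        """Answer a Client Hello that carries the quantum key identification field."""
        if "quantum_key_id" not in client_hello:
            return None  # ordinary handshake, no quantum key involved
        pool = self.pools[gw]
        if not pool:
            raise RuntimeError(f"{gw}: no unused quantum key data left")
        kid, unit = next(iter(pool.items()))
        del pool[kid]  # every unit is used exactly once
        server_random = os.urandom(32)
        hello = {"gateway_id": gw, "quantum_key_id": kid, "server_random": server_random}
        return hello, derive_symmetric_key(unit, gw, client_hello["client_random"], server_random)


def client_negotiate(client_store: dict[str, bytes], client_hello: dict, server_hello: dict) -> bytes:
    """Client side: look up its own copy of the unit by identifier and derive the same key."""
    unit = client_store[server_hello["quantum_key_id"]]
    return derive_symmetric_key(unit, server_hello["gateway_id"],
                                client_hello["client_random"], server_hello["server_random"])


if __name__ == "__main__":
    fw = Firewall(["gw-a", "gw-b"], block_size=96, unit_len=16)
    store = dict(fw.pools["gw-a"])  # the client's own copy of the key data (simulated)
    ch = {"quantum_key_id": "", "client_random": os.urandom(32)}
    sh, k_gw = fw.server_hello("gw-a", ch)
    print(sh["quantum_key_id"], client_negotiate(store, ch, sh) == k_gw, fw.check_and_refill())
```

Two points a deployment has to get right are visible in the model: the Server Hello carries only the key identifier, never the key bytes, and a unit is deleted from the pool at the moment it is selected, so no two handshakes can be served from the same piece of quantum key data.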
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A quantum key distribution method, applied to a firewall device, the method comprising:
after a plurality of SSL VPN gateways using quantum keys have been configured on the firewall device, applying for quantum key data of a set size from the quantum exchange cipher machine;
splitting the quantum key data into M parts of equal size and allocating each of the M parts to exactly one SSL VPN gateway using quantum keys, where M is the total number of SSL VPN gateways using quantum keys;
further splitting the quantum key data allocated to each SSL VPN gateway using quantum keys according to a splitting rule set for that gateway, and storing the resulting pieces for each gateway in a kernel, so that each SSL VPN gateway using quantum keys, on receiving a Client Hello message carrying a quantum key identification field from any SSL VPN client, selects the quantum key data the client is to use from that gateway's unused pieces in the kernel, generates a Server Hello message that carries the gateway identification of that gateway and, as the content of the quantum key identification field, the quantum key identification corresponding to the selected piece, and sends the Server Hello message to the SSL VPN client, whereupon the SSL VPN client negotiates a symmetric encryption key with that gateway using the quantum key data corresponding to the quantum key identification carried in the received Server Hello message and the gateway identification.
2. The method of claim 1, wherein further splitting the quantum key data allocated to each SSL VPN gateway using quantum keys according to the splitting rule set for that gateway comprises:
splitting the quantum key data allocated to each SSL VPN gateway using quantum keys by a set data length.
3. The method of claim 1, further comprising:
after the pieces of quantum key data for each SSL VPN gateway using quantum keys have been stored in the kernel, if it is detected that only the last piece of quantum key data remains for any SSL VPN gateway using quantum keys, or that a new SSL VPN gateway using quantum keys has been added, applying for quantum key data of the set size from the quantum exchange cipher machine again and repeating the step of splitting the quantum key data into M parts.
4. The method of claim 3, wherein, after applying for quantum key data of the set size from the quantum exchange cipher machine again and before repeating the step of splitting the quantum key data into M parts, the method further comprises:
judging whether a liveness of each SSL VPN gateway using quantum keys is recorded locally;
if not, repeating the step of splitting the quantum key data into M parts;
if so, splitting the re-applied quantum key data into N parts according to the locally recorded liveness of each SSL VPN gateway using quantum keys, allocating each of the N parts to exactly one SSL VPN gateway using quantum keys, and proceeding to the step of further splitting the quantum key data allocated to each gateway according to the splitting rule set for that gateway;
where N equals M and, among the N parts, a gateway with higher liveness receives a larger part and a gateway with lower liveness receives a smaller part;
and where the locally recorded liveness of each SSL VPN gateway using quantum keys is calculated and updated every set period after the firewall device has stored the pieces of quantum key data for each gateway in the kernel.
5. The method of claim 4, wherein the liveness of each SSL VPN gateway using quantum keys is calculated by:
for each SSL VPN gateway using quantum keys, counting how many times a symmetric encryption key was negotiated with that gateway's identification within the set period, and taking the resulting count as the liveness of that gateway.
6. A quantum key distribution apparatus, applied to a firewall device, the apparatus comprising:
an application module, configured to apply for quantum key data of a set size from the quantum exchange cipher machine after a plurality of SSL VPN gateways using quantum keys have been configured on the firewall device;
a distribution module, configured to split the quantum key data into M parts of equal size and allocate each of the M parts to exactly one SSL VPN gateway using quantum keys, where M is the total number of SSL VPN gateways using quantum keys;
a storage module, configured to further split the quantum key data allocated to each SSL VPN gateway using quantum keys according to a splitting rule set for that gateway, and to store the resulting pieces for each gateway in a kernel, so that each SSL VPN gateway using quantum keys, on receiving a Client Hello message carrying a quantum key identification field from any SSL VPN client, selects the quantum key data the client is to use from that gateway's unused pieces in the kernel, generates a Server Hello message that carries the gateway identification of that gateway and, as the content of the quantum key identification field, the quantum key identification corresponding to the selected piece, and sends the Server Hello message to the SSL VPN client, whereupon the SSL VPN client negotiates a symmetric encryption key with that gateway using the quantum key data corresponding to the quantum key identification carried in the received Server Hello message and the gateway identification.
7. The apparatus of claim 6, wherein the storage module is specifically configured to:
split the quantum key data allocated to each SSL VPN gateway using quantum keys by a set data length.
8. The apparatus of claim 6, wherein the application module is further configured to:
after the storage module has stored the pieces of quantum key data for each SSL VPN gateway using quantum keys in the kernel, if it is detected that only the last piece of quantum key data remains for any SSL VPN gateway using quantum keys, or that a new SSL VPN gateway using quantum keys has been added, apply for quantum key data of the set size from the quantum exchange cipher machine again and trigger the distribution module to repeat the step of splitting the quantum key data into M parts.
9. The apparatus of claim 8, wherein the application module is further configured to:
after applying for quantum key data of the set size from the quantum exchange cipher machine again and before triggering the distribution module to repeat the step of splitting the quantum key data into M parts, judge whether a liveness of each SSL VPN gateway using quantum keys is recorded locally on the firewall device;
if not, trigger the distribution module to repeat the step of splitting the quantum key data into M parts;
if so, split the re-applied quantum key data into N parts according to the locally recorded liveness of each SSL VPN gateway using quantum keys, allocate each of the N parts to exactly one SSL VPN gateway using quantum keys, and trigger the storage module to perform the step of further splitting the quantum key data allocated to each gateway according to the splitting rule set for that gateway;
where N equals M and a gateway with higher liveness receives a larger part while a gateway with lower liveness receives a smaller part;
and where the locally recorded liveness of each SSL VPN gateway using quantum keys is calculated and updated every set period after the firewall device has stored the pieces of quantum key data for each gateway in the kernel.
10. The apparatus of claim 9, further comprising:
a calculation module, configured to calculate the liveness of each SSL VPN gateway using quantum keys by:
for each SSL VPN gateway using quantum keys, counting how many times a symmetric encryption key was negotiated with that gateway's identification within the set period, and taking the resulting count as the liveness of that gateway.
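Claims 3 to 5 (and their apparatus counterparts 8 to 10) describe the refill decision: liveness is the count of negotiations that used a gateway's identification in the set period, and on the next application the key data is split into N = M parts whose sizes follow liveness. The following is an added example, not the patent's or New H3C's code, of that counting and of a weighted split that still hands out whole key units. The negotiation log is constructed; the period length, the apportionment rule (largest remainder, with every gateway guaranteed at least one unit so an idle gateway can still answer a client, and an equal split when no liveness is recorded or all counts are zero) and the function names are assumptions.

```python
"""Liveness-weighted split of re-applied quantum key data (added example)."""
from __future__ import annotations

from collections import Counter


def liveness(neg_log: list[tuple[float, str]], now: float, period: float,
             gateway_ids: list[str]) -> dict[str, int]:
    """Count, per gateway identification, the negotiations in the window (now - period, now]."""
    counts = Counter(gw for ts, gw in neg_log if now - period < ts <= now)
    return {gw: counts.get(gw, 0) for gw in gateway_ids}  # gateways not seen get zero


def weighted_unit_counts(total_units: int, live: dict[str, int]) -> dict[str, int]:
    """Apportion `total_units` whole key units over the gateways in proportion to liveness.

    Largest-remainder apportionment (assumption): shares add up exactly to
    total_units, every gateway keeps at least one unit, and a gateway with a
    higher count never receives fewer units than one with a lower count.
    """
    gws = list(live)
    if total_units < len(gws):
        raise ValueError("fewer key units than gateways using quantum keys")
    if sum(live.values()) == 0:  # nothing recorded, or all idle: equal split as in claim 1
        base, extra = divmod(total_units, len(gws))
        return {gw: base + (1 if i < extra else 0) for i, gw in enumerate(gws)}
    spare = total_units - len(gws)  # one guaranteed unit per gateway comes off the top
    total = sum(live.values())
    exact = {gw: spare * live[gw] / total for gw in gws}
    shares = {gw: 1 + int(exact[gw]) for gw in gws}
    left = total_units - sum(shares.values())
    by_remainder = sorted(gws, key=lambda g: (exact[g] - int(exact[g]), live[g]), reverse=True)
    for gw in by_remainder[:left]:
        shares[gw] += 1
    return shares


def split_weighted(data: bytes, unit_len: int, live: dict[str, int]) -> dict[str, list[bytes]]:
    """Cut the re-applied block into units of the set length and deal them out by weight."""
    if unit_len <= 0 or len(data) % unit_len:
        raise ValueError("set size must be a multiple of the unit length")
    units = [data[i:i + unit_len] for i in range(0, len(data), unit_len)]
    counts = weighted_unit_counts(len(units), live)
    out, pos = {}, 0
    for gw, n in counts.items():
        out[gw] = units[pos:pos + n]
        pos += n
    return out


def plan_refill(data: bytes, unit_len: int, gateway_ids: list[str],
                live: dict[str, int] | None) -> dict[str, list[bytes]]:
    """Claim 4 branch: no liveness recorded locally -> equal split, otherwise weighted."""
    if live is None:
        live = {gw: 0 for gw in gateway_ids}
    return split_weighted(data, unit_len, live)


# Constructed negotiation log: (timestamp in seconds, gateway identification used).
SAMPLE_LOG = [(1.0, "gw-c"), (10.0, "gw-a"), (20.0, "gw-a"), (30.0, "gw-a"),
              (40.0, "gw-b"), (50.0, "gw-a")]

if __name__ == "__main__":
    live = liveness(SAMPLE_LOG, now=60.0, period=50.0, gateway_ids=["gw-a", "gw-b", "gw-c"])
    print(live, weighted_unit_counts(12, live))
```

The guaranteed minimum of one unit is the edge case worth keeping in mind: a strictly proportional split would give an idle gateway nothing, and a client that connects to it during the next period could not be served until the liveness record changes.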
Application CN202210262049.9A (priority date 2022-03-17, filing date 2022-03-17): Quantum key distribution method and device, status Active, granted as CN114866227B (en)

Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN202210262049.9A (CN114866227B)   2022-03-17   2022-03-17   Quantum key distribution method and device

Publications (2)

Publication Number Publication Date
CN114866227A true CN114866227A (en) 2022-08-05
CN114866227B CN114866227B (en) 2024-10-01

Family

ID=82628106

Country Status (1)

Country Link
CN (1) CN114866227B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
RU176010U1 *   2017-05-17   2017-12-26   Российская Федерация, от имени которой выступает ФОНД ПЕРСПЕКТИВНЫХ ИССЛЕДОВАНИЙ (Russian Federation, represented by the Foundation for Advanced Research)   Fiber-optic superconducting single-photon detector
CN109039615A *   2018-10-15   2018-12-18   北京天融信网络安全技术有限公司 (Beijing Topsec Network Security Technology Co., Ltd.)   Method for obtaining a quantum key using the SSL VPN protocol, related device and storage medium
CN110138559A *   2019-06-03   2019-08-16   北京智芯微电子科技有限公司 (Beijing Smart-Chip Microelectronics Technology Co., Ltd.)   Method and system for quantum key distribution to terminals in a distribution area
CN110519046A *   2019-07-12   2019-11-29   如般量子科技有限公司 (Ruban Quantum Technology Co., Ltd.)   Key agreement method and system for a quantum communication service station based on one-time asymmetric key pairs and QKD
CN112422283A *   2020-11-19   2021-02-26   北京电子科技学院 (Beijing Electronic Science and Technology Institute)   Quantum key transmission method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张飞扬 (Zhang Feiyang): Design of an authenticated group key agreement protocol for QKD networks (QKD网络中的认证组密钥协商协议设计), 现代计算机 (Modern Computer), 5 March 2021 (2021-03-05) *

Legal Events

Date   Code   Title   Description
PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant