CN118413389B - Quantum security-based zero trust network access method and system - Google Patents
Quantum security-based zero trust network access method and system Download PDFInfo
- Publication number
- CN118413389B CN118413389B CN202410807077.3A CN202410807077A CN118413389B CN 118413389 B CN118413389 B CN 118413389B CN 202410807077 A CN202410807077 A CN 202410807077A CN 118413389 B CN118413389 B CN 118413389B
- Authority
- CN
- China
- Prior art keywords
- key
- ciphertext
- static
- message
- shared
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 84
- 230000006854 communication Effects 0.000 claims abstract description 89
- 238000004891 communication Methods 0.000 claims abstract description 87
- 230000008569 process Effects 0.000 claims abstract description 30
- 230000004044 response Effects 0.000 claims abstract description 21
- 230000003068 static effect Effects 0.000 claims description 145
- 238000004422 calculation algorithm Methods 0.000 claims description 26
- 238000012795 verification Methods 0.000 claims description 26
- 238000009826 distribution Methods 0.000 claims description 20
- 238000012360 testing method Methods 0.000 claims description 12
- 239000000284 extract Substances 0.000 claims description 9
- 238000005538 encapsulation Methods 0.000 claims description 7
- 238000004806 packaging method and process Methods 0.000 claims description 5
- 238000013475 authorization Methods 0.000 description 8
- 238000010586 diagram Methods 0.000 description 8
- 238000009795 derivation Methods 0.000 description 6
- 238000011161 development Methods 0.000 description 4
- 239000003999 initiator Substances 0.000 description 4
- 238000012545 processing Methods 0.000 description 4
- 238000004364 calculation method Methods 0.000 description 3
- 230000004927 fusion Effects 0.000 description 3
- 230000009471 action Effects 0.000 description 2
- 238000012790 confirmation Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 230000006855 networking Effects 0.000 description 2
- 230000002085 persistent effect Effects 0.000 description 2
- 230000001360 synchronised effect Effects 0.000 description 2
- CLVFWRBVFBUDQU-UHFFFAOYSA-N 1,4-bis(2-aminoethylamino)-5,8-dihydroxyanthracene-9,10-dione Chemical compound O=C1C2=C(O)C=CC(O)=C2C(=O)C2=C1C(NCCN)=CC=C2NCCN CLVFWRBVFBUDQU-UHFFFAOYSA-N 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000002457 bidirectional effect Effects 0.000 description 1
- 239000000969 carrier Substances 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 239000003795 chemical substances by application Substances 0.000 description 1
- 230000009977 dual effect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005304 joining Methods 0.000 description 1
- 239000003550 marker Substances 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0852—Quantum cryptography
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3297—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Electromagnetism (AREA)
- Theoretical Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention relates to the field of network security, in particular to the field of post quantum cryptography and zero trust network access, and particularly relates to a method and a system for accessing a zero trust network based on quantum security. The zero trust network has a first device and a second device that need to communicate with each other. The method comprises the following steps: the first device generates a first part of shared secret key and sends the first part of shared secret key to the second device through an initialization message; the second device processes the initialization message while generating a second partial shared key, and transmits the second partial shared key as a response message to the first device. The shared secret key has quantum security, the two parties calculate a session secret key based on the shared secret key, and in the subsequent communication process, the session secret key is used for encrypting and decrypting communication data.
Description
Technical Field
The invention relates to the field of network security, in particular to the field of post quantum cryptography and zero trust network access, and particularly relates to a method and a system for accessing a zero trust network based on quantum security.
Background
With the development of cloud computing and mobile internet, the conventional network security model cannot meet the requirement of network security in the current production activities. In the conventional network security model, the inside of the network is assumed to be a trusted area, and the outside of the network is assumed to be an untrusted area, being guarded based on the boundaries of the network. However, with the continued change and increase in network attack approaches, such models have not been effective against threats and advanced persistent threats existing inside the network (ADVANCED PERSISTENT THREAT, APT).
To address this problem, zero trust network access (Zero Trust Network Access, ZTNA) has evolved. ZTNA is a completely new network security model that considers both the inside and outside of the network as untrusted areas, thus requiring authentication and authorization of all network accesses. ZTNA by establishing an end-to-end encrypted communication channel, fine control and supervision of network access is achieved. In a zero trust network architecture, authentication and authorization of users and devices is achieved through public key infrastructure (Public Key Infrastructure, PKI), and encryption and decryption of data is achieved through symmetric encryption algorithms.
However, with the development of quantum computing technology, conventional public key cryptography algorithms (such as RSA, ECC, etc.) have been at risk of being hacked by quantum computers. Once broken, an attacker can eavesdrop and tamper with the network, resulting in a serious security event.
Therefore, how to realize quantum security zero-trust network access becomes an important challenge in the current network security field. Under the background, it is necessary to provide a method and a system for accessing a zero trust network based on quantum security, so that the access of the zero trust network can have quantum security and resist quantum attacks possibly existing in the future.
Disclosure of Invention
One or more embodiments of the present disclosure describe a method and a system for accessing a zero trust network based on quantum security, which combine the access security of the zero trust network with the quantum security of a post quantum password, and provide a safer and more reliable network access scheme.
According to a first aspect, there is provided a method for accessing a quantum security-based zero trust network, where the zero trust network includes a first device and a second device connected by a quantum security communication channel, the first device holds a second static public key in a first static key pair and a second static key pair of the second device, the first static key pair and the second static key pair are both generated based on a KEM, and the KEM supports a post-quantum algorithm.
The method comprises at least one round of key exchange procedure, wherein the ith round of key exchange procedure comprises the following steps performed by the first device:
a first random number is generated, and a temporary key pair is generated based on the KEM that contains a temporary private key and a temporary public key.
And packaging the second static public key and the first random number based on the KEM to obtain a first shared key and a first ciphertext.
And encrypting the first static public key and the first timestamp of the first static key pair by taking the first shared key as a key to obtain a fourth ciphertext.
And sending a first message to the second device, wherein the first message contains the temporary public key, the first ciphertext and the fourth ciphertext.
In response to receiving a second message sent by the second device, extracting a second ciphertext encapsulated with the temporary public key and a third ciphertext encapsulated with the first static public key contained therein.
And decapsulating the second ciphertext by using the temporary private key to obtain a second shared key.
And decapsulating the third ciphertext by using the first static private key of the first static key pair to obtain a third shared key.
And generating a first session key and a second session key by taking the first shared key, the second shared key and the third shared key as key-derived input secret values.
According to one embodiment, the zero trust network further has a quantum key distribution device therein, and the key exchange process further includes:
After receiving a second message sent by the second device, extracting a pre-shared key identifier contained in the second message, inquiring the quantum key distribution device for a corresponding pre-shared key according to the pre-shared key identifier, and incorporating the pre-shared key into the input secret value;
Or before sending the first message to the second device, obtaining a pre-shared key and a pre-shared key identifier by the quantum key distribution device, incorporating the pre-shared key identifier into the first message, and incorporating the pre-shared key into the input secret.
According to one embodiment, the first message further comprises a first device identification of the first device, and the key exchange procedure further comprises:
Generating a first message authentication code for the first ciphertext and a fourth message authentication code for the fourth ciphertext based on the first device identification and the first timestamp before sending the first message to the second device;
and classifying the first message verification code and the fourth message verification code into the first message.
And extracting a second device identification, a second message authentication code and a third message authentication code of the second device contained in the second message after receiving the second message sent by the second device;
and based on the second equipment identifier, verifying the second ciphertext by using the second message verification code, and verifying the third ciphertext by using the third message verification code.
According to one embodiment, after the generating the first session key and the second session key, the key exchange process further comprises:
Encrypting first test data using the first session key and transmitting to the second device;
And in response to receiving second ciphertext test data transmitted by the second device, decrypting using the second session key, and if the decryption is successful, confirming that the session key was successfully generated.
And, after the key exchange process is completed, the method further comprises:
Encrypting first communication data using the first session key whenever the first communication data is sent to the second device;
the second communication data is decrypted using the second session key whenever the second communication data transmitted by the second device is received.
According to a second aspect, there is provided a method for accessing a quantum security-based zero trust network, where the zero trust network includes a first device and a second device connected by a quantum security communication channel, the second device holds a second static key pair, the second static key pair is generated based on a KEM, and the KEM supports a post quantum algorithm;
The method comprises at least one round of key exchange procedure, wherein the ith round of key exchange procedure comprises the following steps performed by the second device:
in response to receiving a first message sent by the first device, extracting a temporary public key contained therein, a first ciphertext packaged using a second static public key of the second static key pair, and a fourth ciphertext encrypted using the first shared key.
And decapsulating the first ciphertext by using a second static private key in the second static key pair to obtain the first shared key.
Decrypting the fourth ciphertext using the first shared key to obtain a first static public key and a first timestamp of a first static key pair of the first device, the first static key pair being generated based on the KEM.
And generating a second random number, and packaging the second random number and the temporary public key based on the KEM to obtain a second shared secret key and a second ciphertext.
And obtaining a third shared secret key and a third ciphertext based on the KEM package by using the first static public key and the second random number.
And sending a second message to the first device, wherein the second message comprises the second ciphertext and a third ciphertext.
And generating a first session key and a second session key by taking the first shared key, the second shared key and the third shared key as key-derived input secret values.
According to one embodiment, the zero trust network further has a quantum key distribution device therein, and the key exchange process further includes:
Before sending a second message to the first device, obtaining a pre-shared key and a pre-shared key identification by the quantum key distribution device, incorporating the pre-shared key identification into the second message, and incorporating the pre-shared key into the input secret;
Or after receiving the first message sent by the first device, extracting the pre-shared key identification contained in the first message, inquiring the quantum key distribution device for the corresponding pre-shared key according to the pre-shared key identification, and incorporating the pre-shared key into the input secret value.
According to one embodiment, the second message further comprises a second device identification of the second device, and the key exchange procedure further comprises:
generating a second message authentication code for the second ciphertext and a third message authentication code for the third ciphertext based on the second device identification before sending the second message to the first device;
And classifying the second message verification code and the third message verification code into the second message.
And extracting a first device identification, a first message verification code and a fourth message verification code of the first device contained in the first message after receiving the first message sent by the first device;
After decrypting the fourth ciphertext, based on the first device identification and the first timestamp, the first ciphertext is verified using the first message authentication code, and the fourth ciphertext is verified using the fourth message authentication code.
According to one embodiment, after the generating the first session key and the second session key, the key exchange process further comprises:
Encrypting second test data by using the second session key and sending the second test data to the first device;
and in response to receiving the first ciphertext test data transmitted by the first device, decrypting using the first session key, and if the decrypting is successful, confirming that the session key was successfully generated.
And, after the key exchange process is completed, the method further comprises:
encrypting second communication data using the second session key whenever the second communication data is sent to the first device;
The first communication data is decrypted using the first session key whenever the first communication data transmitted by the first device is received.
According to a third aspect, there is provided an access system of a quantum security-based zero trust network, the zero trust network including a first device and a second device connected by a quantum security communication channel, the first device holding a second static public key of a first static key pair and a second static key pair of the second device, the first static key pair and the second static key pair each being generated based on a KEM, the KEM supporting a postquantum algorithm, the system performing a key exchange procedure by the first device, comprising:
The first device is configured to generate a first random number and generate a temporary key pair containing a temporary private key and a temporary public key based on the KEM.
The first device is further configured to encapsulate the second static public key and the first random number based on the KEM to obtain a first shared key and a first ciphertext.
The first device is further configured to encrypt a first static public key of the first static key pair and a first timestamp with the first shared key as a key to obtain a fourth ciphertext.
The first device is further configured to send a first message to the second device, the first message containing the temporary public key, the first ciphertext and a fourth ciphertext.
The first device is further configured to extract a second ciphertext encapsulated using the temporary public key and a third ciphertext encapsulated using the first static public key contained therein in response to receiving a second message sent by the second device.
The first device is further configured to decapsulate the second ciphertext using the temporary private key to obtain a second shared key.
The first device is further configured to decapsulate the third ciphertext using the first static private key of the first static key pair to obtain a third shared key.
The first device is further configured to generate a first session key and a second session key with the first shared key, the second shared key, and the third shared key as key-derived input secret values.
According to a fourth aspect, there is provided an access system of a quantum security-based zero trust network, the zero trust network comprising a first device and a second device connected by a quantum secure communication channel, the second device holding a second static key pair, the second static key pair being generated based on a KEM, the KEM supporting a post-quantum algorithm, the system performing a key exchange procedure by the second device, comprising:
The second device is configured to, in response to receiving the first message sent by the first device, extract a temporary public key contained therein, a first ciphertext encapsulated using a second static public key of the second static key pair, and a fourth ciphertext encrypted using the first shared key.
The second device is further configured to decapsulate the first ciphertext using a second static private key of the second static key pair to obtain the first shared key.
The second device is further configured to decrypt the fourth ciphertext using the first shared key to obtain a first static public key and a first timestamp of a first static key pair of the first device, the first static key pair being generated based on the KEM.
The second device is further configured to generate a second random number, and encapsulate the second random number and the temporary public key based on the KEM to obtain a second shared key and a second ciphertext.
The second device is further configured to obtain a third shared key and a third ciphertext based on the KEM encapsulation using the first static public key and the second random number.
The second device is further configured to send a second message to the first device, the second message containing the second ciphertext and a third ciphertext.
The second device is further configured to generate a first session key and a second session key with the first shared key, the second shared key, and the third shared key as key-derived input secret values.
In the embodiment of the specification, an access method and an access system of a quantum security-based zero trust network are provided, and a post-quantum algorithm is introduced on the existing zero trust network to realize quantum security key exchange, generation and communication. By adopting the KEM supporting the post-quantum algorithm on the device to generate the key pair and using the end-to-end quantum security protocol when the devices communicate, the two-way verification of quantum security and key negotiation are realized. Further, by adopting a flexible mixed deployment mode, the QKD equipment is supported to be additionally deployed, and the fusion of the quantum keys is realized.
Drawings
In order to more clearly illustrate the technical solution of the embodiments of the present invention, the drawings that are required to be used in the description of the embodiments will be briefly described below. It is evident that the drawings in the following description are only some embodiments of the present invention and that other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art.
Fig. 1 is a schematic diagram of an access system of a quantum security-based zero trust network according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an access method of a quantum security-based zero trust network according to an embodiment of the present invention;
fig. 3 is a schematic flow chart of a key exchange method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an access system of a quantum security-based zero trust network according to an embodiment of the present invention;
fig. 5 is a second schematic diagram of an access system of a quantum security-based zero trust network according to an embodiment of the present invention.
Detailed Description
As previously mentioned, in prior art zero trust networks, the reliance on public key infrastructure PKI for authentication and authorization of network access, as well as data encryption and decryption based on symmetric encryption algorithms. Under the background of rapid development of quantum computing technology, such network authorization and network access do not have quantum security, and there is a risk of being cracked.
In view of this, one or more embodiments of the present description propose introducing a post quantum algorithm based on a zero trust network access architecture to enable two-way authentication and key agreement for device quantum security. In terms of development, the following three aspects are divided.
(1) All network accesses require authentication and authorization: whether the network access request is from a device inside or outside the network, authentication and authorization are required to access the network resources. That is, it is considered that the access device is not trusted whether it is inside or outside the network, requiring authentication and authorization of all network accesses it issues.
(2) End-to-end quantum secure encryption channel: in the technical scheme, all network communication needs to be carried out through encryption of an end-to-end quantum security communication channel deployed between devices. That is, all network communications are encrypted and only the two parties can decrypt, and by establishing an end-to-end quantum security communication channel, fine control and supervision of network access is achieved.
(3) Flexible mixing mode: in the technical scheme, before the equipment communicates, a short KEM public-private key generation, encapsulation and decapsulation process is executed to obtain a quantum-secure session key, and network messages are exchanged in a communication channel by using the key to realize quantum-secure network access. Furthermore, a flexible mixing mode is adopted, and quantum key distribution equipment QKD can be additionally deployed, so that fusion of quantum security session keys is realized.
Based on the above technical concept, in order to achieve the access of the zero trust network with quantum security, the embodiments in this specification propose that when any device joins the zero trust network, registration is required, during which a KEM method supporting a post-quantum algorithm is used to generate a static key pair, which includes a static public key and a static private key. The static private key remains local while the static public key is distributed to other devices in the zero trust network.
When any device needs to initiate communication to other devices, a temporary KEM public-private key generation, encapsulation and decapsulation process is executed with the communication target device once by using the static key pair generated by the KEM and the static public key of the communication target device held by the KEM in the registration stage, so as to obtain a quantum secure session key. In the subsequent communication, both communication parties encrypt and decrypt communication data by using a session key, so that the quantum security of both communication parties is ensured. Furthermore, the two communication parties can also repeatedly update the session key periodically so as to ensure the security of network communication in real time. Thereby realizing the access of the zero trust network with quantum security.
The above is a brief description of a method of accessing a quantum security-based zero trust network as presented in the embodiments of the present specification. In order to make the objects, technical solutions and advantages of the embodiments in the present specification more apparent, the technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings.
FIG. 1 illustrates a schematic diagram of an access system for a quantum security based zero trust network in one embodiment. In the exemplary network shown in fig. 1, where the principle of zero trust network security is applied (in other embodiments of the present specification simply referred to as zero trust network), multiple devices that can communicate with each other are connected by a quantum secure communication channel, for example, a secure communication channel set up based on the WireGuard protocol, shown by a double horizontal line between a first device and a second device in fig. 1.
The first device, the second device, and the third device shown in fig. 1 are exemplary network carriers with communication functions in a zero-trust network, which may be a certain network device, a host, or software, or may be a set of devices with the same network protocol domain attribute, for example, centralized network ports of all network devices included in a subnet divided by network segments, which is not specifically limited in this specification.
In this embodiment, a management and control platform is also deployed, which is responsible for registering, managing and distributing the static public keys of the devices in the network. For example, in fig. 1, when a first device joins a zero-trust network, a static key pair needs to be generated and the static public key thereof is sent to a management platform (the device registration process is indicated by a double-arrow dashed line in fig. 1), and after the management platform receives the static public key of the first device, the management platform distributes the static public key to other devices that need to directly communicate with the first device in the zero-trust network, where in fig. 1, the devices are a second device and a third device.
Also illustrated in fig. 1 is a quantum key distribution device QKD, which is responsible for distributing, querying, quantum keys so that two communicating parties can share one random and quantum-secure key with each other. In a zero trust network, there may be one or more QKD's, or alternatively QKD's may not be used, which is not limited in any way by the embodiments of the present disclosure. In the embodiment of fig. 1, a zero trust network employing a deployment policy for dual QKD is shown, and embodiments will be described in detail below based on this network architecture as well.
When multiple QKD are deployed in a network, the QKD are connected through a quantum secure communication channel, and the key pools are synchronized so that the results of the query are idempotent when a communication device in the network queries one QKD for quantum keys distributed by other QKD. For example, in the embodiment shown in fig. 1, two QKD's are deployed in a zero trust network, connected by a quantum-secure communication channel, and a synchronized key pool can be maintained between the two QKD's.
For the system embodiment shown in fig. 1, it is understood that setting up a communication channel between network devices may be implemented using a variety of communication protocols, and the WireGuard protocol shown in this embodiment is not meant to be limiting.
When the zero trust network shown in fig. 1 is used for networking, device registration and static key generation operations are required for each device joining the network. This may be accomplished by deploying the control services on the administration platform and installing a schedule of client-terminated control services on the device, or in other embodiments, by deploying the zero-trust controller on the administration platform and installing a zero-trust agent on the device to send registration information to the zero-trust controller. In summary, in a zero-trust network, there are multiple implementation manners of network-access registration of devices, which are not exemplified in this embodiment of the present disclosure, and in an actual scenario, a manner with central control may be selected as needed, so as to implement registration management and key distribution of network-access devices.
Illustratively, in the networking process, when a device joins the zero trust network, and when the device registers, the device uses a KEM method supporting a post-quantum algorithm (Post Quantum Cryptography, PQC) to call a key generation function of the KEM to generate a pair of keys, where the keys have quantum security, and the pair of keys are called a static key pair, and include a static public key and a corresponding static private key. The static private key is maintained locally on the device and the static public key is uploaded to the management platform. The management platform, upon receiving the static public key, distributes it to other devices in the zero trust network that need to communicate directly with the device.
The foregoing is a brief introduction to an access system for a quantum security-based zero trust network in which each access initiated by any device to other devices requires authentication and authorization and data transfer in a secure communication channel in one embodiment of the invention. In this process, involving key exchange and session key generation between the mutual access devices, embodiments of the present invention design a set of quantum-secure key exchange methods for the mutual access devices and generate quantum-secure session keys based thereon. This method will be described in detail below.
Fig. 2 is a schematic diagram of an access method of a quantum security-based zero trust network according to an embodiment of the present invention. In network communications, communication devices are divided into an initiator and a responder, and in the embodiment of the present specification, a first device represents the initiator of communication and a second device represents the responder of communication.
Referring to fig. 2, the key exchange process has a loop marker block thereon, which indicates that the key exchange between communication devices is performed more than once in a zero trust network. As described above, it is possible to set the two parties of communication to periodically and repeatedly perform updating of the session key, so as to ensure the security of network communication in real time. For example, a key exchange may be performed with each initialization of a communication session; the key exchange can be carried out with a certain frequency in a long communication session, and the session key is updated continuously; the key exchange may be triggered by a certain trigger condition preset by both communication parties, and the embodiment of the present specification is not limited specifically.
In an exemplary process of key exchange, first, a first device as a communication initiator generates an initialization message (in fig. 2, the "generation initialization message" is shown), in which a temporary key pair generated by the first device for encrypting the key exchange message, a first partial shared key for creating a session key, which is obtained by encapsulation using a static public key of a second device, are wrapped.
Then, after receiving the initialization message, the second device as a communication responder unpacks the first partial shared key therefrom (shown as "processing the initialization message" in fig. 2), and generates a second partial shared key for creating a session key (shown as "generating a response message" in fig. 2), which is transmitted as a response message to the first device, the second partial shared key being obtained by respectively packaging the public key of the received temporary key pair and the static public key of the first device.
After receiving the response message, the first device decrypts the ciphertext using the private key of the temporary key pair and its own static private key to obtain a second shared key (in fig. 2, "processing the response message"). The first device and the second device both hold a first part shared key and a second part shared key for making the session key, and in the key exchange process, the two devices also jointly verify the temporary key pair and the static key pair of the two devices, so that the communication security in the key exchange process is ensured.
Finally, the first device and the second device each calculate and generate a session key based on the key derivation function according to the held first partial shared key and second partial shared key (in fig. 2, "generate session key").
The foregoing is a generalized description of the key exchange process, and in order to ensure the correctness of the session key generated by both parties, in some embodiments, both parties will also perform a confirmation action of the session key after the session key is generated, which will be described below.
In one embodiment, the first device and the second device each generate a first session key and a second session key according to a key derivation function calculation, wherein the first session key is used for encrypting data in communication initiated by the first device to the second device; the second session key is used to encrypt data in a communication initiated by the second device to the first device.
In this embodiment, after generating the session key, the first device encrypts a test data (e.g., null application data) using the first session key and sends the ciphertext to the second device. After receiving the encrypted data, the second device decrypts the encrypted data using the first session key and, if the decryption is successful, confirms that the first session key was successfully generated. Based on the same logic, the second session key is validated: the second device encrypts a test data (e.g., null application data) using the second session key and sends the ciphertext to the first device. After receiving the encrypted data, the first device decrypts the encrypted data by using the second session key, and if the decryption is successful, the first device confirms that the second session key is successfully generated.
After the session key generation or after the session key confirmation action is completed, both parties can use the session key to perform encrypted communication.
In one embodiment, each time a first device sends first communication data to a second device (the "first device sends message to second device" timing block in fig. 2), the first communication data is encrypted using a first session key; the first session key is used to decrypt the encrypted first communication data sent by the first device whenever the second device receives the data.
In this embodiment, the second device also communicates with the first device in the same manner: encrypting the second communication data using the second session key whenever the second device sends the second communication data to the first device (the "second device sends message to first device" timing block in fig. 2); the encrypted second communication data sent by the second device is decrypted using the second session key whenever the first device receives the data.
By adopting the design of the bidirectional independent session key, the communication security in the zero-trust network can be further improved, and even if the key of one communication direction is revealed, the communication security of the other communication direction is not affected.
The above is an overall overview of a quantum security-based access method for a zero trust network, where in the method, two communication parties obtain a session key for subsequent communication through key exchange, and on the basis of the security principle of the zero trust network, use the session key to encrypt and decrypt communication data of the two parties. It can be understood that the quantum security in the method is embodied above the session key, that is, whether the generation process (key exchange) of the session key can have the quantum security is the key of the quantum security in the method. The key exchange process will be described in further detail below with reference to the drawings and examples.
Fig. 3 shows a flowchart of a key exchange method according to an embodiment of the present invention, in which a communication initiator is represented by a first device and a communication responder is represented by a second device. In the zero trust network, a first device and a second device are connected through a quantum secure communication channel, and in a device registration stage, the two devices have completed the generation and exchange of a static key pair, namely the first device holds a first static key pair of the first device and a second static public key of the second device, and the second device holds a second static key pair of the second device and the first static public key of the first device. In the method, a key is generated, packaged and unpacked by using a KEM supporting a post-quantum algorithm. The device registration process and the system architecture of the zero-trust network are described above, and will not be described in detail herein.
Referring to fig. 3, in this embodiment, the key exchange includes at least the following steps.
In step S301, the first device generates a first random number and generates a temporary key pair comprising a temporary private key and a temporary public key based on the KEM.
In step S303, the first device encapsulates the second static public key and the first random number based on the KEM to obtain a first shared key and a first ciphertext.
In step S305, the first device encrypts the first static public key and the first timestamp with the first shared key as an encryption key, to obtain a fourth ciphertext.
According to one implementation, a first device encrypts the first static public key and the first timestamp using an AEAD algorithm.
In step S307, the first device sends a first message to the second device, where the first message includes the temporary public key, the first ciphertext and the fourth ciphertext.
In one scenario of this embodiment, a first device generates a first message authentication code for the first ciphertext and a fourth message authentication code for the fourth ciphertext based on a first device identification of the first device and the first timestamp before sending the first message to the second device; and classifying the first equipment identifier, the first message verification code and the fourth message verification code into the first message.
In one example of this scenario, the first message authentication code and the fourth message authentication code are generated based on a MAC algorithm. In other examples, other algorithms with message integrity check functions may be used to encode the message check codes for the first ciphertext and the fourth ciphertext, which is not limited in this specification.
In step S309, the second device extracts the temporary public key contained therein, the first ciphertext encapsulated using the second static public key, and the fourth ciphertext encrypted using the first shared key, in response to receiving the first message sent by the first device.
In step S311, the second device uses the second static private key in the second static key pair to decapsulate the first ciphertext to obtain the first shared key. And decrypting the fourth ciphertext by using the first shared key to obtain the first static public key and a first timestamp.
In step S313, the second device generates a second random number, and encapsulates the second random number with the temporary public key based on the KEM to obtain a second shared key and a second ciphertext.
In step S315, the second device obtains a third shared key and a third ciphertext based on the KEM encapsulation using the first static public key and the second random number.
In step S317, the second device sends a second message to the first device, where the second message includes the second ciphertext and a third ciphertext.
In one scenario of this embodiment, a second device generates a second message authentication code for the second ciphertext and a third message authentication code for the third ciphertext based on a second device identification of the second device before sending the second message to the first device; and classifying the second equipment identifier, the second message verification code and the third message verification code into the second message.
In one example of this scenario, the second message authentication code and the third message authentication code are generated based on a MAC algorithm. In other examples, other algorithms with message integrity check functions may be used to encode the message check code for the second ciphertext and the third ciphertext, which is not limited in this specification.
In step S319, the first device extracts the second ciphertext encapsulated with the temporary public key and the third ciphertext encapsulated with the first static public key contained therein in response to receiving the second message sent by the second device.
In step S321, the first device uses the temporary private key to decapsulate the second ciphertext to obtain a second shared key; and decapsulating the third ciphertext by using the first static private key of the first static key pair to obtain a third shared key.
In the steps described above, the first device, the second device will use the message authentication code to perform integrity verification on the respective received message.
According to one implementation, after step S317 (the first device receives the second message), the first device extracts the second device identifier, the second message authentication code, and the third message authentication code contained therein; and based on the second equipment identifier, verifying the second ciphertext by using the second message verification code, and verifying the third ciphertext by using the third message verification code.
According to another implementation, after step S311 (the second device decapsulates the fourth ciphertext), the second device uses the first message authentication code to authenticate the first ciphertext and uses the fourth message authentication code to authenticate the fourth ciphertext based on the first device identification and the first timestamp.
If the steps are successfully completed, the first equipment and the second equipment complete the exchange of the shared key, and both sides hold the first shared key, the second shared key and the third shared key which are needed for manufacturing the session key. Next, a session key will be computationally generated from the key derivation function.
In step S323, the first device generates a first session key and a second session key with the first shared key, the second shared key, and the third shared key as key-derived input secret values.
In step S325, the second device generates a first session key and a second session key using the first shared key, the second shared key, and the third shared key as key-derived input secret values.
According to one implementation of this embodiment, a quantum key distribution device QKD is deployed in the zero trust network, through which the second device requests a quantum key and a quantum key identification (quantum key ID) and takes the quantum key as a pre-shared key and the quantum key identification as a pre-shared key identification, before step S317 (the second device sends a second message to the first device). The pre-shared key identification is incorporated into the second message and the pre-shared key is used as one of the inputs to generate a session key in step S325. Next, after receiving the second message sent from the second device, the first device extracts the pre-shared key identifier contained therein in step S319, and accordingly queries the quantum key distribution device for the corresponding quantum key as the pre-shared key, which the first device uses as one of the inputs for generating the session key in step S323.
According to another implementation of this embodiment, a quantum key distribution device QKD is deployed in the zero trust network, through which the first device requests a quantum key and a quantum key identification (quantum key ID) and takes the quantum key as a pre-shared key and the quantum key identification as a pre-shared key identification, before step S307 (the first device sends a first message to the second device). The pre-shared key identification is incorporated into the first message and the pre-shared key is used as one of the inputs to generate a session key in step S323. Next, after receiving the first message sent from the first device, the second device extracts the pre-shared key identifier contained therein, and accordingly queries the quantum key distribution device for the corresponding quantum key as a pre-shared key in step S309, and takes the pre-shared key as one of the inputs for generating the session key in step S325.
It will be appreciated that the key derivation method may be varied, and may be to splice a plurality of secret values to obtain a new key, or to perform an increment operation on a plurality of secret values to obtain a new key, or to perform a hybrid calculation on a plurality of secret values according to some specific key derivation algorithm to obtain a new key, for example, argon2id, PBKDF2, etc. The embodiments in this specification do not list the key derivation methods one by one.
One or more of the above embodiments provide a method of accessing a zero trust network based on quantum security. In the zero trust network, a KEM supporting a post-quantum algorithm is used for generating a static key pair for newly registered equipment, and in the communication process of the equipment, a key negotiation with quantum security is carried out in an end-to-end encryption mode. Further, a quantum key distribution device is adopted, a quantum key is provided, and key fusion is performed when a session key is generated through calculation. Each time the communication is carried out between the devices, the communication data is encrypted and decrypted by using the session key with quantum security. Thus, according to embodiments in the present specification, quantum secure communication can be implemented in a zero trust network.
In another embodiment of the invention, an access system of the quantum security-based zero trust network is also provided, and the device can be deployed on any device or platform with computing and processing capabilities. Fig. 4 shows a schematic diagram of the system 400 according to one embodiment, wherein the zero trust network includes a first device and a second device connected through a quantum secure communication channel, the first device holds a second static public key in a second static key pair of the first static key pair and the second device, the first static key pair and the second static key pair are both generated based on a KEM, the KEM supports a post quantum algorithm, and the system performs a key exchange process through the first device, and the method includes:
the first device 401 is configured to generate a first random number and to generate a temporary key pair comprising a temporary private key and a temporary public key based on the KEM.
The first device 401 is further configured to encapsulate the second static public key and the first random number based on the KEM to obtain a first shared key and a first ciphertext.
The first device 401 is further configured to encrypt the first static public key of the first static key pair and the first timestamp with the first shared key as a key, to obtain a fourth ciphertext.
The first device 401 is further configured to send a first message to the second device, the first message containing the temporary public key, the first ciphertext and a fourth ciphertext.
The first device 401 is further configured to extract the second ciphertext encapsulated with the temporary public key and the third ciphertext encapsulated with the first static public key contained therein in response to receiving the second message sent by the second device.
The first device 401 is further configured to decapsulate the second ciphertext using the temporary private key to obtain a second shared key.
The first device 401 is further configured to decapsulate the third ciphertext using the first static private key of the first static key pair to obtain a third shared key.
The first device 401 is further configured to generate a first session key and a second session key with the first shared key, the second shared key, and the third shared key as key-derived input secret values.
In another embodiment of the invention, an access system of the quantum security-based zero trust network is also provided, and the device can be deployed on any device or platform with computing and processing capabilities. Fig. 5 shows a schematic diagram of the system 500 according to one embodiment, wherein the zero trust network includes a first device and a second device connected through a quantum secure communication channel, the second device holds a second static key pair, the second static key pair is generated based on a KEM, the KEM supports a post quantum algorithm, and the system performs a key exchange process through the second device, including:
The second device 501 is configured to, in response to receiving a first message sent by the first device, extract a temporary public key contained therein, a first ciphertext encapsulated using a second static public key of the second static key pair, and a fourth ciphertext encrypted using a first shared key.
The second device 501 is further configured to decapsulate the first ciphertext using a second static private key of the second static key pair to obtain the first shared key.
The second device 501 is further configured to decrypt the fourth ciphertext using the first shared key to obtain a first static public key and a first timestamp of a first static key pair of the first device, the first static key pair being generated based on the KEM.
The second device 501 is further configured to generate a second random number, and encapsulate the second random number and the temporary public key based on the KEM to obtain a second shared key and a second ciphertext.
The second device 501 is further configured to obtain a third shared key and a third ciphertext based on the KEM encapsulation using the first static public key and the second random number.
The second device 501 is further configured to send a second message to the first device, the second message comprising the second ciphertext and a third ciphertext.
The second device 501 is further configured to generate a first session key and a second session key with the first shared key, the second shared key, and the third shared key as key-derived input secret values.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; these modifications or substitutions do not depart from the essence of the corresponding technical solutions from the protection scope of the technical solutions of the embodiments of the present application.
Claims (8)
1. The access method of the zero trust network based on quantum security comprises a first device and a second device which are connected through a quantum security communication channel, wherein the first device holds a second static public key in a first static key pair and a second static key pair of the second device, the first static key pair and the second static key pair are both generated based on a KEM, and the KEM supports a post-quantum algorithm;
The method comprises at least one round of key exchange procedure, wherein the ith round of key exchange procedure comprises the following steps performed by the first device:
Generating a first random number and generating a temporary key pair comprising a temporary private key and a temporary public key based on the KEM;
Packaging the second static public key and the first random number based on the KEM to obtain a first shared key and a first ciphertext;
Encrypting a first static public key and a first timestamp of the first static key pair by taking the first shared key as a key to obtain a fourth ciphertext;
generating a first message verification code for the first ciphertext and a fourth message verification code for the fourth ciphertext based on a first device identifier and a first timestamp of the first device;
transmitting a first message to the second device, wherein the first message comprises the temporary public key, a first message verification code, a fourth message verification code, a first device identifier, the first ciphertext and a fourth ciphertext;
Extracting a second device identification of the second device, a second message authentication code, a third message authentication code, a second ciphertext packaged using the temporary public key, and a third ciphertext packaged using the first static public key contained in the second message in response to receiving a second message sent by the second device;
based on the second device identifier, verifying the second ciphertext by using the second message verification code, and verifying the third ciphertext by using the third message verification code;
Decapsulating the second ciphertext using the temporary private key to obtain a second shared key;
Using a first static private key of the first static key pair to decapsulate the third ciphertext to obtain a third shared key;
And generating a first session key and a second session key by taking the first shared key, the second shared key and the third shared key as key-derived input secret values.
2. The method of claim 1, wherein the zero trust network further has a quantum key distribution device therein, the key exchange process further comprising:
After receiving a second message sent by the second device, extracting a pre-shared key identifier contained in the second message, inquiring the quantum key distribution device for a corresponding pre-shared key according to the pre-shared key identifier, and incorporating the pre-shared key into the input secret value;
Or before sending the first message to the second device, obtaining a pre-shared key and a pre-shared key identifier by the quantum key distribution device, incorporating the pre-shared key identifier into the first message, and incorporating the pre-shared key into the input secret.
3. The method of claim 1, wherein after the generating the first session key and the second session key, the key exchange process further comprises:
Encrypting first test data using the first session key and transmitting to the second device;
Decrypting, using the second session key, in response to receiving second ciphertext test data transmitted by the second device, and if the decrypting is successful, confirming that the session key was successfully generated;
and, after the key exchange process is completed, the method further comprises:
Encrypting first communication data using the first session key whenever the first communication data is sent to the second device;
the second communication data is decrypted using the second session key whenever the second communication data transmitted by the second device is received.
4. The access method of the zero trust network based on quantum security comprises a first device and a second device which are connected through a quantum security communication channel, wherein the second device holds a second static key pair, the second static key pair is generated based on a KEM, and the KEM supports a post quantum algorithm;
The method comprises at least one round of key exchange procedure, wherein the ith round of key exchange procedure comprises the following steps performed by the second device:
In response to receiving a first message sent by the first device, extracting a temporary public key contained therein, a first device identification of the first device, a first message authentication code, a fourth message authentication code, a first ciphertext packaged using a second static public key of the second static key pair, and a fourth ciphertext encrypted using a first shared key;
using a second static private key in the second static key pair to decapsulate the first ciphertext to obtain the first shared key;
decrypting the fourth ciphertext using the first shared key to obtain a first static public key and a first timestamp of a first static key pair of the first device, the first static key pair being generated based on the KEM;
Based on the first device identifier and a first timestamp, verifying the first ciphertext by using the first message verification code, and verifying the fourth ciphertext by using the fourth message verification code;
Generating a second random number, and packaging the second random number and the temporary public key based on the KEM to obtain a second shared secret key and a second ciphertext;
Using the first static public key and the second random number, and obtaining a third shared secret key and a third ciphertext based on the KEM package;
generating a second message authentication code for the second ciphertext and a third message authentication code for the third ciphertext based on a second device identification of the second device;
Sending a second message to the first device, wherein the second message comprises the second message verification code, a third message verification code, a second device identifier, the second ciphertext and a third ciphertext;
And generating a first session key and a second session key by taking the first shared key, the second shared key and the third shared key as key-derived input secret values.
5. The method of claim 4, wherein the zero trust network further has a quantum key distribution device therein, the key exchange process further comprising:
Before sending a second message to the first device, obtaining a pre-shared key and a pre-shared key identification by the quantum key distribution device, incorporating the pre-shared key identification into the second message, and incorporating the pre-shared key into the input secret;
Or after receiving the first message sent by the first device, extracting the pre-shared key identification contained in the first message, inquiring the quantum key distribution device for the corresponding pre-shared key according to the pre-shared key identification, and incorporating the pre-shared key into the input secret value.
6. The method of claim 4, wherein after the generating the first session key and the second session key, the key exchange process further comprises:
Encrypting second test data by using the second session key and sending the second test data to the first device;
decrypting, using the first session key, in response to receiving first ciphertext test data transmitted by the first device, and if the decrypting is successful, confirming that the session key was successfully generated;
and, after the key exchange process is completed, the method further comprises:
encrypting second communication data using the second session key whenever the second communication data is sent to the first device;
The first communication data is decrypted using the first session key whenever the first communication data transmitted by the first device is received.
7. An access system of a quantum security-based zero trust network, wherein the zero trust network comprises a first device and a second device connected through a quantum security communication channel, the first device holds a second static public key in a first static key pair and a second static key pair of the second device, the first static key pair and the second static key pair are both generated based on a KEM, the KEM supports a post-quantum algorithm, and the system performs a key exchange process through the first device, and the access system comprises:
The first device is configured to generate a first random number and generate a temporary key pair containing a temporary private key and a temporary public key based on the KEM;
the first device is further configured to encapsulate the second static public key and the first random number based on the KEM to obtain a first shared key and a first ciphertext;
The first device is further configured to encrypt a first static public key and a first timestamp of the first static key pair with the first shared key as a key to obtain a fourth ciphertext;
the first device is further configured to generate a first message authentication code for the first ciphertext and a fourth message authentication code for the fourth ciphertext based on a first device identification and a first timestamp of the first device;
The first device is further configured to send a first message to the second device, the first message including the temporary public key, a first message authentication code, a fourth message authentication code, a first device identification, the first ciphertext and a fourth ciphertext;
The first device is further configured to, in response to receiving a second message sent by the second device, extract a second device identification of the second device contained therein, a second message authentication code, a third message authentication code, a second ciphertext packaged using the temporary public key, and a third ciphertext packaged using the first static public key;
the first device is further configured to verify the second ciphertext using the second message authentication code and verify the third ciphertext using the third message authentication code based on the second device identification;
The first device is further configured to decapsulate the second ciphertext using the temporary private key to obtain a second shared key;
the first device is further configured to decapsulate the third ciphertext using a first static private key of the first static key pair to obtain a third shared key;
the first device is further configured to generate a first session key and a second session key with the first shared key, the second shared key, and the third shared key as key-derived input secret values.
8. An access system of a quantum security-based zero trust network, wherein the zero trust network comprises a first device and a second device which are connected through a quantum security communication channel, the second device holds a second static key pair, the second static key pair is generated based on a KEM, the KEM supports a post quantum algorithm, and the system executes a key exchange process through the second device, and the access system comprises:
The second device is configured to, in response to receiving a first message sent by the first device, extract a temporary public key contained therein, a first device identification of the first device, a first message authentication code, a fourth message authentication code, a first ciphertext packaged using a second static public key of the second static key pair, and a fourth ciphertext encrypted using a first shared key;
the second device is further configured to decapsulate the first ciphertext using a second static private key of the second static key pair to obtain the first shared key;
The second device is further configured to decrypt the fourth ciphertext using the first shared key to obtain a first static public key and a first timestamp of a first static key pair of the first device, the first static key pair being generated based on the KEM;
the second device is further configured to verify the first ciphertext using the first message authentication code and verify the fourth ciphertext using the fourth message authentication code based on the first device identification, a first timestamp;
The second device is further configured to generate a second random number, and encapsulate the second random number and the temporary public key based on the KEM to obtain a second shared key and a second ciphertext;
The second device is further configured to obtain a third shared key and a third ciphertext based on the KEM encapsulation using the first static public key and the second random number;
The second device is further configured to generate a second message authentication code for the second ciphertext and a third message authentication code for the third ciphertext based on a second device identification of the second device;
The second device is further configured to send a second message to the first device, the second message including the second message authentication code, a third message authentication code, a second device identification, the second ciphertext and a third ciphertext;
The second device is further configured to generate a first session key and a second session key with the first shared key, the second shared key, and the third shared key as key-derived input secret values.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410807077.3A CN118413389B (en) | 2024-06-21 | 2024-06-21 | Quantum security-based zero trust network access method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410807077.3A CN118413389B (en) | 2024-06-21 | 2024-06-21 | Quantum security-based zero trust network access method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN118413389A CN118413389A (en) | 2024-07-30 |
| CN118413389B true CN118413389B (en) | 2024-09-17 |
Family
ID=92032447
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410807077.3A Active CN118413389B (en) | 2024-06-21 | 2024-06-21 | Quantum security-based zero trust network access method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118413389B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119168644B (en) * | 2024-11-21 | 2025-02-28 | 正则量子(北京)技术有限公司 | A blockchain transaction signature and verification method and device supporting quantum security |
| CN119211914A (en) * | 2024-11-26 | 2024-12-27 | 正则量子(北京)技术有限公司 | A method and device for implementing quantum secure MQTT based on KEM |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113810432A (en) * | 2021-11-19 | 2021-12-17 | 阿里云计算有限公司 | Quantum-safe data encryption method, encryption equipment and storage medium |
| CN117527202A (en) * | 2022-08-05 | 2024-02-06 | 华为技术有限公司 | Quantum key negotiation system, method and device |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3754896A1 (en) * | 2019-06-18 | 2020-12-23 | Koninklijke Philips N.V. | Authenticated key agreement |
| US12192184B2 (en) * | 2021-12-08 | 2025-01-07 | John A. Nix | Secure session resumption using post-quantum cryptography |
| EP4465588A1 (en) * | 2022-02-14 | 2024-11-20 | Huawei Technologies Co., Ltd. | Quantum key transmission method, device and system |
| DE102022203725A1 (en) * | 2022-04-13 | 2023-10-19 | Robert Bosch Gesellschaft mit beschränkter Haftung | Method for exchanging cryptographic keys between communication participants |
| CN116488806A (en) * | 2023-05-04 | 2023-07-25 | 中电科网络安全科技股份有限公司 | Key encapsulation method, device, equipment and storage medium |
-
2024
- 2024-06-21 CN CN202410807077.3A patent/CN118413389B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113810432A (en) * | 2021-11-19 | 2021-12-17 | 阿里云计算有限公司 | Quantum-safe data encryption method, encryption equipment and storage medium |
| CN117527202A (en) * | 2022-08-05 | 2024-02-06 | 华为技术有限公司 | Quantum key negotiation system, method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN118413389A (en) | 2024-07-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110971415B (en) | An anonymous access authentication method and system for a space-earth integrated spatial information network | |
| CN111052672B (en) | Secure key transfer protocol without certificate or pre-shared symmetric key | |
| Wang et al. | SDN-based handover authentication scheme for mobile edge computing in cyber-physical systems | |
| TWI388180B (en) | Key generation in a communication system | |
| JP4002035B2 (en) | A method for transmitting sensitive information using unsecured communications | |
| WO2017185999A1 (en) | Method, apparatus and system for encryption key distribution and authentication | |
| US8838972B2 (en) | Exchange of key material | |
| CN118413389B (en) | Quantum security-based zero trust network access method and system | |
| CN108683501B (en) | Multiple identity authentication system and method with timestamp as random number based on quantum communication network | |
| US20060094401A1 (en) | Method and apparatus for authentication of mobile devices | |
| JP2012110009A (en) | Methods and arrangements for secure linking of entity authentication and ciphering key generation | |
| GB2535749A (en) | Authentication module | |
| CN108964897B (en) | Identity authentication system and method based on group communication | |
| WO2023082599A1 (en) | Blockchain network security communication method based on quantum key | |
| JP2016519873A (en) | Establishing secure voice communication using a generic bootstrapping architecture | |
| Noh et al. | Secure authentication and four-way handshake scheme for protected individual communication in public wi-fi networks | |
| CN101635922B (en) | Safety communication method of wireless mesh network | |
| KR100749846B1 (en) | Device for realizing security function in mac of portable internet system and authentication method using the device | |
| US20070055870A1 (en) | Process for secure communication over a wireless network, related network and computer program product | |
| CN119155681A (en) | Security enhanced wireless local area network system | |
| CN117459231A (en) | Quantum-safe SD-WAN network system and construction method thereof | |
| KR101451163B1 (en) | System and method for access authentication for wireless network | |
| WO2008004174A2 (en) | Establishing a secure authenticated channel | |
| KR20040088137A (en) | Method for generating encoded transmission key and Mutual authentication method using the same | |
| Oguta | Security Analysis of Wimax Technology |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |