CN-115314189-B - Communication method and system

Abstract

The present disclosure relates to a communication method and system. First, a quantum security key is obtained. The pre-shared key is then derived based on the quantum security key. Next, the pre-shared key is imported into the secure transport layer protocol. In this way, a master key may be generated based on a pre-shared key and/or authenticated based on the pre-shared key in a secure transport layer protocol. Therefore, the method and the device generate the pre-shared secret key based on the quantum security secret key in an out-of-band mode, and import the pre-shared secret key into the secure transport layer protocol, so that the pre-shared secret key has the capability of resisting quantum attack when being used for secret key exchange and identity authentication.

Inventors

• FENG KAI

Assignees

• 阿里巴巴（中国）有限公司

Dates

Publication Date

20260508

Application Date

20220621

Claims (8)

1. 1. A method of communication, comprising: Acquiring a plurality of quantum security keys and corresponding key identifications thereof; Caching the obtained plurality of quantum security keys and corresponding key identifications thereof, and When a new quantum security key is needed, key identification is used for key synchronization between two communication parties, so that the two communication parties use the same group of quantum security keys; Performing key derivation processing on the quantum security key to obtain a pre-shared key, wherein the key derivation processing comprises the step of processing the quantum security key by using a key derivation function based on a hash operation message authentication code; importing the pre-shared key from out-of-band into a secure transport layer protocol using a callback function, and In the secure transport layer protocol, a pre-master key is obtained based on the pre-shared key and the secret information, a random number from a communication partner and a random number generated by the party are based on the pre-master key, and the pre-shared key, a master key is obtained by using a key derivation function, and/or authentication is performed based on the pre-shared key.
2. 2. The method of claim 1, wherein, A quantum security key is obtained by an application engaged in the communication and a pre-shared key is derived based on the quantum security key.
3. 3. The method of claim 1, wherein, The quantum security key is provided for both communication parties through a quantum security key service.
4. 4. The method of claim 1, wherein the private information comprises: public and temporary public keys obtained from the communication partner's encrypted certificate and the present encrypted and temporary private keys, or A random number from the communication partner and a random number generated by the present.
5. 5. A communication system includes a first communication party and a second communication party, The first and/or the second party generates and/or authenticates master keys required for the communication by the first and the second party by means of the method according to any of claims 1 to 4.
6. 6. A computing device, comprising: processor, and A memory having executable code stored thereon, which when executed by the processor causes the processor to perform the method of any of claims 1 to 4.
7. 7. A computer program product comprising executable code which, when executed by a processor of an electronic device, causes the processor to perform the method of any one of claims 1 to 4.
8. 8. A non-transitory machine-readable storage medium having stored thereon executable code, which when executed by a processor of an electronic device, causes the processor to perform the method of any of claims 1 to 4.

Description

Communication method and system Technical Field The present disclosure relates to the field of communications technologies, and in particular, to a communication method and system combining a quantum security technology with a remote access technology. Background The SSL VPN is one of 22 types of products in commercial password product catalogue published by the national bureau of China, and is a type of SSL VPN which is modified to meet the national standard specification based on the transmission layer security protocol TLS 1.1 and combined with the actual application requirements and practical experience of China. Besides integrating the national cryptographic algorithm, the national cryptographic SSL VPN also uses a double-certificate mode, namely a signature certificate and an encryption certificate. Quantum security technology is an emerging technical field, and is mainly used for coping with threats of future quantum computers to existing cryptography systems, including asymmetric encryption algorithms such as Diffie-Hellman, RSA and ECC. The most practical solutions in quantum security technology are currently mainly divided into Quantum Key Distribution (QKD) and Post Quantum Cryptography (PQC). The bottom cryptographic algorithms of the national security standard SSL VPN (such as signature and key exchange algorithms such as RSA, ECC, SM, ECDHE, etc.) are still based on discrete logarithms, or mathematical principles such as large number decomposition, and do not have the capability of resisting quantum computer attacks. Therefore, a solution that can combine quantum security technology with remote access technology (such as national dense SSL VPN) is needed to enable remote access with the ability to resist quantum computer attacks. Disclosure of Invention One technical problem to be solved by the present disclosure is to provide a solution that can combine quantum security technology with remote access technology (such as national dense SSL VPN). According to a first aspect of the present disclosure, there is provided a communication method comprising obtaining a quantum security key, deriving a pre-shared key based on the quantum security key, importing the pre-shared key into a secure transport layer protocol, and generating a master key based on the pre-shared key and/or authenticating based on the pre-shared key in the secure transport layer protocol. Optionally, a quantum security key is obtained by an application engaged in the communication and a pre-shared key is derived based on the quantum security key. Optionally, the step of obtaining the pre-shared key based on the quantum security key comprises performing a key derivation process on the quantum security key to obtain the pre-shared key. Optionally, the key derivation process includes processing the quantum security key using a key derivation function based on a hash message authentication code. Optionally, the quantum security key is provided to both parties of the communication through a quantum security key service. Optionally, the step of obtaining the quantum security key comprises obtaining a plurality of quantum security keys and corresponding key identifications thereof, caching the obtained plurality of quantum security keys and corresponding key identifications thereof, and performing key synchronization between the two communication parties using the key identifications whenever a new quantum security key is required, so that the two communication parties use the same set of quantum security keys. Optionally, the step of generating the master key based on the pre-shared key comprises deriving the pre-master key based on the pre-shared key and the private information, and deriving the master key based on the pre-master key. Optionally, the private information includes a public key and a temporary public key obtained from an encrypted certificate of the communication partner and an encrypted private key and a temporary private key of the party, or a random number from the communication partner and a random number generated by the party. Optionally, the step of deriving the master key based on the pre-master key comprises deriving the master key using a key derivation algorithm based on the pre-master key and the random number from the communication partner and the generated random number, or deriving the master key using a key derivation algorithm based on the pre-master key and the random number from the communication partner and the generated random number, and the pre-shared key. According to a second aspect of the present disclosure, there is provided a communication system comprising a first communication party and a second communication party, the first communication party and/or the second communication party being arranged to generate a master key required for communication by the first communication party and the second communication party by the method described in the first aspect above, and/or to authenticate. A