CN-121984667-A - Quantum encryption-based data synchronization method and system

Abstract

The application discloses a data synchronization method based on quantum encryption. The method is used for a first terminal and comprises the steps of sending a key application request to a password service platform, sending a device discovery request under the condition that a quantum key is received, conducting encryption processing on service data according to the quantum key to generate encrypted service data, and sending the encrypted service data to a second terminal through a session channel. Therefore, the data encryption is carried out by adopting the quantum key, the encryption strength of the service data is improved to a certain extent by utilizing the characteristic of quantum key quantum calculation cracking resistance, the transmission safety of the service data is effectively ensured, meanwhile, the first terminal and the second terminal establish a dedicated session channel, an efficient and stable transmission path is provided for encrypting the service data, the directionality and independence of the data transmission are effectively ensured, the interference and leakage risk in the data transmission process are reduced, and the data synchronization safety and the transmission efficiency are improved to a certain extent.

Inventors

• WEI PEIJUN

Assignees

• 中电信量子信息科技集团有限公司

Dates

Publication Date

20260505

Application Date

20251229

Claims (20)

1. 1. A method for data synchronization based on quantum cryptography, the method being for a first terminal, the method comprising: A key application request is sent to a password service platform, wherein the password service platform sends a key generation instruction to a sub-key distribution server according to the key application request, the quantum key distribution server generates a quantum key and a key identifier according to the key generation instruction, the quantum key and the key identifier are sent to the password service platform, and the password service platform sends the quantum key and the key identifier to the first terminal; under the condition that the quantum key is received, sending a device discovery request, wherein a second terminal establishes a session channel with the first terminal according to the received device discovery request; Encrypting the service data according to the quantum key to generate encrypted service data; And sending the encrypted service data to the second terminal through the session channel.
2. 2. The method according to claim 1, wherein the method further comprises: sending a signature identity authentication request to the password service platform, wherein the signature identity authentication request comprises a first equipment identifier and a task identifier, the password service platform performs validity check on the signature identity authentication request, and under the condition that the identity validity check is passed, the signature identity authentication request returns a pass authentication to the first terminal; and sending the key application request to the password service platform under the condition that the authentication is received.
3. 3. The method according to claim 2, wherein said sending the key application request to the cryptographic service platform in the event that the authenticated request is received comprises: The first equipment identifier and the quantum random number are spliced to generate a quantum random number authentication code, wherein the password service platform sends a link authorization instruction to the quantum key distribution server according to the authentication and the task identifier, the link authorization instruction comprises the first equipment identifier and an authorization valid period, and the quantum key distribution server establishes a quantum channel with the first terminal according to the link authorization instruction and generates the quantum random number and transmits the quantum random number to the first terminal through the quantum channel; the quantum random number authentication code is sent to the quantum key distribution server, wherein the quantum key distribution server performs splicing processing on the first equipment identifier and the quantum random number to generate a verification quantum random number authentication code, a quantum key distribution link is constructed under the condition that the quantum random number authentication code and the verification quantum random number authentication code are the same, link construction success confirmation information is sent to the first terminal, the link construction success confirmation information comprises a link identifier, and a link establishment state is fed back to the password service platform; and under the condition that the link construction success confirmation information is received, sending the key application request to the password service platform.
4. 4. The method according to claim 1, wherein the method further comprises: According to the connection confirmation information, a session request is sent to the second terminal, wherein the session request comprises a first session identifier, the second terminal performs verification processing on the received equipment discovery request, the connection confirmation information is returned to the first terminal when the equipment discovery request passes verification, the connection confirmation information comprises a target transmission rate, the second terminal generates a second session identifier according to the session request and negotiates a temporary quantum key with the first terminal, and returns negotiation success confirmation information to the first terminal when the temporary quantum key negotiation is successful; and binding the first session identifier with the second session identifier according to the successful negotiation confirmation information to generate a target session identifier so as to establish the session channel with the second terminal.
5. 5. The method of claim 4, wherein encrypting the traffic data according to the quantum key to generate encrypted traffic data comprises: The business data is subjected to block processing to generate a plurality of data blocks; calculating a first hash value of each data block; generating a synchronous data list according to the first hash value, the key identification, the target session identification and the first terminal private key of each data block; Generating a random initialization vector corresponding to each data block; encrypting the corresponding data blocks according to the quantum key and each random initialization vector to generate a plurality of encrypted data blocks; And adding a sequence number, the target session identification and the corresponding random initialization vector to each encrypted data block header to generate a plurality of target encrypted data blocks.
6. 6. The method of claim 5, wherein said sending the encrypted traffic data to the second terminal via the session channel comprises: The synchronous data list and a plurality of target encrypted data blocks are sent to the second terminal, wherein the second terminal checks the continuity of sequence numbers according to the received synchronous data list and the received target encrypted data blocks, and sends receiving state feedback to the first terminal; and if the receiving state feedback indicates that the target encrypted data block is lost, the lost target encrypted data block is sent to the second terminal again.
7. 7. The method of claim 6, wherein said transmitting the synchronization data list and the plurality of target encrypted data blocks to the second terminal comprises: And transmitting the synchronous data list and the plurality of target encrypted data blocks to the second terminal according to the target transmission rate.
8. 8. The method of claim 7, wherein said transmitting the synchronization data list and the plurality of target encrypted data blocks to the second terminal according to the target transmission rate further comprises: And when the second terminals comprise at least two, controlling the target transmission rate corresponding to each second terminal according to a preset sliding window corresponding to each second terminal so as to send the synchronous data list and a plurality of target encrypted data blocks to the second terminal.
9. 9. The method of claim 6, wherein the method further comprises: checking the received key acquisition request, wherein the second terminal sends the key acquisition request to the first terminal according to the key identification acquired from the synchronous data list; And under the condition that the key acquisition request passes the verification, encrypting the quantum key according to the temporary quantum key, generating an encrypted quantum key, and sending the encrypted quantum key to the second terminal, wherein the second terminal decrypts the encrypted quantum key according to the temporary quantum key to obtain the quantum key.
10. 10. The method according to claim 1, wherein the method further comprises: sending a key destruction request to the password service platform, the quantum key distribution server and the second terminal under the condition that the second terminal acquires the encrypted service data and completes decryption of the encrypted service data, wherein the password service platform deletes the distribution record of the quantum key, the quantum key distribution server deletes a quantum key generation log, and the second terminal deletes the quantum key; And sending a session closing request to the second terminal, wherein the second terminal closes the session channel according to the session closing request and returns session closing confirmation information to the first terminal.
11. 11. A method of quantum encryption based data synchronization for a second terminal, the method comprising: According to the received equipment discovery request, a session channel is established with a first terminal, wherein the first terminal sends a key application request to a password service platform, the password service platform sends a key generation instruction to a sub-key distribution server according to the key application request, the quantum key distribution server generates a quantum key and a key identification according to the key generation instruction and sends the quantum key and the key identification to the password service platform, the password service platform sends the quantum key and the key identification to the first terminal, and the first terminal sends the equipment discovery request under the condition of receiving the quantum key; And receiving encrypted service data, wherein the first terminal encrypts the service data according to the quantum key, generates the encrypted service data, and sends the encrypted service data to the second terminal through the session channel.
12. 12. The method of claim 11, wherein the method further comprises: Performing verification processing on the received equipment discovery request; Returning connection confirmation information to the first terminal under the condition that the equipment discovery request passes verification, wherein the first terminal sends a session request to the second terminal according to the connection confirmation information, the session request comprises a first session identifier, and the connection confirmation information comprises a target transmission rate; generating a second session identifier according to the session request and negotiating a temporary quantum key with the first terminal; And under the condition that the temporary quantum key negotiation is successful, returning negotiation success confirmation information to the first terminal, wherein the first terminal binds the first session identifier with the second session identifier according to the negotiation success confirmation information, and generates a target session identifier so as to establish the session channel with the second terminal.
13. 13. The method of claim 12, wherein the second terminal comprises at least two, the method further comprising: Each second terminal performs verification processing on the received equipment discovery request; Under the condition that the equipment discovery request passes the verification, each second terminal respectively returns connection confirmation information to the first terminal, wherein the first terminal sends a session request to the corresponding second terminal according to the received connection confirmation information, and the session request comprises a first session identifier; Each second terminal generates a corresponding second session identifier according to the session request and negotiates a corresponding temporary quantum key with the first terminal; and under the condition that the temporary quantum key negotiation is successful, each second terminal respectively returns negotiation success confirmation information to the first terminal, wherein the first terminal binds the first session identifier with the corresponding second session identifier according to the received negotiation success confirmation information, and generates a corresponding target session identifier so as to establish a corresponding session channel with the corresponding second terminal.
14. 14. The method according to claim 12, wherein the method further comprises: According to the received synchronous data list and a plurality of target encrypted data blocks, checking the continuity of sequence numbers, sending receiving state feedback to the first terminal, wherein the first terminal carries out blocking processing on the service data to generate a plurality of data blocks, calculates a first hash value of each data block, generates the synchronous data list according to the first hash value of each data block, the key identification, the target session identification and a first terminal private key, generates a random initialization vector corresponding to each data block, carries out encryption processing on the corresponding data block according to the quantum key and each random initialization vector to generate a plurality of encrypted data blocks, adds the sequence numbers, the target session identification and the corresponding random initialization vectors to the head of each encrypted data block, generates a plurality of target encrypted data blocks, and sends the synchronous data list and the plurality of target encrypted data blocks to the second terminal; And receiving the lost target encrypted data block, wherein the first terminal resends the lost target encrypted data block to the second terminal when the receiving state feedback indicates that the target encrypted data block is lost.
15. 15. The method of claim 14, wherein the method further comprises: Sending a key acquisition request to the first terminal according to the key identification acquired from the synchronous data list, wherein the first terminal verifies the received key acquisition request; And decrypting the encrypted quantum key according to the temporary quantum key to obtain the quantum key, wherein the first terminal encrypts the quantum key according to the temporary quantum key under the condition that the key acquisition request passes verification, generates the encrypted quantum key and sends the encrypted quantum key to the second terminal.
16. 16. The method of claim 15, wherein the method further comprises: Extracting the random initialization vector of each target encrypted data block header; Decrypting the corresponding encrypted data block according to the quantum key and the random initialization vector to obtain the data block; calculating a second hash value of each data block, and comparing the second hash value with the corresponding first hash value in the synchronous data list; Under the condition that the sequence number and the data block are the same, obtaining the service data; And if the two are different, sending a retransmission request of the corresponding data block to the first terminal.
17. 17. A data synchronization method based on quantum encryption, wherein the method is used for a cryptographic service platform, and the method comprises: receiving a key application request sent by a first terminal; Sending a key generation instruction to a vector subkey distribution server according to the key application request, wherein the quantum key distribution server generates a quantum key and a key identifier according to the key generation instruction, and sends the quantum key and the key identifier to the password service platform; And sending the quantum key and the key identification to the first terminal, wherein the first terminal sends a device discovery request under the condition of receiving the quantum key, the second terminal establishes a session channel with the first terminal according to the received device discovery request, the first terminal encrypts service data according to the quantum key to generate encrypted service data, and the encrypted service data is sent to the second terminal through the session channel.
18. 18. The method of claim 17, wherein the method further comprises: Receiving a signature identity authentication request sent by the first terminal, wherein the signature identity authentication request comprises a first equipment identifier and a task identifier; Carrying out validity check on the signature identity authentication request; And under the condition that the identity validity check is passed, returning a pass authentication to the first terminal, wherein the first terminal sends the key application request to the password service platform under the condition that the pass authentication is received.
19. 19. The method of claim 18, wherein the signed authentication request further comprises a timestamp and a device certificate signature value, and wherein the verifying the validity of the signed authentication request comprises: Checking whether the time stamp is within a preset valid time window, and/or Confirming whether the first equipment identifier has the key application authority according to the task identifier and the first equipment identifier and/or And checking the validity of the signature value of the device certificate.
20. 20. The method of claim 18, wherein the method further comprises: And sending a link authorization instruction to the quantum key distribution server according to the passing authentication and the task identifier, wherein the link authorization instruction comprises the first equipment identifier and an authorization validity period, the quantum key distribution server establishes a quantum channel with the first terminal according to the link authorization instruction and generates a quantum random number, the quantum random number is transmitted to the first terminal through the quantum channel, the first terminal performs splicing processing on the first equipment identifier and the quantum random number to generate a quantum random number authentication code, the quantum random number authentication code is sent to the quantum key distribution server, the quantum key distribution server performs splicing processing on the first equipment identifier and the quantum random number to generate a verification quantum random number authentication code, a quantum key distribution link is constructed under the condition that the quantum random number authentication code and the verification quantum random number authentication code are the same, link construction success confirmation information is sent to the first terminal, the link construction success confirmation information is fed back to the password service platform, and the link construction confirmation information comprises the link success request information of the first terminal under the condition that the link is successfully constructed by the password service platform is requested.

Description

Quantum encryption-based data synchronization method and system Technical Field The application relates to the technical field of communication, in particular to a data synchronization method based on quantum encryption and a data synchronization system based on quantum encryption. Background With the popularization of the internet of things, the security demands for data sharing and collaborative operation among multiple devices are increasing. Data synchronization among multiple devices generally depends on traditional encryption algorithms such as advanced encryption standard encryption algorithms, asymmetric encryption algorithms and the like, however, the traditional encryption algorithms are easy to be broken, so that data is at a certain risk of stealing and tampering in the process of cross-device synchronization. Disclosure of Invention The application provides a data synchronization method based on quantum encryption and a data synchronization system based on quantum encryption. The embodiment of the application provides a data synchronization method based on quantum encryption, which is used for a first terminal and comprises the following steps: A key application request is sent to a password service platform, wherein the password service platform sends a key generation instruction to a sub-key distribution server according to the key application request, the quantum key distribution server generates a quantum key and a key identifier according to the key generation instruction, the quantum key and the key identifier are sent to the password service platform, and the password service platform sends the quantum key and the key identifier to the first terminal; under the condition that the quantum key is received, sending a device discovery request, wherein a second terminal establishes a session channel with the first terminal according to the received device discovery request; Encrypting the service data according to the quantum key to generate encrypted service data; And sending the encrypted service data to the second terminal through the session channel. Therefore, the data encryption is carried out by adopting the quantum key, the encryption strength of the service data is improved to a certain extent by utilizing the characteristic of quantum key quantum calculation cracking resistance, the transmission safety of the service data is effectively ensured, meanwhile, the first terminal and the second terminal establish a dedicated session channel, an efficient and stable transmission path is provided for encrypting the service data, the directionality and independence of the data transmission are effectively ensured, the interference and leakage risk in the data transmission process are reduced, and the data synchronization safety and the transmission efficiency are improved to a certain extent. In certain embodiments, the method further comprises: sending a signature identity authentication request to the password service platform, wherein the signature identity authentication request comprises a first equipment identifier and a task identifier, the password service platform performs validity check on the signature identity authentication request, and under the condition that the identity validity check is passed, the signature identity authentication request returns a pass authentication to the first terminal; and sending the key application request to the password service platform under the condition that the authentication is received. Therefore, an identity authentication link is added before the key application, and the device identification and the associated task identification are utilized, so that the fact that the quantum key can be applied only by the terminal with the authority and the record is ensured to a certain extent, the possibility that an illegal terminal acquires the key is effectively blocked, and the risk of key leakage is reduced. In some embodiments, the sending the key application request to the cryptographic service platform when the authenticated request is received includes: The first equipment identifier and the quantum random number are spliced to generate a quantum random number authentication code, wherein the password service platform sends a link authorization instruction to the quantum key distribution server according to the authentication and the task identifier, the link authorization instruction comprises the first equipment identifier and an authorization valid period, and the quantum key distribution server establishes a quantum channel with the first terminal according to the link authorization instruction and generates the quantum random number and transmits the quantum random number to the first terminal through the quantum channel; the quantum random number authentication code is sent to the quantum key distribution server, wherein the quantum key distribution server performs splicing processing on the first equipment identifier and the quantum r