CN-121984674-A - Cross-domain quantum key filling method and system
Abstract
The invention relates to the field of information security and discloses a cross-domain quantum key filling method and system. A first key filling station responds to a request from a first service terminal, parses the target terminal identifier and, when it determines that the request crosses domains, reports it upward step by step; the cross-domain key filling management center generates a cross-domain master key from quantum true random numbers according to the attribution of the target, and distributes it through a quantum security channel to the source domain key filling service center and the target domain key filling service center; the two service centers negotiate a derived session key using the shared master key and issue it; and the station receives the session key, generates a service key by combining it with the service context, and fills the service key into the terminal. The system also integrates dynamic request triggering based on consumption rate, a hybrid encryption channel and a physical overwrite destruction mechanism for the storage unit. The invention adopts a layered cascaded architecture, combines a quantum entropy source with post-quantum algorithms, solves the problem of trust transfer between heterogeneous domains, and realizes closed-loop security management of the key over its full life cycle against quantum computing attacks.
Inventors
- FANG MING
- YOU XIN
- LI ANJING
- QIU ZHIYUAN
- LI YI
- XIE CHENYU
- ZHANG ZHIRAN
- LU SHICAI
- ZHOU PEI
- LIU YANG
- ZHANG RUILIANG
- FENG WENXIN
- LI DAOYU
- WANG YUFENG
- HUANG QIAN
Assignees
- 中国南方电网有限责任公司超高压输电公司贵阳局
Dates
- Publication Date
- 20260505
- Application Date
- 20260203
Claims (10)
- 1. A cross-domain quantum key filling method, comprising the following steps: S1, a first key filling station receives a service key request instruction from a first service terminal, parses the instruction to obtain the unique identifier of a second service terminal, and sends a key request instruction to a first domain key filling service center when it determines that the key cannot be distributed directly; S2, when the first domain key filling service center determines that the unique identifier of the second service terminal does not belong to its jurisdiction, it sends a cross-domain master key request instruction to the cross-domain key filling management center; S3, the cross-domain key filling management center determines a second domain key filling service center according to the unique identifier of the second service terminal, generates a cross-domain master key using an internally integrated quantum random number generator, and distributes the cross-domain master key to the first domain key filling service center and the second domain key filling service center respectively; S4, the first domain key filling service center and the second domain key filling service center negotiate using the shared cross-domain master key to generate a session key, which is issued to the first key filling station and the second key filling station respectively; S5, the first key filling station and the second key filling station generate service keys using the session key and fill the service keys into the first service terminal and the second service terminal respectively.
- 2. The cross-domain quantum key filling method according to claim 1, wherein, in step S1, parsing the service key request instruction to obtain the unique identifier of the second service terminal and sending the key request instruction to the first domain key filling service center when it is determined that the key cannot be distributed directly specifically comprises: the first key filling station parses the service key request instruction using an instruction parsing module and extracts the unique identifier of the second service terminal; the first key filling station queries a locally stored key distribution routing table or terminal association list and compares the unique identifier of the second service terminal against the local jurisdiction terminal list; and if the unique identifier of the second service terminal is not in the local jurisdiction terminal list, the first key filling station generates the key request instruction, which comprises the unique identifier of the first key filling station, the unique identifier of the first service terminal and the unique identifier of the second service terminal.
- 3. The cross-domain quantum key filling method according to claim 1, wherein step S3 comprises: the cross-domain key filling management center receives the cross-domain master key request instruction and parses the unique identifier of the second service terminal from it; the cross-domain key filling management center uses the unique identifier of the second service terminal as an index key, searches a whole-network terminal index database, and obtains the unique identifier of the second domain key filling service center to which the second service terminal belongs; and the whole-network terminal index database stores the mapping between the unique identifiers of all registered service terminals and the unique identifiers of the key filling service centers of their respective domains.
- 4. The cross-domain quantum key filling method according to claim 1, wherein generating a cross-domain master key using an internally integrated quantum random number generator in step S3 comprises: the cross-domain key filling management center calls a quantum random number generator, which generates a true random number sequence based on the collapse characteristics of a photon state; the cross-domain key filling management center performs a truncation operation on the true random number sequence and takes a sequence of a specified length as the cross-domain master key; and the cross-domain key filling management center packages the cross-domain master key, the unique identifier of the first domain key filling service center, the unique identifier of the second domain key filling service center and the route identifier information into a cross-domain key distribution message, and sends the message through a quantum security channel.
- 5. The method according to claim 1, wherein, in step S4, the first domain key filling service center and the second domain key filling service center negotiating to generate the session key using the shared cross-domain master key comprises: the first domain key filling service center calls its internal quantum random number generator to generate a first quantum random number sequence, the second domain key filling service center calls its internal quantum random number generator to generate a second quantum random number sequence, and the two parties exchange the first and second quantum random number sequences; the two parties compute the session key using a key derivation function, with the cross-domain master key, the first quantum random number sequence, the second quantum random number sequence and the session unique identifier as input parameters; and the key derivation function is configured as a hash-based message authentication code (HMAC) algorithm.
- 6. The method according to claim 1, wherein, in step S5, the first key filling station and the second key filling station generating a service key using the session key comprises: the first key filling station and the second key filling station receive and decrypt the session key; the concatenation of the session key, the service context information and a preset filling string is computed with a cryptographic hash algorithm, and the result is output as the service key; and the service context information comprises a service type, an effective time window and a security level parameter.
- 7. The cross-domain quantum key filling method according to claim 1, wherein step S1 further comprises a key request triggering step before the first key filling station receives the service key request instruction from the first service terminal: the first service terminal monitors the number of filling keys stored locally; when the number of filling keys falls below a preset threshold, the first service terminal generates the service key request instruction; and the value of the preset threshold is obtained by multiplying the number of key update periods within a preset time period by the number of keys consumed in a single key update.
- 8. The cross-domain quantum key filling method according to claim 1, wherein the sending of the cross-domain master key request instruction in step S2 and the distribution of the cross-domain master key in step S3 are performed through a quantum security channel; the sending of the key request instruction in step S1 and the issuing of the session key in step S4 are performed through a network security channel; the quantum security channel is established by quantum key distribution equipment between the cross-domain key filling management center and the first domain key filling service center, and between the cross-domain key filling management center and the second domain key filling service center; and the network security channel is established between the first domain key filling service center and the first key filling station, is encrypted using quantum random number keys from a synchronized quantum random number key store held by both sides, and performs identity authentication using a post-quantum cryptography algorithm.
- 9. The method according to claim 1, further comprising a step of destroying old keys: when the service key reaches the end of its validity period or is marked invalid, the first service terminal performs multiple rounds of data overwriting on the physical storage unit addresses holding the service key; and the multi-round data overwriting is configured to sequentially overwrite the physical storage unit addresses using an all-zero fill pattern, an all-one fill pattern and a locally generated quantum random number sequence fill pattern.
- 10. A cross-domain quantum key filling system, applied to the cross-domain quantum key filling method according to any one of claims 1 to 9, comprising a cross-domain key filling management center, a plurality of domain key filling service centers, a plurality of key filling stations and a plurality of service terminals; the key filling station is configured to receive a service key request instruction from a service terminal, parse the target terminal identifier, send a key request instruction to the domain key filling service center to which the target terminal belongs if the target terminal is not within the local jurisdiction, and receive the session key, generate the service key and fill it into the service terminal; the domain key filling service center is configured to receive the key request instruction, apply to the cross-domain key filling management center for a cross-domain master key if the request is judged to be a cross-domain request, negotiate with the other domain key filling service center on the basis of the cross-domain master key to generate a session key, and send the session key to the key filling station; the cross-domain key filling management center is configured to generate a cross-domain master key using the integrated quantum random number generator and distribute it to the source domain key filling service center and the target domain key filling service center according to the attribution of the target terminal; and the service terminal is configured to initiate a request when its filling keys are insufficient and to receive the service key for cross-domain secure communication.
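The two derivations in claims 5 and 6, as an added example that is not code from the patent: the session key is HMAC-SHA256 keyed with the cross-domain master key over the two exchanged random sequences and the session identifier, and the service key is SHA-256 over the session key, the service context and a preset filling string. The length-prefixed field encoding, the filler value, the use of an OS CSPRNG in place of the quantum random number generator, and all sample values are assumptions of this example.

```python
import hashlib
import hmac
import secrets

CONSTRUCTED_FILLER = b"ck-fill-v1"  # stands in for the claim's preset filling string


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix every field so the concatenation is unambiguous
    (an assumption of this example; the page does not fix an encoding)."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def derive_session_key(master_key: bytes, r1: bytes, r2: bytes, session_id: bytes) -> bytes:
    """Step S4 (claim 5): HMAC over the two exchanged random sequences and the
    session identifier, keyed with the shared cross-domain master key."""
    return hmac.new(master_key, encode_fields(r1, r2, session_id), hashlib.sha256).digest()


def derive_service_key(session_key: bytes, service_type: bytes, time_window: bytes,
                       security_level: bytes, filler: bytes = CONSTRUCTED_FILLER) -> bytes:
    """Step S5 (claim 6): hash(session_key || service context || preset filler)."""
    context = encode_fields(service_type, time_window, security_level)
    return hashlib.sha256(encode_fields(session_key, context, filler)).digest()


def negotiate(master_key: bytes, session_id: bytes) -> tuple:
    """Each domain center draws its own random sequence, the two are exchanged,
    and both sides derive the session key independently.
    Returns (key_at_domain_1, key_at_domain_2)."""
    r1 = secrets.token_bytes(32)  # QRNG output in the patent; CSPRNG stand-in here
    r2 = secrets.token_bytes(32)
    # after the exchange each side holds master_key, r1, r2 and session_id
    return (derive_session_key(master_key, r1, r2, session_id),
            derive_session_key(master_key, r1, r2, session_id))


def keys_match(master_key: bytes, session_id: bytes) -> bool:
    """True when both domain centers end up with the same session key."""
    k1, k2 = negotiate(master_key, session_id)
    return hmac.compare_digest(k1, k2)


def context_binding_holds(session_key: bytes) -> bool:
    """A service key issued for one time window differs from the one for the
    next window, which is what blocks the replay described in the Background."""
    k_now = derive_service_key(session_key, b"dispatch", b"window-0001", b"L3")
    k_later = derive_service_key(session_key, b"dispatch", b"window-0002", b"L3")
    return k_now != k_later
```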
Description
Technical Field
The invention relates to the technical field of information security, in particular to a cross-domain quantum key filling method and system.
Background
The electric power system is a key energy infrastructure. With the development of the smart grid, massive numbers of intelligent terminals and mobile devices are connected, so the network boundary is increasingly blurred. To cope with advanced network threats and the potential risk of quantum computers breaking cryptography, the power industry has introduced quantum key filling technology, which uses a quantum random number generator to generate true random numbers and supplies keys to equipment such as distribution automation switches and load management terminals that cannot be directly connected to a fixed quantum key distribution network. However, existing quantum key filling techniques have significant limitations in practice. First, existing filling systems are usually deployed within a single security domain and lack a unified trust and collaboration mechanism between different regions or network levels. In heterogeneous network communication scenarios such as cross-provincial grid dispatching or interaction across the generation side, the key management systems of the independent domains cannot establish a trusted connection, so high-entropy source keys are difficult to synchronize securely across domains and the same security strength cannot be maintained when services interoperate across domains. Second, for key update and usage control, the prior art generally uses a fixed static threshold or manual periodic maintenance to trigger key requests.
This mechanism cannot be adjusted dynamically to the real-time fluctuation of power service data traffic, and easily causes communication interruption through key exhaustion during service peaks or increased leakage risk through excessive key stockpiling during service valleys. Meanwhile, existing service key generation mechanisms generally do not mathematically bind the key to context information such as service type and validity window; once a key is intercepted, an attacker can launch a replay attack in an unauthorized period or an unintended service scenario. Finally, existing schemes have weaknesses in full-lifecycle key management. In the key invalidation stage there are no physical-level destruction measures for the storage medium, so residual data in the storage unit is easy to recover because of the remanence effect, and a complete quantum-resistant security closed loop covering generation, transmission, use and destruction cannot be formed.
Disclosure of Invention
The invention mainly solves the problems of insufficient key distribution security, a key filling link that is not closed-loop, and the lack of a dynamic trigger mechanism in existing cross-domain communication scenarios. The invention provides a cross-domain quantum key filling method and system based on a hierarchical architecture, which realize full-lifecycle security management of keys from the terminal to the cross-domain management center. The first aspect of the invention provides a cross-domain quantum key filling method that adopts a layered cascaded key negotiation mechanism and specifically comprises the following steps: the first key filling station responds to a service key request initiated by the first service terminal and parses the instruction to extract the unique identifier of the target terminal.
The station compares it against the locally stored routing list or terminal association list, and when the target terminal is judged not to belong to the local jurisdiction, the station packages the request as a key request instruction and reports it step by step to the first domain key filling service center. After confirming that the target terminal is not under local domain jurisdiction, the first domain key filling service center further applies to the cross-domain key filling management center for the cross-domain master key. The cross-domain key filling management center determines the attribution of the target domain according to the target terminal identifier, generates a true random number sequence using the collapse characteristic of the photon state, and truncates the sequence to the specified length to serve as the cross-domain master key. The cross-domain master key is then distributed through the established quantum security channel to the first domain key filling service center at the source end and the second domain key filling service center at the destination end respectively. The first domain key filling service center and the second domain key filling service center perform a negotiation process usi