CN-121984678-A - Quantum-resistant hybrid password gateway and data transmission method

Abstract

The embodiment of the invention provides an anti-quantum hybrid password gateway and a data transmission method, belonging to the technical field of network security. The gateway comprises a quantum key management module, an entity authentication module, a mixed certificate management module, a mixed key negotiation module and an encryption tunnel module, wherein the quantum key management module is used for acquiring a quantum key and a quantum random number generated by a quantum key distribution network, the entity authentication module is used for executing challenge response authentication on a communication terminal, the mixed certificate management module is used for executing mixed certificate authentication processing, the mixed key negotiation module is used for executing mixed key negotiation processing to generate a communication session key, and the encryption tunnel module is used for establishing an anti-quantum encryption communication tunnel based on the communication session key and executing encryption transmission processing of communication data through the anti-quantum encryption communication tunnel. According to the scheme, the anti-quantum encryption communication tunnel with the key derivation and quantum key dynamic refreshing mechanism is constructed, so that the transmission safety and stability of communication data in an anti-quantum attack environment are improved.

Inventors

  • TAN PINGXIANG
  • WU XIAOJUN
  • HUA CHAO
  • KANG KE
  • Xiong Qingcai
  • Lei Mingchuan
  • FU YI
  • Qiu Qimou
  • WANG PAN

Assignees

  • 四川凉山水洛河电力开发有限公司

Dates

Publication Date
20260505
Application Date
20260320

Claims (10)

  1. An anti-quantum hybrid cryptographic gateway, the gateway comprising: the quantum key management module is used for acquiring a quantum key and a quantum random number generated by the quantum key distribution network; the entity authentication module is used for generating a challenge value based on the quantum random number, and executing challenge response authentication on the communication terminal based on a post quantum cryptography algorithm so as to determine the identity legitimacy of the communication terminal; the mixed certificate management module is used for managing commercial password certificates and post quantum password certificates corresponding to the communication terminal, and executing mixed certificate authentication processing based on the commercial password certificates and the post quantum password certificates in the communication establishment process so as to determine whether the communication terminal has authentication rights participating in key negotiation; the mixed key negotiation module is used for executing mixed key negotiation processing based on the quantum key, the post quantum cryptographic algorithm and the commercial cryptographic algorithm under the condition that the communication terminal has authentication authority so as to generate a communication session key; and the encryption tunnel module is used for establishing an anti-quantum encryption communication tunnel based on the communication session key and executing encryption transmission processing of communication data through the anti-quantum encryption communication tunnel.
  2. The anti-quantum hybrid cryptographic gateway of claim 1, wherein the entity authentication module is configured to: generating a challenge value based on the quantum random number, and transmitting the challenge value to a communication terminal; receiving challenge response signature data generated by the communication terminal based on the challenge value and a post quantum cryptography private key of the communication terminal; performing signature verification processing on the challenge response signature data based on a post quantum cryptography public key corresponding to the communication terminal to obtain a signature verification result; and when the signature verification result is verification passing, determining the identity validity of the communication terminal, and allowing the communication terminal to participate in the mixed key negotiation processing.
  3. The anti-quantum hybrid cryptographic gateway of claim 1, wherein the hybrid certificate management module is configured to: receiving certificate identification information sent by a communication terminal, and acquiring a commercial password certificate and a post quantum password certificate corresponding to the communication terminal based on the certificate identification information; performing certificate signature verification processing on authentication data sent by a communication terminal based on the commercial password certificate and the post quantum password certificate respectively to obtain a corresponding certificate verification result; determining a hybrid certificate authentication result based on the certificate authentication result; and when the mixed certificate authentication result is authentication passing, determining that the communication terminal has authentication authority which participates in the key negotiation processing executed by the mixed key negotiation module.
  4. The anti-quantum hybrid cryptographic gateway of claim 3, wherein in determining a hybrid certificate authentication result based on the certificate verification result, the hybrid certificate management module is further configured to: extracting a first certificate public key parameter in the commercial password certificate and a second certificate public key parameter in the post quantum password certificate; constructing a hybrid certificate fingerprint value based on the first certificate public key parameter and the second certificate public key parameter, the mixed certificate fingerprint value is obtained by performing preset hash calculation on the first certificate public key parameter and the second certificate public key parameter; performing matching processing based on the mixed certificate fingerprint value and terminal authentication fingerprints in a preset terminal fingerprint library to obtain a fingerprint matching result; and when the certificate verification results are verification passing and the fingerprint matching result is successful, determining that the mixed certificate authentication result is authentication passing.
  5. The anti-quantum hybrid cryptographic gateway of claim 1, wherein the hybrid key agreement module is configured to: performing a post quantum key negotiation process with a communication terminal based on the post quantum cryptographic algorithm to generate a first negotiation key; performing commercial cryptographic key negotiation processing with the communication terminal based on the commercial cryptographic algorithm to generate a second negotiation key; acquiring a quantum key provided by the quantum key management module, and taking the quantum key as a third negotiation key; constructing a hybrid key entropy vector based on the first negotiation key, the second negotiation key and the third negotiation key, and performing key derivation function processing on the hybrid key entropy vector to generate a communication session key.
  6. The anti-quantum hybrid cryptographic gateway of claim 5, wherein in constructing a hybrid key entropy vector, the hybrid key negotiation module is further configured to: performing key segmentation processing on the first negotiation key, the second negotiation key and the third negotiation key respectively to obtain a plurality of corresponding key subsections; mapping the key subsections of the first negotiation key, the key subsections of the second negotiation key and the key subsections of the third negotiation key to different positions in a mixed key entropy vector respectively based on a preset vector mapping rule; and generating perturbation factors based on quantum keys corresponding to the third negotiation keys, and executing random perturbation processing on at least a part of key subsections in the mixed key entropy vector based on the perturbation factors so as to obtain the mixed key entropy vector.
  7. The anti-quantum hybrid cryptographic gateway of claim 5, wherein in performing a key derivation function process on the hybrid key entropy vector, the hybrid key negotiation module is further configured to: generating a corresponding sub-segment index value based on each key sub-segment in the mixed key entropy vector, and combining the sub-segment index value with the key sub-segment to form a derivative input vector; performing a first round of key derivation function processing based on the derivation input vector to generate an intermediate derivation key; generating a random perturbation factor based on the quantum key corresponding to the third negotiation key, and injecting the random perturbation factor into the intermediate derivative key to obtain a perturbation intermediate key; a second round of key derivation function processing is performed based on the perturbed intermediate key to generate the communication session key.
  8. The quantum hybrid cryptographic gateway of claim 1, wherein the cryptographic tunnel module is configured to: generating a tunnel master key based on the communication session key, and generating a data encryption subkey and a data integrity verification subkey based on the tunnel master key derivative; performing a packet encryption process on the communication data based on the data encryption subkey to generate an encrypted data packet; performing an integrity check computation on the encrypted data packet based on the data integrity check subkey to generate a data check tag; and packaging the encrypted data packet and the data verification tag into an anti-quantum communication tunnel data frame, and sending the communication data through the anti-quantum encryption communication tunnel.
  9. The quantum hybrid cryptography gateway of claim 1 further comprising a quantum key dynamic refresh module; the quantum key dynamic refreshing module is used for: monitoring a communication data transmission state after the quantum encryption resistant communication tunnel is established; when the transmission quantity of communication data reaches a preset threshold value or the communication duration reaches a preset duration, acquiring a new quantum key from the quantum key management module; performing a key update process based on the new quantum key and a current communication session key to generate an updated communication session key, and reconfiguring encryption parameters of the quantum-encrypted-resistant communication tunnel based on the updated communication session key.
  10. A method of data transmission, the method being implemented based on the quantum hybrid cryptographic gateway of any one of claims 1-9, the method comprising: generating a challenge value based on a quantum random number generated by a quantum key distribution network, and executing challenge response authentication based on a post quantum cryptography algorithm based on the challenge value and a communication terminal to determine identity legitimacy of the communication terminal; acquiring a commercial password certificate and a post quantum password certificate corresponding to the communication terminal, and executing mixed certificate authentication processing based on the commercial password certificate and the post quantum password certificate to determine whether the communication terminal has authentication rights participating in key negotiation; under the condition that the communication terminal has authentication authority, performing hybrid key negotiation processing with the communication terminal based on a post quantum cryptographic algorithm, a commercial cryptographic algorithm and a quantum key to generate a first negotiation key, a second negotiation key and a third negotiation key; constructing a mixed key entropy vector based on the first negotiation key, the second negotiation key and the third negotiation key, and performing key derivation function processing on the mixed key entropy vector to generate a communication session key; and establishing an anti-quantum encryption communication tunnel based on the communication session key, and executing encryption transmission processing of communication data through the anti-quantum encryption communication tunnel.
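
An added example, not part of the patent text, of the key handling in claims 5, 8 and 9: three negotiated secrets fused into one session key, a tunnel master key split into separate encryption and integrity subkeys, a check tag over the encrypted packet, and a refresh with a new quantum key. It substitutes HKDF-SHA256 (RFC 5869) over length-prefixed inputs for the claimed segment mapping and perturbation steps and HMAC-SHA256 for the check tag; the function names, label strings, transcript salt and sample byte strings are assumptions.

```python
import hashlib
import hmac
import struct

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def session_key(pqc: bytes, classical: bytes, qkd: bytes, transcript: bytes) -> bytes:
    """Claim 5: fuse the first, second and third negotiation keys."""
    # Length-prefix each secret so the boundaries between them are unambiguous.
    ikm = b"".join(struct.pack(">I", len(k)) + k for k in (pqc, classical, qkd))
    # Salting with a handshake transcript hash is an assumption, not in the claims.
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    return hkdf_expand(prk, b"example session key")

def tunnel_subkeys(session: bytes) -> tuple[bytes, bytes]:
    """Claim 8: tunnel master key, then separate encryption and integrity subkeys."""
    master = hkdf_expand(session, b"example tunnel master")
    return hkdf_expand(master, b"example enc"), hkdf_expand(master, b"example mac")

def refresh(session: bytes, new_qkd: bytes) -> bytes:
    """Claim 9: mix a fresh quantum key into the current session key."""
    return hkdf_expand(hkdf_extract(new_qkd, session), b"example refresh")

def frame_tag(mac_key: bytes, encrypted_packet: bytes) -> bytes:
    """Claim 8: check tag computed over the already encrypted packet."""
    return hmac.new(mac_key, encrypted_packet, hashlib.sha256).digest()

def frame_ok(mac_key: bytes, encrypted_packet: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the received tag against a recomputed one."""
    return hmac.compare_digest(frame_tag(mac_key, encrypted_packet), tag)

if __name__ == "__main__":
    # Constructed stand-ins for the three negotiated secrets and the handshake.
    k = session_key(b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, b"constructed transcript")
    enc_key, mac_key = tunnel_subkeys(k)
    packet = b"constructed ciphertext bytes"
    tag = frame_tag(mac_key, packet)
    print(frame_ok(mac_key, packet, tag), frame_ok(mac_key, packet + b"x", tag))
    print(refresh(k, b"\x04" * 32) != k)
```

Because every input passes through the same extract step, the session key stays unpredictable as long as at least one of the three secrets is uncompromised, which is the property a hybrid combiner is meant to provide.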

Description

Quantum-resistant hybrid password gateway and data transmission method

Technical Field

The invention relates to the technical field of network security, in particular to an anti-quantum hybrid password gateway and a data transmission method.

Background

With the development of quantum computing technology, traditional cryptographic systems built based on large integer decomposition and discrete logarithm difficulty problems face potential threats. Once large-scale quantum computing devices are put into practical use, existing widely used public key cryptographic algorithms may be broken in a short time, thereby bringing a large impact to the security system of the existing communication network. In order to cope with the risks, the academic world and the industry sequentially provide a plurality of post-quantum cryptography algorithms, and the resistance of a cryptography system to quantum computing attacks is improved by constructing a novel cryptography structure which does not depend on the traditional number theory problem. Meanwhile, the quantum key distribution technology is mature gradually, key safe sharing is realized through quantum state transmission, and a key generation mode with safe information theory can be provided theoretically.

However, in an actual network system, it is often difficult to achieve both security and compatibility by relying on only a single type of cryptographic mechanism. For example, quantum key distribution systems typically rely on dedicated links and equipment, which are costly to deploy and difficult to replace on a large scale in existing communication networks. Although the post quantum cryptography algorithm can resist quantum computing attack, the algorithm structure, the key length and the computing complexity of the post quantum cryptography algorithm are different from those of the existing commercial cryptography system, and certain compatibility problems can be brought by directly replacing the existing system.

Therefore, in the existing network environment, how to effectively fuse the quantum key, the post-quantum cryptographic algorithm and the existing commercial cryptographic system on the premise of not damaging the existing cryptographic infrastructure, and construct a communication security mechanism which takes security, compatibility and deployability into consideration gradually becomes an important research direction in the current cryptographic communication system. In the prior art, part of systems try to improve communication security by simply overlaying a plurality of key negotiation mechanisms, but a unified fusion structure is often lacking among keys of different sources, and a cooperative processing mechanism aiming at the characteristics of the multi-source keys is also lacking in a key generation process, so that the security advantages of various cryptographic technologies are difficult to fully develop. Therefore, how to construct a communication security architecture capable of carrying out unified fusion and collaborative derivation on a quantum key, a post-quantum cryptographic key and a traditional commercial cryptographic key so as to realize secure data transmission under an anti-quantum environment becomes a technical problem to be solved.

Disclosure of Invention

The embodiment of the invention aims to provide an anti-quantum hybrid password gateway and a data transmission method, which at least solve the technical problem that a single password mechanism in the existing communication system is difficult to simultaneously consider anti-quantum security and system compatibility.

In order to achieve the above object, a first aspect of the present invention provides an anti-quantum hybrid cryptographic gateway, which includes a quantum key management module configured to obtain a quantum key and a quantum random number generated by a quantum key distribution network, an entity authentication module configured to generate a challenge value based on the quantum random number and perform challenge response authentication on a communication terminal based on a post-quantum cryptographic algorithm to determine identity legitimacy of the communication terminal, a hybrid certificate management module configured to manage a commercial cryptographic certificate and a post-quantum cryptographic certificate corresponding to the communication terminal and perform hybrid certificate authentication processing based on the commercial cryptographic certificate and the post-quantum cryptographic certificate in a communication establishment process to determine whether the communication terminal has authentication authority to participate in key negotiation, and a hybrid key negotiation module configured to perform hybrid key negotiation processing based on the quantum key, the post-quantum cryptographic algorithm and the commercial cryptographic algorithm to generate a communication session key in case that the communication terminal has authentica