Search

CN-121984721-A - Quantum-resistant classical channel authentication method, device, equipment and medium

CN121984721ACN 121984721 ACN121984721 ACN 121984721ACN-121984721-A

Abstract

The invention relates to the technical field of communication safety and discloses an anti-quantum classical channel authentication method, device, equipment and medium, wherein the method comprises the steps of detecting whether communication is established for the first time between a sending end device and a receiving end device for quantum signal transmission; if the communication is established for the first time, the classical channel between the sending end equipment and the receiving end equipment is authenticated by utilizing the anti-quantum signature, if the communication is not established for the first time, a message verification code is generated based on a secret key in an authentication quantum secret key pool, the classical channel between the sending end equipment and the receiving end equipment is authenticated, after the classical channel passes the authentication, a quantum secret key is obtained, and the quantum secret key is stored in an encryption quantum secret key pool and an authentication quantum secret key pool. The invention solves the technical problems that the key management is complex, the traditional signature algorithm is easy to be cracked by a quantum computer, and the safety requirement of future information infrastructure is difficult to be met in the prior art.

Inventors

  • ZHANG YILE
  • HU XIAOYA
  • LIU LING
  • ZHANG ZONGHUA
  • ZHANG HAO

Assignees

  • 北京全路通信信号研究设计院集团有限公司

Dates

Publication Date
20260505
Application Date
20260106

Claims (14)

  1. 1. An anti-quantum classical channel authentication method, the method comprising: detecting whether communication is established for the first time between a sending end device and a receiving end device for quantum signal transmission; if the communication is established for the first time, authenticating a classical channel between the transmitting end equipment and the receiving end equipment by using an anti-quantum signature; if the communication is not established for the first time, generating a message verification code based on a key in an authentication quantum key pool, and authenticating a classical channel between the sending terminal equipment and the receiving terminal equipment; and when the classical channel authentication is passed, obtaining a quantum key obtained after the data post-processing of the sending end equipment and the receiving end equipment, and storing the quantum key into an encryption quantum key pool and an authentication quantum key pool.
  2. 2. The method of quantum-resistant classical channel authentication according to claim 1, wherein said authenticating a classical channel between the sender device and the receiver device using quantum-resistant signatures comprises: After the receiving end equipment receives the classical channel authentication information, generating a first random number, obtaining a first hash value based on the classical channel authentication information, and transmitting the first random number and a first public key of the receiving end equipment to the transmitting end equipment; When the sending end equipment receives the classical channel authentication information, generating a second random number, obtaining a second hash value based on the classical channel authentication information, and sending the second random number and a second public key of the sending end equipment to the receiving end equipment; After the first random number and the first public key pass verification by the sending end equipment, a first anti-quantum signature is generated based on the second hash value, the first random number and a private key of the sending end equipment, and the first anti-quantum signature is sent to the receiving end equipment; After the second random number and the second public key pass verification by the receiving end device, generating a second anti-quantum signature based on the first hash value, the second random number and a private key of the receiving end device, and sending the second anti-quantum signature to the sending end device; Verifying the first anti-quantum signature by the receiving end equipment through the second public key, the first random number and the first hash value to obtain a first verification result; Verifying the second anti-quantum signature by the sending end device through the first public key, the second random number and the second hash value to obtain a second verification result; And if the first verification result and the second verification result are verification passing, determining that classical channel authentication between the sending end equipment and the receiving end equipment is passing.
  3. 3. The quantum-resistant classical channel authentication method of claim 2, wherein the generating a second quantum-resistant signature based on the first hash value, the second random number, and a private key of the receiving-end device comprises: Based on the private key of the receiving end equipment, performing secure multiparty calculation through the receiving end equipment to obtain a plurality of first promise values; responding based on a plurality of challenges corresponding to each first promise value respectively to obtain a plurality of first response values; respectively carrying out random replacement on each first response value to obtain a plurality of first response replacement values; Calculating a first challenge index based on a plurality of first promise values, a plurality of first answer replacement values, the first hash value and the second random number; A second anti-quantum signature is derived based on the plurality of first promise values, the plurality of first answer values, the first challenge index, and the plurality of first answer permutation values.
  4. 4. The quantum-resistant classical channel authentication method of claim 3, wherein the verifying, by the sender device, the second quantum-resistant signature using the first public key, the second random number, and the second hash value, to obtain a second verification result comprises: Calculating, by the transmitting device, a second challenge index based on the second random number, the second hash value, the plurality of first promise values and the plurality of first answer replacement values, where the plurality of first promise values and the plurality of first answer replacement values are included in the second anti-quantum signature; The sending end equipment restores the process of the receiving end equipment to execute secure multiparty calculation based on a plurality of first response values in the second anti-quantum signature and the second challenge index, and whether the result obtained by the receiving end equipment executing the secure multiparty calculation is a first public key of the receiving end equipment is detected; If yes, calculating to obtain a plurality of second promise values based on the view of the simulation participants in the process of restoring the receiving end equipment to execute the secure multiparty calculation; Responding, by the transmitting end device, based on a plurality of challenges corresponding to each second promise value, respectively, to obtain a plurality of second response values; randomly replacing each second response value to obtain a plurality of second response replacement values; Detecting whether the plurality of second promise values are the same as the plurality of first promise values, and whether the plurality of second answer replacement values are the same as the plurality of first answer replacement values; and if the first verification result and the second verification result are the same, determining that the second verification result is passed.
  5. 5. The method of claim 1, wherein the generating a message authentication code based on the key in the authenticated quantum key pool to authenticate the classical channel between the sender device and the receiver device comprises: Acquiring a first symmetric key from an authentication quantum key pool of the receiving end equipment, and acquiring a second symmetric key from the authentication quantum key pool of the transmitting end equipment, wherein the first symmetric key is the same as the second symmetric key; the incremental serial number generated by the sending end equipment is spliced with the classical channel authentication message to obtain a spliced classical channel authentication message; based on the second symmetric key and the spliced classical channel authentication message, obtaining a first verification value through a hash function algorithm; Transmitting the classical channel authentication message, the incremental sequence number and the first verification value to the receiving end device; Verifying the incremental serial number through the receiving end equipment, and if the incremental serial number passes the verification, splicing the incremental serial number with the classical channel authentication message to obtain a spliced classical channel authentication message; Based on the first symmetric key and the spliced classical channel authentication message, obtaining a second verification value through a hash function algorithm; And if the first verification value is the same as the second verification value, determining that classical channel authentication between the sending end equipment and the receiving end equipment is passed.
  6. 6. The method of quantum-resistant classical channel authentication of claim 5, wherein the verifying the incremented sequence number by the receiver device comprises: verifying whether the increment sequence number appears or not through the receiving end equipment, and whether the increment sequence number is larger than the last increment sequence number or not at the present time; and if the increment sequence number does not appear and the increment sequence number is larger than the last increment sequence number, determining that the increment sequence number passes verification.
  7. 7. The method of claim 1, wherein the data post-processing includes base screening, error correction, privacy amplification, and key generation.
  8. 8. The quantum classical channel authentication resistant method of claim 1, wherein the obtaining the quantum key obtained after the data post-processing by the transmitting device and the receiving device, and storing the quantum key in an encrypted quantum key pool and an authenticated quantum key pool, comprises: acquiring a first quantum key obtained after the transmitting end equipment performs data post-processing on the transmitted quantum signals, and storing a first preset number of the first quantum keys into an encryption quantum key pool of the transmitting end equipment for use when the transmitting end equipment and the receiving end equipment perform communication encryption; storing a second preset number of the first quantum keys into an authentication quantum key pool of the sending end equipment for use in classical channel authentication of the sending end equipment and the receiving end equipment; Acquiring a second quantum key obtained after the receiving end equipment performs data post-processing on the transmitted quantum signals, and storing a first preset number of the second quantum keys into an encryption quantum key pool of the receiving end equipment for use when the transmitting end equipment and the receiving end equipment perform communication encryption; And storing a second preset number of second quantum keys into an authentication quantum key pool of the receiving end equipment for use in classical channel authentication of the transmitting end equipment and the receiving end equipment.
  9. 9. The quantum-resistant classical channel authentication method of claim 8, wherein after the obtaining the quantum key obtained after the data post-processing by the transmitting device and the receiving device, and storing the quantum key in an encrypted quantum key pool and an authenticated quantum key pool, comprising: Accessing the encryption quantum key pool into a quantum encryption module, and consuming a first quantum key and a second quantum key in the encryption quantum key pool according to the communication encryption requirement between the sending end equipment and the receiving end equipment; and when the number of the first quantum key and the second quantum key in the encryption quantum key pool is smaller than a set threshold value, returning to the step of executing detection on whether communication is established for the first time between the sending end device and the receiving end device for quantum signal transmission.
  10. 10. An anti-quantum classical channel authentication device, the device comprising: the detection module is configured to detect whether communication is established for the first time between the sending end equipment and the receiving end equipment for quantum signal transmission; the first authentication module is configured to authenticate a classical channel between the transmitting end device and the receiving end device by using an anti-quantum signature if communication is established for the first time; the second authentication module is configured to generate a message verification code based on a key in an authentication quantum key pool if communication is not established for the first time, and authenticate a classical channel between the sending end device and the receiving end device; And the quantum key processing module is configured to acquire a quantum key obtained by performing data post-processing on the transmitting end equipment and the receiving end equipment after the classical channel authentication is passed, and store the quantum key into an encryption quantum key pool and an authentication quantum key pool.
  11. 11. The quantum-resistant classical channel authentication device of claim 10, wherein the first authentication module is configured to: After the receiving end equipment receives the classical channel authentication information, generating a first random number, obtaining a first hash value based on the classical channel authentication information, and transmitting the first random number and a first public key of the receiving end equipment to the transmitting end equipment; When the sending end equipment receives the classical channel authentication information, generating a second random number, obtaining a second hash value based on the classical channel authentication information, and sending the second random number and a second public key of the sending end equipment to the receiving end equipment; After the first random number and the first public key pass verification by the sending end equipment, a first anti-quantum signature is generated based on the second hash value, the first random number and a private key of the sending end equipment, and the first anti-quantum signature is sent to the receiving end equipment; After the second random number and the second public key pass verification by the receiving end device, generating a second anti-quantum signature based on the first hash value, the second random number and a private key of the receiving end device, and sending the second anti-quantum signature to the sending end device; Verifying the first anti-quantum signature by the receiving end equipment through the second public key, the first random number and the first hash value to obtain a first verification result; Verifying the second anti-quantum signature by the sending end device through the first public key, the second random number and the second hash value to obtain a second verification result; And if the first verification result and the second verification result are verification passing, determining that classical channel authentication between the sending end equipment and the receiving end equipment is passing.
  12. 12. The quantum-resistant classical channel authentication device of claim 10, wherein the second authentication module is configured to: Acquiring a first symmetric key from an authentication quantum key pool of the receiving end equipment, and acquiring a second symmetric key from the authentication quantum key pool of the transmitting end equipment, wherein the first symmetric key is the same as the second symmetric key; the incremental serial number generated by the sending end equipment is spliced with the classical channel authentication message to obtain a spliced classical channel authentication message; based on the second symmetric key and the spliced classical channel authentication message, obtaining a first verification value through a hash function algorithm; Transmitting the classical channel authentication message, the incremental sequence number and the first verification value to the receiving end device; Verifying the incremental serial number through the receiving end equipment, and if the incremental serial number passes the verification, splicing the incremental serial number with the classical channel authentication message to obtain a spliced classical channel authentication message; Based on the first symmetric key and the spliced classical channel authentication message, obtaining a second verification value through a hash function algorithm; And if the first verification value is the same as the second verification value, determining that classical channel authentication between the sending end equipment and the receiving end equipment is passed.
  13. 13. An electronic device comprising a memory, a processor, the processor being configured to read and execute a computer program stored in the memory to implement the steps of the anti-quantum classical channel authentication method of any one of claims 1-9.
  14. 14. A computer readable storage medium having stored therein computer executable instructions which when executed implement the steps of the anti-quantum classical channel authentication method of any one of claims 1 to 9.

Description

Quantum-resistant classical channel authentication method, device, equipment and medium Technical Field The present invention relates to the field of communications security technologies, and in particular, to a method, an apparatus, a device, and a medium for quantum-resistant classical channel authentication. Background The train control system is a key component in railway transportation and is responsible for monitoring, controlling and issuing instructions of train operation, so that the train can run efficiently and stably. Therefore, the train control system has strict requirements on the security of transmission data. Currently, the train control system mainly adopts CRC or 3DES encryption algorithm to ensure the data integrity and authenticity, and realizes the key distribution among all the main control devices in an off-line mode. But the off-line key distribution mode faces the security risks of physical interception, tampering and internal leakage, and the manual updating cost is high. Once the secret key is intercepted or leaked, the data are subject to security risks such as tampering, counterfeiting and the like, so that the stability and reliability of train operation are affected, and the life health of passengers is endangered. In the prior art, the security of a key distribution link is improved by introducing a quantum key distribution technology into a train control system for communication, but during key transmission, the quantum key distribution technology depends on classical channels to complete tasks such as parameter negotiation, information synchronization, error correction and the like besides using quantum channels to transmit quantum states, and the tasks are indispensable for realizing key synchronization by two communication parties. However, if the classical channel has no reliable authentication mechanism, the communication is easy to attack by a man-in-the-middle, and the message is easy to forge or falsify by an attacker, thereby affecting the security of the whole quantum key distribution system. The conventional classical channel authentication method relies on message authentication codes generated by pre-shared symmetric keys or uses a signature algorithm to perform authentication, however, in high security level scenes such as a train control system, the message authentication code authentication method faces the problem of complex key management, and the conventional signature algorithm has the problem of being cracked by a quantum computer, so that the security requirement of future information infrastructure is difficult to meet. Therefore, a classical channel authentication mechanism is needed that is suitable for the operation environment of the train control system, and can resist quantum computing threat and improve the overall communication security. Disclosure of Invention The invention provides an anti-quantum classical channel authentication method, device, equipment and medium, which can solve the technical problems that a classical channel authentication mechanism in the prior art is complex in key management and difficult to meet the security requirement of future information infrastructure in high-security-level scenes such as a train control system and the like, and a message authentication code authentication method faces the technical problem that a traditional signature algorithm is easily cracked by a quantum computer. In order to achieve the above purpose, the present invention provides the following technical solutions: an anti-quantum classical channel authentication method, the method comprising: detecting whether communication is established for the first time between a sending end device and a receiving end device for quantum signal transmission; if the communication is established for the first time, authenticating a classical channel between the transmitting end equipment and the receiving end equipment by using an anti-quantum signature; if the communication is not established for the first time, generating a message verification code based on a key in an authentication quantum key pool, and authenticating a classical channel between the sending terminal equipment and the receiving terminal equipment; and when the classical channel authentication is passed, obtaining a quantum key obtained after the data post-processing of the sending end equipment and the receiving end equipment, and storing the quantum key into an encryption quantum key pool and an authentication quantum key pool. Based on the same inventive concept, the invention also provides an anti-quantum classical channel authentication device, which comprises: the detection module is configured to detect whether communication is established for the first time between the sending end equipment and the receiving end equipment for quantum signal transmission; the first authentication module is configured to authenticate a classical channel between the transmitting end device and