
CN-122001581-A - Post-quantum cryptography secure networking and data protection device for a space-based orbital data center


Abstract

The invention provides a post-quantum cryptography secure networking and data protection device for a space-based orbital data center, and belongs to the technical field of space information networks and information security. The device comprises a heterogeneous key fusion management module, an integrated quantum cryptography security gateway module, a dynamic networking policy engine module (containing a situation awareness unit and a policy decision unit), an on-board data quantum security protection module and an inter-satellite blockchain module. The heterogeneous key fusion management module receives and stores QKD keys, generates PQC key pairs, and produces a session key through a key fusion algorithm; the integrated quantum cryptography security gateway module obtains the session key to perform network-access authentication and link encryption; the dynamic networking policy engine module collects link state and threat signals, and its policy decision unit contains a deep reinforcement learning model that outputs an optimal networking path and cipher suite; the on-board data quantum security protection module encrypts on-board data and isolates it in a trusted execution environment; and the inter-satellite blockchain module builds a blockchain network for distributed policy coordination. The invention integrates QKD and PQC techniques to achieve dynamic policy adjustment and full-life-cycle protection of on-board data.

Inventors

  • LI JIANGLONG
  • SHI TIANXIANG

Assignees

  • 上海伊世智能科技有限公司

Dates

Publication Date
2026-05-08
Application Date
2026-03-24

Claims (10)

  1. A post-quantum cryptography secure networking and data protection device for a space-based orbital data center, deployed on a satellite node of the space-based data center, characterized in that it comprises: a heterogeneous key fusion management module, used for receiving and storing quantum key distribution (QKD) keys and generated post-quantum cryptography (PQC) key pairs, and for mixing the quantum key and the PQC key through a key fusion algorithm to generate a session key; an integrated quantum cryptography security gateway module, connected to the heterogeneous key fusion management module, used for acquiring a session key from it and, using that session key, performing network-access identity authentication of the satellite node and encrypted transmission of inter-satellite link data; a dynamic networking policy engine module comprising a situation awareness unit and a policy decision unit, wherein the situation awareness unit acquires in real time the satellite node state, inter-satellite link quality, residual key quantity, task priority and external threat signals and outputs them to the policy decision unit, and the policy decision unit contains a deep reinforcement learning model that takes the output of the situation awareness unit as input and outputs an optimal networking path and a corresponding cipher suite combination to the integrated quantum cryptography security gateway module; an on-board data quantum security protection module, connected to the heterogeneous key fusion management module and the dynamic networking policy engine module, used for encrypting data in on-board storage and computation and isolating it in a trusted execution environment, using the session key provided by the heterogeneous key fusion management module according to the policy of the dynamic networking policy engine module; and an inter-satellite blockchain module, connected to the dynamic networking policy engine module, used for constructing a quantum-attack-resistant blockchain network with a consensus mechanism based on a post-quantum cryptographic algorithm, recording security logs and policy change information of the satellite nodes, and achieving distributed collaborative synchronization among the satellite nodes of the networking paths and cipher suite combinations output by the policy decision unit.
  2. The post-quantum cryptography secure networking and data protection device for a space-based orbital data center, characterized in that the integrated quantum cryptography security gateway module comprises a PQC algorithm acceleration unit and a QKD interface unit; the PQC algorithm acceleration unit is a hardware accelerator implemented in a field-programmable gate array or an application-specific integrated circuit and supports the Kyber, Dilithium and Falcon post-quantum algorithms; the QKD interface unit is connected to the satellite-borne quantum key distribution equipment through a high-speed serial interface, obtains quantum keys and stores them in the primary quantum key pool of the heterogeneous key fusion management module; and when the gateway module performs network-access authentication of a satellite node, it first reads the primary quantum key pool of the heterogeneous key fusion management module: if the pool is not empty, a quantum key is read for symmetric-key-based authentication, and if the pool is empty, the Dilithium digital certificate stored by the heterogeneous key fusion management module is read for certificate-based authentication.
  3. The device according to claim 1, wherein the heterogeneous key fusion management module comprises a key fusion unit, and generation of the fused session key by the key fusion unit comprises: reading a quantum key from the primary quantum key pool; obtaining a shared key by executing a post-quantum cryptographic key agreement protocol with the correspondent satellite node; invoking a quantum-resistant hash function with the quantum key and the shared key as input to calculate a first intermediate value; performing a bitwise exclusive OR to obtain a second intermediate value; and performing a bitwise exclusive OR to obtain the fused session key.
  4. The device according to claim 3, wherein the heterogeneous key fusion management module comprises a key life-cycle management unit and a three-level key pool; the three-level key pool comprises a primary quantum key pool, a secondary fused key pool and a tertiary PQC key pool; and the key life-cycle management unit dynamically adjusts the key generation strategy according to the residual quantity of the primary quantum key pool, specifically: preferentially using a quantum key when the residual quantum key quantity is above a first threshold; starting a quantum-enhanced PQC key negotiation protocol when the residual quantum key quantity is between the first threshold and a second threshold; applying the key fusion algorithm when the residual quantum key quantity is between the second threshold and a third threshold; and applying a derivation transform based on historical quantum keys to the PQC key when the residual quantum key quantity is below the third threshold.
  5. The device according to claim 4, wherein the situation awareness unit of the dynamic networking policy engine module comprises a quantum threat detection subunit, and detection by this subunit of whether the inter-satellite link is under quantum computing attack comprises: collecting received optical power time-series data, bit error rate time-series data and signal polarization-state parameters; calculating respectively the received optical power fluctuation variance, the abnormal increment of the bit error rate and the rate of change of the polarization state; calculating a correction factor from the ratio of the bit error rate to a reference bit error rate and using it to correct two of these quantities; calculating a comprehensive threat index from the three resulting quantities; and judging that the link is under attack threat when the comprehensive threat index exceeds a preset threshold.
  6. The device according to claim 5, wherein the policy decision unit is internally provided with a deep reinforcement learning model, and its decision operation comprises: constructing a state space containing the link signal-to-noise ratio, residual key quantity, task priority and comprehensive threat index; constructing an action space containing the next-hop satellite node and the cipher suite; calculating a reward function from the maximum threat index, theoretical available bandwidth and task demand bandwidth of the selected path; and outputting the optimal action with maximization of the cumulative discounted reward as the objective.
  7. The device according to claim 6, wherein the inter-satellite blockchain module comprises a consensus unit and a ledger unit. The consensus unit runs a practical Byzantine fault-tolerant (PBFT) consensus protocol based on the Dilithium digital signature algorithm, with the following operations: 1) when the current primary node fails, each backup node computes the new primary node from the current view number and the node identifiers; 2) the new primary node orders the policy change proposals collected from all satellite nodes to generate a pre-prepare message, signs the digest of the pre-prepare message with the Dilithium algorithm, and broadcasts the signed pre-prepare message to all replica nodes; 3) on receiving the pre-prepare message, each replica node verifies the validity of the Dilithium signature with the primary node's public key and, if verification passes, generates a prepare message, signs it with the node's own Dilithium private key and broadcasts it; 4) in the commit phase, once a node has received the required number of valid prepare messages, a quorum defined in terms of the maximum number of Byzantine nodes the system can tolerate, it generates a commit message, signs it with its own Dilithium private key and broadcasts it; 5) the agreed policy change records are written into the local ledger. The ledger unit stores the blockchain data, including the identity certificate revocation list of the satellite nodes, key update records, the dynamic networking policy change log and threat alarm events, and all ledger data is encrypted for storage with a lattice-based cryptographic algorithm.
  8. The device according to claim 7, wherein the on-board data quantum security protection module comprises an encrypted storage unit, a trusted execution environment unit and an access control unit. The encrypted storage unit encrypts sensitive data in the on-board solid-state memory by slicing the data to be stored into data blocks of 1 MB, generating a 256-bit random file key for each data block, obtaining the public key of an NTRU key pair from the heterogeneous key fusion management module and encrypting the file key with it, encrypting the data block with AES-256-GCM under the file key to obtain a ciphertext block and an authentication tag TAG, and writing the concatenation of the encrypted file key, the ciphertext block and the TAG to the solid-state memory. The trusted execution environment unit builds an isolated execution environment based on ARM TrustZone, loads confidential data processing tasks into it, and ensures that the data is isolated from the normal execution environment at the CPU cache and register level. The access control unit runs a lattice-based attribute-based encryption (ABE) scheme: the data owner defines an access policy tree containing attribute conditions, encrypts the original data with a symmetric key, feeds the symmetric key as plaintext into the ABE encryption algorithm together with the access policy tree to produce a ciphertext policy, and only satellite nodes or ground users whose attributes satisfy the conditions in the access policy tree can decrypt the ciphertext policy with their attribute private key to recover the symmetric key.
  9. The device according to claim 8, wherein the integrated quantum cryptography security gateway module supports a fine-grained encryption policy based on flow tags: the gateway module maintains a flow tag table, each entry of which comprises five-tuple information (source IP address, destination IP address, source port, destination port and protocol type), a data stream priority in the range 0 to 7, a data sensitivity level in the range 0 to 3, and the identifier of the encryption key currently in use; and the packet encryption operation of the gateway module comprises: 1) after receiving a data packet, parsing the packet header and extracting the five-tuple information, the type-of-service field and the destination port number; 2) looking up the flow tag table by the extracted five-tuple, and, if an entry is hit, reading the encryption key corresponding to the key identifier in the entry and encrypting the packet payload with it; 3) if no entry is hit, deriving the data stream priority from the type-of-service field and obtaining the data sensitivity level by looking up the destination port number in a preset port-to-sensitivity-level mapping table; 4) calculating an encryption level from the data stream priority and the data sensitivity level; 5) selecting the encryption mode from the heterogeneous key fusion management module according to the encryption level: at one level the packet payload is not encrypted, at another a pure PQC key is read from the tertiary PQC key pool for encryption, at another the fused session key is read from the secondary fused key pool for encryption, and at another a pure QKD key is read from the primary quantum key pool for encryption; 6) creating a new flow tag entry and writing the extracted five-tuple, the data stream priority, the data sensitivity level and the identifier of the key used into it, so that data packets of the same data flow, with the same source, destination and ports, are processed under the same encryption policy.
  10. The device according to claim 9, wherein the deep reinforcement learning model is pre-trained on the ground and incrementally trained on orbit, comprising: 1) in the ground training stage, constructing a satellite network simulation environment and generating sample data covering different link states, residual key quantities, task priorities and threat levels, taking the state space as input and the action space as output, and performing offline training with a double deep Q-network algorithm, with the reward function as the optimization target, to obtain the initial network parameters; 2) during on-orbit operation, storing the actually collected state transition samples in an experience replay pool, each sample comprising the current state, the executed action, the immediate reward obtained and the next state; 3) randomly sampling mini-batches from the experience replay pool, calculating the target Q value, and updating the network parameters by gradient descent; 4) periodically copying the parameters of the evaluation network to the target network, thereby achieving on-orbit incremental learning.
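Worked example for claims 3 and 4, added here as illustration and not taken from the patent: a Python model of the heterogeneous key fusion management module, showing the threshold-driven choice between the four key regimes and the hash-then-XOR fusion. Everything not stated in the claims is an assumption of this example: SHA3-256 as the quantum-resistant hash, 256-bit keys, the particular XOR operands (the claim's own operands are not legible in this record), the labelled SHA3 derivations standing in for the quantum-enhanced PQC negotiation and the historical-key transform, and the PQC shared secret being passed in by the caller instead of produced by a KEM run.

```python
"""Hybrid QKD/PQC key pools with the claim-4 lifecycle policy (added example,
not the patent's code; operand choices below are assumptions)."""
import hashlib
from collections import deque
from enum import Enum
from typing import Deque, List, Tuple

KEY_LEN = 32  # 256-bit keys throughout (assumption)


class Mode(Enum):
    QKD_ONLY = "pure quantum key"
    QKD_ENHANCED_PQC = "quantum-enhanced PQC key negotiation"
    FUSED = "key fusion algorithm"
    HISTORICAL = "PQC key derived with a historical quantum key"


def select_mode(remaining: int, t1: int, t2: int, t3: int) -> Mode:
    """Claim 4's four regimes, chosen by the residual quantum-key count."""
    if not t1 > t2 > t3 >= 0:
        raise ValueError("thresholds must satisfy t1 > t2 > t3 >= 0")
    if remaining > t1:
        return Mode.QKD_ONLY
    if remaining > t2:
        return Mode.QKD_ENHANCED_PQC
    if remaining > t3:
        return Mode.FUSED
    return Mode.HISTORICAL


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fuse(k_q: bytes, k_p: bytes) -> bytes:
    """Claim 3's shape: one hash, then two XORs. Operands are this example's.

    h   = SHA3-256(k_q || k_p)   first intermediate value
    m   = h XOR k_q              second intermediate value
    k_s = m XOR k_p              fused session key
    Knowing only one of k_q, k_p gives no handle on k_s, since h already
    depends on both; the XORs bind the raw secrets in as well.
    """
    if len(k_q) != KEY_LEN or len(k_p) != KEY_LEN:
        raise ValueError("both inputs must be 256-bit")
    h = hashlib.sha3_256(k_q + k_p).digest()
    return _xor(_xor(h, k_q), k_p)


def _derive(label: bytes, *parts: bytes) -> bytes:
    """Labelled one-way derivation standing in for the two non-fusion modes."""
    return hashlib.sha3_256(label + b"|" + b"|".join(parts)).digest()


class HeterogeneousKeyManager:
    def __init__(self, t1: int, t2: int, t3: int) -> None:
        select_mode(t1 + 1, t1, t2, t3)                 # validate thresholds early
        self.t1, self.t2, self.t3 = t1, t2, t3
        self.quantum_pool: Deque[bytes] = deque()      # primary pool, fed by QKD
        self.fused_pool: List[bytes] = []              # secondary pool
        self.history: Deque[bytes] = deque(maxlen=8)   # consumed quantum keys

    def ingest_qkd_key(self, key: bytes) -> None:
        if len(key) != KEY_LEN:
            raise ValueError("quantum key must be 256-bit")
        self.quantum_pool.append(key)

    def _take_quantum_key(self) -> bytes:
        key = self.quantum_pool.popleft()    # QKD material is one-time use
        self.history.append(key)
        return key

    def session_key(self, pqc_shared: bytes) -> Tuple[Mode, bytes]:
        """pqc_shared stands in for the KEM output of a PQC key agreement."""
        mode = select_mode(len(self.quantum_pool), self.t1, self.t2, self.t3)
        if mode is Mode.QKD_ONLY:
            key = self._take_quantum_key()
        elif mode is Mode.QKD_ENHANCED_PQC:
            key = _derive(b"qkd-enhanced", self._take_quantum_key(), pqc_shared)
        elif mode is Mode.FUSED:
            key = fuse(self._take_quantum_key(), pqc_shared)
            self.fused_pool.append(key)
        else:
            # Pool exhausted: no fresh QKD material is consumed, and the
            # one-time-use guarantee of the other regimes no longer holds.
            if not self.history:
                raise RuntimeError("no historical quantum key available")
            key = _derive(b"historical", self.history[-1], pqc_shared)
        return mode, key
```

The ordering of the regimes is the security point: once the residual quantum-key count drops to the third threshold the manager stops consuming fresh QKD material and derives from the most recent historical quantum key, which forfeits the one-time-use property that justifies the pure-quantum regime. A deployment should bound the time spent in that regime and surface it as a situation-awareness signal rather than treat it as a steady state.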
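Worked example for claim 9, added here and not part of the patent: a Python model of the flow-tag table, from header parsing through the miss path (priority, sensitivity, level, key handle) to the hit path that reuses the stored key identifier. The claim fixes the table layout, the 0 to 7 and 0 to 3 ranges and the four key sources; the IPv4/TCP/UDP packet format, the port-to-sensitivity entries, the default for unmapped ports and the level rule max(sensitivity, priority // 2) are assumptions of this example, since the claim's formula is not legible in this record. Key handles are issued as strings naming the pool; no payload encryption is performed.

```python
"""Flow-tag table and encryption-level selection for the inter-satellite gateway
(added example, not the patent's code)."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed contents of the port-to-sensitivity-level mapping table (claim 9 names
# the table; its entries are not on the page). Unmapped ports are never level 0.
PORT_SENSITIVITY = {22: 3, 8443: 3, 443: 2, 53: 1, 123: 0}
DEFAULT_SENSITIVITY = 1
# Level -> key source, in the order the claim lists them.
KEY_SOURCES = ("plaintext", "tertiary_pqc_pool", "secondary_fused_pool", "primary_qkd_pool")


@dataclass(frozen=True)
class FiveTuple:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int


@dataclass
class FlowEntry:
    priority: int          # 0-7, IP precedence bits of the flow's first packet
    sensitivity: int       # 0-3
    key_id: Optional[str]  # None: level 0, payload left in the clear


@dataclass
class Decision:
    flow: FiveTuple
    level: int
    key_source: str
    key_id: Optional[str]
    cache_hit: bool
    payload: bytes


def parse_headers(pkt: bytes) -> Tuple[FiveTuple, int, bytes]:
    """Five-tuple, IP precedence (0-7) and payload of an IPv4 TCP/UDP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, tos, proto = (pkt[0] & 0x0F) * 4, pkt[1], pkt[9]
    if proto not in (6, 17):
        raise ValueError(f"unsupported transport protocol {proto}")
    hdr_len = 20 if proto == 6 else 8
    if ihl < 20 or len(pkt) < ihl + hdr_len:
        raise ValueError("truncated IP or transport header")
    if proto == 6:
        hdr_len = (pkt[ihl + 12] >> 4) * 4       # TCP data offset, options included
        if hdr_len < 20 or len(pkt) < ihl + hdr_len:
            raise ValueError("bad TCP data offset")
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return FiveTuple(src, dst, sport, dport, proto), tos >> 5, pkt[ihl + hdr_len:]


def encryption_level(priority: int, sensitivity: int) -> int:
    """Assumed combination rule (the claim's formula is not legible here): the
    stronger signal decides, so a sensitive port is never downgraded by a low
    priority and a high-priority flow is never sent in the clear."""
    if not (0 <= priority <= 7 and 0 <= sensitivity <= 3):
        raise ValueError("priority must be 0-7, sensitivity 0-3")
    return max(sensitivity, priority // 2)


class FlowTagGateway:
    def __init__(self) -> None:
        self.table: Dict[FiveTuple, FlowEntry] = {}
        self._issued = 0

    def _issue_key_id(self, level: int) -> Optional[str]:
        """Hand out a handle into the pool named by the level (no real key here)."""
        if level == 0:
            return None
        self._issued += 1
        return f"{KEY_SOURCES[level]}#{self._issued}"

    def process(self, pkt: bytes) -> Decision:
        flow, priority, payload = parse_headers(pkt)                 # step 1
        entry = self.table.get(flow)
        if entry is not None:                                        # step 2: hit
            level = encryption_level(entry.priority, entry.sensitivity)
            return Decision(flow, level, KEY_SOURCES[level], entry.key_id, True, payload)
        sensitivity = PORT_SENSITIVITY.get(flow.dport, DEFAULT_SENSITIVITY)  # step 3
        level = encryption_level(priority, sensitivity)              # step 4
        key_id = self._issue_key_id(level)                           # step 5
        self.table[flow] = FlowEntry(priority, sensitivity, key_id)  # step 6
        return Decision(flow, level, KEY_SOURCES[level], key_id, False, payload)


def make_packet(src, dst, sport, dport, proto, precedence, payload: bytes) -> bytes:
    """Constructed test packet; checksums are zero and are not validated above."""
    if proto == 6:
        transport = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        transport = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(transport) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, precedence << 5, total, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + transport + payload
```

Two checks worth keeping in view: the precedence bits come from the packet itself, so on a link an adversary can inject into, the priority is attacker-influenced and only the node-owned port map should be able to pull a flow down to level 0; and because the hit path trusts the stored entry, a flow keeps its level and key identifier until the entry is evicted, so the table needs an expiry tied to key rotation that the claim does not describe.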

Description

Technical Field

The invention relates to the technical field of space information networks and information security, and in particular to a post-quantum cryptography secure networking and data protection device for a space-based orbital data center.

Background

A space-based orbital data center is a space information processing infrastructure formed by satellite nodes with computing and storage capabilities. It can complete computing tasks such as remote-sensing image processing, data fusion and target recognition on orbit, and has become a key support for global real-time information services. However, the open space environment, the resource-constrained nature of space-based data centers and increasingly severe cyber security threats place extremely high demands on their security capabilities.

The core challenge facing existing space-based network security technology is that the rapid development of quantum computing poses a disruptive threat to traditional public-key cryptosystems. Widely used public-key algorithms such as RSA and ECC can be broken efficiently in a quantum computing environment, invalidating identity authentication, key agreement and other security mechanisms built on the traditional PKI system. At the same time, satellite links are exposed and easy to intercept, tamper with and inject into, and on-board node resources are limited, so the security protection schemes of ground data centers cannot be transplanted directly.

In view of these challenges, two main types of solutions exist in the prior art.
Quantum key distribution (QKD) can achieve key distribution that is unconditionally secure in theory by exploiting the quantum no-cloning principle, but satellite-borne QKD equipment is large in volume, weight and power consumption, is limited by atmospheric windows and pointing accuracy, and cannot easily provide all-weather, full-period coverage. Post-quantum cryptography (PQC) can provide protection against quantum attacks on existing hardware, but key distribution that relies on PQC alone still depends on the traditional PKI trust anchor, leaving security concerns in the key distribution process. In addition, prior-art schemes suffer from significant technical fragmentation: QKD schemes rely on dedicated hardware and have limited coverage, while PQC schemes lack organic fusion with QKD and fail to form complementary advantages. Most schemes also attend only to inter-satellite link communication security and neglect the protection of data during on-orbit storage and computation in the space-based data center, and most security mechanisms are statically configured, so the protection level cannot be adjusted dynamically according to link state, task priority and threat situation.

Disclosure of the Invention

The invention aims to provide a post-quantum cryptography secure networking and data protection device for a space-based orbital data center, in order to solve the technical problems in the prior art that quantum key distribution and post-quantum cryptography are kept separate, that on-board data lacks full-life-cycle protection, and that statically configured security policy cannot adapt to a dynamic network environment, and thereby to realize endogenous security protection of the space-based orbital data center in a quantum computing environment.
To achieve the above object, the invention provides a post-quantum cryptography secure networking and data protection device for a space-based orbital data center, deployed on a satellite node of the space-based orbital data center and comprising: a heterogeneous key fusion management module, used for receiving and storing quantum key distribution (QKD) keys and generated post-quantum cryptography (PQC) key pairs, and for mixing the quantum key and the PQC key through a key fusion algorithm to generate a session key; an integrated quantum cryptography security gateway module, connected to the heterogeneous key fusion management module, used for acquiring a session key from it and, using that session key, performing network-access identity authentication of the satellite node and encrypted transmission of inter-satellite link data; a dynamic networking policy engine module comprising a situation awareness unit and a policy decision unit, wherein the situation awareness unit acquires in real time the satellite node state, inter-satellite link quality, residual key quantity, task priority and external threat signals and outputs them to the policy decision unit, and the policy decision unit is internally provided with a deep reinforcement learning