
CN-122001582-A - Method for realizing anti-quantum IPsec VPN based on KEM mechanism negotiation


Abstract

The invention discloses a method for realizing anti-quantum IPsec VPN based on KEM mechanism negotiation, aiming at improving the security of IPsec in quantum computing environment. The method realizes algorithms through KEM and integrates the algorithms into IPsec to realize quantum security key negotiation, ensures secure communication under the condition of quantum computing, is applicable to various hardware and software platforms, is compatible with the existing IPsec, and supports smooth upgrading. By implementing the KEM mechanism in IPsec, the method provides a powerful and future reliable solution for network security communication, can effectively resist security threat brought by quantum computation, and improves the security protection capability of an information system.

Inventors

  • HE HONGJIE
  • CHEN WEI
  • GAO DONGQI
  • ZHU ZHENZHONG

Assignees

  • 格尔软件股份有限公司

Dates

Publication Date
20260508
Application Date
20260402

Claims (8)

  1. A method for realizing anti-quantum IPsec VPN based on KEM mechanism negotiation, characterized by comprising the following steps: Step 1, the IKEv2 initial exchange stage, wherein an initiator sends an IKE_SA_INIT request message to a responder, the IKE_SA_INIT request message comprising an algorithm suite list supported by the initiator; the responder returns an IKE_SA_INIT response message to the initiator, containing the algorithm suite selected by the responder; the initiator generates an anti-quantum public-private key pair through the KeyGen operation based on a preset KEM algorithm and sends the anti-quantum public key to the responder in the key exchange payload of the IKE_SA_INIT request message; the responder generates an anti-quantum ciphertext and a shared key through the Encaps operation based on the received anti-quantum public key and sends the anti-quantum ciphertext to the initiator in the key exchange payload of the IKE_SA_INIT response message; and the initiator recovers the shared key through the Decaps operation based on its own anti-quantum private key and the received anti-quantum ciphertext; Step 2, the IKEv2 identity authentication stage, wherein the initiator and the responder exchange IKE_AUTH messages, the IKE_AUTH messages being encrypted and protected using an IKE SA key derived from the shared key; and Step 3, the secure communication stage, wherein the two parties derive an IPsec SA session key based on the shared key and combine it with an encryption algorithm and an authentication algorithm to ensure data transmission security.
  2. The method for realizing anti-quantum IPsec VPN based on KEM mechanism negotiation of claim 1, wherein the KEM algorithm adopted by the initiator and the responder in step 1 is a key encapsulation algorithm based on lattice cryptographic problems.
  3. The method for realizing anti-quantum IPsec VPN based on KEM mechanism negotiation according to claim 1, wherein said key encapsulation algorithm based on lattice cryptographic problems is selected from the group consisting of ML-KEM512, ML-KEM768, ML-KEM1024, KYBER512, KYBER768, KYBER1024, CTRU512, CTRU768 and CTRU1024.
  4. The method of claim 1, wherein step 1 further comprises: the initiator generates an anti-quantum public-private key pair based on the KEM algorithm, the responder generates an anti-quantum ciphertext and a shared key through the Encaps operation based on the received anti-quantum public key, and the initiator recovers the shared key through the Decaps operation.
  5. The method for realizing anti-quantum IPsec VPN based on KEM mechanism negotiation according to claim 1, wherein the derivation from said shared key comprises: performing key derivation on the shared key based on a pseudo-random function and the random numbers of both sides to obtain SKEYSEED; and deriving an IKE SA key based on the SKEYSEED and preset parameters.
  6. The method for realizing anti-quantum IPsec VPN based on KEM mechanism negotiation of claim 1, wherein step 3 comprises deriving an IPsec SA session key based on the IKE SA key, wherein the IPsec SA session key is combined with the SM4-CBC encryption algorithm and the HMAC-SM3 authentication algorithm to ensure data transmission security.
  7. The method for realizing anti-quantum IPsec VPN based on KEM mechanism negotiation of claim 1, further comprising a periodic update mechanism that re-triggers KEM key generation and negotiation after a preset time period or a transmitted-traffic threshold, wherein the KEM private key is held in secure storage and destroyed immediately after use.
  8. The method for realizing anti-quantum IPsec VPN based on KEM mechanism negotiation of claim 1, further comprising hybrid mode support, in which key negotiation is conducted with a traditional DH/ECDH algorithm and a KEM algorithm simultaneously to derive a hybrid shared key.
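
The exchange in claims 1 and 5, as an added example that is not part of the patent text. A toy Diffie-Hellman-style KEM stands in for ML-KEM so the code runs with the standard library only (the stand-in is not quantum-resistant). All function names are hypothetical, and the SKEYSEED and prf+ formulas follow RFC 7296 with the KEM shared key in place of g^ir, HMAC-SHA256 as the PRF and 32-byte keys, which are assumptions the claims do not fix.

```python
import hashlib, hmac, secrets

# Toy DH-style KEM, a stand-in so the example runs offline. NOT quantum-resistant;
# a real deployment calls ML-KEM KeyGen/Encaps/Decaps at these three points.
P, G = 2**127 - 1, 3  # constructed toy group parameters

def kem_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk                      # (public key, private key)

def kem_encaps(pk):
    r = secrets.randbelow(P - 2) + 1
    ss = hashlib.sha256(pow(pk, r, P).to_bytes(16, "big")).digest()
    return pow(G, r, P), ss                       # (ciphertext, shared key)

def kem_decaps(sk, ct):
    return hashlib.sha256(pow(ct, sk, P).to_bytes(16, "big")).digest()

def prf(key, data):
    # Assumption: HMAC-SHA256 as the negotiated PRF (the claims do not name one).
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key, seed, length):
    # RFC 7296 section 2.13: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([i]))
        out += t
        i += 1
    return out[:length]

def derive_ike_keys(shared, ni, nr, spi_i, spi_r):
    # Assumption: RFC 7296 form, with the KEM shared key replacing g^ir.
    skeyseed = prf(ni + nr, shared)
    km = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 7 * 32)
    names = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")
    return {n: km[k * 32:(k + 1) * 32] for k, n in enumerate(names)}

def run_exchange():
    # IKE_SA_INIT request: initiator runs KeyGen and sends pk in the KE payload.
    spi_i, ni = secrets.token_bytes(8), secrets.token_bytes(32)
    pk, sk = kem_keygen()
    # IKE_SA_INIT response: responder runs Encaps and returns ct in the KE payload.
    spi_r, nr = secrets.token_bytes(8), secrets.token_bytes(32)
    ct, ss_r = kem_encaps(pk)
    # Initiator runs Decaps; both sides then derive the same IKE SA keys.
    ss_i = kem_decaps(sk, ct)
    return (derive_ike_keys(ss_i, ni, nr, spi_i, spi_r),
            derive_ike_keys(ss_r, ni, nr, spi_i, spi_r))
```

Only the public key and the ciphertext cross the wire; the shared key never does, and the roles are asymmetric (the initiator alone holds a KEM private key), unlike a DH exchange where both sides send a public value of the same kind.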

Description

Method for realizing anti-quantum IPsec VPN based on KEM mechanism negotiation

Technical Field

The invention belongs to the technical field of network security, and particularly relates to a method for realizing anti-quantum IPsec VPN based on KEM mechanism negotiation. The method aims to improve the security of the IPsec VPN in the quantum computing environment and ensure communication security in the quantum computing age.

Background

IPsec (Internet Protocol Security) is a widely used network security protocol, used extensively in Virtual Private Network (VPN) environments. IKE (Internet Key Exchange) is a key component of IPsec and is responsible for identity authentication, algorithm and key negotiation, and establishing security associations; IPsec relies on IKE to ensure data transmission security. The security of key agreement in existing IKE is based on traditional public key cryptography algorithms.

Recently, the National Institute of Standards and Technology (NIST) initiated the Post-Quantum Cryptography Standardization project, whose results were formally promulgated in 2024 after multiple rounds of evaluation, including the module-lattice-based key encapsulation mechanism ML-KEM (originally CRYSTALS-Kyber). Meanwhile, various key encapsulation mechanisms based on lattice cryptographic problems, such as KYBER and CTRU, have been implemented internationally. Compared to QKD schemes that require specialized equipment, KEM-based schemes have better versatility and compatibility, enabling smooth upgrades without changing the existing network architecture.

However, quantum computers can use the Shor algorithm to quickly factor large integers and solve discrete logarithm problems, thereby quickly cracking traditional public key algorithms based on these problems, such as the RSA and ECC algorithms. With the further development of quantum computing, the security foundation of traditional public key cryptography algorithms is becoming more and more vulnerable, and these algorithms face the risk of being effectively broken.

The quantum-resistant schemes proposed in the past depend on a QKD (quantum key distribution) system, which presents challenges in cost, environmental complexity, and difficulty of popularization and deployment, so that such schemes face a number of inconveniences in practical application, mainly:

(1) High cost: QKD systems require specialized equipment that is expensive, and they require significant engineering effort because existing infrastructure must be modified, which is not conducive to large-scale application.

(2) Increased complexity: introducing a QKD system increases the complexity of the overall system, poses new challenges for implementation, deployment, debugging and troubleshooting, and causes security problems once errors occur.

(3) Poor interoperability: QKD techniques currently lack uniform standards, and it is often difficult for the QKD systems of different vendors to interoperate, limiting the application of QKD in heterogeneous network environments.

These inconveniences severely limit the application of past quantum-attack-resistant schemes in real production environments.

Recently, researchers have proposed anti-quantum cryptography algorithms based on lattices, codes, multivariate problems and the like. Among them, the Key Encapsulation Mechanism (KEM) based on lattice problems, which can dynamically negotiate a shared key, is receiving a great deal of attention for its security and high efficiency, and is considered a powerful method for securing communication in the quantum computing era.

Therefore, how to overcome the reliance of past quantum-attack-resistant schemes on QKD systems, and how to combine KEM with IKE to give the IPsec VPN secure communication capability against quantum attack, has become a problem to be solved.

Disclosure of Invention

The invention aims to provide a method for realizing anti-quantum IPsec VPN based on KEM mechanism negotiation, which solves the problems described in the background above.

In order to achieve the above purpose, the invention provides a method for realizing anti-quantum IPsec VPN based on KEM mechanism negotiation, comprising the following steps:

Step 1, the IKEv2 initial exchange stage, wherein an initiator sends an IKE_SA_INIT request message to a responder, the IKE_SA_INIT request message comprising an algorithm suite list supported by the initiator; the responder returns an IKE_SA_INIT response message to the initiator, containing the algorithm suite selected by the responder; the initiator generates an anti-quantum public-private key pair through the KeyGen operation based on a preset KEM algorithm and sends the anti-quantum public key to the responder through a key exchange payload