Search

CN-122027137-A - Working method and working system of root key center

CN122027137ACN 122027137 ACN122027137 ACN 122027137ACN-122027137-A

Abstract

The application discloses a working method and a working system of a root key center, wherein the method comprises the steps that terminal equipment initiates a registration request to the root key center; the root key center generates a root key file corresponding to the terminal equipment according to the registration request, generates a first key file list according to all the root key files and stores the first key file list in the local area, executes encryption operation on the root key file, generates a second key file list based on the ciphertext of the root key file, issues the second key file list to the terminal equipment according to the information in the registration request, initiates authentication operation to the root key center after the terminal equipment receives the second key file list, and obtains the root key file and stores the root key file in the local area after the authentication is passed. The application ensures the safety of root key generation and distribution, improves the overall robustness of the quantum security network, and simultaneously gives consideration to the convenience of deployment and the high efficiency of operation, thereby having extremely high practical value and popularization prospect.

Inventors

  • CAO FEI
  • YANG GE
  • ZHANG SHIFENG
  • ZHU MENGYA
  • WANG HUI

Assignees

  • 矩阵时光数字科技有限公司

Dates

Publication Date
20260512
Application Date
20260225

Claims (8)

  1. 1. A method of operating a root key center, wherein a party to the method comprises the root key center and at least one terminal device, the method comprising the steps of: step 1, a terminal device initiates a registration request req to a root key center; Step 2, the root key center generates a root key file Rfile corresponding to the terminal equipment according to the registration request req, and generates a first key file list1 according to all generated root key files and stores the first key file list in the local; Step 3, the root key center executes encryption operation on the generated root key file Rfile, generates a second key file list2 based on the encrypted root key file ciphertext enc (Rfile), and issues the second key file list2 to the terminal equipment according to the information in the registration request req; And 4, after receiving the second key file list2, the terminal equipment initiates authentication operation to the root key center, and after passing the authentication, obtains the root key file and stores the root key file locally.
  2. 2. The method according to claim 1, wherein the registration request req includes a hardware code ID of the terminal device itself and a required root key size a, and the specific procedure of step 1 is as follows: The input interface of the root key center receives the registration request req, forwards the registration request req to the registration unit of the root key center, forwards the registration request req to the network access code unit and the issuing unit of the root key center, the network access code unit generates a device number DID for each terminal device, establishes a first corresponding relation between a hardware code ID and the device number DID, and sends the first corresponding relation to the storage unit of the root key center for storage, and the issuing unit stores the hardware code ID.
  3. 3. The method according to claim 2, wherein the specific process of step 2 is: Step 2-1, the network access code unit of the root key center sends the registration request req and the generated device number DID to the key generation unit of the root key center; Step 2-2, a quantum random number generator in a key generation unit generates a root key file Rfile with the size of A according to the root key size A in a registration request req, and records a root key file index RFI corresponding to the root key file Rfile; Step 2-3, the key generating unit establishes a second corresponding relation between the hardware code ID and the device number DID, the root key file index RFI and the root key file Rfile, and sends the second corresponding relation to the storage unit for storage; And 2-4, repeating the steps 2-1 to 2-3 for all the terminal devices by the key generation unit, recording the second corresponding relation of all the terminal devices, sending the second corresponding relation to the storage unit, integrating the first key file list1 by the storage unit and storing the first key file list in the local, and sending a notification of the completion of generating the root key file to the network access code unit by the key generation unit.
  4. 4. The method for operating a root key center according to claim 3, wherein the specific process of step 3 is: Step 3-1, the network access code unit sends the first corresponding relation between the generated device number DID and the hardware code ID to the issuing unit after receiving the notification of the completion of the generation of the root key file sent by the key generating unit; step 3-2, the issuing unit generates an issuing instruction of the corresponding terminal equipment locally according to the hardware code ID in the first corresponding relation and sends the issuing instruction to the key generating unit, wherein the issuing instruction comprises the hardware code ID; the key generating unit negotiates with the terminal equipment through the issuing unit and the output unit according to the issuing instruction to generate a key k1 of a root key file Rfile corresponding to the hardware code ID, and updates the key k1 into a first key file list1 in the storage unit to obtain an updated first key file list1'; Step 3-4, the key generating unit uses the key k1 to execute encryption operation on the root key file Rfile to obtain a root key file ciphertext enc (Rfile) =Rfile @ k1, calculates a first hash value H1 of the root key file ciphertext enc (Rfile), and records a first hash value parameter, namely a character string str1 and an input random number s1; Step 3-5, the key generation unit encapsulates the first hash value H1, the first hash value parameter string str1, the input random number s1 and the root key file ciphertext enc (Rfile) to generate root key file information mes= [ H1, str1, s1, enc (Rfile) ]; The key generation unit establishes a fourth corresponding relation between the hardware code ID, the device number DID and the root key file information mes, and sends the fourth corresponding relation to the issuing unit and the storage unit, and the storage unit stores the fourth corresponding relation; And 3-6, selecting a fourth corresponding relation corresponding to the hardware code ID according to the hardware code ID in the issuing instruction by the issuing unit to generate a second key file list2, and issuing the second key file list2 to corresponding terminal equipment through an output interface.
  5. 5. The method according to claim 4, wherein in step 3-4, the step of calculating the first hash value H1 of the root key file ciphertext enc (Rfile), and recording the first hash value parameter string str1 and inputting the random number s1 comprises: Generating an irreducible polynomial p 1 (x) locally, obtaining an input random number s1 from a quantum random number generator, recording a character string consisting of each coefficient except the highest term in the irreducible polynomial p 1 (x) as str1, generating a first hash function H p1,s1 by using the irreducible polynomial p 1 (x) and the input random number s1, inputting a root key file ciphertext (Rfile) into the first hash function H p1,s1 to obtain a first hash value H1=h p1,s1 (enc (Rfile)), and recording first hash value parameters, namely the character string str1 and the input random number s1.
  6. 6. The method for operating the root key center according to claim 4, wherein the specific process of step 4 is: The terminal equipment obtains the device code DID ' and the root key file information mes ' from the second key file list2 according to the hardware code ID of the terminal equipment, analyzes the root key file information mes ' to obtain a hash value H1', a hash value parameter character string str1', an input random number s1' and a root key file ciphertext enc (Rfil) ', and performs temporary storage processing locally; Step 4-2, the terminal equipment uses the received hash value parameter character string str1 'and the input random number s1' to generate a second hash function H p1',s1' , inputs a root key file ciphertext enc (Rfile) 'into the second hash function H p1',s1' to obtain a second hash value H2=h p1',s1' (enc (Rfile)'), encapsulates the equipment number DID 'and the second hash value H2 to obtain an authentication operation parameter para= [ DID', H2]; The terminal equipment uses the secret key k2 to execute encryption operation on the authentication operation parameter para to obtain authentication operation parameter ciphertext enc (para) = [ DID', H2] k2, encapsulates the hardware code ID of the terminal equipment and the authentication operation parameter ciphertext enc (para), generates authentication data data= [ ID, enc (para) ], and sends the authentication data data= [ ID, enc (para) ] to the root secret key center to initiate an authentication operation request; step 4-3, the input interface of the root key center receives the authentication data' and forwards the authentication data to the authentication unit of the root key center; Step 4-4, the authentication unit executes authentication operation based on the received authentication data ', wherein the authentication unit calls a second corresponding relation, a fourth corresponding relation and a fifth corresponding relation from the storage unit according to the hardware code ID ' in the authentication data ', obtains a negotiated key k2 from the fifth corresponding relation, and executes decryption operation on an authentication operation parameter ciphertext enc (para) by using the key k2 to obtain a device code DID ' and a hash value H2': (1) Comparing whether the device code DID' is consistent with the device code DID in the second corresponding relation and the fourth corresponding relation; (2) Comparing whether the hash value H2' is consistent with a first hash value H1 in root key file information mes in a fourth corresponding relation; Under the condition that the authentication unit judges that the authentication data passes authentication under the condition that the authentication unit (1) and the authentication unit (2) are consistent, the authentication unit sends feedback information passing authentication to the terminal equipment corresponding to the hardware code ID' through the issuing unit and the output interface; And 4-5, receiving feedback information passing authentication by the terminal equipment, performing decryption operation on the temporarily stored root key file ciphertext enc (Rfile) by using the negotiated key k1, obtaining a root key file Rfile, and performing local storage.
  7. 7. A working system of a root key center, applied to the working method of the root key center according to any one of claims 1 to 6, characterized in that the working system comprises the root key center and at least one terminal device connected with the root key center, wherein the terminal device is used for initiating a registration request and an authentication operation request to the root key center, and the root key center is used for generating a corresponding root key file according to the registration request and executing issuing and authentication operations.
  8. 8. The system of claim 7, wherein the root key center comprises an input interface, a registration unit, a network access code unit, a key generation unit, a storage unit, a issuing unit, an authentication unit and an output interface, wherein the input interface is in communication connection with the registration unit and the authentication unit, the registration unit, the network access code unit, the key generation unit, the storage unit, the authentication unit, the issuing unit and the output interface are in communication connection in sequence, and the issuing unit is also in communication connection with the registration unit, the network access code unit and the key generation unit; The input interface is used for receiving a registration request req and authentication data ', forwarding the registration request req to the registration unit and forwarding the authentication data' to the authentication unit; The registration unit is used for forwarding a registration request req to the network access code unit and the issuing unit; The network access code unit is used for generating a device number DID for each terminal device, establishing a first corresponding relation, sending the first corresponding relation to the storage unit for storage, sending a registration request req and the generated device number DID to the key generation unit, and sending the first corresponding relation to the issuing unit after receiving a notification of completion of generation of the root key file sent by the key generation unit; The key generation unit is used for generating a root key file Rfile, negotiating with the terminal equipment through the issuing unit and the output unit to obtain a key k1 and a key k2, performing encryption operation on the root key file Rfile to obtain a root key file ciphertext enc (Rfile), calculating a first hash value H1 of the root key file ciphertext enc (Rfile), recording a first hash value parameter, generating root key file information mes, establishing a second corresponding relation, sending the second corresponding relation to the storage unit for storage, establishing a fourth corresponding relation, sending the fourth corresponding relation to the issuing unit and the storage unit, establishing a fifth corresponding relation, and sending the fifth corresponding relation to the storage unit for storage; The storage unit is used for storing a first corresponding relation, a second corresponding relation, a fourth corresponding relation and a fifth corresponding relation, integrating and forming a first key file list1, storing the first key file list1' after being locally stored and updated; The issuing unit is used for storing hardware coding ID, generating an issuing instruction of corresponding terminal equipment according to the hardware coding ID in the first corresponding relation, selecting a fourth corresponding relation corresponding to the hardware coding ID according to the hardware coding ID in the issuing instruction to generate a second key file list2, issuing the second key file list2 to the corresponding terminal equipment through an output interface, and sending feedback information passing authentication to the corresponding terminal equipment through the output interface after the authentication is passed; The authentication unit is used for executing authentication operation based on the authentication data', and sending feedback information passing authentication to the issuing unit after passing authentication; The output interface is used for issuing the second key file list2 to the corresponding terminal equipment, and sending feedback information passing authentication to the corresponding terminal equipment after the authentication is passed.

Description

Working method and working system of root key center Technical Field The application relates to the technical field of information security, in particular to a working method and a working system of a root key center. Background When a quantum security network is constructed, terminal equipment (such as a quantum key distribution terminal, a security communication module and the like) must complete reliable identity authentication and key initialization before being accessed to the network for the first time after leaving a factory. For this purpose, a trusted root key center is typically required to generate factory cure data and an initial root key file for the device. The root key file is the basis for all subsequent session key derivation, device authentication and encrypted communication, and the security directly determines the security level of the whole network. Currently, the implementation of such systems faces two core challenges, namely, first, the generation of the root key file itself must be highly random, unpredictable and tamper resistant, preventing the key from being speculated or hacked due to insufficient entropy sources of the key or generation algorithm imperfections. Second, it is more critical how to securely issue the generated root key file to terminal devices distributed throughout the area. In a realistic deployment, the network channel between the root key center and the terminal device may be public or not completely trusted, with the risk of interception, interception or tampering. If the root key file leaks during the distribution process, the whole security system will collapse. In the prior art, the distribution is usually performed by manually filling the factory environment through a secure medium (such as a special encrypted U shield) in advance, or relying on a pre-established cable network which is supposed to be absolutely secure. The method has the advantages that when the equipment is large in scale and geographically dispersed, the problems of high logistics cost, low efficiency, easiness in human error or medium loss and the like are faced, and the method has the advantages that the method has unrealistic requirements on the safety of the infrastructure and is difficult to be suitable for a quantum network deployment scene with large-scale and wide-area distribution. Therefore, there is a need for a system and method that ensures secure, reliable, efficient generation and distribution of root key files in an incompletely trusted network environment. Disclosure of Invention The application aims to provide a working method and a working system of a root key center to solve the problems in the background technology. The invention provides a working method of a root key center, wherein a participant of the method comprises the root key center and at least one terminal device, and the method comprises the following steps: step 1, a terminal device initiates a registration request req to a root key center; Step 2, the root key center generates a root key file Rfile corresponding to the terminal equipment according to the registration request req, and generates a first key file list1 according to all generated root key files and stores the first key file list in the local; Step 3, the root key center executes encryption operation on the generated root key file Rfile, generates a second key file list2 based on the encrypted root key file ciphertext enc (Rfile), and issues the second key file list2 to the terminal equipment according to the information in the registration request req; And 4, after receiving the second key file list2, the terminal equipment initiates authentication operation to the root key center, and after passing the authentication, obtains the root key file and stores the root key file locally. As an improvement of the present invention, the registration request req includes a hardware code ID of the terminal device itself and a required root key size a, and the specific procedure of step 1 is as follows: The input interface of the root key center receives the registration request req, forwards the registration request req to the registration unit of the root key center, forwards the registration request req to the network access code unit and the issuing unit of the root key center, the network access code unit generates a device number DID for each terminal device, establishes a first corresponding relation between a hardware code ID and the device number DID, and sends the first corresponding relation to the storage unit of the root key center for storage, and the issuing unit stores the hardware code ID. As an improvement of the invention, the specific process of the step 2 is as follows: Step 2-1, the network access code unit of the root key center sends the registration request req and the generated device number DID to the key generation unit of the root key center; Step 2-2, a quantum random number generator in a key generation unit generates a