Search

CN-122027153-A - Quantum key remote safe injection method and system based on PQC and zero trust

CN122027153ACN 122027153 ACN122027153 ACN 122027153ACN-122027153-A

Abstract

The application relates to the technical field of quantum communication, discloses a quantum key remote safe injection method and a system based on PQC and zero trust, and aims to solve the problems of high calculation cost of post quantum authentication, difficult adaptation of a resource-limited terminal and lack of continuous verification capability. The method comprises the steps of presetting a secret seed, enabling a terminal to generate a disturbance public key based on the seed and a basic temporary public key and to initiate a request, enabling a server to conduct implicit authentication by comparing the disturbance public key and to execute key encapsulation to generate a session key, enabling the server to encrypt a quantum key and to sign and send the quantum key, and enabling the terminal to use a basic private key to unpack after signature verification to obtain the quantum key. The system comprises a key injection server, a terminal security agent and a disturbance function module. The application integrates authentication logic into a cryptography primitive algebra structure, realizes internal biochemistry and light weight of authentication, obviously reduces terminal power consumption and storage occupation, enhances the capability of resisting resource exhaustion attack, and meets the continuous verification requirement of a zero trust architecture.

Inventors

  • WANG ZIXIANG
  • SUN XIN
  • Lv Bang
  • MAO YINING
  • HAN JIAJIA
  • WANG YILEI
  • ZHENG LI
  • ZHENG XIANSHUN
  • PAN YAN

Assignees

  • 国网浙江省电力有限公司电力科学研究院

Dates

Publication Date
20260512
Application Date
20260410

Claims (10)

  1. 1. The quantum key remote safe injection method based on PQC and zero trust is characterized by comprising the following steps: Signing the key pair for the quantum cipher after the key injection, distributing a secret seed, binding the secret seed with a terminal unique identifier and registering the secret seed with an identity management database; Locally generating a basic temporary key pair formed by a basic temporary public key and a basic temporary private key, calculating a disturbance seed based on a current system time stamp, a secret seed and the basic temporary public key, generating a disturbance polynomial through the disturbance seed, and calling a disturbance function to accumulate the disturbance polynomial on a polynomial vector component so as to generate a disturbance public key; Searching a corresponding secret seed based on the unique identifier of the terminal, calculating to obtain an expected disturbance public key, realizing implicit identity authentication by comparing the received disturbance public key with the expected disturbance public key, and then performing key encapsulation by using the disturbance public key to generate a post-quantum cryptography session key and a corresponding encapsulation ciphertext; The method comprises the steps of obtaining a quantum key, symmetrically encrypting by utilizing a post quantum password, and digitally signing key control information comprising a session key characteristic value, a quantum key ciphertext and a request time stamp by utilizing a self long-term signature private key; And verifying the validity of the digital signature, performing unpacking operation on the packed ciphertext by using a basic temporary private key, counteracting the offset introduced by the disturbance public key, extracting and decrypting by using the post quantum cryptography session key to obtain the quantum key.
  2. 2. The method of quantum key remote secure injection based on PQC and zero trust according to claim 1, wherein the process of processing the secret seed further comprises: The secret seed is stored in a hardware security module, a trusted execution environment or a physical unclonable function unit inside the terminal equipment; Performing physical level isolation protection on the secret seed by the hardware security module, the trusted execution environment or the physically unclonable function unit to ensure that the secret seed is not visible outside the controlled execution environment; And the key injection server carries out association mapping on the secret seed and the unique identifier of the terminal in the identity management database, and configures a corresponding seed version number for the secret seed.
  3. 3. The method of quantum key remote secure injection based on PQC and zero trust according to claim 1, wherein the process of calculating the perturbation seed comprises: acquiring a current system time stamp and performing discretization processing by using a preset time step to generate a current time window identifier; Invoking a secure hash algorithm, and performing cascading hash operation on the secret seed, the time window identifier and the basic temporary public key; generating the disturbance seed with time-varying characteristics and identity-related characteristics through the cascade hash operation, wherein the disturbance seed dynamically changes along with the replacement of the time window.
  4. 4. The method of quantum key remote secure injection based on PQC and zero trust according to claim 1, wherein the process of generating the perturbation polynomial comprises: initializing a predetermined deterministic random number generator by using the perturbation seed based on a lattice post quantum cryptography algorithm specification; extracting coefficients conforming to a preset distribution from the deterministic random number generator, wherein the preset distribution is represented as a central binomial distribution; Constructing a small norm polynomial which is equivalent to the endogenous noise level of the post quantum cryptography algorithm in terms of norm size based on the extracted coefficients, and taking the small norm polynomial as the disturbance polynomial; And when the disturbance function executes accumulation operation, keeping the dimension and algebraic domain attribute of the disturbance public key consistent with the basic temporary public key, and introducing controlled algebraic offset on coefficient distribution only.
  5. 5. The method for remotely and securely injecting a quantum key based on PQC and zero trust according to claim 1, wherein the process of generating the post quantum cryptography session key and the corresponding encapsulated ciphertext comprises: acquiring a current time window and at least one adjacent historical time window to compensate time asynchronism caused by network transmission delay; for each acquired time window, respectively combining the retrieved secret seed with the basic temporary public key to calculate a corresponding expected disturbance public key; comparing the received disturbance public key with each expected disturbance public key; and when the received disturbance public key is matched with any one of the expected disturbance public keys, judging that the identity authentication passes.
  6. 6. A quantum key remote secure injection system based on PQC and zero trust, which adopts the quantum key remote secure injection method based on PQC and zero trust as claimed in any one of claims 1 to 5, and is characterized in that the system comprises: The system comprises a receiving end, a key injection server, a quantum key management server, a target terminal, a quantum key management server and a quantum key management server, wherein the key injection server and the receiving end in the quantum key distribution equipment are cooperatively arranged in the same safety domain and serve as an authorization agent of the receiving end to execute a service end function; the system comprises a remote terminal device, a terminal security agent, a quantum key management server and a remote terminal device, wherein the terminal security agent is operated in a controlled execution environment of the remote terminal device and is used as a client of the system; A perturbation function module configured as a deterministic algebraic processing unit receiving as input a basic temporary public key and a perturbation polynomial derived from the secret seed, outputting a perturbed public key algebraically structurally associated with the basic temporary public key but containing an identity feature offset, the perturbation function module ensuring that the offset is within the error correction threshold range of the post quantum cryptography algorithm.
  7. 7. The quantum key remote secure injection system of claim 6, wherein the key injection server employs an asynchronous processing architecture: the key injection server decouples the front-end identity comparison filtering logic from the rear-end key encapsulation operation logic; In the identity comparison stage, the key injection server pre-authenticates the injection request by executing low-overhead disturbance public key consistency comparison; The key injection server controls the processing cost of the single illegal request within a preset time threshold, and filters the illegal request by utilizing the pre-authentication mechanism so as to construct the capability of defending against denial of service attack; and after the pre-authentication is passed, the key injection server triggers a key encapsulation function at the back end to execute asymmetric cryptographic operation.
  8. 8. The PQC and zero trust based quantum key remote secure injection system of claim 6, wherein the key injection server is configured to perform a replay attack blocking check: after the identity authentication is passed, the key injection server checks whether the characteristic value of the disturbance public key received currently is processed within a preset historical time threshold value or not by inquiring a cache database; If the record of the characteristic value exists in the cache database, judging that the attack is replay and rejecting the injection request; And if the record of the characteristic value does not exist in the cache database, storing the characteristic value into the cache database and setting the expiration time.
  9. 9. The PQC and zero trust based quantum key remote secure injection system of claim 6, wherein the system is configured to support secret seed online secure rotation: packaging the packaged ciphertext, the encrypted quantum key and the digital signature into a response packet; the key injection server generates a new secret seed when generating a response packet, and encrypts the new secret seed and the quantum key together through a post-quantum cryptography session key; The terminal security agent extracts the new secret seed after successfully decrypting and acquiring the quantum key; the terminal security agent replaces the old secret seed stored locally by the new secret seed according to the sent updating instruction, and updates the local seed version number; And the key injection server synchronously updates the corresponding secret seed record in the identity management database to realize forward security.
  10. 10. The PQC and zero trust based quantum key remote secure injection system of claim 6, wherein the system is configured to perform a geospatial feature based zero trust duration verification: The terminal security agent acquires the current geographic position coordinate of the terminal equipment when the injection request is initiated, and takes the geographic position coordinate as one of inputs of cascade hash operation to generate disturbance seeds containing geographic space characteristics; the terminal security agent generates the disturbance public key containing the geographic space characteristic offset through the disturbance function; After receiving the injection request, the key injection server verifies whether the terminal equipment operates in an authorized area or not by utilizing the received geographic position coordinates; the key injection server judges that the terminal equipment meets zero trust continuous verification criteria under the double conditions that the disturbance public key comparison passes and the geographic position coordinate verification passes; The key injection server supports a batch processing mode, and a plurality of quantum key pairs are injected in a single-established secure channel in a segmented encryption mode.

Description

Quantum key remote safe injection method and system based on PQC and zero trust Technical Field The invention belongs to the technical field of quantum communication, and particularly relates to a quantum key remote safe injection method and system based on PQC and zero trust. Background With the rapid development of quantum computing technology, the traditional public key cryptosystem based on large integer decomposition or discrete logarithm problem is facing serious challenges of being rapidly cracked, and Post Quantum Cryptography (PQC) is used as a key technology for guaranteeing that a future information system resists quantum attack, and has become a research hotspot in the fields of network security and secret communication. In complex application scenarios such as wide area internet of things (IoT), smart power grids and the like, the deep fusion of Quantum Key Distribution (QKD) technology and classical communication networks has important strategic significance in constructing a distributed key management system with a high security level. The Authentication Key Exchange (AKE) protocol is used as a core link for establishing a secure communication channel, and directly determines the security and reliability of the remote key injection process. Aiming at mass and resource-limited terminal equipment of the Internet of things, how to realize light-weight and high-efficiency identity authentication and session key negotiation and ensure the end-to-end safety of the key injection process under the premise of ensuring the quantum attack resistance strength is a key technical direction for overcoming the urgent need in the field of the current quantum safety communication and zero trust architecture. The prior art mainly has the following defects that firstly, an explicit authentication mode based on digital signatures shows extremely high calculation cost and storage occupation under a post quantum algorithm environment, so that an internet of things terminal with limited resources is difficult to bear performance burden caused by signature generation and verification, secondly, the existing lightweight authentication scheme often carries out simple superposition on authentication logic and a key exchange process in a protocol layer, deep fusion on a cryptography primitive layer cannot be realized, so that the extremely limited terminal still faces significant power consumption and delay challenges when independent key encapsulation operation is executed, and secondly, the existing system lacks built-in resource depletion attack resistance, a server side needs to input a large amount of calculation resources to process encapsulation requests before identity confirmation, denial of service attack is extremely easy to cause system crash, and finally, the traditional authentication mechanism is mostly dependent on static trust credentials, lacks continuous verification capability on terminal identity and calculation process, is difficult to meet security criteria which are never trusted and always verified under a zero architecture, and the problems jointly lead to efficiency and security hidden danger of a quantum key remote injection process, so that the development of the remote security scheme which can realize the internal authentication logic, has the capability of resisting quantum key injection and is particularly important. Disclosure of Invention The invention aims to make up the defects of the prior art and provides a quantum key remote safe injection method and system based on PQC and zero trust. Aiming at the problems of computational overhead, storage occupation, communication delay and the like in the traditional digital signature-based post quantum password authentication mode in the internet of things terminal with limited resources, the invention realizes the internal growth and the light weight of the authentication process by deeply fusing the identity authentication logic into the algebraic structure of the post quantum key encapsulation mechanism, combines the continuous verification principle in a zero trust architecture, and improves the anti-attack capability and the operation efficiency of the quantum key injection process. In order to achieve the purpose, the invention provides the following technical scheme that a quantum key remote safe injection method based on PQC and zero trust is provided, and the method comprises the following steps: signing the key pair for the quantum cipher after the key injection, distributing a secret seed, binding the secret seed with a terminal unique identifier and registering the secret seed with an identity management database of the key injection server; locally generating a basic temporary key pair formed by a basic temporary public key and a basic temporary private key, calculating a disturbance seed based on a current system time stamp, the secret seed and the basic temporary public key, driving a deterministic random number generator by th