Search

CN-122027204-A - PQC-SM2 hybrid authentication and encryption service security communication system and method

CN122027204ACN 122027204 ACN122027204 ACN 122027204ACN-122027204-A

Abstract

The invention discloses a PQC-SM2 mixed authentication and encryption service security communication system, a method, a device, equipment and a medium, wherein the method comprises the steps of carrying out bidirectional identity authentication processing with a service receiver under the condition that a new service request is requested by service and/or the identity authentication time exceeds a preset time threshold; after the two-way identity authentication processing is passed, a preset quantum algorithm and a preset national encryption algorithm are applied to negotiate a session key with the service receiver, the service request is encrypted according to the session key, the encrypted service request is sent to the service receiver, the encrypted service response data is received and decrypted according to the session key, the service corresponding to the service request is completed according to the service response data, the potential safety risk or the applicability limitation of a key negotiation link is effectively avoided, and the overall safety of service data transmission is comprehensively ensured.

Inventors

  • WU QIAN
  • XIONG YUCAI
  • ZHANG JIAN
  • WU WEIWEI
  • Zha Jiangjiang

Assignees

  • 中电信量子信息科技集团有限公司

Dates

Publication Date
20260512
Application Date
20251229

Claims (18)

  1. 1. A PQC-SM2 hybrid authenticated and encrypted service security communication system, comprising a service initiator and a service receiver: The service initiator is used for carrying out bidirectional identity authentication processing with the service receiver under the condition that the new service request and/or the identity authentication time exceeds a preset time threshold value, negotiating a session key with the service receiver by applying a preset quantum algorithm and a preset national encryption algorithm after the bidirectional identity authentication processing is passed, encrypting the service request according to the session key, sending the encrypted service request to the service receiver, receiving encrypted response data, decrypting the encrypted response data according to the session key, and completing the service corresponding to the service request according to the response data; The service receiving party is used for carrying out bidirectional identity authentication processing with the service initiating party, the bidirectional identity authentication processing is initiated by the service initiating party, after the bidirectional identity authentication processing is passed, a preset post-quantum algorithm and a preset national encryption algorithm are applied to negotiate a session key with the service initiating party, an encryption service request sent by the service initiating party is received, the encryption service request is decrypted according to the session key, service response data are determined according to the service request, the service response data are encrypted according to the session key, and the encrypted service response data are sent to the service initiating party.
  2. 2. The PQC-SM2 hybrid authentication and encryption service security communication system of claim 1 wherein the identity authentication response includes a receiver identity authentication signature including a receiver national encryption algorithm signature and a receiver postquantum algorithm signature, the service initiator being configured to determine an initiator identity authentication signature based on a preset initiator signature certificate, the initiator identity authentication signature including a national encryption algorithm signature and an initiator postquantum algorithm signature; The two-way identity authentication request comprises an initiator identity authentication signature and a preset key parameter, the service receiver is used for receiving the two-way identity authentication request sent by the service initiator, the initiator national encryption algorithm signature and the initiator post-quantum algorithm signature are verified according to a preset receiver root certificate, after the initiator national encryption algorithm signature and the initiator post-quantum algorithm signature pass through according to the preset receiver root certificate, the receiver identity authentication signature is determined according to a preset receiver signature certificate, the receiver identity authentication signature is determined according to the receiver national encryption algorithm signature and the receiver post-quantum algorithm signature, the identity authentication response is determined according to the receiver identity authentication signature and the preset key parameter, and the identity authentication response is sent to the service initiator.
  3. 3. The PQC-SM2 hybrid authentication and encryption service security communication system of claim 2 wherein the authentication response includes key agreement data, the service initiator being configured to initiate a session key agreement request with the service receiver to determine a session key based on the key agreement data by applying a pre-set post-quantum algorithm and a pre-set national encryption algorithm to negotiate a session key with the service receiver if authentication of the service receiver is successful; The service receiver is used for determining key negotiation data according to the preset key parameter, the key negotiation data is used for initiating a session key negotiation request by the service initiator, and the identity authentication signature of the receiver and the key negotiation data are used as identity authentication response.
  4. 4. The PQC-SM2 hybrid authentication and encryption service security communication system of claim 3 wherein the key agreement data comprises a preset receiver signed certificate, a receiver negotiating encryption public key, the service initiator is configured to determine a shared key ciphertext and a shared ciphertext according to the receiver negotiating encryption public key, the receiver negotiating encryption public key is determined according to a preset post quantum algorithm, an initiator random number is determined, a receiver national public key is determined according to the preset receiver signed certificate, an initiator ciphertext is determined according to the receiver national public key and the initiator random number, the shared key ciphertext and the initiator ciphertext are transmitted to a service receiver, and a session key is determined according to the negotiation response parameter, the shared ciphertext and a preset initiator national private key. The preset key parameter comprises a preset initiator signature certificate, the service receiver is used for determining a shared key ciphertext and an initiator ciphertext according to the session key negotiation request, decrypting the shared key ciphertext according to a preset receiver decryption private key, determining a shared ciphertext, determining a receiver decryption private key according to a preset post quantum algorithm, decrypting the initiator Fang Miwen according to a preset receiver national private key, determining an initiator random number according to the preset receiver national private key, determining an initiator national public key according to the preset initiator signature certificate, determining a receiver random number, determining a receiver ciphertext according to the initiator national public key and the receiver random number, determining an intermediate key according to the initiator random number, the receiver random number and the shared ciphertext, determining a session key and a receiver key verification parameter according to the intermediate key, taking the receiver ciphertext and the receiver key verification parameter as negotiation response parameters, and returning the negotiation response parameters to the service initiator.
  5. 5. The PQC-SM2 hybrid authentication and encryption service security communication system of claim 4 wherein the negotiation response parameters include a receiver ciphertext and a receiver key verification parameter, the service initiator is configured to determine a receiver nonce based on the receiver ciphertext and the preset initiator ciphertext private key, determine an intermediate key based on the initiator nonce, the receiver nonce, and the shared ciphertext, determine an initiator key verification parameter and a candidate session key based on the intermediate key, and take the candidate session key as a session key if the receiver key verification parameter passes based on the initiator key verification parameter.
  6. 6. A method of PQC-SM2 hybrid authentication and encryption service security communication, for use with a service initiator, the method comprising: Under the condition that the service request and/or the identity authentication time exceeds a preset time threshold, carrying out bidirectional identity authentication processing with a service receiver; after the bidirectional identity authentication processing is passed, a preset post quantum algorithm and a preset national encryption algorithm are applied to negotiate a session key with the service receiver; Encrypting the service request according to the session key; The encrypted service request is sent to the service receiver, so that the service receiver decrypts the encrypted service request according to the session key, determines the service request, determines service response data according to the service request, encrypts the service response data according to the session key, and sends the encrypted response data to a service initiator; receiving the encrypted service response data, and decrypting the encrypted service response data according to the session key; And completing the service corresponding to the service request according to the service response data.
  7. 7. The PQC-SM2 hybrid authentication and encryption service security communication method of claim 6 wherein the authentication response includes a receiver authentication signature including a receiver national encryption algorithm signature and a receiver postquantum algorithm signature, the two-way authentication process with the service receiver comprising: determining an initiator identity authentication signature according to a preset initiator signature certificate, wherein the initiator identity authentication signature comprises a national cryptographic algorithm signature and an initiator post quantum algorithm signature; The initiator identity authentication signature and a preset key parameter are sent to the service receiver, so that the service receiver completes identity authentication according to the initiator national encryption algorithm signature and the initiator post quantum algorithm signature, and an identity authentication response is determined and returned according to the preset key parameter and a preset receiver signature certificate; receiving the identity authentication response; And verifying the national cryptographic algorithm signature of the receiver and the post quantum algorithm signature of the receiver according to a preset initiator root certificate.
  8. 8. The PQC-SM2 hybrid authentication and encryption service security communication method of claim 7 wherein the authentication response includes key agreement data and the application of a pre-set post-quantum algorithm and a pre-set national encryption algorithm negotiates session keys with the service recipient after the two-way authentication process passes, comprising: Under the condition that the identity verification of the service receiver is successful, according to the key negotiation data, a preset quantum algorithm and a preset national encryption algorithm are applied to negotiate a session key with the service receiver to initiate a session key negotiation request to the service receiver, and the session key is determined.
  9. 9. The PQC-SM2 hybrid authentication and encryption service security communication method of claim 8 wherein the key agreement data includes a preset recipient signed certificate, a recipient negotiating encryption public key, the applying a preset post quantum algorithm and a preset national encryption algorithm to negotiate a session key with the service recipient to initiate a session key negotiation request to the service recipient based on the key agreement data, determining a session key comprises: Determining a shared secret key ciphertext and a shared ciphertext according to the receiver negotiation encryption public key, wherein the receiver negotiation encryption public key is determined according to a preset quantum algorithm; Determining an initiator random number, and determining a receiver national secret public key according to the preset receiver signature certificate; Determining Fang Miwen to initiate according to the recipient national secret public key and the initiator random number; The shared secret key ciphertext and the initiator ciphertext are sent to a service receiver, so that the service receiver determines a session key and key verification parameters according to the shared secret key ciphertext and the initiator Fang Miwen, and returns the negotiation response parameters to the service initiator; and determining a session key according to the negotiation response parameter, the shared ciphertext and a preset initiator country secret key.
  10. 10. The PQC-SM2 hybrid authentication and encryption service security communication method of claim 9 wherein the negotiation response parameters include a receiver ciphertext and a receiver key verification parameter, and the determining the session key based on the negotiation response parameters, the shared ciphertext and a preset initiator national secret key comprises: determining a receiver random number according to the receiver ciphertext and the preset initiator national secret private key; Determining an intermediate key according to the initiator random number, the receiver random number and the shared ciphertext; determining an initiator key verification parameter and a candidate session key according to the intermediate key; And under the condition that the receiving party key verification parameter passes according to the initiating party key verification parameter, taking the candidate session key as a session key.
  11. 11. A method of PQC-SM2 hybrid authentication and encryption service security communication, for use with a service receiver, the method comprising: Performing bidirectional identity authentication processing with a service initiator, wherein the bidirectional identity authentication processing is initiated by the service initiator; After the bidirectional identity authentication processing is passed, a preset post quantum algorithm and a preset national encryption algorithm are applied to negotiate a session key with a service initiator; Receiving an encrypted service request sent by the service initiator; decrypting the encrypted service request according to the session key; Determining service response data according to the service request; encrypting the service response data according to the session key; And sending the encrypted service response data to the service initiator so that the service initiator decrypts the encrypted service response data according to the session key, determines the service response data, and completes the service corresponding to the service request according to the response data.
  12. 12. The PQC-SM2 hybrid authentication and encryption service security communication method of claim 11 wherein the two-way authentication request includes an initiator identity authentication signature and a preset key parameter, the initiator identity authentication signature includes a national encryption algorithm signature and an initiator post quantum algorithm signature, the two-way identity authentication with the service initiator includes: receiving a bidirectional identity authentication request sent by a service initiator; Verifying the national cryptographic algorithm signature of the initiator and the post-initiator quantum algorithm signature according to a preset receiver root certificate; after verifying that the national cryptographic algorithm signature of the initiator and the post-initiator quantum algorithm signature pass according to a preset receiver root certificate, determining a receiver identity authentication signature according to a preset receiver signature certificate, wherein the receiver identity authentication signature comprises a receiver national cryptographic algorithm signature and a receiver post-quantum algorithm signature; determining an identity authentication response according to the identity authentication signature of the receiver and the preset key parameter; And sending the identity authentication response to the service initiator so that the service initiator verifies the national cryptographic algorithm signature of the receiver and the post quantum algorithm signature of the receiver according to a preset initiator root certificate.
  13. 13. The PQC-SM2 hybrid authentication and encryption service security communication method of claim 12 wherein the determining an authentication response based on the recipient authentication signature and the preset key parameters comprises: Determining key negotiation data according to the preset key parameter, wherein the key negotiation data is used for initiating a session key negotiation request by the service initiator; And taking the identity authentication signature of the receiver and the key negotiation data as an identity authentication response.
  14. 14. The PQC-SM2 hybrid authentication and encryption service security communication method of claim 13 wherein the preset key parameters include a preset initiator signature certificate and the negotiating a session key with the service initiator using a preset post-quantum algorithm and a preset national encryption algorithm after the two-way authentication process is passed includes: determining a shared key ciphertext and an initiator ciphertext according to the session key negotiation request; Decrypting the shared secret key ciphertext according to a preset receiver decryption private key to determine a shared secret key; Decrypting the initiation Fang Miwen according to a preset receiver national secret private key to determine an initiator random number, wherein the preset receiver national secret private key is determined according to a preset national secret algorithm; determining an initiator national secret public key according to the preset initiator signature certificate; determining a receiver random number, and determining a receiver ciphertext according to the initiator national secret key and the receiver random number; Determining an intermediate key according to the initiator random number, the receiver random number and the shared ciphertext; determining a session key and a receiver key verification parameter according to the intermediate key; And taking the receiver ciphertext and the receiver key verification parameter as negotiation response parameters, and returning the negotiation response parameters to the service initiator so that the service initiator determines a session key according to the negotiation response parameters and the shared ciphertext.
  15. 15. A PQC-SM2 hybrid authenticated and encrypted service security communication device for use with a service initiator, the device comprising: The initiator bidirectional authentication module is used for carrying out bidirectional identity authentication processing with the service receiver under the condition that the service request new service request and/or the identity authentication time exceeds a preset time threshold; The initiator negotiates a session key module, which is used for negotiating a session key with the service receiver by applying a preset post quantum algorithm and a preset national encryption algorithm after the two-way identity authentication processing is passed; A service request encryption module for encrypting the service request according to the session key; A service request sending module, configured to send the encrypted service request to the service receiver, so that the service receiver decrypts the encrypted service request according to the session key, determines the service request, determines service response data according to the service request, encrypts the service response data according to the session key, and sends the encrypted response data to a service initiator; the service response data receiving module is used for receiving the encrypted service response data and decrypting the encrypted service response data according to the session key; And the service completion module is used for completing the service corresponding to the service request according to the service response data.
  16. 16. A PQC-SM2 hybrid authentication and encryption service security communication device for use with a service receiver, the device comprising: the receiver identity authentication module is used for carrying out bidirectional identity authentication processing with a service initiator, wherein the bidirectional identity authentication processing is initiated by the service initiator; The receiver negotiates a session key module, which is used for negotiating a session key with a service initiator by applying a preset post quantum algorithm and a preset national encryption algorithm after the two-way identity authentication process is passed; A service request receiving module, configured to receive an encrypted service request sent by the service initiator; the service request decryption module is used for decrypting the encrypted service request according to the session key; the service response data determining module is used for determining service response data according to the service request; a service response data encryption module for encrypting the service response data according to the session key; and the service response data transmitting module is used for transmitting the encrypted service response data to the service initiator so that the service initiator decrypts the encrypted service response data according to the session key, determines the service response data and completes the service corresponding to the service request according to the response data.
  17. 17. An apparatus comprising a processor, a memory, and a program or instruction stored on the memory and executable on the processor, which when executed by the processor, performs the steps of the PQC-SM2 hybrid authentication and encryption service security communication method as recited in claims 6-10 or 11-14.
  18. 18. A readable storage medium, wherein a program or instructions is stored on the readable storage medium, which when executed by a processor, implements the steps of the PQC-SM2 hybrid authentication and encryption service security communication method as recited in claims 6-10 or 11-14.

Description

PQC-SM2 hybrid authentication and encryption service security communication system and method Technical Field The invention belongs to the field of secure communication, and particularly relates to a PQC-SM2 hybrid authentication and encryption service secure communication system, a method, a device, equipment and a medium. Background With the deep development of network services, the security and applicability of session keys are more highly required by secure communication between service systems. At present, in the session key negotiation process, a part of service systems adopt a single cipher algorithm system, and cannot fully cope with diversified security challenges and compliance scenes, so that potential security risks or applicability limitations exist in a key negotiation link, and the overall security guarantee of service data transmission is affected. Disclosure of Invention In view of the foregoing, embodiments of the present invention are provided to overcome the foregoing problems of failing to adequately cope with diversified security challenges and compliance scenarios, resulting in potential security risks or limitations of applicability in a key negotiation link, and affecting overall security of service data transmission, or to at least partially solve the foregoing problems, a PQC-SM2 hybrid authentication and encryption service security communication system, method, apparatus, device, and medium. In a first aspect, the embodiment of the invention provides a PQC-SM2 hybrid authentication and encryption service security communication system, which comprises a service initiator and a service receiver, wherein the service initiator is used for performing bidirectional identity authentication processing with the service receiver under the condition that a new service request and/or an identity authentication time exceeds a preset time threshold value, negotiating a session key with the service receiver by applying a preset quantum algorithm and a preset national encryption algorithm after the bidirectional identity authentication processing is passed, encrypting the service request according to the session key, sending the encrypted service request to the service receiver, receiving encrypted response data, decrypting the encrypted response data according to the session key, and completing a service corresponding to the service request according to the response data; The service receiving party is used for carrying out bidirectional identity authentication processing with the service initiating party, the bidirectional identity authentication processing is initiated by the service initiating party, after the bidirectional identity authentication processing is passed, a preset post-quantum algorithm and a preset national encryption algorithm are applied to negotiate a session key with the service initiating party, an encryption service request sent by the service initiating party is received, the encryption service request is decrypted according to the session key, service response data are determined according to the service request, the service response data are encrypted according to the session key, and the encrypted service response data are sent to the service initiating party. Optionally, the identity authentication response comprises a receiver identity authentication signature, the receiver identity authentication signature comprises a receiver national cryptographic algorithm signature and a receiver post quantum algorithm signature, the service initiator is used for determining an initiator identity authentication signature according to a preset initiator signature certificate, the initiator identity authentication signature comprises the national cryptographic algorithm signature and the initiator post quantum algorithm signature, the initiator identity authentication signature and a preset key parameter are sent to the service receiver; The two-way identity authentication request comprises an initiator identity authentication signature and a preset key parameter, the service receiver is used for receiving the two-way identity authentication request sent by the service initiator, the initiator national encryption algorithm signature and the initiator post-quantum algorithm signature are verified according to a preset receiver root certificate, after the initiator national encryption algorithm signature and the initiator post-quantum algorithm signature pass through according to the preset receiver root certificate, the receiver identity authentication signature is determined according to a preset receiver signature certificate, the receiver identity authentication signature is determined according to the receiver national encryption algorithm signature and the receiver post-quantum algorithm signature, the identity authentication response is determined according to the receiver identity authentication signature and the preset key parameter, and the identity authentication respon