
CN-122027325-A - Quantum cryptography-based server secure communication method


Abstract

The invention relates to the technical field of communication security and provides a server secure communication method based on quantum cryptography. The method comprises: collecting communication demand state data, quantum key resource state data and link quality state data in a scheduling period; constructing a burst index and a key supply pressure index; integrating the service priority, the burst index, the key supply pressure index and the key remaining life to calculate an adaptation priority value for each session to be established; integrating the link quality state data, the candidate communication path state and the path assignable key quantity to calculate a risk and key matching score for each candidate communication path; determining the handshake mode of each session to be established from the adaptation priority value and the risk and key matching score; reserving quantum key fragments for the corresponding session according to the handshake mode; establishing a binding relation between the session, the communication path and the key fragments; issuing a communication control instruction; and updating the evaluation parameters and control parameters of the subsequent scheduling period according to the execution result.

Inventors

  • LI TAIYONG
  • CAO JUN
  • LIAO ZHEN
  • ZHANG BIN
  • CHEN JUNLIANG

Assignees

  • 北京合泰信安信息技术有限公司

Dates

Publication Date
2026-05-12
Application Date
2026-03-12

Claims (10)

  1. A method for secure communication of a server based on quantum cryptography, comprising: collecting communication demand state data, quantum key resource state data and link quality state data in a scheduling period from a server cluster boundary node, a quantum key management node and a session proxy node; constructing a burst index based on the communication demand state data, and constructing a key supply pressure index based on the supply-demand relation between the communication demand state data and the quantum key resource state data; calculating the adaptation priority value of each session to be established by integrating the service priority, the burst index, the key supply pressure index and the key remaining life; and reserving quantum key fragments for the corresponding session according to the handshake mode, establishing a binding relationship between the session, a communication path and the key fragments, issuing a communication control instruction, and updating evaluation parameters and control parameters of the subsequent scheduling period according to the execution result.
  2. The method for secure communication of a server according to claim 1, wherein obtaining the communication demand state data, the quantum key resource state data and the link quality state data comprises: collecting the communication demand state data of the current scheduling period through the session proxy nodes, the quantum key resource state data of the current scheduling period through the quantum key management nodes, and the link quality state data of the current scheduling period through the server cluster boundary nodes; the communication demand state data comprise the current window session request number, the historical window average session request number and the service priority; the quantum key resource state data comprise the current key pool allowance, the key production rate per unit time and the key average remaining life; the link quality state data comprise the candidate path error rate, the path trusted node score and the historical path oscillation frequency; and the candidate communication path state is formed by summarizing the historical path oscillation frequency and the path security audit record.
  3. The method for secure communication of a server according to claim 2, wherein constructing the burst index comprises: dividing the difference between the current window session request number and the historical window average session request number by the historical window average session request number to obtain the burst index; setting the burst index to a preset burst maximum value when the historical window average session request number is zero; treating the burst index as a short-time burst state when it is larger than a preset burst threshold, as a slight fluctuation state that does not trigger a burst response when it is larger than zero but does not exceed the preset burst threshold, and as a non-burst state when it is smaller than or equal to zero; and calculating the burst index independently per priority class when session types with different service priorities exist.
  4. The method for secure communication of a server according to claim 2, wherein constructing the key supply pressure index comprises: obtaining the key supply pressure index by multiplying the average key quantity per session by the total current window session request quantity and dividing by the sum of the current key pool allowance and the expected newly produced key quantity; setting the key supply pressure index to a preset pressure maximum value when the sum of the key pool allowance and the expected newly produced key quantity is zero; the expected newly produced key quantity is the product of the key production rate per unit time and the scheduling period duration, and the average key quantity per session is obtained from statistics of the average handshake key consumption of similar sessions; when the key supply pressure index is larger than 1 the system is in a key supply tension state, and when it is smaller than or equal to 1 the system is in a key resource assurance state.
  5. The method for secure communication of a server according to claim 4, wherein obtaining the adaptation priority value and the risk and key matching score comprises: obtaining the adaptation priority value by a weighted linear combination of three positive contribution items, namely the service priority, the burst index and a key remaining life normalization value, and one negative correction item, namely the key supply pressure index, where the key remaining life normalization value is obtained by dividing the key average remaining life by a preset maximum life threshold; and obtaining the risk and key matching score by weighting and summing three positive contribution items, namely a path error rate complement value, the path trusted node score and a path assignable key quantity normalization value, and one negative correction item, namely a historical oscillation frequency normalization value, where the path error rate complement value is obtained by subtracting the current candidate path error rate from 1, the path assignable key quantity normalization value is obtained by dividing the current path assignable key quantity by the maximum assignable key quantity among all candidate paths, and the historical oscillation frequency normalization value is obtained by dividing the path oscillation frequency by a maximum oscillation frequency threshold and is set to 1 when that threshold is exceeded.
  6. The method for secure communication of a server according to claim 5, wherein determining the handshake mode for each session to be established comprises: the handshake mode is selected from a handshake mode, a quantum-priority mixed handshake mode and a session delayed-enqueue mode, and a first threshold and a second threshold are preset; when the adaptation priority value is not lower than the first threshold, the risk and key matching score is not lower than the second threshold and the key supply pressure index is not higher than a preset pressure upper limit, the handshake mode is output; when the adaptation priority value is not lower than the first threshold but the risk and key matching score is lower than the second threshold or the key supply pressure index is higher than the preset pressure upper limit, the quantum-priority mixed handshake mode is output; when the adaptation priority value is lower than the first threshold or no candidate path meets the lowest scoring threshold, the session is delayed and enqueued; a session that was delayed and enqueued leaves the queue and participates in the handshake mode decision of the period once the condition is met; and a session that has not left the queue after the maximum waiting time limit is exceeded is not forcibly assigned the quantum-priority mixed handshake mode.
  7. The method for secure communication of a server according to claim 6, wherein reserving quantum key fragments for a corresponding session according to the handshake mode comprises: obtaining the reserved quantity of quantum key fragments by dividing the sum of the estimated session duration and the actual execution time of the handshake protocol by the communication time that a single key fragment can cover; the integrity of a key fragment is the proportion of effective key bits to the nominal bit length; key fragments whose remaining life is not lower than the estimated session duration and whose integrity is not lower than a preset integrity threshold are preferentially selected; and for sessions in the quantum-priority mixed handshake mode, the reserved quantity is dynamically reduced according to the key supply pressure index.
  8. The method for secure communication of a server according to claim 7, wherein establishing the binding relationship between the session, the communication path and the key fragments comprises: recording the binding relation as a triplet of a session identifier, a target communication path identifier and a key fragment index; the session identifier is allocated by the session proxy node when the session establishment request is initiated and is globally unique; the target communication path identifier is obtained by the server cluster boundary node numbering each candidate path; the key fragment index is obtained by the quantum key management node addressing each key fragment storage position; and after the triplet binding relation is established, the corresponding key fragment is marked as reserved and no longer participates in the key fragment competition of other sessions.
  9. The method for secure communication of a server according to claim 8, wherein updating the evaluation parameters and control parameters of the subsequent scheduling period comprises: the evaluation parameters comprise the historical window length used in the burst index calculation, the scheduling period duration used in the key supply pressure index calculation and the maximum oscillation frequency threshold used in the risk and key matching score; when the handshake success rate is lower than a preset success rate lower limit and the path oscillation frequency is not higher than a preset oscillation frequency upper limit, the scheduling period duration is shortened; when the handshake success rate is lower than the preset success rate lower limit and the path oscillation frequency is higher than the preset oscillation frequency upper limit, the maximum oscillation frequency threshold is reduced and the second threshold is raised at the same time; when the key expiration wave rate is higher than a preset wave rate upper limit, the historical window length is shortened; and when the path oscillation frequency is higher than the preset oscillation frequency upper limit, the maximum oscillation frequency threshold is reduced.
  10. The method for secure communication of a server according to claim 8, further comprising: after issuing the communication control instruction, continuously acquiring the path error rate, the trusted node state and the path oscillation count of the target communication path of each established session at sub-period intervals to construct a path degradation index; when the path degradation index exceeds a preset path degradation threshold, freezing key consumption on the current path, recalculating the risk and key matching score of each candidate path, selecting a new target communication path, releasing the key fragments reserved on the original path, re-reserving on the new path, updating the triplet binding relation, and issuing a path switching and key updating control instruction; setting the path degradation index directly to its maximum value when the trusted state of any forwarding node becomes unreliable, which immediately triggers reassignment; and after a reassignment is triggered, applying a cooling mechanism that suspends path degradation detection for two sub-periods.
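The scheduling metrics of claims 3 to 7 carried through in code, as an added example that is not part of the patent. The weights, thresholds and sample values are assumptions (the patent does not fix them), and rounding the reservation count up in `reserved_fragments` is also an assumption.

```python
from math import ceil

# Preset constants from claims 3 and 4 (values assumed; the patent does not fix them).
BURST_MAX = 10.0        # preset burst maximum, used when the historical average is zero
BURST_THRESHOLD = 0.5   # preset burst threshold
PRESSURE_MAX = 100.0    # preset pressure maximum, used when supply is zero

def burst_index(current_requests, hist_avg_requests):
    """Claim 3: (current window requests - historical average) / historical average."""
    if hist_avg_requests == 0:
        return BURST_MAX
    return (current_requests - hist_avg_requests) / hist_avg_requests

def burst_state(b):
    """Claim 3 state classification; only 'short-time burst' triggers a burst response."""
    if b > BURST_THRESHOLD:
        return "short-time burst"
    return "slight fluctuation" if b > 0 else "non-burst"

def key_supply_pressure(avg_keys_per_session, current_requests,
                        pool_remaining, production_rate, period):
    """Claim 4: expected key demand / (pool remaining + keys produced this period)."""
    supply = pool_remaining + production_rate * period
    if supply == 0:
        return PRESSURE_MAX
    return avg_keys_per_session * current_requests / supply

def adaptation_priority(service_priority, b, pressure, avg_key_life, max_life,
                        w=(0.4, 0.2, 0.2, 0.3)):
    """Claim 5: weighted positive terms minus a pressure correction (weights assumed)."""
    life_norm = min(avg_key_life / max_life, 1.0)
    return w[0] * service_priority + w[1] * b + w[2] * life_norm - w[3] * pressure

def path_match_score(error_rate, trusted_score, assignable_keys, max_assignable,
                     osc_freq, max_osc, w=(0.3, 0.3, 0.3, 0.1)):
    """Claim 5 risk and key matching score for one candidate path (weights assumed)."""
    osc_norm = min(osc_freq / max_osc, 1.0)   # set to 1 above the threshold
    return (w[0] * (1 - error_rate) + w[1] * trusted_score
            + w[2] * assignable_keys / max_assignable - w[3] * osc_norm)

def handshake_mode(apv, best_score, pressure, t1, t2, pressure_cap, min_score):
    """Claim 6 decision for one session, given the score of its best candidate path."""
    if apv < t1 or best_score < min_score:
        return "delayed enqueue"
    if best_score >= t2 and pressure <= pressure_cap:
        return "handshake"
    return "quantum-priority mixed handshake"

def reserved_fragments(session_duration, handshake_time, per_fragment_coverage):
    """Claim 7 reservation count; rounding up is an assumption."""
    return ceil((session_duration + handshake_time) / per_fragment_coverage)
```

With the constructed inputs in the test, a burst of 180 requests against a 100-request history under a tight key pool yields pressure above the cap, so the session lands in the mixed handshake mode; relaxing the pressure moves it to the plain handshake mode.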

Description

Quantum cryptography-based server secure communication method

Technical Field

The invention relates to the technical field of communication security, in particular to a server secure communication method based on quantum cryptography.

Background

In the high-sensitivity server control plane secure communication scenario of a cross-data-center AI scheduling cluster, a large number of short, high-frequency secure sessions must be continuously initiated between servers around task orchestration, parameter synchronization, scheduling token exchange, permission verification result transfer and node state confirmation. Although the data volume of each session is small, this communication pattern places very high demands on latency, key switching continuity, link stability and consistency of security level, and during cluster burst scheduling and cross-domain cooperation the quantum key supply rhythm easily falls out of step with the control plane session establishment rhythm, so that the outcome of secure communication establishment for different servers in the same period becomes unstable.

The prior art generally generates key material through a quantum key distribution link or a quantum random source before a server communicates and writes the quantum key into a key pool through a key management node; when the server needs to establish a secure session it extracts a key from the key pool and completes session establishment in combination with TLS, IPsec or a custom secure channel, and for the case of insufficient quantum link resources some schemes also adopt a mixed mode of traditional public key exchange and a post-quantum algorithm to maintain communication continuity.

However, in the high-frequency burst control plane communication scenario, the existing layered processing approach cannot continuously match and distribute the large number of secure communication requests that arrive in a concentrated manner within a short time according to session priority, latency requirement and security level requirement. Because a real-time collaborative allocation mechanism for burst control plane requests is lacking, handshake queuing, link fluctuation and inconsistent security policy easily occur when high-frequency short sessions arrive in a concentrated manner, and in the end quick response and long-term stability are difficult to achieve at the same time.

Disclosure of Invention

In view of the above problems, a server secure communication method based on quantum cryptography is proposed. In order to at least partially solve the above technical problems, the present invention provides a server secure communication method based on quantum cryptography, comprising: collecting communication demand state data, quantum key resource state data and link quality state data in a scheduling period from a server cluster boundary node, a quantum key management node and a session proxy node; constructing a burst index based on the communication demand state data, and constructing a key supply pressure index based on the supply-demand relation between the communication demand state data and the quantum key resource state data; calculating the adaptation priority value of each session to be established by integrating the service priority, the burst index, the key supply pressure index and the key remaining life; and reserving quantum key fragments for the corresponding session according to the handshake mode, establishing a binding relationship between the session, a communication path and the key fragments, issuing a communication control instruction, and updating evaluation parameters and control parameters of the subsequent scheduling period according to the execution result.

As a preferred embodiment, obtaining the communication demand state data, the quantum key resource state data and the link quality state data includes: collecting the communication demand state data of the current scheduling period through the session proxy nodes, the quantum key resource state data of the current scheduling period through the quantum key management nodes, and the link quality state data of the current scheduling period through the server cluster boundary nodes; the communication demand state data comprise the current window session request number, the historical window average session request number and the service priority; the quantum key resource state data comprise the current key pool allowance, the key production rate per unit time and the key average remaining life; the link quality state data comprise the candidate path error rate, the path trusted node score and the historical path oscillation frequency; and the candidate communication path state is formed by summarizing the historical path oscillation frequency and the path security audit record. The key supply pressure index