CN-122028040-A - Satellite identity authentication method based on quantum random number generation technology

Abstract

The invention relates to a satellite identity authentication method based on a quantum random number generation technology, which is characterized in that a ground main control station respectively sends preset root keys to a satellite end and a ground terminal, wherein a Quantum Random Number Generator (QRNG) is arranged in the satellite end, the ground terminal generates a quantum random number (R) and a downlink signaling message to return to the ground terminal after sending an access request signaling to the satellite end, at the moment, the satellite end selects one of symmetrical or asymmetrical algorithm modes to carry out identity authentication according to the length of a signaling frame reserved bit, the ground terminal generates an encryption authentication message by using the preset root key, the satellite end sends an access confirmation signaling after carrying out authentication confirmation on the encryption authentication message, and if the encryption authentication message is not matched with the preset root key, connection is refused and an alarm is triggered.

Inventors

• SHU RONG
• PEI YUYANG
• XIA CONGJUN
• LI ZAIGUANG
• Wang Puju

Assignees

• 中国科学院微小卫星创新研究院
• 弦海（上海）量子科技有限公司

Dates

Publication Date

20260512

Application Date

20260213

Claims (9)

1. 1. The satellite identity authentication method based on the quantum random number generation technology is used for realizing the safe transmission of signaling among a ground main control station, a satellite end and a ground terminal, and is characterized by comprising the following steps: Step S1, a ground main control station respectively stores preset root keys in hardware security modules of a satellite end and a ground terminal, wherein a Quantum Random Number Generator (QRNG) is arranged in the satellite end; step S2, the ground terminal sends an access request signaling to the satellite terminal, wherein the ground terminal sends the access request signaling through a wide beam, and the access request signaling comprises an access signaling field and reserved bits; Step S3, the satellite terminal generates a downlink signaling message and transmits the downlink signaling message and the quantum random number R to the ground terminal, wherein the satellite terminal generates a high-entropy random number R through a built-in Quantum Random Number Generator (QRNG) and transmits the downlink signaling message and the random number R to the ground terminal; S4, the ground terminal generates an uplink signaling message and returns the encrypted authentication message to the satellite terminal, wherein the ground terminal generates the encrypted authentication message by using a preset root key and one of a symmetric algorithm and an asymmetric algorithm according to the received random number R; the encrypted authentication information is coded by adopting a preset coding mode and then returned to the satellite end together with the uplink signaling information; And S5, the satellite terminal generates an authentication confirmation message by using the same random number R and a preset root key and using the same encryption algorithm as the ground terminal, compares the authentication confirmation message with the encryption authentication message, confirms that the access is legal if the authentication confirmation message is matched with the encryption authentication message, issues an access confirmation signaling to the ground terminal, refuses to connect and triggers an alarm if the authentication confirmation message is not matched with the encryption authentication message.
2. 2. The method for authenticating satellite identity based on quantum random number generation technology as claimed in claim 1, wherein the root key is updated periodically in step S1, the ground master station distributes the identical root key K to the satellite terminal and the ground terminal if the system uses a symmetric algorithm mode, and the ground master station generates a pair of root keys including a public key KA transmitted to the satellite terminal and a private key KB transmitted to the ground terminal if the system uses an asymmetric encryption mode.
3. 3. The satellite identity authentication method based on the quantum random number generation technology as claimed in claim 2, wherein: When the system uses a symmetric algorithm mode, the encrypted authentication message is an authentication ciphertext, and the steps S4 and S5 are specifically as follows: Step S4, the ground terminal generates an uplink signaling message and an authentication ciphertext to return to the satellite terminal, wherein the ground terminal utilizes a preset root key K according to a received random number R, a key derivation algorithm SM3 is used for obtaining a derived key K1, the derived key K1 generates the authentication ciphertext C1 through a national encryption symmetric encryption algorithm SM4, and the authentication ciphertext C1 and the uplink signaling message are returned to the satellite terminal after being coded by a preset coding mode; And S5, the satellite terminal generates an authentication ciphertext C2 by using the same random number R, a preset root key K and the same encryption algorithm key derivation algorithm and coding method as those of the ground terminal, compares the authentication ciphertext C2 with the authentication ciphertext C1, confirms access legitimacy and issues an access confirmation signaling to the ground terminal if the authentication ciphertext C2 is consistent and the time stamp does not exceed the effective time window, and refuses connection and triggers an alarm if the authentication ciphertext C2 is not consistent and the time stamp does not exceed the effective time window.
4. 4. The satellite identity authentication method based on the quantum random number generation technology as claimed in claim 2, wherein: when the system uses an asymmetric algorithm mode, the encrypted authentication message is a signature message, and the step S4 and the step S5 specifically comprise the following steps: Step S4, the ground terminal generates an uplink signaling message and a signature message and returns the uplink signaling message to the satellite terminal, and the ground terminal generates a message M1 to be signed by using an asymmetric encryption algorithm according to the received random number R and the uplink signaling message, calls a private key KB, performs digital signature operation on the message M to be signed to generate a signature message D1, and returns the signature message D1 and the uplink signaling message to the satellite terminal; step S5, the satellite terminal uses the same random number R and the same public key KA to carry out signature verification on the signature message D1 by using the same asymmetric encryption algorithm as that of the ground terminal, if the signature verification is successful, the satellite terminal carries out signature verification on the signature message D1 and further verifies whether the communication accords with the expectation, if the communication accords with the expectation, the satellite terminal confirms that the access is legal, issues an access confirmation signaling to the ground terminal, and if the communication does not accord with the expectation, the connection is refused and an alarm is triggered.
5. 5. The method of claim 4, wherein the step S5 is further performed to verify whether the communication meets the expected operation, the step includes the step that the satellite terminal performs consistency check and policy matching check on the binding relation of the ground terminal identifier, the access request parameter, the time stamp, the serial number and the random number R, if the fields are in a preset valid time window and the serial number is not repeated or returned, the communication is judged to meet the expected operation, otherwise, the communication is judged to not meet the expected operation, the connection is refused and an alarm is triggered.
6. 6. The method for authenticating satellite based on quantum random number generation technology of claim 1, wherein in step S2, the reserved bit length is dynamically switched according to bandwidth resources.
7. 7. The method for authenticating satellite identity based on quantum random number generation technology of claim 1, wherein the satellite end uses a satellite-borne security chip or a hardware acceleration module to solve the influence of encryption and decryption steps on communication system delay.
8. 8. The method for authenticating satellite based on quantum random number generation technology of claim 1, wherein the root key is isolated from other operational data, protected from unauthorized access, and stored by encryption means.
9. 9. The method of claim 1, wherein the specific method for determining the length of the reserved bit in step S3 is that if the reserved bit is less than 512 bits, the reserved bit is determined to be shorter, and if the reserved bit is greater than or equal to 512 bits, the reserved bit is determined to be sufficient.

Description

Satellite identity authentication method based on quantum random number generation technology Technical Field The invention relates to the technical field of satellite communication, in particular to a satellite identity authentication method based on quantum random number generation. Background At present, a signaling message in satellite communication generally adopts a transparent transmission mode, and lacks effective identity authentication and encryption protection, so that the satellite communication is vulnerable to various attacks, in particular man-in-the-middle attacks and replay attacks. The traditional identity authentication method based on the asymmetric encryption algorithm is not widely applied in satellite environments with limited resources, particularly in the low-orbit satellite where the terminal needs frequent access and delay sensitivity in the access authentication process due to high calculation overhead and bandwidth occupation. Meanwhile, the existing asymmetric encryption and decryption algorithm is easy to cause a series of problems that a transmission key needs to be changed to a physical layer, signaling encryption and decryption operations are excessively delayed and the like due to the fact that the key length is too complex, the satellite terminal MCU is insufficient in computational power and the like. Disclosure of Invention In order to solve the technical problems, the invention provides an identity authentication method which has low power consumption, low delay and high safety on the basis of ensuring the transparent transmission of satellite communication signaling. The specific technical scheme is as follows: A satellite identity authentication method based on a quantum random number generation technology is used for realizing the safe transmission of signaling among a ground main control station, a satellite end and a ground terminal, and comprises the following steps: Step S1, a ground main control station respectively stores preset root keys in hardware security modules of a satellite end and a ground terminal, wherein a Quantum Random Number Generator (QRNG) is arranged in the satellite end; Step S2, the ground terminal sends an access request signaling to the satellite terminal, wherein the ground terminal sends the access request signaling through a wide beam, and the access request signaling comprises an access signaling field and a reserved bit; Step S3, the satellite terminal generates a downlink signaling message and transmits the downlink signaling message and the quantum random number R to the ground terminal, wherein the satellite terminal generates a high-entropy random number R through a built-in Quantum Random Number Generator (QRNG), the random number R is used for subsequent session key derivation and ensures that key materials in the communication process are not easy to predict; The symmetric algorithm mode has the advantages of simple algorithm, high processing speed, suitability for scenes with fewer reserved bits and more tense bandwidth of signaling frames, and capability of improving safety, wherein the PQC algorithm can effectively prevent a quantum computer from cracking the attack of the public key encryption algorithm, but is relatively complex and suitable for environments needing stronger safety; Meanwhile, the random number R generated by the quantum random number generator QRNG has extremely high entropy, high generation rate and long cracking time, and has small influence on the overall delay caused by the system. S4, the ground terminal generates an uplink signaling message and returns the encrypted authentication message to the satellite terminal, wherein the ground terminal generates the encrypted authentication message by using a preset root key and one of a symmetric algorithm and an asymmetric algorithm according to the received random number R; the encrypted authentication information is coded by adopting a preset coding mode and then returned to the satellite end together with the uplink signaling information; And S5, the satellite terminal generates an authentication confirmation message by using the same random number R and a preset root key and using the same encryption algorithm as the ground terminal, compares the authentication confirmation message with the encryption authentication message, confirms that the access is legal if the authentication confirmation message is matched with the encryption authentication message, issues an access confirmation signaling to the ground terminal, refuses to connect and triggers an alarm if the authentication confirmation message is not matched with the encryption authentication message. Further, in step S1, the root keys are updated periodically, if the system uses a symmetric algorithm mode, the ground master control station distributes the identical root keys K to the satellite end and the ground terminal, and if the system uses an asymmetric encryption mode, the ground master co