CN108111301B - Method and system for implementing SSH protocol based on post-quantum key exchange - Google Patents

Abstract

The invention belongs to the field of information technology, and in particular relates to a method and a system for realizing SSH protocol based on post-quantum key exchange. The method includes: the client and the server respectively calculate a public and private key pair; calculate the client's temporary session public key, and send the client's public key and the client's temporary session public key to the server; the server authenticates the client; calculating the server Temporary session public key; calculate the server temporary session variable and temporary session error correction variable, and the initial seed of the server shared key; the server uses the post-quantum algorithm to generate the final server shared key for this session; Authentication; the client calculates the client's temporary session variable and the initial seed of the client's shared key through the server's identity authentication; the client uses the post-quantum algorithm to generate the final client's shared key for this session. The method and its system can effectively resist quantum computer attacks and ensure network security.

Description

Method and system for realizing SSH protocol based on post-quantum key exchange

Technical Field

The invention belongs to the technical field of information, and particularly relates to a method for realizing an SSH protocol based on post-quantum key exchange and a system for realizing the SSH protocol based on the post-quantum key exchange.

Background

With the continuous development of computer networks, the network scale becomes larger and larger, and the demand of people for remote login functions, such as configuration and management of remote servers, is also promoted. SSH (secure shell) is one of the most widely used telnet protocols at present, and compared with other protocols providing telnet, SSH can provide various security services such as authentication of both communication parties, encrypted transmission of communication data, integrity check and the like.

The SSH protocol standard specifies a layered architecture of SSH, as shown in the SSH protocol architecture diagram shown in fig. 1, which includes three parts, namely a transport layer protocol, user authentication and a connection layer protocol, where the transport layer protocol is located at the bottom layer of SSH, can provide security services such as key agreement, data encryption, identity authentication, and the like, and is a basis for SSH to provide secure remote login. At present, the key negotiation part in the SSH transport layer is completed by a DH (Diffie-Hellman) algorithm, i.e. two communication parties negotiate a shared key on the public network by using the DH algorithm, and the shared key is used for encrypting and decrypting all data to be transmitted, thereby ensuring the security of the session. The key agreement algorithm plays a key role in the SSH protocol, and must have a sufficiently high security, and the security of the current DH algorithm depends on the difficulty of solving discrete logarithms. The discrete logarithm problem can only be solved in exponential time using today's computer files. However, with the advent of quantum computers and quantum algorithms, the discrete logarithm problem has proven to be solved in polynomial time with quantum computers, which means that DH algorithms are no longer as secure in the quantum era.

On one hand, in order to prevent the DH algorithm from being attacked by man-in-the-middle, SSH needs to support not only the DH algorithm but also RSA, SHA256, and the like in the key agreement phase, and the complexity is relatively high. On the other hand, the quantum cryptography technology has been developed rapidly. The research of these quantum cryptography techniques seriously threatens the current public key cryptography system depending on the digital theory, and brings a serious threat to the security of SSH, and the proposal of Shor algorithm makes the cryptographic algorithm depending on the discrete logarithm difficulty no longer so secure, and the DH algorithm also faces a huge challenge, if the DH algorithm cannot guarantee the security of the shared key negotiated by both communication parties, then the SSH provides security service. With the deep research of quantum algorithm, the problem of discrete logarithm is easy and convenient to solve, the shared secret key negotiated by the DH algorithm is easy to break, and the SSH provides security service and is seriously questioned.

In addition, a plurality of security holes are exposed in SSH at the present stage, and particularly, in the process of establishing connection by the SSH protocol, whether two communication parties are illegally invaded or controlled is not verified, the two communication parties cannot determine the credible state of the opposite end and cannot determine whether the opposite end is invaded or illegally controlled by an attacker, so that an attack opportunity is provided for the attacker. Although the existing SSH protocol has many advantages and many users, it still has some vulnerabilities and disadvantages, such as being easily attacked by ciphertext selection and SQL injection, and thus, the improvement of the existing problems becomes a technical problem to be solved.

Disclosure of Invention

The technical problem to be solved by the present invention is to provide a method for implementing an SSH protocol based on post-quantum key exchange and a system for implementing an SSH protocol based on post-quantum key exchange, which use quantum cryptography theory knowledge to achieve the purpose of resisting quantum computer attacks and ensure network security, in order to overcome the above-mentioned disadvantages in the prior art.

The technical scheme adopted for solving the technical problem of the invention is that the method for realizing the SSH protocol based on the post-quantum key exchange comprises a key exchange step, wherein the key exchange step comprises the following steps:

the client and the server randomly sample from the Gaussian distribution of the first parameter, and respectively calculate a public and private key pair of the client and a public and private key pair of the server;

the client randomly samples from the Gaussian distribution of the second parameter, calculates a client temporary session public key, and sends the client public key and the client temporary session public key to the server;

the server receives the client public key and the client temporary session public key, performs identity verification on the client, and if the verification fails, the server directly disconnects the link, otherwise performs the next step;

calculating a server temporal session public key from the random sampling on the gaussian distribution of the second parameter;

the server calculates a server temporary session variable and a temporary session error-eliminating variable according to the client temporary session public key, the client vector, the server temporary session public key, the server vector and the random sampling of the server on the Gaussian distribution of the first parameter and the second parameter, and further calculates a server shared key initial seed according to the server temporary session variable and the temporary session error-eliminating variable;

the server generates a final server shared key of the session by using a post-quantum algorithm according to the client vector, the server vector, the client temporary session public key, the server temporary session public key, the temporary session error-eliminating variable and the initial seed of the server shared key;

the client performs identity authentication on the server according to the server public key;

the client side calculates a client side temporary session variable according to a client side temporary session public key, a client side vector, a server temporary session public key and random sampling of the client side on Gaussian distribution of a first parameter and a second parameter through identity authentication of a server, and further calculates a client side shared key initial seed according to the client side temporary session variable and a temporary session error-eliminating variable;

the client generates a final client shared key of the session by using a post-quantum algorithm according to the client vector, the server vector, the client temporary session public key, the server temporary session public key, the temporary session error-eliminating variable and the client shared key initial seed;

and if the authentication of either the server or the client can not be passed, the key exchange is terminated.

Preferably, the server temporary session public key k_sComprises the following steps:

k_s＝(p_cc+x)(s_sd+r_s)+2g_s

wherein:

c＝H₁(client, server, x), which is a client vector;

x＝ar_c+2f_ca client side temporary session public key;

r_ciand f_ciGaussian distribution χ of beta from second parameter for client_βQ is a positive integer;

d＝H₁(server, client, y, x), which is a server vector;

y＝ar_s+2f_sa server temporary session public key;

r_si，f_si，g_sifor server from the Gaussian distribution χ with second parameter β_βQ is a positive integer;

p_c＝as_c+2e_cis a client public key;

s_ciand e_ciFrom the first parameter of the client to the alpha Gaussian distribution x_αA random sampling value of (1), q is a positive integer, s_cStill the client private key;

and the temporary session error-elimination variable w is:

w＝Cha(k_s)

wherein: cha () is a feature correlation function.

Preferably, according to (w, y, p)_s) Server shared secret key initial seed sigma_sComprises the following steps:

σ_s＝Mod₂(k_s,w)

wherein: mod₂() Modulo-2 function, Mod₂(v,w)＝(v+w·(q-1)/2)mod q mod 2，q mod 2n＝1，

Unit matrix

v∈M_q，w∈{0,1}；

Server shared secret sk_sComprises the following steps:

sk_s＝H(client,server,x,y,w,σ_s)。

preferably, the client temporary session variable k_cComprises the following steps:

k_c＝(p_sd+y)(s_cc+r_c)+2g_c

wherein:

g_cifor server from the Gaussian distribution χ with second parameter β_βQ is a positive integer;

p_s＝as_s+2e_sis a server public key;

s_siand e_siFor the server, from the first parameter of alpha Gaussian distribution x_αA random sampling value of (1), q is a positive integer, s_sStill the server private key.

Preferably, according to (w, y, p)_s) Client sharing key initial seed sigma_cComprises the following steps:

σ_c＝Mod₂(k_c,w)

wherein: mod₂() Modulo-2 function, Mod₂(v,w)＝(v+w·(q-1)/2)mod q mod 2，q mod 2n＝1，

Unit matrix

v∈M_q，w∈{0,1}；

Client shared secret sk_cComprises the following steps:

sk_c＝H(client,server,x,y,w,σ_c)。

preferably, before the key exchanging step, the method further comprises: the step of verifying the credible states of the two communication parties comprises the following steps:

sending a request for verifying the credible state of the client to a server;

after receiving a request of a client, a server randomly generates a first random number with M bits, and sends the first random number and a request for verifying the self credibility state to the client, wherein M is a natural number;

after receiving the first random number and the verification request, the client correspondingly generates an M-bit second random number, measures the integrity of the trusted request, encrypts the first random number, the configuration register value and the measurement log SML, and sends an encryption result, the second random number and the TPM public key to the server;

after receiving the data, the server judges whether the client is the first client requesting to establish SSH connection, if so, checks whether a trusted certificate exists locally, and if so, directly performs the next step; otherwise, the integrity measurement is requested to the local machine credibility, then the second random number, the configuration register value of the second random number and the measurement log SML are encrypted, and the encryption result and the TPM public key are sent to the client side together;

the server verifies the credibility state of the client according to the data sent by the client, if the client passes the verification, a credibility verification passing certificate is generated, the certificate comprises the client IP, the unique identifier of the client, the IP and the identifier of the local server, the time for generating the certificate and the validity period of the certificate, the TPM public key sent by the client is used for encryption, and the encryption result and the verification passing information are sent to the client together;

after the client receives the data, the client verifies the credible state of the server, if the verification is passed, the client also generates a credible certificate, the content comprises the server IP, the unique identifier of the server, the IP and the identifier of the local client, the time for generating the certificate and the validity period of the certificate, the TPM public key sent by the server is used for encryption, and the encryption result and the verification passing information are sent to the server together;

after receiving the trusted voucher, the server decrypts the trusted voucher by using the TPM private key of the server and stores the trusted voucher in the local area, so that the trusted states of the server and the server pass verification, and otherwise, the server is directly disconnected.

A system for realizing SSH protocol based on post-quantum key exchange comprises a key exchange module, wherein the key exchange module comprises a first key unit, a second key unit, a first verification unit and a second verification unit, wherein:

the first key unit is located in the server and used for completing the following functions:

randomly sampling from the Gaussian distribution of the first parameter, and calculating a public and private key pair of the server;

after the first verification unit passes the identity authentication of the client, calculating a server temporary session public key from random sampling on Gaussian distribution of a second parameter;

calculating a server temporary session variable and a temporary session error-eliminating variable according to the client temporary session public key, the client vector, the client temporary server vector and the random sampling of the server on the Gaussian distribution of the first parameter and the second parameter;

calculating a server shared key initial seed according to the server temporary session variable and the temporary session error-eliminating variable;

generating a final server shared key of the session by using a post-quantum algorithm according to the client vector, the server vector, the client temporary session public key, the server temporary session public key, the temporary session error-eliminating variable and the initial seed of the server shared key;

the first verification unit is positioned in the server and used for receiving the client public key and the client temporary session public key and verifying the identity of the client, if the verification cannot pass, the server directly disconnects the link, otherwise, the server performs subsequent authentication;

the second key unit is located at the client and used for completing the following functions:

randomly sampling from the Gaussian distribution of the first parameter, and calculating a public-private key pair of the client;

randomly sampling from the Gaussian distribution of the second parameter, calculating a client temporary session public key, and sending the client public key and the client temporary session public key to a server;

after the second verification unit passes the identity authentication of the server, calculating a client temporary session variable according to the client temporary session public key, the client vector, the server temporary session public key and the random sampling of the client on the Gaussian distribution of the first parameter and the second parameter, and further calculating a client shared key initial seed according to the client temporary session variable and the temporary session error-eliminating variable;

generating a final server shared key of the session by using a post-quantum algorithm according to the client vector, the server vector, the client temporary session public key, the server temporary session public key, the temporary session error-eliminating variable and the client shared key initial seed;

and the second verification unit is positioned at the client and used for verifying the identity of the server according to the server public key, terminating the key exchange if the verification cannot pass, and otherwise, performing subsequent authentication.

Preferably, in the first key unit:

server temporary session public key k_sComprises the following steps:

k_s＝(p_cc+x)(s_sd+r_s)+2g_s

wherein:

c＝H₁(client, server, x), which is a client vector;

x＝ar_c+2f_ca client side temporary session public key;

r_ciand f_ciGaussian distribution χ of beta from second parameter for client_βQ is a positive integer;

d＝H₁(server, client, y, x), which is a server vector;

y＝ar_s+2f_sa server temporary session public key;

r_si，f_si，g_sifor server from the Gaussian distribution χ with second parameter β_βQ is a positive integer;

p_c＝as_c+2e_cis a client public key;

s_ciand e_ciFrom the first parameter of the client to the alpha Gaussian distribution x_αA random sampling value of (1), q is a positive integer, s_cStill the client private key;

and the temporary session error-elimination variable w is:

w＝Cha(k_s)

wherein: cha () is a feature correlation function;

according to (w, y, p)_s) Server shared secret key initial seed sigma_sComprises the following steps:

σ_s＝Mod₂(k_s,w)

wherein: mod₂() Modulo-2 function, Mod₂(v,w)＝(v+w·(q-1)/2)mod q mod 2，q mod 2n＝1，

Unit matrix

v∈M_q，w∈{0,1}；

Server shared secret sk_sComprises the following steps:

sk_s＝H(client,server,x,y,w,σ_s)。

preferably, in the second key unit,

client temporary session variable k_cComprises the following steps:

k_c＝(p_sd+y)(s_cc+r_c)+2g_c

wherein:

g_cifor server from the Gaussian distribution χ with second parameter β_βQ is a positive integer;

p_s＝as_s+2e_sis a server public key;

s_siand e_siFor the server, from the first parameter of alpha Gaussian distribution x_αA random sampling value of (1), q is a positive integer, s_sStill the server private key;

and, according to (w, y, p)_s) Client sharing key initial seed sigma_cComprises the following steps:

σ_c＝Mod₂(k_c,w)

wherein: mod₂() Modulo-2 function, Mod₂(v,w)＝(v+w·(q-1)/2)mod q mod 2，q mod 2n＝1，

Unit matrix

v∈M_q，w∈{0,1}；

Client shared secret sk_cComprises the following steps:

sk_c＝H(client,server,x,y,w,σ_c)。

preferably, the system further comprises a verification trusted module to verify the trusted status of the two communication parties, where the verification trusted module includes a first trusted unit located in the server and a second trusted unit located in the client, and is configured to perform the following functions:

the second trusted unit sending a request to verify a client trusted status to the first trusted unit;

after receiving a request of a client, the first trusted unit randomly generates an M-bit first random number, and sends the first random number and a request for verifying the trusted state of the first trusted unit to the second trusted unit, wherein M is a natural number;

after receiving the first random number and the verification request, the second trusted unit correspondingly generates an M-bit second random number, then requests the TPM for integrity measurement, encrypts the first random number, the configuration register value and the measurement log SML, and sends an encryption result, the second random number and the TPM public key to the first trusted unit;

after receiving the data, the first trusted unit judges whether the client is the first client requesting to establish SSH connection, if so, checks whether a trusted certificate exists locally, and if so, directly performs the next step; otherwise, the integrity measurement is requested to the local trust, then the second random number, the configuration register value of the second random number and the measurement log SML are encrypted, and the encryption result and the TPM public key are sent to the second trust unit;

the first trusted unit verifies the trusted state of the client according to the data sent by the second trusted unit, if the verification is passed, a trusted verification passing certificate is generated, the certificate comprises a client IP, a client unique identifier, an IP and an identifier of a local server, time for generating the certificate and a certificate validity period, and is encrypted by using a TPM public key sent by the client, and an encryption result and verification passing information are sent to the client together;

after the client receives the data, the trusted state of the server is verified, if the data passes the verification, the second trusted unit also generates a trusted certificate, the content comprises a server IP, a server unique identifier, an IP and an identifier of the local client, the time for generating the certificate and the certificate validity period, the TPM public key sent by the server is used for encryption, and the encryption result and the verification passing information are sent to the first trusted unit together;

and after receiving the trusted credential, the first trusted unit decrypts the trusted credential by using the TPM private key of the first trusted unit and stores the trusted credential in the local area, so that the trusted states of the first trusted unit and the trusted unit pass verification, and otherwise, the first trusted unit and the trusted unit are directly disconnected.

The invention has the beneficial effects that: according to the method for realizing the SSH protocol based on the post-quantum key exchange and the system for realizing the SSH protocol based on the post-quantum key exchange, the post-quantum key exchange protocol and the credible authentication method are used for solving some potential threats of the SSH protocol. The post-quantum key exchange protocol can solve the problem that the shared key at the key exchange stage in the current SSH protocol is possibly broken, and the trusted authentication can solve the problem that platforms of two parties using the SSH protocol for communication are not trusted.

Drawings

FIG. 1 is a schematic diagram of SSH protocol architecture;

FIG. 2 is a flow diagram of a prior art SSH protocol telnet;

fig. 3 is a flowchart of key exchange in a method for implementing an SSH protocol based on post-quantum key exchange according to embodiment 1 of the present invention;

fig. 4 is a flowchart of a trusted certification process in the method for implementing the SSH protocol based on post-quantum key exchange according to embodiment 1 of the present invention.

Detailed Description

In order to make those skilled in the art better understand the technical solution of the present invention, the following describes in detail a method for implementing an SSH protocol based on post-quantum key exchange and a system for implementing an SSH protocol based on post-quantum key exchange according to the present invention with reference to the accompanying drawings and the detailed description.

The technical idea of the invention is as follows: until now, the improvement of the SSH protocol at present is the improvement by using the modern cryptography technology, and the improvement by using the quantum cryptography technology is not involved. The present invention utilizes quantum cryptography to improve the above-mentioned technical problems. The quantum algorithm can solve the discrete logarithm problem in polynomial time, and ensures the states of two communication parties to be credible before SSH connection is established, so as to take the safety and credibility of the SSH protocol into account.

The invention provides an improved method for trusted SSH protocol authentication based on a post-quantum key exchange algorithm. After the trusted verification passes, SSH utilizes a post quantum key exchange algorithm to complete a key agreement stage and a two-party identity authentication stage between a client and a remote server, and the changed users do not need to care about a bottom layer implementation principle and change a previous login method. The method has the advantages of strong user transparency, high speed, simple and easily understood algorithm, and capability of providing the function of the post-quantum computer on the one hand, namely preventing the shared secret key generated by both communication parties from being broken by the quantum computer on the premise of not reducing the original SSH remote login security; on the other hand, the trusted status of both the client and the server can be verified.

Example 1:

the embodiment provides a method for realizing an SSH protocol based on post-quantum key exchange, which can effectively prevent a shared key generated by a communication client and a server from being broken by a quantum computer; on the other hand, the trusted status of both the client and the server can be verified.

The protocol structure of the improved SSH scheme is a three-layer architecture specified in the current SSH protocol, and the specific protocol architecture refers to fig. 1. The SSH comprises a transmission layer, user authentication and connection establishment from bottom to top in sequence, and the session establishment process comprises version negotiation, algorithm negotiation and key negotiation, user authentication and connection request.

Currently, the flow of telnet between two communicating parties using SSH protocol is shown in fig. 2.

First, version negotiation: the client and the server mutually send own protocol version number and software version number to carry out version negotiation so as to determine whether to continue the session, and the following steps are carried out after the version negotiation is successful. The information sent at this stage is transmitted in a plaintext mode;

and secondly, algorithm negotiation: the client and the server respectively send a public key algorithm list, an encryption algorithm list, a compression algorithm list and the like supported by the client and the server, and the client and the server negotiate various algorithms to be used finally in the session according to the algorithms supported by the client and the server. Wherein, although the key agreement algorithm can be agreed in theory, in practice, SSH must support DH algorithm only and only at present;

thirdly, key agreement: the client and the server negotiate a shared key using a DH key exchange algorithm. At this stage, the RSA algorithm and the SHA256 algorithm are required to assist, so that the probability of being broken is reduced;

fourthly, user authentication: the client sends the user password to the server in a ciphertext mode, and the server carries out validity authentication on the identity of the user;

step five, establishing connection: after the user authentication is successful, the client sends a session request, the server responds to the request type of the client, and the two parties establish connection for data transmission.

In the SSH protocol at the present stage, a DH algorithm is used for negotiating a key, and meanwhile, in order to prevent the key from being attacked by a man-in-the-middle, an RSA algorithm and an SHA256 algorithm are used for signature authentication so as to ensure the legality of the identities of two communication parties. The cooperative work of the algorithms ensures high security of the shared secret key. However, with the continuous approach of quantum era and the rapid development of computer technology, SSH will face huge challenges and risks.

Based on the above current situation, this embodiment provides an improved trusted SSH authentication scheme based on a post-quantum key exchange protocol, so that the SSH key exchange phase can resist attacks from a quantum computer, the security of SSH is improved, and the lifetime of SSH in the quantum era is extended. Particularly, based on the lattice theory of quantum cryptography, the complexity of the R-LWE (Ring-Learning With Errors) problem can be finally reduced to the lattice SVP (short Vectors Problem) problem, which has proven to be NP-difficult. Therefore, the authentication key exchange algorithm based on the R-LWE can well resist the attack of quantum computation, and has the advantages of high computation speed, easiness in understanding and the like.

In the method for implementing the SSH protocol based on post-quantum key exchange according to this embodiment, when the client establishes an SSH connection with the server, the two parties first send a Trusted certification request to the opposite end, then respectively send integrity measurement to their Trusted requests (TPM requests, Trusted Platform modules), and send related information to the opposite end and verify the Trusted status of the opposite end, and when both parties' Trusted statuses are verified, both parties start password negotiation. When key agreement is carried out, the two parties respectively carry out random sampling from Gaussian distribution with the same parameters, calculate own public and private key pairs, then send own public keys to the opposite terminal and receive the public keys of the opposite terminal, verify the identity of the opposite terminal, then calculate temporary public and private key pairs of the session and other needed variables, send data to the opposite terminal after calculation is finished, and simultaneously calculate own shared keys of the session. Therefore, the credible state of the terminal is ensured, the key negotiation process of resisting the quantum computer is realized, and the high-safety remote login process is provided.

As shown in fig. 3, the key exchange step in the method for implementing the SSH protocol based on post-quantum key exchange includes:

the client and the server randomly sample from the Gaussian distribution of the first parameter, and respectively calculate a public and private key pair of the client and a public and private key pair of the server;

the client randomly samples from the Gaussian distribution of the second parameter, calculates a client temporary session public key, and sends the client public key and the client temporary session public key to the server;

the server receives the client public key and the client temporary session public key, performs identity verification on the client, and if the verification fails, the server directly disconnects the link, otherwise performs the next step;

the server calculates a server temporary session public key from random sampling on Gaussian distribution of the second parameter through identity authentication of the client;

the server calculates a server temporary session variable and a temporary session error-eliminating variable according to the client temporary session public key, the client vector, the server temporary session public key, the server vector and the random sampling of the server on the Gaussian distribution of the first parameter and the second parameter, and further calculates a server shared key initial seed according to the server temporary session variable and the temporary session error-eliminating variable;

the server generates a final server shared key of the session by using a post-quantum algorithm according to the client vector, the server vector, the client temporary session public key, the server temporary session public key, the temporary session error-eliminating variable and the initial seed of the server shared key;

the client performs identity authentication on the server according to the server public key;

the client side calculates a client side temporary session variable according to a client side temporary session public key, a client side vector, a server temporary session public key and random sampling of the client side on Gaussian distribution of a first parameter and a second parameter through identity authentication of a server, and further calculates a client side shared key initial seed according to the client side temporary session variable and a temporary session error-eliminating variable;

the client generates a final client shared key of the session by using a post-quantum algorithm according to the client vector, the server vector, the client temporary session public key, the server temporary session public key, the temporary session error-eliminating variable and the client shared key initial seed;

and if the authentication of either the server or the client can not be passed, the key exchange is terminated.

On the server side, the server temporary session public key k_sComprises the following steps:

k_s＝(p_cc+x)(s_sd+r_s)+2g_s

wherein:

c＝H₁(client, server, x) is a client vector, client is a client host, and server is a server host;

x＝ar_c+2f_ca client side temporary session public key;

r_ciand f_ciGaussian distribution χ of beta from second parameter for client_βQ is a positive integer (e.g., q is 5); here, multiple sampling is performed, and the sum of the results of the multiple sampling is used as a result to increase the randomness of the sampling.

d＝H₁(server, client, y, x), which is a server vector;

y＝ar_s+2f_sa server temporary session public key;

r_si，f_si，g_sifor server from the Gaussian distribution χ with second parameter β_βQ is a positive integer (e.g., q is 5);

p_c＝as_c+2e_cis a client public key;

s_ciand e_ciFrom the first parameter of the client to the alpha Gaussian distribution x_αQ is a positive integer (e.g., q is 5), and s is the random sample value of (1)_cStill the client private key;

and the temporary session error-elimination variable w is:

w＝Cha(k_s)

wherein: cha () is a feature correlation function;

according to (w, y, p)_s) Server shared secret key initial seed sigma_sComprises the following steps:

σ_s＝Mod₂(k_s,w)

wherein: mod₂() Modulo-2 function, Mod₂(v,w)＝(v+w·(q-1)/2)mod q mod 2，q mod 2n＝1，

Unit matrix

v∈M_q，w∈{0,1}；

Server shared secret sk_sComprises the following steps:

sk_s＝H(client,server,x,y,w,σ_s)。

at the client level, a client temporary session variable k_cComprises the following steps:

k_c＝(p_sd+y)(s_cc+r_c)+2g_c

wherein:

g_cifor server from the Gaussian distribution χ with second parameter β_βThe random sample value of (a) above,q is a positive integer (e.g., q ═ 5);

p_s＝as_s+2e_sis a server public key;

s_siand e_siFor the server, from the first parameter of alpha Gaussian distribution x_αQ is a positive integer (e.g., q is 5), and s is the random sample value of (1)_sStill the server private key;

according to (w, y, p)_s) Client sharing key initial seed sigma_cComprises the following steps:

σ_c＝Mod₂(k_c,w)

wherein: mod₂() Modulo-2 function, Mod₂(v,w)＝(v+w·(q-1)/2)mod q mod 2，q mod 2n＝1，

Unit matrix

v∈M_q，w∈{0,1}；

Client shared secret sk_cComprises the following steps:

sk_c＝H(client,server,x,y,w,σ_c)。

preferably, before the key exchanging step, the method further comprises: the step of verifying the credible states of the two communication parties comprises the following steps:

sending a request for verifying the credible state of the client to a server;

after receiving a request of a client, a server randomly generates a first random number with M bits, and sends the first random number and a request for verifying the self credibility state to the client, wherein M is a natural number;

after receiving the first random number and the verification request, the client correspondingly generates an M-bit second random number, measures the integrity of the trusted request, encrypts the first random number, the configuration register value and the measurement log SML, and sends an encryption result, the second random number and the TPM public key to the server;

after receiving the data, the server judges whether the client is the first client requesting to establish SSH connection, if so, checks whether a trusted certificate exists locally, and if so, directly performs the next step; otherwise, the integrity measurement is requested to the local machine credibility, then the second random number, the configuration register value of the second random number and the measurement log SML are encrypted, and the encryption result and the TPM public key are sent to the client side together;

the server verifies the credibility state of the client according to the data sent by the client, if the client passes the verification, a credibility verification passing certificate is generated, the certificate comprises the client IP, the unique identifier of the client, the IP and the identifier of the local server, the time for generating the certificate and the validity period of the certificate, the TPM public key sent by the client is used for encryption, and the encryption result and the verification passing information are sent to the client together;

after the client receives the data, the client verifies the credible state of the server, if the verification is passed, the client also generates a credible certificate, the content comprises the server IP, the unique identifier of the server, the IP and the identifier of the local client, the time for generating the certificate and the validity period of the certificate, the TPM public key sent by the server is used for encryption, and the encryption result and the verification passing information are sent to the server together;

after receiving the trusted voucher, the server decrypts the trusted voucher by using the TPM private key of the server and stores the trusted voucher in the local area, so that the trusted states of the server and the server pass verification, and otherwise, the server is directly disconnected.

The following will describe in detail the process of establishing an SSH remote connection of the method for implementing an SSH protocol based on post-quantum key exchange in this embodiment, and the method is divided into six steps:

the first step is as follows: and (4) version negotiation.

Before version negotiation, the two parties firstly establish a TCP connection: a TCP request connection is sent by the client to the server.

After the TCP connection is successfully established, the client enters a waiting phase. The server sends a first message to the client, and the message content is an SSH protocol version number and a software version number. The protocol version number comprises a major version number and a minor version number, and the message content is as follows:

"SSH- < major protocol version number > < minor protocol version number > - < software version number > \\ n"

After receiving the message, the client returns a message to the server, the content is the relevant version number of the client, and the format of the content is consistent with that of the message sent by the server.

And after receiving the version number sent by the client, the server compares the version number with the version number of the server to determine whether the version number is compatible. If not, directly disconnecting TCP, if compatible, the server generates a number to identify the client as the host of the SSH connection with the client, and then enters the next stage.

The second step is that: and (5) verifying the credibility.

Trusted verification of both parties to the communication starts from system power-on start up until the last application, and each step in between measures and extends the measure values into a PCR (Platform configuration Register). Meanwhile, the two parties also store the measurement operation, the measurement result and the intermediate states of each step into a storage measurement log SML (storage Measure Log).

The detailed flow of verifying the trusted status of the two communication parties is shown in fig. 4, and is specifically described as follows:

1, a client firstly sends a request for verifying the trusted state of the client to a server;

2, after receiving a request from a client, the server randomly generates a first random number RandNum1 with M bits (M is a natural number and is generally 160), and then sends the first random number and a request for verifying the self-trusted state to the client;

3 after receiving the first random number and the verification request, the client side preferably generates a second random number RandNum2 with M bits randomly and correspondingly, then requests the TPM for integrity measurement, encrypts the first random number RandNum1, the PCR value and the measurement log SML, and finally sends the encryption result, the second random number RandNum2 and the TPM public key to the server;

4, after receiving the data, the server firstly judges whether the client is the first client requesting to establish SSH connection, if so, checks whether a trusted certificate exists locally, and if so, directly performs the next step; otherwise, the integrity measurement is requested to the local TPM, then the random number RandNum2, the PCR value of the random number RandNum2 and the measurement log SML are encrypted, and the encryption result and the TPM public key are sent to the client side;

the server verifies the credibility state of the client according to the data sent by the client, if the client passes the verification, a credibility verification passing certificate is generated, the certificate comprises the client IP, the unique identifier of the client, the IP and the identifier of the local server, the time for generating the certificate and the validity period of the certificate, the information is encrypted by using the TPM public key sent by the client, and the encrypted result and the verification passing information are sent to the client together;

after receiving the data, the client verifies the credibility state of the server, and similarly, if the verification is passed, the client also generates a credibility certificate, the content comprises the server IP, the unique identifier of the server, the IP and the identifier of the local client, the time for generating the certificate and the validity period of the certificate, the TPM public key sent by the server is used for encrypting the information, and the encrypted result and the information passing the verification are sent to the server together;

and 7, after receiving the trusted certificate, the server decrypts the trusted certificate by using the TPM private key of the server and stores the trusted certificate in the local. At this time, the trusted states of both parties pass the verification, and the following steps can be carried out, otherwise, the connection is directly disconnected.

The third step: and (4) negotiating an algorithm.

Due to the flexibility of SSH design, SSH can negotiate a wide variety of algorithms, such as data encryption algorithms, key exchange algorithms, compression algorithms, authentication algorithms, and integrity check algorithms. The client and the server send algorithm lists supported by the client and the server to the opposite terminal, the first algorithm of each algorithm type list is a preferred algorithm, and the server takes the algorithm priority of the client as consideration. If there is no algorithm in common for both parties of a certain algorithm type, the session will terminate.

The key agreement is completed by using the post-quantum authentication key exchange algorithm based on the R-LWE, so that the post-quantum authentication key exchange algorithm based on the R-LWE is set as a preferred algorithm of the key agreement.

The fourth step: and (4) key agreement.

The whole key exchange process is mainly divided into three steps, data is exchanged twice, and the flow can refer to fig. 3.

To facilitate the description of the entire process of key exchange, the following parameters are defined:

n is a safety parameter and must be a power of 2, and the function f (x) xⁿ+1；

q is an odd prime number, with the definition of q 2^w(logn)；

Definition of R ═ Z [ x]/< f (x) >, which is Z [ x ]]A ring of all polynomials modulo f (x) above, defining R analogously_q＝Z_q[x]/＜f(x)＞。

Function H₁Is defined as shown in formula (1-1):

the function H can be seen from the formula (1-1)₁Is operative to map a character string to

A sampling result χ of_γWhere γ is a positive real number. The function H is defined as H: {0,1}^*→{0,1}^kThe key generation function is a key generation function, generally a hash function, and different numbers of bits of keys can be obtained by using different hash functions.

The following is a detailed description of the overall process of key exchange:

1, the client firstly generates a public and private key pair of the client: from the first parameterIs alpha Gaussian distribution χ_αUp-sampling randomly to obtain s_cAnd e_cThen calculate p_c＝as_c+2e_cAfter the calculation is successful, s is calculated_cAnd p_cAs their own private and public keys, respectively, i.e. client-side private key s_cAnd client public key p_cAnd both are stored locally. It should be understood here that the present embodiment adopts gaussian distribution to achieve the purpose of resisting quantum computer attack, and the following calculation formulas correspond to gaussian distribution.

2, the server firstly generates a public-private key pair of itself: gaussian distribution χ of α from the same first parameter as the client_αUp-random sampling and calculating to obtain s_sAnd e_sAnd calculate p_s＝as_s+2e_sAfter the calculation is successful, s is calculated_sAnd p_sAs their own private and public keys, respectively, i.e. server private key s_sAnd server public key p_sAnd stores both locally. This phase may be performed simultaneously with the client.

3 after the client successfully generates the own public and private key pair, the second parameter is the Gaussian distribution χ of beta_βR is obtained by up-random multiple sampling calculation_cAnd f_cCalculating client-side temporary session public key x ═ ar_c+2f_cFinally, the calculation results, namely the client temporary session public key x and the client public key p_cAre sent to the server together. And the server enters a waiting stage after calculating the public and private key pair of the server.

4 after receiving the data sent by the client, the server firstly sends the client public key p sent by the client_cAnd comparing the identity of the client host with the local database of the client host, and verifying the identity of the client host. If the local database does not have the client public key p corresponding to the client_cIf the connection is the first connection, the public key p of the client is used_cIP, and the client's name are saved to a local database. In general, there is no possibility that the identity is not passed, and the first connection only needs to store the data sent by the other party and then continue the connection.

If the second parameter is beta, and the client identity authentication is passed, the Gaussian distribution x is also obtained when the second parameter is beta_βUp-sampling randomly and calculating to obtain r_s、f_sAnd g_sComputing server temporary session public key y ═ ar_s+2f_s。

While computing a server temporary session variable k according to equation (1-2)_s：

k_s＝(p_cc+x)(s_sd+r_s)+2g_s (1-2)

Wherein: client vector c ═ H₁(client, server, x), server vector d ═ H₁(server, client, y, x), the temporary session variable is a temporary public key generated only for the session, and the temporary public key is automatically deleted after the session is ended, so as to ensure higher security.

Subsequently, the server calculates a temporary session error-free variable w, preferably according to equation (1-3), in order to remove the error.

w＝Cha(k_s) (1-3)

Wherein: cha () is a feature correlation function, defined as follows:

let q mod 2n equal to 1,

unit matrix

Defining a feature correlation function Cha () calculation formula as shown in (1-4):

wherein: v is an element of M_qI.e. v is M_qOf (1).

After the server successfully calculates the data, the calculation result (w, y, p) is calculated_s) Sent to the client together. After the data is sent out, the server calculates the initial seed sigma of the server shared key by using the formula (1-5)_s。

σ_s＝Mod₂(k_s,w) (1-5)

Wherein: mod₂() For the modulo-2 function, the following is defined:

let q mod 2n equal to 1,

unit matrix

The calculation formula for defining the modulo function Mod2 is shown in (1-6):

Mod₂(v,w)＝(v+w·(q-1)/2)mod q mod 2 (1-6)

wherein v ∈ M_qW is equal to {0,1 }. For M_qIt can be proved by simple calculation that u ═ v + cha (v) · (q-1)/2 mod q is an element in E.

It should be understood here that the shared key initial seed, although to some extent it may be considered as the finally negotiated shared key, may be calculated by an attacker according to the information exchanged by the two parties for security reasons, and therefore cannot be directly used for the shared key, where a hash function is used for additional processing.

Finally, the server calculates the server shared key by using the data calculated above, and the calculation formula is shown as (1-7):

sk_s＝H(client,server,x,y,w,σ_s) (1-7)

wherein: the H () function is typically a hash function, such as a SHA256 hash function.

The server shared key sk at this time_sThe shared key is finally calculated by the key agreement algorithm and is used for encrypting data to be transmitted subsequently and ensuring the security of the session.

5 the client receives the data (w, y, p) sent by the server_s) Then, firstly, identity authentication is carried out, and the server public key p is used_sData associated with a locally stored server public keyComparing the libraries, if the local database does not have the relevant information of the server, the public key p of the server is compared_sIP, and name are stored in a local database. If the second parameter is present and the identity authentication is passed, the second parameter is a Gaussian distribution χ of beta_βUp-random sampling g_cCalculating a client temporary session variable k according to the formula (1-8)_c：

k_c＝(p_sd+y)(s_cc+r_c)+2g_c (1-8)

Similarly, the definition c ═ H₁(client,server,x)，d＝H₁(server,client,y,x)

Finally, the client calculates the client shared key initial seed sigma_cSharing the secret key sk with the client_cThe calculation formulas are respectively shown in formulas (1-9) and (1-10):

σ_c＝Mod₂(k_c,w) (1-9)

sk_c＝H(client,server,x,y,w,σ_c) (1-10)

sk_cnamely the client shared key generated in the client key negotiation stage.

After successfully calculating the own shared key, the client and the server send an SSH2_ MSG _ NEWKEYS message to the opposite end to tell the opposite end that the own shared key is generated, and the key agreement phase is ended. The next step can be performed.

The above calculation process will be verified first:

as can be seen from equations (1-7) and (1-10), the client shares the key sk_cSharing the secret key sk with the server_sHas the same calculation function and basically the same function parameter type, only sigma_cAnd σ_sAre different and thus want to prove sk_cAnd sk_sEquality, one can translate into a proof of σ_cAnd σ_sAre equal. Sigma_cAnd σ_sAre respectively shown in formulas (1-11) and (1-12):

σ_c＝Mod₂(k_c,w) (1-11)

σ_s＝Mod₂(k_s,w) (1-12)

as can be seen from equations (1-11) and (1-12), σ_cAnd σ_sAll using the function Mod₂(k, v) and the second input parameter w of the function is also the same, in other words, σ_cAnd σ_sWhether or not to be equal is determined by a first input parameter k_cAnd k_sTo decide. Then sigma is judged_cAnd σ_sWhether they are equal can be converted to a decision k_cAnd k_sWhether or not they are the same. Client and server computing k_cAnd k_sAre shown in equations (1-13) and equations (1-14), respectively.

Wherein:

while

Combining equations (1-13) and equations (1-14) and

and

equations (1-15) can be obtained:

when it is, then k is considered_iAnd k_jAre equal. Therefore, in practical application, when selecting parameters, it is ensured that k is ensured that the selected parameters can satisfy the condition_cAnd k_sAre equal. Thus, the simultaneous equations (1-11) -equation (1-15), σ_cAnd σ_sAre equal, so sk_cAnd sk_sAre equal.

The security of this key exchange algorithm depends on the difficulty of the R _ LWE search type problem. I.e., in the R-LWE distribution, given a_iAnd b_iSolving can satisfy equation b_i＝＜a_i,s＞+e_iThe vector s is very difficult, even if a quantum computer is used for calculation, the solution can be carried out only in exponential time, and the identity authentication of both communication parties is also completed in the key exchange stage under the condition that other identity authentication algorithms are not required to be supported, man-in-the-middle attack is prevented, and the safety of an SSH transmission layer is improved.

Furthermore, SSH supports multiple encryption algorithms, such as DES, 3DES, AES, etc., which require different numbers of key bits, and not necessarily 256 bits, but for example, if the shared key finally generated in this scheme is 256 fixed bits, it is necessary to continue processing the shared key in order to use the key well. When the required key is less than 256 bits, it is convenient, and only the previously required bits need to be taken out, for example, the encryption algorithm needs a 128-bit key, and then the first 128 bits of data of the shared key are taken out as the encryption key. But when the required key is larger than 256 bits, additional operations are required. The specific calculation method is shown as (1-16) - (1-18):

k₁＝SHA256(sk||session_id) (1-16)

k₂＝SHA256(sk||k₁) (1-17)

k₃＝SHA256(sk||k₁||k₂) (1-18)

when the required key is greater than 256 bits, k is calculated according to equation (1-16)₁The encryption key K is sk K₁；

If the key required is greater than 512 bits, k is calculated according to equation (1-17)₂The encryption key K is sk K₁||k₂；

If the required key length is calculated according to equations (1-17) or is not sufficient, k is calculated according to equations (1-18)₃The encryption key K is sk K₁||k₂||k₃。

And the like until the key is lengthened to the required key length according to the method.

In this way, after the client and the server successfully calculate the shared key, the ID of the session is calculated by using the version numbers of the client and the server and the shared key as the input of the hash value, and the session ID will not change in the whole session. The calculation formula is shown as (1-19):

Hash＝SHA256(C_V||S_V||p_c||y||w||p_s||x||sk) (1-19)

wherein, C _ V and S _ V are version number character strings of the client and the server respectively, sk is a shared secret key, and | is a connector.

The fifth step: and (4) user authentication.

After successfully negotiating out the shared key, the two parties enter into the authentication phase. Firstly, the client sends a user authentication request to a request server, after receiving the request, the server returns an authentication mode list supported by the server to the client, and simultaneously checks the configuration information of the server on authentication overtime and authentication frequency upper limit. And then the client selects a preferred authentication method from an authentication list supported by the server, sends information required by the authentication method to the server for authentication, and if the authentication is successful, the client and the server enter the next stage. Otherwise, the connection is disconnected.

SSH mainly supports two authentication approaches: a host-based authentication approach and a password-based authentication approach. However, the key agreement part authenticates the identities of the client and the server, so that the user authentication mode at this stage does not suggest the use of a host-based authentication mode any more, and the use of a password-based authentication mode is recommended, because the authentication of the identity of the communication host is completed, the identity of the user can be authenticated, and the security strength of communication is further improved.

And a sixth step: a connection is requested.

After the authentication is successful, the client sends a session request, and the server receives the client request and then processes the client request in time. Session requests include the following categories: requesting a pseudo terminal, opening a shell, executing a command, starting X forwarding, starting TCP/IP port forwarding, applying for compressed data, starting an authentication agent and the like.

In summary, the method for implementing the SSH protocol based on post-quantum key exchange provides a trusted SSH improvement method based on the R-LWE post-quantum authentication key exchange algorithm: when the client and the server use SSH to carry out remote connection, the two parties firstly send information such as own protocol version number, software version number and the like to the opposite end to carry out version negotiation. After the version negotiation is successful, the two parties respectively send a credible certification request to the opposite end and verify the credible state of the other party, and when the credible states of the two parties are verified, the two parties start algorithm negotiation and key negotiation. In the key agreement stage, both parties sample from discrete Gaussian distribution of the same parameter, calculate own public and private key pairs and other necessary intermediate variables, then send own public keys and other data to the opposite end, complete identity authentication and generation of a shared key, and the shared key is generated by a back quantum algorithm, so that quantum attack can be resisted, the security in the key agreement stage is improved, and the shared key is prevented from being cracked by a third party. After the shared key is generated, the two parties encrypt the data to be transmitted by using the key to complete the user authentication and connection request part.

It can be seen that, the method for implementing the SSH protocol based on the post-quantum key exchange improves the SSH scheme by using the post-quantum authentication key exchange algorithm based on R-LWE and the trusted computing technology at the stage of the SSH transmission layer, firstly, the trusted computing technology is used to verify the trusted states of both communication parties before SSH algorithm negotiation, so as to prevent the situation that one party is possibly attacked by hackers and the other party is completely unknown, secondly, the post-quantum authentication key exchange algorithm based on R-LWE is used to complete key negotiation and identity authentication, then, the negotiated shared key is used to encrypt and transmit data, and finally, the remote security service process is completed. Therefore, a post-quantum authentication key exchange algorithm based on R-LWE and a trusted computing technology are integrated into an SSH protocol, an SSH key negotiation stage is simplified, connection establishment speed is increased, a shared key is prevented from being cracked by a quantum computer, and the capability of SSH for resisting quantum computing attack is improved. Meanwhile, the credible state of the host is verified, the SSH session security is improved, and the possibility that one communication party is illegally controlled by the other communication party is greatly reduced.

Example 2:

the embodiment provides a system for realizing an SSH protocol based on post-quantum key exchange, which can effectively prevent a shared key generated by a communication client and a server from being broken by a quantum computer; on the other hand, the trusted status of both the client and the server can be verified.

The system for realizing the SSH protocol based on the post-quantum key exchange comprises a key exchange module, wherein the key exchange module comprises a first key unit, a second key unit, a first verification unit and a second verification unit, and the key exchange module comprises:

the first key unit is positioned at the server and used for completing the following functions:

randomly sampling from the Gaussian distribution of the first parameter, and calculating a public and private key pair of the server;

after the first verification unit passes the identity authentication of the client, calculating a server temporary session public key from random sampling on the Gaussian distribution of the second parameter;

calculating a server temporary session variable and a temporary session error-eliminating variable according to the client temporary session public key, the client vector, the client temporary server vector and the random sampling of the server on the Gaussian distribution of the first parameter and the second parameter;

calculating a server shared key initial seed according to the server temporary session variable and the temporary session error-eliminating variable;

generating a final server shared key of the session by using a post-quantum algorithm according to the client vector, the server vector, the client temporary session public key, the server temporary session public key, the temporary session error-eliminating variable and the initial seed of the server shared key;

the first verification unit is positioned in the server and used for receiving the client public key and the client temporary session public key and verifying the identity of the client, if the verification cannot pass, the server directly disconnects the link, otherwise, the server performs subsequent authentication;

the second key unit is positioned at the client and used for completing the following functions:

randomly sampling from the Gaussian distribution of the first parameter, and calculating a public-private key pair of the client;

randomly sampling from the Gaussian distribution of the second parameter, calculating a client temporary session public key, and sending the client public key and the client temporary session public key to a server;

after the second verification unit passes the identity authentication of the server, calculating a client temporary session variable according to the client temporary session public key, the client vector, the server temporary session public key and the random sampling of the client on the Gaussian distribution of the first parameter and the second parameter, and further calculating a client shared key initial seed according to the client temporary session variable and the temporary session error-eliminating variable;

generating a final server shared key of the session by using a post-quantum algorithm according to the client vector, the server vector, the client temporary session public key, the server temporary session public key, the temporary session error-eliminating variable and the client shared key initial seed;

and the second verification unit is positioned at the client and used for verifying the identity of the server according to the server public key, terminating the key exchange if the verification cannot pass, and otherwise, performing subsequent authentication.

In a first key unit:

server temporary session public key k_sComprises the following steps:

k_s＝(p_cc+x)(s_sd+r_s)+2g_s

wherein:

c＝H₁(client, server, x), which is a client vector;

x＝ar_c+2f_ca client side temporary session public key;

r_ciand f_ciGaussian distribution χ of beta from second parameter for client_βQ is a positive integer (e.g., q is 5);

d＝H₁(server, client, y, x), which is a server vector;

y＝ar_s+2f_sa server temporary session public key;

r_si，f_si，g_sifor server from the Gaussian distribution χ with second parameter β_βQ is a positive integer (e.g., q is 5);

p_c＝as_c+2e_cis a client public key;

s_ciand e_ciFrom the first parameter of the client to the alpha Gaussian distribution x_αQ is a positive integer (e.g., q is 5), and s is the random sample value of (1)_cStill the client private key;

and the temporary session error-elimination variable w is:

w＝Cha(k_s)

wherein: cha () is a feature correlation function;

according to (w, y, p)_s) Server shared secret key initial seed sigma_sComprises the following steps:

σ_s＝Mod₂(k_s,w)

wherein: mod₂() Modulo-2 function, Mod₂(v,w)＝(v+w·(q-1)/2)mod q mod 2，q mod 2n＝1，

Unit matrix

v∈M_q，w∈{0,1}；

Server shared secret sk_sComprises the following steps:

sk_s＝H(client,server,x,y,w,σ_s)。

in the second key unit, the first key unit,

client temporary session variable k_cComprises the following steps:

k_c＝(p_sd+y)(s_cc+r_c)+2g_c

wherein:

g_cifor server from the Gaussian distribution χ with second parameter β_βQ is a positive integer (e.g., q is 5);

p_s＝as_s+2e_sis a server public key;

s_siand e_siFor the server, from the first parameter of alpha Gaussian distribution x_αQ is a positive integer (e.g., q is 5), and s is the random sample value of (1)_sStill the server private key;

and, according to (w, y, p)_s) Client sharing key initial seed sigma_cComprises the following steps:

σ_c＝Mod₂(k_c,w)

wherein: mod₂() Modulo-2 function, Mod₂(v,w)＝(v+w·(q-1)/2)mod q mod 2，q mod 2n＝1，

Unit matrix

v∈M_q，w∈{0,1}；

Client shared secret sk_cComprises the following steps:

sk_c＝H(client,server,x,y,w,σ_c)。

preferably, the system for implementing the SSH protocol based on post-quantum key exchange further includes a verification Trusted Module to verify Trusted statuses of both communication parties, and since the verification Trusted Module is added, it is required that each communication host has a built-in TPM (Trusted Platform Module) chip. The verification trusted module comprises a first trusted unit located at the server and a second trusted unit located at the client, and is used for completing the following functions:

the second trusted unit sends a request for verifying the trusted status of the client to the first trusted unit;

after receiving a request of a client, a first trusted unit randomly generates an M-bit first random number, and sends the first random number and a request for verifying the trusted state of the first trusted unit to a second trusted unit, wherein M is a natural number;

after receiving the first random number and the verification request, the second trusted unit correspondingly generates an M-bit second random number, then requests the TPM for integrity measurement, encrypts the first random number, the configuration register value and the measurement log SML, and sends an encryption result, the second random number and the TPM public key to the first trusted unit;

after receiving the data, the first trusted unit judges whether the client is the first client requesting to establish SSH connection, if so, checks whether a trusted certificate exists locally, and if so, directly performs the next step; otherwise, the integrity measurement is requested to the local trusted unit, then the second random number, the configuration register value of the second random number and the measurement log SML are encrypted, and the encryption result and the TPM public key are sent to the second trusted unit;

the first trusted unit verifies the trusted state of the client according to the data sent by the second trusted unit, if the data passes the verification, a trusted verification passing certificate is generated, the certificate comprises a client IP, a client unique identifier, an IP and an identifier of a local server, the time for generating the certificate and the certificate validity period, and is encrypted by using a TPM public key sent by the client, and the encrypted result and verification passing information are sent to the client together;

after the client receives the data, the trusted state of the server is verified, if the data passes the verification, the second trusted unit also generates a trusted certificate, the content comprises a server IP, a unique identifier of the server, an IP and an identifier of the local client, the time for generating the certificate and the validity period of the certificate, the TPM public key sent by the server is used for encryption, and the encryption result and the verification passing information are sent to the first trusted unit;

after receiving the trusted credential, the first trusted unit decrypts the trusted credential by using the TPM private key of the first trusted unit and stores the trusted credential locally, so that the trusted states of the first trusted unit and the trusted unit pass verification, and otherwise, the first trusted unit is directly disconnected.

In the trusted SSH protocol improvement method based on the post-quantum key exchange algorithm, when a user uses the improved SSH protocol to remotely log in a server, the SSH firstly verifies whether hosts of two communication parties are trusted, and then completes a key negotiation stage and a two-party identity authentication stage between a client and the remote server by using the post-quantum key exchange algorithm. The method has the advantages of strong user transparency, high speed, simple and easily understood algorithm, capability of providing credible certification and post-quantum computer functions on the premise of not reducing the original SSH remote login security, and further enhancement of the SSH security.

It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.

Claims (10)

1. a method for realizing SSH protocol based on post-quantum key exchange, comprising key exchange step, is characterized in that, key exchange step comprises: The client and the server randomly sample from the Gaussian distribution of the first parameter, and calculate the client's public-private key pair and the server's public-private key pair respectively; The client randomly samples from the Gaussian distribution of the second parameter, calculates the client's temporary session public key, and sends the client's public key and the client's temporary session public key to the server; The server receives the client's public key and the client's temporary session public key, and authenticates the client. If the verification fails, the server will directly disconnect the link, otherwise, proceed to the next step; Calculate the server temporary session public key from random sampling on the Gaussian distribution of the second parameter; The server calculates the server temporary session variable and the temporary session error correction according to the client temporary session public key, the client vector, the server temporary session public key, the server vector, and the random sampling of the server on the Gaussian distribution of the first parameter and the second parameter variable, and then calculate the initial seed of the server shared key according to the server temporary session variable and the temporary session error cancellation variable; The server uses the post-quantum algorithm to generate the final server shared key of the session according to the client vector, the server vector, the client temporary session public key, the server temporary session public key, the temporary session error correction variable and the initial seed of the server shared key; The client authenticates the server according to the server public key; The client passes the identity authentication of the server, and calculates the client according to the client's temporary session public key, the client vector, the server vector, the server's temporary session public key, and the client's random sampling on the Gaussian distribution of the first parameter and the second parameter. terminal temporary session variable, and then calculate the initial seed of the client shared key according to the client temporary session variable and the temporary session error elimination variable; Based on the client vector, server vector, client temporary session public key, server temporary session public key, temporary session error correction variable and client shared key initial seed, the client uses the post-quantum algorithm to generate the final client share of the session. key; If either server or client authentication fails, the key exchange is terminated; Before the key exchange step, the method further includes: verifying the trusted status of the two communication parties, the verifying the trusted status of the two communication parties includes: a predetermined step and a trusted status verification step, and the predetermined step includes: Send a request to verify the client's trusted status to the server; After receiving the request from the client, the server randomly generates a first random number of M bits, and sends the first random number and the request for verifying its own trust status to the client, where M is a natural number; After receiving the first random number and the verification request, the client generates a second random number of M bits, and then requests the trusted integrity measurement, encrypts the first random number, the configuration register value, and the measurement log SML. The encryption result, the second random number, and the TPM public key are sent to the server together. 2. the method for realizing SSH protocol based on post-quantum key exchange according to claim 1, is characterized in that, server temporary session public key k _s is: k _s =(p _c c+x)(s _s d+r _s )+2g _s in: c=H ₁ (client, server, x), is the client vector; x=ar _c +2f _c , which is the client's temporary session public key;

r _ci and f _ci are the random sampling values of the client from the Gaussian distribution χ _β whose second parameter is β, and q is a positive integer; d=H ₁ (server, client, y, x), is the server vector; y=ar _s +2f _s , is the temporary session public key of the server;

r _si , f _si , and g _si are random sampling values of the server from a Gaussian distribution χ _β whose second parameter is β, and q is a positive integer; p _c =as _c +2e _c , is the client public key;

s _ci and e _ci are the random sampling values of the client from the α Gaussian distribution χ _α as the first parameter, q is a positive integer, and s _c is still the client private key; And, the temporary session debug variable w is: w=Cha(k _s ) Among them: Cha() is the feature association function. 3. the method for realizing SSH protocol based on post-quantum key exchange according to claim 2, is characterized in that, according to (w, y, p _s ), server shared key initial seed σ _s is: σ _s =Mod ₂ (k _s ,w) Wherein: Mod ₂ () is a modulo 2 function, Mod ₂ (v,w)=(v+w·(q-1)/2)mod q mod 2, q mod 2n=1,

identity matrix

v∈M _q , w∈{0,1}; The server shared secret sk _s is: sk _s =H(client, server, x, y, w, σ _s ). 4. the method for realizing SSH protocol based on post-quantum key exchange according to claim 2, is characterized in that, client temporary session variable k _c is: k _c =(p _s d+y)(s _c c+r _c )+2g _c in:

g _ci is the random sampling value of the server from the Gaussian distribution χ _β whose second parameter is β, and q is a positive integer; p _s =as _s + _2es , is the server public key;

s _si and _{es si} are random sampling values of the server from a Gaussian distribution χ _α whose first parameter is α, q is a positive integer, and s _s is still the private key of the server. 5. the method for realizing SSH protocol based on post-quantum key exchange according to claim 4, is characterized in that, according to (w, y, p _s ), client shared key initial seed σ _c is: σ _c =Mod ₂ (k _c ,w) Wherein: Mod ₂ () is a modulo 2 function, Mod ₂ (v,w)=(v+w·(q-1)/2)mod q mod 2, q mod 2n=1,

identity matrix

v∈M _q , w∈{0,1}; The client shared secret sk _c is: sk _c =H(client, server, x, y, w, σ _c ). 6. The method for realizing SSH protocol based on post-quantum key exchange according to any one of claims 1-5, wherein the trusted state verification step comprises: After the server receives the data, it determines whether the client is the first client that requests to establish an SSH connection. If so, it checks whether there is a trusted certificate locally. If there is a trusted certificate locally and the trusted certificate is still within the validity period, Then proceed directly to the next step; otherwise, you need to first request the integrity measurement from the local trusted machine, and then encrypt the second random number with its own configuration register value and measurement log SML, and send the encryption result together with the TPM public key to the client. end; The server verifies the trusted status of the client according to the data sent by the client. If the verification passes, it generates a credential that passes the credential verification, which includes the client IP, the unique identifier of the client, the IP and identifier of the local server, and the generated certificate The time and validity period of the certificate are encrypted, and the TPM public key sent by the client is used for encryption, and the encryption result is sent to the client together with the verification information; After the client receives the data, it verifies the trusted status of the server. If the verification is passed, the client also generates a trusted certificate, which includes the server IP, the server unique identifier, the IP and identifier of the local client, and the generated certificate. The time and validity period of the certificate are encrypted, and the TPM public key sent by the server is used for encryption, and the encryption result is sent to the server together with the verification information; After the server receives the trusted credential, it decrypts the trusted credential with its own TPM private key and saves it locally. In this way, the trusted status of both parties is verified, otherwise the connection is directly disconnected. 7. a system based on post-quantum key exchange to realize SSH protocol, comprising key exchange module and verification trusted module, it is characterized in that, described key exchange module comprises the first key unit, the second key unit and The first verification unit, the second verification unit, wherein: The first key unit, located in the server, is used to complete the following functions: Randomly sample from the Gaussian distribution of the first parameter, and calculate the public-private key pair of the server; After the first verification unit passes the identity authentication of the client, calculate the server temporary session public key from random sampling on the Gaussian distribution of the second parameter; According to the client temporary session public key, the client vector, the client temporary server vector, and the random sampling of the server on the Gaussian distribution of the first parameter and the second parameter, calculate the server temporary session variable and the temporary session error elimination variable; And, calculating the initial seed of the shared key of the server according to the temporary session variable of the server and the temporary session error cancellation variable; According to the client vector, server vector, client temporary session public key, server temporary session public key, temporary session error correction variable and server shared key initial seed, use post-quantum algorithm to generate the final server shared key of this session; The first verification unit, located at the server, is used for receiving the client public key and the client temporary session public key, and performing identity verification on the client, if the verification fails, the server will directly disconnect the link, otherwise, perform subsequent verification; The second key unit, located at the client, is used to complete the following functions: Randomly sample from the Gaussian distribution of the first parameter, and calculate the client's public-private key pair; Randomly sample from the Gaussian distribution of the second parameter, calculate the client's temporary session public key, and send the client's public key and the client's temporary session public key to the server; After the second verification unit passes the identity authentication of the server, according to the client's temporary session public key, the client vector, the server vector, the server's temporary session public key, and the client's Gaussian distribution on the first parameter and the second parameter Random sampling, calculate the client temporary session variable, and then calculate the client shared key initial seed according to the client temporary session variable and the temporary session error cancellation variable; And, according to the client vector, the server vector, the client temporary session public key, the server temporary session public key, the temporary session error correction variable and the client shared key initial seed, the post-quantum algorithm is used to generate the final server shared secret of this session. key; The second verification unit, located on the client side, is used to perform identity verification on the server according to the server public key, if the verification fails, terminate the key exchange, otherwise perform subsequent verification; The verification trustworthy module is used to verify the trustworthy state of both parties in the communication, and the verification trustworthy module includes: a first trustworthy unit located at the server and a second trusted unit located at the client, for completing the following functions : The second trusted unit sends a request for verifying the trusted state of the client to the first trusted unit; after receiving the request from the client, the first trusted unit randomly generates a first random number of M bits, Send the first random number and the request for verifying its own trusted state to the second trusted unit, where M is a natural number; After receiving the first random number and the verification request, the second trusted unit correspondingly generates a second random number of M bits, and then requests the TPM for an integrity measurement, and combines the first random number with the configuration register value and the measurement log. SML encryption, the encryption result, the second random number and the TPM public key are sent to the first trusted unit together. 8. The system for realizing SSH protocol based on post-quantum key exchange according to claim 7, characterized in that, in the first key unit: The server temporary session public key k _s is: k _s =(p _c c+x)(s _s d+r _s )+2g _s in: c=H ₁ (client, server, x), is the client vector; x=ar _c +2f _c , which is the client's temporary session public key;

r _ci and f _ci are the random sampling values of the client from the Gaussian distribution χ _β whose second parameter is β, and q is a positive integer; d=H ₁ (server, client, y, x), is the server vector; y=ar _s +2f _s , is the temporary session public key of the server;

r _si , f _si , and g _si are random sampling values of the server from a Gaussian distribution χ _β whose second parameter is β, and q is a positive integer; p _c =as _c +2e _c , is the client public key;

s _ci and e _ci are the random sampling values of the client from the α Gaussian distribution χ _α as the first parameter, q is a positive integer, and s _c is still the client private key; And, the temporary session debug variable w is: w=Cha(k _s ) Among them: Cha() is the feature association function; According to (w, y, p _s ), the initial seed σ _s of the server shared key is: σ _s =Mod ₂ (k _s ,w) Wherein: Mod ₂ () is a modulo 2 function, Mod ₂ (v,w)=(v+w·(q-1)/2)mod q mod 2, q mod 2n=1,

identity matrix

v∈M _q , w∈{0,1}; The server shared secret sk _s is: sk _s =H(client, server, x, y, w, σ _s ). 9. The system for realizing SSH protocol based on post-quantum key exchange according to claim 8, wherein, in the second key unit, The client temporary session variable k _c is: k _c =(p _s d+y)(s _c c+r _c )+2g _c in:

g _ci is the random sampling value of the server from the Gaussian distribution χ _β whose second parameter is β, and q is a positive integer; p _s =as _s + _2es , is the server public key;

s _si and _{es si} are the random sampling values of the server from the α Gaussian distribution χ _α as the first parameter, q is a positive integer, and s _s is still the private key of the server; And, according to (w, y, p _s ), the initial seed σ _c of the client shared secret key is: σ _c =Mod ₂ (k _c ,w) Wherein: Mod ₂ () is a modulo 2 function, Mod ₂ (v,w)=(v+w·(q-1)/2)mod q mod 2, q mod 2n=1,

identity matrix

v∈M _q , w∈{0,1}; The client shared secret sk _c is: sk _c =H(client, server, x, y, w, σ _c ). 10. The system for implementing SSH protocol based on post-quantum key exchange according to any one of claims 7-9, wherein the first trusted unit and the second trusted unit are also used to complete The following functions: After the first trusted unit receives the data, it determines whether the client is the first client that requests the establishment of an SSH connection, and if so, checks whether there is a trusted credential locally, and if there is a trusted credential locally and the trusted credential exists. If the credential is still within the validity period, proceed directly to the next step; otherwise, you need to request the integrity measurement from the local trusted machine, and then encrypt the second random number, its own configuration register value, and measurement log SML, and encrypt the encryption result with TPM. send the public key together to the second trusted unit; The first trusted unit verifies the trusted status of the client according to the data sent by the second trusted unit, and if the verification passes, generates a trusted verification pass certificate, the certificate includes the client IP, the unique identifier of the client, this certificate. The IP and identifier of the computer server, the time when the certificate was generated, and the validity period of the certificate, and encrypted with the TPM public key sent by the client, and the encryption result and the verification pass information are sent to the client; After the client receives the data, it verifies the trusted status of the server. If the verification is passed, the second trusted unit also generates a trusted credential, the content including the server IP, the server unique identifier, the IP and identification of the local client character, the time when the certificate was generated, and the validity period of the certificate, and encrypted using the TPM public key sent by the server, and the encryption result and the verification pass information are sent to the first trusted unit; After receiving the trusted credential, the first trusted unit decrypts the trusted credential with its own TPM private key, and saves it locally, so that the trusted status of both parties passes the verification, otherwise the connection is directly disconnected .

Images