[go: up one dir, main page]

WO2021047476A1 - Procédé et système de distribution de clé et dispositif portable - Google Patents

Procédé et système de distribution de clé et dispositif portable Download PDF

Info

Publication number
WO2021047476A1
WO2021047476A1 PCT/CN2020/113814 CN2020113814W WO2021047476A1 WO 2021047476 A1 WO2021047476 A1 WO 2021047476A1 CN 2020113814 W CN2020113814 W CN 2020113814W WO 2021047476 A1 WO2021047476 A1 WO 2021047476A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
wearable device
key distribution
random number
distribution network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2020/113814
Other languages
English (en)
Chinese (zh)
Inventor
赵勇
刘春华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SHANDONG INSTITUTE OF QUANTUM SCIENCE AND TECHNOLOGY Co Ltd
Quantumctek Co Ltd
Original Assignee
SHANDONG INSTITUTE OF QUANTUM SCIENCE AND TECHNOLOGY Co Ltd
Quantumctek Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SHANDONG INSTITUTE OF QUANTUM SCIENCE AND TECHNOLOGY Co Ltd, Quantumctek Co Ltd filed Critical SHANDONG INSTITUTE OF QUANTUM SCIENCE AND TECHNOLOGY Co Ltd
Publication of WO2021047476A1 publication Critical patent/WO2021047476A1/fr
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0431Key distribution or pre-distribution; Key agreement
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433Key management protocols

Definitions

  • This application belongs to the technical field of secure communication, and in particular relates to a key distribution method, system and wearable device.
  • the current quantum secure communication network is generally set up for specific customers, and most of them are government agencies, such as accessing the quantum secure communication network on a fixed telephone inside the unit.
  • communication in most occasions in daily life does not need to be strictly confidential, there is also a need for confidential communication.
  • a dedicated quantum encryption mobile phone is specially purchased for the confidentiality needs of a few occasions, the cost is relatively high. . Therefore, it is necessary to discuss how to apply quantum keys to individual users' mobile terminals.
  • Quantum keys (or quantum random keys) combined with a one-time encryption algorithm can theoretically guarantee the unconditional security of communication, but in the specific practical stage, it is still affected by the specific communication equipment and usage methods.
  • Mobile terminals have the characteristics of flexibility of use and geographic variability. If the quantum key is sent to the mobile terminal in a wired form before the confidential communication, the mobile terminal loses the advantage of flexibility, and it is no different from a fixed telephone, which will cause inconvenience in use.
  • the quantum key is sent to the mobile terminal in a wireless form before confidential communication, the security during the transmission process cannot be guaranteed, and the key has the risk of being intercepted; even if the two-level key form is used, the required communication services
  • the second-level key is sent after the first-level encryption shared with the mobile terminal, so the first-level key needs to be stored in the mobile terminal in advance.
  • Quantum Wireless Secure Communication System and Mobile Terminal proposes a technical solution for pre-storing the key to the mobile terminal: the service terminal pre-assigns the same mobile terminal that needs to perform secure communication in advance. Quantum key, so that the mobile terminal can perform secure communication in real time; if the at least two mobile terminals that have not previously allocated the same quantum key need to temporarily perform secure communication, the service terminal will encrypt the same quantum key Then, they are allocated to mobile terminals that need to conduct confidential communication in real time. In this way, there is a risk that the phone itself is stolen, or the key is stolen by Trojan horse software.
  • this application provides a key distribution method, system and wearable device, which stores random numbers in advance in the wearable device to establish communication, and allocates quantum to the wearable device with the same random number.
  • Random key quantum key distribution (QKD) technology can be used to generate the quantum random key, or it can be generated by a quantum random number generator).
  • QKD quantum key distribution
  • the mobile terminal obtains the quantum random key from the wearable device for confidential communication, and before distributing the key, it also performs identity authentication based on the biometric information obtained by the wearable device.
  • the user can obtain the business key as needed at any time and use
  • the threshold is low, ensuring the security of confidential communication.
  • a key distribution method based on a wearable device includes the following steps:
  • a plurality of wearable devices respectively send a key distribution request to the key distribution network, where the key distribution request includes a random number;
  • the key distribution network receives the key distribution request, and distributes service keys required for communication to wearable devices with the same random number.
  • the key distribution network manages a key application record table, and the record table includes the following fields: application random number, key identification, and distribution status of the key; wherein, the distribution status of the key Counting the wearable devices to which the key is currently allocated, and/or recording the device information of the wearable device.
  • the allocating service keys required for communication to wearable devices with the same random number includes:
  • the key application record table look up the key application records with the number of currently allocated devices equal to N, and check whether the random number exists, if it exists, then reject the key distribution request; if it does not exist,
  • the specific value of the upper limit N of the number of users to be shared with the key may be set by the key distribution network, or may be carried in the key distribution request sent by the wearable device to the key distribution network.
  • the key distribution request further includes user biometric information obtained via a wearable device, and/or device information of the wearable device;
  • the key distribution network After the key distribution network receives the key distribution request sent by any wearable device, it performs identity authentication based on the user biometric information and/or the device information, and if the authentication is passed, performs the key based on the random number Distribution; if the authentication fails, the key distribution request of the wearable device is rejected.
  • the key distribution network pre-stores the biometric information of the registered user and the binding relationship table of the corresponding wearable device; the identity authentication includes: searching the pre-stored binding relationship table for whether there is and received If the user's biometric information and/or the device information of the wearable device are consistent with the record, if it is found, the authentication is passed, and if it is not found, the authentication is not passed.
  • the key distribution network sends an alarm signal to the wearable device, and after the wearable device receives the alarm signal, it alarms the surroundings or specific institutions by voice or other forms;
  • the key distribution network sends an alarm signal to the wearable device. After the wearable device receives the alarm signal, it collects the current location in real time, and sends it to the key distribution network every set time interval;
  • the key distribution network sends an alarm signal to the wearable device. After the wearable device receives the alarm signal, it deletes the pre-stored shared key with the key distribution network, and deletes other stored sensitive information ;
  • the key distribution network cancels or suspends the use authority of the wearable device.
  • one of the plurality of wearable devices first sends a key distribution request to the key distribution network, and the key distribution request includes a random number and the identity of other users who are allowed to share the same key with itself information.
  • binding relationship table of the key distribution network also stores user identity information bound to each wearable device, and the key application record table also contains a piece of "designated sharer" information;
  • the key distribution network After the key distribution network receives a key distribution request, it first determines whether the random number is included in the key application record form.
  • the key distribution request is the initiator. If the request carries the "designated sharer" information, when the key is allocated for it, the "designated sharer" carried in the key distribution request is also written Enter the key application record form;
  • the wearable device obtains the service key, and displays the service key in an encoded form for the mobile terminal to scan.
  • the wearable device divides the service key into multiple segments, which are sequentially displayed in coded form for scanning by the mobile terminal.
  • the wearable device pre-stores a shared quantum key with the key distribution network for encryption and decryption of communication with the key distribution network.
  • the mobile terminal pre-stores a shared quantum key between the mobile terminal and the wearable device to be scanned for encryption and decryption of the service key.
  • One or more embodiments provide a key distribution system based on a wearable device, including:
  • a plurality of wearable devices respectively send a key distribution request to the key distribution network, where the key distribution request includes a random number;
  • the key distribution network receives the key distribution request, and distributes service keys required for communication to wearable devices with the same random number.
  • the key distribution network manages a key application record table, and the record table includes the following fields: application random number, key identification, and distribution status of the key; wherein, the distribution status of the key Counting the wearable devices to which the key is currently allocated, and/or recording the device information of the wearable device.
  • the allocating service keys required for communication to wearable devices with the same random number includes:
  • the key application record table look up the key application records with the number of currently allocated devices equal to N, and check whether the random number exists, if it exists, then reject the key distribution request; if it does not exist,
  • the specific value of the upper limit N of the number of users of the shared key may be set by the key distribution network, or may be carried in the key distribution request sent by the wearable device to the key distribution network.
  • the key distribution request further includes user biometric information obtained via a wearable device, and/or device information of the wearable device;
  • the key distribution network After the key distribution network receives the key distribution request sent by any wearable device, it performs identity authentication based on the user biometric information and/or the device information, and if the authentication is passed, performs the key based on the random number Distribution; if the authentication fails, the key distribution request of the wearable device is rejected.
  • the key distribution network pre-stores the biometric information of the registered user and the binding relationship table of the corresponding wearable device; the identity authentication includes: searching the pre-stored binding relationship table for whether there is and received If the user's biometric information and/or the device information of the wearable device are consistent with the record, if it is found, the authentication is passed, and if it is not found, the authentication is not passed.
  • the key distribution network sends an alarm signal to the wearable device, and after the wearable device receives the alarm signal, it alarms the surroundings or specific institutions by voice or other forms;
  • the key distribution network sends an alarm signal to the wearable device. After the wearable device receives the alarm signal, it collects the current location in real time, and sends it to the key distribution network every set time interval;
  • the key distribution network sends an alarm signal to the wearable device. After the wearable device receives the alarm signal, it deletes the pre-stored shared key with the key distribution network, and deletes other stored sensitive information ;
  • the key distribution network cancels or suspends the use authority of the wearable device.
  • one of the plurality of wearable devices first sends a key distribution request to the key distribution network, and the key distribution request includes a random number and the identity of other users who are allowed to share the same key with itself .
  • binding relationship table of the key distribution network also stores user identity information bound to each wearable device, and the key application record table also contains a piece of "designated sharer" information;
  • the key distribution network After the key distribution network receives a key distribution request, it first determines whether the random number is included in the key application record form.
  • the key distribution request is the initiator. If the request carries the "designated sharer" information, when the key is allocated for it, the "designated sharer" carried in the key distribution request is also written Enter the key application record form;
  • system further includes a mobile terminal that obtains the service key from a wearable device; the wearable device displays the obtained service key in an encoded form for the mobile terminal to scan.
  • the wearable device divides the service key into multiple segments, which are sequentially displayed in coded form for scanning by the mobile terminal.
  • the wearable device pre-stores a shared quantum key with the key distribution network for encryption and decryption of communication with the key distribution network.
  • the mobile terminal pre-stores a shared quantum key between the mobile terminal and the wearable device to be scanned for encryption and decryption of the service key.
  • One or more embodiments provide a key distribution network
  • the key distribution network manages a key application record table, and the record table includes the following fields: application random number, key identification, and distribution status of the key; wherein, the distribution status of the key Counting the wearable devices to which the key is currently allocated, and/or recording the device information of the wearable device.
  • the allocating service keys required for communication to wearable devices with the same random number includes:
  • the key application record table look up the key application records with the number of currently allocated devices equal to N, and check whether the random number exists, if it exists, then reject the key distribution request; if it does not exist,
  • the specific value of the upper limit N of the number of users of the shared key may be set by the key distribution network, or may be carried in the key distribution request sent by the wearable device to the key distribution network.
  • the key distribution request further includes user biometric information obtained via a wearable device, and/or device information of the wearable device;
  • the key distribution network After the key distribution network receives the key distribution request sent by any wearable device, it performs identity authentication based on the user biometric information and/or the device information, and if the authentication is passed, performs the key based on the random number Distribution; if the authentication fails, the key distribution request of the wearable device is rejected.
  • the key distribution network pre-stores the biometric information of the registered user and the binding relationship table of the corresponding wearable device; the identity authentication includes: searching the pre-stored binding relationship table for whether there is and received If the user's biometric information and/or the device information of the wearable device are consistent with the record, if it is found, the authentication is passed, and if it is not found, the authentication is not passed.
  • a key distribution request sent by the wearable device of the initiator is received, where the key distribution request includes a random number and other user identity information that is allowed to share the same key with itself.
  • binding relationship table of the key distribution network also stores user identity information bound to each wearable device, and the key application record table also contains a piece of "designated sharer" information;
  • the key distribution network After the key distribution network receives a key distribution request, it first determines whether the random number is included in the key application record form.
  • the key distribution request is the initiator. If the request carries the "designated sharer" information, when the key is allocated for it, the "designated sharer" carried in the key distribution request is also written Enter the key application record form;
  • the key distribution network pre-stores a shared quantum key with the wearable device, which is used for encryption and decryption of communication with the wearable device.
  • One or more embodiments provide a wearable device that stores random numbers in advance
  • the key distribution request also includes the user biometric information collected by the wearable device, and/or the device information of the wearable device, and/or the upper limit of the number of key distribution members, and/or the key "Designated sharer" information.
  • the service key is displayed in an encoded form for the mobile terminal to scan.
  • the service key is divided into multiple segments, which are sequentially displayed in coded form for scanning by the mobile terminal.
  • the wearable device pre-stores a shared quantum key with the key distribution network for encryption and decryption of communication with the key distribution network.
  • the wearable device pre-stores a shared quantum key with the mobile terminal, which is used for encryption and decryption of communication with the mobile terminal.
  • One or more embodiments provide a secure communication method for performing secure communication based on the service key obtained by the above distribution method.
  • the user who wants to establish communication only needs to agree on a random number and store it in the wearable device, then the random key can be obtained through the key distribution network, and the user can change and distribute at any time.
  • the security of the new business key is significantly improved.
  • This application uses a wearable device with the function of uploading biometric information as an isolator between the key distribution network and the mobile terminal that actually uses the quantum key for communication, which solves the problem of dynamically distributing quantum keys for legal mobile terminals.
  • the problem is that the key distribution network recognizes the biometric information uploaded by the wearable device, which ensures that the mobile terminal that distributes the key is the owner.
  • This application uses the two-dimensional code optical scanning method to solve the "last mile" of quantum key transmission, which can effectively prevent the signal leakage problem of near-field wireless transmission methods such as Bluetooth.
  • the mobile terminal and the corresponding wearable device can both pre-store the shared quantum key between the two, and the wearable device will encrypt
  • the service key is displayed in the form of a two-dimensional code, and the mobile terminal scans the two-dimensional code and decrypts to obtain the service key. In this way, even if the two-dimensional code graphic on the wearable device is captured by other camera equipment or camera equipment, the attacker cannot obtain the key through illegal scanning.
  • Figure 1 is a flow chart of the key distribution method
  • Fig. 2 is a flowchart of an example of key distribution based on a wearable device.
  • the mobile terminals referred to in this application include but are not limited to mobile phones and tablets, and all electronic devices capable of network connection are suitable for the mobile terminals of this application.
  • the wearable devices mentioned in this application include, but are not limited to, smart rings, smart bracelets, smart watches, smart necklaces and other small devices that come in contact with the human body and are carried around.
  • the wearable device has the function of biological information recognition, the function of wireless network transmission of data, the key storage function, and the two-dimensional code display function.
  • Wearable device access to the network that is, the wearable device is registered to the key distribution network in advance, and the shared quantum key with the key distribution network is stored in advance.
  • the registration method is: wearable device holders (which can be individuals, or wearable device manufacturers, sellers, and users) first go to the operating agency of the key distribution network to go through the relevant procedures for registration and access to the network, and the key The operating agency of the distribution network is responsible for reviewing the user’s network access application. If approved, each wearable device that applies for network access will be issued a unique quantum identity number distributed by the key distribution network in the entire network. The quantum identity number is Stored in the permanent storage medium of the wearable device applying for access to the network.
  • the shared key pre-stored on the wearable device during registration with the key distribution network can be used for a long time. If you want to improve security, you can change the shared key stored on the wearable device regularly.
  • One method is that the key distribution network generates a new key, encrypts the new shared key with the old shared key, and sends it to the wearable device.
  • the biometric information can be one or more of heartbeat information, blood pressure information, fingerprint information, retina information, iris information, voiceprint information, vein information, facial information, and handwriting signature information, which are collected and submitted through a wearable device To the key distribution network.
  • This embodiment discloses a key distribution method, as shown in Figure 1,
  • Step 1 A plurality of wearable devices respectively send a key distribution request to the key distribution network, and the key distribution request includes a random number;
  • Step 2 The key distribution network receives the key distribution request, and distributes the service key required for communication to the wearable device with the same random number.
  • the random number may be agreed in advance and stored in the multiple wearable devices; it may also be generated by any one of the multiple wearable devices and then shared with other wearable devices.
  • the key distribution network manages a key application record table, and the record table includes the following fields: an application random number, a key identifier, and a distribution situation of the key.
  • the distribution of the key counts the wearable devices to which the key is currently distributed, and/or records the device information of the wearable device.
  • the key distribution network when the key distribution network generates a new quantum key, the quantum key is stored and the identification information of the quantum key is generated, a new record is created in the key application record table, and the The identification information is entered into the key identification field, and the allocation status field is set to "unallocated", or the initial value is 0.
  • the distribution situation includes:
  • the allocating service keys required for communication to wearable devices with the same random number specifically includes:
  • Step 2.1 Obtain the random number in the key distribution request
  • Step 2.2 Look for the random number in all the "incomplete allocation" items in the key application record table:
  • the quantum random key corresponding to the random number is sent to the wearable device, and the corresponding "allocation situation" is set to "Fully allocated”.
  • the above distribution method can be extended to the situation of more than two users, the upper limit of the number of users to be shared with the key is N, N ⁇ 2, and the communication is distributed to wearable devices with the same random number
  • the required business keys specifically include:
  • the specific value of the upper limit N can be set by the key distribution network, or it can be the earliest that the key distribution network is sent to the key distribution network among multiple wearable devices that are to share the same service key.
  • the key distribution request is carried in the key distribution request of the wearable device.
  • the random number is 5a9bec90256f83, and the maximum number of users of this shared key is 10, then the same random number 5a9bec90256f83 is sent to the key distribution network Users, on a first-come, first-served basis, up to 10 people can be assigned to the business key corresponding to the random number 5a9bec90256f83 in the key application record table.
  • the above key distribution method can be extended to the situation where the number of users sharing the key is not limited, that is, as long as the legal wearable device holds the agreed random number to initiate the key distribution request, the key The distribution network allocates the key corresponding to the random number to it.
  • the key distribution request further includes user biometric information of the holder obtained by the wearable device, and/or device information of the wearable device.
  • the key distribution network After the key distribution network receives the key distribution request sent by any wearable device, it performs identity authentication based on the user biometric information and/or the device information, and if the authentication is passed, performs the key based on the random number Distribution; if the authentication fails, the key distribution request of the wearable device is rejected.
  • the key distribution network pre-stores the biometric information of the registered user and the binding relationship table of the corresponding wearable device.
  • the table includes the biometric information of the user and the device information of the user's wearable device.
  • the identity authentication refers to finding in the binding relationship table whether there is a record consistent with the received user biometric information and/or the device information of the wearable device. If it exists, the authentication is passed, otherwise, the authentication is not passed. .
  • if the identity authentication fails perform one or more of the following operations:
  • the key distribution network sends an alarm signal to the wearable device, and after the wearable device receives the alarm signal, it alarms the surroundings or specific institutions by voice or other forms;
  • the key distribution network sends an alarm signal to the wearable device. After the wearable device receives the alarm signal, it collects the current location in real time, and sends it to the key distribution network every set time interval;
  • the key distribution network sends an alarm signal to the wearable device. After the wearable device receives the alarm signal, it deletes the pre-stored shared key with the key distribution network, and deletes other stored sensitive information ;
  • the key distribution network cancels or suspends the use authority of the wearable device.
  • the binding relationship table of the key distribution network also stores user identity information (for example, mobile phone number, social network account, etc.) bound to each wearable device.
  • user identity information for example, mobile phone number, social network account, etc.
  • one of the multiple wearable devices as the initiator first sends a key distribution request, and specifies the identity of other users who are allowed to share the same key with itself in the key distribution request.
  • the key application record form also contains a "designated sharer" information.
  • the key distribution network After the key distribution network receives a key distribution request, if the random number is not included in the key application record form, the key distribution request is the initiator. If the request carries the information of "designated sharer" , While assigning the key to it, the "designated sharer" carried in the key distribution request should be written into the key application record form, as shown in Table 2:
  • the key corresponding to the random number carried in the key distribution request is in an incompletely distributed state, it is necessary to further check whether the applicant is in the designated sharer list corresponding to the key. If it is not in the table, it will be rejected Assign the key.
  • the distribution status stores the information of all applicants who have applied for the quantum random key, so that the number of applicants can also be calculated, and the stored applicant information can also be used for further authority control or Additional services and other uses.
  • wearable devices are not directly used as communication tools, and wearable devices are directly used for voice calls or text information communication, and more mobile terminals are used. Based on this, the method further includes:
  • Step 3 The wearable device provides the received service key to the mobile terminal.
  • Multiple users use mobile terminals to obtain the service key from the wearable device, and perform confidential communication based on the service key.
  • the wearable device preferably provides the received service key to the mobile terminal in the form of a two-dimensional code.
  • the wearable device can divide the key K into several parts , One by one converted into two-dimensional codes for mobile terminals to scan.
  • the plurality of wearable devices are registered in the key distribution network in advance, and the shared quantum key with the key distribution network is stored in advance.
  • the shared quantum key is used for encryption and decryption between the wearable device and the key distribution network information communication.
  • the quantum random key K shared by the mobile terminal has a small capacity, and its use can be used as a key seed to generate a business key that can be used for one-time encryption; or as an existing traditional
  • the use of business keys for symmetric encryption algorithms such as 3DES, AES, etc.
  • 3DES 3DES, AES, etc.
  • the method given in this embodiment allows users to change and distribute new service keys at any time. The security is significantly improved, and mobile phones or other mobile terminals do not require any hardware modification.
  • the mobile terminal and the wearable device are connected in a wireless or wired manner; for stricter security considerations, in order to avoid clear text transmission between the mobile terminal and the wearable device, the mobile terminal can also be connected to the wearable device. Both the terminal and the corresponding wearable device are registered in the key distribution network, and the mobile terminal and the corresponding wearable device both pre-store the shared quantum key between the two.
  • the wearable device encrypts the service key and displays the encrypted service key in the form of a two-dimensional code; the mobile terminal scans the two-dimensional code and decrypts to obtain the service key. In this way, even if the two-dimensional code graphic on the wearable device is captured by other camera equipment or camera equipment, the attacker cannot obtain the key through illegal scanning.
  • the wearable device W1 and the wearable device W2 agree on a one-time random number.
  • This random number can be generated by the party to which W1 or W2 belongs, and then notified to the other party.
  • the wearable device W1 collects the biometric information of its own user, together with the random number, uses the shared quantum key encryption with the key distribution network Q, and sends it to the key distribution network Q;
  • the key distribution network Q decrypts the information sent by W1 after receiving it, searches the biometric information sent by W1 in its own stored biometric information database, and compares and verifies it. If it matches, the key distribution network Q generates a quantum random Key K, use the shared quantum key with wearable device W1 to encrypt K, send it to wearable device W1, and set the distribution status in the key application record table to "incomplete distribution";
  • the wearable device W1 After the wearable device W1 receives the quantum random key K, it converts the information contained in it into a two-dimensional code and displays it on the screen of the wearable device W1; the mobile terminal T1 scans the two-dimensional code to obtain the quantum random key K;
  • the wearable device W2 collects the biometric information of its own user, together with the random number, uses the shared quantum key encryption with the key distribution network Q, and sends it to the key distribution network Q;
  • the key distribution network Q decrypts the information sent by W2 after receiving it, searches the biometric information sent by W2 in its own stored biometric information database, and compares and verifies it. If it matches, the key distribution network Q applies for the key Look up the random number in the "not fully allocated" record in the record table. If it is found, use the shared quantum key between the corresponding quantum random key K and the wearable device W2 to encrypt K, and then issue it To wearable device W2;
  • the wearable device W2 After the wearable device W2 receives the quantum random key K, it converts the information contained in it into a two-dimensional code and displays it on the screen of the wearable device W2; the mobile terminal T2 scans the two-dimensional code to obtain the quantum random key K.
  • the mobile terminals T1 and T2 can use the shared quantum random key K for secure communication.
  • this embodiment provides a key distribution system, including:
  • a plurality of wearable devices respectively send a key distribution request to the key distribution network, where the key distribution request includes a random number;
  • the key distribution network receives the key distribution request, and distributes service keys required for communication to wearable devices with the same random number.
  • the random number may be agreed in advance and stored in the multiple wearable devices; it may also be generated by any one of the multiple wearable devices and then shared with other wearable devices.
  • the key distribution network manages a key application record table, and the record table includes the following fields: an application random number, a key identifier, and a distribution situation of the key.
  • the distribution of the key counts the wearable devices to which the key is currently distributed, and/or records the device information of the wearable device.
  • the allocating service keys required for communication to wearable devices with the same random number specifically includes:
  • the quantum random key corresponding to the random number is sent to the wearable device, and the allocation status field of the record where the random number is located is set to full allocation.
  • the above distribution method can be extended to the situation of more than two users, the upper limit of the number of users to be shared with the key is N, N ⁇ 2, and the communication is distributed to wearable devices with the same random number
  • the required business keys specifically include:
  • the specific value of the upper limit N can be set by the key distribution network, or it can be the earliest that the key distribution network is sent to the key distribution network among multiple wearable devices that are to share the same service key.
  • the key distribution request is carried in the key distribution request of the wearable device.
  • the above key distribution method can be extended to the situation where the number of users sharing the key is not limited, that is, as long as the legal wearable device holds the agreed random number to initiate the key distribution request, the key The distribution network allocates the key corresponding to the random number to it.
  • the key distribution request further includes user biometric information of the holder obtained by the wearable device, and/or device information of the wearable device.
  • the key distribution network After the key distribution network receives the key distribution request sent by any wearable device, it performs identity authentication based on the user biometric information and/or the device information, and if the authentication is passed, performs the key based on the random number Distribution; if the authentication fails, the key distribution request of the wearable device is rejected.
  • the key distribution network pre-stores the biometric information of the registered user and the binding relationship table of the corresponding wearable device.
  • the table includes the biometric information of the user and the device information of the user's wearable device.
  • the identity authentication refers to finding in the binding relationship table whether there is a record consistent with the received user biometric information and/or the device information of the wearable device. If it exists, the authentication is passed, otherwise, the authentication is not passed. .
  • if the identity authentication fails perform one or more of the following operations:
  • the key distribution network sends an alarm signal to the wearable device, and after the wearable device receives the alarm signal, it alarms the surroundings or specific institutions by voice or other forms;
  • the key distribution network sends an alarm signal to the wearable device. After the wearable device receives the alarm signal, it collects the current location in real time, and sends it to the key distribution network every set time interval;
  • the key distribution network sends an alarm signal to the wearable device. After the wearable device receives the alarm signal, it deletes the pre-stored shared key with the key distribution network, and deletes other stored sensitive information ;
  • the key distribution network cancels or suspends the use authority of the wearable device.
  • the binding relationship table of the key distribution network also stores user identity information (for example, mobile phone number, social network account, etc.) bound to each wearable device.
  • user identity information for example, mobile phone number, social network account, etc.
  • one of the plurality of wearable devices as the initiator first sends a key distribution request, and specifies the identity of other users who are allowed to share the same key with itself in the key distribution request.
  • the key application record form also contains a "designated sharer" information.
  • the key distribution network After the key distribution network receives a key distribution request, if the random number is not included in the key application record form, it means that the requester of the key distribution request is the first initiator of the shared key. If the request carries the "designated sharer" information, the "designated sharer" carried in the key distribution request should be written into the key application record form at the same time when the key is allocated for it.
  • the key corresponding to the random number carried in the key distribution request is in an incompletely distributed state, it is necessary to further check whether the applicant is in the designated sharer list corresponding to the key. If it is not in the table, it will be rejected Assign the key.
  • the distribution status stores the information of all applicants who have applied for the quantum random key, so that the number of applicants can also be calculated, and the stored applicant information can also be used for further authority control or Additional services and other uses.
  • the wearable device pre-stores a shared quantum key with the key distribution network for encryption and decryption of communication with the key distribution network.
  • wearable devices are not directly used as communication tools, and wearable devices are directly used for voice calls or text information communication, and more mobile terminals are used.
  • the system further includes:
  • the mobile terminal obtains the service key from the wearable device.
  • Multiple users use mobile terminals to obtain the service key from the wearable device, and perform confidential communication based on the service key.
  • the wearable device preferably provides the received service key to the mobile terminal in the form of a two-dimensional code.
  • the wearable device can divide the key K into several parts , One by one converted into two-dimensional codes for mobile terminals to scan.
  • the plurality of wearable devices are registered in the key distribution network in advance, and the shared quantum key with the key distribution network is stored in advance.
  • the shared quantum key is used for encryption and decryption between the wearable device and the key distribution network information communication.
  • This embodiment provides a key distribution network.
  • the key distribution network manages a key application record table, and the record table includes the following fields: an application random number, a key identifier, and the distribution of the key; wherein the distribution of the key is related to the current
  • the wearable device that distributes the key counts, and/or records the device information of the wearable device.
  • the quantum random key corresponding to the random number is sent to the wearable device, and the allocation status field of the record where the random number is located is set to full allocation.
  • the above distribution method can be extended to the situation of more than two users, the upper limit of the number of users to be shared with the key is N, N ⁇ 2; the distribution of communications to wearable devices with the same random number
  • the required business keys include:
  • the specific value of the upper limit N can be set by the key distribution network, or it can be the earliest that the key distribution network is sent to the key distribution network among multiple wearable devices that are to share the same service key.
  • the key distribution request is carried in the key distribution request of the wearable device.
  • the above key distribution method can be extended to the situation where the number of users sharing the key is not limited, that is, as long as the legal wearable device holds the agreed random number to initiate the key distribution request, the key The distribution network allocates the key corresponding to the random number to it.
  • the key distribution request further includes user biometric information obtained via a wearable device, and/or device information of the wearable device;
  • the key distribution network After the key distribution network receives the key distribution request sent by any wearable device, it performs identity authentication based on the user biometric information and/or the device information, and if the authentication is passed, performs the key based on the random number Distribution; if the authentication fails, the key distribution request of the wearable device is rejected.
  • the key distribution network pre-stores the biometric information of the registered user and the binding relationship table of the corresponding wearable device.
  • the table includes the biometric information of the user and the wearable device of the user.
  • Device information; the identity authentication includes: searching in the pre-stored binding relationship table whether there is a record consistent with the received user biometric information and/or the device information of the wearable device, and if it is found, the authentication is passed If it is not found, the authentication is not passed.
  • if the identity authentication fails perform one or more of the following operations:
  • the key distribution network sends an alarm signal to the wearable device, and after the wearable device receives the alarm signal, it alarms the surroundings or specific institutions by voice or other forms;
  • the key distribution network sends an alarm signal to the wearable device. After the wearable device receives the alarm signal, it collects the current location in real time, and sends it to the key distribution network every set time interval;
  • the key distribution network sends an alarm signal to the wearable device. After the wearable device receives the alarm signal, it deletes the pre-stored shared key with the key distribution network, and deletes other stored sensitive information ;
  • the key distribution network cancels or suspends the use authority of the wearable device.
  • the binding relationship table of the key distribution network also stores user identity information (for example, mobile phone number, social network account, etc.) bound to each wearable device.
  • user identity information for example, mobile phone number, social network account, etc.
  • one of the plurality of wearable devices as the initiator first sends a key distribution request, and specifies the identity of other users who are allowed to share the same key with itself in the key distribution request.
  • the key application record form also contains a "designated sharer" information.
  • the key distribution network After the key distribution network receives a key distribution request, if the random number is not included in the key application record form, the key distribution request is the initiator. If the request carries the information of "designated sharer" , When assigning the key to it, the "designated sharer" carried in the key distribution request should be written into the key application record form.
  • the key corresponding to the random number carried in the key distribution request is in an incompletely distributed state, it is necessary to further check whether the applicant is in the designated sharer list corresponding to the key. If it is not in the table, it will be rejected Assign the key.
  • the distribution status stores the information of all applicants who have applied for the quantum random key, so that the number of applicants can also be calculated, and the stored applicant information can also be used for further authority control or Additional services and other uses.
  • the key distribution network pre-stores a shared quantum key with the wearable device, which is used for encryption and decryption of communication with the wearable device.
  • This embodiment provides a wearable device that stores random numbers in advance
  • the key distribution request further includes the user biometric information collected by the wearable device, and/or the device information of the wearable device, and/or the upper limit of the number of key distributors, and / Or the "designated sharer" information of the key.
  • the wearable device after receiving the service key, displays the service key in an encoded form for the mobile terminal to scan.
  • the service key is divided into multiple segments, which are sequentially displayed in coded form for scanning by the mobile terminal.
  • the wearable device preferably provides the received service key to the mobile terminal in the form of a two-dimensional code.
  • the wearable device pre-stores a shared quantum key with the key distribution network for encryption and decryption of communication with the key distribution network.
  • the wearable device pre-stores a shared quantum key with the mobile terminal for encryption and decryption of communication with the mobile terminal.
  • the user who wants to establish communication only needs to agree on a random number and store it in the wearable device, then the random key can be obtained through the key distribution network, and the user can change and distribute it at any time.
  • the security of the new service key is significantly improved.
  • This application uses a wearable device with the function of uploading biometric information as an isolator between the key distribution network and the mobile terminal that actually uses the quantum key for communication, which solves the problem of dynamically distributing quantum keys for legal mobile terminals.
  • the problem is that the key distribution network recognizes the biometric information uploaded by the wearable device, which ensures that the mobile terminal that distributes the key is the owner.
  • This application uses the two-dimensional code optical scanning method to solve the "last mile" of quantum key transmission, which can effectively prevent the signal leakage problem of near-field wireless transmission methods such as Bluetooth.
  • the mobile terminal and the corresponding wearable device can both pre-store the shared quantum key between the two, and the wearable device will encrypt
  • the service key is displayed in the form of a two-dimensional code, and the mobile terminal scans the two-dimensional code and decrypts to obtain the service key. In this way, even if the two-dimensional code graphic on the wearable device is captured by other camera equipment or camera equipment, the attacker cannot obtain the key through illegal scanning.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

La présente invention concerne un procédé et un système de distribution de clé pour une clé quantique, et un dispositif portable. Le procédé comprend les étapes suivantes : une pluralité de dispositifs portables envoient respectivement des requêtes de distribution de clé à un réseau de distribution de clé, chaque requête de distribution de clé comprenant un nombre aléatoire ; le réseau de distribution de clé reçoit la demande de distribution de clé et distribue des clés de service nécessaires à des communications vers les dispositifs portables ayant le même nombre aléatoire. Un utilisateur qui s'apprête à établir une communication doit simplement convenir d'un nombre aléatoire et mémorise le nombre aléatoire dans le dispositif portable, une clé aléatoire peut être obtenue au moyen du réseau de distribution de clé et l'utilisateur peut changer et émettre une nouvelle clé de service à tout moment ; la sécurité s'en trouve nettement améliorée.
PCT/CN2020/113814 2019-09-09 2020-09-07 Procédé et système de distribution de clé et dispositif portable Ceased WO2021047476A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910857912.3A CN112564892B (zh) 2019-09-09 2019-09-09 一种密钥分配方法、系统和可穿戴设备
CN201910857912.3 2019-09-09

Publications (1)

Publication Number Publication Date
WO2021047476A1 true WO2021047476A1 (fr) 2021-03-18

Family

ID=74866843

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/113814 Ceased WO2021047476A1 (fr) 2019-09-09 2020-09-07 Procédé et système de distribution de clé et dispositif portable

Country Status (2)

Country Link
CN (1) CN112564892B (fr)
WO (1) WO2021047476A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113781715A (zh) * 2021-09-03 2021-12-10 深圳市丰巢网络技术有限公司 一种智能柜格口封禁方法、装置、存储介质及电子设备
CN117119449A (zh) * 2023-10-20 2023-11-24 长江量子(武汉)科技有限公司 车云安全通信方法及系统

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117411632B (zh) * 2023-11-30 2025-03-25 中科驭数(北京)科技有限公司 密钥管理方法、密钥管理装置及存储介质

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110243331A1 (en) * 2008-12-10 2011-10-06 Nec Corporation Shared random numbers management method and management system in secret communication network
CN109561056A (zh) * 2017-09-27 2019-04-02 山东量子科学技术研究院有限公司 一种保密通信方法、系统、移动终端和可穿戴设备
CN109951381A (zh) * 2019-04-24 2019-06-28 长春大学 一种基于量子密钥公共云服务平台的邮件安全传输方法

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104618109B (zh) * 2014-12-31 2018-04-27 国家电网公司 一种基于数字签名的电力终端数据安全传输方法
CN105704729B (zh) * 2016-01-22 2019-03-08 南京大学 一种采用改进的人工蜂群算法的无线传感器部署方法
CN106452750B (zh) * 2016-10-19 2019-05-03 长春大学 一种用于移动设备的量子加密通信方法
CN106789000A (zh) * 2016-12-13 2017-05-31 北京握奇智能科技有限公司 一种基于tee技术和可穿戴设备的私密通话系统和方法
US10390218B2 (en) * 2017-02-17 2019-08-20 At&T Intellectual Property I, L.P. Dynamically requesting mobile devices to report network information

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110243331A1 (en) * 2008-12-10 2011-10-06 Nec Corporation Shared random numbers management method and management system in secret communication network
CN109561056A (zh) * 2017-09-27 2019-04-02 山东量子科学技术研究院有限公司 一种保密通信方法、系统、移动终端和可穿戴设备
CN109951381A (zh) * 2019-04-24 2019-06-28 长春大学 一种基于量子密钥公共云服务平台的邮件安全传输方法

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113781715A (zh) * 2021-09-03 2021-12-10 深圳市丰巢网络技术有限公司 一种智能柜格口封禁方法、装置、存储介质及电子设备
CN113781715B (zh) * 2021-09-03 2023-05-26 深圳市丰巢网络技术有限公司 一种智能柜格口封禁方法、装置、存储介质及电子设备
CN117119449A (zh) * 2023-10-20 2023-11-24 长江量子(武汉)科技有限公司 车云安全通信方法及系统
CN117119449B (zh) * 2023-10-20 2024-01-19 长江量子(武汉)科技有限公司 车云安全通信方法及系统

Also Published As

Publication number Publication date
CN112564892A (zh) 2021-03-26
CN112564892B (zh) 2022-02-22

Similar Documents

Publication Publication Date Title
US12335725B2 (en) Quorum-based secure authentication
WO2021047477A1 (fr) Procédé et système d'attribution de clé, terminal mobile et dispositif portable
US10327142B2 (en) Secure short message service (SMS) communications
CN101500224B (zh) 电信智能卡的多应用管理服务器、多应用管理方法及系统
CN110378097A (zh) 保障传感器数据安全
WO2021047476A1 (fr) Procédé et système de distribution de clé et dispositif portable
JP7151928B2 (ja) 認証サーバ、認証サーバの制御方法及びプログラム
CN107333263B (zh) 一种改进型的sim卡以及移动通信身份识别方法和系统
JP7124988B2 (ja) 認証サーバ、認証システム、認証サーバの制御方法及びプログラム
WO2018121377A1 (fr) Procédé, dispositif et système de transaction utilisés dans un environnement de réalité virtuelle
US20230208637A1 (en) Key management method and apparatus
EP3198752B1 (fr) Partage de données utilisant la communication par le corps
CN105701390A (zh) 加密终端远程管理的方法、加密终端及管理器
US20250047667A1 (en) Collaboration application integration for user-identity verification
CN110138712A (zh) 身份认证方法、装置、介质、机器人及系统
CN106656986A (zh) 一种生物特征鉴权的方法及装置
WO2019216847A2 (fr) Système de sécurité de données basé sur sim
CN115412236A (zh) 一种密钥管理和密码计算的方法、加密方法及装置
CN116582281B (zh) 一种基于密码技术的安全人脸识别方法、系统及设备
JP2014135558A (ja) 情報移譲システム、情報移譲方法、情報移譲プログラム
JP7248184B2 (ja) サーバ、システム、方法及びプログラム
WO2022237550A1 (fr) Procédé, appareil et système d'authentification de contrôle d'accès pour empêcher une fuite de confidentialité
JP2023060352A (ja) サーバ、システム、方法及びプログラム
WO2023236042A1 (fr) Procédé et appareil de reconnaissance de caractéristiques biologiques, et dispositif électronique et support de stockage
HK1240376B (zh) 用於虚拟现实环境的交易方法、装置及系统

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20862647

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20862647

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 20862647

Country of ref document: EP

Kind code of ref document: A1