
WO2025236608A1 - Information verification method and related device - Google Patents

Information verification method and related device

Info

Publication number
WO2025236608A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
encrypted
random number
server
terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/CN2024/135341
Other languages
French (fr)
Chinese (zh)
Inventor
王靖然
王锦华
谢杨
薛伟佳
王聪丽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd Technology Innovation Center
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd Technology Innovation Center
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd Technology Innovation Center and China Telecom Corp Ltd
Publication of WO2025236608A1
Legal status: pending

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/12 Applying verification of the received information
            • H04L63/04 For providing a confidential data exchange among entities communicating through data packet networks
                • H04L63/0428 Wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L63/0442 Wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
            • H04L63/06 For supporting key management in a packet data network
        • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                    • H04L9/0869 Involving random numbers or seeds
            • H04L9/40 Network security protocols

Definitions

  • This disclosure relates to the field of information security technology, and in particular to an information verification method and related equipment.
  • This disclosure provides an information verification method and related equipment, which at least to some extent overcomes the problem that asymmetric algorithms in related technologies cannot guarantee the security of the information verification process.
  • an information verification method applied to a terminal, comprising: generating a random number and encrypting it using a quantum-resistant public key to determine an encrypted random number; determining a session key based on a first shared key and the random number, wherein the first shared key is determined based on a server public key and a terminal public key; determining encrypted signaling data based on the session key and signaling data; and sending a signaling message to a server to enable the server to verify the signaling message, wherein the signaling message includes the encrypted signaling data and the encrypted random number.
  • Before generating the random number and encrypting it with the quantum-resistant public key, the method further includes: determining the first shared key based on the server public key and the terminal public key; encrypting the user's login information with the first shared key to obtain the user's encrypted login information; and sending the user's encrypted login information and the terminal public key to the server for user registration.
  • the signaling message further includes: the terminal login information and a hash message authentication code, wherein the hash message authentication code is generated based on the session key.
  • an information verification method applied to a server, comprising: acquiring a signaling message sent by a terminal, wherein the signaling message includes an encrypted random number and encrypted signaling data; decrypting the encrypted random number using a quantum-resistant private key to determine a random number; determining a session key based on a first shared key and the random number, wherein the first shared key is determined based on a server public key and a terminal public key; and decrypting the encrypted signaling data using the session key.
  • the signaling message further includes: the terminal login information and a hash message authentication code, wherein the hash message authentication code is generated based on a session key; before decrypting the encrypted signaling data based on the session key, the method further includes: verifying the hash message authentication code based on the session key; if the verification is successful, decrypting the encrypted signaling data based on the session key.
  • an information verification device applied to a terminal, comprising: an encrypted random number determination module, configured to generate a random number and encrypt it using a quantum-resistant public key to determine the encrypted random number; a session key first determination module, configured to determine a session key based on a first shared key and the random number, wherein the first shared key is determined based on a server public key and a terminal public key; an encrypted signaling data determination module, configured to determine encrypted signaling data based on the session key and the signaling data; and a signaling message sending module, configured to send a signaling message to a server so that the server can verify the signaling message, wherein the signaling message includes the encrypted signaling data and the encrypted random number.
  • an information verification device applied to a server, comprising: a signaling message acquisition module, configured to acquire a signaling message sent by a terminal, wherein the signaling message includes an encrypted random number and encrypted signaling data; a random number determination module, configured to decrypt the encrypted random number using a quantum-resistant private key to determine a random number; a session key second determination module, configured to determine a session key based on a first shared key and the random number, wherein the first shared key is determined based on a server public key and a terminal public key; and a signaling data decryption module, configured to decrypt the encrypted signaling data using the session key.
  • an information verification system comprising: a terminal generating a random number and encrypting it using a quantum-resistant public key to determine an encrypted random number; the terminal determining a session key based on a first shared key and the random number, wherein the first shared key is determined based on a server public key and a terminal public key; the terminal determining encrypted signaling data based on the session key and signaling data; the terminal sending a signaling message to a server, wherein the signaling message includes the encrypted signaling data and the encrypted random number; the server acquiring the signaling message sent by the terminal; the server decrypting the encrypted random number using a quantum-resistant private key to determine a random number; the server determining a session key based on the first shared key and the random number; and the server decrypting the encrypted signaling data using the session key.
  • an electronic device comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the information verification method described in any one of the preceding claims by executing the executable instructions.
  • a computer-readable storage medium on which a computer program is stored, which, when executed by a processor, implements the information verification method described in any one of the preceding claims.
  • a computer program product including a computer program that, when executed by a processor, implements the information verification method described above.
  • By combining the key produced by a traditional key negotiation algorithm with a key encapsulated under a quantum-resistant algorithm, this disclosure resists quantum computing attacks on the key exchange and protects the information being verified.
  • Figure 1 shows a schematic diagram of an information verification system structure according to an embodiment of the present disclosure
  • Figure 2 shows a flowchart of an information verification method applied to a terminal according to an embodiment of the present disclosure
  • Figure 3 shows a flowchart of a specific example of an information verification method applied to a terminal according to an embodiment of the present disclosure
  • Figure 4 shows a flowchart of an information verification method applied to the server in an embodiment of this disclosure
  • Figure 5 shows a flowchart of a specific example of an information verification method applied to a server in this disclosure embodiment
  • Figure 6 shows a schematic flowchart of an information verification method applied between a terminal and a server in an embodiment of this disclosure.
  • Figure 7 shows a schematic diagram of an information verification device applied to a terminal in an embodiment of the present disclosure
  • Figure 8 shows a schematic diagram of an information verification device applied to a server in an embodiment of this disclosure
  • Figure 9 shows a structural block diagram of a computer device according to an embodiment of the present disclosure.
  • PQC: quantum-resistant cryptography, also called post-quantum cryptography
  • HMAC: hash-based message authentication code
  • Figure 1 illustrates an exemplary application system architecture for which the information verification method of this disclosure can be applied.
  • the system architecture may include a terminal device 101, a network 102, and a server 103.
  • Network 102 is a medium used to provide a communication link between terminal device 101 and server 103, and can be a wired network or a wireless network.
  • the aforementioned wireless or wired networks use standard communication technologies and/or protocols.
  • the network is typically the Internet, but can also be any network, including but not limited to Local Area Network (LAN), Metropolitan Area Network (MAN), Wide Area Network (WAN), mobile, wired or wireless networks, private networks, or any combination of virtual private networks.
  • technologies and/or formats including Hypertext Markup Language (HTML), Extensible Markup Language (XML), etc. are used to represent data exchanged over the network.
  • All or some of the links can be protected with conventional transport-layer mechanisms such as Transport Layer Security (TLS), its obsolete predecessor Secure Sockets Layer (SSL), Virtual Private Networks (VPN) and Internet Protocol Security (IPsec).
  • customized and/or dedicated data communication technologies may be used to replace or supplement the aforementioned data communication technologies.
  • Terminal device 101 can be various electronic devices, including but not limited to smartphones, tablets, laptops, desktop computers, smart speakers, smartwatches, wearable devices, augmented reality devices, virtual reality devices, etc.
  • The clients of an application installed on different terminal devices 101 may be identical, or may be clients of the same type of application built for different operating systems.
  • the specific form of the application client may also be different; for example, the application client may be a mobile client, a PC client, etc.
  • Server 103 can be a server that provides various services, such as a backend management server that supports the device operated by the user using terminal device 101.
  • the backend management server can analyze and process received requests and other data, and feed the processing results back to the terminal device.
  • the server can be a standalone physical server, a server cluster or distributed system consisting of multiple physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms.
  • the terminal generates a random number and encrypts it using a quantum-resistant public key to determine an encrypted random number; the terminal determines a session key based on a first shared key and the random number, wherein the first shared key is determined based on the server's public key and the terminal's public key; the terminal determines encrypted signaling data based on the session key and signaling data; the terminal sends a signaling message to the server, wherein the signaling message includes encrypted signaling data and an encrypted random number; the server receives the signaling message sent by the terminal; the server decrypts the encrypted random number using a quantum-resistant private key to determine a random number; the server determines a session key based on the first shared key and the random number; and the server decrypts the encrypted signaling data using the session key.
  • Figure 2 shows a flowchart of an information verification method applied to a terminal according to an embodiment of the present disclosure.
  • the information verification method applied to a terminal provided in this embodiment of the present disclosure includes the following steps:
  • random numbers can be numbers that are random and unpredictable within a certain range.
  • the generated numbers may be completely unrelated to the preceding numbers.
  • random numbers can be used to generate key parameters such as keys and initialization vectors to ensure the security of the encryption process.
  • Random numbers also play a crucial role in key exchange and protocol handshakes. Cryptographic hash functions map inputs of arbitrary length (including random inputs) to fixed-length outputs and are collision-resistant and one-way.
  • Hash functions and random numbers work together to ensure data security.
  • Random numbers must come from a cryptographically secure generator, such as a hardware (true) random number generator or the operating system's CSPRNG, so that they are unpredictable; a statistical PRNG seeded from the clock or a counter is predictable and unsuitable for key material.
  • the aforementioned quantum-resistant cryptography also known as post-quantum cryptography, is a new generation of cryptographic algorithms capable of resisting quantum computing attacks on existing cryptographic algorithms. It ensures the security of cryptographic algorithms in a quantum environment.
  • PQC primarily concerns asymmetric algorithms that run on classical computers and for which no efficient quantum attack is known (unlike RSA and Diffie-Hellman, which Shor's algorithm breaks).
  • The algorithms NIST selected for standardization are the public-key encryption and key-encapsulation scheme CRYSTALS-Kyber and the digital signature schemes CRYSTALS-Dilithium, FALCON and SPHINCS+. In August 2024 NIST published the final standards FIPS 203 (ML-KEM, derived from Kyber), FIPS 204 (ML-DSA, from Dilithium) and FIPS 205 (SLH-DSA, from SPHINCS+); the FALCON-based FN-DSA standard was still pending at the time of writing.
  • the public key mentioned above can be the non-secret half of a key pair, which can be used to encrypt information.
  • A public key and a private key are generated together as a key pair by a key-generation algorithm: one half is published (the public key) and the other is kept secret (the private key).
  • A freshly generated key pair is distinct from every other key pair with overwhelming probability, but only if the generator draws from a cryptographically secure random source; poorly seeded or reused randomness is the usual way this assumption fails in practice.
  • In the example embodiment the terminal generates the random number and encrypts it under the platform's (server's) Kyber public key. A practical caveat: Kyber as standardized (ML-KEM, FIPS 203) is a key-encapsulation mechanism whose Encaps operation derives the shared secret internally from the encapsulation key and its own randomness, so an implementation cannot pick K2 itself and "encrypt" it; K2 is the shared secret Encaps returns, and the ciphertext it produces plays the role of the encrypted random number.
  • The session key can be derived from the first shared key and the random number by XOR, concatenation, alternating merging, misaligned rearrangement, or similar combinations.
  • Concretely, the terminal generates a terminal key pair, computes the first shared key K1 by running a key negotiation algorithm (such as Diffie-Hellman) with its own private key and the server's public key, and XORs K1 with the random number K2 to obtain the session key K. In deployed hybrid schemes the two secrets are usually combined with a key derivation function (for example HKDF over K1 || K2 with the KEM ciphertext bound in) rather than a raw XOR, which keeps the derived key uniform even if one input is biased and ties it to the transcript.
  • signaling data can be encrypted using a session key to obtain encrypted signaling data.
  • a signaling message is sent to the server so that the server can verify the signaling message.
  • the signaling message includes encrypted signaling data and an encrypted random number.
  • server-side verification of signaling messages is a process of decrypting the encrypted data in the signaling messages and comparing it with the pre-stored data.
  • Before generating the random number and encrypting it with the quantum-resistant public key, the information verification method of this embodiment can register the terminal with the server through the following steps, so that the server can later verify the user's login information:
  • S306: send the user's encrypted login information and the terminal public key to the server for user registration.
  • the login information for the aforementioned users includes their account and password information.
  • Each user's encrypted login information corresponds one-to-one with the terminal's public key.
  • the aforementioned signaling message also includes: terminal login information and a hash message authentication code, wherein the hash message authentication code is generated based on the session key.
  • Figure 4 shows a flowchart of an information verification method applied to the server in an embodiment of this disclosure.
  • the information verification method applied to the server provided in this embodiment of the disclosure includes the following steps:
  • the aforementioned encrypted random number is a random number generated by the terminal and encrypted using a quantum-resistant public key.
  • the aforementioned encrypted signaling data is encrypted signaling data determined by the terminal based on the session key and the signaling data.
  • the session key is determined from the first shared key and the random number (for example by XOR, concatenation, alternating merging or misaligned rearrangement).
  • the first shared key is determined based on the server's public key and the terminal's public key.
  • S404: decrypt the encrypted random number using the quantum-resistant private key to determine the random number.
  • The private key is the secret half of the key pair; in this scheme it is used to decrypt (decapsulate) the random number that the terminal encrypted under the public key, not to encrypt.
  • The quantum-resistant algorithm is deployed on the server side: the quantum-resistant public key is published (for example, provisioned to the terminal at installation) and the quantum-resistant private key never leaves the server.
  • Data encrypted with the public key can only be decrypted with the matching private key; decryption with any other key fails. The textbook "and vice versa" (private-key encryption undone by the public key) is an RSA property that does not carry over to lattice-based KEMs such as Kyber, where signing is a separate algorithm (such as Dilithium). As above, a generated key pair is unique only with overwhelming probability, which is why proper randomness at key generation matters.
  • S406: determine the session key based on the first shared key and the random number, wherein the first shared key is determined based on the server public key and the terminal public key.
  • The server recomputes the first shared key K1 by running the key negotiation algorithm with its own private key and the terminal's public key (looked up from the registration record), then XORs K1 with the random number to obtain the session key.
  • S408: decrypt the encrypted signaling data using the session key.
  • The server decrypts the encrypted signaling data with the session key to recover the plaintext signaling data, and then uses the same session key to protect subsequent data communication in that session.
  • By combining the key produced by the traditional key negotiation algorithm with the key encapsulated under a quantum-resistant algorithm, this application resists quantum computing attacks on the key exchange and protects the exchanged information.
  • the signaling message in the information verification method provided in this embodiment further includes: terminal login information and hash message authentication code, wherein the hash message authentication code is generated based on the session key.
  • this disclosure can verify the user's login information securely through the following steps:
  • the server looks up the terminal public key based on the user account.
  • Figure 6 shows a schematic flowchart of an information verification method between a terminal and a server according to an embodiment of this disclosure.
  • the information verification method between a terminal and a server provided in this embodiment of the disclosure includes the following steps:
  • S601: install the application client on the terminal, complete initialization, and configure the server (management platform) public key and the Kyber public key (or deliver the public key information over the network);
  • the terminal generates a terminal key pair, computes the shared key K1 (the first shared key above) through the key negotiation algorithm using its own private key and the server public key, encrypts the user account and password with K1, and uploads the encrypted credentials together with the terminal public key to the server to complete device registration;
  • the server stores the terminal's public key, computes the same K1 from the terminal's public key and its own private key, decrypts the account information and stores it;
  • for each signaling exchange the terminal then sends a signaling message containing the user account, the signaling ciphertext, the K2 ciphertext, and the authentication information (HMAC) generated with K.
  • S601-S603 are for device registration
  • S604-S606 are for signaling communication.
  • The key K1 produced by the key negotiation algorithm is the same for every session; protecting each message under K1 alone would therefore expose the scheme to key reuse and replay.
  • A fresh random number K2 is generated for each signaling exchange, so the session key K = K1 ⊕ K2 differs for every session. Note that a fresh client-chosen K2 on its own does not stop an attacker from replaying an entire captured signaling message: the server would decapsulate the same K2, recompute the same K, and the HMAC would verify again. Rejecting previously seen K2 ciphertexts, or including a server-supplied nonce or counter in the exchange, is what actually defeats replay.
  • This disclosure addresses the security challenges posed by quantum computing to traditional key exchange algorithms by combining a quantum-resistant key encapsulation algorithm (using CRYSTALS-Kyber as an example) with a traditional key negotiation algorithm to improve the quantum-resistant security of information exchange during registration and login between communicating parties.
  • the login process uses a traditional key negotiation (DH) algorithm. Based on the original registration and login process, a PQC algorithm is added to enhance quantum security.
  • the terminal is configured with the platform's PQC public key, which is used to encrypt a random number K2.
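The S601-S606 exchange written out end to end, as an added example that is not the patent's code and not China Telecom's implementation. It uses Go 1.24's standard crypto/mlkem (ML-KEM-768, the standardized Kyber) for the K2 encapsulation and crypto/ecdh X25519 as the traditional key negotiation that yields K1. Everything the patent leaves open is an assumption of this example: the message field layout, AES-GCM for the signaling ciphertext, HMAC-SHA256 as the authentication code, an HKDF combiner in place of the patent's K1 ⊕ K2, the replay check on the K2 ciphertext, and the credential upload at registration being omitted. Names such as SignalingMessage, NewTerminal and Receive are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// S604 message. The patent lists account, signalling ciphertext, K2 ciphertext and an HMAC
// under K; the AES-GCM nonce, the field order and the HMAC input order are this example's choices.
type SignalingMessage struct {
	Account   string
	KEMCipher []byte // K2 encapsulated under the server's ML-KEM-768 public key
	Nonce     []byte
	Body      []byte // signalling data encrypted under the session key K
	Tag       []byte // HMAC-SHA256(K, Account || KEMCipher || Nonce || Body)
}

// sessionKeyXOR is the combiner the patent describes: K = K1 xor K2 (equal-length inputs).
func sessionKeyXOR(k1, k2 []byte) []byte {
	out := make([]byte, len(k2))
	for i := range k2 {
		out[i] = k1[i] ^ k2[i]
	}
	return out
}

// sessionKeyHKDF is what the exchange below uses instead: HKDF-SHA256 (empty salt, one
// output block) over K1 || K2, with the KEM ciphertext bound into the info string.
func sessionKeyHKDF(k1, k2, kemCipher []byte) []byte {
	extract := hmac.New(sha256.New, nil)
	extract.Write(append(append([]byte{}, k1...), k2...))
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(append(append([]byte("hybrid-signalling-v1"), kemCipher...), 1))
	return expand.Sum(nil)
}

func messageTag(k []byte, m *SignalingMessage) []byte {
	h := hmac.New(sha256.New, k)
	for _, part := range [][]byte{[]byte(m.Account), m.KEMCipher, m.Nonce, m.Body} {
		h.Write(part)
	}
	return h.Sum(nil)
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

type Server struct {
	dh    *ecdh.PrivateKey           // X25519 key-negotiation key
	kem   *mlkem.DecapsulationKey768 // quantum-resistant private key; never leaves the server
	users map[string]*ecdh.PublicKey // account -> terminal public key stored at registration (S603)
	seen  map[string]bool            // accepted KEM ciphertexts: replay check added in this example
}

type Terminal struct {
	account   string
	dh        *ecdh.PrivateKey
	serverDH  *ecdh.PublicKey
	serverKEM *mlkem.EncapsulationKey768 // provisioned at install time (S601)
}

func NewServer() *Server {
	return &Server{dh: must(ecdh.X25519().GenerateKey(rand.Reader)), kem: must(mlkem.GenerateKey768()),
		users: map[string]*ecdh.PublicKey{}, seen: map[string]bool{}}
}

// NewTerminal covers S601-S603: take the server's public keys and register the terminal public key
// (the patent also uploads the credentials encrypted under K1 at this point; omitted here).
func NewTerminal(s *Server, account string) *Terminal {
	dh := must(ecdh.X25519().GenerateKey(rand.Reader))
	s.users[account] = dh.PublicKey()
	return &Terminal{account, dh, s.dh.PublicKey(), s.kem.EncapsulationKey()}
}

// Send is S604: encapsulate K2, derive K from K1 and K2, then encrypt and authenticate.
func (t *Terminal) Send(signaling []byte) *SignalingMessage {
	k1 := must(t.dh.ECDH(t.serverDH))   // K1: own private key + server public key
	k2, ct := t.serverKEM.Encapsulate() // ML-KEM chooses K2; the terminal cannot pick it
	k := sessionKeyHKDF(k1, k2, ct)
	g := gcm(k)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	m := &SignalingMessage{t.account, ct, nonce, g.Seal(nil, nonce, signaling, nil), nil}
	m.Tag = messageTag(k, m)
	return m
}

// Receive is S605/S606: recover K2, recompute K, verify the HMAC, and only then decrypt.
func (s *Server) Receive(m *SignalingMessage) ([]byte, error) {
	pub, ok := s.users[m.Account]
	if !ok || s.seen[string(m.KEMCipher)] {
		return nil, errors.New("unknown account or replayed K2 ciphertext")
	}
	k1, err1 := s.dh.ECDH(pub) // same K1: server private key + registered terminal public key
	k2, err2 := s.kem.Decapsulate(m.KEMCipher)
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	k := sessionKeyHKDF(k1, k2, m.KEMCipher)
	if !hmac.Equal(messageTag(k, m), m.Tag) { // a forged K2 ciphertext also ends here
		return nil, errors.New("HMAC verification failed")
	}
	plain, err := gcm(k).Open(nil, m.Nonce, m.Body, nil)
	if err == nil {
		s.seen[string(m.KEMCipher)] = true
	}
	return plain, err
}
```

Two design points differ from the patent text on purpose. The HMAC is checked before any decryption, and a bit flipped in the K2 ciphertext does not raise a decapsulation error with ML-KEM (implicit rejection returns an unrelated key), so the HMAC check is the only thing that catches it. The `seen` set is what turns the fresh K2 into real replay protection; without it the same captured message would be accepted every time. `sessionKeyXOR` is kept only to show the patent's combiner next to the HKDF one.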
  • this disclosure also provides an information verification device for a terminal, as described in the following embodiments. Since the principle by which this device embodiment solves the problem is similar to that of the above-described method embodiments, the implementation of this device embodiment can refer to the implementation of the above-described method embodiments, and repeated details will not be elaborated further.
  • Figure 7 shows a schematic diagram of an information verification device applied to a terminal in an embodiment of the present disclosure.
  • the device includes: an encrypted random number determination module 71, a session key first determination module 72, an encrypted signaling data determination module 73, a signaling message sending module 74, a first shared key determination module 75, a login information encryption module 76, and a registration module 77.
  • the encrypted random number determination module 71 is used to generate a random number and encrypt it according to the quantum-resistant public key to determine the encrypted random number;
  • the session key first determination module 72 is used to determine the session key based on the first shared key and the random number, wherein the first shared key is determined based on the server public key and the terminal public key;
  • the encrypted signaling data determination module 73 is used to determine the encrypted signaling data based on the session key and the signaling data;
  • the signaling message sending module 74 is used to send signaling messages to the server so that the server can verify the signaling messages.
  • the signaling messages include the encrypted signaling data and the encrypted random number.
  • the aforementioned information verification device applied to the terminal further includes a first shared key determination module 75, used to determine a first shared key based on the server public key and the terminal public key.
  • the aforementioned information verification device applied to the terminal further includes a login information encryption module 76, used to encrypt the user's login information according to the first shared key, and to determine the user's encrypted login information.
  • the aforementioned information verification device applied to the terminal further includes a registration module 77, used to send the user's encrypted login information and the terminal's public key to the server for user registration.
  • the aforementioned encrypted random number determination module 71, session key first determination module 72, encrypted signaling data determination module 73, and signaling message sending module 74 correspond to S202 to S208 in the method embodiment.
  • the examples and application scenarios implemented by these modules and their corresponding steps are the same, but they are not limited to the content disclosed in the above method embodiment.
  • these modules, as part of the apparatus, can be executed in a computer system such as a set of computer-executable instructions.
  • Figure 8 shows a schematic diagram of an information verification device applied to a server in an embodiment of the present disclosure.
  • the device includes: a signaling message acquisition module 81, a random number determination module 82, a session key second determination module 83, a signaling data decryption module 84, and a hash message authentication code verification module 85.
  • the signaling message acquisition module 81 is used to acquire the signaling message sent by the terminal, wherein the signaling message includes an encrypted random number and encrypted signaling data;
  • the random number determination module 82 is used to decrypt the encrypted random number based on the quantum-resistant private key and determine the random number.
  • the session key second determination module 83 is used to determine the session key based on the first shared key and a random number, wherein the first shared key is determined based on the server public key and the terminal public key;
  • the signaling data decryption module 84 is used to decrypt encrypted signaling data based on the session key.
  • the aforementioned information verification device applied to the server further includes a hash message authentication code verification module 85, used to verify the hash message authentication code based on the session key.
  • the signaling message acquisition module 81, random number determination module 82, session key second determination module 83, and signaling data decryption module 84 mentioned above correspond to S402 to S408 in the method embodiment.
  • the examples and application scenarios implemented by the above modules and corresponding steps are the same, but are not limited to the content disclosed in the above method embodiment.
  • the above modules, as part of the apparatus can be executed in a computer system such as a set of computer-executable instructions.
  • The electronic device 900 according to this embodiment of the present disclosure will now be described with reference to Figure 9.
  • The electronic device 900 shown in Figure 9 is merely an example and should not be construed as limiting the functionality and scope of the embodiments of the present disclosure.
  • the electronic device 900 is presented in the form of a general-purpose computing device.
  • the components of the electronic device 900 may include, but are not limited to: at least one processing unit 910, at least one storage unit 920, and a bus 930 connecting different system components (including the storage unit 920 and the processing unit 910).
  • the storage unit stores program code that can be executed by the processing unit 910, causing the processing unit 910 to perform the steps described in the "Exemplary Methods" section above according to various exemplary embodiments of this disclosure.
  • processing unit 910 can perform the following steps of the method embodiment above:
  • the session key is determined based on the first shared key and the random number, wherein the first shared key is determined based on the server public key and the terminal public key;
  • the encrypted signaling data is determined;
  • the signaling message is sent to the server so that the server can verify the signaling message, wherein the signaling message includes the encrypted signaling data and the encrypted random number.
  • processing unit 910 can also perform the following steps of the method embodiment above:
  • the first shared key is determined based on the server public key and the terminal public key;
  • the user's login information is encrypted using the first shared key to determine the user's encrypted login information;
  • the user's encrypted login information and the terminal public key are sent to the server for user registration.
  • processing unit 910 can also perform the following steps of the method embodiment above:
  • the signaling message includes an encrypted random number and encrypted signaling data;
  • the encrypted random number is decrypted using the quantum-resistant private key to determine the random number;
  • the session key is determined based on the first shared key and the random number, wherein the first shared key is determined based on the server public key and the terminal public key;
  • the encrypted signaling data is decrypted based on the session key.
  • the signaling message also includes terminal login information and a hash message authentication code, wherein the hash message authentication code is generated based on the session key.
  • Storage unit 920 may include readable media in the form of volatile storage units, such as random access memory (RAM) 9201 and/or cache memory 9202, and may further include read-only memory (ROM) 9203.
  • Storage unit 920 may also include a program/utility 9204 having a set (at least one) program module 9205, such program module 9205 including but not limited to: operating system, one or more application programs, other program modules and program data, each or some combination of these examples may include an implementation of a network environment.
  • Bus 930 can represent one or more of several types of bus structure, including a storage unit bus or storage unit controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
  • Electronic device 900 can also communicate with one or more external devices 940 (e.g., keyboard, pointing device, Bluetooth device, etc.), and with one or more devices that enable a user to interact with electronic device 900, and/or with any device that enables electronic device 900 to communicate with one or more other computing devices (e.g., router, modem, etc.). This communication can be performed via input/output (I/O) interface 950.
  • electronic device 900 can also communicate with one or more networks (e.g., local area network (LAN), wide area network (WAN), and/or public networks, such as the Internet) via network adapter 960. As shown, network adapter 960 communicates with other modules of electronic device 900 via bus 930.
  • other hardware and/or software modules can also be used in conjunction with electronic device 900, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
  • the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, terminal device, or network device, etc.) to execute the methods according to the embodiments of this disclosure.
  • the process described above with reference to the flowchart can be implemented as a computer program product, which includes a computer program that, when executed by a processor, implements the above-described information verification method.
  • a computer-readable storage medium is also provided, which may be a readable signal medium or a readable storage medium.
  • a program product capable of implementing the methods described above is stored thereon.
  • various aspects of this disclosure may also be implemented as a program product including program code, which, when run on a terminal device, causes the terminal device to perform the steps described in the "Exemplary Methods" section of this specification according to various exemplary embodiments of this disclosure.
  • Computer-readable storage media in this disclosure may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.
  • a computer-readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such propagated data signals may take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof.
  • a readable signal medium may also be any readable medium other than a readable storage medium, capable of sending, propagating, or transporting a program for use by or in connection with an instruction execution system, apparatus, or device.
  • the program code contained on the computer-readable storage medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fiber, RF, etc., or any suitable combination thereof.
  • program code for performing the operations of this disclosure can be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, and conventional procedural programming languages such as C or similar languages.
  • the program code can execute entirely on the user's computing device, partially on the user's device, as a standalone software package, partially on the user's computing device and partially on a remote computing device, or entirely on a remote computing device or server.
  • the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

An information verification method, applied to a terminal, and comprising: generating a random number, and encrypting same on the basis of a post-quantum public key to determine an encrypted random number; determining a session key on the basis of a first shared key and the random number, wherein the first shared key is determined on the basis of a server public key and a terminal public key; determining encrypted signaling data on the basis of the session key and the signaling data; and sending a signaling packet to a server, so that the server verifies the signaling packet, wherein the signaling packet comprises the encrypted signaling data and the encrypted random number.

Description

Information verification method and related device

This disclosure is based on, and claims priority to, Chinese Patent Application No. 202410594835.8, filed on May 14, 2024 and entitled "Information Verification Method and Related Device", the entire contents of which are incorporated herein by reference.

Technical Field

This disclosure relates to the field of information security technology, and in particular to an information verification method and related device.

Background

The rapidly developing Internet has brought enormous convenience to people's lives and work: from home, people can send and receive e-mail, make calls, shop online and make bank transfers over the Internet. At the same time, network information security has gradually become a potentially serious problem. In general, network information faces the following risks: theft of information, tampering with information, impersonation by an attacker, and malicious damage. Information verification is one means of protecting people's network information; it safeguards the security of systems and data and the legitimate interests of authorized users. Information verification currently relies mainly on cryptography, and cryptography today has two main kinds of system: the symmetric-key cryptosystem, in which the encryption key and the decryption key are the same, and the public-key cryptosystem, in which the encryption key and the decryption key differ and one of them can be made public. Most of the algorithms used for information verification today rely on public-key cryptography.

However, with the development of quantum computers, classical asymmetric encryption algorithms will no longer be secure: whether for encryption and decryption or for key exchange, a quantum computer can compute the private key from the public key, so the asymmetric keys in common use today will be defenceless in the quantum era. Relying on asymmetric algorithms alone therefore makes it hard to guarantee the security of the information verification process.

Summary of the Invention

This disclosure provides an information verification method and related device, which at least to some extent overcome the problem that, in the related art, asymmetric algorithms cannot guarantee the security of the information verification process.

According to one aspect of this disclosure, an information verification method is provided, applied to a terminal and comprising: generating a random number and encrypting it using a quantum-resistant public key to determine an encrypted random number; determining a session key based on a first shared key and the random number, wherein the first shared key is determined based on a server public key and a terminal public key; determining encrypted signaling data based on the session key and signaling data; and sending a signaling message to a server so that the server verifies the signaling message, wherein the signaling message includes the encrypted signaling data and the encrypted random number.

In some embodiments, before generating the random number and encrypting it using the quantum-resistant public key to determine the encrypted random number, the method further includes: determining the first shared key based on the server public key and the terminal public key; encrypting the user's login information using the first shared key to determine the user's encrypted login information; and sending the user's encrypted login information and the terminal public key to the server for user registration.

In some embodiments, the signaling message further includes the terminal login information and a hash message authentication code, wherein the hash message authentication code is generated based on the session key.

According to one aspect of this disclosure, an information verification method is provided, applied to a server and comprising: acquiring a signaling message sent by a terminal, wherein the signaling message includes an encrypted random number and encrypted signaling data; decrypting the encrypted random number using a quantum-resistant private key to determine a random number; determining a session key based on a first shared key and the random number, wherein the first shared key is determined based on a server public key and a terminal public key; and decrypting the encrypted signaling data using the session key.

In some embodiments, the signaling message further includes the terminal login information and a hash message authentication code, wherein the hash message authentication code is generated based on the session key; before decrypting the encrypted signaling data based on the session key, the method further includes: verifying the hash message authentication code based on the session key; and, if the verification passes, decrypting the encrypted signaling data based on the session key.

According to one aspect of this disclosure, an information verification device is provided, applied to a terminal and comprising: an encrypted random number determination module, configured to generate a random number and encrypt it using a quantum-resistant public key to determine an encrypted random number; a session key first determination module, configured to determine a session key based on a first shared key and the random number, wherein the first shared key is determined based on a server public key and a terminal public key; an encrypted signaling data determination module, configured to determine encrypted signaling data based on the session key and signaling data; and a signaling message sending module, configured to send a signaling message to a server so that the server verifies the signaling message, wherein the signaling message includes the encrypted signaling data and the encrypted random number.

According to one aspect of this disclosure, an information verification device is provided, applied to a server and comprising: a signaling message acquisition module, configured to acquire a signaling message sent by a terminal, wherein the signaling message includes an encrypted random number and encrypted signaling data; a random number determination module, configured to decrypt the encrypted random number using a quantum-resistant private key to determine a random number; a session key second determination module, configured to determine a session key based on a first shared key and the random number, wherein the first shared key is determined based on a server public key and a terminal public key; and a signaling data decryption module, configured to decrypt the encrypted signaling data using the session key.

According to one aspect of this disclosure, an information verification system is provided, in which: a terminal generates a random number and encrypts it using a quantum-resistant public key to determine an encrypted random number; the terminal determines a session key based on a first shared key and the random number, wherein the first shared key is determined based on a server public key and a terminal public key; the terminal determines encrypted signaling data based on the session key and signaling data; the terminal sends a signaling message to a server, wherein the signaling message includes the encrypted signaling data and the encrypted random number; the server acquires the signaling message sent by the terminal; the server decrypts the encrypted random number using a quantum-resistant private key to determine the random number; the server determines the session key based on the first shared key and the random number; and the server decrypts the encrypted signaling data using the session key.

According to another aspect of this disclosure, an electronic device is also provided, comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform, by executing the executable instructions, any one of the information verification methods described above.

According to another aspect of this disclosure, a computer-readable storage medium is also provided, on which a computer program is stored, which, when executed by a processor, implements any one of the information verification methods described above.

According to another aspect of this disclosure, a computer program product is also provided, comprising a computer program that, when executed by a processor, implements any one of the information verification methods described above.

By operating on the key generated by a conventional key agreement algorithm together with the key encapsulated by a quantum-resistant algorithm, this disclosure can resist quantum computing attacks and keep information secure.

Specific embodiments of the invention are disclosed in detail with reference to the following description and drawings, which indicate the ways in which the principles of the invention may be employed. It should be understood that the embodiments of the invention are not thereby limited in scope. Within the spirit and terms of the appended claims, the embodiments of the invention include many changes, modifications and equivalents.

Features described and/or illustrated for one embodiment may be used in the same or a similar manner in one or more other embodiments, combined with features of other embodiments, or substituted for features of other embodiments.

It should be emphasized that the term "including/comprising", as used herein, refers to the presence of a feature, integer, step or component, but does not exclude the presence or addition of one or more other features, integers, steps or components.

Brief Description of the Drawings

The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of this disclosure. Obviously, the drawings described below are merely some embodiments of this disclosure, and those of ordinary skill in the art can obtain other drawings from them without inventive effort.

Figure 1 shows a schematic diagram of the structure of an information verification system according to an embodiment of the present disclosure;

Figure 2 shows a flowchart of an information verification method applied to a terminal according to an embodiment of the present disclosure;

Figure 3 shows a flowchart of a specific example of an information verification method applied to a terminal according to an embodiment of the present disclosure;

Figure 4 shows a flowchart of an information verification method applied to a server according to an embodiment of the present disclosure;

Figure 5 shows a flowchart of a specific example of an information verification method applied to a server according to an embodiment of the present disclosure;

Figure 6 shows a schematic flowchart of an information verification method applied between a terminal and a server according to an embodiment of the present disclosure;

Figure 7 shows a schematic diagram of an information verification device applied to a terminal according to an embodiment of the present disclosure;

Figure 8 shows a schematic diagram of an information verification device applied to a server according to an embodiment of the present disclosure;

Figure 9 shows a structural block diagram of a computer device according to an embodiment of the present disclosure.

Detailed Description

Exemplary embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments can be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the exemplary embodiments to those skilled in the art. The described features, structures or characteristics may be combined in any suitable manner in one or more embodiments.

Furthermore, the drawings are merely schematic illustrations of this disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, so repeated descriptions of them are omitted. Some of the block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different network and/or processor devices and/or microcontroller devices.

To facilitate understanding, before the embodiments of this disclosure are introduced, several terms used in them are explained as follows:

Quantum-resistant cryptography: PQC, Post-Quantum Cryptography;

Hash-based message authentication code: HMAC, Hash-based Message Authentication Code.

The specific implementations of the embodiments of this disclosure are described in detail below with reference to the accompanying drawings.

Figure 1 shows a schematic diagram of an exemplary application system architecture to which the information verification method of the embodiments of this disclosure can be applied. As shown in Figure 1, the system architecture may include a terminal device 101, a network 102, and a server 103.

Network 102 is the medium that provides a communication link between terminal device 101 and server 103, and can be a wired network or a wireless network.

Optionally, the wireless or wired network above uses standard communication technologies and/or protocols. The network is typically the Internet, but can also be any network, including but not limited to any combination of a Local Area Network (LAN), a Metropolitan Area Network (MAN), a Wide Area Network (WAN), a mobile, wired or wireless network, a private network, or a virtual private network. In some embodiments, technologies and/or formats including Hypertext Markup Language (HTML) and Extensible Markup Language (XML) are used to represent the data exchanged over the network. In addition, conventional encryption technologies such as Secure Socket Layer (SSL), Transport Layer Security (TLS), Virtual Private Network (VPN), and Internet Protocol Security (IPSec) can be used to encrypt all or some of the links. In other embodiments, customized and/or dedicated data communication technologies may be used to replace or supplement the data communication technologies above.

Terminal device 101 can be any of various electronic devices, including but not limited to smartphones, tablets, laptops, desktop computers, smart speakers, smartwatches, wearable devices, augmented reality devices, virtual reality devices, and so on.

Optionally, the clients of the application installed on different terminal devices 101 are the same, or are clients of the same type of application built on different operating systems. Depending on the terminal platform, the specific form of the application client may also differ; for example, the application client may be a mobile client, a PC client, and so on.

Server 103 can be a server that provides various services, such as a backend management server that supports the device with which the user operates terminal device 101. The backend management server can analyze and otherwise process received data such as requests, and feed the processing results back to the terminal device.

Optionally, the server can be a standalone physical server, a server cluster or distributed system made up of multiple physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms.

In one embodiment of this disclosure, the terminal generates a random number and encrypts it using a quantum-resistant public key to determine an encrypted random number; the terminal determines a session key based on a first shared key and the random number, wherein the first shared key is determined based on the server public key and the terminal public key; the terminal determines encrypted signaling data based on the session key and signaling data; the terminal sends a signaling message to the server, wherein the signaling message includes the encrypted signaling data and the encrypted random number; the server acquires the signaling message sent by the terminal; the server decrypts the encrypted random number using a quantum-resistant private key to determine the random number; the server determines the session key based on the first shared key and the random number; and the server decrypts the encrypted signaling data using the session key.
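The terminal-to-server flow in this paragraph, with the server-side HMAC check that the summary places before decryption, as an added illustration that is not the applicant's code. It assumes a toy Diffie-Hellman group for the first shared key (a deployment would use a standardised key agreement such as ECDH), an HMAC-SHA256 keystream as the symmetric cipher, and a symmetric wrap standing in for the quantum-resistant encryption of the random number, because the Python standard library has no PQC primitive; the stand-in hands both sides one secret, which a real KEM would not. Step labels S202 and S402 to S408 are the ones the page uses.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for the "first shared key" (constructed for
# illustration only; a deployment would use ECDH or a standardised group).
P = 2**255 - 19
G = 2


def dh_keypair():
    """Return (private exponent, public value) in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def first_shared_key(own_priv, peer_pub):
    """First shared key: classical agreement over the server and terminal public keys."""
    return pow(peer_pub, own_priv, P).to_bytes(32, "big")


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 keystream (stand-in for a real cipher such as AES-GCM).
    Symmetric: applying it twice with the same key and nonce returns the input."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def pqc_encrypt(pqc_key, rnd):
    """Stand-in for encrypting the random number under the quantum-resistant public key.
    The standard library has no PQC primitive, so this toy wraps rnd under one secret that
    the demo hands to both sides; a real KEM gives the terminal only the public half."""
    wrap_nonce = secrets.token_bytes(16)
    return wrap_nonce + keystream_xor(pqc_key, wrap_nonce, rnd)


def pqc_decrypt(pqc_key, blob):
    """Server side of the stand-in: recover the random number (same secret in this toy)."""
    return keystream_xor(pqc_key, blob[:16], blob[16:])


def derive_session_keys(first_shared, rnd):
    """Session key material from the first shared key and the random number (HKDF-style).
    Both inputs enter the extract step, so breaking only the classical agreement or only
    the PQC wrap does not yield the session key. Returns (enc_key, mac_key, nonce)."""
    prk = hmac.new(b"signaling-session-v1", first_shared + rnd, hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"enc\x01", hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"mac\x01", hashlib.sha256).digest()
    nonce = hmac.new(prk, b"nonce\x01", hashlib.sha256).digest()[:16]
    return enc_key, mac_key, nonce


def _tag(mac_key, enc_rnd, login_info, enc_data):
    """HMAC over everything the server will act on (encrypt-then-MAC)."""
    return hmac.new(mac_key, enc_rnd + login_info + enc_data, hashlib.sha256).digest()


def terminal_build_message(term_priv, server_pub, pqc_key, login_info, signaling):
    """Terminal side (S202 onward): random number, session key, encrypted signaling data,
    and the signaling message carrying login information and the HMAC."""
    rnd = secrets.token_bytes(32)
    enc_rnd = pqc_encrypt(pqc_key, rnd)
    enc_key, mac_key, nonce = derive_session_keys(first_shared_key(term_priv, server_pub), rnd)
    enc_data = keystream_xor(enc_key, nonce, signaling)
    return {
        "encrypted_random": enc_rnd,
        "login_info": login_info,
        "encrypted_data": enc_data,
        "hmac": _tag(mac_key, enc_rnd, login_info, enc_data),
    }


def server_verify_message(msg, server_priv, term_pub, pqc_key):
    """Server side (S402 to S408): recover the random number, derive the session key,
    verify the HMAC in constant time, and decrypt only if it checks out.
    Returns the signaling data, or None when verification fails."""
    rnd = pqc_decrypt(pqc_key, msg["encrypted_random"])
    enc_key, mac_key, nonce = derive_session_keys(first_shared_key(server_priv, term_pub), rnd)
    expected = _tag(mac_key, msg["encrypted_random"], msg["login_info"], msg["encrypted_data"])
    if not hmac.compare_digest(expected, msg["hmac"]):
        return None
    return keystream_xor(enc_key, nonce, msg["encrypted_data"])


def demo():
    """Constructed run: an honest message verifies; a message with one flipped ciphertext
    bit is rejected before any decryption. Returns (recovered, rejected)."""
    server_priv, server_pub = dh_keypair()
    term_priv, term_pub = dh_keypair()
    pqc_key = secrets.token_bytes(32)  # constructed stand-in for the PQC key pair
    msg = terminal_build_message(term_priv, server_pub, pqc_key, b"user=alice", b"REGISTER alice")
    recovered = server_verify_message(msg, server_priv, term_pub, pqc_key)
    flipped = bytes([msg["encrypted_data"][0] ^ 1]) + msg["encrypted_data"][1:]
    rejected = server_verify_message(dict(msg, encrypted_data=flipped), server_priv, term_pub, pqc_key)
    return recovered, rejected


if __name__ == "__main__":
    print(demo())  # (b'REGISTER alice', None)
```

Because the random number is fresh per message and feeds the key derivation, a replayed or altered encrypted random number yields different session keys on the server, so the HMAC check fails before the signaling data is touched.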

本领域技术人员可以知晓,图1中的终端设备、网络和服务器的数量仅仅是示意性的,根据实际需要,可以具有任意数目的终端设备、网络和服务器。本公开实施例对此不作限定。Those skilled in the art will understand that the number of terminal devices, networks, and servers shown in Figure 1 is merely illustrative, and any number of terminal devices, networks, and servers can be used as needed. This disclosure does not limit the scope of the embodiments.

Figure 2 is a flowchart of an information verification method applied to a terminal according to an embodiment of this disclosure. As shown in Figure 2, the method includes the following steps:

S202: generate a random number and encrypt it with the quantum-resistant public key to obtain an encrypted random number.

Note that the random number is a value that is random and unpredictable within a given range: each generated value bears no relation to the values generated before it. In cryptographic algorithms, random numbers are used to produce keys, initialization vectors and other critical parameters, and the security of the scheme depends on their quality. In secure communication they supply the freshness on which key exchange and protocol handshakes rely; in cryptographic hashing, a hash function maps an input of arbitrary length to a fixed-length output with collision resistance and preimage resistance, and random salts or nonces combined with such hashes protect data in encrypted storage and digital signatures. The random number should come from a cryptographically secure generator, for example a true random number generator or the platform's CSPRNG, so that it is unpredictable to an attacker; a general-purpose pseudorandom generator seeded from the clock does not qualify.

Quantum-resistant cryptography, also called post-quantum cryptography (PQC), is a new generation of cryptographic algorithms designed to withstand attacks by quantum computers on the mathematical problems underlying current algorithms, so that the scheme stays secure in a quantum setting. PQC mainly concerns asymmetric algorithms that run on classical computers but cannot be broken with a quantum computer. The algorithms selected by NIST for standardization were the public-key encryption and key encapsulation algorithm CRYSTALS-KYBER and the digital signature algorithms CRYSTALS-Dilithium, FALCON and SPHINCS+; Kyber, Dilithium and SPHINCS+ have since been published as ML-KEM (FIPS 203), ML-DSA (FIPS 204) and SLH-DSA (FIPS 205).

The public key is the non-secret half of a key pair and is used to encrypt data for the holder of the private key. A key pair (one public key and one private key) is generated by the algorithm; the public key is published and the private key is kept by its owner. Independently generated key pairs coincide only with negligible probability. Data encrypted under the public key can be decrypted only with the matching private key, and the public key reveals nothing useful about the private key. (The reverse direction, applying the private key so that anyone holding the public key can check the result, is a digital signature; it exists for schemes such as RSA but not for a key encapsulation mechanism such as Kyber.)

For example, the terminal generates the random number and encrypts it with the platform's (server's) Kyber public key. Since Kyber is a key encapsulation mechanism (KEM), encapsulation itself generates the random value, encrypts it under the public key and returns the ciphertext together with the shared secret derived from it; in an implementation the "random number" K2 is therefore the shared secret output by encapsulation and the "encrypted random number" is the KEM ciphertext, rather than a caller-chosen value encrypted as a plaintext.

S204: derive the session key from the first shared key and the random number, where the first shared key is derived from the server public key and the terminal public key.

Note that the session key can be derived from the two values by XOR, concatenation, interleaving, shifted rearrangement and similar combinations. A practitioner would normally pass both secrets through a key derivation function (for example HKDF) rather than combine them directly, so that the session key is uniformly distributed, bound to the exchange, and can be split into separate encryption and MAC keys.

For example, the terminal generates its terminal key pair, computes the first shared key with the key agreement algorithm, and XORs the first shared key with the random number to form the session key.

S206: encrypt the signaling data with the session key to obtain the encrypted signaling data.

For example, the signaling data is encrypted under the session key, giving the encrypted signaling data.

S208: send a signaling message to the server so that the server can verify it, where the signaling message includes the encrypted signaling data and the encrypted random number.

Note that the server verifies the signaling message by decrypting the encrypted data it contains and comparing the result with the data stored in advance.

By combining the key produced by a conventional key agreement algorithm with the key encapsulated by a quantum-resistant algorithm, this disclosure can withstand quantum computing attacks and protect the information.

In one embodiment, as shown in Figure 3, before the terminal generates the random number, encrypts it with the quantum-resistant public key and obtains the encrypted random number, it can register with the server through the following steps, so that the server can later verify the user's login information:

S302: derive the first shared key from the server public key and the terminal public key;

S304: encrypt the user's login information with the first shared key to obtain the user's encrypted login information;

S306: send the user's encrypted login information and the terminal public key to the server for user registration.

Note that the user's login information includes the user's account and password. The user's encrypted login information and the terminal public key are kept as a one-to-one pair.

In one example, the signaling message also includes the terminal login information and a hash-based message authentication code (HMAC), where the HMAC is generated with the session key.

Figure 4 is a flowchart of an information verification method applied to the server according to an embodiment of this disclosure. As shown in Figure 4, the method includes the following steps:

S402: obtain the signaling message sent by the terminal, where the signaling message includes an encrypted random number and encrypted signaling data.

Note that the encrypted random number is a random number generated by the terminal and encrypted with the quantum-resistant public key. The encrypted signaling data is produced by the terminal from the session key and the signaling data, where the session key is derived from the first shared key and the random number (by XOR, concatenation, interleaving or shifted rearrangement) and the first shared key is derived from the server public key and the terminal public key.

S404: decrypt the encrypted random number with the quantum-resistant private key to recover the random number.

Note that quantum-resistant (post-quantum) cryptography is as described for S202: a new generation of algorithms that withstand quantum attacks on current cryptography, run on classical computers and cannot be broken with a quantum computer. The private key is the secret half of the key pair; it is used to decrypt data, or decapsulate a secret, that was encrypted under the public key.

Specifically, the quantum-resistant algorithm is deployed on the server: the quantum-resistant public key is published and the quantum-resistant private key stays on the server. Anything encrypted under the public key can be recovered only with the private key, so the terminal can send the random number confidentially to the server without any previously shared secret, and an attacker who records the ciphertext learns nothing about the random number even with a quantum computer.

For example, the server decrypts the encrypted random number with its Kyber private key (Kyber decapsulation of the received ciphertext) to obtain the random number.

S406: derive the session key from the first shared key and the random number, where the first shared key is derived from the server public key and the terminal public key.

For example, the server constructs the first shared key from the client's public key with the key agreement algorithm and XORs it with the random number to form the session key.

S408: decrypt the encrypted signaling data with the session key.

For example, the server recovers the plaintext signaling data with the session key and uses the session key for subsequent secure data communication.

By processing the key produced by a conventional key agreement algorithm together with the key encapsulated by a quantum-resistant algorithm, this application can withstand quantum computing attacks and protect the information.

In one embodiment, as shown in Figure 5, the signaling message also includes the terminal login information and an HMAC generated with the session key. Before decrypting the encrypted signaling data with the session key, the server verifies the message through the following steps, which lets it check the user's login information securely:

S502: verify the HMAC with the session key;

S504: if verification succeeds, decrypt the encrypted signaling data with the session key.

In one example, the server looks up the terminal public key by the user account.

Figure 6 is a schematic flowchart of an information verification method between a terminal and a server according to an embodiment of this disclosure. As shown in Figure 6, the method includes the following steps:

S601: install the application client on the terminal and initialize it, configuring the server's (management platform's) public key and Kyber public key (or obtaining the public keys over the network);

S602: the terminal generates its terminal key pair, computes the shared key K1 (the first shared key above) with the key agreement algorithm, encrypts the user's account and password with K1, and uploads the encrypted credentials and the client public key to the server to complete device registration;

S603: the server stores the terminal public key, computes the shared key K1 from the terminal public key and its own server key pair, decrypts the credentials and stores them;

S604: the terminal generates a random number K2, encrypts it with the server's Kyber public key, computes the session key K = K1 ⊕ K2, encrypts the signaling data with K, and sends a signaling message containing the user account, the signaling ciphertext, the K2 ciphertext and authentication information (an HMAC) generated with K;

S605: the server looks up the terminal public key by the user account, constructs the shared key K1 with the key agreement algorithm, decrypts the random number K2 with the platform's Kyber private key, computes the session key K = K1 ⊕ K2, and verifies the message authentication code with K;

S606: if verification succeeds, the server decrypts the plaintext signaling data with K and carries out subsequent secure data communication based on K; if verification fails, the session is terminated.

Steps S601 to S603 are device registration; steps S604 to S606 are signaling communication.

Note that in the original key agreement, if the server public key is distributed as a preconfigured value, the key K1 produced by the key agreement algorithm is identical in every session, so all sessions are protected by the same key and recorded traffic is exposed to replay. With the PQC step added, a fresh random number K2 is produced for each signaling exchange, which makes the session key K = K1 ⊕ K2 different every time. The symbol ⊕ denotes exclusive OR, with the rules 0 ⊕ 0 = 0, 0 ⊕ 1 = 1, 1 ⊕ 0 = 1 and 1 ⊕ 1 = 0: the output is 1 only when the two inputs differ. One caveat for implementers: a fresh K per session does not by itself reject a replayed message, because a recorded signaling message carries its own K2 ciphertext and HMAC and would verify again; the server should therefore also refuse a K2 ciphertext it has already accepted, or require a timestamp or counter inside the signaling data.
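The registration and signaling exchange of S601 to S606, which is also the terminal-side flow of Figure 2 and the server-side flow of Figures 4 and 5, worked end to end as an added Go example. This is not code from the patent or from its assignee. It assumes X25519 for the DH key agreement and, because the Go standard library before 1.24 has no ML-KEM, uses a DH-KEM over X25519 as a stand-in for the Kyber encapsulation; the names Server, Signal and sessionKeys and the "session-v1|" label are the example's own. Two choices go beyond the text: the session key is derived with HKDF over K1‖K2 instead of K1 ⊕ K2, which generalizes the XOR combination and also yields separate cipher and MAC keys, and the server refuses a K2 ciphertext it has already accepted, a replay check the patent does not describe. Registration is reduced to the server storing the terminal public key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// genKey makes an X25519 key pair; used for both sides' DH keys and for the KEM stand-in.
func genKey() *ecdh.PrivateKey {
	k, _ := ecdh.X25519().GenerateKey(rand.Reader)
	return k
}

// mac is HMAC-SHA256 over the concatenation of parts.
func mac(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(bytes.Join(parts, nil))
	return m.Sum(nil)
}

// sessionKeys combines K1 (static DH) and K2 (KEM) with HKDF-SHA256 (RFC 5869, empty salt, KEM
// ciphertext as context). The patent uses K = K1 XOR K2; a KDF binds K to this exchange and
// separates the cipher key (expand block T1) from the MAC key (block T2).
func sessionKeys(k1, k2, kemCT []byte) (encKey, macKey []byte) {
	prk := mac(nil, k1, k2) // HKDF-Extract over K1||K2
	info := append([]byte("session-v1|"), kemCT...)
	encKey = mac(prk, info, []byte{1})
	return encKey, mac(prk, encKey, info, []byte{2})
}

// ctr applies AES-256-CTR; the same call encrypts and decrypts.
func ctr(key, nonce, in []byte) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(in))
	cipher.NewCTR(block, nonce).XORKeyStream(out, in)
	return out
}

// Signaling is the S604 message: account, encrypted K2, signaling ciphertext and HMAC.
type Signaling struct {
	Account                                string
	KEMCiphertext, Nonce, Ciphertext, HMAC []byte
}

type Server struct {
	dh, kem *ecdh.PrivateKey           // server DH key pair and KEM key pair (stand-in for Kyber)
	users   map[string]*ecdh.PublicKey // account -> terminal public key stored at registration (S603)
	seenCT  map[string]bool            // accepted KEM ciphertexts: replay check added here, not in the patent
}

func NewServer() *Server {
	return &Server{genKey(), genKey(), map[string]*ecdh.PublicKey{}, map[string]bool{}}
}

// Register (S602/S603, reduced to the key exchange): store the terminal public key by account.
func (s *Server) Register(account string, termPub *ecdh.PublicKey) { s.users[account] = termPub }

// Verify (S605/S606): look up the terminal key, rebuild K1, decapsulate K2, derive K,
// check the HMAC, and only then decrypt.
func (s *Server) Verify(m Signaling) ([]byte, error) {
	pk, ok := s.users[m.Account]
	if !ok || s.seenCT[string(m.KEMCiphertext)] {
		return nil, errors.New("unknown account or replayed message")
	}
	eph, err := ecdh.X25519().NewPublicKey(m.KEMCiphertext)
	if err != nil {
		return nil, err
	}
	k1, _ := s.dh.ECDH(pk)
	k2, _ := s.kem.ECDH(eph) // decapsulate with the server's private KEM key
	encKey, macKey := sessionKeys(k1, k2, m.KEMCiphertext)
	if !hmac.Equal(m.HMAC, mac(macKey, []byte(m.Account), m.KEMCiphertext, m.Nonce, m.Ciphertext)) {
		return nil, errors.New("HMAC verification failed: session terminated")
	}
	s.seenCT[string(m.KEMCiphertext)] = true
	return ctr(encKey, m.Nonce, m.Ciphertext), nil
}

// Signal (S604) runs on the terminal, which holds its own DH key and the platform's public keys
// (S601). The KEM step is a DH-KEM stand-in over X25519 whose ciphertext is an ephemeral public
// key (assumed so the demo needs only the standard library); swap in crypto/mlkem (ML-KEM-768,
// Go 1.24+) for the Kyber encapsulation the patent describes.
func Signal(termDH *ecdh.PrivateKey, srvDH, srvKEM *ecdh.PublicKey, account string, data []byte) Signaling {
	k1, _ := termDH.ECDH(srvDH)
	eph := genKey()
	k2, _ := eph.ECDH(srvKEM)                    // K2: the fresh per-session secret
	kemCT := eph.PublicKey().Bytes()             // "encrypted K2" sent to the server
	encKey, macKey := sessionKeys(k1, k2, kemCT) // K = f(K1, K2)
	nonce := make([]byte, aes.BlockSize)
	rand.Read(nonce)
	ct := ctr(encKey, nonce, data)
	return Signaling{account, kemCT, nonce, ct, mac(macKey, []byte(account), kemCT, nonce, ct)}
}
```

Verify checks the HMAC before it decrypts (S502/S504) and returns an error, terminating the session, for an unknown account, a K2 ciphertext seen before, a malformed ciphertext or a bad MAC. The post-quantum version differs only in the KEM step: the ephemeral X25519 operation in Signal becomes crypto/mlkem's Encapsulate and the s.kem.ECDH call in Verify becomes Decapsulate; the key schedule, the encrypt-then-MAC message and the server checks stay as they are.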

User login and registration rely on conventional cryptographic algorithms; a quantum computer can speed up solving the mathematical problems these algorithms depend on, which seriously threatens the algorithms themselves and therefore the security of the login and registration process.

To address the impact of quantum computing on conventional key exchange algorithms, this disclosure combines a quantum-resistant key encapsulation algorithm (CRYSTALS-Kyber as the example) with a conventional key agreement algorithm, improving the quantum resistance of the information exchanged between the two parties during registration and login.

This disclosure concerns the registration and login process from a terminal to a platform. The login process uses a conventional key agreement algorithm (DH); on top of the original registration and login flow, a PQC algorithm is added to strengthen resistance to quantum attacks. The terminal is configured with the platform's PQC public key and uses it to encrypt the random number K2.

Note that Kyber is used as the example in this disclosure; the PQC key encapsulation algorithm actually used can be chosen according to system requirements.

Based on the same inventive concept, this disclosure also provides an information verification apparatus applied to a terminal, described in the following embodiment. Since the principle by which the apparatus solves the problem is similar to that of the method embodiments above, its implementation can refer to those embodiments, and repeated details are omitted.

Figure 7 is a schematic diagram of an information verification apparatus applied to a terminal according to an embodiment of this disclosure. As shown in Figure 7, the apparatus includes: an encrypted random number determination module 71, a first session key determination module 72, an encrypted signaling data determination module 73, a signaling message sending module 74, a first shared key determination module 75, a login information encryption module 76 and a registration module 77.

The encrypted random number determination module 71 generates a random number and encrypts it with the quantum-resistant public key to obtain the encrypted random number;

the first session key determination module 72 derives the session key from the first shared key and the random number, where the first shared key is derived from the server public key and the terminal public key;

the encrypted signaling data determination module 73 encrypts the signaling data with the session key to obtain the encrypted signaling data;

the signaling message sending module 74 sends the signaling message, which includes the encrypted signaling data and the encrypted random number, to the server so that the server can verify it.

In one example, the apparatus further includes a first shared key determination module 75 that derives the first shared key from the server public key and the terminal public key.

In one example, the apparatus further includes a login information encryption module 76 that encrypts the user's login information with the first shared key to obtain the user's encrypted login information.

In one example, the apparatus further includes a registration module 77 that sends the user's encrypted login information and the terminal public key to the server for user registration.

Note that the encrypted random number determination module 71, the first session key determination module 72, the encrypted signaling data determination module 73 and the signaling message sending module 74 correspond to steps S202 to S208 of the method embodiment; the modules and their corresponding steps share the same examples and application scenarios but are not limited to what the method embodiment discloses. These modules, as part of the apparatus, may run in a computer system such as a set of computer-executable instructions.

Figure 8 is a schematic diagram of an information verification apparatus applied to a server according to an embodiment of this disclosure. As shown in Figure 8, the apparatus includes: a signaling message acquisition module 81, a random number determination module 82, a second session key determination module 83, a signaling data decryption module 84 and an HMAC verification module 85.

The signaling message acquisition module 81 obtains the signaling message sent by the terminal, which includes the encrypted random number and the encrypted signaling data;

the random number determination module 82 decrypts the encrypted random number with the quantum-resistant private key to recover the random number;

the second session key determination module 83 derives the session key from the first shared key and the random number, where the first shared key is derived from the server public key and the terminal public key;

the signaling data decryption module 84 decrypts the encrypted signaling data with the session key.

In one example, the apparatus further includes an HMAC verification module 85 that verifies the HMAC with the session key.

Note that the signaling message acquisition module 81, the random number determination module 82, the second session key determination module 83 and the signaling data decryption module 84 correspond to steps S402 to S408 of the method embodiment; the modules and their corresponding steps share the same examples and application scenarios but are not limited to what the method embodiment discloses. These modules, as part of the apparatus, may run in a computer system such as a set of computer-executable instructions.

Those skilled in the art will understand that aspects of this disclosure can be implemented as a system, a method or a program product, that is, as an entirely hardware implementation, an entirely software implementation (including firmware, microcode, etc.), or a combination of hardware and software, collectively referred to here as a "circuit", "module" or "system".

An electronic device 900 according to such an embodiment is described below with reference to Figure 9. The electronic device 900 shown in Figure 9 is only an example and does not limit the functionality or scope of the embodiments.

As shown in Figure 9, the electronic device 900 takes the form of a general-purpose computing device. Its components may include, but are not limited to, at least one processing unit 910, at least one storage unit 920, and a bus 930 connecting the system components (including the storage unit 920 and the processing unit 910).

The storage unit stores program code that the processing unit 910 can execute, causing the processing unit 910 to perform the steps of the exemplary embodiments described in the "Exemplary Methods" section above.

For example, the processing unit 910 can perform the following steps of the method embodiment:

generate a random number and encrypt it with the quantum-resistant public key to obtain an encrypted random number;

derive the session key from the first shared key and the random number, where the first shared key is derived from the server public key and the terminal public key;

encrypt the signaling data with the session key to obtain the encrypted signaling data;

send the signaling message, which includes the encrypted signaling data and the encrypted random number, to the server so that the server can verify it.

For example, the processing unit 910 can perform the following steps of the method embodiment:

derive the first shared key from the server public key and the terminal public key;

encrypt the user's login information with the first shared key to obtain the user's encrypted login information;

send the user's encrypted login information and the terminal public key to the server for user registration.

For example, the processing unit 910 can perform the following steps of the method embodiment:

obtain the signaling message sent by the terminal, which includes the encrypted random number and the encrypted signaling data;

decrypt the encrypted random number with the quantum-resistant private key to recover the random number;

derive the session key from the first shared key and the random number, where the first shared key is derived from the server public key and the terminal public key;

decrypt the encrypted signaling data with the session key.

For example, the processing unit 910 can perform the following steps of the method embodiment:

verify the HMAC with the session key;

if verification succeeds, decrypt the encrypted signaling data with the session key, where the signaling message also includes the terminal login information and the HMAC, and the HMAC is generated with the session key.

The storage unit 920 may include readable media in the form of volatile memory, such as random access memory (RAM) 9201 and/or cache memory 9202, and may further include read-only memory (ROM) 9203.

The storage unit 920 may also include a program/utility 9204 with a set of (at least one) program modules 9205, including but not limited to an operating system, one or more application programs, other program modules and program data; each of these, or some combination of them, may implement a network environment.

The bus 930 may represent one or more of several types of bus structure, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor bus, or a local bus using any of a variety of bus architectures.

The electronic device 900 can also communicate with one or more external devices 940 (for example a keyboard, a pointing device or a Bluetooth device), with one or more devices that let a user interact with the electronic device 900, and/or with any device (for example a router or modem) that lets the electronic device 900 communicate with one or more other computing devices. Such communication takes place through an input/output (I/O) interface 950. The electronic device 900 can also communicate with one or more networks (for example a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 960. As shown, the network adapter 960 communicates with the other modules of the electronic device 900 over the bus 930. It should be understood that, although not shown, other hardware and/or software modules can be used with the electronic device 900, including but not limited to microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives and data backup storage systems.

From the description of the embodiments above, those skilled in the art will readily understand that the exemplary embodiments can be implemented in software or in software combined with the necessary hardware. The technical solution of the embodiments can therefore be embodied as a software product stored on a non-volatile storage medium (a CD-ROM, USB flash drive, portable hard disk, etc.) or on a network, containing instructions that cause a computing device (a personal computer, server, terminal device, network device, etc.) to execute the method of the embodiments.

In particular, according to embodiments of this disclosure, the process described above with reference to the flowcharts can be implemented as a computer program product comprising a computer program that, when executed by a processor, implements the information verification method described above.

In exemplary embodiments, a computer-readable storage medium is also provided, which may be a readable signal medium or a readable storage medium, storing a program product capable of implementing the method above. In some possible implementations, aspects of this disclosure may also be implemented as a program product including program code that, when the program product runs on a terminal device, causes the terminal device to perform the steps of the exemplary embodiments described in the "Exemplary Methods" section of this specification.

More specific examples of the computer-readable storage medium include, but are not limited to, an electrical connection with one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of these.

In this disclosure, a computer-readable medium may also include a data signal propagated in baseband or as part of a carrier wave and carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal or any suitable combination of these. A readable signal medium may be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device.

可选地,计算机可读存储介质上包含的程序代码可以用任何适当的介质传输,包括但不限于无线、有线、光缆、RF等等,或者上述的任意合适的组合。Optionally, the program code contained on the computer-readable storage medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fiber, RF, etc., or any suitable combination thereof.

在具体实施时,可以以一种或多种程序设计语言的任意组合来编写用于执行本公开操作的程序代码,所述程序设计语言包括面向对象的程序设计语言—诸如Java、C++等,还包括常规的过程式程序设计语言—诸如“C”语言或类似的程序设计语言。程序代码可以完全地在用户计算设备上执行、部分地在用户设备上执行、作为一个独立的软件包执行、部分在用户计算设备上部分在远程计算设备上执行、或者完全在远程计算设备或服务器上执行。在涉及远程计算设备的情形中,远程计算设备可以通过任意种类的网络,包括局域网(LAN)或广域网(WAN),连接到用户计算设备,或者,可以连接到外部计算设备(例如利用因特网服务提供商来通过因特网连接)。In practical implementation, program code for performing the operations of this disclosure can be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, and conventional procedural programming languages such as C or similar languages. The program code can execute entirely on the user's computing device, partially on the user's device, as a standalone software package, partially on the user's computing device and partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).

应当注意,尽管在上文详细描述中提及了用于动作执行的设备的若干模块或者单元,但是这种划分并非强制性的。实际上,根据本公开的实施方式,上文描述的两个或更多模块或者单元的特征和功能可以在一个模块或者单元中具体化。反之,上文描述的一个模块或者单元的特征和功能可以进一步划分为由多个模块或者单元来具体化。It should be noted that although several modules or units for the device used to perform actions have been mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of this disclosure, the features and functions of two or more modules or units described above can be embodied in one module or unit. Conversely, the features and functions of one module or unit described above can be further divided and embodied by multiple modules or units.

此外,尽管在附图中以特定顺序描述了本公开中方法的各个步骤,但是,这并非要求或者暗示必须按照该特定顺序来执行这些步骤,或是必须执行全部所示的步骤才能实现期望的结果。附加的或备选的,可以省略某些步骤,将多个步骤合并为一个步骤执行,以及/或者将一个步骤分解为多个步骤执行等。Furthermore, although the steps of the method in this disclosure are described in a specific order in the accompanying drawings, this does not require or imply that the steps must be performed in that specific order, or that all the steps shown must be performed to achieve the desired result. Additional or alternative steps may be omitted, multiple steps may be combined into one step, and/or a step may be broken down into multiple steps.

通过以上实施方式的描述,本领域的技术人员易于理解,这里描述的示例实施方式可以通过软件实现,也可以通过软件结合必要的硬件的方式来实现。因此,根据本公开实施方式的技术方案可以以软件产品的形式体现出来,该软件产品可以存储在一个非易失性存储介质(可以是CD-ROM,U盘,移动硬盘等)中或网络上,包括若干指令以使得一台计算设备(可以是个人计算机、服务器、移动终端、或者网络设备等)执行根据本公开实施方式的方法。From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, mobile terminal, or network device, etc.) to execute the methods according to the embodiments of this disclosure.

本领域技术人员在考虑说明书及实践这里公开的发明后,将容易想到本公开的其它实施方案。本公开旨在涵盖本公开的任何变型、用途或者适应性变化,这些变型、用途或者适应性变化遵循本公开的一般性原理并包括本公开未公开的本技术领域中的公知常识或惯用技术手段。说明书和实施例仅被视为示例性的,本公开的真正范围和精神由所附的权利要求指出。Other embodiments of this disclosure will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of this disclosure that follow the general principles of this disclosure and include common knowledge or customary techniques in the art not disclosed herein. The specification and examples are to be considered exemplary only, and the true scope and spirit of this disclosure are indicated by the appended claims.

Claims (10)

1. An information verification method, characterized in that it is applied to a terminal and comprises:
   generating a random number and encrypting it using a quantum-resistant public key to determine an encrypted random number;
   determining a session key based on a first shared key and the random number, wherein the first shared key is determined based on a server public key and a terminal public key;
   determining encrypted signaling data based on the session key and signaling data;
   sending a signaling message to the server so that the server verifies the signaling message, wherein the signaling message includes the encrypted signaling data and the encrypted random number.

2. The information verification method according to claim 1, characterized in that, before generating the random number and encrypting it using the quantum-resistant public key to determine the encrypted random number, the method further comprises:
   determining the first shared key based on the server public key and the terminal public key;
   encrypting the user's login information using the first shared key to determine the user's encrypted login information;
   sending the user's encrypted login information and the terminal public key to the server for user registration.

3. The information verification method according to claim 1, characterized in that the signaling message further includes terminal login information and a hash message authentication code, wherein the hash message authentication code is generated based on the session key.

4. An information verification method, characterized in that it is applied to a server and comprises:
   acquiring a signaling message sent by a terminal, wherein the signaling message includes an encrypted random number and encrypted signaling data;
   decrypting the encrypted random number using a quantum-resistant private key to determine a random number;
   determining a session key based on a first shared key and the random number, wherein the first shared key is determined based on a server public key and a terminal public key;
   decrypting the encrypted signaling data using the session key.

5. The information verification method according to claim 4, characterized in that the signaling message further includes terminal login information and a hash message authentication code, wherein the hash message authentication code is generated based on the session key; and
   before decrypting the encrypted signaling data using the session key, the method further comprises:
   verifying the hash message authentication code using the session key;
   if the verification succeeds, decrypting the encrypted signaling data using the session key.

6. An information verification device, characterized in that it is applied to a terminal and comprises:
   an encrypted random number determination module, configured to generate a random number and encrypt it using a quantum-resistant public key to determine an encrypted random number;
   a first session key determination module, configured to determine a session key based on a first shared key and the random number, wherein the first shared key is determined based on a server public key and a terminal public key;
   an encrypted signaling data determination module, configured to determine encrypted signaling data based on the session key and signaling data;
   a signaling message sending module, configured to send a signaling message to the server so that the server verifies the signaling message, wherein the signaling message includes the encrypted signaling data and the encrypted random number.

7. An information verification device, characterized in that it is applied to a server and comprises:
   a signaling message acquisition module, configured to acquire a signaling message sent by a terminal, wherein the signaling message includes an encrypted random number and encrypted signaling data;
   a random number determination module, configured to decrypt the encrypted random number using a quantum-resistant private key to determine a random number;
   a second session key determination module, configured to determine a session key based on a first shared key and the random number, wherein the first shared key is determined based on a server public key and a terminal public key;
   a signaling data decryption module, configured to decrypt the encrypted signaling data using the session key.

8. An information verification system, characterized in that it comprises a terminal and a server, wherein:
   the terminal generates a random number and encrypts it using a quantum-resistant public key to determine an encrypted random number;
   the terminal determines a session key based on a first shared key and the random number, wherein the first shared key is determined based on a server public key and a terminal public key;
   the terminal determines encrypted signaling data based on the session key and signaling data;
   the terminal sends a signaling message to the server, wherein the signaling message includes the encrypted signaling data and the encrypted random number;
   the server acquires the signaling message sent by the terminal;
   the server decrypts the encrypted random number using a quantum-resistant private key to determine the random number;
   the server determines the session key based on the first shared key and the random number;
   the server decrypts the encrypted signaling data using the session key.

9. An electronic device, characterized in that it comprises:
   a processor; and
   a memory for storing executable instructions of the processor;
   wherein the processor is configured to execute the information verification method according to any one of claims 1 to 7 by executing the executable instructions.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by a processor, it implements the information verification method according to any one of claims 1 to 7.
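The exchange of claims 1, 3, 4 and 5 (and the system of claim 8) carried through end to end, as an added example written for this page and not code from the patent or its applicant. It assumes Go 1.24 or later (for crypto/mlkem and crypto/hkdf), and it fixes choices the claims leave open: ML-KEM-768 as the quantum-resistant key pair, X25519 as the server and terminal key pair behind the "first shared key", HKDF-SHA256 for the session-key derivation, AES-GCM for the signaling data, and HMAC-SHA256 for the hash message authentication code. One deviation from the claim wording: ML-KEM encapsulation generates the random number internally and returns it with its ciphertext, rather than encrypting a caller-supplied value. The login information of claims 2 and 3 is left out. All keys and the signaling payload are constructed at run time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SignalingMessage holds the fields the claims name: the random number encrypted
// under the quantum-resistant public key (an ML-KEM-768 ciphertext), the signaling
// data encrypted under the session key, and an HMAC keyed with the session key.
// Nonce is an extra field AES-GCM needs; the HMAC covers it as well.
type SignalingMessage struct {
	EncRandom, Nonce, EncSignal, MAC []byte
}

// sessionKey derives the first shared key with X25519 from one side's private key
// and the peer's public key, then combines it with the random number (the KEM
// shared secret). HKDF-SHA256 with a fixed label is an assumption of this example.
func sessionKey(priv *ecdh.PrivateKey, pub *ecdh.PublicKey, random []byte) ([]byte, error) {
	firstShared, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	ikm := append(append([]byte{}, firstShared...), random...)
	return hkdf.Key(sha256.New, ikm, nil, "session-key", 32)
}

// computeMAC covers every transmitted field, so a tampered message is rejected
// before any decryption is attempted (the order claim 5 requires).
func computeMAC(key []byte, m *SignalingMessage) []byte {
	h := hmac.New(sha256.New, key)
	for _, part := range [][]byte{m.EncRandom, m.Nonce, m.EncSignal} {
		h.Write(part)
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// TerminalBuild is the terminal side (claims 1 and 3). ML-KEM's Encapsulate picks
// the random number itself and returns it together with its ciphertext.
func TerminalBuild(termPriv *ecdh.PrivateKey, serverPub *ecdh.PublicKey,
	serverKEM *mlkem.EncapsulationKey768, signaling []byte) (*SignalingMessage, error) {
	random, encRandom := serverKEM.Encapsulate()
	key, err := sessionKey(termPriv, serverPub, random)
	if err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	m := &SignalingMessage{EncRandom: encRandom, Nonce: make([]byte, gcm.NonceSize())}
	if _, err := rand.Read(m.Nonce); err != nil { return nil, err }
	m.EncSignal = gcm.Seal(nil, m.Nonce, signaling, nil)
	m.MAC = computeMAC(key, m)
	return m, nil
}

// ServerVerify is the server side (claims 4 and 5): decapsulate the random
// number, rebuild the session key, check the HMAC, and only then decrypt.
func ServerVerify(serverPriv *ecdh.PrivateKey, termPub *ecdh.PublicKey,
	serverKEM *mlkem.DecapsulationKey768, m *SignalingMessage) ([]byte, error) {
	random, err := serverKEM.Decapsulate(m.EncRandom)
	if err != nil { return nil, err }
	key, err := sessionKey(serverPriv, termPub, random)
	if err != nil { return nil, err }
	if !hmac.Equal(m.MAC, computeMAC(key, m)) {
		return nil, errors.New("HMAC verification failed; ciphertext left undecrypted")
	}
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	return gcm.Open(nil, m.Nonce, m.EncSignal, nil)
}

// RunProtocol builds fresh keys (constructed for this example), runs one exchange
// and, when tamper is set, flips one bit of the ciphertext in transit.
func RunProtocol(signaling []byte, tamper bool) ([]byte, error) {
	termPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	serverPriv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	serverKEM, err := mlkem.GenerateKey768()
	if err != nil { return nil, err }
	m, err := TerminalBuild(termPriv, serverPriv.PublicKey(), serverKEM.EncapsulationKey(), signaling)
	if err != nil { return nil, err }
	if tamper {
		m.EncSignal[0] ^= 0x01
	}
	return ServerVerify(serverPriv, termPriv.PublicKey(), serverKEM, m)
}
```

The design point worth checking in any implementation of claim 5 is the one RunProtocol's tamper flag exercises: the HMAC is computed over every transmitted field and compared with hmac.Equal (constant time) before the session key is ever used for decryption, so a message altered in transit is dropped at the verification step. AES-GCM's own tag would also catch the alteration, so the separate HMAC is redundant with this cipher choice; it is kept here because the claims call for it explicitly.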
PCT/CN2024/135341 2024-05-14 2024-11-28 Information verification method and related device Pending WO2025236608A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202410594835.8 2024-05-14
CN202410594835.8A CN118174967B (en) 2024-05-14 2024-05-14 Information verification method and related equipment

Publications (1)

Publication Number Publication Date
WO2025236608A1 true WO2025236608A1 (en) 2025-11-20

Family

ID=91355032

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2024/135341 Pending WO2025236608A1 (en) 2024-05-14 2024-11-28 Information verification method and related device

Country Status (2)

Country Link
CN (1) CN118174967B (en)
WO (1) WO2025236608A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118174967B (en) * 2024-05-14 2024-08-06 中国电信股份有限公司 Information verification method and related equipment
CN119299101B (en) * 2024-09-26 2025-10-10 中国电信股份有限公司 Device authentication method, system, device and non-volatile storage medium
CN119483934B (en) * 2024-10-31 2025-09-19 本源量子计算科技(合肥)股份有限公司 Mixed key packaging method and system
CN119420552B (en) * 2024-11-04 2025-09-30 中电信量子科技有限公司 A session key distribution method and system
CN119603065B (en) * 2024-12-18 2025-12-19 中电科网络安全科技股份有限公司 Digital certificate authentication method, device, equipment and medium based on post quantum algorithm
CN119544216B (en) * 2025-01-21 2025-04-29 北京握奇数据股份有限公司 Key exchange method, system, equipment and storage medium
CN120128322A (en) * 2025-02-24 2025-06-10 本源量子计算科技(合肥)股份有限公司 A method, system and electronic device for generating a key between two terminals
CN120186605A (en) * 2025-05-20 2025-06-20 中国电信股份有限公司 Authentication methods and related equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210226782A1 (en) * 2020-01-22 2021-07-22 Cisco Technology, Inc. Quantum computer resistant pre-shared key distribution for large scale wide area network solutions
CN114629651A (en) * 2020-12-14 2022-06-14 南京如般量子科技有限公司 A CA-based anti-quantum computing communication method and system
CN117176340A (en) * 2023-09-05 2023-12-05 之江实验室 A communication method based on MQTT protocol and resistant to quantum attacks
CN117527202A (en) * 2022-08-05 2024-02-06 华为技术有限公司 Systems, methods and equipment for quantum key agreement
CN118174967A (en) * 2024-05-14 2024-06-11 中国电信股份有限公司 Information verification method and related equipment

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102710605A (en) * 2012-05-08 2012-10-03 重庆大学 Information security management and control method under cloud manufacturing environment
CN110932870B (en) * 2019-12-12 2023-03-31 南京如般量子科技有限公司 Quantum communication service station key negotiation system and method
CN111586685B (en) * 2020-04-26 2022-05-03 重庆邮电大学 A Lattice-based Anonymous Roaming Authentication Method
CN114070549B (en) * 2020-07-31 2024-07-19 马上消费金融股份有限公司 Key generation method, device, equipment and storage medium
CN114070550B (en) * 2020-07-31 2024-07-02 马上消费金融股份有限公司 Information processing method, device, equipment and storage medium
CN114978481B (en) * 2021-02-24 2025-06-13 南京如般量子科技有限公司 Anti-quantum computing communication system based on post-quantum cryptography CA
JP2023181554A (en) * 2022-06-12 2023-12-22 広海 大谷 internet and security

Also Published As

Publication number Publication date
CN118174967A (en) 2024-06-11
CN118174967B (en) 2024-08-06