CN106330434B - First quantum node, second quantum node, secure communication architecture system and method - Google Patents
- Publication number
- CN106330434B (CN201510350028.2A)
- Authority
- CN
- China
- Prior art keywords
- quantum
- node
- key
- hop
- data packet
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a first quantum node, a second quantum node, a secure communication network architecture system, a service key transmission method and a route switching method, wherein the first quantum node is used for generating a quantum key pair through quantum channel negotiation with the adjacent second quantum node so as to encrypt and decrypt a service key accessed to user service data according to the quantum key pair to obtain a processed data packet; and transmitting the processed data packet to an adjacent second quantum node through a classical channel according to a routing protocol.
Description
Technical Field
The invention relates to a secure communication technology in the technical field of quantum secret communication and communication, in particular to a first quantum node, a second quantum node, a secure communication network architecture system, a service key transmission method and a route switching method.
Background
In the process of implementing the technical solution of the embodiment of the present application, the inventor of the present application finds at least the following technical problems in the related art:
In a conventional encryption system, whether it uses a symmetric key or an asymmetric key, the security of a ciphertext depends entirely on the secrecy of the key. The key must be a sufficiently long random binary string, and once a key pair is established between the sender and the receiver, a ciphertext encoded with the key can be transmitted over a public channel. However, to establish a key pair the sender and the receiver must use a secure and reliable communication channel; because of possible interceptors, real security is technically difficult to guarantee, and the distribution of the key may be passively monitored without the legitimate users being aware of it.
In recent years, quantum cryptography has emerged from the combination of quantum mechanics and cryptography, and it can achieve a perfect security system that cannot be achieved by traditional mathematics alone. Quantum cryptography provides a brand-new secure communication system on the basis of quantum theory, exploiting the fact that a quantum state cannot, in principle, be copied. Two principles play a key role in quantum cryptography. The first is the Heisenberg uncertainty principle: measuring a quantum system generally disturbs that system, so any attempt to monitor the quantum channel will disturb the information transmitted in the channel in some way. The second is the single-quantum no-cloning theorem, a consequence of the Heisenberg uncertainty principle: it is impossible to copy a single quantum without knowing its state, because copying requires a prior measurement, which disturbs the system and yields only incomplete information about its pre-measurement state. Therefore, eavesdropping on a quantum communication channel causes unavoidable disturbance, and both legitimate parties can thereby detect the eavesdropping. Quantum cryptography uses this principle to establish a communication key between two communicating parties who have never shared secret information in advance, and then uses mathematically absolutely secure one-time-pad encryption to ensure that the secrets of the two communicating parties are not leaked.
The best-known application of quantum cryptography is Quantum Key Distribution (QKD). In 1984, Bennett and Brassard proposed the first quantum key distribution scheme, using single-photon polarization state encoding, now known as the BB84 protocol, which opened a new phase of quantum key distribution. In 1992, Bennett proposed a simpler, but halved-efficiency, scheme similar to the BB84 protocol, hereinafter referred to as the B92 protocol. Based on another quantum phenomenon, namely the Einstein-Podolsky-Rosen (EPR) paradox, Ekert proposed in 1991 to implement quantum cryptography with two-particle entangled states, which is called the EPR protocol. Many other protocols have emerged since then, but all can be grouped into the above three types. In recent years, with the development of single-photon devices, quantum key distribution techniques based on protocols such as BB84, B92 and EPR have come into practical use. At present, two types of quantum channel are available, namely an optical fiber channel and an open-space channel, which are used for transmitting quantum bits and generating quantum keys; a QKD prototype system also has a classical channel, namely a traditional network, which is used for protocol interaction during quantum key generation and for transmitting encrypted ciphertext.
In 1993, the British national defense research department first realized the BB84 QKD scheme by using a phase encoding method in an optical fiber, with a fiber transmission length of 10 kilometers. In 2002, German and British research institutes successfully used lasers to transmit photonic keys between two mountains 23.4 km apart, confirming the possibility of transmitting quantum keys through open space, particularly via near-earth satellites. In 2004, BBN in the USA established the first quantum cryptography communication experimental network in Cambridge, Massachusetts; in the same year, the Guo Guangcan research group successfully achieved point-to-point quantum key distribution over 125 km of fiber. In 2008, a 7-node secure communication demonstration network built in the European Union completed a successful trial operation. In the same year, the Pan Jianwei group of the University of Science and Technology of China constructed a first optical quantum experimental network in Hefei and demonstrated a voice call function with quantum secret communication.
The problems existing in the prior art are as follows: these quantum key distribution systems are experimental systems and have a number of defects. For example, quantum keys can only be distributed between two nodes, or among a limited number of nodes, lacking the routing mechanism necessary for large-scale deployment; and the necessary rerouting mechanism is absent when a channel outage occurs. Clearly, deploying a QKD network nationwide or even globally requires the integration of QKD devices with traditional route switching devices and carrier-grade modifications to the QKD network.
Disclosure of Invention
In view of the above, embodiments of the present invention are intended to provide a first quantum node, a second quantum node, a secure communication network architecture system, a service key transmission method, and a route switching method, which at least solve the problems in the prior art.
The technical scheme of the embodiment of the invention is realized as follows:
the first quantum node is used for generating a quantum key pair through negotiation of a quantum channel with an adjacent second quantum node, so as to encrypt and decrypt a service key accessed to user service data according to the quantum key pair, and obtain a processed data packet; and transmitting the processed data packet to an adjacent second quantum node through a classical channel according to a routing protocol.
In the foregoing solution, the first quantum node includes:
the quantum communication module is used for selecting the same random number sequences at two ends through negotiation of a quantum channel with the quantum communication module in the adjacent second quantum node respectively to be used as the quantum key pair;
the key management module is used for storing and managing the quantum key pair;
the encryption and decryption module is used for carrying out encryption and decryption processing on a service key to be accessed into user service data according to the quantum key to obtain a processed data packet;
and the access and routing module is used for acquiring service data of an access user after access authentication of the user is passed, sending the service key corresponding to the service data to the encryption and decryption module for encryption, selecting a routing path of a next-hop quantum node to transmit a first encrypted data packet obtained through encryption to the second quantum node serving as the next-hop quantum node, sending a second encrypted data packet obtained through encryption and sent by a receiving opposite end to the encryption and decryption module for decryption, and returning the second encrypted data packet to the user.
In the above solution, the quantum communication module is further configured to generate a first quantum key K1 through negotiation of a quantum channel with a quantum communication module in an adjacent second quantum node, and the second quantum node negotiates with a next-hop quantum node adjacent to the second quantum node to generate a second quantum key K2.
In the above scheme, the encryption and decryption module is further configured to encrypt the service key S according to the first quantum key K1, so as to obtain the first encrypted data packet S Λ K1;
the access and routing module is further configured to obtain a routing path of a next-hop quantum node according to the routing protocol, and send the S Λ K1 to the second quantum node serving as the next-hop quantum node.
The second quantum node is used for generating a quantum key pair through negotiation of a quantum channel with the adjacent first quantum node or the next-hop quantum node adjacent to the second quantum node, so as to encrypt and decrypt a service key accessed to user service data according to the quantum key pair to obtain a processed data packet; and transmitting the processed data packet to the next-hop quantum node adjacent to the second quantum node through a classical channel according to a routing protocol.
In the foregoing solution, the second quantum node includes:
the quantum communication module is used for selecting the same random number sequences at two ends respectively through negotiation of a quantum channel with a quantum communication module in a next-hop quantum node adjacent to the first quantum node or the second quantum node, and taking the random number sequences as the quantum key pair;
the key management module is used for storing and managing the quantum key pair;
the encryption and decryption module is used for carrying out encryption and decryption processing on a service key to be accessed into user service data according to the quantum key to obtain a processed data packet;
the routing module is used for obtaining the first quantum node serving as a previous-hop quantum node and the next-hop quantum node adjacent to the second quantum node according to a routing protocol; sending the encrypted first data packet sent by the first quantum node and obtained through encryption to the encryption and decryption module for decryption, encrypting the encrypted first data packet to obtain a third encrypted data packet, and transmitting the third encrypted data packet to the next-hop quantum node adjacent to the second quantum node; and sending the fourth encrypted data packet which is sent by the receiving opposite terminal and is obtained through encryption processing to the encryption and decryption module for decryption processing.
In the above solution, the quantum communication module is further configured to generate a first quantum key K1 through negotiation of a quantum channel with a quantum communication module in an adjacent first quantum node, and the second quantum node negotiates with a next-hop quantum node adjacent to the second quantum node to generate a second quantum key K2.
In the above scheme, the encryption and decryption module is further configured to receive a first encrypted data packet S Λ K1 sent by the first quantum node; decrypting the S Λ K1 according to the first quantum key K1 and then encrypting the decrypted S Λ K1 by using a second quantum key K2 to obtain a third encrypted data packet S Λ K2;
the access and routing module is further configured to obtain a routing path of a next-hop quantum node according to the routing protocol, and send the S Λ K2 to the next-hop quantum node adjacent to the second quantum node.
A secure communication architecture system according to an embodiment of the present invention includes a first quantum node according to any one of the above schemes, and a second quantum node according to any one of the above schemes;
the system further comprises: a route switching node;
and the route switching node serves as a transmission medium that transparently passes the optical path between the first quantum node and the second quantum node.
The method for transmitting the service key is applied to a first quantum node and comprises the following steps:
the first quantum node and an adjacent second quantum node generate a quantum key pair through negotiation of a quantum channel;
encrypting and decrypting a service key to be accessed to user service data according to the quantum key to obtain a processed data packet;
and transmitting the processed data packet to an adjacent second quantum node through a classical channel according to a routing protocol.
The method for transmitting the service key is applied to a second quantum node, and comprises the following steps:
the second quantum node and the adjacent first quantum node or the next-hop quantum node adjacent to the second quantum node generate a quantum key pair through negotiation of a quantum channel;
encrypting and decrypting a service key to be accessed to user service data according to the quantum key to obtain a processed data packet;
and transmitting the processed data packet to the next-hop quantum node adjacent to the second quantum node through a classical channel according to a routing protocol.
The invention provides a service key transmission method, which is based on the secure communication architecture system and comprises the following steps:
a quantum key pair is generated between every two adjacent quantum nodes through negotiation of a quantum channel;
every two adjacent quantum nodes comprise a quantum node of a previous hop and a quantum node of a next hop, and the types of the quantum nodes comprise a first quantum node and a second quantum node;
and encrypting and decrypting the service key accessed to the user service data according to the quantum key to obtain a processed data packet, and transmitting the processed data packet through a classical channel according to a routing protocol.
In the above solution, the quantum key pair generated by negotiation of quantum channels between every two adjacent quantum nodes at least includes: a first quantum key K1;
the encrypting and decrypting the service key to be accessed to the user service data according to the quantum key to obtain a processed data packet, and transmitting the processed data packet through a classical channel according to a routing protocol, comprises the following steps:
accessing the service key S sent by the user;
acquiring the first quantum key K1, and encrypting the service key S according to the first quantum key K1 to obtain a first encrypted data packet S Λ K1;
and calculating the route of the next-hop quantum node according to a routing protocol, and sending the S Λ K1 to the next-hop quantum node.
In the foregoing solution, the quantum key pair generated by negotiation between every two adjacent quantum nodes through a quantum channel further includes: a second quantum key K2 and a third quantum key K3;
the encrypting and decrypting the service key to be accessed to the user service data according to the quantum key to obtain a processed data packet, and transmitting the processed data packet through a classical channel according to a routing protocol, further comprising:
receiving the S Λ K1 by the quantum node of the next hop;
obtaining the first quantum key K1 and a second quantum key K2;
decrypting the S Λ K1 according to the first quantum key K1 and then encrypting the decrypted S Λ K1 by using a second quantum key K2 to obtain a third encrypted data packet S Λ K2;
calculating the route of the next-hop quantum node according to a routing protocol, and sending the S Λ K2 to the next-hop quantum node;
obtaining the second quantum key K2 and a third quantum key K3;
decrypting the S Λ K2 according to the second quantum key K2 and then encrypting the S Λ K2 by using a third quantum key K3 to obtain a fifth encrypted data packet S Λ K3;
and calculating the route of the next-hop quantum node according to a routing protocol, sending the S Λ K3 to the next-hop quantum node, decrypting the S Λ K3 by using the third quantum key K3 to obtain a service key S, and distributing the service key S to the user.
The embodiment of the invention provides a route switching method, which is based on the secure communication architecture system and comprises the following steps:
a quantum key pair is generated between every two adjacent quantum nodes through negotiation of a quantum channel;
every two adjacent quantum nodes comprise a quantum node of a previous hop and a quantum node of a next hop, and the types of the quantum nodes comprise a first quantum node and a second quantum node;
encrypting and decrypting a service key to be accessed into user service data according to the quantum key to obtain a processed data packet, wherein the data format of the processed data packet is destination address | source address | first quantum node | second quantum node |.
And carrying out route switching on every two adjacent quantum nodes according to a data format obtained by analyzing the processed data packet.
In the above solution, when the secure communication architecture system is composed of a destination user A, a source user B, a first quantum node QAG1, and a second quantum node QRR1, the data format specifically is: B | A | QAG1 | QRR1 | S Λ K2.
In the foregoing solution, the performing route switching on every two adjacent quantum nodes according to a data format obtained by analyzing the processed data packet includes:
when a user A has a service key S to send to a user B, the format of the data packet sent out is as follows: b | A | S;
the current quantum node QAG1 receives the data packet, parses its data format as B | A | S, calculates a route for the destination address B, obtains QRR1 as the address of the next-hop quantum node, looks up the first quantum key K1 between QAG1 and QRR1, and encrypts S with K1 to obtain a first encrypted data packet S Λ K1, whose data format is B | A | QAG1 | S Λ K1; QAG1 sends the S Λ K1 to the next-hop quantum node QRR1;
QRR1 receives the S Λ K1, parses its data format as B | A | QAG1 | S Λ K1, looks up the first quantum key K1 between the previous-hop quantum node QAG1 and QRR1, calculates a route for the destination address B, obtains QRR2 as the address of the next-hop quantum node, looks up the second quantum key K2 between QRR1 and QRR2, decrypts the S Λ K1 with K1 and encrypts the result with K2 to obtain a third encrypted data packet S Λ K2, whose data format is B | A | QAG1 | QRR1 | S Λ K2; QRR1 sends the S Λ K2 to the next-hop quantum node QRR2;
QRR2 receives the S Λ K2, parses its data format as B | A | QAG1 | QRR1 | S Λ K2, looks up the second quantum key K2 between the previous-hop quantum node QRR1 and QRR2, calculates a route for the destination address B, obtains QAG2 as the address of the next-hop quantum node, looks up the third quantum key K3 between QRR2 and QAG2, decrypts the S Λ K2 with K2 and encrypts the result with K3 to obtain a fifth encrypted data packet S Λ K3, whose data format is B | A | QAG1 | QRR1 | QRR2 | S Λ K3; QRR2 sends the S Λ K3 to the next-hop quantum node QAG2;
and QAG2 receives the S Λ K3, parses its data format as B | A | QAG1 | QRR1 | QRR2 | S Λ K3, looks up the third quantum key K3 between the previous-hop quantum node QRR2 and QAG2, decrypts the S Λ K3 with K3 to obtain the initial service key S, and distributes S to the user B.
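The relay and route-switching walk-through above (user A to user B via QAG1, QRR1, QRR2 and QAG2), as an added Python simulation that is not part of the patent. It assumes that Λ denotes a bytewise XOR one-time pad, stands in for quantum-channel negotiation with `secrets.token_bytes`, and uses hypothetical class and function names; it also records which nodes hold S in the clear, since each node on the path decrypts before re-encrypting.

```python
import secrets
from dataclasses import dataclass

KEY_LEN = 32  # constructed size of the service key S, in bytes


def xor(data: bytes, pad: bytes) -> bytes:
    """S Λ K, assumed here to be a bytewise XOR with a pad of equal length."""
    if len(data) != len(pad):
        raise ValueError("pad length must equal message length")
    return bytes(d ^ p for d, p in zip(data, pad))


@dataclass
class Packet:
    dst: str
    src: str
    path: list      # quantum nodes traversed so far, in order
    payload: bytes  # S in clear on the user links, S Λ Kn between nodes

    def wire(self) -> str:
        # Page format: destination | source | node ... | payload
        return " | ".join([self.dst, self.src, *self.path, self.payload.hex()])


class QuantumNode:
    """Hypothetical model of a QAG/QRR node: key store plus routing table."""

    def __init__(self, name, routes, local_users=()):
        self.name = name
        self.routes = routes                # destination -> next-hop node
        self.local_users = set(local_users)
        self.link_keys = {}                 # neighbour -> unused pads
        self.seen_plaintext = []            # audit: every S held in clear

    def _take_pad(self, neighbour):
        pads = self.link_keys.get(neighbour)
        if not pads:
            raise RuntimeError(f"{self.name}: no unused key for {neighbour}")
        return pads.pop(0)                  # a pad is consumed once, never reused

    def handle(self, pkt):
        """Return (next_hop, packet); next_hop is None on delivery to a user."""
        if pkt.path:   # came from a node: last path entry is the previous hop
            s = xor(pkt.payload, self._take_pad(pkt.path[-1]))
        else:          # came from an access user: payload is S itself
            s = pkt.payload
        self.seen_plaintext.append(s)
        if pkt.dst in self.local_users:
            return None, Packet(pkt.dst, pkt.src, pkt.path, s)
        nxt = self.routes[pkt.dst]
        out = Packet(pkt.dst, pkt.src, pkt.path + [self.name],
                     xor(s, self._take_pad(nxt)))
        return nxt, out


def negotiate(a, b):
    """Stand-in for QKD on the a-b quantum channel: same random pad at both ends."""
    pad = secrets.token_bytes(KEY_LEN)
    a.link_keys.setdefault(b.name, []).append(pad)
    b.link_keys.setdefault(a.name, []).append(pad)
    return pad


def build_demo():
    """Topology from the walk-through: A - QAG1 - QRR1 - QRR2 - QAG2 - B."""
    nodes = {
        "QAG1": QuantumNode("QAG1", {"B": "QRR1"}, local_users={"A"}),
        "QRR1": QuantumNode("QRR1", {"B": "QRR2"}),
        "QRR2": QuantumNode("QRR2", {"B": "QAG2"}),
        "QAG2": QuantumNode("QAG2", {}, local_users={"B"}),
    }
    links = [("QAG1", "QRR1"), ("QRR1", "QRR2"), ("QRR2", "QAG2")]
    keys = {link: negotiate(nodes[link[0]], nodes[link[1]]) for link in links}
    return nodes, keys  # keys maps each link to K1, K2, K3


def relay(nodes, first_hop, pkt):
    """Forward pkt hop by hop; return the delivered packet and wire trace."""
    trace, current = [], first_hop
    while current is not None:
        current, pkt = nodes[current].handle(pkt)
        trace.append(pkt.wire())
    return pkt, trace


if __name__ == "__main__":
    nodes, _ = build_demo()
    s = secrets.token_bytes(KEY_LEN)        # constructed service key S
    delivered, trace = relay(nodes, "QAG1", Packet("B", "A", [], s))
    for line in trace:
        print(line)
    print("delivered S intact:", delivered.payload == s)
    print("nodes that held S in clear:",
          [n.name for n in nodes.values() if s in n.seen_plaintext])
```

Every node on the path appears in the final list, so in this model the confidentiality of S depends on each relay node being trusted, not only on the quantum links.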
The first quantum node is used for generating a quantum key pair through negotiation of a quantum channel with an adjacent second quantum node, so as to encrypt and decrypt a service key accessed to user service data according to the quantum key pair to obtain a processed data packet; and transmitting the processed data packet to an adjacent second quantum node through a classical channel according to a routing protocol.
By adopting the embodiment of the invention, the first quantum node and the adjacent second quantum node generate a quantum key pair through negotiation of a quantum channel, so as to encrypt and decrypt the service key accessed to the user service data according to the quantum key pair to obtain a processed data packet; and transmitting the processed data packet to an adjacent second quantum node through a classical channel according to a routing protocol, and combining a quantum cryptography and a routing exchange technology which are negotiated through a quantum channel between the adjacent quantum nodes, so that the security is improved, and the method is also suitable for large-scale QKD network deployment.
Drawings
Fig. 1 is a schematic diagram of a module composition structure when a first quantum node is a QAG in the embodiment of the present invention;
Fig. 2 is a schematic diagram of a module structure when a second quantum node is a QRR in the embodiment of the present invention;
Fig. 3 is a schematic diagram of a network architecture of carrier QKD in the embodiment of the present invention;
Fig. 4 is a schematic flow chart of an access and relay service key in the embodiment of the present invention;
Fig. 5 is a schematic flow chart of relaying and distributing service keys in the embodiment of the present invention;
Fig. 6 is a flow chart illustrating routing and switching in the embodiment of the present invention.
Detailed Description
The following describes the embodiments in further detail with reference to the accompanying drawings.
The first quantum node is used for generating a quantum key pair through negotiation of a quantum channel with an adjacent second quantum node, so as to encrypt and decrypt a service key accessed to user service data according to the quantum key pair to obtain a processed data packet; and transmitting the processed data packet to an adjacent second quantum node through a classical channel according to a routing protocol.
In an embodiment of the present invention, the first quantum node includes:
the quantum communication module is used for selecting the same random number sequences at two ends through negotiation of a quantum channel with the quantum communication module in the adjacent second quantum node respectively to be used as the quantum key pair;
the key management module is used for storing and managing the quantum key pair;
the encryption and decryption module is used for carrying out encryption and decryption processing on a service key to be accessed into user service data according to the quantum key to obtain a processed data packet;
and the access and routing module is used for acquiring service data of an access user after access authentication of the user is passed, sending the service key corresponding to the service data to the encryption and decryption module for encryption, selecting a routing path of a next-hop quantum node to transmit a first encrypted data packet obtained through encryption to the second quantum node serving as the next-hop quantum node, sending a second encrypted data packet obtained through encryption and sent by a receiving opposite end to the encryption and decryption module for decryption, and returning the second encrypted data packet to the user.
In an embodiment of the present invention, the quantum communication module is further configured to generate a first quantum key K1 through negotiation of a quantum channel with a quantum communication module in an adjacent second quantum node, and the second quantum node negotiates with a next-hop quantum node adjacent to the second quantum node to generate a second quantum key K2.
In an embodiment of the present invention, the encryption/decryption module is further configured to encrypt the service key S according to the first quantum key K1, so as to obtain the first encrypted data packet S Λ K1;
the access and routing module is further configured to obtain a routing path of a next-hop quantum node according to the routing protocol, and send the S Λ K1 to the second quantum node serving as the next-hop quantum node.
The second quantum node is used for generating a quantum key pair through negotiation of a quantum channel with the adjacent first quantum node or the next-hop quantum node adjacent to the second quantum node, so as to encrypt and decrypt a service key accessed to user service data according to the quantum key pair to obtain a processed data packet; and transmitting the processed data packet to the next-hop quantum node adjacent to the second quantum node through a classical channel according to a routing protocol.
In an embodiment of the present invention, the second quantum node includes:
the quantum communication module is used for selecting the same random number sequences at two ends respectively through negotiation of a quantum channel with a quantum communication module in a next-hop quantum node adjacent to the first quantum node or the second quantum node, and taking the random number sequences as the quantum key pair;
the key management module is used for storing and managing the quantum key pair;
the encryption and decryption module is used for carrying out encryption and decryption processing on a service key to be accessed into user service data according to the quantum key to obtain a processed data packet;
the routing module is used for obtaining the first quantum node serving as a previous-hop quantum node and the next-hop quantum node adjacent to the second quantum node according to a routing protocol; sending the encrypted first data packet sent by the first quantum node and obtained through encryption to the encryption and decryption module for decryption, encrypting the encrypted first data packet to obtain a third encrypted data packet, and transmitting the third encrypted data packet to the next-hop quantum node adjacent to the second quantum node; and sending the fourth encrypted data packet which is sent by the receiving opposite terminal and is obtained through encryption processing to the encryption and decryption module for decryption processing.
In an embodiment of the present invention, the quantum communication module is further configured to generate a first quantum key K1 through negotiation of a quantum channel with a quantum communication module in an adjacent first quantum node, and the second quantum node negotiates with a next-hop quantum node adjacent to the second quantum node to generate a second quantum key K2.
In an implementation manner of the embodiment of the present invention, the encryption and decryption module is further configured to receive a first encrypted data packet S Λ K1 sent by the first quantum node; decrypting the S Λ K1 according to the first quantum key K1 and then encrypting the decrypted S Λ K1 by using a second quantum key K2 to obtain a third encrypted data packet S Λ K2;
the access and routing module is further configured to obtain a routing path of a next-hop quantum node according to the routing protocol, and send the S Λ K2 to the next-hop quantum node adjacent to the second quantum node.
The secure communication architecture system of the embodiment of the present invention includes a first quantum node according to any one of the above schemes, and a second quantum node according to any one of the above schemes;
the system further comprises: a route switching node;
and the route switching node serves as a transmission medium that transparently passes the optical path between the first quantum node and the second quantum node.
The method for transmitting the service key is applied to a first quantum node and comprises the following steps:
the first quantum node and an adjacent second quantum node generate a quantum key pair through negotiation of a quantum channel;
encrypting and decrypting a service key to be accessed to user service data according to the quantum key to obtain a processed data packet;
and transmitting the processed data packet to an adjacent second quantum node through a classical channel according to a routing protocol.
The method for transmitting the service key is applied to a second quantum node, and comprises the following steps:
the second quantum node and the adjacent first quantum node or the next-hop quantum node adjacent to the second quantum node generate a quantum key pair through negotiation of a quantum channel;
encrypting and decrypting a service key to be accessed to user service data according to the quantum key to obtain a processed data packet;
and transmitting the processed data packet to the next-hop quantum node adjacent to the second quantum node through a classical channel according to a routing protocol.
The invention provides a service key transmission method, which is based on the secure communication architecture system and comprises the following steps:
a quantum key pair is generated between every two adjacent quantum nodes through negotiation of a quantum channel;
every two adjacent quantum nodes comprise a quantum node of a previous hop and a quantum node of a next hop, and the types of the quantum nodes comprise a first quantum node and a second quantum node;
and encrypting and decrypting the service key accessed to the user service data according to the quantum key to obtain a processed data packet, and transmitting the processed data packet through a classical channel according to a routing protocol.
In an embodiment of the present invention, the quantum key pair generated by negotiation between every two adjacent quantum nodes through a quantum channel at least includes: a first quantum key K1;
the encrypting and decrypting the service key to be accessed to the user service data according to the quantum key to obtain a processed data packet, and transmitting the processed data packet through a classical channel according to a routing protocol, comprises the following steps:
accessing the service key S sent by the user;
acquiring the first quantum key K1, and encrypting the service key S according to the first quantum key K1 to obtain a first encrypted data packet S Λ K1;
and calculating the route of the next-hop quantum node according to a routing protocol, and sending the S Λ K1 to the next-hop quantum node.
In an embodiment of the present invention, the quantum key pair generated by negotiation between every two adjacent quantum nodes through a quantum channel further includes: a second quantum key K2 and a third quantum key K3;
the encrypting and decrypting the service key to be accessed to the user service data according to the quantum key to obtain a processed data packet, and transmitting the processed data packet through a classical channel according to a routing protocol, further comprising:
receiving the S Λ K1 by the quantum node of the next hop;
obtaining the first quantum key K1 and a second quantum key K2;
decrypting the S Λ K1 according to the first quantum key K1 and then encrypting the decrypted S Λ K1 by using a second quantum key K2 to obtain a third encrypted data packet S Λ K2;
calculating the route of the next-hop quantum node according to a routing protocol, and sending the S Λ K2 to the next-hop quantum node;
obtaining the second quantum key K2 and a third quantum key K3;
decrypting the S Λ K2 according to the second quantum key K2 and then encrypting the S Λ K2 by using a third quantum key K3 to obtain a fifth encrypted data packet S Λ K3;
and calculating the route of the next-hop quantum node according to a routing protocol, sending the S Λ K3 to the next-hop quantum node, decrypting the S Λ K3 by using the third quantum key K3 to obtain a service key S, and distributing the service key S to the user.
The embodiment of the invention provides a route switching method, which is based on the secure communication architecture system and comprises the following steps:
a quantum key pair is generated between every two adjacent quantum nodes through negotiation of a quantum channel;
every two adjacent quantum nodes comprise a quantum node of a previous hop and a quantum node of a next hop, and the types of the quantum nodes comprise a first quantum node and a second quantum node;
encrypting and decrypting a service key to be accessed into user service data according to the quantum key to obtain a processed data packet, wherein the data format of the processed data packet is destination address | source address | first quantum node | second quantum node | ... | current quantum node | encryption information;
and carrying out route switching on every two adjacent quantum nodes according to a data format obtained by analyzing the processed data packet.
In an embodiment of the present invention, when the secure communication architecture system is composed of a destination user A, a source user B, a first quantum node QAG1, and a second quantum node QRR1, the data format specifically includes: B | A | QAG1| QRR1| S Λ K2.
In an embodiment of the present invention, the performing, by the two adjacent quantum nodes, route switching according to a data format obtained by analyzing the processed data packet includes:
when a user A has a service key S to send to a user B, the format of the data packet sent out is as follows: B | A | S;
the current quantum node QAG1 receives the data packet, analyzes the data format of the data packet to be B | A | S, calculates a route aiming at a destination address B, obtains the address of a next-hop quantum node to be QRR1, queries that a first quantum key between QAG1 and QRR1 is K1, performs encryption operation on S by using K1 to obtain a first encrypted data packet S Λ K1, obtains the data format of B | A | QAG1| S Λ K1, and sends the S Λ K1 to the next-hop quantum node QRR1 by QAG 1;
receiving the S Λ K1 by the QRR1, analyzing that the data format is B | A | QAG1| S Λ K1, inquiring that a first quantum key of a previous-hop quantum node QAG1 and a QRR1 is K1, calculating a route aiming at a destination address B, obtaining that the address of a next-hop quantum node is QRR2, inquiring that a second quantum key between QRR1 and QRR2 is K2, decrypting the S Λ K1 by using K1 and encrypting the decrypted data by using K2, obtaining a third encrypted data packet S Λ K2, wherein the data format is B | A | QAG1| QRR1| S Λ K2, and sending the S Λ K2 to a next-hop quantum node QRR2 by QRR1;
QRR2 receives the S Λ K2, analyzes that the data format is B | A | QAG1| QRR1| S Λ K2, inquires that a second quantum key of the previous-hop quantum node QRR1 and QRR2 is K2, calculates a route aiming at a destination address B, obtains that the address of a next-hop quantum node is QAG2, inquires that a third quantum key between QRR2 and QAG2 is K3, decrypts the S Λ K2 by using K2 and encrypts the decrypted data by using K3 to obtain a fifth encrypted data packet S Λ K3, wherein the data format of the fifth encrypted data packet is B | A | QAG1| QRR1| QRR2| S Λ K3, and QRR2 sends the S Λ K3 to the next-hop quantum node QAG2;
and the QAG2 receives the S Λ K3, analyzes that the data format of the data is B | A | QAG1| QRR1| QRR2| S Λ K3, queries the third quantum key of the previous-hop quantum node QRR2 and QAG2 as K3, decrypts the S Λ K3 by using K3 to obtain an initial service key S, and distributes the S to the user B.
The embodiment of the invention is explained by taking a practical application scene as an example as follows:
The application scenario is as follows: the first quantum node is a QAG, the second quantum node is a QRR, and the route switching node is an OSR. Together they form the secure communication network architecture system, which provides secure access, relay and distribution of service keys. Based on the data packet format "destination address | source address | first quantum node | second quantum node | ... | current quantum node | encryption information", route switching is performed according to the result of parsing the packet, as described below:
This application scenario adopts the embodiment of the invention and mainly defines the network architecture (hereinafter referred to as the architecture) of the carrier QKD network. It defines three typical devices of the architecture, the Quantum Access Gateway (QAG), the Optical port Switch Router (OSR) and the Quantum Relay Router (QRR), and describes the service flow of a QKD network that uses the architecture. The architecture solves the following problems:
1. Routing and addressing problems. Quantum secure communication is point-to-point, so in a large nationwide network, quantum communication across one or more nodes becomes necessary. The quantum system is combined with routing and switching equipment and the existing routing protocol is modified, so that the processing capacity of a router or switch is used to address and route quantum communication, meeting the high-throughput and high-forwarding-rate requirements of large network deployments.
2. Link protection problems. The physical medium of quantum communication is optical fiber or open space, which is very vulnerable to natural disasters or war, yet damage to one part of a link must not interrupt the national QKD network service. Networking in mesh form, with routing protocols used for switching on link failure and for link protection, is essential.
Of the three main devices (QAG, OSR and QRR) in the above-mentioned carrier QKD network, the QAG and the QRR perform quantum communication and are called quantum nodes; the OSR does not process quantum information and only performs optical switching, so it is not a quantum node. The three devices are described as follows:
First, QAG
The QAG is functionally divided into four parts, namely a quantum communication module 11, a key management module 12, an encryption and decryption module 13, and an access and routing module 14, as shown in fig. 1.
The quantum communication module is physically composed of devices such as a light source, an optical modulator, a channel (optical fiber or open space), a measurement basis vector, a photon detector and the like, and the quantum communication module at the home end is used for negotiating and generating the same random number sequence with the quantum communication module at the opposite end through a quantum channel according to a BB84 protocol. This sequence of random numbers is a true random number, which is a relative concept to a pseudo random number, being a random number generated by a physical process rather than a computer program. The generation of the random number sequence is a continuous process, two communication ends select a section of same random number sequence (such as 512bit) through negotiation to be used as a secret key, the secret key is a quantum secret key, and the process of generating the quantum secret key is called secret key preparation.
As for the key management module, the key management module is also called a code box or a code book, and is a device for storing, outputting and managing keys. The key management module has extremely high security and confidentiality requirements, and once leakage occurs or the key management module is broken by others, the whole system is not safe any more. The keys prepared by the quantum communication module are all stored in the key management module.
As for the encryption and decryption module, the encryption and decryption module is a module for performing encryption and decryption operations on service data by using some symmetric or asymmetric algorithms, such as AES, RSA, MD5, and the like. The encryption and decryption process needs to use a key, the key is provided by a key management module, and the process is called key providing.
As far as the access and routing module is concerned, it has mainly three functions: firstly, access authentication is carried out on a user; secondly, accessing service data of a user, sending the user data to an encryption and decryption module for encryption operation, or conversely, sending an encrypted data packet to the encryption and decryption module for decryption operation, and then distributing the encrypted data packet to the user; and thirdly, executing a routing protocol, selecting a path of the next-hop quantum node, and routing the encrypted data packet to the next-hop quantum node.
There are two types of channels connected to the QAG, quantum channels and classical channels. Quantum channels have two physical forms, namely optical fibers and open space. What goes through in the quantum channel is a single photon quantum signal or a continuously variable quantum signal. Classical channels are relative to quantum channels, i.e., various wired and wireless networks that are currently widely deployed. The QAG is connected with another quantum node (QAG or QRR) through a quantum channel, a quantum key is generated between every two QAGs, the QAG accesses user data through a classical channel, and then the encrypted data is uploaded to a classical network through the classical channel.
Second, OSR
The OSR mainly performs aggregation and switching of optical ports. It does not participate in the quantum communication protocol or the key generation process; it serves only as a transmission medium that transparently passes the optical path, and is transparent and imperceptible to both ends of the quantum communication, so the OSR is not counted as a quantum node. In QKD networks, OSRs are used to build different network topologies, depending on the actual situation.
Third, QRR
Similar to the QAG, the QRR is functionally divided into four parts, namely a quantum communication module 21, a key management module 22, an encryption/decryption module 23, and a routing module 24, as shown in fig. 2.
The QRR routing module mainly executes a routing protocol, calculates a previous-hop quantum node and a next-hop quantum node, and routes an encrypted data packet sent by the previous-hop quantum node to the next-hop quantum node after encryption and decryption processing.
Two kinds of channels are connected to the QRR, the quantum channel and the classical channel. Using quantum channels, the QRR prepares a batch of quantum keys for encryption and decryption with its previous-hop quantum node and another with its next-hop quantum node; this process is called quantum relay. The QRR is connected to a classical network through the classical channel to forward service data.
Fourth, architecture of the carrier QKD network
As shown in fig. 3, the carrier QKD network is divided into 3 layers, namely an access layer, a convergence layer, and a core layer. QAG is deployed at access layer, OSR is deployed at convergence layer, QRR is deployed at core layer. QAG, OSR and QRRs are connected by both classical channels and quantum channels. If the quantum channel is a fiber quantum channel, there is a distance limit between two quantum nodes, such as not to exceed 70km, depending on the level of current quantum communication technology. In addition, the OSR is only transparent to the quantum signal, so the OSR is not necessary for carrier QKD networks.
The QAG is an access router with quantum communication function, is deployed at an access layer, and is consistent with the position of the access router of the existing public network architecture. The QAG performs both classical communication functions and quantum communication functions. The QAG may decide whether to enable quantum communication or not according to the nature of each service it accesses.
The classical communication function of the QAG is mainly to authenticate a user, access service data of the user, such as voice, short message, mail, data, etc., execute a routing algorithm, route the service data of the user to other routing switching devices such as a metropolitan area network or a core network, etc., and switch data communication to other links when some parts of the network fail, etc., and these functions are not different from the conventional access router and are not described herein. The classical communication function of the QAG described herein is a part related to the quantum communication function, i.e., the calculation of the next hop route of the quantum communication, and will be described in detail later.
The quantum communication function of the QAG is mainly to distribute service keys, and will be described in detail later in an embodiment.
The OSR is a router including a port-level optical switching function, is deployed in a convergence layer, mainly performs functions of convergence, switching, and the like of optical ports, and is consistent with a convergence router or a metropolitan area router of an existing public network architecture in position. The OSR executes the classical communication function and transmits quantum communication. For classical communication, OSR is a common aggregation layer router or aggregation layer switch. For quantum communication, the OSR mainly performs a port-level optical path switching function, does not participate in a quantum communication protocol, does not participate in a key generation process, and is only used as a transmission medium to transparently transmit optical quantum signals.
The QRRs are convergence or core routers with quantum communication functions, are deployed in a core layer, and are consistent with a metropolitan area router or a backbone router of an existing public network architecture in position. The QRR performs both classical and quantum communication functions. The QRR may decide whether to enable quantum communication or not according to the nature of each service.
The classical communication function of QRR is mainly to execute a routing algorithm, route data to other route switching devices such as a metropolitan area network or a core network, and switch data communication to other links when some parts of the network fail, and these functions are not different from the conventional metropolitan area router and backbone router and are not described herein. The classical communication function of QRR described herein is a part related to quantum communication function, i.e. calculating the route of the next hop of quantum communication, and will be described in detail later.
The quantum communication function of the QRR is mainly to relay a service key, and will be described in detail later in some embodiments.
Application examples of different method flows based on the secure communication network architecture system are as follows:
Application example one: access, relay and distribution of service keys.
Carrier QKD networks can perform both classical and quantum traffic. The classical service includes voice, short message, mail, data, etc., and the process of performing the classical service is not different from the current technology and method, which is not described. Quantum traffic is primarily a distributed key, where the key is a traffic key that for QKD networks can be simply understood as a string of numbers that need to be transferred. Quantum key pairs are generated between every two quantum nodes of the QKD network, each quantum node of the QKD network uses the quantum key to perform encryption and decryption operation on the service key and then sends the service key to the next node, and the process is the access, relay and distribution process of the service key.
Fig. 4 is a flowchart illustrating access and relay of a service key in a first application example, including:
Step 41, the QAG and the adjacent quantum nodes prepare a batch of quantum keys in advance and store the quantum keys in their respective key management modules; the keys prepared by two adjacent quantum nodes are completely consistent. For example, the QAG and the neighboring QRR each generate a batch of quantum keys, one of which is K1, and the QRR and the next-hop quantum node each generate a batch of quantum keys, one of which is K2.
Step 42, the QAG accesses the service key S sent from the user A.
Step 43, the key management module of the QAG provides the K1 to the encryption and decryption module.
Step 44, the encryption and decryption module of the QAG encrypts S by using K1 to obtain an encrypted data packet S Λ K1.
Step 45, the access and routing module of the QAG executes a routing protocol, calculates the route of the next-hop quantum node and sends the S Λ K1 to the next-hop quantum node. The S Λ K1 may be transmitted over a public network.
Step 46, the next-hop quantum node (here, a QRR is used for illustration) receives S Λ K1.
Step 47, the key management module of the QRR provides two quantum keys, K1 and K2, to the encryption and decryption module.
Step 48, the encryption and decryption module of the QRR performs encryption and decryption operations on the S Λ K1 by using K1 and K2. The simplest method is to decrypt the S Λ K1 by using K1 to obtain S, and encrypt the S by using K2 to obtain the S Λ K2. The more complicated method is to first perform an exclusive OR operation on K1 and K2 to obtain K1 Λ K2, and then use K1 Λ K2 to encrypt the S Λ K1. The specific encryption and decryption method is not the inventive point of this patent. The first method is described here, i.e., decryption of S Λ K1 with K1 and encryption of S with K2, resulting in S Λ K2.
Step 49, the access and routing module of the QRR executes a routing protocol, calculates the route of the next-hop quantum node, and sends the S Λ K2 to the next-hop quantum node. The S Λ K2 may be transmitted over a public network.
Fig. 5 is a flowchart illustrating relaying and distributing of a service key in a first application example, including:
Step 51, the QRR and the adjacent quantum nodes prepare a batch of quantum keys in advance and store them in their respective key management modules. The keys prepared by two adjacent quantum nodes are completely consistent. For example, the QRR and the previous-hop quantum node each generate a batch of quantum keys, one of which is K2, and the QRR and the QAG each generate a batch of quantum keys, one of which is K3.
Step 52, the QRR receives the S Λ K2 transmitted by the previous-hop quantum node.
Step 53, the key management module of the QRR provides two quantum keys K2 and K3 to the encryption and decryption module.
Step 54, the encryption and decryption module of the QRR performs encryption and decryption operations on the S Λ K2 by using K2 and K3 to obtain S Λ K3.
Step 55, the access and routing module of the QRR executes a routing protocol, calculates the route of the next-hop quantum node, and sends the S Λ K3 to the next-hop quantum node. The S Λ K3 may be transmitted over a public network.
Step 56, the QAG receives the S Λ K3 from the previous-hop QRR.
Step 57, the key management module of the QAG provides the quantum key K3 to the encryption and decryption module.
Step 58, the encryption and decryption module of the QAG decrypts the S Λ K3 by using the K3 to obtain the service key S.
Step 59, the access and routing module of the QAG executes the routing protocol and distributes S to the users.
Application example two: routing and handover situations.
Quantum communication is point-to-point, i.e., each quantum node quantum communicates only with its neighboring fixed quantum nodes. The distribution of traffic keys from one user to another is an end-to-end process, which passes through many quantum nodes in the middle and requires computation of paths. In the existing experiment system, the number of nodes is small, and the path is preset by an experimenter. For a large-scale deployed QKD network, each node needs to automatically calculate a route by using a routing protocol, and can automatically switch to other paths when a local network fails.
Fig. 6 shows a simplified model of a carrier QKD network: two users A and B, two gateways QAG1 and QAG2 that access the service keys, and a minimal network of 3 QRRs that relay the keys on the path between QAG1 and QAG2. The OSR is omitted from the model shown in FIG. 6 because it does not participate in the quantum communication process. Every two adjacent quantum nodes are interconnected by both a classical channel and a quantum channel, and each pair of adjacent quantum nodes generates a quantum key pair through the quantum channel; these are denoted K1, K2, K3, K4 and K5. While the service key is transferred from A to B, the format of the encrypted data packet is:
destination address | source address | first quantum node | second quantum node | ... | current quantum node | encryption information
And each quantum node carries out routing according to the content of the data packet. The routing process comprises the following steps:
In step 64, QRR2 receives B | A | QAG1| QRR1| S Λ K2, and sends a new encrypted data packet B | A | QAG1| QRR1| QRR2| S Λ K3 to the next hop QAG2 by the same processing procedure as 63.
It should be noted here that when some channels in the network have problems, for example, the channel between the QRR1 and the QRR2, the link switching is required. The handover procedure further comprises the steps of:
wherein the first two steps 61, 62 of the process, as in the routing process described above, remain unchanged.
In step 67, QRR3 receives B | A | QAG1| QRR1| S Λ K4, and sends a new encrypted data packet B | A | QAG1| QRR1| QRR3| S Λ K5 to the next hop QAG2 by the same processing procedure as 63.
Step 68, the QAG2 receives B | A | QAG1| QRR1| QRR3| S Λ K5, inquires that the quantum key of the previous-hop quantum node QRR3 and QAG2 is K5, decrypts the S Λ K5 by using K5 to obtain the initial service key S, and distributes the S to the user B.
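The relay procedure of application example one and the routing and link-switching procedure of application example two can be exercised together in a small model. The following is an added example, not code from the patent: it assumes the per-hop cipher is a bytewise XOR one-time pad (the patent leaves the cipher open and only mentions XOR in its second re-keying method), writes the page's "S Λ K1" as `S^K1`, and uses hypothetical names (`Network`, `deliver`, `next_hop`, `fail_link`) with randomly generated stand-in keys.

```python
import secrets
from collections import deque

KEY_LEN = 32  # bytes; a one-time pad must be as long as the service key S
ATTACH = {"A": "QAG1", "B": "QAG2"}  # user -> access gateway (Fig. 6 model)
# Link -> key label, following the page's simplified model (K1..K5).
LINKS = {
    frozenset(("QAG1", "QRR1")): "K1",
    frozenset(("QRR1", "QRR2")): "K2",
    frozenset(("QRR2", "QAG2")): "K3",
    frozenset(("QRR1", "QRR3")): "K4",
    frozenset(("QRR3", "QAG2")): "K5",
}


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("pad and message must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class Network:
    def __init__(self):
        # Constructed stand-ins for QKD output: one random pad per link.
        # A real node would consume a fresh, never-reused pad for every S.
        self.keys = {link: secrets.token_bytes(KEY_LEN) for link in LINKS}
        self.down = set()

    def fail_link(self, a, b):
        self.down.add(frozenset((a, b)))

    def next_hop(self, node, egress):
        """First hop of a shortest live path (BFS) from node to egress."""
        first, frontier = {node: None}, deque([node])
        while frontier:
            cur = frontier.popleft()
            if cur == egress:
                return first[cur]
            for link in LINKS:
                if cur in link and link not in self.down:
                    (nbr,) = link - {cur}
                    if nbr not in first:
                        first[nbr] = nbr if cur == node else first[cur]
                        frontier.append(nbr)
        raise RuntimeError(f"no live path from {node} to {egress}")

    def deliver(self, src, dst, s, combined=False):
        """Relay S hop by hop.

        Returns (S recovered at the egress QAG, packet formats sent on each
        hop, relays in which S existed in the clear).
        """
        node, egress = ATTACH[src], ATTACH[dst]
        path, trace, exposed = [], [], []
        payload, prev = s, None
        while node != egress:
            nxt = self.next_hop(node, egress)
            k_out = self.keys[frozenset((node, nxt))]
            if prev is None:
                payload = xor(payload, k_out)        # ingress QAG: S -> S^K1
            else:
                k_in = self.keys[frozenset((prev, node))]
                if combined:
                    # Second method: (S^Kin) ^ (Kin^Kout) = S^Kout
                    payload = xor(payload, xor(k_in, k_out))
                else:
                    # First method: decrypt with Kin, re-encrypt with Kout
                    clear = xor(payload, k_in)
                    exposed.append(node)
                    payload = xor(clear, k_out)
            path.append(node)
            label = LINKS[frozenset((node, nxt))]
            trace.append(" | ".join([dst, src, *path, f"S^{label}"]))
            prev, node = node, nxt
        s_out = xor(payload, self.keys[frozenset((prev, node))])
        return s_out, trace, exposed


if __name__ == "__main__":
    net = Network()
    s = secrets.token_bytes(KEY_LEN)
    for title, kwargs in (("decrypt/re-encrypt", {}), ("combined", {"combined": True})):
        out, trace, exposed = net.deliver("A", "B", s, **kwargs)
        print(title, "ok" if out == s else "FAILED", "clear at:", exposed)
        print("\n".join(trace))
    net.fail_link("QRR1", "QRR2")
    print("\n".join(net.deliver("A", "B", s)[1]))
```

With the combined re-keying, S is never materialised in relay memory, but a relay that holds the inbound key can still recover S from the packet it received, so every QRR on the path remains a trusted node in either method.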
The integrated module according to the embodiment of the present invention may also be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as an independent product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes. Thus, embodiments of the invention are not limited to any specific combination of hardware and software.
Correspondingly, the embodiment of the present invention further provides a computer storage medium, in which a computer program is stored, where the computer program is used to execute the service key distribution method and the route switching method in the embodiment of the present invention.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.
Claims (16)
1. A first quantum node, comprising:
the quantum communication module is used for generating a quantum key pair through negotiation of a quantum channel with an adjacent second quantum node, so as to encrypt and decrypt a service key accessed to user service data according to the quantum key pair to obtain a processed data packet, and the data format of the processed data packet is destination address | source address | first quantum node | second quantum node | ... | current quantum node | encryption information;
The access and routing module is used for transmitting the processed data packet to an adjacent second quantum node through a classical channel according to a routing protocol;
the first quantum node is a Quantum Access Gateway (QAG), and the second quantum node is a Quantum Relay Router (QRR); the first quantum node is deployed at an access layer of the carrier-class quantum key distribution QKD network; the second quantum node is deployed in a core layer of the carrier QKD network; the carrier QKD network is divided into 3 layers, namely an access layer, a convergence layer and a core layer, wherein the convergence layer is provided with an optical port switching router OSR;
the access and routing module is further configured to perform routing switching on every two adjacent quantum nodes according to a data format obtained by analyzing the processed data packet, and includes:
when a user A has a service key S to be sent to a user B, the format of a sent data packet is as follows: B | A | S;
the current quantum node QAG1 receives the data packet, analyzes the data format of the data packet to be B | A | S, calculates a route aiming at a destination address B, obtains the address of a next-hop quantum node to be QRR1, queries that a first quantum key between QAG1 and QRR1 is K1, performs encryption operation on S by using K1 to obtain a first encrypted data packet S ʌ K1, has the data format of B | A | QAG1| S ʌ K1, and sends S ʌ K1 to the next-hop quantum node QRR1 by QAG 1;
the QRR1 receives the S ʌ K1, analyzes that the data format is B | A | QAG1| S ʌ K1, queries that the first quantum key of the QAG1 and QRR1 of the previous hop is K1, calculates a route aiming at a destination address B, obtains the address of the next hop quantum node is QRR2, queries that the second quantum key between QRR1 and QRR2 is K2, decrypts the S ʌ K1 by using K1 and encrypts by using K2 to obtain a third encrypted data packet S ʌ K2, the data format is B | A | QAG1| QRR1| S ʌ K2, and QRR1 sends the S ʌ K2 to the next hop quantum node QRR 2;
QRR2 receives S ʌ K2, analyzes that the data format is B | A | QAG1| QRR1| S ʌ K2, inquires that a second quantum key of the previous-hop quantum node QRR1 and QRR2 is K2, calculates a route aiming at a destination address B, obtains that the address of a next-hop quantum node is QAG2, inquires that a third quantum key between QRR2 and QAG2 is K3, decrypts S ʌ K2 by using K2 and encrypts by using K3 to obtain a fifth encrypted data packet S ʌ K3, wherein the data format of the fifth encrypted data packet is B | A | QAG1| QRR1| QRR2| S ʌ K3, and QRR2 sends S ʌ K3 to the next-hop quantum node QAG2;
the QAG2 receives the S ʌ K3, analyzes that the data format is B | A | QAG1| QRR1| QRR2| S ʌ K3, inquires that the third quantum key of the previous hop quantum node QRR2 and QAG2 is K3, decrypts the S ʌ K3 by K3 to obtain an initial service key S, and distributes the S to the user B;
the access and routing module is further used for carrying out link switching when a problem occurs in a channel between quantum nodes in the network, and recalculating a route to obtain a new next-hop quantum node.
2. The first quantum node of claim 1, wherein the first quantum node comprises:
the quantum communication module is further configured to select the same random number sequences at two ends of the quantum communication module in the adjacent second quantum node through negotiation of a quantum channel, and use the random number sequences as the quantum key pair;
the key management module is used for storing and managing the quantum key pair;
the encryption and decryption module is used for carrying out encryption and decryption processing on a service key to be accessed into user service data according to the quantum key to obtain a processed data packet;
the access and routing module is further configured to obtain the service data of an accessing user after the user passes access authentication, send the service key corresponding to the service data to the encryption and decryption module for encryption, select a routing path to the next-hop quantum node so as to transmit the first encrypted data packet obtained by encryption to the second quantum node serving as the next-hop quantum node, and send a second encrypted data packet, received from the opposite end and obtained by encryption, to the encryption and decryption module for decryption before returning it to the user.
3. The first quantum node of claim 2, wherein the quantum communication module is further configured to generate a first quantum key K1 through quantum channel negotiation with a quantum communication module in an adjacent second quantum node, and the second quantum node negotiates with a next-hop quantum node adjacent to the second quantum node to generate a second quantum key K2.
4. The first quantum node of claim 3, wherein the encryption/decryption module is further configured to encrypt the service key S according to the first quantum key K1 to obtain the first encrypted data packet S ʌ K1;
the access and routing module is further configured to obtain a routing path of a next-hop quantum node according to the routing protocol, and send the S ʌ K1 to the second quantum node serving as the next-hop quantum node.
5. A second quantum node, comprising:
the quantum communication module is used for generating a quantum key pair through negotiation of a quantum channel with an adjacent first quantum node or a next-hop quantum node adjacent to a second quantum node, so as to encrypt and decrypt a service key accessed to user service data according to the quantum key pair to obtain a processed data packet, and the data format of the processed data packet is destination address | source address | first quantum node | second quantum node | the.
The routing module is used for transmitting the processed data packet to the next-hop quantum node adjacent to the second quantum node through a classical channel according to a routing protocol;
the first quantum node is a Quantum Access Gateway (QAG), and the second quantum node is a Quantum Relay Router (QRR); the first quantum node is deployed at an access layer of the carrier-class quantum key distribution QKD network; the second quantum node is deployed in a core layer of the carrier QKD network; the carrier QKD network is divided into 3 layers, namely an access layer, a convergence layer and a core layer, wherein the convergence layer is provided with an optical port switching router OSR;
the routing module is further configured to perform routing switching on every two adjacent quantum nodes according to a data format obtained by analyzing the processed data packet, and includes:
when user A has a service key S to send to user B, the format of the sent data packet is: B | A | S;
the current quantum node QAG1 receives the data packet and parses its data format as B | A | S; it calculates a route for destination address B and obtains QRR1 as the address of the next-hop quantum node; it looks up the first quantum key K1 shared between QAG1 and QRR1 and encrypts S with K1 to obtain a first encrypted data packet S ʌ K1, whose data format is B | A | QAG1 | S ʌ K1; QAG1 sends S ʌ K1 to the next-hop quantum node QRR1;
QRR1 receives S ʌ K1 and parses the data format as B | A | QAG1 | S ʌ K1; it looks up the first quantum key K1 shared with the previous-hop quantum node QAG1, calculates a route for destination address B, and obtains QRR2 as the address of the next-hop quantum node; it looks up the second quantum key K2 shared between QRR1 and QRR2, decrypts S ʌ K1 with K1 and encrypts with K2 to obtain a third encrypted data packet S ʌ K2, whose data format is B | A | QAG1 | QRR1 | S ʌ K2; QRR1 sends S ʌ K2 to the next-hop quantum node QRR2;
QRR2 receives S ʌ K2 and parses the data format as B | A | QAG1 | QRR1 | S ʌ K2; it looks up the second quantum key K2 shared with the previous-hop quantum node QRR1, calculates a route for destination address B, and obtains QAG2 as the address of the next-hop quantum node; it looks up the third quantum key K3 shared between QRR2 and QAG2, decrypts S ʌ K2 with K2 and encrypts with K3 to obtain a fifth encrypted data packet S ʌ K3, whose data format is B | A | QAG1 | QRR1 | QRR2 | S ʌ K3; QRR2 sends S ʌ K3 to the next-hop quantum node QAG2;
QAG2 receives S ʌ K3 and parses the data format as B | A | QAG1 | QRR1 | QRR2 | S ʌ K3; it looks up the third quantum key K3 shared with the previous-hop quantum node QRR2, decrypts S ʌ K3 with K3 to obtain the initial service key S, and distributes S to user B;
the routing module is further used for carrying out link switching when a problem occurs in a channel between quantum nodes in the network, and recalculating a route to obtain a new next-hop quantum node.
6. The second quantum node of claim 5, wherein the second quantum node comprises:
the quantum communication module is further configured to negotiate over a quantum channel with the quantum communication module in the adjacent first quantum node, or in the next-hop quantum node adjacent to the second quantum node, so that both ends select the same random number sequence, and to use that random number sequence as the quantum key pair;
the key management module is used for storing and managing the quantum key pair;
the encryption and decryption module is used for carrying out encryption and decryption processing on a service key to be accessed into user service data according to the quantum key to obtain a processed data packet;
the routing module is further configured to obtain, according to a routing protocol, the first quantum node serving as the previous-hop quantum node and the next-hop quantum node adjacent to the second quantum node; to send the first encrypted data packet, obtained by encryption and sent by the first quantum node, to the encryption and decryption module for decryption and then encryption to obtain a third encrypted data packet, and to transmit the third encrypted data packet to the next-hop quantum node adjacent to the second quantum node; and to send a fourth encrypted data packet, received from the opposite end and obtained by encryption, to the encryption and decryption module for decryption.
7. The second quantum node of claim 6, wherein the quantum communication module is further configured to generate a first quantum key K1 through quantum channel negotiation with a quantum communication module in an adjacent first quantum node, and the second quantum node negotiates with a next-hop quantum node adjacent to the second quantum node to generate a second quantum key K2.
8. The second quantum node of claim 7, wherein the encryption/decryption module is further configured to receive a first encrypted data packet S ʌ K1 sent by the first quantum node; decrypting the S ʌ K1 according to the first quantum key K1 and then encrypting the decrypted S ʌ K1 by using a second quantum key K2 to obtain a third encrypted data packet S ʌ K2;
the access and routing module is further configured to obtain a routing path of a next-hop quantum node according to the routing protocol, and send the S ʌ K2 to the next-hop quantum node adjacent to the second quantum node.
9. A secure communications architecture system, characterized in that the system comprises a first quantum node according to any of claims 1-4, and a second quantum node according to any of claims 5-8;
the system further comprises: a route switching node;
and the route switching node serves as a transmission medium that transparently passes the optical path between the first quantum node and the second quantum node.
10. A service key transmission method is applied to a first quantum node, and comprises the following steps:
the first quantum node and an adjacent second quantum node generate a quantum key pair through negotiation of a quantum channel;
encrypting and decrypting a service key to be accessed into user service data according to the quantum key to obtain a processed data packet, wherein the data format of the processed data packet is destination address | source address | first quantum node | second quantum node |.
Transmitting the processed data packet to an adjacent second quantum node through a classical channel according to a routing protocol;
the first quantum node is a Quantum Access Gateway (QAG), and the second quantum node is a Quantum Relay Router (QRR); the first quantum node is deployed at an access layer of the carrier-class quantum key distribution QKD network; the second quantum node is deployed in a core layer of the carrier QKD network; the carrier QKD network is divided into 3 layers, namely an access layer, a convergence layer and a core layer, wherein the convergence layer is provided with an optical port switching router OSR;
and each two adjacent quantum nodes perform route switching according to a data format obtained by analyzing the processed data packet, and the route switching comprises the following steps:
when user A has a service key S to send to user B, the format of the sent data packet is: B | A | S;
the current quantum node QAG1 receives the data packet and parses its data format as B | A | S; it calculates a route for destination address B and obtains QRR1 as the address of the next-hop quantum node; it looks up the first quantum key K1 shared between QAG1 and QRR1 and encrypts S with K1 to obtain a first encrypted data packet S ʌ K1, whose data format is B | A | QAG1 | S ʌ K1; QAG1 sends S ʌ K1 to the next-hop quantum node QRR1;
QRR1 receives S ʌ K1 and parses the data format as B | A | QAG1 | S ʌ K1; it looks up the first quantum key K1 shared with the previous-hop quantum node QAG1, calculates a route for destination address B, and obtains QRR2 as the address of the next-hop quantum node; it looks up the second quantum key K2 shared between QRR1 and QRR2, decrypts S ʌ K1 with K1 and encrypts with K2 to obtain a third encrypted data packet S ʌ K2, whose data format is B | A | QAG1 | QRR1 | S ʌ K2; QRR1 sends S ʌ K2 to the next-hop quantum node QRR2;
QRR2 receives S ʌ K2 and parses the data format as B | A | QAG1 | QRR1 | S ʌ K2; it looks up the second quantum key K2 shared with the previous-hop quantum node QRR1, calculates a route for destination address B, and obtains QAG2 as the address of the next-hop quantum node; it looks up the third quantum key K3 shared between QRR2 and QAG2, decrypts S ʌ K2 with K2 and encrypts with K3 to obtain a fifth encrypted data packet S ʌ K3, whose data format is B | A | QAG1 | QRR1 | QRR2 | S ʌ K3; QRR2 sends S ʌ K3 to the next-hop quantum node QAG2;
QAG2 receives S ʌ K3 and parses the data format as B | A | QAG1 | QRR1 | QRR2 | S ʌ K3; it looks up the third quantum key K3 shared with the previous-hop quantum node QRR2, decrypts S ʌ K3 with K3 to obtain the initial service key S, and distributes S to user B;
when the channel between the quantum nodes in the network has a problem, the link switching is needed, and the routing is recalculated to obtain a new next-hop quantum node.
11. A service key transmission method is applied to a second quantum node, and the method comprises the following steps:
the second quantum node and the adjacent first quantum node or the next-hop quantum node adjacent to the second quantum node generate a quantum key pair through negotiation of a quantum channel;
encrypting and decrypting a service key to be accessed into user service data according to the quantum key to obtain a processed data packet, wherein the data format of the processed data packet is destination address | source address | first quantum node | second quantum node |.
Transmitting the processed data packet to the next-hop quantum node adjacent to the second quantum node through a classical channel according to a routing protocol;
the first quantum node is a Quantum Access Gateway (QAG), and the second quantum node is a Quantum Relay Router (QRR); the first quantum node is deployed at an access layer of the carrier-class quantum key distribution QKD network; the second quantum node is deployed in a core layer of the carrier QKD network; the carrier QKD network is divided into 3 layers, namely an access layer, a convergence layer and a core layer, wherein the convergence layer is provided with an optical port switching router OSR;
and each two adjacent quantum nodes perform route switching according to a data format obtained by analyzing the processed data packet, and the route switching comprises the following steps:
when user A has a service key S to send to user B, the format of the sent data packet is: B | A | S;
the current quantum node QAG1 receives the data packet and parses its data format as B | A | S; it calculates a route for destination address B and obtains QRR1 as the address of the next-hop quantum node; it looks up the first quantum key K1 shared between QAG1 and QRR1 and encrypts S with K1 to obtain a first encrypted data packet S ʌ K1, whose data format is B | A | QAG1 | S ʌ K1; QAG1 sends S ʌ K1 to the next-hop quantum node QRR1;
QRR1 receives S ʌ K1 and parses the data format as B | A | QAG1 | S ʌ K1; it looks up the first quantum key K1 shared with the previous-hop quantum node QAG1, calculates a route for destination address B, and obtains QRR2 as the address of the next-hop quantum node; it looks up the second quantum key K2 shared between QRR1 and QRR2, decrypts S ʌ K1 with K1 and encrypts with K2 to obtain a third encrypted data packet S ʌ K2, whose data format is B | A | QAG1 | QRR1 | S ʌ K2; QRR1 sends S ʌ K2 to the next-hop quantum node QRR2;
QRR2 receives S ʌ K2 and parses the data format as B | A | QAG1 | QRR1 | S ʌ K2; it looks up the second quantum key K2 shared with the previous-hop quantum node QRR1, calculates a route for destination address B, and obtains QAG2 as the address of the next-hop quantum node; it looks up the third quantum key K3 shared between QRR2 and QAG2, decrypts S ʌ K2 with K2 and encrypts with K3 to obtain a fifth encrypted data packet S ʌ K3, whose data format is B | A | QAG1 | QRR1 | QRR2 | S ʌ K3; QRR2 sends S ʌ K3 to the next-hop quantum node QAG2;
QAG2 receives S ʌ K3 and parses the data format as B | A | QAG1 | QRR1 | QRR2 | S ʌ K3; it looks up the third quantum key K3 shared with the previous-hop quantum node QRR2, decrypts S ʌ K3 with K3 to obtain the initial service key S, and distributes S to user B;
when the channel between the quantum nodes in the network has a problem, the link switching is needed, and the routing is recalculated to obtain a new next-hop quantum node.
12. A service key transmission method, characterized in that the method is based on the secure communication architecture system according to claim 9, the method comprising:
a quantum key pair is generated between every two adjacent quantum nodes through negotiation of a quantum channel;
every two adjacent quantum nodes comprise a quantum node of a previous hop and a quantum node of a next hop, and the types of the quantum nodes comprise a first quantum node and a second quantum node;
encrypting and decrypting a service key to be accessed into user service data according to the quantum key to obtain a processed data packet, and transmitting the processed data packet through a classical channel according to a routing protocol;
the data format of the data packet is destination address | source address | first quantum node | second quantum node | ... | current quantum node | encryption information;
the first quantum node is a Quantum Access Gateway (QAG), and the second quantum node is a Quantum Relay Router (QRR); the first quantum node is deployed at an access layer of the carrier-class quantum key distribution QKD network; the second quantum node is deployed in a core layer of the carrier QKD network; the carrier QKD network is divided into 3 layers, namely an access layer, a convergence layer and a core layer, wherein the convergence layer is provided with an optical port switching router OSR;
and each two adjacent quantum nodes perform route switching according to a data format obtained by analyzing the processed data packet, and the route switching comprises the following steps:
when user A has a service key S to send to user B, the format of the sent data packet is: B | A | S;
the current quantum node QAG1 receives the data packet and parses its data format as B | A | S; it calculates a route for destination address B and obtains QRR1 as the address of the next-hop quantum node; it looks up the first quantum key K1 shared between QAG1 and QRR1 and encrypts S with K1 to obtain a first encrypted data packet S ʌ K1, whose data format is B | A | QAG1 | S ʌ K1; QAG1 sends S ʌ K1 to the next-hop quantum node QRR1;
QRR1 receives S ʌ K1 and parses the data format as B | A | QAG1 | S ʌ K1; it looks up the first quantum key K1 shared with the previous-hop quantum node QAG1, calculates a route for destination address B, and obtains QRR2 as the address of the next-hop quantum node; it looks up the second quantum key K2 shared between QRR1 and QRR2, decrypts S ʌ K1 with K1 and encrypts with K2 to obtain a third encrypted data packet S ʌ K2, whose data format is B | A | QAG1 | QRR1 | S ʌ K2; QRR1 sends S ʌ K2 to the next-hop quantum node QRR2;
QRR2 receives S ʌ K2 and parses the data format as B | A | QAG1 | QRR1 | S ʌ K2; it looks up the second quantum key K2 shared with the previous-hop quantum node QRR1, calculates a route for destination address B, and obtains QAG2 as the address of the next-hop quantum node; it looks up the third quantum key K3 shared between QRR2 and QAG2, decrypts S ʌ K2 with K2 and encrypts with K3 to obtain a fifth encrypted data packet S ʌ K3, whose data format is B | A | QAG1 | QRR1 | QRR2 | S ʌ K3; QRR2 sends S ʌ K3 to the next-hop quantum node QAG2;
QAG2 receives S ʌ K3 and parses the data format as B | A | QAG1 | QRR1 | QRR2 | S ʌ K3; it looks up the third quantum key K3 shared with the previous-hop quantum node QRR2, decrypts S ʌ K3 with K3 to obtain the initial service key S, and distributes S to user B;
when the channel between the quantum nodes in the network has a problem, the link switching is needed, and the routing is recalculated to obtain a new next-hop quantum node.
13. The method of claim 12, wherein the quantum key pair generated by negotiation of quantum channels for every two adjacent quantum nodes at least comprises: a first quantum key K1;
the encrypting and decrypting the service key to be accessed to the user service data according to the quantum key to obtain a processed data packet, and transmitting the processed data packet through a classical channel according to a routing protocol, comprises the following steps:
accessing the service key S sent by the user;
obtaining the first quantum key K1, and encrypting the service key S according to the first quantum key K1 to obtain a first encrypted data packet S ʌ K1;
and calculating the route of the quantum node of the next hop according to a routing protocol, and sending the S ʌ K1 to the quantum node of the next hop.
14. The method of claim 13, wherein the quantum key pair generated by negotiation of quantum channels by every two adjacent quantum nodes further comprises: a second quantum key K2 and a third quantum key K3;
the encrypting and decrypting the service key to be accessed to the user service data according to the quantum key to obtain a processed data packet, and transmitting the processed data packet through a classical channel according to a routing protocol, further comprising:
receiving the S ʌ K1 by the quantum node of the next hop;
obtaining the first quantum key K1 and a second quantum key K2;
decrypting the S ʌ K1 according to the first quantum key K1 and then encrypting the decrypted S ʌ K1 by using a second quantum key K2 to obtain a third encrypted data packet S ʌ K2;
calculating the route of the quantum node of the next hop according to a routing protocol, and sending the S ʌ K2 to the quantum node of the next hop;
obtaining the second quantum key K2 and a third quantum key K3;
decrypting the S ʌ K2 according to the second quantum key K2 and then encrypting the decrypted S ʌ K2 by using a third quantum key K3 to obtain a fifth encrypted data packet S ʌ K3;
and calculating the route of the quantum node of the next hop according to a routing protocol, and after the S ʌ K3 is sent to the quantum node of the next hop, decrypting the S ʌ K3 by using the third quantum key K3 to obtain a service key S and distributing the service key S to the user.
15. A method of route switching, the method being based on the secure communication architecture system of claim 9, the method comprising:
a quantum key pair is generated between every two adjacent quantum nodes through negotiation of a quantum channel;
every two adjacent quantum nodes comprise a quantum node of a previous hop and a quantum node of a next hop, and the types of the quantum nodes comprise a first quantum node and a second quantum node;
encrypting and decrypting a service key to be accessed into user service data according to the quantum key to obtain a processed data packet, wherein the data format of the processed data packet is destination address | source address | first quantum node | second quantum node |.
Every two adjacent quantum nodes carry out route switching according to a data format obtained by analyzing the processed data packet;
the first quantum node is a Quantum Access Gateway (QAG), and the second quantum node is a Quantum Relay Router (QRR); the first quantum node is deployed at an access layer of the carrier-class quantum key distribution QKD network; the second quantum node is deployed in a core layer of the carrier QKD network; the carrier QKD network is divided into 3 layers, namely an access layer, a convergence layer and a core layer, wherein the convergence layer is provided with an optical port switching router OSR;
and the route switching is carried out on every two adjacent quantum nodes according to a data format obtained by analyzing the processed data packet, and the route switching comprises the following steps:
when user A has a service key S to send to user B, the format of the sent data packet is: B | A | S;
the current quantum node QAG1 receives the data packet and parses its data format as B | A | S; it calculates a route for destination address B and obtains QRR1 as the address of the next-hop quantum node; it looks up the first quantum key K1 shared between QAG1 and QRR1 and encrypts S with K1 to obtain a first encrypted data packet S ʌ K1, whose data format is B | A | QAG1 | S ʌ K1; QAG1 sends S ʌ K1 to the next-hop quantum node QRR1;
QRR1 receives S ʌ K1 and parses the data format as B | A | QAG1 | S ʌ K1; it looks up the first quantum key K1 shared with the previous-hop quantum node QAG1, calculates a route for destination address B, and obtains QRR2 as the address of the next-hop quantum node; it looks up the second quantum key K2 shared between QRR1 and QRR2, decrypts S ʌ K1 with K1 and encrypts with K2 to obtain a third encrypted data packet S ʌ K2, whose data format is B | A | QAG1 | QRR1 | S ʌ K2; QRR1 sends S ʌ K2 to the next-hop quantum node QRR2;
QRR2 receives S ʌ K2 and parses the data format as B | A | QAG1 | QRR1 | S ʌ K2; it looks up the second quantum key K2 shared with the previous-hop quantum node QRR1, calculates a route for destination address B, and obtains QAG2 as the address of the next-hop quantum node; it looks up the third quantum key K3 shared between QRR2 and QAG2, decrypts S ʌ K2 with K2 and encrypts with K3 to obtain a fifth encrypted data packet S ʌ K3, whose data format is B | A | QAG1 | QRR1 | QRR2 | S ʌ K3; QRR2 sends S ʌ K3 to the next-hop quantum node QAG2;
QAG2 receives S ʌ K3 and parses the data format as B | A | QAG1 | QRR1 | QRR2 | S ʌ K3; it looks up the third quantum key K3 shared with the previous-hop quantum node QRR2, decrypts S ʌ K3 with K3 to obtain the initial service key S, and distributes S to user B;
when the channel between the quantum nodes in the network has a problem, the link switching is needed, and the routing is recalculated to obtain a new next-hop quantum node.
16. The method as claimed in claim 15, wherein when the secure communication architecture system is composed of a destination user A, a source user B, a first quantum node QAG1, and a second quantum node QRR1, the data format is specifically: B | A | QAG1 | QRR1 | S ʌ K2.
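The hop-by-hop relay and the link-switching step described in the claims above, as an added Python sketch that is not part of the patent. It assumes the ʌ operation is a bytewise XOR with a link key as long as S; the `QkdNetwork` class, the backup relay QRR3 and all keys are constructed for illustration. It also records which nodes hold S in the clear, because every node on the path decrypts before re-encrypting.

```python
import secrets
from collections import deque

KEY_LEN = 32  # assumed length in bytes of the service key S and of every link key


def xor(data: bytes, key: bytes) -> bytes:
    """Assumed meaning of 'S ʌ K': bytewise XOR with a pad of equal length."""
    if len(data) != len(key):
        raise ValueError("link key must be exactly as long as the payload")
    return bytes(d ^ k for d, k in zip(data, key))


class QkdNetwork:
    """Constructed model: each link holds one pairwise key, as if negotiated over QKD."""

    def __init__(self, links, gateways):
        self.gateways = dict(gateways)  # user -> access gateway (QAG)
        # One pad per link, used for a single packet here; a pad must not be reused.
        self.keys = {frozenset(l): secrets.token_bytes(KEY_LEN) for l in links}
        self.down = set()

    def fail(self, a, b):
        """Mark the channel between two nodes as unusable."""
        self.down.add(frozenset((a, b)))

    def key(self, a, b):
        link = frozenset((a, b))
        if link in self.down or link not in self.keys:
            raise KeyError(f"no usable key for link {a}-{b}")
        return self.keys[link]

    def next_hop(self, here, target):
        """Breadth-first search over links that are up; first hop toward target."""
        prev, queue = {here: None}, deque([here])
        while queue:
            node = queue.popleft()
            if node == target:
                while prev[node] != here:
                    node = prev[node]
                return node
            for link in self.keys:
                if node in link and link not in self.down:
                    (peer,) = link - {node}
                    if peer not in prev:
                        prev[peer] = node
                        queue.append(peer)
        raise RuntimeError(f"no route from {here} to {target}")


def send_service_key(net, src, dst, s):
    """Relay S from src's gateway to dst's gateway, re-keying at every hop."""
    egress, node = net.gateways[dst], net.gateways[src]
    path, payload = [], s              # the user hands dst|src|S to its gateway
    wire, exposed = [], {}
    while True:
        if path:                       # previous hop is the last node in the header
            payload = xor(payload, net.key(path[-1], node))
        exposed[node] = payload        # this node now holds S in the clear
        if node == egress:
            return {"delivered": payload, "wire": wire, "exposed": exposed}
        nxt = net.next_hop(node, egress)   # recomputed per hop, so failures reroute
        payload = xor(payload, net.key(node, nxt))
        path.append(node)
        # Header format from the claims: dst|src|node1|node2|...|current|ciphertext
        wire.append("|".join([dst, src, *path, payload.hex()]))
        node = nxt


def demo_network():
    links = [("QAG1", "QRR1"), ("QRR1", "QRR2"), ("QRR2", "QAG2"),
             ("QRR1", "QRR3"), ("QRR3", "QRR2")]  # QRR3: constructed backup relay
    return QkdNetwork(links, {"A": "QAG1", "B": "QAG2"})


if __name__ == "__main__":
    result = send_service_key(demo_network(), "A", "B", secrets.token_bytes(KEY_LEN))
    for packet in result["wire"]:
        print(packet)
    print("nodes that saw S in the clear:", sorted(result["exposed"]))
```

The `exposed` map makes the trust assumption of this design visible: the service key is protected on each link, but every QAG and QRR on the route handles it unencrypted.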
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510350028.2A CN106330434B (en) | 2015-06-23 | 2015-06-23 | First quantum node, second quantum node, secure communication architecture system and method |
| PCT/CN2016/082147 WO2016206498A1 (en) | 2015-06-23 | 2016-05-13 | First quantum node, second quantum node, secure communications architecture system, and method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106330434A CN106330434A (en) | 2017-01-11 |
| CN106330434B true CN106330434B (en) | 2021-05-04 |
Family
ID=57584527
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510350028.2A Active CN106330434B (en) | 2015-06-23 | 2015-06-23 | First quantum node, second quantum node, secure communication architecture system and method |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN106330434B (en) |
| WO (1) | WO2016206498A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| RU2832715C1 (en) * | 2024-01-11 | 2024-12-28 | Открытое Акционерное Общество "Российские Железные Дороги" | Reference and intermediate trusted nodes and method of organizing trusted nodes of backbone quantum network |
Families Citing this family (37)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106789038A (en) * | 2017-01-25 | 2017-05-31 | 济南浪潮高新科技投资发展有限公司 | A kind of method and system of subsurface communication, a kind of free running device under water |
| CN107124266B (en) * | 2017-03-07 | 2020-10-27 | 苏州科达科技股份有限公司 | Video communication system and method based on quantum encryption |
| CN109586799B (en) * | 2017-09-29 | 2024-04-19 | 上海国盾量子信息技术有限公司 | Polarization feedback method and device for polarization coding measurement equipment independent system |
| CN110380844B (en) | 2018-04-13 | 2021-01-29 | 华为技术有限公司 | A quantum key distribution method, device and storage medium |
| CN108881313B (en) * | 2018-08-28 | 2023-09-01 | 中国银行股份有限公司 | Communication transmission system based on quantum wavelet division multiplexing |
| CN109194471B (en) * | 2018-09-14 | 2021-09-07 | 北京信息科技大学 | A Quantum Group Key Agreement Method for Quantum Key Distribution Networks |
| CN111083000B (en) * | 2018-10-18 | 2022-02-18 | 中国电信股份有限公司 | Quantum key distribution method and system, and computer readable storage medium |
| CN109302285A (en) * | 2018-10-25 | 2019-02-01 | 安徽问天量子科技股份有限公司 | A kind of IPv6 network node data safe transmission method |
| CN109302288B (en) * | 2018-11-12 | 2023-09-26 | 中共中央办公厅电子科技学院 | Quantum secret communication network system based on quantum key distribution technology and application thereof |
| CN109257274B (en) * | 2018-11-12 | 2024-02-02 | 中共中央办公厅电子科技学院 | Switching node device for quantum secret communication network system and communication network system comprising the same |
| CN109194477B (en) * | 2018-11-12 | 2024-04-02 | 中共中央办公厅电子科技学院 | Access node device for quantum secret communication network system and communication network system comprising the same |
| CN109245887B (en) * | 2018-11-12 | 2024-01-30 | 中共中央办公厅电子科技学院 | Relay device for quantum secret communication network system and communication network system comprising the same |
| CN109462547B (en) * | 2018-11-13 | 2021-03-12 | 国科量子通信网络有限公司 | Path selection method and device based on quantum metropolitan area communication network |
| US11144334B2 (en) | 2018-12-20 | 2021-10-12 | Red Hat, Inc. | Quantum computer task manager |
| US11290368B2 (en) | 2019-05-21 | 2022-03-29 | Red Hat, Inc. | Federated messaging for quantum systems through teleportation |
| CN110401493B (en) * | 2019-08-22 | 2020-11-03 | 苏州赛安电子技术有限公司 | Intelligent ad hoc network communication system based on quantum encryption |
| US11886380B2 (en) | 2020-04-27 | 2024-01-30 | Red Hat, Inc. | Quantum file management system |
| US11416221B2 (en) | 2020-05-12 | 2022-08-16 | Red Hat, Inc. | Quantum entanglement protection |
| US12293259B2 (en) | 2020-05-27 | 2025-05-06 | Red Hat, Inc. | Qubit allocation service |
| US11676059B2 (en) | 2020-06-23 | 2023-06-13 | Red Hat, Inc. | Performing quantum file pattern searching |
| US11556833B2 (en) | 2020-06-25 | 2023-01-17 | Red Hat, Inc. | Performing quantum file concatenation |
| US11580247B2 (en) | 2020-06-25 | 2023-02-14 | Red Hat, Inc. | Systems and methods for quantum file permissions |
| US11562283B2 (en) | 2020-06-25 | 2023-01-24 | Red Hat, Inc. | Performing quantum file copying |
| CN111934867B (en) * | 2020-08-14 | 2022-12-20 | 国科量子通信网络有限公司 | Safety networking structure and method of quantum communication network |
| CN111865590B (en) * | 2020-08-28 | 2023-07-14 | 国科量子通信网络有限公司 | Working key distribution system based on quantum secret communication technology in financial field and application method thereof |
| CN112422284B (en) * | 2020-11-19 | 2024-03-29 | 北京电子科技学院 | Quantum communication system |
| CN113792882B (en) * | 2020-12-23 | 2022-05-06 | 北京百度网讯科技有限公司 | Quantum entanglement state processing method, device, equipment, storage medium and product |
| CN114362936A (en) * | 2020-12-30 | 2022-04-15 | 广东国腾量子科技有限公司 | Secret key relay method in communication network based on quantum secrecy |
| CN114697010B (en) * | 2020-12-30 | 2024-08-30 | 科大国盾量子技术股份有限公司 | Quantum communication network metropolitan area network and hierarchical networking method thereof |
| CN113708928B (en) * | 2021-08-25 | 2023-04-07 | 济南浪潮数据技术有限公司 | Edge cloud communication method and related device |
| CN114071264B (en) * | 2021-11-12 | 2024-01-23 | 国网上海市电力公司 | Communication method for network services on endogenous secure optical network and endogenous secure optical network |
| CN114465718B (en) * | 2022-01-07 | 2023-11-03 | 南京邮电大学 | Multi-protocol translation method and related equipment for quantum key distribution business |
| CN115051857B (en) * | 2022-06-16 | 2024-07-09 | 矩阵时光数字科技有限公司 | Global quantum secure audio and video communication method |
| CN115174078B (en) * | 2022-08-08 | 2025-02-28 | 中兴通讯股份有限公司 | Quantum key negotiation method, device, computer equipment and readable medium |
| CN116455593A (en) * | 2022-12-07 | 2023-07-18 | 中信银行股份有限公司 | A sensitive information synchronization method and device |
| CN116506353A (en) * | 2023-04-03 | 2023-07-28 | 南京如般量子科技有限公司 | SoC-based high bandwidth quantum secure communication router, system and communication method |
| CN119299096A (en) * | 2024-12-10 | 2025-01-10 | 中移信息系统集成有限公司 | Key distribution method, electronic device and readable storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20050180575A1 (en) * | 2004-02-13 | 2005-08-18 | Nec Corporation | Communication system and synchronization method thereof |
| CN102130769A (en) * | 2011-03-10 | 2011-07-20 | 北京邮电大学 | A Model and Method for Quantum Key Distribution Request Control and Automatic Implementation |
| CN104660602A (en) * | 2015-02-14 | 2015-05-27 | 山东量子科学技术研究院有限公司 | Quantum key transmission control method and system |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102769527B (en) * | 2012-08-14 | 2015-06-17 | 中国人民解放军国防科学技术大学 | Networking method based on large scale monatomic cavity quantum network |
| CN103200105B (en) * | 2013-04-12 | 2015-10-28 | 哈尔滨工业大学 | A kind of path selection system of the QKD network based on light path switching and route selection method |
- 2015-06-23: CN application CN201510350028.2A, patent CN106330434B, status: Active
- 2016-05-13: WO application PCT/CN2016/082147, publication WO2016206498A1, status: Not active (Ceased)
Non-Patent Citations (3)
| Title |
|---|
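| Application of Quantum Key Distribution in Networks; Chen Guang; China Master's Theses Full-text Database, Basic Sciences; 20110315 (Issue No. 03); A005-85 * |
| Research Progress on Application Technology of Quantum Key Distribution Networks; Fu Mingxing; Laser & Optoelectronics Progress; 20071010 (Issue No. 10); 39-47 * |
| Research on Topology and Routing Algorithms of Quantum Key Distribution Networks; Hou Baogang; China Master's Theses Full-text Database, Information Science and Technology; 20131215 (Issue No. S2); I136-467 * |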
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| RU2832715C1 (en) * | 2024-01-11 | 2024-12-28 | Открытое Акционерное Общество "Российские Железные Дороги" | Reference and intermediate trusted nodes and method of organizing trusted nodes of backbone quantum network |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106330434A (en) | 2017-01-11 |
| WO2016206498A1 (en) | 2016-12-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106330434B (en) | | First quantum node, second quantum node, secure communication architecture system and method |
| US8855316B2 (en) | | Quantum cryptography apparatus |
| EP2003812B1 (en) | | Method and device for managing cryptographic keys in secret communications network |
| US7236597B2 (en) | | Key transport in quantum cryptographic networks |
| JP5492095B2 (en) | | Network with quantum key distribution |
| US8964989B2 (en) | | Method for adding nodes to a quantum key distribution system |
| US20100042841A1 (en) | | Updating and Distributing Encryption Keys |
| CN110808837B (en) | | A method and system for quantum key distribution based on tree QKD network |
| US20050286723A1 (en) | | QKD system network |
| CN113765665B (en) | | Block chain network based on quantum key and data secure transmission method |
| TW201633742A (en) | | Quantum key distribution system, method and device based on trusted relay |
| CN110855438B (en) | | Quantum key distribution method and system based on annular QKD network |
| JPWO2010067551A1 (en) | | Shared random number management method and management system in secret communication network |
| US20240313949A1 (en) | | Key exchange protocol for quantum network |
| EP3909196B1 (en) | | One-time pads encryption hub |
| GB2604666A (en) | | Key exchange protocol chaining |
| Mink et al. | | Quantum key distribution (QKD) and commodity security protocols: Introduction and integration |
| CN112953710B (en) | | Wireless/Wired Hybrid QKD Network Based on Trusted Relay |
| Takahashi et al. | | A high-speed key management method for quantum key distribution network |
| CN117527231A (en) | | Key distribution method based on quantum security network terminal pairing |
| US20250080338A1 (en) | | Method for quantum-secured communication |
| CN113572610A (en) | | Quantum communication network and networking method based on satellite relay |
| Metwaly et al. | | Architecture of point to multipoint QKD communication systems (QKDP2MP) |
| Lin et al. | | Quantum key distribution in partially-trusted QKD ring networks |
| Monita et al. | | Routing performance based on software defined quantum key distribution network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |