CN114765533B - Remote proving method, device and system based on quantum key communication - Google Patents
- Publication number: CN114765533B
- Application number: CN202011609431.XA
- Authority: CN (China)
- Prior art keywords: random number; ciphertext; challenger; quantum key; attribute information
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L9/0852—Quantum cryptography
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
Abstract
The invention discloses a remote attestation method based on quantum key communication, applied to a challenger that acquires a first quantum key in advance. The method comprises: generating a first random number and encrypting it based on the first quantum key to obtain a first random number ciphertext; sending the first random number ciphertext to a proving party, so that the proving party generates an identity information ciphertext based on the first random number and sends it to the challenger; receiving, when the challenger's verification of the identity information ciphertext passes, an attribute information ciphertext sent by the proving party; and decrypting the attribute information ciphertext based on the first random number to obtain attribute information, then judging whether the attribute information is legal based on a trusted policy. Because verification between the challenger and the proving party uses a quantum key and symmetric encryption, no third-party organization is needed, which avoids the problem that the identity of the proving party is easily leaked during measurement and the proving party thereby becomes easier for an attacker to attack.
Description
Technical Field
The present invention relates to the field of quantum communications technologies, and in particular, to a remote attestation method, device, and system based on quantum key communications.
Background
Since the emergence of trusted computing, remote attestation technology has attracted wide attention. It is mainly a method for extending the trust of a terminal to the network and transmitting that trust. Current remote attestation mainly comprises remote attestation based on platform identity and remote attestation based on platform integrity.
Remote attestation based on platform identity includes remote attestation relying on a third-party certificate authority CA (Certificate Authority) and the direct anonymous attestation protocol DAA (Direct Anonymous Attestation). In remote attestation relying on a third-party private certificate authority PCA (Private Certificate Authority), the endorsement key EK (Endorsement Key) is issued by the PCA, an attestation identity key AIK (Attestation Identity Key) is generated from the EK when remote attestation is initiated, and the legitimacy of the AIK is verified by the PCA, thereby achieving remote identity authentication. DAA employs zero-knowledge proofs, group signatures and other techniques, so that a proving party that has applied for a certificate once can initiate remote attestation to different verifiers in the network. Remote attestation based on platform integrity is primarily binary-based remote attestation and attribute-based remote attestation. In binary-based remote attestation, the proving party packages its own platform configuration metric values and measurement log and sends them to the challenger; the challenger compares the received information with locally stored information and thereby judges the legitimacy of the proving party. In attribute-based remote attestation, the platform configuration metric values are mapped to specific security attributes, and the challenger only needs to judge whether the proving party satisfies those security attributes.
The remote attestation processes above depend on a third-party organization to distribute public and private keys or certificates, and the identity of the proving party is easily leaked during measurement, so the proving party is more easily attacked by an attacker.
Disclosure of Invention
In view of the above, the present invention provides a remote attestation method, device and system based on quantum key communication, to solve the problems that the existing remote attestation process depends on a third-party organization to distribute public and private keys or certificates, and that the identity of the proving party is easily leaked during measurement, so that the proving party is more easily attacked by an attacker. The specific scheme is as follows:
A remote attestation method based on quantum key communication, applied to a challenger, the challenger acquiring a first quantum key in advance, the method comprising:
generating a first random number, and encrypting the first random number based on the first quantum key to obtain a first random number ciphertext;
sending the first random number ciphertext to a proving party, so that the proving party decrypts the first random number ciphertext based on the first quantum key to obtain the first random number, encrypts identity information based on the first random number to obtain an identity information ciphertext, and sends the identity information ciphertext to the challenger, wherein the proving party obtains the first quantum key in advance;
receiving the identity information ciphertext, verifying the identity information ciphertext, and receiving the attribute information ciphertext sent by the proving party under the condition that verification is passed;
decrypting the attribute information ciphertext based on the first random number to obtain attribute information, and judging whether the attribute information is legal or not based on a trusted policy, wherein the trusted policy is added to the challenger based on a preset adding rule.
In the above method, optionally, verifying the identity information ciphertext includes:
decrypting the identity information ciphertext based on the first random number to obtain the identity information;
matching the identity information with the corresponding standard identity information in a preset identity information list, and judging whether the identity information is identical to the standard identity information.
In the above method, optionally, judging whether the attribute information is legal based on a trusted policy includes:
comparing the attribute information with corresponding items in the trusted policy to obtain a comparison result;
judging whether the comparison result meets a preset judgment rule.
In the above method, optionally, the challenger acquires a second quantum key in advance, and adding the trusted policy to the challenger based on a preset adding rule includes:
generating a second random number, and encrypting the second random number based on the second quantum key to obtain a second random number ciphertext;
sending the second random number ciphertext to a trusted configuration server, so that the trusted configuration server decrypts the second random number ciphertext based on the second quantum key to obtain the second random number, encrypts a trusted policy based on the second random number to obtain a trusted policy ciphertext, and sends the trusted policy ciphertext to the challenger, wherein the trusted configuration server obtains the second quantum key in advance;
receiving the trusted policy ciphertext, decrypting the trusted policy ciphertext based on the second random number, and storing the trusted policy.
The above method, optionally, further comprises:
before the challenger and the trusted configuration server are started, acquiring first standard hash values of corresponding components in the challenger and the trusted configuration server;
after the challenger and the trusted configuration server are started, acquiring first current hash values of the corresponding components in the challenger and the trusted configuration server;
comparing the first standard hash value with the first current hash value.
A remote attestation method based on quantum key communication, applied to a proving party, the proving party acquiring a first quantum key in advance, the method comprising:
receiving a first random number ciphertext, and decrypting the first random number ciphertext based on the first quantum key to obtain a first random number;
encrypting the identity information based on the first random number to obtain an identity information ciphertext;
sending the identity information ciphertext to the challenger for verification;
when receiving a verification passing instruction sent by the challenger, encrypting attribute information based on the first random number to obtain an attribute information ciphertext, and sending the attribute information ciphertext to the challenger so that the challenger can perform remote attestation of the proving party based on the attribute information ciphertext.
The above method, optionally, further comprises:
before the proving party starts, acquiring a second standard hash value of a corresponding component in the proving party;
after the proving party starts, acquiring a second current hash value of the corresponding component in the proving party;
comparing the second standard hash value with the second current hash value.
A remote attestation device based on quantum key communication, applied to a challenger that acquires a first quantum key in advance, the device comprising:
a generation and encryption module, used for generating a first random number and encrypting the first random number based on the first quantum key to obtain a first random number ciphertext;
a first sending module, used for sending the first random number ciphertext to a proving party so that the proving party decrypts the first random number ciphertext based on the first quantum key to obtain the first random number, encrypts identity information based on the first random number to obtain an identity information ciphertext, and sends the identity information ciphertext to the challenger, wherein the proving party acquires the first quantum key in advance;
a receiving and verifying module, used for receiving the identity information ciphertext, verifying the identity information ciphertext, and receiving the attribute information ciphertext sent by the proving party under the condition that verification passes;
a decryption and judgment module, used for decrypting the attribute information ciphertext based on the first random number to obtain attribute information and judging whether the attribute information is legal or not based on a trusted policy, wherein the trusted policy is added to the challenger based on a preset adding rule.
A remote attestation device based on quantum key communication, applied to a proving party that acquires a first quantum key in advance, the device comprising:
a receiving and decrypting module, used for receiving a first random number ciphertext and decrypting the first random number ciphertext based on the first quantum key to obtain a first random number;
an encryption module, used for encrypting the identity information based on the first random number to obtain an identity information ciphertext;
a second sending module, used for sending the identity information ciphertext to the challenger for verification;
an encryption and transmission module, used for encrypting the attribute information based on the first random number to obtain an attribute information ciphertext when receiving a verification passing instruction sent by the challenger, and sending the attribute information ciphertext to the challenger so that the challenger can perform remote attestation of the proving party based on the attribute information ciphertext.
A remote attestation system based on quantum key communication, comprising a challenger and a proving party that acquire a first quantum key in advance, wherein:
the challenger is used for executing the above remote attestation method based on quantum key communication applied to the challenger;
the proving party is used for executing the above remote attestation method based on quantum key communication applied to the proving party.
Compared with the prior art, the invention has the following advantages:
The invention discloses a remote attestation method based on quantum key communication, applied to a challenger that acquires a first quantum key in advance. The method comprises: generating a first random number and encrypting it based on the first quantum key to obtain a first random number ciphertext; sending the first random number ciphertext to a proving party, so that the proving party generates an identity information ciphertext based on the first random number and sends it to the challenger; receiving, when the challenger's verification of the identity information ciphertext passes, an attribute information ciphertext sent by the proving party; and decrypting the attribute information ciphertext based on the first random number to obtain attribute information, then judging whether the attribute information is legal based on a trusted policy. Because verification between the challenger and the proving party uses a quantum key and symmetric encryption, no third-party organization is needed, which avoids the problem that the identity of the proving party is easily leaked during measurement and the proving party thereby becomes easier for an attacker to attack.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a remote attestation method based on quantum key communication according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a trusted policy adding process according to an embodiment of the present application;
Fig. 3 is a further flowchart of a remote attestation method based on quantum key communication according to an embodiment of the present application;
Fig. 4 is a block diagram of a remote attestation device based on quantum key communication according to an embodiment of the present application;
Fig. 5 is a block diagram of a remote attestation device based on quantum key communication according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The invention discloses a remote attestation method, device and system based on quantum key communication, applied to the remote attestation process. The prior art has the following problems. In remote attestation based on PCA platform identity, the challenger needs to verify the validity of the certificate during verification, and the PCA has full control of the verification certificate; once the PCA and the challenger collude, the platform identity is leaked. DAA-based remote attestation suits a single-domain network environment that is small and has relatively well-defined boundaries; moreover, because identities are anonymous under DAA, the proving party is very easy to disguise, which can cause man-in-the-middle attacks. In binary-based remote attestation, the trusted platform module TPM (Trusted Platform Module) digitally signs the platform configuration register PCR (Platform Configuration Register) values during attestation and then sends the signed platform integrity measurement to the remote challenger, which exposes the platform configuration information of the proving party and makes the proving party more vulnerable to various attacks by an attacker.
To address these problems, the invention provides a remote attestation method based on quantum key communication. The method is applied to a challenger, which obtains a first quantum key from a quantum communication network in advance based on a secure communication protocol. Preferably, the proving party corresponding to the challenger also obtains the first quantum key from the quantum communication network based on the secure communication protocol, and the first quantum key is used as a key encryption key. The execution flow of the method is shown in Fig. 1 and includes:
S101, generating a first random number, and encrypting the first random number based on the first quantum key to obtain a first random number ciphertext;
In the embodiment of the invention, when the challenger initiates a challenge to the proving party, the challenger generates the first random number. The generation process and the form of the first random number are not limited. The challenger encrypts the first random number based on the first quantum key to obtain the first random number ciphertext.
S102, sending the first random number ciphertext to a proving party, so that the proving party decrypts the first random number ciphertext based on the first quantum key to obtain the first random number, encrypts identity information based on the first random number to obtain an identity information ciphertext, and sends the identity information ciphertext to the challenger, wherein the proving party acquires the first quantum key in advance;
In the embodiment of the present invention, the first random number ciphertext is sent to the proving party. Because the proving party and the challenger use symmetric encryption for protection, the proving party decrypts the first random number ciphertext based on the first quantum key to obtain the first random number. The first random number serves as a first session key, and a secure channel with the challenger is established based on it. The proving party encrypts its identity information based on the first random number to obtain an identity information ciphertext and sends it to the challenger through the secure channel. The identity information can be set based on specific conditions or experience and can include an IP address, a number, a name and so on; the embodiment of the invention does not specifically limit it. Preferably, standard identity information corresponding to the identity information of the proving party is stored in the challenger in advance, in the form of a preset identity information list, so that the challenger can verify the identity information ciphertext against the standard identity information.
S103, receiving the identity information ciphertext, verifying the identity information ciphertext, and receiving the attribute information ciphertext sent by the proving party under the condition that verification is passed;
In the embodiment of the invention, the challenger receives the identity information ciphertext and verifies it. The verification process is as follows. The identity information ciphertext is decrypted based on the first random number to obtain the identity information, and the identity information is matched against the corresponding standard identity information in the identity information list. Preferably, each item of identity information and its corresponding standard identity information are associated with each other in advance through an identifier; during matching, the identifier of the identity information is acquired and the corresponding standard identity information in the list is determined from it. The challenger then judges whether the identity information is identical to that standard identity information. If it is, identity verification passes; otherwise it fails, in which case the remote verification process is stopped and the reason for the verification failure is reported.
Further, under the condition that verification is passed, a verification passing instruction is sent to the proving party, so that the proving party sends an attribute information ciphertext, wherein the attribute information ciphertext is used for remotely proving the proving party.
S104, decrypting the attribute information ciphertext based on the first random number to obtain attribute information, and judging whether the attribute information is legal or not based on a trusted policy, wherein the trusted policy is added to the challenger based on a preset adding rule.
In the embodiment of the present invention, the challenger receives the attribute information ciphertext, decrypts it based on the first random number to obtain the attribute information, and judges whether the attribute information is legal based on a trusted policy. The selection of the attribute information is related to the trusted policy, and the trusted policy may be set based on experience or specific conditions. In the embodiment of the present invention, the trusted policy includes, for example but not limited to, the security attribute set of the proving party, such as whether certain software is installed, whether it is running, and so on. Each item of attribute information is judged as follows: the item is compared with the corresponding item in the trusted policy to obtain a comparison result, which may be a set made up of matched, mismatched, identical, different or other comparison outcomes. If the comparison result meets a preset judgment rule, the attribute information is judged legal; otherwise it is judged illegal. The preset judgment rule can be set based on experience or specific conditions and is not limited by the embodiment of the invention; for example, the rule may be that all items match, or that the matching percentage meets a corresponding percentage threshold.
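The challenge flow S101 to S104, together with the proving-party steps it triggers, as an added example that is not code from the patent. The patent names no cipher, so `seal`/`unseal` are a standard-library stand-in for an authenticated symmetric cipher; the per-step labels, the `min_match` threshold, the key bytes, the identity fields and the policy items are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in cipher (assumption: the patent only says "symmetric encryption").
# HMAC-SHA256 keystream with encrypt-then-MAC, standard library only.
def _subkey(key, purpose):
    return hmac.new(key, purpose, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key, label, nonce, body):
    msg = bytes([len(label)]) + label + nonce + body
    return hmac.new(_subkey(key, b"mac"), msg, hashlib.sha256).digest()

def seal(key, plaintext, label):
    """Encrypt and authenticate; `label` binds the blob to one protocol step."""
    nonce = secrets.token_bytes(16)
    body = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    return nonce + body + _tag(key, label, nonce, body)

def unseal(key, blob, label):
    """Check the tag before decrypting; raise ValueError on any mismatch."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, label, nonce, body)):
        raise ValueError("authentication failed")
    return _xor_stream(_subkey(key, b"enc"), nonce, body)

class Prover:
    def __init__(self, quantum_key, identity, attributes):
        self.quantum_key, self.identity, self.attributes = quantum_key, identity, attributes
        self.r1 = None

    def receive_challenge(self, r1_ciphertext):      # S201: recover R1
        self.r1 = unseal(self.quantum_key, r1_ciphertext, b"r1")

    def identity_ciphertext(self):                   # S202, S203
        return seal(self.r1, json.dumps(self.identity).encode(), b"identity")

    def attribute_ciphertext(self):                  # only after the pass instruction
        return seal(self.r1, json.dumps(self.attributes).encode(), b"attributes")

class Challenger:
    def __init__(self, quantum_key, identity_list, trusted_policy, min_match=1.0):
        self.quantum_key, self.identity_list = quantum_key, identity_list
        self.trusted_policy, self.min_match = trusted_policy, min_match
        self.r1 = None

    def challenge(self):                             # S101: R1 under the quantum key
        self.r1 = secrets.token_bytes(32)
        return seal(self.quantum_key, self.r1, b"r1")

    def verify_identity(self, blob):                 # S103: look up by identifier
        identity = json.loads(unseal(self.r1, blob, b"identity"))
        if not isinstance(identity, dict):
            return False
        ident = identity.get("id")
        standard = self.identity_list.get(ident) if isinstance(ident, str) else None
        return standard is not None and standard == identity

    def judge_attributes(self, blob):                # S104: compare with the policy
        attrs = json.loads(unseal(self.r1, blob, b"attributes"))
        if not isinstance(attrs, dict):
            attrs = {}
        result = {k: (k in attrs and attrs[k] == v) for k, v in self.trusted_policy.items()}
        ratio = sum(result.values()) / len(result) if result else 0.0
        return ratio >= self.min_match, result

def run_attestation(challenger, prover):
    """Drive one challenge; return (verdict, per-item comparison result)."""
    try:
        prover.receive_challenge(challenger.challenge())
        if not challenger.verify_identity(prover.identity_ciphertext()):
            return "identity-failed", {}             # stop before attributes are sent
        legal, result = challenger.judge_attributes(prover.attribute_ciphertext())
        return ("legal" if legal else "illegal"), result
    except ValueError:                               # bad tag or undecodable plaintext
        return "crypto-failed", {}
    finally:
        challenger.r1 = prover.r1 = None             # assumption: R1 is used for one challenge

# Constructed sample values, not taken from the patent.
QK1 = bytes(range(32))                               # stand-in for the first quantum key
IDENTITY = {"id": "node-7", "ip": "192.0.2.10", "name": "edge-gateway"}
POLICY = {"antivirus_installed": True, "antivirus_running": True, "firewall_enabled": True}

if __name__ == "__main__":
    challenger = Challenger(QK1, {IDENTITY["id"]: IDENTITY}, POLICY)
    print(run_attestation(challenger, Prover(QK1, IDENTITY, dict(POLICY))))
```

With `min_match=1.0` the judgment rule is "all items match"; a lower value gives the percentage-threshold variant the description mentions.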
In the embodiment of the invention, the trusted policy may be acquired at a designated location and added to the challenger directly, or may be added to the challenger through a trusted configuration server. The process of adding the trusted policy through the trusted configuration server is shown in Fig. 2. The challenger and the trusted configuration server acquire a second quantum key from quantum communication network node A and quantum communication network node B respectively, through a secure communication protocol. The challenger generates a second random number (the embodiment of the invention does not limit its generation process or form), encrypts it based on the second quantum key to obtain a second random number ciphertext, and sends the second random number ciphertext to the trusted configuration server. The trusted configuration server decrypts the second random number ciphertext based on the second quantum key to obtain the second random number, which is used as a session key. After the session key has been negotiated, a classical channel is used: the trusted configuration server encrypts the trusted policy based on the second random number and sends the trusted policy ciphertext to the challenger, which decrypts it based on the second random number and stores the trusted policy. Further, the negotiated session key becomes invalid once a challenge procedure completes, and is renegotiated at the next challenge.
Preferably, the challenger and the trusted configuration server each have a built-in TPM trusted chip, and complete the integrity measurement of the local platform through an integrity measurement mechanism. The integrity measurement procedure is as follows:
First, the computer BIOS calls the hash interface provided by the device's TPM chip to compute first standard hash values of key components, such as the device hardware ROM and the operating system kernel, as expected values. During the subsequent startup process, the first current hash values of these components are collected and compared with the first standard hash values; if they are inconsistent, the integrity measurement is considered to have failed, otherwise it is considered to have passed. Second, after the operating system has started, the operating system kernel module compares the hash values of the operating system's application programs and key configuration files, which completes the integrity measurement.
The embodiment of the invention provides a remote proving method based on quantum key communication, which is applied to a proving party, and the proving party and the challenger acquire a first quantum key in a quantum communication network node C and a quantum communication network node A in advance through a secure communication protocol on the premise that the proving party performs remote proving based on the challenger, wherein the execution flow of the method is shown in a figure 3, and the method comprises the following steps:
S201, receiving a first random number ciphertext, and decrypting the first random number ciphertext based on the first quantum key to obtain a first random number;
In the embodiment of the invention, the proving party receives the first random number ciphertext, and decrypts the first random number ciphertext based on the first quantum key to obtain the first random number.
S202, encrypting the identity information based on the first random number to obtain an identity information ciphertext;
S203, sending the identity information ciphertext to the challenger for verification;
In the embodiment of the present invention, the challenger's verification of the identity information is described in S103 and is not repeated here.
S204, when a verification passing instruction sent by the challenger is received, encrypting attribute information based on the first random number to obtain an attribute information ciphertext, and sending the attribute information ciphertext to the challenger so that the challenger can remotely prove the proving party based on the attribute information ciphertext.
In the embodiment of the present invention, when the verification passing instruction sent by the challenger is received, the attribute information is obtained and encrypted based on the first random number to obtain an attribute information ciphertext. The selection of the attribute information is related to the trusted policy, and the trusted policy may be set based on experience or the specific situation.
The invention discloses a remote proving method based on quantum communication, applied to a proving party, comprising the following steps: receiving a first random number ciphertext, and decrypting the first random number ciphertext based on the first quantum key to obtain a first random number; encrypting the identity information based on the first random number to obtain an identity information ciphertext; sending the identity information ciphertext to the challenger for verification; and when receiving a verification passing instruction sent by the challenger, encrypting attribute information based on the first random number to obtain an attribute information ciphertext, and sending the attribute information ciphertext to the challenger so that the challenger can remotely prove the proving party based on the attribute information ciphertext. In this process, verification between the challenger and the proving party uses a quantum key and symmetric encryption, so no third-party mechanism is needed, and the problem that the identity of the proving party is easily leaked during the measurement process, which makes the proving party easier to attack, is avoided.
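The exchange in S201-S204, together with the challenger-side checks of claims 2 and 3, can be traced in a short simulation. This is an added example, not code from the patent: the cipher is a standard-library stand-in (the patent names none), and the key bytes, identity strings, attribute names and outcome labels are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in authenticated cipher (assumption: the patent names no algorithm).
# HMAC-SHA256 in counter mode as keystream, then encrypt-then-MAC, so only the
# standard library is needed; real code would use a vetted AEAD such as AES-GCM.
def _subkeys(key):
    return [hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def _xor_stream(enc_key, nonce, data):
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return _xor_stream(enc_key, body[:16], body[16:])

class Prover:
    def __init__(self, quantum_key, identity, attributes):
        self.qk, self.identity, self.attributes = quantum_key, identity, attributes
        self.r1 = None

    def on_challenge(self, r1_ct):
        # S201: recover the first random number with the first quantum key.
        self.r1 = unseal(self.qk, r1_ct)
        # S202/S203: identity information encrypted under the random number.
        return seal(self.r1, self.identity.encode())

    def on_verification_passed(self):
        # S204: attribute information encrypted under the same random number.
        return seal(self.r1, json.dumps(self.attributes).encode())

class Challenger:
    def __init__(self, quantum_key, identity_list, trusted_policy):
        self.qk, self.identity_list = quantum_key, identity_list
        self.policy, self.r1 = trusted_policy, None

    def challenge(self):
        self.r1 = secrets.token_bytes(32)  # fresh first random number per run
        return seal(self.qk, self.r1)

    def verify_identity(self, id_ct):
        # Claim 2: decrypt, then match against the preset identity list.
        try:
            return unseal(self.r1, id_ct).decode() in self.identity_list
        except ValueError:
            return False

    def judge_attributes(self, attr_ct):
        # Claim 3: compare each attribute with its item in the trusted policy.
        try:
            attrs = json.loads(unseal(self.r1, attr_ct))
        except ValueError:
            return False
        return isinstance(attrs, dict) and all(attrs.get(k) == v for k, v in self.policy.items())

def attest(challenger, prover):
    """Run one challenge and return the outcome label."""
    try:
        id_ct = prover.on_challenge(challenger.challenge())
    except ValueError:
        return "key-mismatch"  # the prover does not hold the same quantum key
    if not challenger.verify_identity(id_ct):
        return "identity-rejected"
    if not challenger.judge_attributes(prover.on_verification_passed()):
        return "policy-mismatch"
    return "trusted"

# Constructed sample data (not from the patent).
QK1 = bytes(range(32))
POLICY = {"kernel_sha256": hashlib.sha256(b"kernel-5.10").hexdigest(), "secure_boot": True}
GOOD = dict(POLICY, hostname="node-c")

def demo():
    ch = Challenger(QK1, {"prover-001"}, POLICY)
    return {
        "good": attest(ch, Prover(QK1, "prover-001", GOOD)),
        "unknown_id": attest(ch, Prover(QK1, "prover-999", GOOD)),
        "bad_attr": attest(ch, Prover(QK1, "prover-001", dict(GOOD, secure_boot=False))),
        "wrong_key": attest(ch, Prover(bytes(32), "prover-001", GOOD)),
    }
```

Because the identity and attribute ciphertexts are keyed by the first random number, a party without the shared quantum key fails at S201 and never reaches the identity or policy checks.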
Preferably, the proving party has a built-in TPM trusted chip and completes the integrity measurement of the local platform through an integrity measurement mechanism; the integrity measurement procedure is as follows:
Firstly, the computer BIOS calls the hash interface provided by the device's TPM chip to compute second standard hash values of key components, such as the device hardware ROM and the operating system kernel, which serve as expected values. During each subsequent startup, the second current hash values of these components are collected and compared with the expected values; if they are inconsistent, the integrity measurement is considered to have failed, otherwise it is considered to have passed. Secondly, after the operating system is started, the operating system kernel module compares the hash values of the operating system applications and key configuration files, which completes the integrity measurement.
The invention is mainly a remote proving method based on quantum communication: it uses symmetric encryption and decryption to protect the remote proving process, and distributes and updates the symmetric key through a quantum communication network, which solves problems such as key validity, remote key distribution and many-to-many key distribution, and better protects the privacy of both parties to the remote proving. The quantum communication network supports star, ring and hybrid deployment, and on that basis remote proving can be extended from a single domain to multiple domains, so that various complex application scenarios are satisfied.
Based on the above-mentioned remote proving method based on quantum key communication, which is applied to a challenger, the embodiment of the invention also provides a remote proving device based on quantum key communication, which is applied to the challenger, wherein the challenger obtains a first quantum key in advance, and the structure block diagram of the device is shown in fig. 4, and the device comprises:
a generation and encryption module 301, a first transmission module 302, a receiving and verification module 303, and a decryption and judgment module 304.
Wherein,
The generating and encrypting module 301 is configured to generate a first random number, encrypt the first random number based on the first quantum key, and obtain a first random number ciphertext;
The first sending module 302 is configured to send the first random number ciphertext to a proving party, so that the proving party decrypts the first random number ciphertext based on the first quantum key to obtain the first random number, encrypts identity information based on the first random number to obtain an identity information ciphertext, and sends the identity information ciphertext to the challenger, where the proving party obtains the first quantum key in advance;
The receiving and verifying module 303 is configured to receive the identity information ciphertext, verify the identity information ciphertext, and receive an attribute information ciphertext sent by the proving party if the identity information ciphertext passes the verification;
The decryption and judging module 304 is configured to decrypt the attribute information ciphertext based on the first random number to obtain attribute information, and judge whether the attribute information is legal based on a trusted policy, where the trusted policy is added to the challenger based on a preset addition rule.
The invention discloses a remote proving device based on quantum key communication, applied to a challenger that acquires a first quantum key in advance. The device comprises: the generation and encryption module, used for generating a first random number and encrypting the first random number based on the first quantum key to obtain a first random number ciphertext; the first sending module, used for sending the first random number ciphertext to the proving party so that the proving party generates an identity information ciphertext based on the first random number and sends the identity information ciphertext to the challenger; the receiving and verifying module, used for receiving the attribute information ciphertext sent by the proving party when the identity information ciphertext passes verification; and the decryption and judgment module, used for decrypting the attribute information ciphertext based on the first random number to obtain attribute information, and judging whether the attribute information is legal based on a trusted policy. In this process, verification between the challenger and the proving party uses a quantum key and symmetric encryption, so no third-party mechanism is needed, and the problem that the identity of the proving party is easily leaked during the measurement process, which makes the proving party easier to attack, is avoided.
The embodiment of the invention also provides a remote proving device based on quantum key communication, which is applied to a proving party, wherein the proving party acquires a first quantum key in advance, and the device has a structure block diagram shown in fig. 5 and comprises:
A receiving and decrypting module 401, an encrypting module 402, a second transmitting module 403 and an encrypting and transmitting module 404.
Wherein,
The receiving and decrypting module 401 is configured to receive a first random number ciphertext, and decrypt the first random number ciphertext based on the first quantum key to obtain a first random number;
The encryption module 402 is configured to encrypt the identity information based on the first random number to obtain an identity information ciphertext;
The second sending module 403 is configured to send the identity information ciphertext to the challenger for verification;
The encryption and transmission module 404 is configured to encrypt attribute information based on the first random number to obtain an attribute information ciphertext when receiving a verification passing instruction sent by the challenger, and send the attribute information ciphertext to the challenger, so that the challenger remotely proves the prover based on the attribute information ciphertext.
The invention discloses a remote proving device based on quantum communication, applied to a proving party. The device comprises: the receiving and decrypting module, used for receiving a first random number ciphertext and decrypting the first random number ciphertext based on the first quantum key to obtain a first random number; the encryption module, used for encrypting the identity information based on the first random number to obtain an identity information ciphertext; the second sending module, used for sending the identity information ciphertext to the challenger for verification; and the encryption and transmission module, used for encrypting the attribute information based on the first random number to obtain an attribute information ciphertext when receiving a verification passing instruction sent by the challenger, and sending the attribute information ciphertext to the challenger so that the challenger can remotely prove the proving party based on the attribute information ciphertext. In this process, verification between the challenger and the proving party uses a quantum key and symmetric encryption, so no third-party mechanism is needed, and the problem that the identity of the proving party is easily leaked during the measurement process, which makes the proving party easier to attack, is avoided.
The invention discloses a remote proving system based on quantum key communication. The system comprises a challenger and a proving party, which acquire a first quantum key in advance through a secure communication protocol. The quantum communication network in the proving system mainly implements quantum key distribution, and the quantum key is used for symmetric encryption and decryption of the information exchanged in the remote proving process. In this way, the participants in remote proving can be reduced to a proving party and a challenger, and the attribute information, identity information and the like in the whole remote proving process are transferred only between the proving party and the challenger. A typical remote attestation system also includes a trusted configuration server, through which the trusted policy is issued to the challenger. The specific technical scheme of the remote proving method based on quantum communication is as follows:
(1) The challenger, the proving party and the trusted configuration server each have a built-in TPM trusted chip and complete the integrity measurement of the local platform through an integrity measurement mechanism; the integrity measurement procedure is as follows:
Firstly, the computer BIOS calls the hash interface provided by the device's TPM chip to compute hash values of key components, such as the device hardware ROM and the operating system kernel, which serve as expected values. During each subsequent startup, the hash values of these components are collected and compared with the expected values; if they are inconsistent, the integrity measurement is considered to have failed, otherwise it is considered to have passed. Secondly, after the operating system is started, the operating system kernel module compares the hash values of the operating system applications and key configuration files, which completes the integrity measurement.
(2) The challenger and the trusted configuration server each acquire a first quantum key from the quantum communication network through a secure communication protocol, and use the first quantum key as a key encryption key to encrypt the session key negotiation process; the trusted configuration server encrypts the trusted policy with the session key and issues it to the challenger, and the challenger decrypts the trusted policy and stores it locally;
(3) The challenger initiates a challenge to the proving party; the two ends each acquire a first quantum key from the quantum communication network through a secure communication protocol, and use the first quantum key as a key encryption key to encrypt the session key negotiation process; the proving party establishes a secure channel with the challenger using the session key, encrypts its local identity authentication information with the session key and sends it to the challenger through the secure channel, and the challenger decrypts it and authenticates the platform identity of the proving party;
(4) After the identity authentication passes, the proving party collects local attribute information, encrypts the attribute information with the session key, and sends it to the challenger through the established secure channel; the challenger receives and decrypts the attribute information, matches it against the trusted policy, and judges whether the attributes of the proving party are legal, thereby completing remote proving;
Further, steps (2)-(4) are repeated after the challenger or the proving party changes.
It should be noted that the embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for identical or similar parts the embodiments may be referred to one another. The device embodiments are described relatively briefly because they are substantially similar to the method embodiments; for relevant points, refer to the description of the method embodiments.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in the same piece or pieces of software and/or hardware when implementing the present invention.
From the above description of embodiments, it will be apparent to those skilled in the art that the present invention may be implemented in software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the embodiments or some parts of the embodiments of the present invention.
The remote attestation method, device and system based on quantum key communication provided by the invention have been described in detail above. Specific examples are used to illustrate the principle and implementation of the invention, and the above examples are only intended to help in understanding the method and core idea of the invention. Meanwhile, those skilled in the art may, in accordance with the ideas of the invention, vary the specific embodiments and the scope of application; in view of the above, this description should not be construed as limiting the invention.
Claims (10)
1. A remote attestation method based on quantum key communication, characterized by being applied to a challenger, the challenger acquiring a first quantum key in advance, the method comprising:
generating a first random number, and encrypting the first random number based on the first quantum key to obtain a first random number ciphertext;
sending the first random number ciphertext to a proving party, so that the proving party decrypts the first random number ciphertext based on the first quantum key to obtain the first random number, encrypts identity information based on the first random number to obtain an identity information ciphertext, and sends the identity information ciphertext to the challenger, wherein the proving party obtains the first quantum key in advance;
receiving the identity information ciphertext, verifying the identity information ciphertext, and sending a verification passing instruction to the proving party when the verification passes, so that the proving party, after receiving the verification passing instruction, encrypts attribute information based on the first random number to obtain an attribute information ciphertext; and receiving the attribute information ciphertext returned by the proving party;
decrypting the attribute information ciphertext based on the first random number to obtain attribute information, and judging whether the attribute information is legal or not based on a trusted policy, wherein the trusted policy is added to the challenger based on a preset adding rule.
2. The method of claim 1, wherein verifying the identity information ciphertext comprises:
decrypting the identity information based on the first random number to obtain the identity information;
matching the identity information with the corresponding standard identity information in a preset identity information list, and judging whether the identity information is identical to the standard identity information.
3. The method of claim 1, wherein determining whether the attribute information is legitimate based on a trusted policy comprises:
comparing the attribute information with corresponding items in the trusted policy to obtain a comparison result;
judging whether the comparison result meets a preset judgment rule.
4. The method of claim 1, wherein the challenger pre-obtains a second quantum key, wherein the trusted policy is added to the challenger based on a preset addition rule, comprising:
generating a second random number, and encrypting the second random number based on the second quantum key to obtain a second random number ciphertext;
sending the second random number ciphertext to a trusted configuration server, so that the trusted configuration server decrypts the second random number ciphertext based on the second quantum key to obtain the second random number, encrypts a trusted policy based on the second random number to obtain a trusted policy ciphertext, and sends the trusted policy ciphertext to the challenger, wherein the trusted configuration server obtains the second quantum key in advance;
receiving the trusted policy ciphertext, decrypting the trusted policy ciphertext based on the second random number, and storing the trusted policy.
5. The method as recited in claim 4, further comprising:
before the challenger and the trusted configuration server are started, acquiring first standard hash values of corresponding components in the challenger and the trusted configuration server;
after the challenger and the trusted configuration server are started, acquiring first current hash values of the corresponding components in the challenger and the trusted configuration server;
comparing the first standard hash value with the first current hash value; if they are inconsistent, considering that the integrity measurement does not pass, otherwise considering that the integrity measurement passes; after the operating system is started, the operating system kernel module compares hash values of the operating system application programs and the key configuration files to finish the integrity measurement.
6. A remote attestation method based on quantum key communication, applied to an attestation party, the attestation party previously acquiring a first quantum key, the method comprising:
receiving a first random number ciphertext, and decrypting the first random number ciphertext based on the first quantum key to obtain a first random number, wherein the first random number ciphertext is obtained by a challenger generating the first random number and encrypting the first random number based on the first quantum key;
encrypting the identity information based on the first random number to obtain an identity information ciphertext;
sending the identity information ciphertext to the challenger for verification;
when a verification passing instruction sent by the challenger is received, encrypting attribute information based on the first random number to obtain an attribute information ciphertext, and sending the attribute information ciphertext to the challenger, so that after receiving the attribute information ciphertext the challenger decrypts it based on the first random number to obtain attribute information and judges whether the attribute information is legal or not based on a trusted policy, thereby realizing remote proving of the proving party, wherein the trusted policy is added to the challenger based on a preset adding rule.
7. The method as recited in claim 6, further comprising:
before the proving party starts, acquiring a second standard hash value of a corresponding part in the proving party;
after the proving party starts, acquiring a second current hash value of the corresponding component in the proving party;
comparing the second standard hash value with the second current hash value; if they are inconsistent, considering that the integrity measurement does not pass, otherwise considering that the integrity measurement passes; after the operating system is started, the operating system kernel module compares hash values of the operating system application programs and the key configuration files to finish the integrity measurement.
8. A remote attestation device based on quantum key communication, for use with a challenger that pre-obtains a first quantum key, the device comprising:
the generation and encryption module is used for generating a first random number, encrypting the first random number based on the first quantum key and obtaining a first random number ciphertext;
the first sending module is used for sending the first random number ciphertext to a proving party so that the proving party decrypts the first random number ciphertext based on the first quantum key to obtain the first random number, encrypts identity information based on the first random number to obtain an identity information ciphertext, and sends the identity information ciphertext to the challenger, wherein the proving party acquires the first quantum key in advance;
the receiving and verifying module is used for receiving the identity information ciphertext, verifying the identity information ciphertext, and sending a verification passing instruction to the proving party when the verification passes, so that the proving party, after receiving the verification passing instruction, encrypts attribute information based on the first random number to obtain an attribute information ciphertext, and for receiving the attribute information ciphertext returned by the proving party;
the decryption and judgment module is used for decrypting the attribute information ciphertext based on the first random number to obtain attribute information and judging whether the attribute information is legal or not based on a trusted policy, wherein the trusted policy is added to the challenger based on a preset adding rule.
9. A remote attestation device based on quantum key communication, for application to an attestation party, the attestation party having previously acquired a first quantum key, the device comprising:
the receiving and decrypting module is used for receiving a first random number ciphertext and decrypting the first random number ciphertext based on the first quantum key to obtain a first random number, wherein the first random number ciphertext is obtained by a challenger generating the first random number and encrypting the first random number based on the first quantum key;
the encryption module is used for encrypting the identity information based on the first random number to obtain an identity information ciphertext;
the second sending module is used for sending the identity information ciphertext to the challenger for verification;
the encryption and transmission module is used for encrypting the attribute information based on the first random number to obtain an attribute information ciphertext when receiving a verification passing instruction sent by the challenger, and sending the attribute information ciphertext to the challenger, so that after receiving the attribute information ciphertext the challenger decrypts it based on the first random number to obtain attribute information and judges whether the attribute information is legal based on a trusted policy, thereby realizing remote proving of the proving party, wherein the trusted policy is added to the challenger based on a preset adding rule.
10. A remote attestation system based on quantum key communication, comprising: a challenger and a prover, the challenger and prover pre-fetching a first quantum key, the system comprising:
the challenger for performing a remote attestation method for quantum key based communication of the challenger of any one of claims 1-5;
the proving party for performing a remote proving method for quantum key based communication of a proving party as claimed in any of claims 6-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011609431.XA CN114765533B (en) | 2020-12-30 | 2020-12-30 | Remote proving method, device and system based on quantum key communication |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114765533A CN114765533A (en) | 2022-07-19 |
CN114765533B true CN114765533B (en) | 2024-07-19 |
Family
ID=82364332
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114765533B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115913566B (en) * | 2022-10-28 | 2025-08-19 | 深圳前海微众银行股份有限公司 | Storage proving method and device |
CN118473648B (en) * | 2024-07-12 | 2024-10-01 | 国网安徽省电力有限公司信息通信分公司 | A quantum encryption method and device suitable for AES encryption algorithm |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101951388A (en) * | 2010-10-14 | 2011-01-19 | 中国电子科技集团公司第三十研究所 | Remote attestation method in credible computing environment |
CN109714168A (en) * | 2017-10-25 | 2019-05-03 | 阿里巴巴集团控股有限公司 | Trusted remote method of proof, device and system |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3595109B2 (en) * | 1997-05-28 | 2004-12-02 | 日本ユニシス株式会社 | Authentication device, terminal device, authentication method in those devices, and storage medium |
KR101701226B1 (en) * | 2015-08-28 | 2017-02-01 | 고려대학교 산학협력단 | An improved fuzzy attribute-based authentication |
Also Published As
Publication number | Publication date |
---|---|
CN114765533A (en) | 2022-07-19 |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||