
CN117640087A - IPSec VPN security gateway system integrating quantum key distribution network technology - Google Patents


Info

Publication number
CN117640087A
Authority
CN
China
Prior art keywords
quantum key
distribution network
module
key distribution
security gateway
Prior art date
Legal status
Pending
Application number
CN202311713204.5A
Other languages
Chinese (zh)
Inventor
吴乃星
周剑明
黄啟志
贺嘉敏
陈昊泽
叶澄
林励莉
吴超
刘春波
王春涛
Current Assignee
Cas Quantum Network Co ltd
Hebei Prime Information Security Co ltd
China United Network Communications Corp Ltd Shenzhen Branch
Original Assignee
Cas Quantum Network Co ltd
Hebei Prime Information Security Co ltd
China United Network Communications Corp Ltd Shenzhen Branch

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0852 Quantum cryptography
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S 40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S 40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses an IPSec VPN security gateway system integrating a quantum key distribution network technology, which comprises a quantum key distribution network access authentication module, a cryptographic module, a quantum key application acquisition module, a device management service connected to the outputs of the quantum key distribution network access authentication module and the cryptographic module, an IKE key negotiation module connected to the outputs of the cryptographic module and the quantum key application acquisition module, and an IPSec ESP processing module connected to the outputs of the IKE key negotiation module and the cryptographic module. The invention defines the form and scenario in which the IPSec VPN security gateway accesses the quantum key distribution network and the manner in which the quantum key is used; it can reduce to the greatest extent the modification complexity of connecting the IPSec VPN security gateway to the quantum key distribution network and improve the security of IPSec VPN security gateway data transmission.

Description

IPSec VPN security gateway system integrating quantum key distribution network technology
Technical Field
The invention relates to the technical field of quantum information and cryptography, in particular to an IPSec VPN security gateway system integrating quantum key distribution network technology.
Background
An IPSec VPN (Internet Protocol Security Virtual Private Network) security gateway system is a standardized IP network layer cryptographic device based on the PKI (Public Key Infrastructure) technology system in the field of information security in China. The device serves as a dedicated IP (Internet Protocol) network layer encryption device: it provides tunnel transmission and encryption at the network layer of the TCP/IP stack, provides two-way identity authentication based on digital certificates for the two communicating parties, guarantees the authenticity of both parties' identities, and ensures the integrity and confidentiality of the transmitted data. The device provides IP data transmission protection for the two protected subnets over an IP data link and has already been deployed in a variety of IP network security protection systems; the IPSec VPN security gateways at the two ends select IP packets for encryption or decryption according to an IP five-tuple policy. The application scenario is universal, and a typical one is shown in figure 1.
Once the IPSec VPN security gateway is deployed as a network device in the IP network, the information systems and devices inside the protected networks at both ends are unaware of it.
Domestic IPSec VPN security gateway products are mostly developed with reference to GM/T 0022-2014 IPSec VPN Technical Specification and GM/T 0023-2014 IPSec VPN Gateway Product Specification. These specifications are designed around China's digital certificate system and support the SM1, SM2, SM3 and SM4 algorithms: the SM2 cryptographic algorithm is used for identity authentication and key negotiation between the network entities at the two ends, the SM3 algorithm for data digest computation, and the SM1 and SM4 algorithms for data encryption and decryption.
Quantum key distribution (QKD) is a quantum information technology that guarantees the security of point-to-point communication by exploiting the properties of quantum mechanics, and is an unconditionally secure mode of communication; the quantum key distribution network built on QKD technology in China has been verified experimentally, and the trend toward quantum key distribution as a service has been realized.
With the rapid development of quantum computing, the existing elliptic curve cryptography algorithms (ECC; the SM2 algorithm is an ECC scheme) are at risk of attack: researchers have proved mathematically that a quantum computer can easily break an ECC key, so the identity authentication and key negotiation of the existing IKE protocol, which are based on the SM2 algorithm, are at security risk.
The essence of the quantum key distribution network is that it realizes the unconditionally secure transmission and distribution of symmetric keys, while the main purpose of the IKE (Internet Key Exchange) protocol in IPSec VPN technology is identity authentication and key negotiation, whose result is a consistent data encryption key for the two communicating ends. How to upgrade identity authentication and key negotiation based on the SM2 cryptographic algorithm into an IPSec VPN technology that integrates the quantum key distribution network is a real problem that urgently needs to be solved.
The method and system for expanding the usage of the quantum key in IPSec VPN (invention patent publication number: CN 104660603A) already provides a method for expanding the use of quantum keys by an IPSec VPN. That method mainly opens a quantum key synchronization channel, in an asynchronous parallel mode, on top of a standard IPSec VPN gateway, so that the problem of the source of the IP data encryption key is solved. Further, that method hands the work of quantum key consistency verification to the key negotiation IKE module in the IPSec VPN security gateway and, in an asynchronous mode, establishes a quantum key pool that is independent of the key pool formed by classical IKE protocol negotiation; it neither extends nor modifies the original standard protocol of the IPSec VPN and does not reuse the IKE key negotiation channel and port number, from which it follows that the quantum key consistency verification can only be completed by establishing a new IP network channel. Secondly, whether it is the initiating or the responding end, the IPSec VPN gateway acquires the quantum key from the quantum key management terminal, and a corresponding tunnel cache is established by the cache module according to the tunnel identifier.
Disclosure of Invention
The invention aims to solve the technical problem of providing an IPSec VPN security gateway system integrating a quantum key distribution network technology, which can improve the security of a data encryption key depending on the quantum key distribution network technology on the basis of reducing the influence on an IKE protocol to the greatest extent.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows.
An IPSec VPN security gateway system integrating a quantum key distribution network technology comprises a quantum key distribution network access authentication module, a cryptographic module, a quantum key application acquisition module, a device management service connected to the outputs of the quantum key distribution network access authentication module and the cryptographic module, an IKE key negotiation module connected to the outputs of the cryptographic module and the quantum key application acquisition module, and an IPSec ESP processing module connected to the outputs of the IKE key negotiation module and the cryptographic module;
the quantum key distribution network access authentication module is used for realizing identity authentication and authorized access of the IPSec VPN security gateway according to the access specification and standard of the quantum key distribution network;
the quantum key application acquisition module is used for acquiring a quantum key and quantum key description information from the quantum key distribution network access device;
the cryptographic module is used for static key management and cryptographic algorithm logic realization functions;
the device management service is used for realizing human-machine interaction for managing the IPSec VPN security gateway's own parameters, function enabling and authority roles;
the IKE key negotiation module adds, to the original configuration policy of each tunnel in the IPSec VPN at the two ends, an item identifying whether the function of acquiring and using a quantum key from the quantum secure communication network is enabled; if the identifier is present, then in the second stage of IKE, after the responder receives and successfully parses the first packet message of the initiator, the responder applies for a quantum key of 96 bytes through the quantum key distribution network access device, and the quantum key distribution network access device takes a quantum key of the specified length out of its receiving key pool and returns the key description information to the requesting end; the first 48 bytes of the 96-byte quantum key are used for the responder's data encryption and integrity protection, and the last 48 bytes are used for the responder's data decryption and integrity verification;
the IPSec ESP processing module is used for providing a part of an IPSec protocol for encrypting and authenticating transmission data, protecting confidentiality and integrity of an IP data packet and protecting the security of data transmission through encryption and authentication; the keys for ESP encryption and authentication are typically generated by the IKE phase, with the encryption policies set into the configuration file by the device management service.
Preferably, the common physical forms of the cryptographic module include, but are not limited to: PCI/PCI-E cipher board card, USB cipher module, SATA cipher module and Mini PCI-E cipher module.
Preferably, the device management service includes, but is not limited to, the following functions: user login identity authentication, user role authority management, IP interface parameter management, security audit management, cryptographic service capability management, quantum key distribution network access management, cryptographic module management, classical key management, backup and recovery, quantum key record management, IKE key negotiation management, IP static routing management and IP encryption policy management.
Preferably, IKE comprises a main mode in the first stage and a fast mode in the second stage; a quantum key description payload is appended at the end of the second packet of the fast mode in the second stage of IKE, and is used for transmitting the 96-byte quantum key description information acquired from the quantum key distribution network access device; the content over which the message digest in the hash payload is computed also includes the newly added quantum key description information payload.
Preferably, the payload type value of the quantum key description information is 127, and the quantum key description information includes, but is not limited to, the following: key pool identifier, key pool offset, key length, token data, quantum key distribution network access device identifier and IPSec VPN security gateway identifier.
Preferably, after receiving the payload packet containing the quantum key description information, the initiator of the IKE protocol uses the quantum key description information to apply for the quantum key from its own quantum key distribution network access device, and that access device returns 96 bytes of quantum key data to the requester after verifying the quantum key description information; the initiator uses the first 48 bytes for decryption and integrity verification of received data and the last 48 bytes for encryption and integrity protection of transmitted data.
Preferably, before the IPSec VPN security gateway starts IKE key negotiation, it needs to configure, through the device management service, the information related to the local quantum key distribution network access device, including: the service application user name, the IP address and port number of the quantum key distribution network access device, the length of the quantum key obtained in a single request, the identifier of the peer quantum key distribution network access device and the peer service application user name.
Preferably, before the IPSec VPN security gateway starts IKE key negotiation, the gateway at either end needs to configure, through the device management service, a tunnel name, a local IP address, a local digital certificate, a peer IP address, the algorithm suite of the IKE stage, the algorithm suite of the IPSec ESP stage, the policies for IP packets to be encrypted, and whether to enable the quantum key distribution network; the algorithm suite of the IKE stage comprises a public key cryptographic algorithm, a digest algorithm and a symmetric encryption algorithm; the algorithm suite of the IPSec ESP stage comprises a digest algorithm and a symmetric encryption algorithm; each policy for IP packets to be encrypted includes a source address, a source port, a destination address, a destination port and a protocol number.
By adopting the technical scheme, the invention has the following technical progress.
The invention defines the form and the scene of the IPSec VPN security gateway accessing the quantum key distribution network and the mode of using the quantum key, can reduce the transformation complexity of the IPSec VPN security gateway accessing the quantum key distribution network to the maximum extent and improve the security of the IPSec VPN security gateway data transmission.
Drawings
Fig. 1 is a schematic diagram of a typical application scenario of a conventional general-purpose IPSec VPN security gateway;
Fig. 2 is a block diagram of the structure of the present invention;
Fig. 3 is a schematic view of an application scenario of the present invention;
Fig. 4 is the main flow chart of a service application accessing the quantum key distribution network access device of the present invention;
Fig. 5 is a schematic diagram of a local service application of the present invention obtaining a quantum key from the local quantum key distribution network access device by the first quantum key application method;
Fig. 6 is a schematic diagram of a peer service application of the present invention obtaining a quantum key from the peer quantum key distribution network access device by the second quantum key application method;
Fig. 7 is a definition diagram of the generic payload header of the present invention;
Fig. 8 is a schematic diagram of the quantum key description information payload structure of the present invention.
Detailed Description
The invention will be described in further detail with reference to the drawings and the detailed description.
An IPSec VPN security gateway system integrating quantum key distribution network technology is based on the existing IPSec VPN technical specification and gateway product specification by integrating the quantum key distribution network technology, comprising the technologies of adding quantum key related components, utilizing an IKE protocol expansion mechanism and the like, and can improve the security of a data encryption key depending on the quantum key distribution network technology on the basis of reducing the influence on an IKE protocol to the greatest extent.
As shown in figs. 2 and 3, the IPSec VPN security gateway system incorporating the quantum key distribution network technology comprises a quantum key distribution network access authentication module, a cryptographic module, a quantum key application acquisition module, a device management service connected to the outputs of the quantum key distribution network access authentication module and the cryptographic module, an IKE key negotiation module connected to the outputs of the cryptographic module and the quantum key application acquisition module, and an IPSec ESP (Encapsulating Security Payload) processing module connected to the outputs of the IKE key negotiation module and the cryptographic module.
The quantum key distribution network access authentication module is mainly used for realizing identity authentication and authorized access of the IPSec VPN security gateway according to the access specification and standard of the quantum key distribution network.
The quantum key application acquisition module is mainly used for acquiring the quantum key and the quantum key description information from the quantum key distribution network access device.
The cryptographic module is mainly used for static key management, cryptographic algorithm logic implementation and other functions, and common physical forms include but are not limited to: PCI/PCI-E cipher board card, USB cipher module, SATA cipher module, mini PCI-E cipher module, etc.
The device management service is mainly a human-machine interaction module for managing the IPSec VPN security gateway's own parameters, function enabling, authority roles and the like, and comprises the following functions: user login identity authentication, user role authority management, IP interface parameter management, security audit management, cryptographic service capability management, quantum key distribution network access management, cryptographic module management, classical key management, backup and recovery, quantum key record management, IKE key negotiation management, IP static route management, IP encryption policy management and others.
The IPSec ESP processing module is a part of an IPSec protocol for providing encryption and authentication of transmission data, is used for protecting confidentiality and integrity of IP data packets, and protects the security of data transmission through encryption and authentication; the keys for ESP encryption and authentication are typically generated by the IKE phase, with the encryption policies set into the configuration file by the device management service.
The quantum key distribution network access device is a quantum network access device equipped with a quantum key service (QKS) in a quantum communication system (invention patent publication number: CN 112422284A). The device is mainly used to interface with each service application; key sharing and synchronization can be realized between the devices at any two ends through the quantum communication network, completing the distribution of quantum keys to service applications. The device carries a unique identifier in the quantum key distribution network: QKS_ID.
The main flow of a service application accessing the quantum key distribution network access device is shown in fig. 4. The service application first applies to the quantum key distribution network access device for application identity credentials, providing the application user name USR_URI (the user name must be unique across the network) and a temporary service application credential TMP_Credential (a random number 32 bytes long); after the manager of the quantum key distribution network access device verifies and approves the USR_URI, the device records the USR_URI and TMP_Credential. The service application then uses the USR_URI and TMP_Credential to obtain the formal identity credential USR_Credential from the quantum key distribution network access device; USR_Credential is a random number 32 bytes long generated by the quantum key distribution network access device, and it replaces the temporary identity credential TMP_Credential associated with the USR_URI in the device.
The quantum key distribution network access device may provide end-to-end key service capability, which refers to a service that provides a shared key between two quantum key distribution network access devices. Further, the two devices are respectively provided with a first key pool and a second key pool, and the key pools between the two devices are mutually sending and receiving key pools, namely, the first key pool at the home terminal corresponds to the second key pool at the opposite terminal, and the key data in the first key pool at the home terminal is generated by the home terminal and is synchronized to the second key pool at the opposite terminal; the second key pool of the home terminal corresponds to the first key pool of the opposite terminal, and the second key pool of the home terminal is generated and synchronized by the opposite terminal.
Further, as shown in fig. 5, when the local service application obtains a quantum key from the local quantum key distribution network access device through the first application method, it needs to provide: the local service application user name (S_USR_URI), the local service application credential (S_USR_Credential), the peer quantum key distribution network access device identifier (D_QKS_ID), the peer service application user name (D_USR_URI) and the quantum key length (Key_Length); the local quantum key distribution network access device returns quantum key data (Key_Data) of the specified length together with the quantum key description information. The quantum key description information includes the identifier of the local second key pool (Pool_ID), the key offset position (Pool_Offset) and the retrieval credential (Token), and the local service application sends the quantum key description information to the peer service application over the classical communication network. The retrieval credential Token is computed as follows:
Token = Hash(S_QKS_ID + S_USR_URI + D_QKS_ID + D_USR_URI + Pool_ID + Pool_Offset + Key_Length + Key_Data).
Further, as shown in fig. 6, when the peer service application obtains the quantum key from the peer quantum key distribution network access device through the second application method, it needs to provide: the peer service application user name (D_USR_URI), the peer service application credential (D_USR_Credential), the local service application user name (S_USR_URI), the local service application credential (S_USR_Credential), the identifier of the local second key pool (Pool_ID), the key offset position (Pool_Offset) and the retrieval credential (Token). The peer quantum key distribution network access device takes the quantum key at the designated position and of the designated length out of its first key pool, performs the same computation as the Token calculation, compares the result with the retrieval credential Token submitted by the peer service application, and returns the quantum key data (Key_Data) to the peer service application if they are consistent; at this point, the service applications at both ends hold exactly the same quantum key.
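The two application methods of figs. 5 and 6, as an added simulation that is not part of the patent: two constructed QKS access devices with mirrored key pools, the Token formula above, and the peer-side recomputation that releases Key_Data only on a match. Hash() is assumed to be SHA-256, the field encoding inside the hash input is an assumption, and the peer request here omits S_USR_Credential, which the page lists but whose check it does not specify.

```python
import hashlib
import hmac
import os
import struct

# Constructed simulation of figs. 5 and 6. Hash() is not named on the page, so
# SHA-256 is assumed; the length prefixes and integer widths are assumptions too.
KEY_LENGTH = 96      # bytes requested per tunnel, as in the page
POOL_SIZE = 4096     # constructed pool size


def compute_token(s_qks_id, s_usr_uri, d_qks_id, d_usr_uri,
                  pool_id, pool_offset, key_length, key_data):
    """Token = Hash(S_QKS_ID + S_USR_URI + D_QKS_ID + D_USR_URI + Pool_ID
    + Pool_Offset + Key_Length + Key_Data), with length-prefixed strings and
    big-endian integers so that the concatenation is unambiguous."""
    h = hashlib.sha256()
    for s in (s_qks_id, s_usr_uri, d_qks_id, d_usr_uri, pool_id):
        b = s.encode()
        h.update(struct.pack(">H", len(b)) + b)
    h.update(struct.pack(">II", pool_offset, key_length))
    h.update(key_data)
    return h.digest()


class QksDevice:
    def __init__(self, qks_id):
        self.qks_id = qks_id                      # unique QKS_ID
        self.first_pool_id = qks_id + "-P1"
        self.first_pool = os.urandom(POOL_SIZE)   # stands in for QKD output
        self.second_pool_id = None                # filled in by the peer
        self.second_pool = None
        self.credentials = {}                     # USR_URI -> USR_Credential
        self.next_offset = 0

    def sync_to(self, peer):
        """QKD key sharing stand-in: the peer's second pool mirrors our first pool."""
        peer.second_pool_id = self.first_pool_id
        peer.second_pool = self.first_pool

    def register(self, usr_uri):
        """Issue the 32-byte USR_Credential for a service application."""
        cred = os.urandom(32)
        self.credentials[usr_uri] = cred
        return cred

    def _authenticated(self, usr_uri, cred):
        expected = self.credentials.get(usr_uri)
        return expected is not None and hmac.compare_digest(expected, cred)

    def request_key(self, s_usr_uri, s_cred, d_qks_id, d_usr_uri, key_length):
        """First application method (fig. 5): returns Key_Data and the
        description information (Pool_ID, Pool_Offset, Token, ...) to forward."""
        if not self._authenticated(s_usr_uri, s_cred):
            raise PermissionError("unknown service application or bad credential")
        if self.second_pool is None or self.next_offset + key_length > POOL_SIZE:
            raise RuntimeError("second key pool not synchronised or exhausted")
        offset = self.next_offset
        self.next_offset += key_length            # never hand out the same bytes twice
        key_data = self.second_pool[offset:offset + key_length]
        token = compute_token(self.qks_id, s_usr_uri, d_qks_id, d_usr_uri,
                              self.second_pool_id, offset, key_length, key_data)
        description = {"Pool_ID": self.second_pool_id, "Pool_Offset": offset,
                       "Key_Length": key_length, "Token": token,
                       "S_QKS_ID": self.qks_id, "S_USR_URI": s_usr_uri}
        return key_data, description

    def retrieve_key(self, d_usr_uri, d_cred, description):
        """Second application method (fig. 6): recompute the Token over the key at
        the designated position in the first pool; release it only on a match."""
        if not self._authenticated(d_usr_uri, d_cred):
            raise PermissionError("unknown service application or bad credential")
        if description["Pool_ID"] != self.first_pool_id:
            raise ValueError("Pool_ID does not name this device's first pool")
        offset, length = description["Pool_Offset"], description["Key_Length"]
        if offset < 0 or length <= 0 or offset + length > POOL_SIZE:
            raise ValueError("Pool_Offset/Key_Length outside the pool")
        key_data = self.first_pool[offset:offset + length]
        expected = compute_token(description["S_QKS_ID"], description["S_USR_URI"],
                                 self.qks_id, d_usr_uri, self.first_pool_id,
                                 offset, length, key_data)
        if not hmac.compare_digest(expected, description["Token"]):
            return None                           # mismatch: no key leaves the device
        return key_data


def exchange(key_length=KEY_LENGTH):
    """Full run between gateway A (initiator side) and gateway B (responder side)."""
    qks_a, qks_b = QksDevice("QKS-A"), QksDevice("QKS-B")
    qks_a.sync_to(qks_b)
    qks_b.sync_to(qks_a)
    cred_a = qks_a.register("gw-a@example")
    cred_b = qks_b.register("gw-b@example")
    key_a, desc = qks_a.request_key("gw-a@example", cred_a, "QKS-B",
                                    "gw-b@example", key_length)
    key_b = qks_b.retrieve_key("gw-b@example", cred_b, desc)   # desc sent classically
    return key_a, key_b, desc
```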
The IKE in the general IPSec VPN technical specification comprises 2 stages, namely a main mode in a first stage and a fast mode in a second stage, and the invention mainly carries out upgrading and reconstruction in a fast mode protocol in the second stage through an IKE key negotiation module.
Firstly, adding 1 item for marking whether to start the function of acquiring and using the quantum key from the quantum secret communication network in the original configuration strategy of each tunnel in the IPSec VPN at two ends, if the item of marking exists, then in the IKE second stage, after the response party receives the 1 st packet information of the initiator and analyzes the 1 st packet information successfully, the response party applies for the quantum key with 96 bytes length through the quantum key distribution network access device, and the quantum key distribution network access device takes the quantum key with the appointed length from the received key pool and returns the key description information to the request end. The first 48 byte key is used for the encryption and the integrity protection of the data of the response party, and the second 48 byte key is used for the decryption and the integrity verification of the data of the response party.
According to the payload format of the GM/T0022-2014 IPSec VPN technical Specification section 5.1.4 key exchange, each payload is started by a generic payload header, which defines the boundaries of the payload, so that different payloads can be concatenated, the definition of the generic payload header is shown in figure 7.
The following load: the length is 1 byte, identifying the type of the next payload after the present payload. If the current load is the last, this field will be set to 0.
And (3) reserving: the length is 1 byte and its value is 0.
Load length: the length is 2 bytes, and the length of the entire load including the universal load head is indicated in bytes.
The invention appends a quantum key description payload to the tail of the second packet (the packet sent by the responder) of the existing IKE phase 2 quick mode, i.e. after the IDcr payload. This payload carries the 96 bytes of quantum key description information obtained from the quantum key distribution network access device, and the invention assigns it a payload type value of 127. The structure of the quantum key description information payload is shown in fig. 8. The message digest computed in the hash payload now also covers the newly added quantum key description information payload.
When the IKE initiator receives the packet carrying the quantum key description information payload (the second packet of quick mode), it uses the description information to request a quantum key from its own quantum key distribution network access device; after verifying the description information, the access device returns the quantum key data (96 bytes long) to the requester. The initiator uses the first 48 bytes to decrypt and verify the integrity of received data, and the second 48 bytes to encrypt and integrity-protect transmitted data.
The quantum key description information in the present invention includes, but is not limited to: (1) a key pool identifier, (2) a key pool offset, (3) a key length, (4) token data, (5) a quantum key distribution network access device identifier, and (6) an IPSec VPN security gateway identifier.
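As an added example (not the patent's own code, which the page does not show), the following Python builds and parses a chain of payloads in the generic header format above, pulls the 96-byte type-127 quantum key description payload from the message tail, and assigns the two 48-byte halves of the returned key to each side's send and receive directions. The Identification payload type value 5 and the sample payload bodies are assumptions, and because the page does not give the internal field layout of the description information it is treated as an opaque 96-byte block.

```python
import struct
# Generic payload header per GM/T 0022-2014 section 5.1.4 (same layout as the ISAKMP generic
# header): next payload (1 byte), reserved (1 byte, 0), payload length (2 bytes, includes header).
HDR = struct.Struct("!BBH")
QK_DESC_TYPE = 127   # payload type the page assigns to the quantum key description payload
QK_DESC_LEN = 96     # size of the quantum key description information, in bytes
ID_TYPE = 5          # ISAKMP Identification payload type (IDcr); assumed for the sample chain

def build_chain(payloads):
    """Concatenate (type, body) pairs; each header names the next payload's type, the last carries 0."""
    out = bytearray()
    for i, (_, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        out += HDR.pack(nxt, 0, HDR.size + len(body)) + body
    return bytes(out)

def parse_chain(first_type, data):
    """Walk the payload chain and return [(type, body), ...]; reject truncated or oversized lengths."""
    chain, ptype, off = [], first_type, 0
    while True:
        if off + HDR.size > len(data):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, reserved, plen = HDR.unpack_from(data, off)
        if reserved != 0 or plen < HDR.size or off + plen > len(data):
            raise ValueError("bad payload header at offset %d" % off)
        chain.append((ptype, data[off + HDR.size:off + plen]))
        off += plen
        if nxt == 0:
            break
        ptype = nxt
    if off != len(data):
        raise ValueError("trailing bytes after the last payload")
    return chain

def extract_qk_description(first_type, data):
    """Return the 96-byte description carried by the type-127 payload at the message tail."""
    ptype, body = parse_chain(first_type, data)[-1]
    if ptype != QK_DESC_TYPE or len(body) != QK_DESC_LEN:
        raise ValueError("quantum key description payload missing or malformed")
    return body

def split_quantum_key(key96, role):
    """Split the 96-byte quantum key into (encrypt/protect key, decrypt/verify key) for a role.
    The responder encrypts with the first 48 bytes; the initiator uses the mirror image."""
    if len(key96) != 96 or role not in ("initiator", "responder"):
        raise ValueError("expected a 96-byte quantum key and a valid role")
    first, second = key96[:48], key96[48:]
    return (first, second) if role == "responder" else (second, first)
```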
Since the IPSec VPN specifications require session keys to be updated periodically, the key update protocol is handled in the same manner, using the new payload in quick mode.
Before the IPSec VPN security gateway starts IKE key negotiation, it must be configured, through the device management service, with the information needed to access the local quantum key distribution network access device, namely: the service application user name, the IP address and port number of the quantum key distribution network access device, the length of quantum key obtained per request, the identifier of the peer quantum key distribution network access device, and the peer service application user name.
Further, before the IPSec VPN security gateway starts IKE key negotiation, the IPSec VPN security gateway at each end needs to configure a tunnel name, a local IP address, a local digital certificate, a peer IP address, an IKE phase algorithm suite (comprising a public key cryptographic algorithm, a digest algorithm, and a symmetric encryption algorithm), an IPSec ESP phase algorithm suite (comprising a digest algorithm and a symmetric encryption algorithm), the IP packet policies to be encrypted (each policy comprising a source address, a source port, a destination address, a destination port, and a protocol number), and whether to enable the quantum key distribution network.
When the IPSec VPN security gateway accesses quantum key distribution in this way, compared with the existing IPSec VPN security gateway structure, the form and scenario in which the gateway accesses the quantum key distribution network and the manner in which it uses the quantum key are defined; this keeps the modifications needed for the gateway to access the quantum key distribution network to a minimum and improves the security of the gateway's data transmission.

Claims (8)

1. An IPSec VPN security gateway system integrating quantum key distribution network technology, characterized in that: the system comprises a quantum key distribution network access authentication module, a cryptographic module, a quantum key application acquisition module, a device management service connected to the outputs of the quantum key distribution network access authentication module and the cryptographic module, an IKE key negotiation module connected to the outputs of the cryptographic module and the quantum key application acquisition module, and an IPSec ESP processing module connected to the outputs of the IKE key negotiation module and the cryptographic module;
the quantum key distribution network access authentication module is used to realize identity authentication and authorized access of the IPSec VPN security gateway according to the access specifications and standards of the quantum key distribution network;
the quantum key application acquisition module is used to acquire a quantum key and quantum key description information from the quantum key distribution network access device;
the cryptographic module is used for static key management and for implementing the cryptographic algorithm logic;
the device management service provides the man-machine interaction for managing the IPSec VPN security gateway's own parameters, function enabling, and permission roles;
the IKE key negotiation module adds, to the original configuration policy of each tunnel in the IPSec VPNs at both ends, a flag identifying whether the function of acquiring and using quantum keys from the quantum secure communication network is enabled; if the flag is present, the responder, after receiving and successfully parsing the initiator's first packet message of IKE phase 2, requests a 96-byte quantum key through the quantum key distribution network access device, and the access device takes a quantum key of the specified length from its received key pool and returns the key description information to the requesting end; of the 96-byte quantum key, the first 48 bytes are used for the responder's data encryption and integrity protection, and the last 48 bytes for the responder's data decryption and integrity verification;
the IPSec ESP processing module provides the part of the IPSec protocol that encrypts and authenticates transmitted data, protecting the confidentiality and integrity of IP packets and thereby the security of data transmission; the keys for ESP encryption and authentication are typically generated in the IKE phase, and the encryption policies are written into the configuration file by the device management service.
2. The IPSec VPN security gateway system integrating quantum key distribution network technology according to claim 1, wherein: common physical forms of the cryptographic module include, but are not limited to: a PCI/PCI-E cryptographic card, a USB cryptographic module, a SATA cryptographic module, and a Mini PCI-E cryptographic module.
3. The IPSec VPN security gateway system integrating quantum key distribution network technology according to claim 1, wherein: the device management service includes, but is not limited to, the following functions: user login identity authentication, user role permission management, IP interface parameter management, security audit management, cryptographic service capability management, quantum key distribution network access management, cryptographic module management, classical key management, backup and recovery, quantum key record management, IKE key negotiation management, IP static routing management, and IP encryption policy management.
4. The IPSec VPN security gateway system integrating quantum key distribution network technology according to claim 1, wherein: the IKE comprises a phase 1 main mode and a phase 2 quick mode; a quantum key description payload is appended after the message tail of the second packet of the IKE quick mode and is used to carry the 96-byte quantum key description information acquired from the quantum key distribution network access device, and the message digest computed in the hash payload also covers the added quantum key description information payload.
5. The IPSec VPN security gateway system integrating quantum key distribution network technology according to claim 4, wherein: the payload type value of the quantum key description information payload is 127, and the quantum key description information includes, but is not limited to: a key pool identifier, a key pool offset, a key length, token data, a quantum key distribution network access device identifier, and an IPSec VPN security gateway identifier.
6. The IPSec VPN security gateway system integrating quantum key distribution network technology according to claim 4, wherein: when the initiator of the IKE protocol receives the packet carrying the quantum key description information payload, it uses the quantum key description information to request a quantum key from its own quantum key distribution network access device, and the access device returns 96 bytes of quantum key data to the requester after verifying the quantum key description information; the initiator uses the first 48 bytes to decrypt and verify the integrity of received data, and the second 48 bytes to encrypt and integrity-protect transmitted data.
7. The IPSec VPN security gateway system integrating quantum key distribution network technology according to claim 4, wherein: before the IPSec VPN security gateway starts IKE key negotiation, it must be configured, through the device management service, with the information needed to access the local quantum key distribution network access device, namely: the service application user name, the IP address and port number of the quantum key distribution network access device, the length of quantum key obtained per request, the identifier of the peer quantum key distribution network access device, and the peer service application user name.
8. The IPSec VPN security gateway system integrating quantum key distribution network technology according to claim 7, wherein: before the IPSec VPN security gateway starts IKE key negotiation, the IPSec VPN security gateway at each end needs to configure, through the device management service, a tunnel name, a local IP address, a local digital certificate, a peer IP address, an IKE phase algorithm suite, an IPSec ESP phase algorithm suite, the IP packet policies to be encrypted, and whether the quantum key distribution network is enabled; the IKE phase algorithm suite comprises a public key cryptographic algorithm, a digest algorithm, and a symmetric encryption algorithm; the IPSec ESP phase algorithm suite comprises a digest algorithm and a symmetric encryption algorithm; and each IP packet policy to be encrypted comprises a source address, a source port, a destination address, a destination port, and a protocol number.
CN202311713204.5A 2023-12-14 2023-12-14 IPSec VPN security gateway system integrating quantum key distribution network technology Pending CN117640087A (en)


Publications (1)

Publication Number Publication Date
CN117640087A true CN117640087A (en) 2024-03-01

Family

ID=90037600


Country Status (1)

Country Link
CN (1) CN117640087A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118381609A (en) * 2024-06-21 2024-07-23 正则量子(北京)技术有限公司 Method and device for providing multi-type quantum security key



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination