WO2025118789A1 - Double-encryption method based on ipsec and quantum key, and encryption gateway - Google Patents

Info

Publication number
WO2025118789A1
WO2025118789A1 PCT/CN2024/120830 CN2024120830W WO2025118789A1 WO 2025118789 A1 WO2025118789 A1 WO 2025118789A1 CN 2024120830 W CN2024120830 W CN 2024120830W WO 2025118789 A1 WO2025118789 A1 WO 2025118789A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
encryption
quantum key
decryption
gateway
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/CN2024/120830
Other languages
French (fr)
Chinese (zh)
Inventor
徐凯年
覃洋
龙翔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Quantum Technology Co Ltd
Original Assignee
China Telecom Quantum Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Telecom Quantum Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H04L63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography
    • H04L9/40 Network security protocols

Definitions

  • the present application relates to the fields of cryptographic applications and network security, and specifically to a dual encryption method and encryption gateway based on IPsec and quantum key.
  • IPSec: Internet Protocol Security
  • VPN: Virtual Private Network gateways
  • the Chinese invention patent application document with application publication number CN116405206A discloses a method for data encryption and decryption of a security gateway, in which quantum key encryption is used, and the session ID of the quantum key is used as the SPI (Security Parameter Index) in the Encapsulating Security Payload (ESP) and passed to the other end to realize data decryption.
  • this solution will also add additional data encapsulation on the basis of the payload data, which will increase additional overhead for the user's network bandwidth.
  • the Chinese invention patent application document with application publication number CN115567205A discloses a method for implementing encryption and decryption of network session data streams using quantum key distribution.
  • the main features of this scheme are: (1) a mapping relationship is established between the quantum master key ID and the 5-tuple network session stream through the quantum distribution network, and the master key identifier is placed in the security message header of the encrypted data message to achieve end-to-end encrypted communication. (2) The functions of establishing, aging, and deleting the flow table are realized.
  • This scheme also adds additional data encapsulation, increases the user's network bandwidth overhead, and has complex function implementation.
  • the technical problem to be solved by this application is how to achieve end-to-end encryption of data payloads without adding additional payload encapsulation, thereby improving the confidentiality of data messages while not reducing the use of user bandwidth.
  • the present application proposes a dual encryption method based on IPsec and quantum key for encryption gateway, comprising the following steps:
  • the encryption gateway is registered with the quantum key distribution center through a unique identifier. After successful registration, the quantum key distribution center injects quantum keys into the encryption gateway;
  • the encryption gateway receives the incoming data message and adds an encryption tag or a decryption tag to the data packet of the incoming data message;
  • the quantum key sa is used to encrypt the data encrypted by the security association again.
  • the double-encrypted data becomes outbound message data and is sent out from the encryption gateway, or the data is double-decrypted to obtain the original ciphertext.
  • the encryption gateway receives the incoming data message and adds an encryption tag or a decryption tag to the data packet of the incoming data message, including the following steps:
  • the stacked data message enters
  • the incoming data packet is encrypted and the corresponding security association is checked based on the outbound security policy.
  • the security association information is saved in the data message
  • the security association is negotiated through the IKE protocol and the security association information is saved in the data message;
  • if the outbound security policy fails to match, the source address and destination address of the incoming data packet are swapped, and the inbound security policy is matched based on the five-tuple information;
  • the incoming data packet is marked with a decryption tag
  • the incoming data packet cannot match the outbound security policy or the inbound security policy and is discarded.
  • the data encrypted by the security association is encrypted again using the quantum key sa, and the double-encrypted data becomes the outbound message data and is sent out from the encryption gateway, or the data is double-decrypted to obtain the ciphertext original text, which specifically includes:
  • the data message is encrypted using the security association through the encryption label
  • the data processed by the data encryption and decryption module becomes outbound message data and is sent out from the encryption gateway;
  • the quantum key sa is obtained by decrypting the tag, and the data is decrypted using the quantum key sa;
  • the data message is decrypted using the security association to obtain the original data message.
  • data encryption adopts the CBC+ mode.
  • the encryption tag and the security association are used to encrypt the data message, which specifically includes:
  • the decryption process of using the security association to decrypt the data message to obtain the original data message specifically includes:
  • if the remaining length is less than that of an encrypted data packet, take the ciphertext of the previous packet before decryption as the IV value, use the session key K to decrypt the IV, with decryption algorithm SM4 and decryption mode ECB, to obtain Kiv, truncate Kiv to make its length equal to the ciphertext data length, and then XOR it with the ciphertext data to obtain plaintext data 2;
  • the step of obtaining the quantum key sa and re-encrypting the data encrypted by the security association using the quantum key sa specifically includes:
  • the quantum key ID is calculated through the SPI of the initiator and responder in the security association.
  • the quantum key ID calculated by SPI is unique.
  • the data encrypted by IPSec sa is encrypted again using the quantum key sa.
  • the encryption method is the same as that of S403.
  • the step of obtaining the quantum key sa by decrypting the tag and decrypting the data by using the quantum key sa specifically includes:
  • the quantum key ID is calculated through the SPI of the initiator and responder in the security association.
  • the quantum key ID calculated by SPI is unique.
  • the quantum key sa is used to decrypt the data encrypted by IPSec sa.
  • the decryption method is the same as that of S407.
  • the present application further provides an encryption gateway for executing a dual encryption method based on IPsec and quantum key as described in any of the above technical solutions, including:
  • the quantum key module is used for the encryption gateway to register with the quantum key distribution center through a unique identifier. After successful registration, the quantum key distribution center injects quantum keys into the quantum key module of the encryption gateway;
  • the xfrm module is used to receive the incoming data message and call the encryption and decryption label of the iptables module to add an encryption label or a decryption label to the incoming data message;
  • the iptables module creates encryption labels and decryption labels in advance, sets rules in the POSTROUTING chain of the shaped table, creates a mount node using encryption labels or decryption labels, and sends the data packets marked with encryption labels or decryption labels to the encryption and decryption module;
  • the data encryption and decryption module uses the security association to encrypt the data once, and then uses the quantum key sa to encrypt the data encrypted by the security association again.
  • the double-encrypted data becomes the outbound message data and is sent out from the encryption gateway, or the data is double-decrypted to obtain the original ciphertext.
  • the xfrm module specifically includes:
  • xfrm module entry unit: used to push data packets into the xfrm module
  • Outbound security policy matching unit: used to match outbound security policies according to five-tuple information
  • First judgment unit: used to judge whether the matching of the outbound security policy is successful
  • Security association search unit: if the outbound security policy is matched successfully, it is used to add an encryption tag to the incoming data message and search for the corresponding security association according to the outbound security policy.
  • Encryption tag unit: when a security association exists, the security association information is stored in the data message;
  • Security association negotiation unit: when a security association does not exist, it is used to negotiate a security association through the IKE protocol and save the security association information in the data message;
  • Inbound security policy matching unit: when outbound security policy matching fails, it is used to swap the source address and destination address of the incoming data packet and match the inbound security policy according to the five-tuple information;
  • Decryption labeling unit: if the inbound security policy is successfully matched, the incoming data packet is labeled with a decryption label;
  • Discard unit: if the incoming data packet cannot match the outbound security policy or the inbound security policy, it will be discarded.
  • the data encryption and decryption module specifically includes:
  • Data receiving unit: receives data with encryption or decryption tags
  • Direction label judgment unit: judges whether it is an outgoing direction label or an incoming direction label
  • Encryption unit: if it is an outgoing label, encrypts the data message using the security association through the encryption label;
  • Re-encryption unit: used to obtain the quantum key sa, and use the quantum key sa to re-encrypt the data encrypted by the security association;
  • Sending unit: used to convert the re-encrypted data into outbound message data and send it out from the encryption gateway;
  • Decryption unit: if it is an incoming tag, obtains the quantum key sa through the decryption tag, and uses the quantum key sa to decrypt the data;
  • the decryption unit decrypts the data message again using the security association to obtain the original data message.
  • the data encryption adopts the CBC+ mode, which specifically includes:
  • the decryption process specifically includes:
  • if the remaining length is less than that of an encrypted data packet, take the ciphertext of the previous packet before decryption as the IV value, use the session key K to decrypt the IV, with decryption algorithm SM4 and decryption mode ECB, to obtain Kiv, truncate Kiv to make its length equal to the ciphertext data length, and then XOR it with the ciphertext data to obtain plaintext data 2;
  • the present application also provides a dual encryption method based on IPsec and quantum key, which is applicable to the transmission of message data from a first encryption gateway to a second encryption gateway, wherein the first encryption gateway and the second encryption gateway adopt the mechanism described in any one of claims 6 to 9, and the encryption method comprises the following steps:
  • the first encryption gateway registers with the quantum key distribution center through the unique identifier and the unique identifier of the second encryption gateway. After successful registration, the quantum key distribution center injects the first quantum key into the quantum key module of the first encryption gateway.
  • the second encryption gateway registers with the quantum key distribution center through the unique identifier and the unique identifier of the first encryption gateway. After successful registration, the quantum key distribution center injects the second quantum key into the quantum key module of the second encryption gateway.
  • the identifiers registered by the first encryption gateway and the second encryption gateway to the quantum key distribution center are consistent, forming the same quantum key pool, that is, the first quantum key and the second quantum key are the same;
  • the first encryption gateway receives the incoming data message and adds an encryption tag to the data packet of the incoming data message through the xfrm module;
  • the iptables module of the first encryption gateway sends the data packet marked with the encryption label in S2 to the encryption and decryption module through the hook node created by the encryption label;
  • after the second encryption gateway receives the ciphertext data from the first encryption gateway, it sends the source address and destination address
  • the five-tuple information is used to match the outbound security policy in the xfrm module, and the security association corresponding to the security policy is obtained; at the same time, the incoming data message is marked with a decryption tag;
  • the iptables module of the second encryption gateway uses the hook node created by the decryption label to send the data packet marked with the decryption label in step S5 to the encryption and decryption module;
  • the second encryption gateway obtains the quantum key sa from the quantum key pool of the quantum encryption module and uses the quantum key sa to decrypt the data;
  • the data encryption and decryption module of the second encryption gateway decrypts the data message again by using the security association stored in the data message through the decryption tag to obtain the original text of the data message.
  • the present application proposes a computing processing device, comprising: a memory in which a computer-readable code is stored; and one or more processors.
  • the computing processing device executes the authentication method based on double quantum random number protection as described above.
  • the present application proposes a computer program, which includes a computer-readable code.
  • when the computer-readable code is run on a computing processing device, it causes the computing processing device to execute any of the authentication methods based on double quantum random number protection as described above.
  • the present application proposes a computer-readable medium in which the computer program described above is stored.
  • This method uses quantum key distribution, xfrm and iptables modules to encrypt the payload data behind the IP header.
  • the main creativity lies in:
  • Data encapsulation does not require additional payload encapsulation and does not change the original structure of the data packet. It is applicable to a wider range of network environments. No matter how complex the intermediate network environment is, the data packet can be transmitted normally in the network and does not generate additional overhead for the user's network bandwidth.
  • This method not only meets the networking environment of traditional VPN, but also provides a data encryption mechanism based on Layer 2 network (data link layer), realizing a safer and more efficient encryption transmission method.
  • the link is completely transparent and the connection is extremely easy to deploy.
  • FIG. 1 is a block diagram of a data encryption system based on quantum key in an embodiment of the present application.
  • FIG. 2 is a block diagram of the connection structure of the encryption gateway and the quantum key distribution system in an embodiment of the present application.
  • FIG. 3 is a flow chart of data processing of the xfrm module in the encryption gateway in an embodiment of the present application.
  • FIG. 4 is a data processing flow chart of a data encryption and decryption module in an encryption gateway in an embodiment of the present application.
  • FIG. 5 is a flowchart of the interaction between encryption gateways in an embodiment of the present application.
  • FIG. 6 is a schematic diagram of the structure of a computing and processing device proposed in an embodiment of the present application.
  • FIG. 7 is a schematic diagram of a storage unit for program code proposed in an embodiment of the present application.
  • the present application provides a dual encryption method based on IPsec and quantum key, which is used for an encryption gateway, and the encryption gateway includes:
  • Incoming data message: the data message received by the encryption gateway
  • Outbound data message: the data message after encryption or decryption
  • xfrm module: implements the addition, deletion, modification and query of security policies (sp) and the negotiation and aging of security associations (sa), matches security policies on incoming data packets, and adds encryption and decryption tags according to the direction of the matching policy;
  • xfrm stands for Transform, which is part of the IPsec protocol stack.
  • iptables (firewall) module: creates encryption labels and decryption labels, sets rules in the POSTROUTING chain of the shaped table, creates a hook using encryption labels or decryption labels, and sends data matching the encryption and decryption labels to the data encryption and decryption module through the hook mechanism;
  • iptables is a firewall and network address translation tool
  • is used to modify specific fields of the data packet
  • POSTROUTING is used to process the data packet after the routing decision.
  • Data encryption and decryption module: encrypts or decrypts data packets by judging the labels of data packets.
  • the encryption and decryption keys come from IKE key negotiation and quantum key distribution.
  • the double encryption method comprises the following steps:
  • the encryption gateway registers with the quantum key distribution center through a unique identifier. After successful registration, the quantum key distribution center injects quantum keys into the quantum key module of the encryption gateway. The identifiers registered by each communicating encryption gateway to the quantum key distribution center are consistent, forming the same quantum key pool;
  • Step S20: the encryption gateway receives the incoming data message, and adds an encryption tag or a decryption tag to the data packet of the incoming data message through the xfrm module.
  • step S20 specifically includes:
  • the xfrm module matches the outbound security policy (sp) according to the five-tuple information (source IP address, destination IP address, source port, destination port, protocol);
  • S203: determine whether the matching of the outbound security policy (sp) is successful; if successful, proceed to S204; if failed, proceed to S207;
  • S204: the outbound security policy (sp) matches successfully, and the xfrm module calls the encryption label of the iptables module to add an encryption label to the incoming data message.
  • the xfrm module checks, according to the outbound security policy (sp), whether the corresponding security association (IPSec sa) exists. If it exists, go to S205. If not, go to S206.
  • S205: the security association (IPSec sa) exists, and the information of IPSec sa is saved in the data message;
  • S206: the security association (IPSec sa) does not exist.
  • the xfrm module negotiates the security association (IPSec sa) through the IKE protocol and saves the information of IPSec sa in the data message.
  • if the outbound security policy (sp) fails to match, the xfrm module swaps the source address and the destination address of the incoming data message, and uses the xfrm module to match the inbound security policy (sp) according to the five-tuple information (source IP address, destination IP address, source port, destination port, protocol);
  • S208: determine whether the match of the inbound security policy (sp) is successful. If successful, proceed to S209. If not, proceed to S210.
  • the iptables module of the encryption gateway creates a mount node using the encryption label or the decryption label, and sends the data packet marked with the encryption label or the decryption label in S204 or S209 to the encryption and decryption module.
  • Step S40: the data encryption and decryption module encrypts the data to convert it into outbound message data, and sends it out from the encryption gateway, or decrypts the data to obtain the ciphertext original.
  • step S40 specifically includes:
  • Step S401: the incoming message data enters the data encryption and decryption module according to the encryption or decryption tag;
  • Step S402: determine whether it is an outgoing label or an incoming label. If it is an outgoing label, proceed to steps S403 to S405. If it is an incoming label, proceed to step S406.
  • Step S403: the data encryption and decryption module of the encryption gateway encrypts the data message by using the IPSec sa stored in the data message through the encryption tag.
  • the data encryption adopts the CBC+ (CBC, Cipher Block Chaining) mode, which specifically includes:
  • the ciphertext data 1 and the ciphertext data 2 are concatenated to obtain the complete ciphertext, wherein the complete ciphertext does not add additional encapsulation to the original data, thereby achieving the purpose of not changing the original message structure;
  • Step S404: the encryption gateway obtains the quantum key sa from the quantum key pool of the quantum encryption module.
  • the quantum key sa is used to encrypt the data encrypted by IPSec sa again, including:
  • the data encryption and decryption module calculates the quantum key ID through the spi of the initiator and responder in IPSec sa. Since spi (Security Parameter Index) is used to uniquely identify IPSec sa, the quantum key ID calculated using spi is also unique.
  • the data encryption and decryption module obtains the quantum key sa from the quantum key pool through the quantum key ID;
  • the data encryption and decryption module uses the quantum key sa to re-encrypt the data encrypted by IPSec sa, and the encryption method is consistent with the encryption method of S403;
  • Step S405: the data processed by the data encryption and decryption module becomes outbound message data and is sent out from the encryption gateway;
  • Step S406: the data encryption and decryption module of the encryption gateway obtains the quantum key sa from the quantum key pool of the quantum encryption module through the decryption tag, and uses the quantum key sa to decrypt the data.
  • the decryption principle is the same as step S404, specifically including:
  • Step S407: decrypt the data message again using the IPSec sa stored in the data message to obtain the original data message, which specifically includes the following:
  • this embodiment provides a data encryption system based on a quantum key, including: a first encryption gateway, a second encryption gateway, and a quantum key center.
  • the first encryption gateway and the second encryption gateway are both connected to the quantum key center, and the first encryption gateway and the second encryption gateway negotiate a key, and the first encryption gateway and the second encryption gateway submit a registration application to the quantum key distribution center, and the quantum key distribution center distributes quantum keys to the first encryption gateway and the second encryption gateway.
  • the first encryption gateway and the second encryption gateway have the same structure, and adopt the encryption gateway structure and encryption method described in Example 1.
  • Quantum key module: obtains batches of quantum keys from the quantum key distribution center, and each group of keys has a unique ID.
  • the present application provides a dual encryption method based on IPsec and quantum key, which is applicable to message data transmitted from a first encryption gateway to a second encryption gateway.
  • the dual encryption method includes the following steps:
  • the first encryption gateway registers with the quantum key distribution center through the unique identifier and the unique identifier of the second encryption gateway. After the registration is successful, the quantum key distribution center injects the first quantum key into the quantum key module of the first encryption gateway.
  • the second encryption gateway registers with the quantum key distribution center through the unique identifier and the unique identifier of the first encryption gateway. After the registration is successful, the quantum key distribution center injects the second quantum key into the quantum key module of the second encryption gateway.
  • the identifiers registered by the first encryption gateway and the second encryption gateway to the quantum key distribution center are consistent and will form the same quantum key pool, that is, the first quantum key and the second quantum key are the same;
  • the first encryption gateway receives the incoming data message, and adds an encryption tag to the data packet of the incoming data message through the xfrm module.
  • the step S2 specifically includes:
  • Step S201: push data packets into the xfrm module
  • Step S202: the xfrm module matches the outbound security policy (sp) according to the five-tuple information (source IP address, destination IP address, source port, destination port, protocol);
  • Step S203: determine whether the match of the outbound security policy (sp) is successful. If the match is successful, the xfrm module calls the encryption label of the iptables module to add an encryption label to the incoming data message, and enters S204;
  • Step S204: the xfrm module searches for the corresponding security association (IPSec sa) according to the outbound security policy (sp). If it exists, it proceeds to S205. If it fails, it proceeds to S206.
  • IPSec sa: security association
  • sp: outbound security policy
  • Step S205: save the IPSec sa information in the data message
  • Step S206: the xfrm module negotiates the security association (IPSec sa) through the IKE protocol and saves the information of IPSec sa in the data message;
  • the iptables module of the first encryption gateway uses the hook node created by the encryption label to send the data marked with the encryption label in S2 to the encryption and decryption module;
  • Step S4 The data encryption and decryption module encrypts the data into outbound message data, which is sent out from the encryption gateway.
  • Step S4 specifically includes:
  • Step S401 the incoming message data enters the data encryption and decryption module according to the encryption tag;
  • Step S402 determine whether it is an outbound label or an inbound label. In this embodiment, if it is an outbound label, proceed to step S403.
  • Step S403 Perform data encryption processing.
  • the data encryption and decryption module of the first encryption gateway encrypts the data message through the encryption tag and the IPSec sa stored in the data message.
  • the data encryption adopts the CBC+ mode, which specifically includes:
  • the ciphertext data 1 and the ciphertext data 2 are concatenated to obtain the complete ciphertext, wherein the complete ciphertext does not add additional encapsulation to the original data, thereby achieving the purpose of not changing the original message structure;
  • the first encryption gateway obtains the quantum key sa from the quantum key pool of the quantum encryption module, and uses the quantum key sa to encrypt the data encrypted by IPSec sa again.
  • the step S404 specifically includes:
  • Step S4041 The data encryption and decryption module calculates the quantum key ID through the spi of the initiator and responder in IPSec sa. Since spi (Security Parameter Index) is used to uniquely identify IPSec sa, the quantum key ID calculated using spi is also unique.
  • Step S4042 The data encryption and decryption module obtains the quantum key sa from the quantum key pool through the quantum key ID;
  • Step S4043 The data encryption and decryption module uses the quantum key sa to encrypt the data encrypted by IPSec sa again, and the encryption method is consistent with the encryption method in S403;
  • Step S405 the data processed by the data encryption and decryption module will become outbound message data and be sent out from the first gateway;
  • After receiving the ciphertext data from the first encryption gateway, the second encryption gateway swaps the source address and the destination address, matches the outbound security policy (sp) in the xfrm module through the five-tuple information (source IP address, destination IP address, source port, destination port, protocol), and obtains the IPSec sa corresponding to sp; at the same time, the incoming data message is marked with a decryption tag, which specifically includes the following steps:
  • Step S501 The incoming data message enters the xfrm module;
  • Step S502 the xfrm module matches the outbound security policy (sp) according to the five-tuple information (source IP address, destination IP address, source port, destination port, protocol);
  • Step S503 determining that the outbound security policy (sp) fails to match, and proceeding to step S504;
  • Step S504 the xfrm module swaps the source address and the destination address of the incoming data message, and uses the xfrm module to match the inbound security policy (sp) according to the five-tuple information (source IP address, destination IP address, source port, destination port, protocol);
  • Step S505 the inbound security policy (sp) is matched successfully
  • Step S506 the xfrm module calls the decryption tag of the iptables module to add a decryption tag to the incoming data message;
  • Step S6 The hook node created by the second encryption gateway using the decryption tag sends the data packet marked with the decryption tag in step S506 to the encryption and decryption module;
  • Step S7 the second encryption gateway obtains the quantum key sa from the quantum key pool of the quantum encryption module, and uses the quantum key sa to decrypt the data.
  • Step S7 specifically includes:
  • Step S701 The data encryption and decryption module calculates the quantum key ID through the spi of the initiator and responder in IPSec sa. Since spi (Security Parameter Index) is used to uniquely identify IPSec sa, the quantum key ID calculated using spi is also unique.
  • Step S702 The data encryption and decryption module obtains the quantum key sa from the quantum key pool through the quantum key ID;
  • Step S703 The data encryption and decryption module uses the quantum key sa to decrypt the data that was encrypted by IPSec sa;
  • Step S8 The data encryption and decryption module of the second encryption gateway decrypts the data message again by using the IPSec sa stored in the data message through the decryption tag to obtain the original data message, which specifically includes the following;
  • the device embodiments described above are merely illustrative, wherein the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of this embodiment. A person of ordinary skill in the art can understand and implement it without creative effort.
  • the various component embodiments of the present application can be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. It should be understood by those skilled in the art that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all functions of some or all components in the computing processing device according to the embodiment of the present application.
  • the application can also be implemented as a device or apparatus program (e.g., computer program and computer program product) for executing part or all of the methods described herein.
  • Such a program implementing the present application can be stored on a computer-readable medium, or can have the form of one or more signals. Such a signal can be downloaded from an Internet website, or provided on a carrier signal, or provided in any other form.
  • FIG6 shows a computing processing device that can implement the method according to the present application.
  • the computing processing device conventionally includes a processor 1010 and a computer program product or computer-readable medium in the form of a memory 1020.
  • the memory 1020 can be an electronic memory such as a flash memory, an EEPROM (electrically erasable programmable read-only memory), an EPROM, a hard disk or a ROM.
  • the memory 1020 has a storage space 1030 for a program code 1031 for executing any method step in the above method.
  • the storage space 1030 for the program code may include individual program codes 1031 for implementing various steps in the above method respectively. These program codes can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as a hard disk, a compact disk (CD), a memory card or a floppy disk.
  • a computer program product is typically a portable or fixed storage unit as described with reference to FIG7.
  • the storage unit may have storage segments, storage spaces, etc. arranged similarly to the memory 1020 in the computing processing device of FIG6.
  • the program code may be, for example, in an appropriate
  • the storage unit includes computer readable code 1031', that is, code that can be read by a processor such as 1010, which, when executed by a computing processing device, causes the computing processing device to perform the various steps in the method described above.
  • one embodiment means that a particular feature, structure or characteristic described in conjunction with the embodiment is included in at least one embodiment of the present application.
  • examples of the term “in one embodiment” here do not necessarily all refer to the same embodiment.
  • any reference signs placed between brackets shall not be construed as limiting the claims.
  • the word “comprising” does not exclude the presence of elements or steps not listed in the claims.
  • the word “a” or “an” preceding an element does not exclude the presence of a plurality of such elements.
  • the present application may be implemented by means of hardware comprising several different elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by the same item of hardware.
  • the use of the words first, second, and third etc. does not indicate any order. These words may be interpreted as names.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided in the present application is a double-encryption method based on IPsec and a quantum key. The method comprises: an encryption gateway registering to a quantum key distribution center by means of a unique identifier, and after the registration is successful, the quantum key distribution center charging a quantum key to the encryption gateway; the encryption gateway receiving a pushed data message, and labeling a data packet of the pushed data message with an encryption tag or a decryption tag; by means of creating the encryption tag and the decryption tag, setting a rule in a POSTROUTING chain of a mangle table, creating a hook node by using the encryption tag or the decryption tag, and sending the data packet labeled with the encryption tag or the decryption tag; and encrypting data to convert same into popped message data, sending the popped message data from the encryption gateway, or decrypting the data to obtain original text of ciphertext. In the present application, no additional load encapsulation is required for data encapsulation, and the original structure of a data packet is not changed, and the present application is applicable to more network environments.

Description

Dual encryption method based on IPsec and quantum key, and encryption gateway

This application claims priority to the Chinese patent disclosure with application number 202311694033.6, filed with the China Patent Office on December 8, 2023, and entitled “Dual encryption method and encryption gateway based on IPsec and quantum key”, the entire contents of which are incorporated by reference in this application.

Technical Field

The present application relates to the fields of cryptographic applications and network security, and specifically to a dual encryption method based on IPsec and quantum key, and an encryption gateway.

Background Art

Generally, secure data transmission between different branches is achieved by building IPSec (Internet Protocol Security) tunnels through VPN (Virtual Private Network) gateways, which ensures the confidentiality, integrity and authentication of IP-layer data packets. If the branches are interconnected over a dedicated line provided by an operator, an IPSec VPN deployment encapsulates the security payload esp and changes the original structure of the data packet, which adds overhead and reduces transmission efficiency for users with limited network bandwidth.

At the same time, as quantum computing capabilities improve, traditional key exchange protocols transmit negotiation material during the negotiation process, and the negotiated session keys may be deciphered.

In the related art, the Chinese invention patent application document with application publication number CN116405206A discloses a method for data encryption and decryption of a security gateway, in which data is encrypted with a quantum key, and the session ID of the quantum key is carried as the spi (Security Parameter Index) in the encapsulated security payload esp and passed to the peer so that the peer can decrypt the data. However, this solution also adds extra data encapsulation on top of the payload data, which adds overhead to the user's network bandwidth.

In the related art, the Chinese invention patent application document with application publication number CN115567205A discloses a method for encrypting and decrypting network session data streams using quantum key distribution. The main features of this scheme are: (1) a mapping relationship is established between the quantum master key ID and the 5-tuple network session stream through the quantum distribution network, and the master key identifier is placed in the security message header of the encrypted data message to achieve end-to-end encrypted communication. (2) The functions of establishing, aging, and deleting the flow table are realized. This scheme likewise adds extra data encapsulation, increases the user's network bandwidth overhead, and is complex to implement.

Summary of the Invention

The technical problem to be solved by this application is how to achieve end-to-end encryption without adding additional payload encapsulation to the data payload, improving the confidentiality of data messages while not reducing the use of user bandwidth.

This application solves the above technical problem through the following technical means:

In the first aspect, the present application proposes a dual encryption method based on IPsec and quantum key for an encryption gateway, comprising the following steps:

The encryption gateway registers with the quantum key distribution center through a unique identifier. After successful registration, the quantum key distribution center injects quantum keys into the encryption gateway;

The encryption gateway receives the incoming data message and adds an encryption tag or a decryption tag to the data packet of the incoming data message;

A hook node is created using the encryption tag or the decryption tag, and the data packet marked with the encryption tag or the decryption tag is sent out;

After the data is encrypted once using the security association, the quantum key sa is used to encrypt the data encrypted by the security association again. The double-encrypted data becomes outbound message data and is sent out from the encryption gateway; or the data is double-decrypted to obtain the original text of the ciphertext.

As a further technical solution, the step in which the encryption gateway receives the incoming data message and adds an encryption tag or a decryption tag to the data packet of the incoming data message includes the following steps:

The incoming data message enters;

The outbound security policy is matched according to the five-tuple information;

It is determined whether the outbound security policy match is successful;

If the outbound security policy matches successfully, the incoming data message is marked with an encryption tag, and the outbound security policy is used to look up whether the corresponding security association exists;

If the security association exists, the security association information is saved in the data message;

If the security association does not exist, the security association is negotiated through the IKE protocol and the security association information is saved in the data message;

If the outbound security policy fails to match, the source address and destination address of the incoming data message are swapped, and the inbound security policy is matched according to the five-tuple information;

It is determined whether the inbound security policy match is successful;

If the inbound security policy matches successfully, the incoming data message is marked with a decryption tag;

If the inbound security policy fails to match, the incoming data message matches neither the outbound security policy nor the inbound security policy and is discarded.
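The tagging decision described in the steps above, as an added example (not code from the application). The selector format (CIDR networks plus protocol, ports ignored), the tag names, the `negotiate` callback standing in for IKE, and all addresses and SPIs are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FiveTuple:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


@dataclass(frozen=True)
class Policy:
    """Hypothetical security policy selector: source net, destination net, protocol."""
    src_net: str
    dst_net: str
    proto: str = "any"

    def matches(self, t: FiveTuple) -> bool:
        return (ipaddress.ip_address(t.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(t.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in ("any", t.proto))


@dataclass(frozen=True)
class SA:
    spi_initiator: int
    spi_responder: int


def tag_packet(t: FiveTuple, out_sps: List[Policy], in_sps: List[Policy],
               sa_db: Dict[Policy, SA],
               negotiate: Callable[[Policy], SA]) -> Tuple[str, Optional[SA]]:
    """Return (tag, sa) following the order given in the text."""
    # Outbound policy first: a hit means the packet is to be encrypted.
    for sp in out_sps:
        if sp.matches(t):
            sa = sa_db.get(sp) or negotiate(sp)   # existing SA, else negotiate one
            sa_db[sp] = sa
            return "ENCRYPT", sa
    # Outbound miss: swap source and destination addresses, try inbound policy.
    swapped = FiveTuple(t.dst, t.src, t.sport, t.dport, t.proto)
    for sp in in_sps:
        if sp.matches(swapped):
            return "DECRYPT", sa_db.get(sp)
    # Neither policy matches: the packet is discarded.
    return "DROP", None


# Constructed sample: gateway A protects 10.1.0.0/16, gateway B protects 10.2.0.0/16.
POL_A = Policy("10.1.0.0/16", "10.2.0.0/16")
POL_B = Policy("10.2.0.0/16", "10.1.0.0/16")
SAMPLE_SA = SA(0x1001, 0x2002)


def demo():
    pkt = FiveTuple("10.1.0.5", "10.2.0.9", 40000, 443, "tcp")
    stray = FiveTuple("192.0.2.1", "198.51.100.7", 5000, 53, "udp")
    a_db: Dict[Policy, SA] = {}                  # A has no SA yet, so it negotiates
    b_db: Dict[Policy, SA] = {POL_B: SAMPLE_SA}
    at_a = tag_packet(pkt, [POL_A], [POL_A], a_db, lambda sp: SAMPLE_SA)
    at_b = tag_packet(pkt, [POL_B], [POL_B], b_db, lambda sp: SAMPLE_SA)
    dropped = tag_packet(stray, [POL_B], [POL_B], b_db, lambda sp: SAMPLE_SA)
    return at_a, at_b, dropped, a_db
```

Because the receiving gateway's policy is written from its own side (local network to remote network), the received packet only matches after the address swap, which is why the same selector can serve both directions at one gateway.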

As a further technical solution, the step in which the data is encrypted once using the security association and then encrypted again using the quantum key sa, the double-encrypted data becoming outbound message data that is sent out from the encryption gateway, or in which the data is double-decrypted to obtain the original text of the ciphertext, specifically includes:

Receiving data marked with an encryption tag or a decryption tag;

Determining whether it is an outbound tag or an inbound tag;

If it is an outbound tag, the data message is encrypted using the security association by means of the encryption tag;

The quantum key sa is obtained, and the data encrypted by the security association is encrypted again using the quantum key sa;

The data processed by the data encryption and decryption module becomes outbound message data and is sent out from the encryption gateway;

If it is an inbound tag, the quantum key sa is obtained by means of the decryption tag, and the data is decrypted using the quantum key sa;

The data message is then decrypted using the security association to obtain the original data message.

As a further technical solution, data encryption adopts the CBC+ mode. Encrypting the data message using the security association by means of the encryption tag specifically includes:

For data longer than one encryption block, the portion that is an integer multiple of the encryption block is encrypted with CBC to obtain ciphertext data 1;

For the remaining data that is shorter than one encryption block, the ciphertext of the previous encrypted block is taken as the IV value, and the IV is encrypted with the session key K, using SM4 as the encryption algorithm and ECB as the encryption mode, to obtain Kiv; Kiv is truncated so that its length equals the length of the plaintext data and is then XORed with the plaintext data to obtain ciphertext data 2;

Ciphertext data 1 and ciphertext data 2 are concatenated to obtain the complete ciphertext;

In the step of decrypting the data message using the security association to obtain the original data message, the decryption process specifically includes:

For data longer than one decryption block, the portion that is an integer multiple of the encryption block is decrypted with CBC to obtain plaintext data 1;

For the remaining data that is shorter than one encryption block, the ciphertext of the previous block before decryption is taken as the IV value, and the IV is decrypted with the session key K, using SM4 as the decryption algorithm and ECB as the decryption mode, to obtain Kiv; Kiv is truncated so that its length equals the length of the ciphertext data and is then XORed with the ciphertext data to obtain plaintext data 2;

Plaintext data 1 and plaintext data 2 are concatenated to obtain the complete plaintext.

As a further technical solution, the step of obtaining the quantum key sa and using the quantum key sa to encrypt again the data encrypted by the security association specifically includes:

The quantum key ID is calculated from the spi of the initiator and the responder in the security association; the quantum key ID calculated from the spi is unique;

The quantum key sa is obtained from the quantum key pool through the quantum key ID;

The data encrypted by IPSec sa is encrypted again using the quantum key sa. The encryption method is the same as that of S403;

The step of obtaining the quantum key sa by means of the decryption tag and decrypting the data using the quantum key sa specifically includes:

The quantum key ID is calculated from the spi of the initiator and the responder in the security association; the quantum key ID calculated from the spi is unique;

The quantum key sa is obtained from the quantum key pool through the quantum key ID;

The quantum key sa is used to decrypt the data encrypted by IPSec sa. The decryption method is the same as that of S407.
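The CBC+ mode and the two-layer encryption order described above, as an added example (not code from the application); it also shows that the length-preserving output carries no integrity check. SM4 is replaced by a stand-in 16-byte Feistel permutation built from SHA-256 so the block runs with the standard library only; the IV source, the use of the IV as "previous ciphertext" for data shorter than one block, the key-ID format derived from the two SPIs, and all keys are assumptions. Kiv is computed with the block cipher's encryption operation in both directions, since the XOR only inverts when both sides derive the same Kiv.

```python
import hashlib

BLOCK = 16  # SM4 block size in bytes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one SM4-ECB block encryption (4-round Feistel, NOT SM4)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor_bytes(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor_bytes(right, _f(key, rnd, left)), left
    return left + right


def cbc_plus_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    full = len(data) - len(data) % BLOCK
    prev, out = iv, bytearray()
    for off in range(0, full, BLOCK):            # ciphertext data 1: plain CBC
        prev = block_encrypt(key, xor_bytes(data[off:off + BLOCK], prev))
        out += prev
    tail = data[full:]
    if tail:                                     # ciphertext data 2: XOR with Kiv
        kiv = block_encrypt(key, prev)           # previous ciphertext block as IV
        out += xor_bytes(tail, kiv[:len(tail)])
    return bytes(out)


def cbc_plus_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    full = len(data) - len(data) % BLOCK
    prev, out = iv, bytearray()
    for off in range(0, full, BLOCK):
        block = data[off:off + BLOCK]
        out += xor_bytes(block_decrypt(key, block), prev)
        prev = block
    tail = data[full:]
    if tail:
        kiv = block_encrypt(key, prev)           # same Kiv as the sender derived
        out += xor_bytes(tail, kiv[:len(tail)])
    return bytes(out)


def quantum_key_id(spi_initiator: int, spi_responder: int) -> str:
    """Hypothetical ID format: both SPIs as fixed-width hex, initiator first."""
    return f"{spi_initiator:08x}{spi_responder:08x}"


def double_encrypt(sa_key, spi_i, spi_r, pool, iv, payload):
    q_key = pool[quantum_key_id(spi_i, spi_r)]   # lookup fails if the pools differ
    inner = cbc_plus_encrypt(sa_key, iv, payload)        # layer 1: IPSec SA key
    return cbc_plus_encrypt(q_key, iv, inner)            # layer 2: quantum key


def double_decrypt(sa_key, spi_i, spi_r, pool, iv, ciphertext):
    q_key = pool[quantum_key_id(spi_i, spi_r)]
    inner = cbc_plus_decrypt(q_key, iv, ciphertext)      # undo quantum layer first
    return cbc_plus_decrypt(sa_key, iv, inner)


def tail_change_effect(sa_key, spi_i, spi_r, pool, iv, payload):
    """XOR difference in the recovered plaintext after one ciphertext bit changes
    in the tail: nothing in the format lets the receiver notice the change."""
    ct = bytearray(double_encrypt(sa_key, spi_i, spi_r, pool, iv, payload))
    ct[-1] ^= 0x01
    return xor_bytes(payload, double_decrypt(sa_key, spi_i, spi_r, pool, iv, bytes(ct)))


# Constructed sample values (not from the application).
SA_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SPI_I, SPI_R = 0x1001, 0x2002
POOL = {quantum_key_id(SPI_I, SPI_R): bytes.fromhex("ffeeddccbbaa99887766554433221100")}
IV = bytes(BLOCK)
PAYLOAD = bytes(range(37))                       # two full blocks plus a 5-byte tail

if __name__ == "__main__":
    ct = double_encrypt(SA_KEY, SPI_I, SPI_R, POOL, IV, PAYLOAD)
    print(len(PAYLOAD), len(ct), double_decrypt(SA_KEY, SPI_I, SPI_R, POOL, IV, ct) == PAYLOAD)
    print(tail_change_effect(SA_KEY, SPI_I, SPI_R, POOL, IV, PAYLOAD).hex())
```

The ciphertext has the same length as the payload, which is how the scheme avoids extra encapsulation; the same property leaves no room for an integrity value, so a deployment needs tamper detection from another layer.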

In a second aspect, the present application further provides an encryption gateway for executing the dual encryption method based on IPsec and quantum key described in any of the above technical solutions, including:

A quantum key module, used for the encryption gateway to register with the quantum key distribution center through a unique identifier. After successful registration, the quantum key distribution center injects quantum keys into the quantum key module of the encryption gateway;

An xfrm module, used to receive the incoming data message and call the encryption and decryption tags of the iptables module to mark the incoming data message with an encryption tag or a decryption tag;

An iptables module, which creates the encryption tag and the decryption tag in advance, sets rules in the POSTROUTING chain of the mangle table, creates a hook node using the encryption tag or the decryption tag, and sends the data packets marked with the encryption tag or the decryption tag to the encryption and decryption module;

A data encryption and decryption module, which encrypts the data once using the security association and then uses the quantum key sa to encrypt the data encrypted by the security association again. The double-encrypted data becomes outbound message data and is sent out from the encryption gateway; or the data is double-decrypted to obtain the original text of the ciphertext.

As a further technical solution, the xfrm module specifically includes:

xfrm module entry unit: used for the incoming data message to enter the xfrm module;

Outbound security policy matching unit: used to match the outbound security policy according to the five-tuple information;

First judgment unit: used to judge whether the outbound security policy match is successful;

Security association search unit: if the outbound security policy is matched successfully, it is used to mark the incoming data message with an encryption tag and to look up, according to the outbound security policy, whether the corresponding security association exists;

Encryption tagging unit: when the security association exists, the security association information is saved in the data message;

Security association negotiation unit: when the security association does not exist, it is used to negotiate the security association through the IKE protocol and save the security association information in the data message;

Inbound security policy matching unit: when the outbound security policy match fails, it is used to swap the source address and destination address of the incoming data message and match the inbound security policy according to the five-tuple information;

Second judgment unit: used to judge whether the inbound security policy match is successful;

Decryption tagging unit: if the inbound security policy is matched successfully, the incoming data message is marked with a decryption tag;

Discard unit: if the incoming data message matches neither the outbound security policy nor the inbound security policy, it is discarded.

As a further technical solution, the data encryption and decryption module specifically includes:

Data receiving unit: receives data marked with an encryption tag or a decryption tag;

Direction tag judgment unit: judges whether it is an outbound tag or an inbound tag;

Encryption unit: if it is an outbound tag, encrypts the data message using the security association by means of the encryption tag;

Re-encryption unit: used to obtain the quantum key sa and use the quantum key sa to encrypt again the data encrypted by the security association;

Sending unit: used to turn the re-encrypted data into outbound message data and send it out from the encryption gateway;

Decryption unit: if it is an inbound tag, obtains the quantum key sa by means of the decryption tag and uses the quantum key sa to decrypt the data;

Second decryption unit: decrypts the data message using the security association to obtain the original data message.

As a further technical solution, the data encryption adopts the CBC+ mode, which specifically includes:

For data longer than one encryption block, the portion that is an integer multiple of the encryption block is encrypted with CBC to obtain ciphertext data 1;

For the remaining data that is shorter than one encryption block, the ciphertext of the previous encrypted block is taken as the IV value, and the IV is encrypted with the session key K, using SM4 as the encryption algorithm and ECB as the encryption mode, to obtain Kiv; Kiv is truncated so that its length equals the length of the plaintext data and is then XORed with the plaintext data to obtain ciphertext data 2;

Ciphertext data 1 and ciphertext data 2 are concatenated to obtain the complete ciphertext;

The decryption process specifically includes:

For data longer than one decryption block, the portion that is an integer multiple of the encryption block is decrypted with CBC to obtain plaintext data 1;

For the remaining data that is shorter than one encryption block, the ciphertext of the previous block before decryption is taken as the IV value, and the IV is decrypted with the session key K, using SM4 as the decryption algorithm and ECB as the decryption mode, to obtain Kiv; Kiv is truncated so that its length equals the length of the ciphertext data and is then XORed with the ciphertext data to obtain plaintext data 2;

Plaintext data 1 and plaintext data 2 are concatenated to obtain the complete plaintext.

第三方面,本申请还提供一种基于IPsec和量子密钥的双重加密方法,适用于报文数据通过第一加密网关传入第二加密网关,其中第一加密网关和第二加密网关采用权利要求6-9任一项所述的机构,该加密方法包含以下步骤:In a third aspect, the present application also provides a dual encryption method based on IPsec and quantum key, which is applicable to the transmission of message data from a first encryption gateway to a second encryption gateway, wherein the first encryption gateway and the second encryption gateway adopt the mechanism described in any one of claims 6 to 9, and the encryption method comprises the following steps:

The first encryption gateway registers with the quantum key distribution center using its own unique identifier and the unique identifier of the second encryption gateway. After successful registration, the quantum key distribution center injects the first quantum key into the quantum key module of the first encryption gateway. The second encryption gateway registers with the quantum key distribution center using its own unique identifier and the unique identifier of the first encryption gateway. After successful registration, the quantum key distribution center injects the second quantum key into the quantum key module of the second encryption gateway. The identifiers that the first encryption gateway and the second encryption gateway register with the quantum key distribution center are consistent, so the same quantum key pool is formed, that is, the first quantum key and the second quantum key are the same;

The first encryption gateway receives the incoming data message and marks the data packet of the incoming data message with an encryption tag through the xfrm module;

The iptables module of the first encryption gateway, through the hook node created from the encryption tag, sends the data packet marked with the encryption tag in S2 to the encryption and decryption module;

Based on the encryption tag, the data encryption and decryption module of the first encryption gateway encrypts the data message using the security association stored in the data message, obtains the quantum key sa from the quantum key pool, uses the quantum key sa to encrypt the data already encrypted by the security association a second time, and then sends it out;

After the second encryption gateway receives the ciphertext data from the first encryption gateway, it swaps the source address and the destination address, matches the outbound security policy in the xfrm module using the five-tuple information, and obtains the security association corresponding to the security policy; at the same time, it marks the incoming data message with a decryption tag;

The iptables module of the second encryption gateway, through the hook node created from the decryption tag, sends the data packet marked with the decryption tag in step S5 to the encryption and decryption module;

The second encryption gateway obtains the quantum key sa from the quantum key pool of the quantum encryption module and uses the quantum key sa to decrypt the data;

Based on the decryption tag, the data encryption and decryption module of the second encryption gateway decrypts the data message again using the security association stored in the data message, and obtains the original text of the data message.

In a fourth aspect, the present application proposes a computing processing device, comprising: a memory in which computer-readable code is stored; and one or more processors. When the computer-readable code is executed by the one or more processors, the computing processing device executes the authentication method based on double quantum random number protection as described above.

In a fifth aspect, the present application proposes a computer program comprising computer-readable code which, when run on a computing processing device, causes the computing processing device to execute any of the authentication methods based on double quantum random number protection described above.

In a sixth aspect, the present application proposes a computer-readable medium in which the computer program described above is stored.

This method uses quantum key distribution together with the xfrm and iptables modules to encrypt the payload data that follows the IP header. Its main inventive points are:

(1) The data is double-encrypted with the IPSec sa and the quantum sa, which improves security;

(2) Data encapsulation requires no additional payload encapsulation and does not change the original structure of the data packet, so the method applies to a wider range of network environments. However complex the intermediate network is, the data packet can be transmitted normally, and no extra overhead is added to the user's network bandwidth;

(3) Each security policy has its own quantum sa. As long as the security policy subnets are configured with a 32-bit mask, one key per flow can be achieved, increasing the security of the data.

The method both satisfies the networking environment of a traditional VPN and can provide a data encryption mechanism based on the layer 2 network (data link layer), giving a more secure and more efficient encrypted transmission method. In addition, the link is completely transparent and is very easy to deploy and connect.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a structural block diagram of a data encryption system based on quantum keys in an embodiment of the present application;

FIG. 2 is a block diagram of the connection structure of the encryption gateway and the quantum key distribution system in an embodiment of the present application;

FIG. 3 is a data processing flow chart of the xfrm module in the encryption gateway in an embodiment of the present application;

FIG. 4 is a data processing flow chart of the data encryption and decryption module in the encryption gateway in an embodiment of the present application;

FIG. 5 is a flow chart of the interaction between encryption gateways in an embodiment of the present application;

FIG. 6 is a schematic structural diagram of a computing processing device proposed in an embodiment of the present application;

FIG. 7 is a schematic structural diagram of a storage unit for program code proposed in an embodiment of the present application.

DETAILED DESCRIPTION

To make the purpose, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the embodiments. Obviously, the described embodiments are some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in the present application without creative effort fall within the scope of protection of the present application.

Referring to FIG. 2 and FIG. 5, the present application provides a double-encryption method based on IPsec and quantum keys for use in an encryption gateway. The encryption gateway includes:

Incoming data message: a data message received by the encryption gateway;

Outgoing data message: a data message after encryption or decryption is complete;

xfrm module: implements creation, deletion, modification and query of security policies (sp) and the negotiation and aging of security associations (Security Association, sa), matches incoming data messages against the security policies, and applies an encryption or decryption tag according to the direction of the matched policy;

Here, xfrm stands for Transform and is part of the IPsec protocol stack.

iptables (firewall) module: creates the encryption tag and the decryption tag, sets rules in the POSTROUTING chain of the mangle table, creates a hook node (HOOK) using the encryption tag or the decryption tag, and through the HOOK mechanism sends data that matches the encryption or decryption tag to the data encryption and decryption module;

Here, iptables is a firewall and network address translation tool, the mangle table is used to modify specific fields of a data packet, and POSTROUTING is used to process data packets after the routing decision.

Data encryption and decryption module: encrypts or decrypts the data message according to the tag on the data packet. The encryption and decryption keys come from IKE key negotiation and quantum key distribution.

The double-encryption method comprises the following steps:

S10: The encryption gateway registers with the quantum key distribution center using a unique identifier. After successful registration, the quantum key distribution center injects quantum keys into the quantum key module of the encryption gateway. When the identifiers that the communicating encryption gateways register with the quantum key distribution center are consistent, the same quantum key pool is formed;

S20: The encryption gateway receives the incoming data message and marks the data packet of the incoming data message with an encryption tag or a decryption tag through the xfrm module. Referring also to FIG. 3, which is the data processing flow chart of the xfrm module in the encryption gateway in an embodiment of the present application, step S20 specifically includes:

S201: The incoming data message enters the xfrm module;

S202: The xfrm module matches the outbound security policy (sp) according to the five-tuple information (source IP address, destination IP address, source port, destination port, protocol);

S203: Determine whether the outbound security policy (sp) match succeeded. If it succeeded, go to S204; if it failed, go to S207;

S204: The outbound security policy (sp) match succeeded. The xfrm module calls the encryption tag of the iptables module to mark this incoming data message with the encryption tag, and the xfrm module looks up, according to the outbound security policy (sp), whether the corresponding security association (IPSec sa) exists. If it exists, go to S205; if not, go to S206;

S205: The security association (IPSec sa) exists, and the IPSec sa information is saved in the data message;

S206: The security association (IPSec sa) does not exist. The xfrm module negotiates the security association (IPSec sa) through the IKE protocol and saves the IPSec sa information in the data message;

S207: The outbound security policy (sp) match failed. The xfrm module swaps the source address and destination address of the incoming data message and matches the inbound security policy (sp) according to the five-tuple information (source IP address, destination IP address, source port, destination port, protocol);

S208: Determine whether the inbound security policy (sp) match succeeded. If it succeeded, go to S209; if it failed, go to S210;

S209: The xfrm module calls the decryption tag of the iptables module to mark this incoming data message with the decryption tag;

S210: If the incoming data message matches neither the outbound security policy (sp) nor the inbound security policy (sp), it is discarded;

S30: The iptables module of the encryption gateway creates a hook node using the encryption tag or the decryption tag, and sends the data packet marked with the encryption tag or decryption tag in S204 or S209 to the encryption and decryption module.

Step S40: The data encryption and decryption module either encrypts the data, turning it into outgoing message data that is sent out from the encryption gateway, or decrypts the data to obtain the original text of the ciphertext. Referring to FIG. 4, which is the data processing flow chart of the data encryption and decryption module in the encryption gateway in an embodiment of the present application, step S40 specifically includes:

Step S401: The incoming message data enters the data encryption and decryption module according to its encryption or decryption tag;

Step S402: Determine whether the tag is an outbound tag or an inbound tag. If it is an outbound tag, go to steps S403 to S405; if it is an inbound tag, go to step S406;

Step S403: Based on the encryption tag, the data encryption and decryption module of the encryption gateway encrypts the data message using the IPSec sa stored in the data message. Data encryption uses the CBC+ mode (CBC, Cipher Block Chaining), which specifically includes:

For data longer than one encryption block (16 bytes), the portion that is an integer multiple of 16 bytes is CBC-encrypted to obtain ciphertext data 1;

For the remaining data shorter than 16 bytes, the ciphertext of the previous encrypted block is taken as the IV value. The IV is encrypted with the session key K, using the SM4 algorithm in ECB (Electronic Codebook) mode, to obtain Kiv (Key and Initialization Vector). Kiv is truncated to the length of the plaintext data and then XORed with the plaintext data to obtain ciphertext data 2;

Ciphertext data 1 and ciphertext data 2 are concatenated to obtain the complete ciphertext. The complete ciphertext adds no extra encapsulation to the original data, so the original message structure is unchanged;

Step S404: The encryption gateway obtains the quantum key sa from the quantum key pool of the quantum encryption module and uses the quantum key sa to encrypt the IPSec sa encrypted data a second time, which specifically includes:

S4041. The data encryption and decryption module calculates the quantum key ID from the spi of the initiator and the responder in the IPSec sa. Because the spi (Security Parameter Index) uniquely identifies the IPSec sa, the quantum key ID calculated from the spi is also unique;

S4042. The data encryption and decryption module obtains the quantum key sa from the quantum key pool using the quantum key ID;

S4043. The data encryption and decryption module uses the quantum key sa to encrypt the IPSec sa encrypted data again. The encryption method is the same as in S403;

Step S405: The data processed by the data encryption and decryption module becomes outgoing message data and is sent out from the encryption gateway;

Step S406: Based on the decryption tag, the data encryption and decryption module of the encryption gateway obtains the quantum key sa from the quantum key pool of the quantum encryption module and uses the quantum key sa to decrypt the data. The decryption principle is the same as in step S404, and specifically includes:

S4061. Calculate the quantum key ID from the spi of the initiator and the responder in the security association. The quantum key ID calculated from the spi is unique;

S4062. Obtain the quantum key sa from the quantum key pool using the quantum key ID;

S4063. Use the quantum key sa to decrypt the IPSec sa encrypted data. The decryption method is the same as in S407.

Step S407: Decrypt the data message again using the IPSec sa stored in the data message to obtain the original text of the data message, which specifically includes the following:

For data longer than one decryption block (16 bytes), the portion that is an integer multiple of 16 bytes is CBC-decrypted to obtain plaintext data 1;

For the remaining data shorter than 16 bytes, the ciphertext of the previous block before decryption is taken as the IV value. The IV is decrypted with the session key K, using the SM4 algorithm in ECB mode, to obtain Kiv. Kiv is truncated to the length of the ciphertext data and then XORed with the ciphertext data to obtain plaintext data 2;

Plaintext data 1 and plaintext data 2 are concatenated to obtain the complete plaintext.
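The two-layer, length-preserving processing of steps S403 to S407, as an added example that is not code from the application. Assumptions: a 4-round Feistel built on HMAC-SHA256 stands in for SM4 so the block runs offline; the IV of the first CBC block, the handling of payloads shorter than 16 bytes (the IV takes the place of the "previous ciphertext block") and the SPI-to-key-ID derivation are not specified on the page and are hypothetical here. On the receiving side the example computes Kiv with the same block-encrypt operation as the sender, since the XOR only cancels when both gateways derive the same Kiv.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

BLOCK = 16  # block size in bytes (SM4 on the page)


def xor(a: bytes, b: bytes) -> bytes:
    # zip() stops at the shorter input, which also truncates Kiv to the tail length.
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 16-byte block cipher (4-round Feistel), used here instead of SM4."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_plus_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    full = len(data) - len(data) % BLOCK
    prev, out = iv, bytearray()
    for i in range(0, full, BLOCK):        # ciphertext data 1: plain CBC
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out += prev
    if data[full:]:                        # ciphertext data 2: tail shorter than 16 bytes
        kiv = block_encrypt(key, prev)     # ECB-encrypt the previous ciphertext block
        out += xor(data[full:], kiv)
    return bytes(out)


def cbc_plus_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    full = len(data) - len(data) % BLOCK
    prev, out = iv, bytearray()
    for i in range(0, full, BLOCK):
        block = data[i:i + BLOCK]
        out += xor(block_decrypt(key, block), prev)
        prev = block
    if data[full:]:
        # Same Kiv as the sender: the block cipher runs in the encrypt direction.
        out += xor(data[full:], block_encrypt(key, prev))
    return bytes(out)


@dataclass(frozen=True)
class IpsecSa:
    key: bytes      # session key K negotiated by IKE
    iv: bytes       # assumption: per-SA IV for the first block (not given on the page)
    spi_init: int   # initiator SPI
    spi_resp: int   # responder SPI


def quantum_key_id(sa: IpsecSa) -> str:
    # Hypothetical derivation; the page only says the ID is computed from both SPIs.
    return hashlib.sha256(struct.pack(">II", sa.spi_init, sa.spi_resp)).hexdigest()[:16]


def gateway_encrypt(sa: IpsecSa, pool: dict, payload: bytes) -> bytes:
    inner = cbc_plus_encrypt(sa.key, sa.iv, payload)                    # S403
    return cbc_plus_encrypt(pool[quantum_key_id(sa)], sa.iv, inner)     # S404


def gateway_decrypt(sa: IpsecSa, pool: dict, payload: bytes) -> bytes:
    inner = cbc_plus_decrypt(pool[quantum_key_id(sa)], sa.iv, payload)  # S406
    return cbc_plus_decrypt(sa.key, sa.iv, inner)                       # S407


# Constructed sample values, identical on both gateways.
SA = IpsecSa(bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff"),
             0x1001, 0x2002)
POOL = {quantum_key_id(SA): hashlib.sha256(b"constructed quantum key").digest()[:16]}


def tail_flip_reaches_plaintext(payload: bytes) -> bool:
    """True if flipping the last ciphertext bit flips only the last plaintext bit."""
    ct = bytearray(gateway_encrypt(SA, POOL, payload))
    ct[-1] ^= 0x01
    pt = gateway_decrypt(SA, POOL, bytes(ct))
    return pt[:-1] == payload[:-1] and pt[-1] == payload[-1] ^ 0x01


if __name__ == "__main__":
    msg = bytes(range(37))  # two full blocks plus a 5-byte tail
    ct = gateway_encrypt(SA, POOL, msg)
    print(len(msg), len(ct), gateway_decrypt(SA, POOL, ct) == msg)
    print("tail bit flip reaches plaintext:", tail_flip_reaches_plaintext(msg))
```

Because the output is exactly as long as the input, the construction leaves no room for an integrity tag; `tail_flip_reaches_plaintext` shows the consequence for the XOR-protected tail, so integrity has to be provided by another layer.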

Referring to FIG. 1, this embodiment provides a data encryption system based on quantum keys, including a first encryption gateway, a second encryption gateway, and a quantum key center. The first encryption gateway and the second encryption gateway are both connected to the quantum key center. The first encryption gateway and the second encryption gateway perform key negotiation with each other and submit registration requests to the quantum key distribution center, and the quantum key distribution center distributes quantum keys to the first encryption gateway and the second encryption gateway.

The first encryption gateway and the second encryption gateway have the same structure, and use the encryption gateway structure and encryption method described in Embodiment 1. Quantum key module: obtains quantum keys in batches from the quantum key distribution center; each group of keys has a unique ID.

The present application provides a double-encryption method based on IPsec and quantum keys, applicable when message data passes from the first encryption gateway to the second encryption gateway. The double-encryption method comprises the following steps:

S1: The first encryption gateway registers with the quantum key distribution center using its own unique identifier and the unique identifier of the second encryption gateway. After successful registration, the quantum key distribution center injects the first quantum key into the quantum key module of the first encryption gateway. The second encryption gateway registers with the quantum key distribution center using its own unique identifier and the unique identifier of the first encryption gateway. After successful registration, the quantum key distribution center injects the second quantum key into the quantum key module of the second encryption gateway;

Here, the identifiers that the first encryption gateway and the second encryption gateway register with the quantum key distribution center are consistent, so the same quantum key pool is formed, that is, the first quantum key and the second quantum key are the same;

S2: The first encryption gateway receives the incoming data message and marks the data packet of the incoming data message with an encryption tag through the xfrm module, following the data processing flow chart of the xfrm module in the encryption gateway in the embodiment of the present application. Step S2 specifically includes:

Step S201: The incoming data message enters the xfrm module;

Step S202: The xfrm module matches the outbound security policy (sp) according to the five-tuple information (source IP address, destination IP address, source port, destination port, protocol);

Step S203: Determine whether the outbound security policy (sp) match succeeded. The match succeeds, so the xfrm module calls the encryption tag of the iptables module to mark this incoming data message with the encryption tag, and goes to S204;

Step S204: The xfrm module looks up, according to the outbound security policy (sp), whether the corresponding security association (IPSec sa) exists. If it exists, go to S205; if not, go to S206;

Step S205: Save the IPSec sa information in the data message;

Step S206: The xfrm module negotiates the security association (IPSec sa) through the IKE protocol and saves the IPSec sa information in the data message;

S3: The iptables module of the first encryption gateway, through the hook node created using the encryption tag, sends the data marked with the encryption tag in S2 to the encryption and decryption module;

S4: The data encryption and decryption module encrypts the data, turning it into outgoing message data that is sent out from the encryption gateway. Step S4 specifically includes:

Step S401: The incoming message data enters the data encryption and decryption module according to the encryption tag;

Step S402: Determine whether the tag is an outbound tag or an inbound tag. In this embodiment it is an outbound tag, so go to step S403;

Step S403: Perform data encryption. Based on the encryption tag, the data encryption and decryption module of the first encryption gateway encrypts the data message using the IPSec sa stored in the data message. Data encryption uses the CBC+ mode, which specifically includes:

For data longer than one encryption block (16 bytes), the portion that is an integer multiple of 16 bytes is CBC-encrypted to obtain ciphertext data 1;

For the remaining data shorter than 16 bytes, the ciphertext of the previous encrypted block is taken as the IV value. The IV is encrypted with the session key K, using the SM4 algorithm in ECB mode, to obtain Kiv. Kiv is truncated to the length of the plaintext data and then XORed with the plaintext data to obtain ciphertext data 2;

Ciphertext data 1 and ciphertext data 2 are concatenated to obtain the complete ciphertext. The complete ciphertext adds no extra encapsulation to the original data, so the original message structure is unchanged;

S404: The first encryption gateway obtains the quantum key sa from the quantum key pool of the quantum encryption module and uses the quantum key sa to encrypt the IPSec sa encrypted data a second time. Step S404 specifically includes:

Step S4041: The data encryption and decryption module calculates the quantum key ID from the spi of the initiator and the responder in the IPSec sa. Because the spi (Security Parameter Index) uniquely identifies the IPSec sa, the quantum key ID calculated from the spi is also unique;

Step S4042: The data encryption and decryption module obtains the quantum key sa from the quantum key pool using the quantum key ID;

Step S4043: The data encryption and decryption module uses the quantum key sa to encrypt the IPSec sa encrypted data again. The encryption method is the same as in S403;

Step S405: The data processed by the data encryption and decryption module becomes outgoing message data and is sent out from the first gateway;

S5: After the second encryption gateway receives the ciphertext data from the first encryption gateway, it swaps the source address and the destination address, matches the outbound security policy (sp) in the xfrm module using the five-tuple information (source IP address, destination IP address, source port, destination port, protocol), and obtains the IPSec sa corresponding to the sp; at the same time, it marks the incoming data message with a decryption tag. This specifically includes the following steps:

Step S501: The incoming data message enters the xfrm module;

Step S502: The xfrm module matches the outbound security policy (sp) according to the five-tuple information (source IP address, destination IP address, source port, destination port, protocol);

Step S503: The outbound security policy (sp) match is determined to have failed; go to step S504;

Step S504: The xfrm module swaps the source address and destination address of the incoming data message and matches the inbound security policy (sp) according to the five-tuple information (source IP address, destination IP address, source port, destination port, protocol);

Step S505: The inbound security policy (sp) match succeeds;

Step S506: The xfrm module calls the decryption tag of the iptables module to mark this incoming data message with the decryption tag;

Step S6: The second encryption gateway, through the hook node created using the decryption tag, sends the data packet marked with the decryption tag in step S506 to the encryption and decryption module;

Step S7: The second encryption gateway obtains the quantum key sa from the quantum key pool of the quantum encryption module and uses the quantum key sa to decrypt the data. Step S7 specifically includes:

Step S701: The data encryption and decryption module calculates the quantum key ID from the spi of the initiator and the responder in the IPSec sa. Because the spi (Security Parameter Index) uniquely identifies the IPSec sa, the quantum key ID calculated from the spi is also unique;

Step S702: The data encryption and decryption module obtains the quantum key sa from the quantum key pool using the quantum key ID;

Step S703: The data encryption and decryption module uses the quantum key sa to decrypt the data decrypted by IPSec sa;

Step S8: Based on the decryption tag, the data encryption and decryption module of the second encryption gateway decrypts the data message again using the IPSec sa stored in the data message to obtain the original text of the data message, which specifically includes the following:

For data longer than one decryption block (16 bytes), the portion that is an integer multiple of 16 bytes is CBC-decrypted to obtain plaintext data 1;

For the remaining data shorter than 16 bytes, the ciphertext of the previous block before decryption is taken as the IV value. The IV is decrypted with the session key K, using the SM4 algorithm in ECB mode, to obtain Kiv. Kiv is truncated to the length of the ciphertext data and then XORed with the ciphertext data to obtain plaintext data 2;

Plaintext data 1 and plaintext data 2 are concatenated to obtain the complete plaintext.
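The tagging decision that steps S2 and S5 describe for the two gateways (outbound match first, then a second match with the addresses swapped, otherwise discard), as an added example that is not code from the application. Assumptions: each policy is modelled as one selector pair (local subnet, remote subnet) that serves both lookups, ports are wildcarded, the first matching policy wins, and all addresses and policy names are constructed. The /32 policy listed first shows the per-host-pair policy that inventive point (3) relies on.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


@dataclass(frozen=True)
class Policy:
    name: str
    local_net: str                 # selector for the side this gateway protects
    remote_net: str                # selector for the peer side
    proto: Optional[str] = None    # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.local_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.remote_net)
                and self.proto in (None, pkt.proto))


def first_match(pkt: Packet, policies: List[Policy]) -> Optional[Policy]:
    return next((p for p in policies if p.matches(pkt)), None)


def classify(pkt: Packet, policies: List[Policy]) -> Tuple[str, Optional[str]]:
    hit = first_match(pkt, policies)                   # outbound lookup (S202/S203)
    if hit:
        return "ENCRYPT", hit.name                     # encryption tag (S204)
    swapped = replace(pkt, src=pkt.dst, dst=pkt.src)   # swap the addresses (S207/S504)
    hit = first_match(swapped, policies)               # inbound lookup (S208/S505)
    if hit:
        return "DECRYPT", hit.name                     # decryption tag (S209/S506)
    return "DROP", None                                # no policy either way (S210)


# Constructed policies: gateway 1 protects 10.1.0.0/24, gateway 2 protects 10.2.0.0/24.
GW1 = [Policy("hostpair", "10.1.0.5/32", "10.2.0.9/32"),
       Policy("site", "10.1.0.0/24", "10.2.0.0/24")]
GW2 = [Policy("hostpair", "10.2.0.9/32", "10.1.0.5/32"),
       Policy("site", "10.2.0.0/24", "10.1.0.0/24")]

if __name__ == "__main__":
    for pkt in (Packet("10.1.0.5", "10.2.0.9", 40000, 443, "tcp"),
                Packet("10.1.0.7", "10.2.0.9", 40001, 443, "tcp"),
                Packet("192.0.2.1", "10.2.0.9", 40002, 443, "tcp")):
        print(pkt.src, "->", pkt.dst, classify(pkt, GW1), classify(pkt, GW2))
```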

以上所描述的装置实施例仅仅是示意性的,其中所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部模块来实现本实施例方案的目的。本领域普通技术人员在不付出创造性的劳动的情况下,即可以理解并实施。The device embodiments described above are merely illustrative, wherein the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the scheme of this embodiment. Ordinary technicians in this field can understand and implement it without paying creative labor.

本申请的各个部件实施例可以以硬件实现,或者以在一个或者多个处理器上运行的软件模块实现,或者以它们的组合实现。本领域的技术人员应当理解,可以在实践中使用微处理器或者数字信号处理器(DSP)来实现根据本申请实施例的计算处理设备中的一些或者全部部件的一些或者全部功能。本申请还可以实现为用于执行这里所描述的方法的一部分或者全部的设备或者装置程序(例如,计算机程序和计算机程序产品)。这样的实现本申请的程序可以存储在计算机可读介质上,或者可以具有一个或者多个信号的形式。这样的信号可以从因特网网站上下载得到,或者在载体信号上提供,或者以任何其他形式提供。The various component embodiments of the present application can be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. It should be understood by those skilled in the art that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all functions of some or all components in the computing processing device according to the embodiment of the present application. The application can also be implemented as a device or apparatus program (e.g., computer program and computer program product) for executing part or all of the methods described herein. Such a program implementing the present application can be stored on a computer-readable medium, or can have the form of one or more signals. Such a signal can be downloaded from an Internet website, or provided on a carrier signal, or provided in any other form.

For example, FIG. 6 shows a computing processing device that can implement the method according to the present application. The computing processing device conventionally includes a processor 1010 and a computer program product or computer-readable medium in the form of a memory 1020. The memory 1020 can be an electronic memory such as a flash memory, an EEPROM (electrically erasable programmable read-only memory), an EPROM, a hard disk or a ROM. The memory 1020 has a storage space 1030 for program code 1031 for executing any method step of the above methods. For example, the storage space 1030 for the program code may include individual program codes 1031, each implementing one of the various steps of the above methods. These program codes can be read from or written to one or more computer program products. These computer program products include program code carriers such as a hard disk, a compact disc (CD), a memory card or a floppy disk. Such a computer program product is typically a portable or fixed storage unit as described with reference to FIG. 7. The storage unit may have storage segments, storage spaces, etc. arranged similarly to the memory 1020 in the computing processing device of FIG. 6. The program code may, for example, be compressed in an appropriate form. Typically, the storage unit includes computer-readable code 1031', that is, code that can be read by a processor such as 1010, which, when run by a computing processing device, causes the computing processing device to perform the various steps of the methods described above.

The terms "one embodiment", "an embodiment" or "one or more embodiments" as used herein mean that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. In addition, please note that instances of the phrase "in one embodiment" here do not necessarily all refer to the same embodiment.

In the description provided herein, a large number of specific details are set out. However, it is understood that the embodiments of the present application can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.

In the claims, any reference signs placed between brackets shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in the claims. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present application may be implemented by means of hardware comprising several different elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order. These words may be interpreted as names.

Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they can still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements for some of the technical features therein; such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (13)

1. A dual encryption method based on IPsec and quantum keys, applied to an encryption gateway, wherein the method comprises the following steps:

S10: the encryption gateway registers with the quantum key distribution center using a unique identifier; after successful registration, the quantum key distribution center injects quantum keys into the encryption gateway;

S20: the encryption gateway receives an incoming data message and marks the data packet of the incoming data message with an encryption tag or a decryption tag;

S30: a mount node is created using the encryption tag or the decryption tag, and the data packet marked with the encryption tag or the decryption tag is sent out;

S40: after the data is encrypted once using the security association, the data encrypted by the security association is encrypted again using the quantum key sa, and the double-encrypted data becomes outbound message data and is sent out from the encryption gateway; or the data is double-decrypted to obtain the original text of the ciphertext.
2. The dual encryption method based on IPsec and quantum keys according to claim 1, wherein S20 comprises the following steps:

S201: an incoming data message enters;

S202: the outbound security policy is matched according to the five-tuple information;

S203: it is determined whether the matching of the outbound security policy succeeded; if it succeeded, proceed to S204; if it failed, proceed to S207;

S204: the outbound security policy was matched successfully; the incoming data message is marked with an encryption tag, and the corresponding security association is looked up according to the outbound security policy; if it exists, proceed to S205; if the lookup fails, proceed to step S206;

S205: the security association exists, and the information of the security association is saved in the data message;

S206: the security association does not exist; a security association is negotiated through the IKE protocol, and the information of the security association is saved in the data message;

S207: the outbound security policy match failed; the source address and the destination address of the incoming data message are swapped, and the inbound security policy is matched according to the five-tuple information;

S208: it is determined whether the matching of the inbound security policy succeeded; if it succeeded, proceed to step S209; if it failed, proceed to S210;

S209: the incoming data message is marked with a decryption tag;

S210: the incoming data message matches neither the outbound security policy nor the inbound security policy, and is discarded.
3. The dual encryption method based on IPsec and quantum keys according to claim 2, wherein step S40 specifically comprises:

S401: receiving data marked with an encryption tag or a decryption tag;

S402: determining whether the tag is an outbound tag or an inbound tag; if it is an outbound tag, proceeding to steps S403 to S405; if it is an inbound tag, proceeding to step S406;

S403: based on the encryption tag, encrypting the data message using the security association;

S404: obtaining the quantum key sa, and using the quantum key sa to encrypt again the data encrypted by the security association;

S405: the data processed by the data encryption and decryption module becomes outbound message data and is sent out from the encryption gateway;

S406: based on the decryption tag, obtaining the quantum key sa, and using the quantum key sa to decrypt the data;

S407: decrypting the data message using the security association to obtain the original data message.
4. The dual encryption method based on IPsec and quantum keys according to claim 3, wherein in step S403 the data encryption adopts the CBC+ mode, which specifically comprises:

for data whose length is greater than one encryption block, taking the data amounting to an integer multiple of the encryption block and performing CBC encryption on it to obtain ciphertext data 1;

for the remaining data, whose length is less than one encryption block, taking the encrypted ciphertext of the previous block as the IV value, encrypting the IV with the session key K, the encryption algorithm being SM4 and the encryption mode being ECB, to obtain Kiv, truncating Kiv so that its length equals the length of the plaintext data, and then XORing it with the plaintext data to obtain ciphertext data 2;

concatenating ciphertext data 1 and ciphertext data 2 to obtain the complete ciphertext;

the decryption process in step S407 specifically comprises:

for data whose length is greater than one decryption block, taking the data amounting to an integer multiple of the encryption block and performing CBC decryption on it to obtain plaintext data 1;

for the remaining data, whose length is less than one encryption block, taking the ciphertext of the previous block before decryption as the IV value, decrypting the IV with the session key K, the decryption algorithm being SM4 and the decryption mode being ECB, to obtain Kiv, truncating Kiv so that its length equals the length of the ciphertext data, and then XORing it with the ciphertext data to obtain plaintext data 2;

concatenating plaintext data 1 and plaintext data 2 to obtain the complete plaintext.
5. The dual encryption method based on IPsec and quantum keys according to claim 3, wherein step S404 specifically comprises:

S4041: calculating a quantum key ID from the SPIs of the initiator and the responder in the security association, the quantum key ID calculated from the SPIs being unique;

S4042: obtaining the quantum key sa from the quantum key pool by means of the quantum key ID;

S4043: using the quantum key sa to encrypt again the data encrypted by the IPSec sa, the encryption method being the same as that of S403;

step S406 specifically comprises:

S4061: calculating a quantum key ID from the SPIs of the initiator and the responder in the security association, the quantum key ID calculated from the SPIs being unique;

S4062: obtaining the quantum key sa from the quantum key pool by means of the quantum key ID;

S4063: using the quantum key sa to decrypt the data encrypted by the IPSec sa, the decryption method being the same as that of S407.

6. An encryption gateway for executing the dual encryption method based on IPsec and quantum keys according to any one of claims 1 to 5, comprising:

a quantum key module, by which the encryption gateway registers with the quantum key distribution center using a unique identifier; after successful registration, the quantum key distribution center injects quantum keys into the quantum key module of the encryption gateway;

an xfrm module, configured to receive an incoming data message and, by calling the encryption and decryption tags of the iptables module, mark the incoming data message with an encryption tag or a decryption tag;

an iptables module, which creates the encryption tag and the decryption tag in advance, sets rules in the POSTROUTING chain of the mangle table, creates a mount node using the encryption tag or the decryption tag, and sends the data packets marked with the encryption tag or the decryption tag to the encryption and decryption module;

a data encryption and decryption module, which encrypts the data once using the security association and then encrypts the data encrypted by the security association again using the quantum key sa, the double-encrypted data becoming outbound message data that is sent out from the encryption gateway; or which double-decrypts the data to obtain the original text of the ciphertext.
7. The encryption gateway for the dual encryption method based on IPsec and quantum keys according to claim 6, wherein the xfrm module specifically comprises:

an xfrm module entry unit: used for incoming data messages to enter the xfrm module;

an outbound security policy matching unit: used to match the outbound security policy according to the five-tuple information;

a first judgment unit: used to determine whether the matching of the outbound security policy succeeded;

a security association lookup unit: if the outbound security policy is matched successfully, used to mark the incoming data message with an encryption tag and to look up, according to the outbound security policy, whether the corresponding security association exists;

an encryption tagging unit: when the security association exists, saves the information of the security association in the data message;

a security association negotiation unit: when the security association does not exist, used to negotiate a security association through the IKE protocol and to save the information of the security association in the data message;

an inbound security policy matching unit: when the outbound security policy match fails, used to swap the source address and the destination address of the incoming data message and to match the inbound security policy according to the five-tuple information;

a second judgment unit: used to determine whether the matching of the inbound security policy succeeded;

a decryption tagging unit: if the inbound security policy is matched successfully, marks the incoming data message with a decryption tag;

a discard unit: if the incoming data message matches neither the outbound security policy nor the inbound security policy, it is discarded.

8. The encryption gateway for the dual encryption method based on IPsec and quantum keys according to claim 6, wherein the data encryption and decryption module specifically comprises:

a data receiving unit: receives data marked with an encryption tag or a decryption tag;

a direction tag judgment unit: determines whether the tag is an outbound tag or an inbound tag;

an encryption unit: if the tag is an outbound tag, encrypts the data message using the security association, based on the encryption tag;

a re-encryption unit: used to obtain the quantum key sa and to use the quantum key sa to encrypt again the data encrypted by the security association;

a sending unit: used to turn the re-encrypted data into outbound message data and send it out from the encryption gateway;

a decryption unit: if the tag is an inbound tag, obtains the quantum key sa based on the decryption tag and uses the quantum key sa to decrypt the data;

a second decryption unit: decrypts the data message using the security association to obtain the original data message.
9. The encryption gateway for the dual encryption method based on IPsec and quantum keys according to claim 8, wherein the data encryption adopts the CBC+ mode, which specifically comprises:

for data whose length is greater than one encryption block, taking the data amounting to an integer multiple of the encryption block and performing CBC encryption on it to obtain ciphertext data 1;

for the remaining data, whose length is less than one encryption block, taking the encrypted ciphertext of the previous block as the IV value, encrypting the IV with the session key K, the encryption algorithm being SM4 and the encryption mode being ECB, to obtain Kiv, truncating Kiv so that its length equals the length of the plaintext data, and then XORing it with the plaintext data to obtain ciphertext data 2;

concatenating ciphertext data 1 and ciphertext data 2 to obtain the complete ciphertext;

the decryption process specifically comprises:

for data whose length is greater than one decryption block, taking the data amounting to an integer multiple of the encryption block and performing CBC decryption on it to obtain plaintext data 1;

for the remaining data, whose length is less than one encryption block, taking the ciphertext of the previous block before decryption as the IV value, decrypting the IV with the session key K, the decryption algorithm being SM4 and the decryption mode being ECB, to obtain Kiv, truncating Kiv so that its length equals the length of the ciphertext data, and then XORing it with the ciphertext data to obtain plaintext data 2;

concatenating plaintext data 1 and plaintext data 2 to obtain the complete plaintext.
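The CBC+ mode of claims 4 and 9, layered twice as in steps S403/S404 and undone in the order of S406/S407, as an added example that is not code from the patent or the applicant. Assumptions: `StandInBlockCipher` is a constructed Feistel permutation used in place of SM4 so the block runs with only the standard library; the keys and IVs are constructed; a payload shorter than one block uses the CBC IV as its "previous block"; and Kiv is computed with the block-encrypt operation on both sides, since the final XOR only inverts when sender and receiver derive the same Kiv.

```python
import hashlib
import hmac

BLOCK = 16  # SM4 works on 128-bit blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class StandInBlockCipher:
    """Constructed 8-round Feistel permutation standing in for SM4.

    NOT SM4 and not for production use: it only supplies an invertible
    16-byte block operation so the mode logic below runs offline.
    """

    def __init__(self, key: bytes, rounds: int = 8):
        self._rks = [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]

    @staticmethod
    def _f(rk: bytes, half: bytes) -> bytes:
        return hmac.new(rk, half, hashlib.sha256).digest()[:8]

    def encrypt_block(self, block: bytes) -> bytes:
        left, right = block[:8], block[8:]
        for rk in self._rks:
            left, right = right, _xor(left, self._f(rk, right))
        return left + right

    def decrypt_block(self, block: bytes) -> bytes:
        left, right = block[:8], block[8:]
        for rk in reversed(self._rks):
            left, right = _xor(right, self._f(rk, left)), left
        return left + right


def cbc_plus_encrypt(cipher, iv: bytes, plaintext: bytes) -> bytes:
    full = len(plaintext) - len(plaintext) % BLOCK
    prev, out = iv, bytearray()
    for i in range(0, full, BLOCK):            # ciphertext data 1: ordinary CBC
        prev = cipher.encrypt_block(_xor(plaintext[i:i + BLOCK], prev))
        out += prev
    tail = plaintext[full:]
    if tail:                                   # ciphertext data 2: tail XOR truncated Kiv
        kiv = cipher.encrypt_block(prev)       # ECB over one block is one block operation
        out += _xor(tail, kiv[:len(tail)])
    return bytes(out)


def cbc_plus_decrypt(cipher, iv: bytes, ciphertext: bytes) -> bytes:
    full = len(ciphertext) - len(ciphertext) % BLOCK
    prev, out = iv, bytearray()
    for i in range(0, full, BLOCK):            # plaintext data 1: ordinary CBC
        block = ciphertext[i:i + BLOCK]
        out += _xor(cipher.decrypt_block(block), prev)
        prev = block                           # previous block *before* decryption
    tail = ciphertext[full:]
    if tail:                                   # plaintext data 2: same Kiv as the sender
        kiv = cipher.encrypt_block(prev)
        out += _xor(tail, kiv[:len(tail)])
    return bytes(out)


def double_encrypt(payload, sa_key, sa_iv, q_key, q_iv):
    inner = cbc_plus_encrypt(StandInBlockCipher(sa_key), sa_iv, payload)   # S403
    return cbc_plus_encrypt(StandInBlockCipher(q_key), q_iv, inner)        # S404


def double_decrypt(wire, sa_key, sa_iv, q_key, q_iv):
    inner = cbc_plus_decrypt(StandInBlockCipher(q_key), q_iv, wire)        # S406
    return cbc_plus_decrypt(StandInBlockCipher(sa_key), sa_iv, inner)      # S407


# Constructed demo values (not from the patent).
SA_KEY, Q_KEY = bytes(range(16)), bytes(range(16, 32))
SA_IV, Q_IV = b"\x11" * BLOCK, b"\x22" * BLOCK

if __name__ == "__main__":
    for n in (5, 16, 37):
        msg = bytes(range(n))
        wire = double_encrypt(msg, SA_KEY, SA_IV, Q_KEY, Q_IV)
        ok = double_decrypt(wire, SA_KEY, SA_IV, Q_KEY, Q_IV) == msg
        print(n, len(wire), wire.hex(), ok)
```

The output is always exactly as long as the input, so neither layer adds padding. Neither layer authenticates the data, so integrity protection has to come from a separate mechanism.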
10. A dual encryption method based on IPsec and quantum keys, applied to message data passed from a first encryption gateway to a second encryption gateway, wherein the first encryption gateway and the second encryption gateway are dual encryption gateways according to any one of claims 6 to 9, and the encryption method comprises the following steps:

S1: the first encryption gateway registers with the quantum key distribution center using its unique identifier and the unique identifier of the second encryption gateway; after successful registration, the quantum key distribution center injects a first quantum key into the quantum key module of the first encryption gateway; the second encryption gateway registers with the quantum key distribution center using its unique identifier and the unique identifier of the first encryption gateway; after successful registration, the quantum key distribution center injects a second quantum key into the quantum key module of the second encryption gateway; the identifiers that the first encryption gateway and the second encryption gateway register with the quantum key distribution center are the same, forming the same quantum key pool, that is, the first quantum key and the second quantum key are identical;

S2: the first encryption gateway receives an incoming data message and marks the data packet of the incoming data message with an encryption tag through the xfrm module;

S3: the iptables module of the first encryption gateway, through the hook node created with the encryption tag, sends the data packet marked with the encryption tag in S2 to the encryption and decryption module;

S4: the data encryption and decryption module of the first encryption gateway, based on the encryption tag, encrypts the data message using the security association saved in the data message, obtains the quantum key sa from the quantum key pool, uses the quantum key sa to encrypt again the data encrypted by the security association, and sends it out;

S5: after receiving the ciphertext data from the first encryption gateway, the second encryption gateway swaps the source address and the destination address, matches the outbound security policy in the xfrm module using the five-tuple information, and obtains the security association corresponding to the security policy; at the same time, the incoming data message is marked with a decryption tag;

S6: the iptables module of the second encryption gateway, using the hook node created with the decryption tag, sends the data packet marked with the decryption tag in step S5 to the encryption and decryption module;

S7: the second encryption gateway obtains the quantum key sa from the quantum key pool of the quantum encryption module, and uses the quantum key sa to decrypt the data;

S8: the data encryption and decryption module of the second encryption gateway, based on the decryption tag, decrypts the data message again using the security association saved in the data message, to obtain the original data message.

11. A computing processing device, comprising:

a memory in which computer-readable code is stored;

one or more processors, wherein when the computer-readable code is executed by the one or more processors, the computing processing device performs the dual encryption method based on IPsec and quantum keys according to any one of claims 1 to 5.

12. A computer program, comprising computer-readable code which, when run on a computing processing device, causes the computing processing device to perform the dual encryption method based on IPsec and quantum keys according to any one of claims 1 to 5.

13. A computer-readable medium in which the computer program according to claim 12 is stored.
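The tagging decision of steps S201 to S210 (claim 2, restated for the xfrm module in claim 7 and used by both gateways in claim 10), written as a pure function; this is an added example, not the applicant's code. Assumptions: the `FiveTuple`, `Policy` and `tag_packet` names, the tag strings, the constructed 10.1.0.0/16 and 10.2.0.0/16 policies, inbound policies stored in the orientation that matches the address-swapped tuple, and a `negotiate` callback standing in for IKE.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FiveTuple:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


@dataclass(frozen=True)
class Policy:
    name: str
    src_net: str
    dst_net: str
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, t: FiveTuple) -> bool:
        return (ip_address(t.src) in ip_network(self.src_net)
                and ip_address(t.dst) in ip_network(self.dst_net)
                and self.proto in (None, t.proto)
                and self.dport in (None, t.dport))


def _first_match(policies: List[Policy], t: FiveTuple) -> Optional[Policy]:
    return next((p for p in policies if p.matches(t)), None)


def tag_packet(t: FiveTuple, outbound: List[Policy], inbound: List[Policy],
               sa_table: Dict[str, dict],
               negotiate: Callable[[Policy], dict]) -> Tuple[str, Optional[dict]]:
    """Return (tag, security association) for one incoming packet."""
    policy = _first_match(outbound, t)                      # S202, S203
    if policy is not None:
        sa = sa_table.get(policy.name)                      # S204: look up the SA
        if sa is None:                                      # S206: negotiate, then cache
            sa = sa_table[policy.name] = negotiate(policy)
        return "ENCRYPT", sa                                # S205: SA travels with the packet
    swapped = replace(t, src=t.dst, dst=t.src)              # S207: swap addresses only
    policy = _first_match(inbound, swapped)                 # S208
    if policy is not None:
        return "DECRYPT", sa_table.get(policy.name)         # S209
    return "DROP", None                                     # S210: no policy, fail closed


# Constructed policies for a gateway protecting 10.1.0.0/16 towards 10.2.0.0/16.
OUTBOUND = [Policy("site-a-to-b", "10.1.0.0/16", "10.2.0.0/16")]
INBOUND = [Policy("site-b-to-a", "10.1.0.0/16", "10.2.0.0/16")]

if __name__ == "__main__":
    table: Dict[str, dict] = {}
    fake_ike = lambda p: {"policy": p.name, "spi": 0x1001}  # constructed SA record
    for pkt in (FiveTuple("10.1.0.5", "10.2.0.9", 40000, 443, "tcp"),
                FiveTuple("10.2.0.9", "10.1.0.5", 443, 40000, "tcp"),
                FiveTuple("192.0.2.7", "10.1.0.5", 5000, 22, "tcp")):
        print(pkt, tag_packet(pkt, OUTBOUND, INBOUND, table, fake_ike))
```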
PCT/CN2024/120830 2023-12-08 2024-09-24 Double-encryption method based on ipsec and quantum key, and encryption gateway Pending WO2025118789A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202311694033.6 2023-12-08
CN202311694033.6A CN117640235A (en) 2023-12-08 2023-12-08 Dual encryption method based on IPsec and quantum key and encryption gateway

Publications (1)

Publication Number Publication Date
WO2025118789A1 true WO2025118789A1 (en) 2025-06-12

Family

ID=90018160

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2024/120830 Pending WO2025118789A1 (en) 2023-12-08 2024-09-24 Double-encryption method based on ipsec and quantum key, and encryption gateway

Country Status (2)

Country Link
CN (1) CN117640235A (en)
WO (1) WO2025118789A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117640235A (en) * 2023-12-08 2024-03-01 中电信量子科技有限公司 Dual encryption method based on IPsec and quantum key and encryption gateway
CN119583147A (en) * 2024-11-25 2025-03-07 中电信量子科技有限公司 Layer 2 message transmission method and system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104320332A (en) * 2014-11-13 2015-01-28 济南华汉电气科技有限公司 Multi-protocol industrial communication safety gateway and communication method with gateway applied
CN108075890A (en) * 2016-11-16 2018-05-25 中兴通讯股份有限公司 Data sending terminal, data receiver, data transmission method and system
CN110190956A (en) * 2019-05-28 2019-08-30 杭州迪普科技股份有限公司 Data transmission method, device, electronic equipment and machine readable storage medium
US20190372936A1 (en) * 2018-05-31 2019-12-05 Cisco Technology, Inc. Encryption for gateway tunnel-based vpns independent of wan transport addresses
CN111147344A (en) * 2019-12-16 2020-05-12 武汉思为同飞网络技术股份有限公司 Virtual private network implementation method, device, equipment and medium
CN115567205A (en) * 2022-09-29 2023-01-03 中电信量子科技有限公司 Method and system for implementing encryption and decryption of network session data streams by using quantum key distribution
CN116886303A (en) * 2023-09-05 2023-10-13 中量科(南京)科技有限公司 Encryption method, device and storage medium for generating session key based on quantum key
CN117640235A (en) * 2023-12-08 2024-03-01 中电信量子科技有限公司 Dual encryption method based on IPsec and quantum key and encryption gateway

Also Published As

Publication number Publication date
CN117640235A (en) 2024-03-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24899433

Country of ref document: EP

Kind code of ref document: A1