Quantum key management method, device, equipment, system and storage medium

By introducing key service identifiers and policy management into the QKD network, QKD nodes determine key service identifiers based on application information and provide differentiated policies, which solves the problem of poor flexibility in key service modes in existing technologies and improves the efficiency and flexibility of encryption services.

CN120342605B · Active · Publication Date: 2026-06-23 · CHINA TELECOM CORP LTD TECHNOLOGY INNOVATION CENTER +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA TELECOM CORP LTD TECHNOLOGY INNOVATION CENTER
Filing Date
2025-05-26
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

Existing key service models are inflexible and inefficient, and cannot effectively meet the diverse encryption business needs.

Method used

By introducing a key service identifier and policy management mechanism into the QKD network, the key manager of the QKD node determines the key service identifier based on the application's key application information, and provides differentiated key services according to the application's key service policy based on the correspondence provided by the QKD network controller.

Benefits of technology

It enables the perception and differentiated key services for different encryption businesses, improving the efficiency and flexibility of key services and meeting diverse encryption business needs.

✦ Generated by Eureka AI based on patent content.

Abstract drawing: Figure CN120342605B_ABST

Abstract

The present disclosure provides a quantum key management method, device, equipment, system and storage medium, and relates to the technical field of communication. The method comprises: determining, by a key manager of a QKD node, an applied key service identifier, wherein the key service identifier is determined by key application information sent by an application; determining, according to the key service identifier of the application, a key service strategy of the application based on a first correspondence relationship, wherein the first correspondence relationship comprises a correspondence relationship between the key service identifier and the key service strategy, and the first correspondence relationship is determined by a QKD network controller based on QKD network state information and the key service identifier; and providing a key service according to the key service strategy of the application. Different encryption services are perceived, and differentiated key services are provided for different encryption services, thereby improving service efficiency.

Description

Technical Field

[0001] This disclosure relates to the field of communication technology, and in particular to a quantum key management method, apparatus, device, system and storage medium.

Background Technology

[0002] With the large-scale deployment of QKD (Quantum Key Distribution) networks, QKD networks can serve as a cryptographic infrastructure, allowing third parties to utilize the QKD networks deployed by operators to encrypt their business data and thus achieve corresponding confidential business functions.

[0003] The QKD network supports an increasing variety of encrypted services, such as quantum-secure video conferencing, quantum-secure voice calls, quantum-secure email, and quantum-secure file transfer.

[0004] The current key service model is inflexible and inefficient.

Summary of the Invention

[0005] This disclosure provides a quantum key management method, apparatus, device, system, and storage medium, which at least to some extent overcomes the problem of low efficiency in related technologies.

[0006] Other features and advantages of this disclosure will become apparent from the following detailed description, or may be learned in part by practice of this disclosure.

[0007] According to one aspect of this disclosure, a quantum key management method is provided, which is applied to the key manager of each QKD node in a QKD network, comprising: determining a key service identifier, wherein the key service identifier is determined by key application information sent by an application; determining a key service policy of an application based on the key service identifier of the application and a first correspondence relationship, wherein the first correspondence relationship includes a correspondence relationship between the key service identifier and the key service policy, and the first correspondence relationship is determined by a QKD network controller based on QKD network state information and the key service identifier; and providing key services according to the key service policy of the application.

[0008] In some possible embodiments of this disclosure, when the QKD node is an edge node, determining the key service identifier of the application includes: receiving key application information sent by the application; and generating a key service identifier based on the key application information.

[0009] In some possible embodiments of this disclosure, when the QKD node is a relay node or an access node, determining the key service identifier of the application includes: receiving a key relay packet sent by the edge node; and reading the key service identifier encapsulated in the header portion of the key relay packet.

[0010] In some possible embodiments of this disclosure, providing key services according to the application's key service policy includes: processing key relay packets according to the key service policy, providing key relay services, generating end-to-end keys for the application, and sending end-to-end keys to the application.

[0011] In some possible embodiments of this disclosure, providing key services based on an application's key service policy includes: generating a key relay packet for the application based on the application's key service identifier; processing the key relay packet based on the key service policy to provide key relay services and generate an end-to-end key for the application; and sending the end-to-end key to the application.

[0012] In some possible embodiments of this disclosure, the key service strategy includes at least one of the following: key transmission priority, key relay transmission path, and key management layer slicing.

[0013] In some possible embodiments of this disclosure, the first correspondence is periodically sent by the QKD network controller to the key manager of the QKD node, wherein the QKD node includes one of the following: edge node, access node, and relay node.

[0014] In some possible embodiments of this disclosure, the method further includes: sending a key service policy distribution request to the QKD network controller, so that the QKD network controller sends a first correspondence to the key manager of the QKD node based on the key service policy distribution request; and receiving the first correspondence sent by the QKD network controller.

[0015] In some possible embodiments of this disclosure, the key application information includes an application identifier and/or a device identifier of the device on which the application is deployed.

[0016] According to another aspect of this disclosure, a quantum key management method is also provided, which is applied to a QKD network controller, comprising: acquiring QKD network state information and key service identifiers; determining a first correspondence based on the QKD network state information, wherein the first correspondence includes a correspondence between key service identifiers and key service policies; and sending the first correspondence to the key manager of each QKD node, so that the key manager of each QKD node determines the applied key service policy from the first correspondence and provides key services according to the applied key service policy.

[0017] In some possible embodiments of this disclosure, obtaining the key service identifier includes: obtaining a second correspondence sent by the QKD network management system, wherein the second correspondence includes a correspondence between the key service identifier and the cryptographic application requirement information; determining the first correspondence based on the QKD network status information includes: determining the key service policy corresponding to each key service identifier based on the QKD network status information and the cryptographic application requirement information corresponding to each key service identifier.

[0018] In some possible embodiments of this disclosure, obtaining QKD network status information includes: periodically sending network status requests to the QKD network management system, wherein the network status requests are used to instruct the QKD network management system to send QKD network status information to the QKD network controller; and receiving QKD network status information sent by the QKD network management system.

[0019] According to another aspect of this disclosure, a quantum key management system is also provided, comprising: a key manager for each QKD node in a QKD network and a QKD network controller; wherein the QKD network controller is configured to acquire QKD network status information and key service identifiers; determine a first correspondence based on the QKD network status information, wherein the first correspondence includes a correspondence between key service identifiers and key service policies; send the first correspondence to the key managers of each QKD node; the key managers of each QKD node are configured to determine a key service identifier for an application, wherein the key service identifier is determined by key application information sent by the application; determine a key service policy for the application based on the key service identifier and the first correspondence, wherein the first correspondence includes a correspondence between key service identifiers and key service policies, and the first correspondence is determined by the QKD network controller based on the QKD network status information and the key service identifiers; and provide key services according to the key service policy of the application.

[0020] In some possible embodiments of this disclosure, the system further includes: a QKD network management system; the QKD network management system being used to send QKD network status information and key service identifier to the QKD network controller.

[0021] According to another aspect of this disclosure, a quantum key management device is also provided, which is configured in the key manager of a QKD node in a QKD network, comprising: a key service identifier determination module, configured to determine a key service identifier of an application, wherein the key service identifier is determined by key application information sent by the application; a key service policy determination module, configured to determine a key service policy of the application based on the key service identifier of the application and a first correspondence relationship, wherein the first correspondence relationship includes a correspondence relationship between the key service identifier and the key service policy, and the first correspondence relationship is determined by the QKD network controller based on QKD network status information and the key service identifier; and a key service provision module, configured to provide key services according to the key service policy of the application.

[0022] According to another aspect of this disclosure, a quantum key management device is also provided, configured in a QKD network controller, comprising: an acquisition module for acquiring QKD network status information and key service identifiers; a first correspondence determination module for determining a first correspondence based on the QKD network status information, wherein the first correspondence includes a correspondence between key service identifiers and key service policies; and a first correspondence sending module for sending the first correspondence to the key managers of each QKD node, so that the key managers of each QKD node determine the applied key service policy from the first correspondence and provide key services according to the applied key service policy.

[0023] According to another aspect of this disclosure, an electronic device is also provided, comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the quantum key management method of any one of the above by executing the executable instructions.

[0024] According to another aspect of this disclosure, a computer-readable storage medium is also provided, on which a computer program is stored, which, when executed by a processor, implements the quantum key management method of any one of the above.

[0025] According to another aspect of this disclosure, a computer program product is also provided, comprising: a computer program or instructions that, when executed by a processor, implement a quantum key management method for any of the above.

[0026] The technical solutions provided by the embodiments of this disclosure may include the following beneficial effects:

[0027] The quantum key management method provided in the embodiments of this disclosure involves a QKD node determining the key service identifier of an application, wherein the key service identifier is determined by the key application information sent by the application. Then, based on the key service identifier of the application, the key service policy of the application is determined in the correspondence between the key service identifier and the key service policy. Key services are provided according to the key service policy of the application, thereby realizing the perception of different encryption services and providing differentiated key services for different encryption services, thus improving service efficiency.

[0028] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and are not intended to limit this disclosure.

Description of the Drawings

[0029] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of this disclosure. It is obvious that the drawings described below are merely some embodiments of this disclosure, and those skilled in the art can obtain other drawings based on these drawings without any inventive effort.

[0030] Figure 1 is a flowchart of a quantum key management method executed by the key manager of a QKD node in an embodiment of this disclosure;

[0031] Figure 2 is a flowchart of another quantum key management method, executed by the key manager of an edge node, in an embodiment of this disclosure;

[0032] Figure 3 is a flowchart of another quantum key management method, executed by the key manager of an access node or a relay node, in an embodiment of this disclosure;

[0033] Figure 4 is a flowchart of another quantum key management method executed by the key manager of a QKD node in an embodiment of this disclosure;

[0034] Figure 5 is a flowchart of a quantum key management method executed by a QKD network controller in an embodiment of this disclosure;

[0035] Figure 6 shows another quantum key management method executed by a QKD network controller in an embodiment of this disclosure;

[0036] Figure 7 is a structural block diagram of the quantum key management system in an embodiment of this disclosure;

[0037] Figure 8 is a flowchart of the quantum key management interaction method in an embodiment of this disclosure;

[0038] Figure 9 is a schematic diagram of a quantum key management scenario in an embodiment of this disclosure;

[0039] Figure 10 is a key distribution flowchart for the quantum key management scenario in an embodiment of this disclosure;

[0040] Figure 11 shows a quantum key management device in an embodiment of this disclosure;

[0041] Figure 12 shows another quantum key management device in an embodiment of this disclosure;

[0042] Figure 13 is a structural block diagram of an electronic device in an embodiment of this disclosure.

Detailed Implementation

[0043] Exemplary embodiments will now be described more fully with reference to the accompanying drawings. However, these exemplary embodiments can be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, they are provided so that this disclosure will be more comprehensive and complete, and will fully convey the concept of the exemplary embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.

[0044] Furthermore, the accompanying drawings are merely illustrative of this disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and therefore repeated descriptions of them will be omitted. Some block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different network and/or processor devices and/or microcontroller devices.

[0045] To facilitate understanding, before introducing the embodiments of this disclosure, the following explanations are provided for several terms involved in the embodiments of this disclosure:

[0046] QKD: A technology that uses the principles of quantum mechanics to ensure that two communicating parties can securely share encryption keys. The core of QKD is based on the fundamental principles of quantum mechanics to ensure that the two communicating parties can generate a string of identical random numbers that attackers cannot obtain, which can be used as a shared key to achieve secure information exchange.

[0047] A QKD network is a system that connects multiple QKD devices to form a larger QKD system that can cover a wider area and serve more users. A QKD network allows users in different geographical locations to securely exchange keys and supports various encrypted applications, such as quantum-secure video conferencing, quantum-secure voice calls, quantum-secure email, and quantum-secure file transfer.

[0048] Figure 1 is a flowchart of a quantum key management method according to an embodiment of the present disclosure. The method can be executed by the key manager of any QKD node with computational processing capability. As shown in Figure 1, the quantum key management method includes the following steps.

[0049] The aforementioned QKD nodes include edge nodes, access nodes, and relay nodes. Edge nodes can be understood as QKD devices located at the edge of the QKD network, close to the user terminal. Edge nodes can be physical devices, typically including QKD modules and key managers. Access nodes and relay nodes can be understood as core network devices of the QKD network; they can also be physical devices, typically including QKD modules and key managers.

[0050] S102. Determine the key service identifier of the application, wherein the key service identifier is determined by the key application information sent by the application.

[0051] In this context, "application" can be understood as an application that uses QKD technology to encrypt data. These applications include, but are not limited to: quantum-secure video conferencing, quantum-secure voice calls, quantum-secure email, and quantum-secure file transfer.

[0052] Key application information can be understood as information that distinguishes different applications or the devices on which applications reside. Key application information includes, but is not limited to: application identifiers using QKD technology or device identifiers using QKD technology.

[0053] Each key service identifier corresponds to a different key service requirement, which comprises the quality-of-service requirements of the key service, including but not limited to: key response latency, key response latency jitter, throughput, key transmission loss rate, etc. Each key service identifier is determined from the key application information sent by the application according to set rules. Specifically, the application's key service identifier is determined according to the application identifier and/or the device identifier of the device on which the application is deployed.

[0054] S104. Determine the application's key service policy based on the first correspondence relationship according to the application's key service identifier, wherein the first correspondence relationship includes the correspondence relationship between the key service identifier and the key service policy, and the first correspondence relationship is determined by the QKD network controller based on the QKD network status information and the key service identifier.

[0055] The first correspondence refers to the mapping between key service identifiers and key service policies. Each key service identifier is associated with a specific set of key management and service policies, which define the methods and processes for providing quantum key distribution services to different types of applications. The first correspondence is sent by the QKD network controller to the key manager of each QKD node in the QKD network; the QKD network includes edge nodes, access nodes, relay nodes, etc.

[0056] Key service policies can be understood as a series of rules or parameter configurations formulated for cryptographic application requirements, including but not limited to: key transmission priority, key relay transmission path, and key management layer slicing.

[0057] The QKD network controller manages and updates the first correspondence and, periodically or as needed, sends the latest first correspondence to the key manager of each QKD node in the QKD network.

[0058] Each QKD node searches the first correspondence in its local storage for the key service policy that matches the application's key service identifier. If a match is found, the corresponding key management operation is performed according to the key service policy recorded in the matching entry. If no match is found, a default policy can be used, or an error can be reported to the administrator for manual intervention.

[0059] In one possible implementation, the third party has three applications: video conferencing, file transfer, and email. The key service identifier for video conferencing is APP_VIDEO_CONF_01, and its corresponding key service policy is "high key transmission priority, key relay transmission path is Node 1-Application, real-time encryption layer". The key service identifier for file transfer is APP_FILE_XFER_02, and its key service policy is "medium key transmission priority, key relay transmission path is Node 1-Node 2-Application, batch management layer". The key service identifier for email is APP_EMAIL_SEC_03, and its key service policy is "low key transmission priority, key relay transmission path is Node 1-Node 2-Application, batch management layer".

[0060] Each QKD node's key manager searches for APP_VIDEO_CONF_01 in the first correspondence stored locally to find the corresponding key service policy: "High priority for key transmission, key relay transmission path is node 1-node 2-application, real-time encryption layer".

[0061] S106. Provide key services in accordance with the application's key service policy.

[0062] Providing key services can be understood as performing operations related to quantum key relay transmission, including but not limited to: quantum key relay, update, etc.

[0063] Performing key services includes, but is not limited to: prioritizing key requests from high-priority applications; performing key relay transmission using the transmission path specified in the key service policy; and performing key relay tasks on designated key management layer slices.

[0064] Each QKD node's key manager adjusts operations related to quantum key distribution based on the found key service policy to meet the specific needs of the application.

[0065] In a business scenario involving Application 1 and Application 2, Application 1's key service strategy, determined using the above method, is: "High priority for key transmission, key relay transmission path is Node 1-Application, real-time encryption layer." Application 2's key service strategy, determined using the same method, is: "Medium priority for key transmission, key transmission path is Node 1-Node 2-Application, batch management layer." When an edge node receives a key request from Application 1, it will process it first and quickly form an end-to-end key through the relay transmission path Node 1-Application. Key generation and management tasks are then performed in the real-time encryption layer. When an edge node receives a key request from Application 2, it will not be given the highest priority. Instead, it will transmit the key through the relay transmission path Node 1-Node 2-Application, performing key generation and management tasks in the batch management layer.

[0066] The quantum key management method provided in the embodiments of this disclosure involves the key manager of a QKD node determining the key service identifier of an application, wherein the key service identifier is determined by the key application information sent by the application; determining the key service policy of the application based on the key service identifier of the application and a first correspondence relationship, wherein the first correspondence relationship includes the correspondence between the key service identifier and the key service policy, and the first correspondence relationship is determined by the QKD network controller based on QKD network status information and the key service identifier; and providing key services according to the key service policy of the application, thereby realizing the awareness of different encryption services and providing differentiated key services for different encryption services, improving service efficiency.
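Steps S102 to S106, together with the key relay packet header of [0009] and the default-policy fallback of [0058], as an added Python example; this is not code from the patent. The identifiers and policies are those of [0059]. The relay packet wire format (a `KRP1` marker, a one-byte length, then the identifier), the numeric priority values, the default policy, and the rule that a node not on the policy's relay path refuses the packet are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class KeyServicePolicy:
    """Key service policy ([0056]): priority, relay path, key management layer slice."""
    priority: int                # higher value is served first (assumed numeric encoding)
    relay_path: Tuple[str, ...]  # hops from the edge node to the application
    slice_name: str              # key management layer slice


# Default policy applied when no entry matches ([0058]); the values are assumed.
DEFAULT_POLICY = KeyServicePolicy(0, ("Node 1", "Node 2", "Application"), "batch management layer")

# First correspondence holding the three applications of [0059].
FIRST_CORRESPONDENCE: Dict[str, KeyServicePolicy] = {
    "APP_VIDEO_CONF_01": KeyServicePolicy(3, ("Node 1", "Application"), "real-time encryption layer"),
    "APP_FILE_XFER_02": KeyServicePolicy(2, ("Node 1", "Node 2", "Application"), "batch management layer"),
    "APP_EMAIL_SEC_03": KeyServicePolicy(1, ("Node 1", "Node 2", "Application"), "batch management layer"),
}


def lookup_policy(ksid: str, table: Dict[str, KeyServicePolicy] = FIRST_CORRESPONDENCE
                  ) -> Tuple[KeyServicePolicy, bool]:
    """S104: policy for ksid; the bool tells the caller whether a real entry matched
    or the default policy was substituted."""
    policy = table.get(ksid)
    return (DEFAULT_POLICY, False) if policy is None else (policy, True)


MAGIC = b"KRP1"  # constructed relay-packet marker, not from the patent


def encapsulate_relay_packet(ksid: str, key_block: bytes) -> bytes:
    """Edge node: place the key service identifier in the header, key material after it."""
    ident = ksid.encode("ascii")
    if not 0 < len(ident) < 256:
        raise ValueError("identifier length must fit in one byte")
    return MAGIC + bytes([len(ident)]) + ident + key_block


def read_relay_packet_identifier(packet: bytes) -> str:
    """Relay/access node ([0009]): read the identifier from the header without touching the payload."""
    if len(packet) < 5 or packet[:4] != MAGIC:
        raise ValueError("not a key relay packet")
    n = packet[4]
    if len(packet) < 5 + n:
        raise ValueError("truncated header")
    return packet[5:5 + n].decode("ascii")


def next_hop(policy: KeyServicePolicy, current_node: str) -> Optional[str]:
    """Where the current node forwards the relay packet; None at the last hop.
    A node that is not on the policy's path refuses the packet instead of guessing a route."""
    if current_node not in policy.relay_path:
        raise ValueError(f"{current_node} is not on the relay path {policy.relay_path}")
    i = policy.relay_path.index(current_node)
    return policy.relay_path[i + 1] if i + 1 < len(policy.relay_path) else None


def plan_key_services(pending: List[Tuple[str, str]]) -> List[dict]:
    """S106: order pending (request_id, ksid) pairs by policy priority and record the
    relay path and slice each request will be served on."""
    plan = []
    for request_id, ksid in pending:
        policy, matched = lookup_policy(ksid)
        plan.append({"request": request_id, "ksid": ksid, "priority": policy.priority,
                     "path": policy.relay_path, "slice": policy.slice_name, "matched": matched})
    plan.sort(key=lambda p: p["priority"], reverse=True)  # stable: equal priorities keep arrival order
    return plan


if __name__ == "__main__":
    pkt = encapsulate_relay_packet("APP_VIDEO_CONF_01", b"\x00" * 32)  # constructed key block
    ksid = read_relay_packet_identifier(pkt)
    policy, _ = lookup_policy(ksid)
    print(ksid, "->", policy, "| next hop from Node 1:", next_hop(policy, "Node 1"))
    for entry in plan_key_services([("r1", "APP_EMAIL_SEC_03"), ("r2", "APP_VIDEO_CONF_01"), ("r3", "UNKNOWN")]):
        print(entry)
```

The `matched` flag is worth logging on the node: a steady stream of default-policy fallbacks means either the controller's push has not arrived or an application is presenting an identifier the controller never issued, and both deserve an operator's attention rather than silent best-effort service.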

[0067] Based on the above embodiments, this disclosure further optimizes the quantum key management method, wherein the optimized method is executed by edge nodes. As shown in Figure 2, the optimized quantum key management method mainly includes the following steps.

[0068] S202. The edge node obtains the key application information sent by the application, wherein the key application information includes the application identifier and/or the device identifier of the device on which the application is deployed.

[0069] An application identifier is an identifier used to uniquely identify an application, including but not limited to strings, numbers, or other forms of identifiers. Application identifiers are used to clearly distinguish different applications. A device identifier is an identifier used to uniquely identify the device on which the application is deployed. Device identifiers include, but are not limited to, hardware serial numbers, MAC addresses, IMEI numbers, or other types of unique codes. Device identifiers are used to identify and track the specific device using the QKD service. The device on which the application is deployed refers to the actual physical or virtual device on which the application is installed or running, including but not limited to personal computers, smartphones, tablets, servers, etc.

[0070] For example, if an employee of a company uses their own mobile phone (with a unique Device ID) to participate in a quantum-secure video conference provided by the company (with a unique Application ID), then the employee's mobile phone is the user device on which the video conferencing application is deployed.

[0071] The edge node receives a key request sent by an application deployed on a user device, wherein the key request carries the application identifier and/or the device identifier of the device on which the application is deployed.

[0072] S204. Edge nodes determine the key service identifier of the application based on key application information.

[0073] In one possible implementation, the application identifier is used as the key service identifier, or the device identifier on which the application is deployed is used as the corresponding key service identifier, or a combination of the application identifier and the device identifier on which the application is deployed is used as the key service identifier.

[0074] The key service identifier of an application is determined from the key application information according to set rules, including: determining the key service identifier of the application according to the application identifier and/or the device identifier of the device on which the application is deployed.

[0075] In one possible implementation, the application identifier is used as the key service identifier. For example, an enterprise uses a QKD network for data encryption, including two applications: quantum-secure video conferencing and quantum-secure email. The application identifier for video conferencing is APP_VIDEO_CONF_01; the application identifier for email is APP_EMAIL_SEC_02. In this case, the application identifier is directly used as the key service identifier. For example, the key service identifier for video conferencing is KEY_SERVICE_APP_VIDEO_CONF_01; and the key service identifier for email is KEY_SERVICE_APP_EMAIL_SEC_02.

[0076] In one possible implementation, the device identifier of the device on which the application is deployed is used as the key service identifier. For example, a company has multiple offices, each with its own independent encrypted router for local network security, and each router has a unique device identifier: the router identifier for office A is DEVICE_ROUTER_A_001 and the router identifier for office B is DEVICE_ROUTER_B_002. This device identifier can be used as the key service identifier, so the key service identifier corresponding to the router in office A is KEY_SERVICE_DEVICE_ROUTER_A_001 and the key service identifier corresponding to the router in office B is KEY_SERVICE_DEVICE_ROUTER_B_002.

[0077] In one possible implementation, when the key application information includes both the application identifier and the device identifier on which the application is deployed, the application identifier and the device identifier on which the application is deployed are combined as the key service identifier. For example, for video conferencing in the router of office A, the key service identifier is KEY_SERVICE_APP_VIDEO_CONF_01_DEVICE_ROUTER_A_001; for email in the router of office B, the key service identifier is KEY_SERVICE_APP_EMAIL_SEC_02_DEVICE_ROUTER_B_002.

[0078] In one possible implementation, when the key application information includes key service requirements, these requirements can be quantified. The quantified key service requirements, together with the application identifier and/or the device identifier of the device on which the application is deployed, determine the application's key service identifier. For example, the key service requirements for quantum-secure video conferencing include low latency, high bandwidth, a very high security level, and a key update frequency of once per hour. These are quantified as DELAY = LOW, BANDWIDTH = HIGH, SECURITY_LEVEL = VERY_HIGH, KEY_UPDATE_FREQ = HOURLY. The quantified requirements are then combined with the application identifier and the device identifier to form the final key service identifier: KEY_SERVICE_APP_VIDEO_CONF_01_DEVICE_ROUTER_A_001_DELAY_LOW_BANDWIDTH_HIGH_SECURITY_VERY_HIGH_KEYUPDATE_HOURLY.

[0079] In practical applications, to facilitate management and identification, encoding schemes or abbreviations can be used to shorten the key service identifier while retaining enough information to distinguish different key service configurations.

[0080] It should be noted that this embodiment is only an example of how to determine the key service identifier, and is not a limitation thereof.

[0081] Different applications, deployed on different devices, may have different key service requirements. By using identifiers individually or in combination, key service strategies can be customized according to specific key service needs to meet the key service requirements of different business scenarios.
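The identifier construction of [0076]-[0079], as an added example that is not part of the patent text: the application identifier, the device identifier, or both, are joined under a fixed prefix, and quantified requirements are appended in a fixed order using shortened labels. The prefix, the abbreviation table and the function name are assumptions; the sample identifiers are the ones the patent uses.

```python
# Added example (not the patent's own code): composing a key service
# identifier from key application information as described in [0076]-[0079].
# The prefix, the abbreviation table and the function name are assumptions.
from typing import Mapping, Optional

KEY_SERVICE_PREFIX = "KEY_SERVICE"  # assumed prefix, matching the patent's sample identifiers

# Quantified requirements are appended in this fixed order, using the
# shortened labels seen in [0078]/[0079] so the identifier stays readable.
REQUIREMENT_ABBREVIATIONS = {
    "DELAY": "DELAY",
    "BANDWIDTH": "BANDWIDTH",
    "SECURITY_LEVEL": "SECURITY",
    "KEY_UPDATE_FREQ": "KEYUPDATE",
}


def key_service_identifier(app_id: Optional[str] = None,
                           device_id: Optional[str] = None,
                           requirements: Optional[Mapping[str, str]] = None) -> str:
    """Build the key service identifier for one application.

    app_id alone, device_id alone, or both ([0076]-[0077]) may be given;
    quantified requirements, if present, are appended ([0078]).
    """
    if not app_id and not device_id:
        raise ValueError("key application information must carry an application "
                         "identifier and/or a device identifier")
    parts = [KEY_SERVICE_PREFIX]
    if app_id:
        parts.append(app_id)
    if device_id:
        parts.append(device_id)
    if requirements:
        unknown = set(requirements) - set(REQUIREMENT_ABBREVIATIONS)
        if unknown:
            # Reject requirement names the quantification table does not know,
            # so two nodes never encode the same requirement differently.
            raise ValueError(f"unknown key service requirements: {sorted(unknown)}")
        # Fixed iteration order: the same requirements always give the same
        # identifier regardless of the order in which they were supplied.
        for name, short in REQUIREMENT_ABBREVIATIONS.items():
            if name in requirements:
                parts.append(f"{short}_{requirements[name].upper()}")
    return "_".join(parts)
```

Because every node in the QKD network later matches policies on this string, determinism matters more than readability: the fixed prefix, fixed ordering and rejection of unknown requirement names guarantee that the edge node and every relay node derive byte-identical identifiers for the same application.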

[0082] S206. The edge node determines the application's key service policy based on the first correspondence relationship according to the application's key service identifier. The key service policy includes at least one of the following: key transmission priority; key relay transmission path; and key management layer slicing. The first correspondence relationship is periodically sent by the QKD network controller to each QKD node in the QKD network. The QKD node includes one of the following: edge node, access node, and relay node.

[0083] The first mapping relationship is defined by the QKD network controller based on the cryptographic application requirements. It defines the detailed key service policy corresponding to each key service identifier and periodically updates the key service policy corresponding to each key service identifier according to the QKD network. The updated first mapping relationship is then periodically pushed to the key manager of all QKD nodes.

[0084] Through a periodic synchronization mechanism, the QKD network controller adjusts the key service policy based on the latest QKD network status information, ensuring that the key service policy is adapted to the latest QKD network status information and improving the efficiency and quality of key services.

[0085] Key transmission priority refers to the order in which different application key requests are processed in a QKD network. High-priority applications will be given priority in resource contention. For applications with extremely high real-time and security requirements, a higher key transmission priority is set to quickly obtain the latest key, thereby ensuring the security and timeliness of communication.

[0086] A key relay transmission path refers to the specific key relay transmission route used to establish an end-to-end key between communicating parties. The selection of a key relay transmission path is based on several factors, including but not limited to latency, security, and cost. Choosing an appropriate key relay transmission path helps optimize the efficiency and security of key relay. For example, for applications requiring low latency, a direct path with fewer nodes can be selected.

[0087] Key management layer slicing (also referred to as key relay slicing) can be understood as selecting appropriate layers or modules within a multi-layered network architecture to perform key relay tasks. Different layers may offer different qualities of service; for example, some layers focus on fast response, while others emphasize high encryption strength. By selecting the most suitable key relay layer, the optimal quality of service can be provided based on the specific needs of the application.

[0088] In this embodiment, by setting key service strategies from different dimensions such as transmission priority, key relay transmission path, and key management layer slicing, resource utilization is improved while ensuring security, thereby improving the efficiency of key services.

[0089] S208. Generate a key relay packet, wherein the header of the key relay packet encapsulates a key service identifier.

[0090] A key relay packet is a structured data packet that includes the key to be relayed and metadata associated with that key, including but not limited to: the application's key service identifier, key validity timestamp, encryption algorithm identifier, checksum, destination address or routing information, etc., so as to securely relay it in a QKD network to form an end-to-end key.

[0091] S210. Provide key services in accordance with the application's key service policy.

[0092] When the key service policy allows direct delivery to the application, the edge node processes the key relay packet according to the key service policy, provides key relay service, generates the application's end-to-end key, and sends the end-to-end key to the application.

[0093] When the key service policy requires relaying, the edge node sends the relay packet to the corresponding access node or relay node according to the key service policy, so that the access node or relay node can execute the quantum key management process based on the key service identifier in the relay packet.

[0094] In this embodiment, abstract key application information is converted into quantized key service identifiers to facilitate the transmission of key service identifiers throughout the QKD network and improve the efficiency of quantum key management.

[0095] Based on the above embodiments, this disclosure further optimizes the quantum key management method, wherein the optimized quantum key management method is executed by a relay node or an access node. For example, as shown in Figure 3, the optimized quantum key management method mainly includes the following steps.

[0096] S302, Receive the key relay packet sent by the edge node.

[0097] A key relay packet is a structured data packet that includes the key to be relayed and metadata associated with that key, including but not limited to: the application's key service identifier, key validity timestamp, encryption algorithm identifier, checksum, destination address or routing information, etc.

[0098] The key relay packet is encapsulated and generated by the edge node, and the edge node determines the relay node or access node to receive the key relay packet according to the relay transmission path in the key service policy. After the edge node sends the key relay packet, the relay node or access node receives the key relay packet.

[0099] S304. Read the key service identifier encapsulated in the header of the key relay packet.

[0100] Key relay packets typically consist of two parts: a header and a payload. The header includes the application's key service identifier, key validity timestamp, encryption algorithm identifier, checksum, destination address or routing information, etc., guiding the packet's transmission and processing. The payload contains the actual data content (such as keys, business data, etc.). Reading the header is the first step in parsing a key relay packet, used to identify the packet's type and purpose.

[0101] Relay nodes or access nodes locate the identifier field in the packet header according to a custom protocol or standard key management protocol. The value of this field is extracted, which is the key service identifier.
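A concrete key relay packet format, added here as an example and not taken from the patent, covering the encapsulation of S208 ([0089]-[0090]) and the header read of S304 ([0099]-[0101]). The patent lists the header fields but not a wire format; the framing used below (a magic value, a 4-byte header length, a JSON-encoded header, then the key material as payload) and all function names are assumptions.

```python
# Added example (not the patent's own code): a key relay packet whose header
# encapsulates the key service identifier ([0089]-[0090]), and the header
# read a relay or access node performs ([0099]-[0101]). The framing (magic
# value, 4-byte header length, JSON header) is an assumption.
import hashlib
import hmac
import json
import struct
from typing import Tuple

MAGIC = b"KRP1"  # assumed framing marker identifying a key relay packet


def build_key_relay_packet(key_service_id: str, key_material: bytes, valid_until: int,
                           algorithm: str, destination: str) -> bytes:
    """Encapsulate key material plus the metadata listed in [0090] into one packet.

    The checksum covers the payload so a relay node can detect corruption.
    It is not an authenticator: protection against deliberate modification
    is assumed to come from the authenticated hop-by-hop channel between
    QKD nodes, not from this field.
    """
    header = {
        "key_service_id": key_service_id,
        "valid_until": valid_until,    # key validity timestamp (epoch seconds)
        "algorithm": algorithm,        # encryption algorithm identifier
        "destination": destination,    # destination address / routing information
        "checksum": hashlib.sha256(key_material).hexdigest(),
    }
    header_bytes = json.dumps(header, sort_keys=True).encode("utf-8")
    return MAGIC + struct.pack("!I", len(header_bytes)) + header_bytes + key_material


def _split(packet: bytes) -> Tuple[dict, bytes]:
    """Separate header and payload, checking the framing before trusting any field."""
    if len(packet) < 8 or packet[:4] != MAGIC:
        raise ValueError("not a key relay packet")
    (header_len,) = struct.unpack("!I", packet[4:8])
    if len(packet) < 8 + header_len:
        raise ValueError("truncated key relay packet")
    header = json.loads(packet[8:8 + header_len].decode("utf-8"))
    return header, packet[8 + header_len:]


def read_header(packet: bytes) -> dict:
    """First step of S304: parse only the header, without touching the payload."""
    return _split(packet)[0]


def read_key_service_identifier(packet: bytes) -> str:
    """Locate the identifier field in the header and return its value ([0101])."""
    return read_header(packet)["key_service_id"]


def parse_key_relay_packet(packet: bytes) -> Tuple[dict, bytes]:
    """Return (header, payload), rejecting a payload whose checksum does not match."""
    header, payload = _split(packet)
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, header.get("checksum", "")):
        raise ValueError("payload checksum mismatch")
    return header, payload
```

Relay and access nodes only need `read_key_service_identifier` to route and schedule a packet; the full `parse_key_relay_packet`, with its checksum verification, is what the node that consumes the key material should call before using it.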

[0102] S306. Determine the key service policy of the application based on the key service identifier of the application and a first correspondence relationship, wherein the first correspondence relationship includes the correspondence relationship between the key service identifier and the key service policy, and the first correspondence relationship is determined by the QKD network controller based on the QKD network status information and the key service identifier.

[0103] S308. Process the key relay packet according to the key service policy, provide key relay service, and generate the end-to-end key for the application.

[0104] In one possible implementation, the edge node sends a key relay packet to the access node or relay node according to the key service policy. The key manager on the access node or relay node reads the key service identifier in the header of the key relay packet, queries the first mapping relationship in its local cache based on the key service identifier, and obtains the corresponding key service policy.

[0105] The following operations are performed according to the key service policy: priority queue selection, key relay transmission path selection, and security layer slice scheduling. For example, the key relay packet is placed in a high-priority queue for fast forwarding, the key is transmitted according to the key relay transmission path in the key service policy, and the key relay packet is guided into the designated security layer for further processing.

[0106] For example, the key service strategy of an online payment application is as follows: high priority, key relay transmission path 1, and real-time encryption layer; the key relay packet is immediately placed in the high priority queue, key relay transmission path 1 is selected for key relay, and the real-time encryption layer is selected for fast key distribution, so as to ensure the security and timeliness of high-frequency transactions.

[0107] S310, Send the end-to-end key to the application.

[0108] In this embodiment, by adding key service identifiers to the key relay packet and having access nodes and relay nodes perform corresponding routing and slice selection operations based on these identifiers, fine-grained management of the key stream is achieved, thereby improving the efficiency of key services.

[0109] Based on the above embodiments, the present disclosure further optimizes the quantum key management method. For example, as shown in Figure 4, the optimized quantum key management method mainly includes the following steps.

[0110] S402. Send a key service policy distribution request to the QKD network controller so that the QKD network controller sends the first correspondence to the key manager of the QKD node based on the key service policy distribution request.

[0111] A key service policy issuance request can be understood as a request instruction sent by one or more QKD nodes to the QKD network controller, requesting the QKD network controller to issue the latest key service policy. The key service policy issuance request may include the QKD node's authentication information, ensuring that only authorized nodes can request policy updates.

[0112] Sending a key service policy distribution request to the QKD network controller includes: sending a key service policy distribution request to the QKD network controller in response to a new application being added to the QKD network, or sending a key service policy distribution request to the QKD network controller when the security or performance requirements of an existing application change, or periodically sending a key service policy distribution request to the QKD network controller.

[0113] After receiving the key service policy distribution request, the QKD network controller sends the most recent first correspondence to the key manager of each QKD node. The first correspondence includes the correspondence between each key service identifier, cryptographic application requirement information, and key service policies.

[0114] S404, Receive the first correspondence sent by the QKD network controller.

[0115] After receiving the first correspondence from the QKD network controller, each QKD node performs an integrity check to ensure the data has not been tampered with, and verifies the authenticity of the source, confirming that the information indeed originates from the QKD network controller and is not a forged data packet.

[0116] Each QKD node stores the received first correspondence in its local database or cache for quick subsequent lookups. It also updates its local key service policy configuration so that new or changed policies take effect immediately. For example, if the key transmission priority of application 1 changes from low to high, the corresponding key request will be placed in a higher-priority queue for processing.
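One way a node's key manager can perform the integrity and origin check of [0115] and the cache update of [0116], given as an added example rather than anything the patent specifies. The patent does not name a mechanism; assumed here are an HMAC-SHA256 over a canonical JSON encoding of the mapping, computed with a key shared between the controller and the node, and a monotonically increasing version number so that a stale or replayed mapping cannot overwrite newer policies. The shared key and the mappings are constructed demo values.

```python
# Added example (not the patent's own code): node-side verification and
# installation of a distributed first correspondence ([0115]-[0116]).
# HMAC over canonical JSON, a pre-shared controller key and a version
# counter are assumptions; the patent only requires that integrity and
# source authenticity be checked.
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed demo key; a deployment would provision one per node.
CONTROLLER_SHARED_KEY = b"constructed-demo-key-do-not-use"


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so controller and node compute the MAC over the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_first_correspondence(mapping: Dict[str, dict], version: int, key: bytes) -> dict:
    """Controller side: wrap the mapping with a version number and a MAC."""
    body = {"version": version, "mapping": mapping}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


class PolicyCache:
    """Node-side local cache of the first correspondence ([0116])."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.version = 0
        self.mapping: Dict[str, dict] = {}

    def install(self, message: dict) -> bool:
        """Verify a received mapping and install it; returns False if it is rejected."""
        body = message.get("body")
        mac = message.get("mac", "")
        if not isinstance(body, dict) or "version" not in body or "mapping" not in body:
            return False  # malformed message
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False  # modified in transit, or not produced by the controller
        if body["version"] <= self.version:
            return False  # stale or replayed mapping: keep the newer policies
        self.mapping = dict(body["mapping"])  # new/changed policies take effect at once
        self.version = body["version"]
        return True

    def policy_for(self, key_service_id: str) -> Optional[dict]:
        return self.mapping.get(key_service_id)
```

The version check is what turns an integrity check into a useful one: without it, an old but correctly authenticated mapping could be replayed to roll a node back to a weaker policy (for instance, the low priority that application 1 had before its change to high).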

[0117] S406. Determine the key service identifier of the application, wherein the key service identifier is determined by the key application information sent by the application.

[0118] S408. Determine the key service policy of the application based on the key service identifier of the application and a first correspondence relationship, wherein the first correspondence relationship includes the correspondence relationship between the key service identifier and the key service policy, and the first correspondence relationship is determined by the QKD network controller based on the QKD network status information and the key service identifier.

[0119] S410. Provide key services in accordance with the key service policy of the application.

[0120] In this embodiment, the QKD network controller issues the first correspondence only after the edge node initiates the request, avoiding the problem of outdated or redundant policies that may occur in the "full broadcast" policy issuance, reducing the communication overhead between the QKD network controller and the edge node, and reducing bandwidth usage.

[0121] Figure 5 is a flowchart of a quantum key management method according to an embodiment of the present disclosure. This embodiment provides a quantum key management method that can be executed by any QKD network controller with computational processing capabilities. As shown in Figure 5, the quantum key management method of this embodiment includes the following steps.

[0122] S502, Obtain QKD network status information and key service identifier.

[0123] The QKD network status information can be understood as the current operating status and technical parameters of the entire QKD network, including but not limited to: the availability of each QKD link, the key generation rate of the link, channel loss, bit error rate, current link load, available relay nodes, key management layer slice resources, remaining key quantity, key consumption rate, etc.

[0124] Obtaining QKD network status information includes: obtaining QKD network status information issued by the QKD network management system. The QKD network management system is a centralized management platform used to monitor and manage the operation of the entire QKD network, providing comprehensive monitoring of QKD devices, network status, and the overall network topology.

[0125] The QKD network controller obtains QKD network status information from the QKD network management system, dynamically adjusts the key service policy based on the QKD network status information, and coordinates the key distribution work among edge nodes, access nodes, and relay nodes.

[0126] Obtaining the key service identifier includes: obtaining the key service identifier issued by the QKD network management system. Each key service identifier corresponds to different cryptographic application requirement information. The cryptographic application requirement information includes the application identifier, the device identifier of the deployed application, and the key service requirement. The key service requirement includes the service quality related to the key service, including but not limited to: key response latency, key response latency jitter, throughput, key transmission loss rate, etc.

[0127] S504. Determine the first correspondence based on the QKD network status information, wherein the first correspondence includes the correspondence between the key service identifier and the key service policy.

[0128] The key service policy includes a series of rules and parameters used to provide personalized key services for applications. The key service policy includes, but is not limited to: key transmission priority, key relay transmission path selection, and security layer slicing configuration. Key transmission priority includes: high, medium, and low. Key relay transmission paths include: shortest path, low-latency path, and cost-effective path. Security layer slicing configuration includes: real-time encryption layer, batch processing layer, etc.

[0129] In one possible implementation, each key service identifier corresponds to a key service request. The key service strategy corresponding to that key service identifier is determined based on the QKD network status information and the key service request. For example, when the QKD network status information indicates an idle state, for high-priority voice call encryption, an idle or optimal path is determined for key relay, thereby providing end-to-end key service. For low-priority email encryption, a suboptimal path can be determined for key relay, thus providing end-to-end key service. If the obtained QKD network status information indicates a busy state, or if key requests or key relays are congested, a degraded key service strategy may be proposed based on the QKD network status information.

[0130] S506. The first correspondence is sent to the key manager of each QKD node, so that the key manager of each QKD node can determine the key service policy of the application from the first correspondence and provide key service according to the key service policy of the application.

[0131] After determining the first correspondence, the QKD network controller distributes the updated first correspondence to the relevant edge nodes, access nodes, and relay nodes. Upon receiving it, the edge nodes, access nodes, and relay nodes immediately perform key relay, encapsulation, and forwarding tasks according to the key service policy in the updated first correspondence.

[0132] In this embodiment, the first correspondence is dynamically adjusted based on QKD network state information, which enables flexible response to changes in the network environment and ensures that each application can obtain the key service strategy most suitable for its own needs, thereby improving key security and key service efficiency.

[0133] Based on the above embodiments, the present disclosure further optimizes the quantum key management method. For example, as shown in Figure 6, the optimized quantum key management method mainly includes the following steps.

[0134] S602. Obtain the second correspondence relationship sent by the QKD network management system, wherein the second correspondence relationship includes the correspondence between the key service identifier and the cryptographic application requirement information.

[0135] Cryptographic application requirements information includes the application identifier that uses the key, the device identifier that deploys the application, and key service requirements.

[0136] The QKD network management system obtains cryptographic application requirement information from the user's network system. Then, based on the application identifier and/or the device identifier on which the application is deployed in the cryptographic application requirement information, it determines the corresponding key service identifier. After determining the key service identifier, a correspondence is established between the key service identifier and the cryptographic application requirement information; this is the second correspondence. The QKD network management system periodically sends this second correspondence to the QKD network controller.

[0137] The method for determining the key service identifier based on the application identifier and/or the device identifier on which the application is deployed can be referred to the description in the above embodiments, and will not be repeated in this embodiment.

[0138] S604. Periodically send network status requests to the QKD network management system, wherein the network status request is used to instruct the QKD network management system to send QKD network status information to the QKD network controller.

[0139] A network status request is a query sent by the QKD network controller to the QKD network management system to obtain the latest QKD network status information. The network status request includes network status information requirements or query conditions so that the QKD network management system can provide the necessary data accordingly.

[0140] A timer is set up inside the QKD network controller to trigger a network status request at preset time intervals (e.g., every 5 minutes). When the QKD network management system receives the network status request, it collects and organizes the current QKD network status information and returns it to the QKD network controller through the same communication channel.

[0141] S606. Receive QKD network status information sent by the QKD network management system.

[0142] Upon receiving the response, the QKD network controller parses and verifies the returned data to ensure its integrity and accuracy. If the data format is JSON, it can be converted into operable objects or structures using a suitable parsing library. The parsed QKD network status information is stored in a local database or cache for subsequent decision-making. The QKD network controller can adjust key service policies, select the optimal path, and optimize resource allocation based on the QKD network status information.

[0143] By periodically sending network status requests to the QKD network management system, the QKD network controller can obtain the latest network status information in a timely manner, thereby making more accurate decisions and improving the efficiency of key services.

[0144] S608. Based on the QKD network status information and the cryptographic application requirement information corresponding to each key service identifier, determine the key service strategy corresponding to each key service identifier. The key service strategy includes at least one of the following: key transmission priority, key relay transmission path, and key management layer slicing.

[0145] Key transmission priority refers to the order in which different application key requests are processed in a QKD network. Higher-priority applications will be given priority in resource contention. For applications with extremely high real-time and security requirements, a higher key transmission priority is set to quickly obtain the latest key, thereby ensuring the security and timeliness of communication.

[0146] A key relay transmission path refers to the specific key relay route from the source edge node to the destination edge node to form an end-to-end key. The selection of a key relay transmission path is based on multiple factors, including but not limited to latency, security, and cost. Choosing an appropriate transmission path helps optimize key relay efficiency. For example, for applications requiring low latency, a direct path with fewer nodes can be selected.

[0147] Key management layer slicing can be understood as dividing the key management layer into different layers for key relay transmission tasks. Different layers may provide different qualities of service; for example, some layers focus on fast response, while others provide best-effort key relay transmission. By selecting the most appropriate key management layer slice, the best quality of service can be provided according to the specific needs of the application.

[0148] In this embodiment, by setting key service strategies from different dimensions such as transmission priority, key relay transmission path, and key management layer slicing, resource utilization is improved while ensuring security, thereby improving the efficiency of key services.

[0149] Based on the QKD network state information and the cryptographic application requirements information corresponding to each key service identifier, the key service strategy corresponding to each key service identifier is determined. The key service strategy includes at least one of the following: key transmission priority, key relay transmission path, and key management layer slicing.

[0150] The QKD network controller dynamically formulates or adjusts the key service policy for each key service identifier based on the collected QKD network status information and the cryptographic application requirements information corresponding to each key service identifier.

[0151] In one possible implementation, different priorities are assigned to different applications based on their importance, real-time requirements, and other quality needs. For example, online payment applications could be prioritized as high, while email applications could be prioritized as medium.

[0152] In one possible implementation, the optimal transmission path is selected for each application based on network conditions such as link quality and load. For example, if the QBER of a link is too high, that link should be avoided; for latency-sensitive applications, a low-latency path is selected.

[0153] In one possible implementation, the key stream is distributed to different cryptographic layer slices based on the application's quality of service (QoS) and security requirements. For example, high-security applications are assigned to a dedicated real-time encryption layer, while applications with lower security requirements can use a batch processing layer.

[0154] In one possible implementation, the key service policy corresponding to the aforementioned key service identifier can be a specific execution operation of the key service. For example, the key service policy corresponding to key service identifier 1 includes: high key transmission priority, key relay transmission path: node 1-node 2-application, and the management layer slice is a real-time encryption layer.

[0155] In this embodiment, the key service strategy is dynamically determined based on the QKD network status information and the cryptographic application requirement information corresponding to each key service identifier. This enables flexible response to changes in the network environment and ensures that each application can obtain the key service strategy most suitable for its own needs, thereby improving the efficiency of key services.
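The controller-side decision described in [0128]-[0129] and [0150]-[0154], together with the parsing and validation of a JSON status report from [0142], as one added example that is not part of the patent. The controller parses a constructed network status report, discards links that are unavailable or whose QBER exceeds a limit, assigns a priority from the application's quantified requirements, chooses a latency-optimal or cost-optimal relay path with Dijkstra's algorithm, picks a management layer slice, and degrades non-high-priority services when the network reports a busy state. The JSON layout, the 11% QBER limit, the priority rules, the slice names and the exact degraded policy are all assumptions; the status report and the second correspondence are constructed.

```python
# Added example (not the patent's own code): the QKD network controller
# parsing a network status report ([0142]) and deriving, for each key
# service identifier, a policy of priority, relay path and management layer
# slice ([0128]-[0129], [0150]-[0154]). JSON layout, QBER limit, priority
# rules and the degraded policy are assumptions; the status is constructed.
import heapq
import json
from typing import Dict, List, Optional

QBER_LIMIT = 0.11  # assumed: links whose QBER exceeds this are avoided ([0152])
LINK_FIELDS = ("id", "src", "dst", "available", "latency_ms", "qber", "load", "cost")

# Constructed status report, as the management system might return it.
NETWORK_STATUS_JSON = """
{
  "state": "idle",
  "links": [
    {"id": "L1", "src": "node1", "dst": "node2", "available": true, "latency_ms": 3, "qber": 0.02, "load": 0.2, "cost": 5},
    {"id": "L2", "src": "node1", "dst": "node3", "available": true, "latency_ms": 1, "qber": 0.12, "load": 0.1, "cost": 1},
    {"id": "L3", "src": "node3", "dst": "node2", "available": true, "latency_ms": 1, "qber": 0.01, "load": 0.1, "cost": 1},
    {"id": "L4", "src": "node1", "dst": "node4", "available": true, "latency_ms": 1, "qber": 0.03, "load": 0.4, "cost": 4},
    {"id": "L5", "src": "node4", "dst": "node2", "available": true, "latency_ms": 1, "qber": 0.03, "load": 0.4, "cost": 4}
  ]
}
"""


def parse_network_status(raw: str) -> dict:
    """Parse and sanity-check the JSON status before it drives any decision."""
    status = json.loads(raw)
    if status.get("state") not in ("idle", "busy"):
        raise ValueError("network state must be 'idle' or 'busy'")
    for link in status.get("links", []):
        missing = [f for f in LINK_FIELDS if f not in link]
        if missing:
            raise ValueError(f"link {link.get('id')} is missing {missing}")
        if not 0.0 <= link["qber"] <= 0.5:
            raise ValueError(f"link {link['id']} reports an implausible QBER")
    return status


def select_path(status: dict, src: str, dst: str, metric: str) -> Optional[List[str]]:
    """Dijkstra over usable links, minimising the given metric ('latency_ms' or 'cost')."""
    adjacency: Dict[str, list] = {}
    for link in status["links"]:
        if not link["available"] or link["qber"] > QBER_LIMIT:
            continue  # unusable link: down, or too noisy to yield secure key ([0152])
        adjacency.setdefault(link["src"], []).append((link["dst"], link[metric]))
        adjacency.setdefault(link["dst"], []).append((link["src"], link[metric]))
    best = {src: 0}
    previous: Dict[str, str] = {}
    frontier = [(0, src)]
    while frontier:
        dist, node = heapq.heappop(frontier)
        if node == dst:
            break
        if dist > best.get(node, float("inf")):
            continue
        for nxt, weight in adjacency.get(node, []):
            if dist + weight < best.get(nxt, float("inf")):
                best[nxt] = dist + weight
                previous[nxt] = node
                heapq.heappush(frontier, (dist + weight, nxt))
    if dst not in best:
        return None  # no path made only of acceptable links
    path = [dst]
    while path[-1] != src:
        path.append(previous[path[-1]])
    return path[::-1]


def key_service_policy(status: dict, requirement: dict) -> dict:
    """Derive one policy from the network status and the application's requirements."""
    req = requirement["requirements"]
    latency_sensitive = req.get("DELAY") == "LOW"
    high_security = req.get("SECURITY_LEVEL") in ("HIGH", "VERY_HIGH")
    if latency_sensitive and high_security:
        priority = "high"
    elif latency_sensitive or high_security:
        priority = "medium"
    else:
        priority = "low"
    # Degraded service under a busy network ([0129]): everything below high
    # priority moves to the cost-effective path and the batch slice.
    degraded = status["state"] == "busy" and priority != "high"
    if degraded:
        metric, slice_name = "cost", "batch"
    else:
        metric = "latency_ms" if latency_sensitive else "cost"
        slice_name = "realtime" if high_security else "batch"
    path = select_path(status, requirement["src"], requirement["dst"], metric)
    return {"priority": priority, "path": path, "slice": slice_name, "degraded": degraded}


def build_first_correspondence(status: dict, second_correspondence: Dict[str, dict]) -> Dict[str, dict]:
    """Map every key service identifier to its policy: the first correspondence (S608/S610)."""
    return {ksid: key_service_policy(status, info) for ksid, info in second_correspondence.items()}
```

In the constructed topology the cheap link L2 is excluded because its QBER is above the limit, so a latency-sensitive application is routed node1-node4-node2 while a cost-driven one takes the direct link L1; when the state flips to busy, only the high-priority service keeps its path and slice.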

[0156] S610. The first correspondence is sent to the key manager of each QKD node, so that the key manager of each QKD node can determine the key service policy of the application from the first correspondence and provide key service according to the key service policy of the application.

[0157] In this embodiment, the first correspondence includes the correspondence between the key service identifier, cryptographic application requirement information, and key service policy.

[0158] After determining the first correspondence, the QKD network controller distributes the updated first correspondence to the relevant edge nodes, access nodes, and relay nodes. Upon receiving it, these nodes perform key relay, encapsulation, and forwarding tasks according to the key service policy included in the updated first correspondence. For example, edge nodes may arrange the processing order of key requests according to a new priority queue, or perform key transmission according to a new transmission path.

[0159] This disclosure provides a quantum key management system. The quantum key management system mainly includes: a QKD network controller, key managers for each node in the QKD network (including edge nodes, access nodes, and relay nodes), and devices for deploying applications. Based on this quantum key management system, this disclosure provides an interactive method for quantum key management. For example, as shown in Figure 7, the quantum key management method includes the following steps.

[0160] S702, the QKD network controller obtains QKD network status information and key service identifier.

[0161] The QKD network controller obtains QKD network status information, including: obtaining QKD network status information issued by the QKD network management system.

[0162] The QKD network controller obtains key service identifiers, including: obtaining key service identifiers issued by the QKD network management system. Each key service identifier corresponds to different cryptographic application requirements, including application identifier, device identifier for deploying the application, and key service requirements. Key service requirements include quality of service requirements related to the key service. These quality of service requirements include, but are not limited to: key response latency, key response latency jitter, throughput, key transmission loss rate, etc.

[0163] S704, the QKD network controller determines the first correspondence based on the QKD network status information, wherein the first correspondence includes the correspondence between the key service identifier and the key service policy.

[0164] The QKD network controller is responsible for dynamically adjusting the key service policy based on the QKD network status information obtained from the QKD network management system, and coordinating the key distribution among edge nodes, access nodes, and relay nodes.

[0165] The key service strategy corresponding to the key service identifier is determined based on the QKD network status information and key service requirements. For example, when the QKD network status information indicates an idle state, for high-priority voice call encryption, an idle or optimal path is determined for key relay, thereby providing end-to-end key service. For low-priority email encryption, a suboptimal path can be determined for key relay, thus providing end-to-end key service. If the obtained QKD network status information indicates a busy state, or if key requests or key relays are congested, a degraded key service strategy may be proposed based on the QKD network status information.

[0166] S706, the QKD network controller sends the first mapping relationship to the key manager of each QKD node.

[0167] Edge nodes acquire key application information sent by applications, including: receiving key requests sent by applications deployed in user devices, wherein the key requests carry key application information of the applications.

[0168] In one possible implementation, the application identifier is used as the key service identifier; or, the device identifier on which the application is deployed is used as the corresponding key service identifier; or, the application identifier and the device identifier on which the application is deployed are combined as the key service identifier.

[0169] S708. Each QKD node on the key relay path determines the key service identifier of the application.

[0170] S710. The key service policy of the application is determined in the first correspondence based on the application's key service identifier.

[0171] S712. Each node provides key services according to the application's key service policy.

[0172] Each node searches its local copy of the first mapping for a key service policy that matches the application's key service identifier. If a match is found, the corresponding key management operation is performed according to the key service policy recorded in that entry. If no match is found, the default policy can be used, or an error can be reported to the administrator for manual intervention.
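How a node's key manager acts on a looked-up policy, as an added example that is not part of the patent, covering both the priority queue, path and slice operations of [0104]-[0106] and the match / no-match handling of [0172]: the packet is placed in a priority queue, the next hop is read from the relay path (the patent writes paths as "node 1-node 2-application"), the management layer slice is reported, and an unknown identifier falls back to a default policy and records an alert for the administrator. The policy layout, the default policy, the class and its method names are assumptions; the policy table is constructed.

```python
# Added example (not the patent's own code): a node's key manager applying a
# key service policy to a key relay packet ([0104]-[0106]) with the default
# policy and alert on a missed lookup from [0172]. Policy layout, default
# policy and the alert mechanism are assumptions.
import heapq
from itertools import count
from typing import Dict, List, Optional, Tuple

PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}  # lower rank is served first
DEFAULT_POLICY = {"priority": "low", "path": None, "slice": "batch"}  # assumed fallback


class KeyManagerNode:
    def __init__(self, node_id: str, first_correspondence: Dict[str, dict]) -> None:
        self.node_id = node_id
        self.table = first_correspondence  # local copy of the first correspondence
        self._queue: List[Tuple[int, int, str, bytes]] = []
        self._seq = count()  # keeps FIFO order among packets of equal priority
        self.alerts: List[str] = []  # reports for manual intervention ([0172])

    def lookup_policy(self, key_service_id: str) -> dict:
        """Match the identifier in the local table, or fall back to the default policy."""
        policy = self.table.get(key_service_id)
        if policy is None:
            self.alerts.append(f"{self.node_id}: no policy for {key_service_id}, default applied")
            return DEFAULT_POLICY
        return policy

    def next_hop(self, policy: dict) -> Optional[str]:
        """Element after this node on the relay path; None if the path ends here or avoids it."""
        path = policy.get("path")
        if not path or self.node_id not in path:
            return None  # nothing to forward from this node
        position = path.index(self.node_id)
        return path[position + 1] if position + 1 < len(path) else None

    def schedule(self, key_service_id: str, packet: bytes) -> dict:
        """Apply the policy to one key relay packet: queue it and report the decision."""
        policy = self.lookup_policy(key_service_id)
        rank = PRIORITY_RANK[policy["priority"]]
        heapq.heappush(self._queue, (rank, next(self._seq), key_service_id, packet))
        return {"priority": policy["priority"],
                "next_hop": self.next_hop(policy),
                "slice": policy["slice"]}

    def next_to_forward(self) -> Optional[Tuple[str, bytes]]:
        """Pop the highest-priority packet; equal priorities leave in arrival order."""
        if not self._queue:
            return None
        _, _, key_service_id, packet = heapq.heappop(self._queue)
        return key_service_id, packet
```

The default policy deliberately carries the lowest priority and no path: an identifier the controller never issued should not be able to claim fast-path resources, and the recorded alert gives the operator the signal that a policy distribution is missing or an application is sending an identifier the network does not know.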

[0173] This disclosure provides a quantum key management system, comprising: a key manager for each QKD node (including edge nodes, access nodes, and relay nodes) in a QKD network and a QKD network controller; wherein the QKD network controller is configured to acquire QKD network status information and key service identifiers; determine a first correspondence based on the QKD network status information, wherein the first correspondence includes a correspondence between key service identifiers and key service policies; and send the first correspondence to the key managers of each node; the key managers of the edge nodes are configured to acquire key application information sent by an application; determine the key service identifier of the application based on the key application information, and encapsulate the identifier into the header of a key relay packet; and the key managers of each node determine the key service policy of the application based on the key service identifier of the application in the first correspondence, and provide key services according to the key service policy of the application.

[0174] Based on the above embodiments, this disclosure optimizes the quantum key management system. The optimized quantum key management system mainly includes: a QKD network controller, the key managers of each node, and a QKD network management system. Based on this quantum key management system, this disclosure provides an interaction method for quantum key management. For example, as shown in Figure 8, the quantum key management method according to an embodiment of this disclosure includes the following steps.

[0175] S802, the QKD network management system sends QKD network status information and key service identifier to the QKD network controller.

[0176] The QKD network management system is a centralized management platform used to monitor and manage the operation of the entire QKD network, providing comprehensive monitoring of QKD devices, network status, and the overall network topology.

[0177] In one possible implementation, the user network management system collects cryptographic application requirement information and sends it to the QKD network management system. The user network management system collects this requirement information to provide a data foundation for subsequent processes.

[0178] Based on the acquired cryptographic application requirement information, the QKD network management system determines the key service identifier, establishes a second correspondence between the key service identifier and the cryptographic application requirement information, and sends the second correspondence to the QKD network controller.

[0179] The QKD network management system periodically sends QKD network status information to the QKD network controller.

[0180] By sending network status information periodically or in real time, the QKD network management system lets the QKD network controller learn the operating status of the devices and links in the network in a timely manner and flexibly adjust key distribution and management according to specific business needs.

[0181] S804, the QKD network controller determines the first correspondence based on the QKD network status information, wherein the first correspondence includes the correspondence between the key service identifier and the key service policy.

[0182] S806, the QKD network controller sends the first correspondence to the key manager of each QKD node (including edge nodes, access nodes, and relay nodes).

[0183] S808, the edge node obtains the key application information sent by the application.

[0184] S810: The edge node determines the key service identifier of the application based on the key application information and encapsulates the identifier into the packet header of the key relay packet.

[0185] S812, The edge node sends the key relay packet to the relay node or access node. The relay node or access node receives the key relay packet sent by the edge node.

[0186] S814. The relay node or access node reads the key service identifier encapsulated in the header of the key relay packet, and determines the key service policy of the application based on the key service identifier of the application in the first correspondence.

[0187] S816. Process the key relay packet according to the key service policy, provide key relay service, and generate the end-to-end key for the application.

[0188] S818. Send the end-to-end key to the application.
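The node-side part of the Figure 8 flow (S810 to S818), together with the identifier forms of [0168] and the default-policy fallback of [0172], as an added example that is not the patent's own code. The header layout, the one-time-pad relay through trusted nodes (each node XORs off the segment key shared with the previous hop and XORs on the one shared with the next), the priority convention and the demo topology are all assumptions; the patent only states that the identifier travels in the key relay packet header and that the path comes from the policy.

```python
"""Added example, not the patent's own code: a model of the node-side steps of
Figure 8 (S810-S818) and the default-policy fallback of [0172]. The header
format, the XOR trusted-node relay and the priority convention are assumptions."""
import secrets
import struct
from dataclasses import dataclass

MAGIC = b"KRP1"  # assumed header marker; the patent fixes no wire format


@dataclass(frozen=True)
class KeyServicePolicy:
    """Key service policy ([0221]): priority, relay path, key-management-layer slice."""
    priority: int            # assumption: smaller value is relayed first
    path: tuple              # ordered node ids, sending edge node first
    slice_id: str

# Applied when the identifier is missing from the first correspondence ([0172]);
# the empty path makes the fallback fail closed instead of guessing a route.
DEFAULT_POLICY = KeyServicePolicy(priority=7, path=(), slice_id="default")

def key_service_identifier(app_id="", device_id=""):
    """The three identifier forms of [0168]: application id, device id, or both."""
    if not (app_id or device_id):
        raise ValueError("key application information carries no identifier")
    return "@".join(part for part in (app_id, device_id) if part)

def encapsulate(ksid, payload):
    """Edge node (S810): carry the identifier in the key relay packet header."""
    ident = ksid.encode()
    return MAGIC + struct.pack("!H", len(ident)) + ident + payload

def read_header(packet):
    """Relay or access node (S814): read the identifier back out of the header."""
    if len(packet) < 6 or packet[:4] != MAGIC:
        raise ValueError("not a key relay packet")
    (n,) = struct.unpack("!H", packet[4:6])
    if len(packet) < 6 + n:
        raise ValueError("truncated key relay packet header")
    return packet[6:6 + n].decode(), packet[6 + n:]

def xor(a, b):
    if len(a) != len(b):
        raise ValueError("segment key and payload lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))

class KeyManager:
    """One node's key manager; segment_keys maps each neighbour to the pairwise key
    shared with it (constructed here; the QKD module supplies them in reality)."""

    def __init__(self, node_id, first_correspondence, segment_keys):
        self.node_id = node_id
        self.first_correspondence = first_correspondence
        self.segment_keys = segment_keys
        self.alerts = []  # messages for the administrator ([0172])

    def lookup_policy(self, ksid):
        policy = self.first_correspondence.get(ksid)
        if policy is None:
            self.alerts.append(f"{self.node_id}: no policy for {ksid!r}, default applied")
            return DEFAULT_POLICY
        return policy

    def next_hop(self, policy):
        """Next node on the policy path, or None when this node is the far edge."""
        i = policy.path.index(self.node_id)  # ValueError if this node is off-path
        return None if i == len(policy.path) - 1 else policy.path[i + 1]

def run_key_relay(nodes, edge_id, ksid, e2e_key):
    """S812-S818: the edge node one-time-pads the end-to-end key with its segment
    key, every trusted node on the path swaps the incoming pad for the outgoing
    one, and the far edge node recovers the key. Returns None if no path applies."""
    node, prev = nodes[edge_id], edge_id
    policy = node.lookup_policy(ksid)
    if not policy.path:
        return None
    hop = node.next_hop(policy)
    packet = encapsulate(ksid, xor(e2e_key, node.segment_keys[hop]))
    while True:
        node = nodes[hop]
        ksid_in, body = read_header(packet)
        policy = node.lookup_policy(ksid_in)
        if not policy.path:
            return None
        plain = xor(body, node.segment_keys[prev])  # strip the incoming segment key
        nxt = node.next_hop(policy)
        if nxt is None:
            return plain  # far edge node: deliver the end-to-end key (S818)
        packet = encapsulate(ksid_in, xor(plain, node.segment_keys[nxt]))
        prev, hop = hop, nxt

def build_demo_network(path, first_correspondence):
    """Constructed topology: one fresh 32-byte segment key per adjacent node pair."""
    nodes = {n: KeyManager(n, dict(first_correspondence), {}) for n in path}
    for a, b in zip(path, path[1:]):
        nodes[a].segment_keys[b] = nodes[b].segment_keys[a] = secrets.token_bytes(32)
    return nodes
```

Two points the model makes visible. First, the fallback deliberately has no path, so an identifier that is unknown to any node on the route stops the relay and raises an alert rather than being forwarded under a guessed policy. Second, the identifier in the header is plaintext and, in this model, unauthenticated; since every downstream node selects path, priority and slice from it, a deployment must bind the header to the previous hop (the segment key shared with that hop is the natural basis) so that a neighbour cannot claim another application's policy.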

[0189] In one possible application scenario, a schematic diagram of a quantum key management scenario is provided, as shown in Figure 9. This quantum key management scenario includes: user equipment A910, user equipment B920, user network management system 930, QKD network management system 940, QKD network controller 950, edge node A960, edge node B970, access node A980, access node B990, relay node A9100, and relay node B9110. Edge node A960 includes a key manager 961 and a QKD module 962; edge node B970 includes a key manager 971 and a QKD module 972; access node A980 includes a key manager 981 and a QKD module 982; access node B990 includes a key manager 991 and a QKD module 992; relay node A9100 includes a key manager 9101 and a QKD module 9102; and relay node B9110 includes a key manager 9111 and a QKD module 9112.

[0190] The user equipment is the equipment used by end users; it runs cryptographic application 1 and cryptographic application 2. The cryptographic applications use QKD technology to perform security operations such as data encryption and decryption to ensure the security of user business data.

[0191] The QKD network controller is the control center of a QKD network, ensuring its secure, stable, efficient, and robust operation. The QKD network controller primarily includes functions such as session control, routing control, configuration control, policy control, and access control.

[0192] The QKD network management system is used to manage the QKD network, including collecting network status information and sending it to the QKD network controller.

[0193] Edge nodes are located at the edge of the QKD network, connecting user equipment and the QKD core network. They include: a key manager for managing local keys, and QKD modules for generating and distributing quantum keys, providing secure keys for user equipment.

[0194] Access nodes are used to connect edge nodes and other devices to the QKD core network. They also include a key manager and QKD modules; the key manager is responsible for key relay, and the QKD modules are responsible for segmented key distribution.

[0195] Relay nodes are used to extend the distance of quantum key distribution. They consist of a key manager and a QKD module. Similarly, the key manager is responsible for key relay, and the QKD module is responsible for segmented key distribution.

[0196] The key manager is responsible for the entire lifecycle management of keys, including storage, distribution, updating, and destruction, across all nodes, ensuring the security and compliance of key usage. The QKD module is used to generate and distribute secure keys based on quantum key distribution technology, utilizing the properties of quantum states (such as quantum entanglement and quantum superposition), and is a key component for realizing quantum secure communication.

[0197] Based on the application scenario of Figure 9, a quantum key service process is provided. As shown in Figure 10, the quantum key distribution process provided in this embodiment includes the following steps.

[0198] S1002, the user network management system collects cryptographic application requirement information and sends it to the QKD network management system.

[0199] The user network management system is responsible for collecting the requirement information of cryptographic applications, providing a data foundation for the subsequent steps.

[0200] S1004, the QKD network management system determines key service identifiers based on the collected cryptographic application requirement information and establishes a correspondence between the key service identifiers and the cryptographic application requirement information.

[0201] S1006, the QKD network management system sends the mapping relationship between key service identifiers and cryptographic application requirement information to the QKD network controller.

[0202] S1008, the QKD network controller sends a QKD network status information request to the QKD network management system.

[0203] S1010, the QKD network management system sends QKD network status information to the QKD network controller.

[0204] S1012, the QKD network controller determines the key service policy related to the key service identifier based on the QKD network status information.

[0205] S1014, the QKD network controller sends the mapping table of key service identifier, cryptographic application requirement information, and key service policy to the key manager.

[0206] It should be noted that S1008-S1014 can be executed periodically, and this embodiment does not specifically limit the period or the number of executions.

[0207] S1016, Cryptographic Application 1 sends a key request to the key manager.

[0208] S1018, the key manager reads the cryptographic application information and determines the corresponding key service identifier and key service policy.

[0209] S1020: The key manager generates end-to-end keys according to the key service policy.

[0210] S1022, The key manager provides the generated key to the cryptographic application 1.
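The controller-side half of the Figure 10 process (S1004 to S1014), as an added example that is not the patent's own code: the management system's second correspondence is built from requirement records, and the controller turns QKD network status information (the inputs listed in claim 1: link availability, current link load, available relay nodes, slice resources) into a key service policy per identifier. The requirement fields, the service-class-to-priority mapping, the load-weighted shortest path and the first-fit slice rule are assumptions; the patent names the inputs and the three policy elements but fixes no algorithm.

```python
"""Added example, not the patent's own code: controller-side derivation of the
first correspondence (S1004-S1014). The requirement fields, status schema, class
to priority mapping and load-weighted shortest path are assumptions; claim 1
names the inputs but the patent fixes no algorithm."""
import heapq
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    available: bool  # availability of the QKD link
    load: float      # current link load, 0.0 idle to 1.0 saturated

@dataclass
class NetworkStatus:
    """QKD network status information as enumerated in claim 1."""
    links: list
    available_relay_nodes: set
    slice_resources: dict  # slice id -> free key management layer capacity units

@dataclass(frozen=True)
class KeyServicePolicy:
    priority: int
    path: tuple
    slice_id: str

PRIORITY_BY_CLASS = {"critical": 0, "high": 2, "normal": 5}  # assumed service classes

def second_correspondence(requirements):
    """S1004: the management system keys each requirement record by app@device ([0168])."""
    return {f"{r['app_id']}@{r['device_id']}": r for r in requirements}

def relay_path(status, src, dst):
    """Key relay transmission path: Dijkstra over available links with cost 1 + load,
    so lightly loaded links win; intermediate hops must be available relay nodes."""
    adj = {}
    for link in status.links:
        if link.available:
            adj.setdefault(link.a, []).append((link.b, 1.0 + link.load))
            adj.setdefault(link.b, []).append((link.a, 1.0 + link.load))
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, inf):
            continue  # stale entry
        for v, w in adj.get(u, ()):
            if v != dst and v not in status.available_relay_nodes:
                continue
            if d + w < dist.get(v, inf):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return tuple(reversed(path))

def pick_slice(status, requested, units):
    """Key management layer slicing: the requested slice if it has capacity, else
    first fit among the others (assumed fallback rule)."""
    for s in [requested] + sorted(set(status.slice_resources) - {requested}):
        if status.slice_resources.get(s, 0) >= units:
            return s
    return None

def first_correspondence(status, second):
    """S1012-S1014: one policy per identifier, best service class served first;
    identifiers the network cannot serve are reported instead of given a policy."""
    table, rejected = {}, {}
    for ksid, req in sorted(second.items(), key=lambda kv: PRIORITY_BY_CLASS[kv[1]["svc_class"]]):
        path = relay_path(status, req["src_edge"], req["dst_edge"])
        if path is None:
            rejected[ksid] = "no available relay path"
            continue
        sl = pick_slice(status, req["slice"], req["slice_units"])
        if sl is None:
            rejected[ksid] = "insufficient slice resources"
            continue
        status.slice_resources[sl] -= req["slice_units"]  # reserve for this identifier
        table[ksid] = KeyServicePolicy(PRIORITY_BY_CLASS[req["svc_class"]], path, sl)
    return table, rejected

def demo():
    """Constructed status report and requirement records, not measured data."""
    status = NetworkStatus(
        links=[Link("edgeA", "relayA", True, 0.2), Link("relayA", "accessB", True, 0.1),
               Link("accessB", "edgeB", True, 0.3), Link("edgeA", "relayB", True, 0.0),
               Link("relayB", "edgeB", False, 0.0)],  # the cheaper two-hop route is down
        available_relay_nodes={"relayA", "accessB", "relayB"},
        slice_resources={"gold": 1, "silver": 5})
    reqs = [
        {"app_id": "vpn", "device_id": "ueA", "svc_class": "critical",
         "src_edge": "edgeA", "dst_edge": "edgeB", "slice": "gold", "slice_units": 1},
        {"app_id": "backup", "device_id": "ueA", "svc_class": "normal",
         "src_edge": "edgeA", "dst_edge": "edgeB", "slice": "gold", "slice_units": 1},
        {"app_id": "telemetry", "device_id": "ueC", "svc_class": "normal",
         "src_edge": "edgeC", "dst_edge": "edgeB", "slice": "silver", "slice_units": 1},
    ]
    return first_correspondence(status, second_correspondence(reqs))
```

Running `demo()` gives the critical VPN identifier the only path that is actually available (the unavailable relayB link removes the shorter route), reserves the single gold slice unit for it, pushes the lower-class backup identifier onto the silver slice, and rejects the identifier whose edge has no available link instead of emitting a policy the nodes could not honour. Because S1008 to S1014 repeat periodically, each run should start from a fresh status snapshot; the reservation in `first_correspondence` mutates the snapshot it is given.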

[0211] The key manager is deployed in edge nodes, access nodes, or relay nodes.

[0212] In this embodiment, service awareness capability is introduced into the QKD network. The method and workflow for sensing encrypted services and providing differentiated key services in the QKD network enable the QKD network to accurately sense the key service needs of various cryptographic applications or users and provide differentiated key services.

[0213] It should be noted that the acquisition, storage, use, and processing of data in this disclosed technical solution comply with the relevant provisions of national laws and regulations. The various types of data, such as personal identity data, operational data, and behavioral data related to individuals, customers, and groups, obtained in the embodiments of this disclosure have all been authorized.

[0214] Based on the same inventive concept, this disclosure also provides a quantum key management device, as described in the following embodiments. Since the principle by which this device solves the problem is similar to that of the method embodiments described above, the implementation of this device embodiment can refer to the implementation of the method embodiments described above, and repeated details will not be repeated.

[0215] Figure 11 illustrates a quantum key management device according to an embodiment of the present disclosure. As shown in Figure 11, the device is configured in a QKD node and includes: a key service identifier determination module 1110, a key service policy determination module 1120, and a key service provision module 1130.

[0216] The key service identifier determination module 1110 is used to determine the key service identifier of the application, wherein the key service identifier is determined by the key application information sent by the application; the key service policy determination module 1120 is used to determine the key service policy of the application based on the key service identifier of the application and a first correspondence relationship, wherein the first correspondence relationship includes the correspondence relationship between the key service identifier and the key service policy, and the first correspondence relationship is determined by the QKD network controller based on the QKD network status information and the key service identifier; the key service provision module 1130 is used to provide key services according to the key service policy of the application.

[0217] In some possible embodiments of this disclosure, when the QKD node is an edge node, the key service identifier determination module 1110 is specifically used to receive key application information sent by the application and generate a key service identifier based on the key application information.

[0218] In some possible embodiments of this disclosure, when the QKD node is a relay node or an access node, the key service identifier determination module 1110 is specifically used to receive the key relay packet sent by the edge node and read the key service identifier encapsulated in the header of the key relay packet.

[0219] In some possible embodiments of this disclosure, providing key services according to the application's key service policy includes: processing key relay packets according to the key service policy, providing key relay services, generating end-to-end keys for the application, and sending end-to-end keys to the application.

[0220] In some possible embodiments of this disclosure, the key service providing module 1130 is specifically used to generate a key relay packet for the application based on the application's key service identifier; process the key relay packet based on the key service policy to provide key relay service, generate an end-to-end key for the application; and send the end-to-end key to the application.

[0221] In some possible embodiments of this disclosure, the key service strategy includes at least one of the following: key transmission priority, key relay transmission path, and key management layer slicing.

[0222] In some possible embodiments of this disclosure, the first correspondence is periodically sent by the QKD network controller to the key manager of the QKD node, wherein the QKD node includes one of the following: edge node, access node, and relay node.

[0223] In some possible embodiments of this disclosure, it further includes: a request module, configured to send a key service policy issuance request to the QKD network controller, so that the QKD network controller sends a first correspondence to the key manager of the QKD node based on the key service policy issuance request; and to receive the first correspondence sent by the QKD network controller.

[0224] In some possible embodiments of this disclosure, key application information includes an application identifier and / or a device identifier on which the application is deployed.

[0225] Figure 12 illustrates a quantum key management device according to an embodiment of the present disclosure. As shown in Figure 12, the device is configured in the QKD network controller and includes: an acquisition module 1210, a first correspondence determination module 1220 and a first correspondence sending module 1230.

[0226] The acquisition module 1210 is used to acquire QKD network status information and key service identifier; the first correspondence determination module 1220 is used to determine the first correspondence based on the QKD network status information, wherein the first correspondence includes the correspondence between the key service identifier and the key service policy; the first correspondence sending module 1230 is used to send the first correspondence to the key manager of each QKD node, so that the key manager of each node can determine the key service policy of the application from the first correspondence and provide key service according to the key service policy of the application.

[0227] In some possible embodiments of this disclosure, the acquisition module 1210 is specifically used to acquire the second correspondence relationship sent by the QKD network management system, wherein the second correspondence relationship includes the correspondence relationship between key service identifiers and cryptographic application requirement information; the first correspondence relationship determination module 1220 is specifically used to determine the key service policy corresponding to each key service identifier based on the QKD network status information and the cryptographic application requirement information corresponding to each key service identifier.

[0228] In some possible embodiments of this disclosure, the acquisition module 1210 is specifically used to periodically send network status requests to the QKD network management system, wherein the network status request is used to instruct the QKD network management system to send QKD network status information to the QKD network controller; and to receive QKD network status information sent by the QKD network management system.

[0229] It should be noted that the examples and application scenarios implemented by the modules in the above device embodiments and the corresponding steps in the method embodiments are the same, but are not limited to the content disclosed in the above method embodiments. It should also be noted that the above modules, as part of the device, can be executed in a computer system such as a set of computer-executable instructions.

[0230] Those skilled in the art will understand that various aspects of this disclosure can be implemented in the following forms: a completely hardware implementation, a completely software implementation (including firmware, microcode, etc.), or a combination of hardware and software implementations, which can be collectively referred to herein as a "circuit", "module" or "system".

[0231] According to the same inventive concept, this disclosure also provides an electronic device, which includes: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to execute the quantum key management method described above by executing the executable instructions. Since the principle by which this electronic device solves the problem is similar to that of the above method embodiments, the implementation of this electronic device embodiment can refer to the implementation of the above method embodiments, and repeated details will not be described again.

[0232] An electronic device 1300 according to such an embodiment of the present disclosure is described below with reference to Figure 13. The electronic device 1300 shown in Figure 13 is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments disclosed herein.

[0233] As shown in Figure 13, the electronic device 1300 takes the form of a general-purpose computing device. The components of the electronic device 1300 may include, but are not limited to: the aforementioned processing unit 1310, the aforementioned storage unit 1320, and a bus 1330 connecting different system components (including the storage unit 1320 and the processing unit 1310).

[0234] The storage unit stores program code that can be executed by the processing unit 1310, causing the processing unit 1310 to perform the steps described in the "Exemplary Methods" section above according to various exemplary embodiments of this disclosure.

[0235] Storage unit 1320 may include readable media in the form of volatile storage units, such as random access memory (RAM) 13201 and / or cache memory 13202, and may further include read-only memory (ROM) 13203.

[0236] Storage unit 1320 may also include a program / utility 13204 having a set (at least one) of program modules 13205, such program modules 13205 including but not limited to: operating system, one or more application programs, other program modules and program data, each or some combination of these examples may include an implementation of a network environment.

[0237] Bus 1330 can represent one or more of several types of bus structures, including a storage unit bus or storage unit controller, a peripheral bus, a graphics acceleration port, a processing unit, or a local bus using any of a variety of bus architectures.

[0238] Electronic device 1300 can also communicate with one or more external devices 1340 (e.g., keyboard, pointing device, Bluetooth device, etc.), and with one or more devices that enable a user to interact with electronic device 1300, and / or with any device that enables electronic device 1300 to communicate with one or more other computing devices (e.g., router, modem, etc.). This communication can be performed via input / output (I / O) interface 1350. Furthermore, electronic device 1300 can also communicate with one or more networks (e.g., local area network (LAN), wide area network (WAN), and / or public networks, such as the Internet) via network adapter 1360. As shown, network adapter 1360 communicates with other modules of electronic device 1300 via bus 1330. It should be understood that, although not shown in the figures, other hardware and / or software modules can be used in conjunction with electronic device 1300, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.

[0239] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, terminal device, or network device, etc.) to execute the methods according to the embodiments of this disclosure.

[0240] Based on the same inventive concept, this disclosure also provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements any of the above-described quantum key management methods. Since the principle by which this computer-readable storage medium embodiment solves the problem is similar to that of the above-described method embodiments, the implementation of this computer-readable storage medium embodiment can refer to the implementation of the above-described method embodiments, and repeated details will not be elaborated further.

[0241] More specific examples of computer-readable storage media in this disclosure may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.

[0242] In this disclosure, a computer-readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such propagated data signals may take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A readable signal medium may also be any readable medium other than a readable storage medium, capable of sending, propagating, or transporting a program for use by or in connection with an instruction execution system, apparatus, or device.

[0243] Optionally, the program code contained on the computer-readable storage medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fiber, RF, etc., or any suitable combination thereof.

[0244] In practical implementation, program code for performing the operations of this disclosure can be written in any combination of one or more programming languages, including object-oriented programming languages ​​such as Java and C++, and conventional procedural programming languages ​​such as C or similar languages. The program code can execute entirely on the user's computing device, partially on the user's device, as a standalone software package, partially on the user's computing device and partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).

[0245] Based on the same inventive concept, this disclosure also provides a computer program product, comprising: a computer program or instructions, wherein the computer program or instructions, when executed by a processor, implement the quantum key management method of any one of the above method embodiments. Since the principle by which this computer program product embodiment solves the problem is similar to that of the above method embodiments, the implementation of this computer program product embodiment can refer to the implementation of the above method embodiments, and repeated details will not be elaborated further.

[0246] It should be noted that although several modules or units for the device used to perform actions have been mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of this disclosure, the features and functions of two or more modules or units described above can be embodied in one module or unit. Conversely, the features and functions of one module or unit described above can be further divided and embodied by multiple modules or units.

[0247] Furthermore, although the steps of the method in this disclosure are described in a specific order in the accompanying drawings, this does not require or imply that the steps must be performed in that specific order, or that all the steps shown must be performed to achieve the desired result. Additional or alternative steps may be omitted, multiple steps may be combined into one step, and / or a step may be broken down into multiple steps.

[0248] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, mobile terminal, or network device, etc.) to execute the methods according to the embodiments of this disclosure.

[0249] Other embodiments of this disclosure will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of this disclosure that follow the general principles of this disclosure and include common knowledge or customary techniques in the art not disclosed herein. The specification and examples are to be considered exemplary only, and the true scope and spirit of this disclosure are indicated by the appended claims.

Claims

1. A quantum key management method, characterized in that the method is applied to the key manager of a QKD node in a quantum key distribution (QKD) network, the QKD node being an edge node, an access node or a relay node, and the method comprises:
determining the key service identifier of an application, wherein the key service identifier is determined from key application information sent by the application, and determining the key service identifier of the application comprises: the edge node receiving the key application information sent by the application, generating the key service identifier based on the key application information, and encapsulating the key service identifier into a key relay packet; or the access node or the relay node receiving a key relay packet sent by the edge node and reading the key service identifier encapsulated in the header of the key relay packet, wherein the transmission path of the key relay packet is determined by the key service policy;
determining the key service policy of the application based on the key service identifier of the application and a first correspondence, wherein the first correspondence comprises the correspondence between key service identifiers and key service policies, the first correspondence is determined by the QKD network controller based on QKD network status information and the key service identifier and is then distributed to each QKD node, the key service policy is determined by the QKD network controller based on the QKD network status information and the cryptographic application requirement information corresponding to the key service identifier, the key service policy comprises at least one of: key transmission priority, key relay transmission path, and key management layer slicing, the QKD network status information comprises at least one of: availability of each QKD link, current link load, available relay nodes, and key management layer slicing resources of each QKD network controller, and the QKD network status information and the cryptographic application requirement information corresponding to the key service identifier are sent by the QKD network management system; and
providing key services in accordance with the key service policy of the application.

2. The quantum key management method according to claim 1, characterized in that providing key services according to the key service policy of the application comprises: processing the key relay packet according to the key service policy to provide key relay service and generate the end-to-end key for the application; and sending the end-to-end key to the application.

3. The quantum key management method according to claim 1 or 2, characterized in that the first correspondence is periodically sent by the QKD network controller to the key manager of each QKD node.

4. The quantum key management method according to claim 1 or 2, characterized in that the method further comprises: sending a key service policy distribution request to the QKD network controller, so that the QKD network controller sends the first correspondence to the key manager of the QKD node based on the key service policy distribution request; and receiving the first correspondence sent by the QKD network controller.

5. The quantum key management method according to claim 1, characterized in that the key application information comprises the application identifier of the application and / or the device identifier on which the application is deployed.

6. A quantum key management method, characterized in that the method is applied to a quantum key distribution (QKD) network controller and comprises:
obtaining QKD network status information and key service identifiers;
determining a first correspondence based on the QKD network status information, wherein the first correspondence comprises the correspondence between key service identifiers and key service policies, the key service policy is determined based on the QKD network status information and the cryptographic application requirement information corresponding to the key service identifier, the key service policy comprises at least one of: key transmission priority, key relay transmission path, and key management layer slicing, the QKD network status information comprises at least one of: availability of each QKD link, current link load, available relay nodes, and key management layer slicing resources of each QKD network controller, and the QKD network status information and the cryptographic application requirement information corresponding to the key service identifier are sent by the QKD network management system; and
sending the first correspondence to the key manager of each QKD node, so that the key manager of each QKD node determines the key service identifier of an application, determines the key service policy of the application based on the key service identifier of the application and the first correspondence, and provides key services according to the key service policy of the application, wherein the QKD node is an edge node, an access node or a relay node;
wherein determining the key service identifier of the application comprises: the edge node receiving key application information sent by the application, generating the key service identifier based on the key application information and encapsulating the key service identifier into a key relay packet; or the access node or the relay node receiving a key relay packet sent by the edge node and reading the key service identifier encapsulated in the header of the key relay packet, wherein the transmission path of the key relay packet is determined by the key service policy.

7. The quantum key management method according to claim 6, characterized in that acquiring the key service identifier includes: obtaining a second correspondence sent by the QKD network management system, wherein the second correspondence includes the correspondence between the key service identifier and the cryptographic application requirement information; and determining the first correspondence based on the QKD network status information includes: determining, based on the QKD network status information and the cryptographic application requirement information corresponding to each key service identifier, the key service policy corresponding to each key service identifier.

8. The quantum key management method according to claim 7, characterized in that acquiring the QKD network status information includes: periodically sending a network status request to the QKD network management system, wherein the network status request is used to instruct the QKD network management system to send the QKD network status information to the QKD network controller; and receiving the QKD network status information sent by the QKD network management system.

9. A quantum key management system, characterized in that the system includes a key manager for each QKD node in a quantum key distribution (QKD) network and a QKD network controller, wherein the QKD node includes an edge node, an access node or a relay node; the QKD network controller is configured to acquire QKD network status information and a key service identifier, determine a first correspondence based on the QKD network status information and the key service identifier, wherein the first correspondence includes the correspondence between the key service identifier and a key service policy, and send the first correspondence to the key manager of each QKD node; and the key manager of each QKD node is configured to determine the key service identifier of an application, determine the key service policy of the application based on the key service identifier of the application and the first correspondence, and provide key services according to the key service policy of the application. The key service policy is determined by the QKD network controller based on the QKD network status information and the cryptographic application requirement information corresponding to the key service identifier. The key service policy includes at least one of the following: key transmission priority, key relay transmission path, and cryptographic management layer slice. The network status information includes at least one of the following: availability of each QKD link, current link load, and available relay nodes. The QKD network status information and the cryptographic application requirement information corresponding to the key service identifier are sent by a QKD network management system.
Determining the key service identifier of the application includes: the edge node receiving key application information sent by the application, generating a key service identifier based on the key application information, and encapsulating the key service identifier into a key relay packet; or the access node or the relay node receiving a key relay packet sent by the edge node and reading the key service identifier encapsulated in the header of the key relay packet, wherein the transmission path of the key relay packet is determined by the key service policy.

10. The quantum key management system according to claim 9, characterized in that the system further includes a QKD network management system, wherein the QKD network management system is configured to send the QKD network status information and the key service identifier to the QKD network controller.

11. A quantum key management device, characterized in that the device is configured in the key manager of a QKD node in a quantum key distribution (QKD) network, the QKD node includes an edge node, an access node or a relay node, and the device includes: a key service identifier determination module, configured to determine the key service identifier of an application, wherein the key service identifier is determined by key application information sent by the application, and determining the key service identifier includes: the edge node receiving the key application information sent by the application, generating a key service identifier based on the key application information, and encapsulating the key service identifier into a key relay packet; or the access node or the relay node receiving a key relay packet sent by the edge node and reading the key service identifier encapsulated in the header of the key relay packet, wherein the transmission path of the key relay packet is determined by a key service policy; a key service policy determination module, configured to determine the key service policy of the application based on the key service identifier of the application and a first correspondence, wherein the first correspondence includes the correspondence between the key service identifier and the key service policy, the first correspondence is determined by a QKD network controller based on QKD network status information and the key service identifier and then distributed to each QKD node, the key service policy is determined by the QKD network controller based on the QKD network status information and the cryptographic application requirement information corresponding to the key service identifier, and the key service policy includes at least one of the following: key transmission priority, key relay transmission path, and cryptographic management layer slice;
wherein the network status information includes at least one of the following: availability of each QKD link, current link load, available relay nodes, and cryptographic management layer slice resources of each QKD network controller, and the QKD network status information and the cryptographic application requirement information corresponding to the key service identifier are sent by a QKD network management system; and a key service providing module, configured to provide key services in accordance with the key service policy of the application.

12. A quantum key management device, characterized in that the device is configured in a quantum key distribution (QKD) network controller and includes: an acquisition module, configured to acquire QKD network status information and a key service identifier; a first correspondence determination module, configured to determine a first correspondence based on the QKD network status information, wherein the first correspondence includes the correspondence between the key service identifier and a key service policy, the key service policy is determined based on the QKD network status information and the cryptographic application requirement information corresponding to the key service identifier, the key service policy includes at least one of the following: key transmission priority, key relay transmission path, and cryptographic management layer slice, the network status information includes at least one of the following: availability of each QKD link, current link load, available relay nodes, and cryptographic management layer slice resources of each QKD network controller, and the QKD network status information and the cryptographic application requirement information corresponding to the key service identifier are sent by a QKD network management system; and a first correspondence sending module, configured to send the first correspondence to the key manager of each QKD node, so that the key manager of each QKD node determines the key service identifier of an application, determines the key service policy of the application based on the key service identifier of the application and the first correspondence, and provides key services according to the key service policy of the application, wherein the QKD node includes an edge node, an access node or a relay node.
Determining the key service identifier of the application includes: the edge node receiving key application information sent by the application, generating a key service identifier based on the key application information, and encapsulating the key service identifier into a key relay packet; or the access node or the relay node receiving a key relay packet sent by the edge node and reading the key service identifier encapsulated in the header of the key relay packet, wherein the transmission path of the key relay packet is determined by the key service policy.
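The controller/key-manager split recited in claims 6 to 12 (the controller derives a key service identifier to policy table from network status and per-identifier requirements; the edge node writes the identifier into the relay packet header; access and relay nodes read it back and apply the policy), as an added toy model that is not part of the patent. The link table, slice names, identifier values and the one-byte header layout are constructed assumptions; the patent fixes none of them.

```python
# Added example (not from the patent): toy model of the first-correspondence
# construction and of key relay packet handling. All data below is constructed.
import heapq

# QKD network status as the network management system would report it:
# (src, dst) -> (link available, current load in [0, 1]); relay node set; free slice capacity.
LINKS = {("A", "R1"): (True, 0.2), ("R1", "B"): (True, 0.6), ("A", "R2"): (True, 0.1),
         ("R2", "B"): (False, 0.0), ("R2", "R1"): (True, 0.3)}
RELAYS = {"R1", "R2"}
SLICES = {"slice-hi": 2, "slice-std": 5}

# Second correspondence (claim 7): key service identifier -> cryptographic application requirement.
REQUIREMENTS = {0x01: {"latency": "low", "src": "A", "dst": "B"},
                0x02: {"latency": "best-effort", "src": "A", "dst": "B"}}

def relay_path(src, dst):
    """Least-loaded path over *available* links, hopping only through relay nodes (Dijkstra on load)."""
    adj = {}
    for (u, v), (ok, load) in LINKS.items():
        if ok:  # an unavailable link is simply absent from the graph
            adj.setdefault(u, []).append((v, load)); adj.setdefault(v, []).append((u, load))
    best, heap = {src: 0.0}, [(0.0, src, [src])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return path
        for nxt, load in adj.get(node, []):
            if nxt != dst and nxt not in RELAYS:
                continue
            if nxt not in best or cost + load < best[nxt]:
                best[nxt] = cost + load; heapq.heappush(heap, (cost + load, nxt, path + [nxt]))
    return None  # no available relay path

def build_first_correspondence():
    """Controller side: key service identifier -> key service policy (priority, relay path, slice)."""
    table = {}
    for ksid, req in REQUIREMENTS.items():
        low = req["latency"] == "low"
        table[ksid] = {"priority": 0 if low else 1,
                       "relay_path": relay_path(req["src"], req["dst"]),
                       "slice": "slice-hi" if low and SLICES["slice-hi"] > 0 else "slice-std"}
    return table

def edge_encapsulate(ksid, key_material):
    """Edge node: header = 1-byte key service identifier + 2-byte length, then the relayed key bytes."""
    return bytes([ksid]) + len(key_material).to_bytes(2, "big") + key_material

def relay_lookup(packet, table):
    """Access/relay node: read the identifier from the header and fetch its policy from the table."""
    ksid, n = packet[0], int.from_bytes(packet[1:3], "big")
    return ksid, table[ksid], packet[3:3 + n]
```

Note that the unavailable link R2 to B forces both identifiers onto A, R1, B; the policies differ only in priority and slice, which is exactly where the controller applies the per-identifier requirement information.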

13. An electronic device, characterized in that it includes: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to execute the quantum key management method of any one of claims 1 to 8 by executing the executable instructions.

14. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by a processor, it implements the quantum key management method according to any one of claims 1 to 8.

15. A computer program product comprising a computer program or instructions, characterized in that, when executed by a processor, the computer program or instructions implement the quantum key management method according to any one of claims 1 to 8.