A dual stack authentication quantum key coordination processing method and device

By performing dual-stack authentication in the communication system and generating a collaborative key, the problem of fragmentation between different cryptographic algorithm systems is solved, and collaborative processing of identity authentication and key generation is realized, thereby improving the security and compatibility of the communication system.

CN122053067B | Active | Publication Date: 2026-06-23 | SICHUAN LIANGSHANSHUILUOHE ELECTRICITY DEV CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: SICHUAN LIANGSHANSHUILUOHE ELECTRICITY DEV CO LTD
Filing Date: 2026-04-17
Publication Date: 2026-06-23


Abstract

Embodiments of the present application provide a dual-stack authentication quantum key coordination processing method and device, belonging to the field of information security technology. The method comprises: obtaining certificate information of a communication device under different cryptographic algorithm systems, and performing the corresponding authentication processing on each piece of certificate information to obtain a dual-stack authentication result; when the dual-stack authentication result meets a preset authentication condition, obtaining a quantum key and a negotiation key generated by key negotiation; performing coordination processing based on the quantum key and the negotiation key to generate a coordination key for a communication session; and generating a communication session key based on the coordination key, and performing encrypted transmission processing of communication data based on the communication session key. By performing dual-stack authentication and fusing the quantum key and the negotiation key to generate the communication session key, the present application improves the reliability of communication authentication and the resistance to quantum attacks.

Description

Technical Field

[0001] This invention relates to the field of information security technology, and specifically to a dual-stack authentication quantum key collaborative processing method and device.

Background Technology

[0002] In the current communication network environment, with the continuous improvement of information security requirements, various cryptographic authentication and data encryption mechanisms are widely used. For example, in traditional network communication systems, public-key cryptography algorithms such as RSA (Rivest-Shamir-Adleman algorithm), ECC (Elliptic curve cryptography), or SM2, combined with digital certificates, are typically used to complete device authentication. After authentication, a session key is generated through key negotiation for subsequent encrypted transmission of communication data. This type of mechanism has formed a relatively mature technical system in existing Internet and dedicated communication networks. However, with the development of quantum computing technology, existing public-key cryptography algorithms based on large integer factorization or elliptic curve discrete logarithm problems theoretically face the risk of being cracked by quantum computing. Therefore, the industry has begun to gradually explore the application of post-quantum cryptography algorithms and quantum key distribution technology in communication security systems.

[0003] In some novel secure communication systems, there is a desire to enhance resistance to quantum attacks through post-quantum cryptography algorithms, while simultaneously leveraging quantum key distribution systems to generate highly secure random keys to improve the security level of key materials. However, in practical engineering deployments, existing systems often still rely on traditional certificate authentication systems, while post-quantum cryptography algorithms and quantum key mechanisms typically exist as independent modules, lacking effective coordination with existing authentication processes. For example, some systems only introduce quantum keys during the communication encryption phase, while the authentication process still relies entirely on traditional public-key cryptography algorithms, or authentication processes are performed separately across different cryptographic algorithm systems, lacking a unified coordination strategy. This results in a disconnect between the authentication process and the key generation process, making it difficult to fully leverage the combined security advantages of different cryptographic mechanisms.

[0004] Therefore, in practical communication systems, how to enable traditional public-key cryptography algorithms, post-quantum cryptography algorithms, and quantum key resources to work collaboratively in the same authentication and key generation process, while ensuring the compatibility of device authentication and fully utilizing the security features of quantum keys and negotiated keys during the key generation stage, has become a pressing technical problem in current engineering implementations. To address this, it is necessary to propose a novel dual-stack authentication quantum key collaborative processing method to achieve the collaborative application of multiple cryptographic mechanisms in the authentication and key generation processes.

Summary of the Invention

[0005] The purpose of this invention is to provide a dual-stack authentication quantum key collaborative processing method to at least solve the problems of lack of collaborative authentication mechanism between different cryptographic algorithm systems in existing communication systems, and the disconnect between the authentication process and the key generation process.

[0006] To achieve the above objectives, the first aspect of the present invention provides a quantum key collaborative processing method for dual-stack authentication. The method includes: acquiring certificate information of a communication device under different cryptographic algorithm systems, and performing corresponding authentication processing on each certificate information to obtain a dual-stack authentication result; when the dual-stack authentication result meets preset authentication conditions, acquiring a quantum key and a negotiation key generated through key negotiation; performing collaborative processing based on the quantum key and the negotiation key to generate a collaborative key for a communication session; generating a communication session key based on the collaborative key, and performing encrypted transmission processing of communication data based on the communication session key.

[0007] Preferably, the different cryptographic algorithm systems include classical public-key cryptographic algorithms and post-quantum cryptographic algorithms; among them, classical public-key cryptographic algorithms include any one or more of the following: RSA algorithm, elliptic curve cryptography algorithm ECC, and SM2 algorithm.

[0008] Preferably, the rules for performing authentication processing on certificate information corresponding to the classic public-key cryptography algorithm system are as follows: obtain the digital certificate of the communication device under the corresponding classic public-key cryptography algorithm system, and extract the public key information from the digital certificate; perform digital signature verification processing on the authentication data submitted by the communication device based on the public key information in the digital certificate; if the digital signature verification is successful, confirm that the authentication processing result corresponding to the classic public-key cryptography algorithm system is successful, otherwise determine that the authentication has failed.

[0009] Preferably, the rules for performing authentication processing on certificate information corresponding to the post-quantum cryptography algorithm system are as follows: obtain the digital certificate of the communication device under the post-quantum cryptography algorithm system, and extract the post-quantum public key information from the digital certificate; obtain the quantum key and generate an authentication challenge value based on the quantum key; send the authentication challenge value to the communication device, so that the communication device performs a signature operation on the authentication challenge value based on its post-quantum private key and returns authentication signature data; perform post-quantum signature verification processing on the authentication signature data based on the post-quantum public key information, and confirm that the authentication processing result corresponding to the post-quantum cryptography algorithm system is successful when the verification is successful, otherwise determine that the authentication has failed.

[0010] Preferably, when the dual-stack authentication result meets the preset authentication conditions, obtaining the quantum key and the negotiation key generated through key negotiation includes: determining that the dual-stack authentication result meets the preset authentication conditions when both the authentication status identifier of the classical public-key cryptography algorithm system and the authentication status identifier of the post-quantum cryptography algorithm system are authenticated as passed; responding to the trigger signal that the dual-stack authentication result meets the preset authentication conditions, generating a session identifier corresponding to the current authentication session based on the dual-stack authentication result; extracting a quantum key fragment matching the session identifier from the quantum key cache pool according to the session identifier as the quantum key; and performing key negotiation processing based on the public key information in the digital certificate of the communication device to generate a negotiation key.

[0011] Preferably, the collaborative processing based on the quantum key and the negotiated key to generate a collaborative key for the communication session includes: acquiring the quantum key and the negotiated key, and generating session binding parameters based on the session identifier; performing key quality evaluation processing on the quantum key and the negotiated key respectively to obtain quantum key quality parameters and negotiated key quality parameters; determining a key fusion strategy based on the quantum key quality parameters and the negotiated key quality parameters, and performing key derivation processing on the quantum key, the negotiated key, and the session binding parameters based on the key fusion strategy to generate a collaborative key for the communication session.

[0012] Preferably, key quality evaluation processing is performed on the quantum key and the negotiated key respectively to obtain quantum key quality parameters and negotiated key quality parameters, including: performing randomness detection processing on the quantum key and the negotiated key respectively to obtain corresponding randomness indices; performing entropy estimation processing on the quantum key and the negotiated key respectively to obtain corresponding entropy indices; and generating quantum key quality parameters and negotiated key quality parameters based on the randomness indices and the entropy indices respectively.

[0013] Preferably, determining the key fusion strategy based on the quantum key quality parameter and the negotiated key quality parameter includes: comparing the quantum key quality parameter with a preset quantum key quality threshold to determine a quantum key availability status identifier; comparing the negotiated key quality parameter with a preset negotiated key quality threshold to determine a negotiated key availability status identifier; and determining a key fusion mode based on the quantum key availability status identifier and the negotiated key availability status identifier; wherein the key fusion mode includes: a quantum key-dominated fusion mode, a negotiated key-dominated fusion mode, and a dual-key collaborative fusion mode.

[0014] Preferably, generating a communication session key based on the collaborative key and performing encrypted transmission processing of communication data based on the communication session key includes: performing key derivation processing based on the collaborative key and the session identifier to generate the communication session key; establishing a binding relationship between the communication session key and the current communication session, and performing encryption processing on the communication data based on the communication session key; and performing destruction processing on the communication session key when the communication session ends.
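The quality evaluation, fusion-mode selection and key derivation of [0011] to [0014] can be sketched as follows; this is an added example, not code from the patent. Assumptions made here and not stated on the page: HKDF-SHA-256 as the key derivation function, a monobit balance test as the randomness index, normalised byte entropy as the entropy index, thresholds of 0.8, the behaviour attached to each fusion mode (the dominant key is the input keying material and the other key is still mixed in as salt), failing closed when both keys are below threshold, and all function and constant names.

```python
import hashlib
import hmac
import math
from collections import Counter
from contextlib import contextmanager

H = hashlib.sha256
MIN_KEY_BYTES = 16  # assumed floor: shorter inputs score 0


class KeyQualityError(Exception):
    """Raised when neither input key reaches its quality threshold."""


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF with SHA-256 (RFC 5869): extract, then expand."""
    prk = hmac.new(salt or bytes(H().digest_size), ikm, H).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), H).digest()
        okm += block
        counter += 1
    return okm[:length]


def quality(key: bytes) -> float:
    """Quality parameter in [0, 1]: the lower of the randomness and entropy indices."""
    if len(key) < MIN_KEY_BYTES:
        return 0.0
    ones = sum(bin(b).count("1") for b in key)
    randomness = 1.0 - 2.0 * abs(ones / (8 * len(key)) - 0.5)  # monobit balance
    n = len(key)
    shannon = -sum(c / n * math.log2(c / n) for c in Counter(key).values())
    entropy = shannon / math.log2(min(256, n))  # 1.0 when every byte is distinct
    return min(randomness, entropy)


def _lp(field: bytes) -> bytes:
    """Length-prefix a field so concatenated inputs cannot be split ambiguously."""
    return len(field).to_bytes(4, "big") + field


def fuse(quantum_key: bytes, negotiated_key: bytes, session_id: bytes,
         q_threshold: float = 0.8, n_threshold: float = 0.8):
    """Pick a fusion mode from the two availability flags, then derive the collaborative key."""
    q_ok = quality(quantum_key) >= q_threshold
    n_ok = quality(negotiated_key) >= n_threshold
    if q_ok and n_ok:
        mode, ikm, salt = "dual-key", _lp(quantum_key) + _lp(negotiated_key), b""
    elif q_ok:
        mode, ikm, salt = "quantum-dominated", quantum_key, H(negotiated_key).digest()
    elif n_ok:
        mode, ikm, salt = "negotiated-dominated", negotiated_key, H(quantum_key).digest()
    else:
        raise KeyQualityError("both keys below threshold; refusing to derive a key")
    binding = H(b"session-binding" + _lp(session_id)).digest()  # session binding parameter
    return mode, hkdf(ikm, salt, _lp(mode.encode()) + binding)


@contextmanager
def session_key(collab_key: bytes, session_id: bytes):
    """Derive the session key bound to session_id and wipe it when the session ends."""
    key = bytearray(hkdf(collab_key, b"", b"session-key" + _lp(session_id)))
    try:
        yield key
    finally:
        key[:] = bytes(len(key))  # best effort: the interpreter may hold other copies


# Constructed sample inputs, not real key material: 32 distinct bytes with
# exactly half of the bits set, and an all-zero "stuck source" key.
QKD_SAMPLE = bytes(v for i in range(16) for v in (i, i ^ 0xFF))
NEG_SAMPLE = bytes(v for i in range(16, 32) for v in (i, i ^ 0xFF))
STUCK_SAMPLE = bytes(32)

if __name__ == "__main__":
    sid = b"session-0001"  # constructed session identifier
    for q, n in ((QKD_SAMPLE, NEG_SAMPLE), (QKD_SAMPLE, STUCK_SAMPLE),
                 (STUCK_SAMPLE, NEG_SAMPLE)):
        mode, collab = fuse(q, n, sid)
        with session_key(collab, sid) as sk:
            print(mode, sk.hex()[:16])
```

The constructed sample keys are visibly patterned yet score 1.0, which shows the limit of this kind of check: it catches a stuck or biased source, it does not prove that a key is random.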

[0015] A second aspect of the present invention provides a dual-stack authentication quantum key collaborative processing device, the device comprising: a data acquisition module, configured to acquire certificate information of a communication device under different cryptographic algorithm systems, and perform corresponding authentication processing on each certificate information to obtain a dual-stack authentication result; a key extraction module, configured to acquire a quantum key and a negotiation key generated through key negotiation when the dual-stack authentication result meets preset authentication conditions; a key collaboration module, configured to perform collaborative processing based on the quantum key and the negotiation key to generate a collaboration key for a communication session; and a data encryption module, configured to generate a communication session key based on the collaboration key, and perform encrypted transmission processing of communication data based on the communication session key.

[0016] This invention introduces certificate authentication mechanisms from different cryptographic algorithm systems simultaneously during the authentication process of communication devices. After dual-stack authentication is successful, it combines quantum keys and negotiated keys for collaborative processing to generate a collaborative key, which is then used to derive a communication session key for encrypted transmission of communication data. This approach ensures compatibility with existing authentication systems while enabling the collaborative application of multiple cryptographic mechanisms, improving the reliability of identity authentication and the security of session keys during communication, and enhancing the overall security protection capabilities of the communication system.

Attached Figure Description

[0017] Figure 1 is a flowchart illustrating the dual-stack authentication quantum key collaborative processing method provided by the present invention;

[0018] Figure 2 is a schematic diagram of the structure of the dual-stack authentication quantum key collaborative processing device provided by the present invention.

Detailed Implementation

[0019] Figure 1 is a schematic diagram of a dual-stack authentication quantum key collaborative processing method according to an embodiment of the present invention. The method includes:

[0020] S1: Obtain the certificate information of the communication device under different cryptographic algorithm systems, and perform corresponding authentication processing on each certificate information to obtain the dual-stack authentication result.

[0021] S2: When the dual-stack authentication result meets the preset authentication conditions, obtain the quantum key and the negotiation key generated through key negotiation.

[0022] S3: Perform collaborative processing based on the quantum key and the negotiated key to generate a collaborative key for the communication session.

[0023] S4: Generate a communication session key based on the collaborative key, and perform encrypted transmission processing of communication data based on the communication session key.

[0024] This invention achieves dual-stack authentication by simultaneously acquiring certificate information from different cryptographic algorithm systems when a communication device accesses a communication system, and performing corresponding authentication processing on each certificate information to obtain a dual-stack authentication result. This allows for joint authentication of multiple cryptographic algorithm systems within the same authentication process. When the dual-stack authentication result meets preset authentication conditions, a quantum key and a negotiation key generated through key negotiation are further acquired. Based on the quantum key and the negotiation key, collaborative processing is performed to generate a collaborative key for the communication session. Furthermore, a communication session key is generated using the collaborative key, and encrypted transmission processing is performed on the communication data based on the communication session key. This ensures the reliability of the communication device's identity authentication while enabling the quantum key and the negotiation key to work synergistically during communication encryption, thereby improving key security and data transmission security during communication.

[0025] In step S1, the different cryptographic algorithm systems include classical public-key cryptography and post-quantum cryptography; among them, classical public-key cryptography includes any one or more of the following: RSA algorithm, elliptic curve cryptography (ECC) algorithm, and SM2 algorithm.

[0026] In this embodiment of the invention, when a communication device accesses a communication system, it can configure corresponding digital certificate information based on different cryptographic algorithm systems for subsequent identity authentication processing. To ensure compatibility with existing communication networks and resistance to quantum attacks, the different cryptographic algorithm systems mentioned in this solution can include classical public-key cryptography and post-quantum cryptography.

[0027] Classic public-key cryptography algorithms are typically the cryptographic systems widely deployed in current communication networks, such as RSA, Elliptic Curve Cryptography (ECC), and SM2. These algorithms have formed relatively mature engineering application systems in application scenarios such as certificate authentication, digital signatures, and key negotiation.

[0028] In actual deployment, communication devices can select any one or more algorithms to generate corresponding digital certificates based on system configuration, and use the public key information in the certificate to complete identity verification during the authentication phase. For example, in some existing network environments, servers or gateway devices still use RSA or ECC algorithms as the primary authentication method, while in domestic commercial cryptography application scenarios, the SM2 algorithm can also be used to build a certificate authentication system.

[0029] The aforementioned algorithms can be flexibly combined and used in this scheme according to the actual system deployment, and participate in the dual-stack authentication process as a classic public-key cryptography algorithm system. By simultaneously introducing classic public-key cryptography algorithms and post-quantum cryptography algorithms in the authentication phase, a higher level of security foundation can be provided for subsequent communication security mechanisms while maintaining the compatibility of the existing system.

[0030] Specifically, the rules for performing authentication processing on certificate information corresponding to the classic public-key cryptography algorithm system are as follows: obtain the digital certificate of the communication device under the corresponding classic public-key cryptography algorithm system, and extract the public key information from the digital certificate; perform digital signature verification processing on the authentication data submitted by the communication device based on the public key information in the digital certificate; if the digital signature verification is successful, confirm that the authentication processing result corresponding to the classic public-key cryptography algorithm system is successful; otherwise, determine that the authentication has failed.

[0031] In this embodiment of the invention, the certificate information corresponding to the classic public-key cryptography algorithm can be authenticated according to the existing Public Key Infrastructure (PKI) authentication process. When a communication device accesses a communication network or establishes a communication session, it typically carries digital certificate information bound to its identity. This digital certificate can be pre-configured by the system or issued and distributed to the communication device by a certificate authority for storage. When the communication device initiates a connection request to the authentication node, the authentication node can obtain the communication device's digital certificate under the corresponding classic public-key cryptography algorithm and parse the public key information used for authentication and related certificate fields from the digital certificate. For example, in scenarios using the RSA algorithm or the Elliptic Curve Cryptography (ECC) algorithm, the digital certificate typically contains the device's public key, certificate identifier, and issuing authority information.

[0032] After obtaining the digital certificate, the communication device submits authentication data to the authentication node according to the current authentication process. This authentication data is typically a data structure generated by the communication device signing the authentication request content using its own private key. Upon receiving the authentication data, the authentication node performs digital signature verification processing based on the public key information extracted from the digital certificate to verify whether the authentication data was indeed generated by the corresponding communication device.

[0033] When the signature verification result is successful, it confirms that the private key held by the communication device matches the public key information in the digital certificate, thus determining the validity of the communication device's identity and marking the authentication processing result corresponding to the classic public-key cryptography algorithm as successful. When the signature verification result fails, it indicates that the authentication data does not match the certificate's public key, and the authentication processing result is determined to be authentication failure. Through the above processing method, device authentication under the classic public-key cryptography algorithm is completed in the dual-stack authentication process, providing a basis for the comprehensive judgment of subsequent authentication results.

[0034] Further rules stipulate that the authentication process for certificate information corresponding to the post-quantum cryptography algorithm system is as follows: Obtain the digital certificate of the communication device under the post-quantum cryptography algorithm system and extract the post-quantum public key information from the digital certificate; obtain the quantum key and generate an authentication challenge value based on the quantum key; send the authentication challenge value to the communication device, so that the communication device performs a signature operation on the authentication challenge value based on its post-quantum private key and returns authentication signature data; perform post-quantum signature verification processing on the authentication signature data based on the post-quantum public key information; if the verification passes, confirm that the authentication processing result corresponding to the post-quantum cryptography algorithm system is successful; otherwise, determine that the authentication has failed.

[0035] In this embodiment of the invention, the certificate information corresponding to the post-quantum cryptography algorithm also participates in the authentication process of the communication device, but the corresponding authentication processing method differs somewhat from that of the traditional public-key cryptography algorithm. When the communication device accesses the communication system, it pre-configures or obtains digital certificate information generated based on the post-quantum cryptography algorithm. This digital certificate contains the post-quantum public key corresponding to the communication device, certificate identification information, and so on. After receiving the access request from the communication device, the authentication node obtains the digital certificate of the communication device under the post-quantum cryptography algorithm and extracts the post-quantum public key information from the digital certificate for subsequent authentication data verification processing. The post-quantum cryptography algorithm is a signature algorithm built on lattice cryptography, multivariate cryptography, or hash-based structures. For example, Dilithium (a post-quantum digital signature algorithm based on lattice cryptography), Falcon (a post-quantum digital signature algorithm based on the NTRU lattice structure), or SPHINCS+ (a post-quantum digital signature algorithm based on hash functions) can each be used as the implementation.

[0036] In the specific authentication process, to enable the authentication process to coordinate with quantum key resources, this invention introduces a quantum key as a random source when generating the authentication challenge value. The authentication node obtains quantum key data from the quantum key generation module or the quantum key cache area and generates the authentication challenge value based on the quantum key. Since the quantum key originates from the quantum key distribution process, its randomness and unpredictability are high. Using it as the basis for challenge value generation enhances the randomness of the authentication interaction process, thereby reducing the risk of the authentication process being predicted or replayed. Subsequently, the authentication node sends the authentication challenge value to the communication device. Upon receiving the authentication challenge value, the communication device performs a signature operation on the challenge value using its stored post-quantum private key and generates corresponding authentication signature data, which is then returned to the authentication node.

[0037] After receiving the authentication signature data, the authentication node performs post-quantum signature verification processing based on the post-quantum public key information extracted from the digital certificate to verify whether the data returned by the communication device matches the sent authentication challenge value. When the signature verification passes, it confirms that the communication device possesses the post-quantum private key corresponding to the digital certificate, thus determining the authentication processing result corresponding to the post-quantum cryptographic algorithm system as successful; when the signature verification fails, authentication is deemed unsuccessful. By introducing quantum keys in the authentication challenge value generation stage and combining them with the post-quantum signature verification mechanism, the authentication process is associated with quantum key resources, thereby forming an authentication mode in the dual-stack authentication process where traditional authentication mechanisms and quantum security mechanisms work together.
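The post-quantum leg of the authentication in [0034] to [0037], as an added example rather than code from the patent: the authentication node seeds a challenge from cached quantum key bytes, the device signs it, and the node verifies the response exactly once. A Lamport one-time hash-based signature stands in for Dilithium, Falcon or SPHINCS+ so that the example runs on the standard library alone. The HMAC-based challenge derivation, the 32-byte fragment size, the single-use challenge table and all names are assumptions.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signature: a hash-based scheme standing in for the
# post-quantum algorithms the page names. One key pair signs ONE message.
def lamport_keygen(seed: bytes):
    """Derive 256 secret pairs from a secret seed; the public key is their hashes."""
    sk = [[H(seed + i.to_bytes(2, "big") + bytes([b])) for b in (0, 1)]
          for i in range(256)]
    pk = [[H(secret) for secret in pair] for pair in sk]
    return sk, pk


def _digest_bits(message: bytes):
    d = H(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, message: bytes):
    """Reveal one secret per bit of the message digest."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(pk, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(message)):
        ok &= hmac.compare_digest(H(signature[i]), pk[i][bit])
    return ok


class AuthNode:
    """Authentication node: issues quantum-key-seeded challenges, verifies responses."""

    FRAGMENT = 32  # bytes of cached quantum key consumed per challenge (assumed)

    def __init__(self, qkd_cache: bytes):
        self._cache = bytearray(qkd_cache)
        self._pending = {}  # device_id -> outstanding challenge

    def issue_challenge(self, device_id: bytes) -> bytes:
        if len(self._cache) < self.FRAGMENT:
            raise RuntimeError("quantum key cache exhausted")
        fragment = bytes(self._cache[: self.FRAGMENT])
        del self._cache[: self.FRAGMENT]  # consumed: not reused for a later challenge or key
        # The challenge crosses the network in the clear, so it is a one-way
        # function of the fragment rather than the raw quantum key bytes.
        challenge = hmac.new(fragment, b"pq-auth-challenge" + device_id,
                             hashlib.sha256).digest()
        self._pending[device_id] = challenge
        return challenge

    def verify_response(self, device_id: bytes, pq_public_key, signature) -> bool:
        challenge = self._pending.pop(device_id, None)  # single use, pass or fail
        if challenge is None:
            return False  # unsolicited or replayed response
        return lamport_verify(pq_public_key, challenge, signature)


# Constructed sample data, not real key material.
SAMPLE_QKD_CACHE = bytes(range(64))
SAMPLE_DEVICE_SEED = b"constructed seed for edge gateway gw-01"

if __name__ == "__main__":
    node = AuthNode(SAMPLE_QKD_CACHE)
    device_sk, device_pk = lamport_keygen(SAMPLE_DEVICE_SEED)
    challenge = node.issue_challenge(b"gw-01")
    response = lamport_sign(device_sk, challenge)
    print("first response accepted:", node.verify_response(b"gw-01", device_pk, response))
    print("replayed response accepted:", node.verify_response(b"gw-01", device_pk, response))
```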

[0038] In step S2, when the dual-stack authentication result meets the preset authentication conditions, the quantum key and the negotiation key generated through key negotiation are obtained, including: when both the authentication status identifier of the classical public-key cryptography algorithm system and the authentication status identifier of the post-quantum cryptography algorithm system are authenticated as passed, it is determined that the dual-stack authentication result meets the preset authentication conditions; in response to the trigger signal that the dual-stack authentication result meets the preset authentication conditions, a session identifier corresponding to the current authentication session is generated based on the dual-stack authentication result; a quantum key fragment matching the session identifier is extracted from the quantum key cache pool according to the session identifier as the quantum key; and key negotiation processing is performed based on the public key information in the digital certificate of the communication device to generate a negotiation key.

[0039] In this embodiment of the invention, after a communication device completes authentication processing under different cryptographic algorithm systems, it can obtain corresponding dual-stack authentication results. These dual-stack authentication results typically include the authentication status of both the classical public-key cryptography algorithm system and the post-quantum cryptography algorithm system. Before subsequent key processing, the authentication results are uniformly determined based on these authentication statuses. For example, when both the classical public-key cryptography algorithm system authentication status identifier and the post-quantum cryptography algorithm system authentication status identifier are confirmed to be in an authenticated state, it is determined that the current communication device simultaneously meets the authentication requirements of both cryptographic algorithm systems, thus considering the dual-stack authentication result to meet the preset authentication conditions. In actual engineering deployments, this determination method avoids relying solely on a single cryptographic system for authentication, thereby improving the overall security and reliability of the authentication mechanism while maintaining existing compatibility.

[0040] After confirming that the dual-stack authentication result meets the preset authentication conditions, a session identifier corresponding to the current authentication process is generated. This session identifier is generated by combining data such as the dual-stack authentication result, the communication device identifier, and the current session time information, and is used to identify the communication session instance corresponding to the current authentication. By introducing the session identifier, an association between the key and the specific communication session is established during subsequent key processing, enabling the generated key materials to be managed at the session level, thereby preventing key misuse between different communication sessions.

[0041] After obtaining the session identifier, a matching quantum key fragment is retrieved from the quantum key cache pool based on the session identifier. The quantum key cache pool is typically used to store quantum key data generated through quantum key distribution and transmitted locally. Since keys generated during quantum key distribution are usually cached and stored as contiguous data blocks, in practical applications, the corresponding key fragment is selected as the quantum key source for the current communication session based on the current session identifier. By employing a matching mechanism between session identifiers and quantum key fragments, ordered scheduling of quantum key resources is achieved internally, enabling quantum keys to be allocated on demand between different communication sessions, thereby improving the utilization efficiency of quantum key resources.

[0042] Simultaneously, after the quantum key extraction is completed, key negotiation is performed based on the public key information in the communication device's digital certificate to generate a corresponding negotiation key. This key negotiation process employs existing key exchange protocols, such as elliptic curve-based key negotiation algorithms or other negotiation mechanisms suitable for current cryptographic systems. In this way, both quantum keys and negotiation keys are obtained simultaneously within the same communication session, providing the foundation for subsequent collaborative processing of quantum keys and negotiation keys, thereby improving the overall security of the communication key system while ensuring compatibility.

[0043] In one application example, a secure communication connection needs to be established between an edge gateway device and a central control server in an industrial control network. When initiating a communication request, the edge gateway device simultaneously submits a digital certificate generated based on the RSA algorithm and a digital certificate generated based on the Dilithium post-quantum signature algorithm. Upon receiving the communication request, the authentication server performs authentication processing on the digital certificates according to both the classical public-key cryptography algorithm and the post-quantum cryptography algorithm, and obtains the corresponding authentication status identifier. Let the authentication status identifier of the classical public-key cryptography algorithm be... The authentication status identifier of the post-quantum cryptography algorithm system is .when and When the value is 0, it indicates that authentication under both cryptographic systems has passed, and the dual-stack authentication result is determined to meet the preset authentication conditions.

[0044] After determining that the preset authentication conditions are met, the authentication server generates a session identifier based on the current authentication result. For example, based on the device identifier. Authentication timestamp And the authentication result identifier generates a session identifier. Its generation method is represented as:

[0045]

[0046] in, This represents a hash operation. This indicates a data concatenation operation. The generated session identifier. Used to uniquely identify the current authentication session.

[0047] Subsequently, based on the session identifier Retrieve the corresponding quantum key fragment from the quantum key buffer pool. For example, the quantum key buffer pool stores consecutive quantum key sequences. Calculate the corresponding index value based on the session identifier. And select quantum key fragments This serves as the quantum key for this communication session.

[0048] Meanwhile, the authentication server also performs key negotiation based on the public key information in the communication device's digital certificate. For example, when using an elliptic curve key negotiation mechanism, the communication device and the server each generate a temporary key pair. and And obtain the shared key through negotiation. ,Right now:

[0049]

[0050] Through the above process, quantum keys can be obtained simultaneously in the same authentication session. and negotiation key This provides the foundation for the subsequent collaborative processing of quantum keys and negotiated keys, thereby enabling the joint use of dual-stack authentication mechanisms and quantum key resources in specific engineering application scenarios.

[0051] In step S3, collaborative processing is performed based on the quantum key and the negotiated key to generate a collaborative key for the communication session. This includes: obtaining the quantum key and the negotiated key, and generating session binding parameters based on the session identifier; performing key quality evaluation processing on the quantum key and the negotiated key respectively to obtain quantum key quality parameters and negotiated key quality parameters; determining a key fusion strategy based on the quantum key quality parameters and the negotiated key quality parameters, and performing key derivation processing on the quantum key, the negotiated key, and the session binding parameters based on the key fusion strategy to generate a collaborative key for the communication session.

[0052] Specifically, key quality evaluation processing is performed on the quantum key and the negotiated key respectively to obtain quantum key quality parameters and negotiated key quality parameters, including: performing randomness detection processing on the quantum key and the negotiated key respectively to obtain corresponding randomness indices; performing entropy estimation processing on the quantum key and the negotiated key respectively to obtain corresponding entropy indices; and generating quantum key quality parameters and negotiated key quality parameters based on the randomness indices and the entropy indices respectively.

[0053] Specifically, determining the key fusion strategy based on the quantum key quality parameters and the negotiated key quality parameters includes: comparing the quantum key quality parameters with a preset quantum key quality threshold to determine the quantum key availability status identifier; comparing the negotiated key quality parameters with a preset negotiated key quality threshold to determine the negotiated key availability status identifier; and determining the key fusion mode based on the quantum key availability status identifier and the negotiated key availability status identifier; wherein the key fusion mode includes: a quantum key-dominated fusion mode, a negotiated key-dominated fusion mode, and a dual-key collaborative fusion mode.

[0054] In this embodiment of the invention, after obtaining the quantum key and the negotiation key generated through key negotiation, the two types of key materials are further processed collaboratively to generate a collaborative key for communication sessions. Considering that quantum keys typically originate from quantum key distribution and their randomness stems from the quantum state measurement process, they theoretically possess high information entropy. However, in practical engineering environments, due to factors such as quantum channel noise, detector error rate, and key purification processes, the quality of quantum keys generated at different times may fluctuate.

[0055] On the other hand, negotiation keys generated through key exchange mechanisms in classical cryptography typically originate from key exchange protocols constructed from mathematically difficult problems. While their generation process is highly stable, their security relies on computational complexity assumptions. If only one type of key material is used to generate the communication session key, insufficient key quality or reduced security may occur in certain network environments. Therefore, this scheme introduces a key quality evaluation mechanism and an adaptive key fusion strategy during the key generation stage, enabling quantum keys and negotiation keys to form a collaborative relationship within the same processing flow. This improves the stability and security of the key generation process while ensuring key randomness.

[0056] In the specific implementation process, the quantum key and negotiation key corresponding to the current communication session are obtained, and session binding parameters are constructed based on the session identifier generated during the authentication phase. The session identifier is generated during the authentication process based on data such as the communication device identifier, authentication time information, and authentication result; its main function is to identify the current communication session instance. By introducing session binding parameters, a clear association is established between the generated collaborative key and the specific communication session. Let the communication session identifier be... The communication equipment is identified as The authentication timestamp is Then the session binding parameters Represented as:

[0057]

[0058] in, Indicates session binding parameters, Represents the hash operation function. This represents the data concatenation operator. Indicates the communication session identifier. Indicates communication device identification information, This represents the timestamp when authentication was completed. The above calculation method ensures the uniqueness of the generated session binding parameters across different communication sessions.

[0059] After obtaining the session binding parameters, key quality evaluation is performed on both the quantum key and the negotiated key. Let the quantum key sequence be represented as:

[0060]

[0061] in, Represents a quantum key sequence. Represents the first in the quantum key sequence One key bit, This represents the length of the quantum key. The negotiated key is represented as:

[0062]

[0063] in, Represents the negotiated key sequence. Represents the first in the negotiated key sequence One key bit, Indicates the length of the negotiated key.

[0064] In the randomness detection process, a randomness index is obtained by statistically analyzing the distribution of bit values in the key sequence. Quantum key randomness index. Represented as:

[0065]

[0066] in, This represents the number of bits with a value of 1 in the quantum key sequence. It is also a measure of the randomness of the negotiated key. This is represented as:

[0067]

[0068] in, This indicates the number of bits with a value of 1 in the negotiated key sequence. This metric reflects the uniformity of the distribution of 0s and 1s in the key sequence; the closer the randomness metric is to 1, the higher the randomness of the key sequence.

[0069] Building upon this, the information uncertainty of the key sequence is also assessed using the information entropy estimation method. The entropy value of a quantum key. Represented as:

[0070]

[0071] in, This indicates that the bits in the quantum key sequence have values of 10 ... The probability of [something]. Similarly, the entropy value of the negotiated key. Represented as:

[0072]

[0073] After obtaining the randomness and entropy indices, the corresponding key quality parameters are generated. Quantum key quality parameters. Represented as:

[0074]

[0075] in, A variance index representing a quantum key sequence. , , Represents the weighting coefficients. Negotiated key quality parameters. Represented as:

[0076]

[0077] in, A variance index representing the negotiated key sequence.

[0078] Subsequently, the quantum key quality parameters are compared with a preset quantum key quality threshold. The comparison is performed, and the negotiated key quality parameters are compared with the preset negotiated key quality threshold. A comparison is made to determine the key availability state. Let the quantum key availability state be identified as... The negotiated key is available as a status identifier. Then it is represented as:

[0079]

[0080] Based on the aforementioned status indicators, the key fusion mode is further determined. When and When, a dual-key collaborative fusion mode is adopted; when and At that time, a quantum key-based fusion mode is adopted; when and In this case, the negotiated key-driven fusion mode is adopted.

[0081] After determining the fusion mode, a collaborative key is generated based on the quantum key, the negotiated key, and the session binding parameters. Represented as:

[0082]

[0083] in, Represents the collaboration key. This represents the bitwise XOR operator. This represents hash function operations. This represents the session binding parameters. Through the above calculation method, the generated collaborative key simultaneously incorporates quantum key randomness, negotiated key stability, and session binding information, thereby improving the overall security of the communication key system.

[0084] Through the aforementioned collaborative key generation mechanism, quantum key resources and negotiation keys in traditional cryptographic systems can be adaptively fused in the same key generation process. This enables the key fusion strategy to be dynamically adjusted according to the quality of different key materials, thereby improving the stability and security of the session key generation process in communication while ensuring key randomness.

[0085] Further explanations are provided for the quantum key-driven fusion mode, the negotiated key-driven fusion mode, and the dual-key collaborative fusion mode:

[0086] 1) Quantum key-based fusion mode:

[0087] In generating the collaborative key, the quantum key is used as the primary key material, while the negotiated key is used as auxiliary perturbation information in the key derivation process. When the key quality assessment results indicate that the quantum key quality parameter is higher than a preset quantum key quality threshold, while the negotiated key quality parameter is lower than the corresponding negotiated key quality threshold, the quantum key is determined as the primary key source. At this point, the quantum key sequence is first subjected to key rearrangement and fragment combination processing to form a stable master key sequence, while the negotiated key is introduced as a perturbation input into the key derivation function.

[0088] Specifically, the quantum key sequence can be divided into multiple key fragments, and the order of these fragments can be rearranged based on session binding parameters to generate master key input data for derivation processing. Based on this, the negotiation key is hash-compressed to generate a perturbation vector, which is then combined with the quantum key sequence using a bitwise XOR operation to form new key input data. In this way, even if the negotiation key quality is relatively low, it can still participate in the collaborative key generation process as a random perturbation, thus avoiding the structural regularity problems that may arise when the quantum key is used alone. Furthermore, since quantum keys originate from the quantum channel measurement process and have high randomness, the collaborative key generated in this mode can inherit the randomness advantage of the quantum key and further enhance the unique association between the key and the communication session through session binding parameters, thereby improving the security strength of the session key generation process in communication.

[0089] 2) Negotiated key-driven fusion mode:

[0090] In generating the collaborative key, the negotiated key is used as the primary key material, while the quantum key is used as auxiliary perturbation information in the key derivation process. This mode is typically triggered when the quantum key quality assessment result is lower than a preset quantum key quality threshold, while the negotiated key quality parameters meet the preset negotiated key quality threshold. Considering that quantum keys may be affected by factors such as quantum channel noise, detector dark count rate, or increased bit error rate in some practical deployment environments, leading to a decrease in the randomness or entropy of the generated quantum keys during certain time periods, this mode uses the negotiated key as the primary key material to ensure the stability of the session key generation process. In the specific processing, the negotiated key is first subjected to key expansion processing to form a master key sequence with a length that meets the requirements for session key generation; then, the quantum key sequence is subjected to compression processing or hash mapping processing to generate auxiliary random factors used in the key derivation process.

[0091] By using quantum keys as auxiliary random inputs in collaborative key computation, additional uncertainty is introduced into the key generation process without affecting the dominant structure of the negotiated key, thereby increasing the complexity of the key structure. Simultaneously, the collaborative key is still bound to the current communication session through session binding parameters, ensuring that there are no predictable correlations between keys generated by different communication sessions. Through this approach, the continuity and security of the communication key generation process can be maintained even when the quality of the quantum keys is unstable.

[0092] 3) Dual-key collaborative fusion mode:

[0093] In generating the collaborative key, both the quantum key and the negotiated key are used simultaneously as core input materials. This mode is typically triggered when both the quantum key quality parameter and the negotiated key quality parameter are higher than their respective preset thresholds. At this point, both types of key materials possess high quality, thus participating in session key generation through collaborative fusion. In the specific implementation, a unified length mapping process is first performed on the quantum key sequence and the negotiated key sequence, ensuring that both types of key sequences have a consistent structural form during key derivation. Subsequently, fusion parameters are constructed based on session binding parameters, and the quantum key sequence, negotiated key sequence, and fusion parameters are jointly input into the key derivation function. By performing multiple rounds of hash mapping and hybrid operations in the key derivation function, the two types of key materials form a cross-dependency relationship during the derivation process, ensuring that the final generated collaborative key simultaneously contains the randomness characteristics of the quantum key and the structural stability of the negotiated key.

[0094] Since quantum keys originate from physical random processes, while negotiated keys are constructed using cryptographic algorithms, they differ in their security foundation. Collaborative fusion avoids the potential security risks associated with a single key source. Furthermore, session binding parameters participate in the fusion process as session characteristic information, ensuring that the collaborative key differs significantly across different communication sessions, thus preventing key reuse. Collaborative keys generated through this method exhibit high security performance in terms of randomness, unpredictability, and session isolation. Therefore, this fusion mode is preferred when both quantum keys and negotiated keys possess high quality.
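The quality evaluation, fusion-mode selection and session-bound derivation of step S3 can be sketched as follows; this is an added example, not code from the patent or its assignee. Assumptions: SHA-256 and HMAC-SHA256 as the hash and derivation functions, the exact form of the randomness index, the weights and thresholds, the omission of the variance index, rejection when neither key passes its threshold, and all function names and sample values.

```python
import hashlib
import hmac
import math


def lp(*parts: bytes) -> bytes:
    """Length-prefixed concatenation, so field boundaries cannot be shifted."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def session_binding(session_id: bytes, device_id: bytes, timestamp: bytes) -> bytes:
    """Hash over session identifier, device identifier and authentication timestamp."""
    return hashlib.sha256(lp(session_id, device_id, timestamp)).digest()


def bit_stats(key: bytes):
    """Return (randomness index, single-bit Shannon entropy) of a key."""
    if not key:
        raise ValueError("empty key material")
    total = len(key) * 8
    p1 = sum(bin(b).count("1") for b in key) / total
    randomness = 1.0 - abs(2.0 * p1 - 1.0)  # assumed form: 1.0 when 0s and 1s balance
    entropy = 0.0
    for p in (p1, 1.0 - p1):
        if p > 0.0:
            entropy -= p * math.log2(p)
    return randomness, entropy


def quality(key: bytes, w_rand: float = 0.5, w_ent: float = 0.5) -> float:
    """Weighted quality parameter; weights are assumed, variance index omitted."""
    randomness, entropy = bit_stats(key)
    return w_rand * randomness + w_ent * entropy


def select_mode(q_quality: float, n_quality: float,
                q_threshold: float = 0.9, n_threshold: float = 0.9) -> str:
    """Map the two availability flags to one of the three fusion modes."""
    q_ok = q_quality >= q_threshold
    n_ok = n_quality >= n_threshold
    if q_ok and n_ok:
        return "dual"
    if q_ok:
        return "quantum-dominated"
    if n_ok:
        return "negotiated-dominated"
    # Assumption: with no usable key source, fail closed instead of deriving.
    raise ValueError("neither key source meets its quality threshold")


def expand(seed: bytes, length: int, label: bytes) -> bytes:
    """Counter-mode SHA-256 expansion or compression of seed to `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(lp(label, seed, counter.to_bytes(4, "big"))).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fuse(qkey: bytes, nkey: bytes, binding: bytes, mode: str) -> bytes:
    """Derive a 32-byte collaborative key bound to the session."""
    if mode == "quantum-dominated":
        # Quantum key is primary; hashed negotiated key is the perturbation vector.
        material = xor(qkey, expand(nkey, len(qkey), b"perturb"))
    elif mode == "negotiated-dominated":
        # Expanded negotiated key is primary; hashed quantum key is the auxiliary factor.
        material = xor(expand(nkey, 32, b"master"), expand(qkey, 32, b"aux"))
    elif mode == "dual":
        material = lp(qkey, nkey)  # both keys enter the derivation in full
    else:
        raise ValueError("unknown fusion mode: " + mode)
    # The binding parameter acts as salt; the mode label separates the three paths.
    return hmac.new(binding, lp(mode.encode(), material), hashlib.sha256).digest()


if __name__ == "__main__":
    q = bytes(range(256))                 # constructed sample "quantum" fragment
    n = b"\x00" * 31 + b"\x01"            # constructed low-quality negotiated key
    b = session_binding(b"sid-0001", b"edge-gw-01", b"1700000000")
    mode = select_mode(quality(q), quality(n))
    print(mode, fuse(q, n, b, mode).hex())
```

The constructed pattern `b"\x55" * 32` scores 1.0 on both indices although it is fully predictable, so bit-balance and single-bit entropy can reject obviously biased material but cannot on their own certify a key as random.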

[0095] In step S4, a communication session key is generated based on the collaborative key, and encryption transmission of communication data is performed based on the communication session key, including: performing key derivation processing based on the collaborative key and the session identifier to generate the communication session key; establishing a binding relationship between the communication session key and the current communication session, and performing encryption processing on the communication data based on the communication session key; and performing destruction processing on the communication session key when the communication session ends.

[0096] In this embodiment of the invention, it is necessary to further convert the collaborative key into a communication session key that actually participates in the communication encryption process. This process is accomplished through a key derivation mechanism. The purpose of this process is to prevent the collaborative key from being directly used for data encryption, thereby reducing the risk of key exposure and achieving key isolation between different communication sessions.

[0097] In this embodiment, the collaboration key and the session identifier generated during the current authentication phase are first obtained, and both are used as inputs to perform key derivation processing. The session identifier is used to identify the unique identity information of the current communication connection, and it can be generated by combining information such as authentication timestamp, communication device identifier, and random number, thereby ensuring that different communication sessions correspond to different session identifiers. Subsequently, the collaboration key and the session identifier are input into the key derivation function, and a communication session key for the current communication connection is generated through hash expansion or key expansion operations. By introducing the session identifier into the derivation calculation, even if the collaboration key remains consistent across different sessions, different communication session keys can still be generated, thereby improving communication security.

[0098] After obtaining the communication session key, a binding relationship is established between the communication session key and the current communication session. Specifically, the mapping relationship between the communication session identifier and the corresponding communication session key is recorded in the session management module, and the communication session key is invoked to perform data encryption processing during communication data transmission. For example, when transmitting business data between communication devices, symmetric encryption processing can be performed on the data to be sent based on the communication session key, so that the communication data remains in a ciphertext state during transmission, thereby preventing third parties in the communication link from obtaining plaintext information. At the same time, at the receiving device, the same communication session key can be used to perform decryption processing on the received ciphertext data, thereby recovering the original communication data. Since the communication session key is jointly derived from the collaboration key and the session identifier, it inherits both the randomness characteristics of the fusion of quantum key and negotiated key and has a unique correspondence with the current communication session.

[0099] To prevent the session key from being reused in subsequent communications after the communication session ends, this embodiment also performs a destruction process on the communication session key. Specifically, upon detecting a disconnection of the communication connection or the timeout of the communication session, the communication session key stored in memory is immediately deleted, and the corresponding key mapping record in the session management module is cleared. If necessary, an overwrite operation can also be performed on the storage area to avoid the key remaining in the cache. By performing key destruction after the communication session ends, it is ensured that the communication session key is only valid within the lifecycle of the corresponding communication session, thereby reducing the risk of key leakage and further improving the overall data security protection capability of the communication.

[0100] In one alternative embodiment, in actual communication, some business sessions may last for a long time, such as continuous data transmission, remote control links, or continuous encrypted channels. If the same communication session key is always used for encryption, potential cryptanalysis risks may accumulate during long-term communication.

[0101] In this implementation, after a communication session is established, the session identifier corresponding to the current communication session and the time of collaborative key generation are recorded, and the amount of communication data or the duration of communication is continuously monitored during the communication process. When the cumulative amount of communication data exceeds a preset data threshold, or the duration of communication reaches a preset time threshold, the collaborative key update process is re-triggered based on the current session identifier. Specifically, a new quantum key fragment is extracted from the quantum key cache pool, and key negotiation is performed again in combination with the public key information of the current communication device to generate a new negotiation key. Subsequently, the newly acquired quantum key fragment and the new negotiation key are input into the key collaboration processing module, and the updated collaborative key is regenerated through a preset key fusion strategy.

[0102] After generating a new collaborative key, a new communication session key is derived based on this collaborative key. This newly generated communication session key is then bound to the current communication session. Simultaneously, the original communication session key is invalidated, preventing it from participating in subsequent communication data encryption. This method allows for periodic updates of the session key during long-term communication, thereby reducing the security risks associated with prolonged key use.

[0103] This implementation introduces a collaborative key dynamic evolution mechanism on the basis of dual-stack authentication and key collaborative processing framework, so that quantum keys and negotiated keys can continuously participate in the key update process during communication, thereby further improving the overall security strength of the key system and enhancing the long-term security guarantee capability in complex communication environments.
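The session key lifecycle of step S4 and the update mechanism above (derive from the collaborative key and session identifier, bind, enforce data and time thresholds, invalidate on update, destroy at session end) can be sketched as follows; this is an added example, not code from the patent. Assumptions: HMAC-SHA256 as the derivation function, the threshold values, refusing further use once an update is due, and the class and method names.

```python
import hashlib
import hmac
import time


class RekeyRequired(Exception):
    """Raised when a session key has reached its data or time threshold."""


class SessionKeyStore:
    """Session management module: session identifier -> session key record."""

    def __init__(self, max_bytes=1 << 20, max_age_s=3600.0, clock=time.monotonic):
        self.max_bytes = max_bytes    # preset data threshold (assumed value)
        self.max_age_s = max_age_s    # preset time threshold (assumed value)
        self._clock = clock
        self._sessions = {}

    @staticmethod
    def _wipe(buf: bytearray) -> None:
        # Best-effort overwrite of the stored key. Immutable copies made by
        # callers or by the runtime are not reached by this.
        for i in range(len(buf)):
            buf[i] = 0

    def bind(self, session_id: bytes, collab_key: bytes) -> None:
        """Derive the session key and bind it; also used for key updates."""
        old = self._sessions.get(session_id)
        if old is not None:
            self._wipe(old["key"])    # invalidate the original session key
        derived = hmac.new(collab_key, b"session-key\x00" + session_id,
                           hashlib.sha256).digest()
        self._sessions[session_id] = {
            "key": bytearray(derived),
            "used": 0,
            "born": self._clock(),
        }

    def rekey_due(self, session_id: bytes) -> bool:
        """True when traffic volume exceeds, or key age reaches, its threshold."""
        rec = self._sessions[session_id]
        age = self._clock() - rec["born"]
        return rec["used"] > self.max_bytes or age >= self.max_age_s

    def use(self, session_id: bytes, nbytes: int) -> bytearray:
        """Account for nbytes of traffic and return the key, or fail closed."""
        if self.rekey_due(session_id):
            raise RekeyRequired(session_id.hex())
        rec = self._sessions[session_id]
        rec["used"] += nbytes
        return rec["key"]

    def destroy(self, session_id: bytes) -> None:
        """Session ended or timed out: drop the mapping and overwrite the key."""
        rec = self._sessions.pop(session_id)
        self._wipe(rec["key"])


if __name__ == "__main__":
    store = SessionKeyStore(max_bytes=100, max_age_s=10.0)
    collab = bytes(range(32))         # constructed sample collaborative key
    store.bind(b"sid-0001", collab)
    store.use(b"sid-0001", 150)       # pushes the session past the data threshold
    print("update due:", store.rekey_due(b"sid-0001"))
    store.bind(b"sid-0001", bytes(range(32, 64)))  # fresh collaborative key
    store.destroy(b"sid-0001")
```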

[0104] In one optional embodiment, after obtaining the quantum key and the negotiation key, a set of key recombination control parameters are first generated based on the session identifier. Then, the quantum key is fragmented based on these parameters to form multiple quantum key sub-fragments. Subsequently, the negotiation key is position-mapped according to the key recombination control parameters to obtain multiple negotiation key sub-sequences. Next, the quantum key sub-fragments and negotiation key sub-sequences are alternately combined according to a preset interleaving rule to form a key combination sequence.

[0105] After constructing the key combination sequence, key derivation operations are performed based on the key combination sequence to generate the final collaborative key. Since the quantum key fragments and the negotiated key subsequences have undergone fragment-level recombination and position mapping processing before fusion, the generated collaborative key has higher structural uncertainty, making it difficult for potential attackers to infer the final key structure by analyzing a single key source.

[0106] By introducing the aforementioned key fragment recombination processing mechanism, the quantum key and the negotiated key form a complex combination structure before fusion, thereby further enhancing the randomness and security strength of the collaborative key generation process.

[0107] As shown in Figure 2, one embodiment of the present invention provides a quantum key collaborative processing device with dual-stack authentication. The device includes: a data acquisition module, used to acquire certificate information of a communication device under different cryptographic algorithm systems, and perform corresponding authentication processing on each certificate information to obtain a dual-stack authentication result; a key extraction module, used to acquire a quantum key and a negotiation key generated through key negotiation when the dual-stack authentication result meets preset authentication conditions; a key collaboration module, used to perform collaborative processing based on the quantum key and the negotiation key to generate a collaboration key for a communication session; and a data encryption module, used to generate a communication session key based on the collaboration key, and perform encrypted transmission processing of communication data based on the communication session key.

[0108] Those skilled in the art will understand that all or part of the steps in the methods of the above embodiments can be implemented by a program instructing related hardware. This program is stored in a storage medium and includes several instructions to cause a microcontroller, chip, or processor to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a portable hard drive, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.

Claims

1. A dual-stack authenticated quantum key distribution method, characterized in that, The method includes: Obtain certificate information of communication devices under different cryptographic algorithm systems, and perform corresponding authentication processing on each certificate information to obtain dual-stack authentication results; When the dual-stack authentication result meets the preset authentication conditions, the quantum key and the negotiation key generated through key negotiation are obtained; Based on the quantum key and the negotiated key, collaborative processing is performed to generate a collaborative key for the communication session; A communication session key is generated based on the collaborative key, and the encrypted transmission of communication data is performed based on the communication session key.

2. The dual-stack authenticated quantum key collaborative processing method according to claim 1, characterized in that, Different cryptographic algorithm systems include classical public-key cryptography and post-quantum cryptography; among them, Classic public-key cryptography algorithms include: Any one or more of the following algorithms: RSA, Elliptic Curve Cryptography (ECC), and SM2.

3. The dual-stack authenticated quantum key collaborative processing method according to claim 2, characterized in that, The rules for performing authentication processing on certificate information corresponding to classic public-key cryptography algorithms are as follows: Obtain the digital certificate of the communication device under the corresponding classic public-key cryptography algorithm system, and extract the public key information from the digital certificate; The authentication data submitted by the communication device is digitally signed and verified based on the public key information in the digital certificate. If the digital signature verification is successful, the authentication result corresponding to the classic public-key cryptography algorithm system is confirmed as successful; otherwise, the authentication is determined to have failed.

4. The dual-stack authenticated quantum key collaborative processing method according to claim 2, characterized in that, The rules for performing authentication processing on certificate information corresponding to the post-quantum cryptography algorithm system are as follows: Obtain the digital certificate of the communication device under the post-quantum cryptography algorithm system, and extract the post-quantum public key information from the digital certificate; Obtain the quantum key and generate an authentication challenge value based on the quantum key; The authentication challenge value is sent to the communication device, which then performs a signature operation on the authentication challenge value based on its post-quantum private key and returns the authentication signature data. Based on the post-quantum public key information, post-quantum signature verification processing is performed on the authentication signature data. If the verification is successful, the authentication processing result corresponding to the post-quantum cryptographic algorithm system is confirmed as successful; otherwise, the authentication is determined to have failed.

5. The dual-stack authenticated quantum key collaborative processing method according to claim 2, characterized in that obtaining the quantum key and the negotiation key generated through key negotiation when the dual-stack authentication result meets the preset authentication conditions includes: when both the authentication status identifier of the classical public-key cryptography algorithm system and the authentication status identifier of the post-quantum cryptography algorithm system indicate that authentication has passed, determining that the dual-stack authentication result meets the preset authentication conditions; in response to a trigger signal indicating that the dual-stack authentication result meets the preset authentication conditions, generating a session identifier corresponding to the current authentication session based on the dual-stack authentication result; based on the session identifier, extracting a quantum key fragment matching the session identifier from the quantum key cache pool to serve as the quantum key; and, based on the public key information in the digital certificate of the communication device, performing a key negotiation process to generate the negotiation key.

6. The dual-stack authenticated quantum key collaborative processing method according to claim 5, characterized in that performing collaborative processing based on the quantum key and the negotiation key to generate a collaborative key for the communication session includes: obtaining the quantum key and the negotiation key, and generating session binding parameters based on the session identifier; performing key quality evaluation processing on the quantum key and the negotiation key respectively to obtain quantum key quality parameters and negotiation key quality parameters; and determining a key fusion strategy based on the quantum key quality parameters and the negotiation key quality parameters, and performing key derivation processing on the quantum key, the negotiation key and the session binding parameters based on the key fusion strategy to generate the collaborative key for the communication session.

7. The dual-stack authenticated quantum key collaborative processing method according to claim 6, characterized in that performing key quality evaluation processing on the quantum key and the negotiation key respectively to obtain quantum key quality parameters and negotiation key quality parameters includes: performing randomness detection processing on the quantum key and the negotiation key respectively to obtain the corresponding randomness index; performing entropy estimation processing on the quantum key and the negotiation key respectively to obtain the corresponding entropy index; and generating the quantum key quality parameters and the negotiation key quality parameters based on the randomness index and the entropy index, respectively.

8. The dual-stack authenticated quantum key collaborative processing method according to claim 6, characterized in that determining a key fusion strategy based on the quantum key quality parameters and the negotiation key quality parameters includes: comparing the quantum key quality parameters with a preset quantum key quality threshold to determine the availability status identifier of the quantum key; comparing the negotiation key quality parameters with a preset negotiation key quality threshold to determine the availability status identifier of the negotiation key; and determining the key fusion mode based on the availability status identifier of the quantum key and the availability status identifier of the negotiation key; wherein the key fusion mode includes: a quantum key-driven fusion mode, a negotiation key-driven fusion mode, and a dual-key collaborative fusion mode.

9. The dual-stack authenticated quantum key collaborative processing method according to claim 6, characterized in that generating a communication session key based on the collaborative key, and performing encrypted transmission processing of communication data based on the communication session key, includes: based on the collaborative key and the session identifier, performing key derivation processing to generate the communication session key; binding the communication session key to the current communication session, and encrypting the communication data based on the communication session key; and, when the communication session ends, destroying the communication session key.
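The flow of claims 6 to 9 (quality evaluation, threshold comparison, fusion mode selection, session-bound derivation) is sketched below as an added example; it is not code from the patent. The scoring formulas, the 0.8 thresholds, HKDF-SHA256 as the derivation function, the reading of a "-driven" mode as using only the passing key, and the fail-closed behaviour when neither key passes are all assumptions, and every function name is hypothetical.

```python
import hashlib, hmac, math
from collections import Counter

def quality(key: bytes) -> float:
    """Score in [0, 1] from a randomness index and an entropy index (assumed formulas)."""
    n = len(key)
    if n < 2:
        return 0.0
    ones = sum(bin(b).count("1") for b in key)
    randomness = 1 - 2 * abs(ones / (8 * n) - 0.5)   # monobit balance
    h = -sum(c / n * math.log2(c / n) for c in Counter(key).values())
    entropy = h / min(8.0, math.log2(n))             # normalised to what n bytes can show
    return min(randomness, entropy)

def fusion_mode(qk: bytes, nk: bytes, q_thr: float = 0.8, n_thr: float = 0.8) -> str:
    """Compare each quality parameter with its threshold, then pick the fusion mode."""
    q_ok, n_ok = quality(qk) >= q_thr, quality(nk) >= n_thr
    if q_ok and n_ok:
        return "dual"
    if q_ok:
        return "quantum"
    if n_ok:
        return "negotiated"
    raise ValueError("neither key is usable")        # assumption: fail closed

def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869); the claims do not name a KDF, so this is an assumption."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]

def collaborative_key(qk: bytes, nk: bytes, session_id: bytes):
    """Claim 6: derive the collaborative key from the usable keys and the session binding."""
    mode = fusion_mode(qk, nk)
    binding = hashlib.sha256(b"session-binding" + session_id).digest()
    parts = {"dual": [qk, nk], "quantum": [qk], "negotiated": [nk]}[mode]
    # Length-prefix each input so the concatenation is unambiguous.
    ikm = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return mode, hkdf(ikm, binding, b"collaborative-key|" + mode.encode())

def session_key(collab: bytes, session_id: bytes) -> bytes:
    """Claim 9: derive the communication session key from collaborative key and session id."""
    return hkdf(collab, session_id, b"communication-session-key")

# Constructed sample keys: two balanced 32-byte values and one stuck-at-zero value.
GOOD_Q = bytes(i * 8 + i % 8 for i in range(32))
GOOD_N = bytes(255 - b for b in GOOD_Q)
STUCK = bytes(32)
```

Statistical checks on a key this short only catch gross failures such as a stuck or heavily biased source; they say nothing about whether the key is secret. In either single-key mode the derived key is only as strong as the one input that passed.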

10. A dual-stack authenticated quantum key distribution processing device, characterized in that the device includes: a data acquisition module, used to acquire certificate information of communication devices under different cryptographic algorithm systems, and to perform corresponding authentication processing on each item of certificate information to obtain a dual-stack authentication result; a key extraction module, used to obtain the quantum key and the negotiation key generated through key negotiation when the dual-stack authentication result meets the preset authentication conditions; a key coordination module, used to perform collaborative processing based on the quantum key and the negotiation key to generate a collaborative key for the communication session; and a data encryption module, used to generate a communication session key based on the collaborative key, and to perform encrypted transmission processing of communication data based on the communication session key.