An airport quantum secure remote information display publishing system
By employing quantum-secure key management and layout fingerprinting technology, quantum-secure publishing of the airport remote information display system has been achieved. This solves the key management and content trustworthiness issues of existing systems under the threat of quantum computing, ensuring the trustworthiness of terminal displays and rapid fault location.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUIZHOU AIRPORT INTELLIGENT TECH CO LTD
- Filing Date
- 2026-05-15
- Publication Date
- 2026-06-19
AI Technical Summary
Existing airport remote information display and publishing systems lack targeted key hierarchical management and content trustworthy publishing mechanisms when facing quantum computing threats. They are unable to distinguish between erroneous or tampered content at the terminal side, and the terminal display results lack verifiability, making them susceptible to link failures or attacks.
A quantum-secure key management module generates a hierarchical key map. Combined with a layout fingerprint generation module and a security tag generation module, a layout fingerprint token carrying a virtual channel identifier is sent to the terminal through a dual-path distribution mechanism. Consistency comparison is performed on the terminal side. The terminal trusted display module ensures the credibility of the rendering results, and the anomaly handling module performs rapid isolation and tracing.
It enables trusted content publishing in multi-network, multi-service, and multi-terminal environments, verifiable terminal display results, rapid location and isolation of anomalies, and improved system security and maintainability.
Smart Images

Figure CN122247620A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of quantum secure communication technology, specifically to an airport quantum secure remote information display and publishing system. Background Technology
[0002] Currently, airport remote information display and publishing systems generally adopt a layered architecture of "information source system—publishing control server—transmission network—display terminal." Flight operation systems, emergency command systems, and commercial operation systems connect to the publishing control side via LAN, private network, or public network. The publishing control server then distributes flight information, emergency announcements, and commercial content to be published to numerous display terminals in waiting areas, boarding gates, baggage claim areas, and other locations using existing transmission protocols. To meet compliance and security requirements, existing systems typically overlay virtual private networks (VPNs), transport layer encryption, and access control lists at the network and transport layers, along with account access management, firewalls, and intrusion detection systems, to prevent eavesdropping and unauthorized access. These solutions are primarily designed around considerations of "whether the link is encrypted" and "whether the channel is isolated," often employing relatively static configuration methods for key relationships between different business domains and terminal groups. Key management largely remains at the level of traditional public key infrastructure and symmetric key rotation.
[0003] Regarding information content and terminal-side security control, some existing remote display and publishing systems add digests or checksums to message messages, or use channel-level digital signatures to perform integrity checks and source authentication on received messages. Other systems restrict terminals from receiving content from unauthorized sources by using whitelists, version number checks, and other methods. However, such mechanisms typically protect "single messages" or "a specific data channel." As long as the terminal receives a message with a valid format and correct signature, it will directly display it according to its local rendering logic, making it difficult to distinguish between "erroneous or tampered content from a controlled upper-level system" and "correct content from normal business processes" on the terminal side. Furthermore, the verification of displayed content often remains at the data layer, lacking consistency checks on the actual layout structure, key field arrangement, and display results on the screen. Once the publishing control server or intermediate node is attacked, or the terminal's local rendering configuration is maliciously modified, even if the link encryption and message signature remain valid, the terminal may still display images with incorrect flight information or misleading content. In addition, with the development of quantum computing, key negotiation and authentication relying on traditional public-key algorithms face the risk of being cracked in the medium to long term. Existing research on quantum key distribution or quantum-resistant cryptography mainly focuses on end-to-end encryption of backbone links, data centers, or industrial control networks. For remote information display and publishing scenarios like airports, involving multiple networks, multiple business entities, multiple levels of distribution nodes, and a large number of terminals, there is a lack of targeted key hierarchical management and trusted content publishing mechanisms.
[0004] In this context, how can existing technologies, in the actual operating environment of airports with multi-network convergence, multi-service collaboration, and a large number of widely distributed display terminals, construct a remote information display and publishing mechanism while maintaining the existing network architecture and display terminal form as much as possible? This mechanism should enable key management to be finely divided according to information source, business domain, and terminal or terminal group. The failure or breach of any node in the publishing link should not cause the terminal to indiscriminately accept incorrect content. It should also be able to establish a verifiable correspondence between the final layout structure and key fields rendered on the screen and the upstream published content on the terminal side. Furthermore, when abnormal display behavior is detected, the abnormality should be associated with the corresponding publishing channel and key branch, facilitating rapid location of the problem scope and implementation of bounded isolation and adjustment. Summary of the Invention
[0005] (a) Technical problems to be solved To address the shortcomings of existing technologies, this invention provides an airport quantum-safe remote information display and publishing system to solve the problems mentioned in the background section.
[0006] (II) Technical Solution To achieve the above objectives, the present invention provides the following technical solution: an airport quantum-safe remote information display and publishing system, comprising: S1, Quantum Security Key Management Module, is used to construct and publish virtual channels based on quantum keys, generate hierarchical key graphs, and allocate service domain keys and terminal keys; S2, Layout fingerprint generation module, is used to receive the content to be published and displayed, form a structured layout description including the layout area, field content and target terminal group, and calculate the layout fingerprint; S3, Security Token Generation Module, is used to sign the stencil fingerprint using a post-quantum cryptography algorithm, and calculate the authentication value by combining the business domain key in the hierarchical key graph to generate a stencil fingerprint token carrying a virtual channel identifier; S4, Dual-channel distribution module, is used to send graphic data to the terminal through the content publishing channel and to send layout fingerprint tokens to the terminal through the control channel; S5, Terminal Trusted Display Module, is used to verify the legality of the token based on the terminal key, render the screen according to the graphic data, extract the rendering result to form a local layout fingerprint, and compare it with the layout fingerprint in the token. S6, the anomaly handling and tracing module, is used to control the terminal to display the rendering result when the comparison is consistent, and to switch the terminal to the security template and report the anomaly record containing the virtual channel identifier and key branch information when the comparison is inconsistent.
[0007] Furthermore, S1 includes: Based on the key block generated from the quantum-secure key source, a unique identifier is assigned to each published virtual channel, and the published virtual channel is bound to a single information source, a single terminal group, and a single service domain, respectively. The business domain key and terminal key are generated according to the key derivation rules, and the derivation relationship between the root key, business domain key and terminal key is recorded in a hierarchical key diagram. Each node in the hierarchical key graph contains a published virtual channel identifier, service domain identifier, terminal identifier, validity period, maximum number of uses, current number of uses, and status flag, and is stored in the key management library.
[0008] Furthermore, when multiple requests are made to obtain the same version of the service domain key and terminal key within a preset time on the same published virtual channel, a sequence number is assigned to each request, and idempotent control is performed based on the combination of the published virtual channel identifier and the sequence number, retaining only one corresponding key branch record in the hierarchical key graph. When the statistically obtained quantum secure key source supply rate is lower than the threshold, the key generation mode is switched from relying on the quantum key distribution device to relying on the negotiation node with quantum resistance to generate key blocks, and the old mode identifier, new mode identifier, switching time, and triggering reason are recorded in the key management library.
[0009] Furthermore, S2 includes: The pending content from the flight operation system, emergency information system, and commercial information system is merged into a queue according to the order of arrival; the latest record is retained for records with the same flight identifier and records with the same target terminal group identifier; and the format of flight number, destination, gate, time, and status fields is standardized in accordance with airport operation specifications. A structured layout description is generated based on the screen layout division information of the target terminal. The structured layout description includes the layout area number, screen coordinate position, area size, font number, color number, alignment method, key field text, and target terminal group identifier. A layout fingerprint is generated from the structured layout description according to predetermined rules, and the structured layout description and layout fingerprint are associated with the release virtual channel identifier and sequence number and stored in the release control buffer.
[0010] Furthermore, S3 includes: Based on the published virtual channel identifier and service domain identifier, retrieve the service domain key and key branch information that are in a valid state from the hierarchical key graph, and generate the next key branch when the remaining number of uses of the service domain key is close to the upper limit; After obtaining the pattern fingerprint from the release control buffer, the source signature is generated from the pattern fingerprint using quantum-resistant cryptography, and the authentication value is calculated using the business domain key. The pattern fingerprint, source signature, authentication value, release virtual channel identifier, business domain identifier, validity period and sequence number are combined to form a pattern fingerprint token, which is then written into the control channel transmission queue. When a duplicate request is made on the same virtual channel and with the same sequence number, the registered token is returned according to the version locking policy, and the token digest and key branch information are recorded in the audit log for traceability.
[0011] Furthermore, S4 includes: Extract the graphic content and corresponding layout fingerprint token from the release control buffer according to the release virtual channel identifier and terminal identifier, and send them through the content release channel and control channel respectively according to the terminal group to which the terminal belongs; On the content publishing channel side, the text and image content is encapsulated into message frames carrying terminal identifier, publishing virtual channel identifier and content number and sent through the transmission stack; On the control channel side, the fingerprint token is encapsulated into a control frame carrying a terminal identifier, a virtual channel identifier, and a status code, and sent through a logical path with quantum security hardening capabilities. When sending, the terminal identifier and sequence number are used as association fields to keep the message frame paired with the control frame; When a terminal fails to provide continuous feedback on control channel reception acknowledgments, the terminal is set to a control channel unavailable state, and the terminal identifier, virtual channel identifier, timestamp, and reason for unavailability are recorded.
[0012] Furthermore, S5 includes: While receiving the graphic content message frame carrying the terminal identifier, the publishing virtual channel identifier and the content number sent by the content publishing channel, the terminal also receives the format fingerprint token carrying the same terminal identifier and serial number from the control channel. The terminal verifies the authentication value in the token based on the preset terminal key, and checks the consistency between the format fingerprint and the virtual channel identifier, service domain identifier and validity period field in the token based on the quantum-resistant signature capability; After verification, the text and image content is drawn to the rendering buffer, and the layout area coordinates, area size, font number, color number and key field text are extracted from the rendering buffer to generate a local layout fingerprint. When the local layout fingerprint matches the layout fingerprint in the token within a limited time window, the display controller is controlled to output the screen and record the successful display event.
[0013] Furthermore, the text and image content with different sequence numbers are processed in ascending order of sequence number, and messages with sequence numbers less than the current sequence number are directly discarded, and the confirmed rendering state is maintained when the same sequence number arrives again. When generating a local layout fingerprint, the terminal calculates feature values based only on the layout area corresponding to the flight number, gate, departure time, and status fields. After a match is found, a successful display event containing the virtual channel identifier, terminal identifier, serial number, and timestamp is recorded to reduce the parsing burden of the rendering buffer and ensure the credibility of the display results.
[0014] Furthermore, S6 includes: When the terminal determines that the published virtual channel is in an untrusted state based on the comparison results of the local fingerprint and the fingerprint token in the fingerprint token, and the trustworthiness verification results of the token based on the terminal key and the business domain key, the display of the current round of graphic content will be stopped and switched to a secure template. After the terminal generates a traceability record containing the published virtual channel identifier, terminal identifier, current sequence number, key branch information, cause category and diagnostic information, the traceability record is sent to the central traceability node through the control channel. The central tracing node aggregates events based on the tracing records and hierarchical key map according to the published virtual channel identifier. When the number of tracing records exceeds the threshold, the corresponding business domain key branch is frozen. When the suspension conditions are met, the corresponding published virtual channel is suspended. Records containing the freeze decision and configuration version number are written to the append-only storage medium to maintain the integrity of the evidence chain.
[0015] Compared with the prior art, the present invention has the following beneficial effects: 1. By introducing a virtual channel and hierarchical key graph based on quantum-secure key sources, a template fingerprint token carrying a virtual channel identifier is generated on the publishing control side. On the terminal side, a local template fingerprint is generated after rendering and compared with the template fingerprint in the token. This achieves a quantum-secure publishing effect in the actual environment of multiple networks, multiple services and multiple terminals in airports, with minimal modification to existing networks and terminals. The remote display content source is reliable, the transmission is controllable and the final display result is verifiable, thus avoiding the theft, hijacking or tampering of the displayed information.
[0016] 2. By using a hierarchical key graph to record the derivation relationship between service domain keys and terminal keys, the comparison failure and token untrusted events are fed back to the terminal side as traceability records containing the published virtual channel identifier and key branch information. At the central traceability node, key branch freezing, virtual channel suspension and security template switching are triggered by aggregation according to virtual channels. This enables the rapid location of specific key branches or channel ranges for fine-grained isolation and recovery when anomalies occur in the publishing link, reducing the scope of failure and attack impact and improving the overall security and maintainability of the system. Attached Figure Description
[0017] Figure 1 This is a schematic diagram of the structure of an airport quantum-safe remote information display and publishing system according to the present invention. Detailed Implementation
[0018] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0019] Example: An airport quantum-safe remote information display and publishing system, comprising: S1, the quantum secure key management module, is used to construct and publish virtual channels based on quantum keys, generate hierarchical key graphs, and allocate service domain keys and terminal keys. Specifically, it is implemented as follows: The quantum-secure key management module is preferably deployed in a controlled server room at the airport. It receives and organizes the key bit sequence as raw material for quantum-secure keys when the quantum key distribution device or a quantum-resistant negotiation node continuously generates the key bit sequence. The quantum key distribution device generates random bit sequences at the physical layer, while the quantum-resistant negotiation node generates session bit sequences with quantum-resistant capabilities at the logic layer. In this embodiment, both are collectively referred to as the quantum-secure key source. The module aligns the continuously obtained bits into multiple key blocks according to a preset length, preferably several hundred bits. Based on consistency verification rules, segments with excessive error rates or high repetition rates are discarded or merged with adjacent segments, forming a key block sequence that meets quality requirements within an observation window of several minutes.
[0020] Based on this, the module establishes logical channels by binding each virtual publishing channel to an information source, a group of terminals, and a type of service domain. Here, the virtual publishing channel is a uniquely identified logical publishing relationship; the information source is the upper-level system that generates flight operation information, emergency information, or commercial information; the terminal is the display device used to display remotely published content; and the service domain refers to a type of service with security boundaries, such as flight, emergency, or commercial services. The module assigns a unique identifier to each virtual publishing channel and derives service domain keys and terminal keys hierarchically from the key block sequence according to preset derivation rules. The service domain key is used to distinguish the security scope of different service domains under the same virtual publishing channel, and the terminal key is used to distinguish the security scope of different terminals or terminal groups under the same virtual publishing channel.
[0021] The module organizes the above derivation relationships into a hierarchical key graph. A hierarchical key graph is a graph-like structure that records the derivation relationships between the root key, each service domain key, and each terminal key. Each graph edge or node records the published virtual channel identifier, service domain identifier, terminal identifier, validity period, maximum allowed usage count, current usage count, and status flag. The hierarchical key graph is preferably stored in a key management repository in a structured record format with version numbers and timestamps. The key management repository is a controlled storage unit used to persistently store the hierarchical key graph and its change records. The additional latency of a single derivation process from the original quantum-safe key material to the corresponding service domain key and terminal key is preferably controlled within a range of tens of milliseconds.
[0022] When the same virtual channel requests the same version of the service domain key or terminal key multiple times within a preset time period, the module can assign a sequence number to each request and execute an idempotent strategy based on the sequence number and the virtual channel identifier, retaining only one unique key branch record in the hierarchical key graph. Key branch information refers to the set of identifiers, validity periods, usage counts, and states corresponding to a specific service domain key or terminal key in the hierarchical key graph, used for subsequent module backtracking. Preferably, when the average supply rate of quantum-secure key sources within a statistical observation window is lower than a preset threshold, the module can switch to a software quantum-resistant mode, i.e., the subsequent key block sequence is generated by a negotiation node with quantum resistance capabilities. The switching behavior, along with the version numbers of the old and new modes, the switching time, and the triggering reason, is recorded in the key management library to form a complete chain of evidence.
[0023] S2, Layout fingerprint generation module, is used to receive the content to be published and displayed, form a structured layout description including layout area, field content and target terminal group, and calculate the layout fingerprint. Specifically, it is implemented as follows: The layout fingerprint generation module is located on the publishing control side and is used to uniformly organize the content to be published from the flight operation system, emergency information system, and commercial information system. The flight operation system, emergency information system, and commercial information system refer to the upper-level business systems that generate flight information, emergency announcements, and commercial promotional content, respectively. The content to be published refers to structured or semi-structured information to be sent to the terminal and displayed on the screen via the publishing virtual channel. Preferably, the module introduces the content to be published submitted by each business system into the same scheduling queue and merges them according to arrival time. For multiple updates of the same flight identifier or the same target terminal group identifier within a short period, only the record with the latest timestamp is retained to avoid invalid duplicate publications. In the merged records, the module performs noise reduction and format standardization on the flight number, destination, gate, planned or estimated time, and status fields according to airport operation specifications, such as standardizing date and time formats, using a standardized airport code table, and status enumeration values.
[0024] After completing the above sorting, the module combines the layout information of the target terminal's corresponding screen to map each piece of content to be published into a structured layout description. The structured layout description preferably records the area number of each layout area, its horizontal and vertical positions in the screen coordinate system, its width and height, font size, color number, alignment, as well as the key field text and target terminal group identifier bound to that area. The above coordinate and size parameters can be set to use pixels as the unit, time-related parameters to use seconds as the unit, and text fields and status fields to use a unified encoding table to ensure that upstream and downstream modules parse under the same standard.
[0025] Within a preset time window, the module arranges the structured layout descriptions that have been prepared under the same virtual channel according to a fixed field order, removes auxiliary elements that do not participate in the display or affect passenger readability, and retains only the necessary fields that are directly related to the final display effect. According to the pre-agreed feature generation rules, a corresponding layout fingerprint is generated for each structured layout description. The layout fingerprint refers to the feature value generated based on the structured layout description to identify the target display layout, and its length can preferably be set to several hundred bits. For multiple structured layout descriptions with identical content, the module adopts a deduplication strategy to generate only one layout fingerprint and establishes a reference relationship internally, thereby reducing the resource consumption of subsequent signing and transmission.
[0026] Finally, the structured layout description and the corresponding layout fingerprint are associated with the virtual channel identifier and sequence number and stored in the release control buffer. The release control buffer is a bounded cache area used to temporarily store control information to be sent and content feature values, so that the security tag generation module can directly obtain the corresponding layout fingerprint through a unified interface within the same logical node. In a preferred embodiment, the additional delay introduced by the layout fingerprint generation module for a single piece of content to be displayed during peak airport operation can be set to several tens of milliseconds, so as to complete the standardization and feature processing of the layout structure and key fields without significantly affecting the flight display refresh cycle.
[0027] S3, the security token generation module, is used to sign the pattern fingerprint using a post-quantum cryptography algorithm, calculate the authentication value by combining it with the business domain key in the hierarchical key graph, and generate a pattern fingerprint token carrying a virtual channel identifier. Specifically, it is implemented as follows: The security token generation module is connected to the key management library and the release control buffer. It is used to bind the layout fingerprint with the business domain key in the hierarchical key graph on the release control side to form a layout fingerprint token that can be verified on the terminal side. The hierarchical key graph is a graph structure maintained by the quantum security key management module, which records the root key of the release virtual channel, the keys of each business domain, and the derivation relationship of each terminal key. The business domain key is a key derived for different business domains such as flight, emergency, and commercial. The key branch information is a set of identifiers, validity period, maximum allowed number of uses, current usage count, and status flags corresponding to a certain business domain key branch. The release control buffer is a buffer area used to temporarily store the structured layout description and layout fingerprint.
[0028] When generating a formatted fingerprint token, the module first retrieves the currently marked valid service domain key and its key branch information from the hierarchical key graph based on the published virtual channel identifier and service domain identifier. When it detects that the remaining available times of a certain service domain key are close to the preset limit, the next key branch can be prepared in advance to ensure a smooth key switching process during peak traffic periods. After obtaining the corresponding formatted fingerprint from the published control buffer, the module uses quantum-resistant cryptography to generate a source signature for the formatted fingerprint and calculates the authentication value using the service domain key. The formatted fingerprint body, source signature, authentication value, published virtual channel identifier, service domain identifier, valid start and end time, and sequence number are combined to form a formatted fingerprint token. The formatted fingerprint token is a control object that is subsequently transmitted through the control channel and used for format consistency verification on the terminal side. This token is preferably written into the control channel transmission queue in the form of a structured record with a version number and timestamp. At the same time, a record containing the token digest, key branch information, and generation result is retained in the audit log of this node to form a traceable chain of evidence.
[0029] For repeated generation requests with the same virtual channel and sequence number within a limited time window, the module identifies the request as corresponding to an existing token based on the version locking policy, and directly returns the registered token reference without regenerating it. This ensures that only one unique format fingerprint token record corresponds to the same release round. The format fingerprint token can be set with a status field to indicate the category of the generation result. The status field value preferably includes several situations such as successful generation, unavailable business domain key, non-existent virtual channel, and inconsistent configuration. Records in the non-successful generation state are not written to the control channel sending queue, but are recorded in the audit log as error events for subsequent analysis by operation and maintenance personnel.
[0030] Preferably, a short-term session key can be set above the business domain key layer. The session key is derived from the business domain key and has a short validity period or limited number of uses. The fingerprint token carries a session identifier to guide the terminal to select the corresponding session key from the local cache first for authentication value calculation and verification. This reduces the frequency of access to the central key store and reduces the latency of the control channel while ensuring overall quantum security.
[0031] S4, the dual-path distribution module, is used to send image and text data to the terminal through the content publishing channel and to send layout fingerprint tokens to the terminal through the control channel. Specifically, it is implemented as follows: The dual-path distribution module integrates with the airport's existing network to stably transmit the formatted fingerprint token, which serves as the trust anchor, through a separately set control channel, while maintaining the existing transmission method for the content publishing channel. The content publishing channel refers to the business transmission channel that carries the text and image content, while the control channel refers to the secure transmission channel that carries the formatted fingerprint token and its related control information.
[0032] The module periodically retrieves the text and image content and corresponding fingerprint tokens, organized according to the virtual channel identifier and terminal identifier, from the release control buffer. Based on the terminal group to which the terminal belongs, the module divides the objects to be sent: On the content release channel side, the text and image content is encapsulated into several message frames. Each message frame carries a terminal identifier, a virtual channel identifier, and a content number. The terminal identifier is used to uniquely identify a display terminal, and the content number is used to distinguish different rounds of content under the same virtual channel. The module sends message frames to each terminal in a queue through the airport's existing transmission stack. If no terminal confirmation is received within a preset time, the message frame is retransmitted according to the configured number of retransmissions. The number of concurrent connections for the content release channel can be set to several tens to several hundred connections depending on the size of the terminal to meet the needs of a large number of terminals online at the same time.
[0033] On the control channel side, the module encapsulates the fingerprint token into a control frame. The control frame carries a terminal identifier, a virtual channel identifier, and a status code. The status code indicates the token's transmission status or availability. The control frame is transmitted through a logical path with quantum security hardening capabilities. This logical path refers to a virtual channel with independent keys and policies, partitioned above the physical network. Its bandwidth can be set significantly lower than the content publishing channel, but end-to-end latency is prioritized to be within a few hundred milliseconds to ensure the token is reachable before or during content display. During transmission, the module uses the terminal identifier and sequence number as association fields to map text and image content frames with the same sequence number to the control frame, ensuring that the terminal can accurately pair the same round of text and image content with the corresponding fingerprint token based on the terminal identifier and sequence number.
[0034] Within a preset observation window, for example, within approximately one second, if a terminal fails to provide control channel reception confirmation several times consecutively, the module can mark the terminal as unavailable, temporarily remove it from the virtual channel configuration involving high-security business domains, and record the terminal identifier, virtual channel identifier, timestamp, and reason for unavailability in the audit log for subsequent investigation. Preferably, within the same terminal, the control channel can also be configured for multicast or broadcast, with the dual-path distribution module sending fingerprint tokens under the same virtual channel to dozens of terminals at once according to the terminal identifier. This reduces the number of control channel connections and handshakes, and while maintaining no significant perceptible difference in screen refresh for passengers, the dual-path mechanism is introduced into the existing airport network, keeping the additional impact on overall system latency within acceptable limits.
[0035] S5, the terminal trusted display module, is used to verify the legitimacy of the token based on the terminal key, render the screen according to the graphic data, extract the rendering result to form a local layout fingerprint, and compare it with the layout fingerprint in the token. Specifically, the implementation is as follows: The terminal trusted display module resides in each display terminal and is used to verify the trustworthiness of the published virtual channel using the terminal key and the layout fingerprint token, and extend this trustworthiness to the actual screen display. The terminal key refers to the key derived by the quantum secure key management module according to the terminal identifier or terminal group identifier and pre-written into the protected area of the terminal. The layout fingerprint token refers to the control object carrying the layout fingerprint, local signature, authentication value, and the published virtual channel identifier, service domain identifier and serial number. When a terminal receives a text and image content message frame carrying a terminal identifier, a publishing virtual channel identifier, and a content number from a content publishing channel, it simultaneously receives a format fingerprint token carrying the same terminal identifier and serial number from a control channel. The terminal preferably pre-configures the terminal key of its terminal group and the available service domain key identifier locally. After receiving the format fingerprint token, the terminal first verifies the authentication value in the token based on the terminal key, and then verifies whether the format fingerprint is consistent with the publishing virtual channel identifier, service domain identifier, validity period, and other fields in the token based on the quantum signature resistance capability. If the verification fails within a preset number of repeated attempts, the current round of publishing is marked as untrusted, and the rendering process is no longer entered, and a security rejection event can be recorded.
[0036] When the token is deemed trustworthy, the terminal calls the local rendering engine to draw the graphic content onto the rendering buffer. The rendering buffer is a storage area located in the terminal display control link, used to temporarily store screen data that has not yet been sent to the screen. Before the screen is output, the terminal re-extracts the coordinate position, width and height, font size, color number, and key field text bound to each area from the rendering buffer. Based on the same rules as the publishing control side, a local layout fingerprint is generated. The local layout fingerprint is a feature value calculated by the terminal based on its own rendering results. It is compared one by one with the layout fingerprint carried in the layout fingerprint token within a preset time window of several hundred milliseconds. When the comparison is consistent, the terminal controls the display controller to officially present the corresponding screen and records a successful display event in the local log in a structured recording manner. The successful display event includes at least the publishing virtual channel identifier, terminal identifier, serial number, and timestamp, which is used to support subsequent traceability analysis.
[0037] The terminal processes messages with different serial numbers in ascending order. Messages with serial numbers less than the currently confirmed serial number are discarded. For repeated arrivals of the same serial number, image and text content and layout fingerprint token combinations are rendered and compared again using an idempotent strategy, thus saving terminal computing power and avoiding content rollback. Preferably, the layout fingerprint generation rule can be set to cover only key areas such as flight number, gate, departure time, and status, excluding background images and decorative graphics from layout fingerprint generation. This reduces the burden on rendering buffer parsing and feature calculation, allowing the additional time for layout fingerprint generation and comparison on terminals with limited hardware capabilities to be set to several tens of milliseconds. This enables the terminal-side reliability verification and screen display control to be completed without affecting the flight display refresh rate.
[0038] S6, the anomaly handling and tracing module, is used to control the terminal to display the rendering result when the comparison is consistent, and to switch the terminal to the secure template and report an anomaly record containing the virtual channel identifier and key branch information when the comparison is inconsistent. Specifically, it is implemented as follows: An anomaly handling and tracing module is deployed between the terminal and the central tracing node. On the terminal side, it determines the trustworthiness of the published virtual channel based on the fingerprint comparison result and the trustworthiness of the fingerprint token. If untrustworthy, it blocks the display of unreliable content and simultaneously feeds relevant information back to the central tracing node to support tracing analysis and key branch adjustment based on a hierarchical key graph. A fingerprint mismatch means that the local fingerprint generated by the terminal based on its own rendering buffer does not match the fingerprint carried in the fingerprint token. A fingerprint token being deemed untrustworthy means that the terminal fails to pass the verification of the authentication value and related fields based on the terminal key and the service domain key. If the terminal fails to obtain a trusted token within the set time window, or if the comparison result is inconsistent, it immediately terminates the display process of the current round of text and image content, discards all image data in the rendering buffer that has not yet been output to the screen, and switches to a locally pre-stored secure template. A safety template is a pre-made, unified informational interface that is presented when the displayed content is unreliable or its credibility cannot be determined. It preferably uses high-contrast color schemes and concise text prompts passengers to refer to on-site manual guidance. The switching process must be completed within the current refresh cycle to avoid situations such as black screens or flickering that affect passenger readability.
[0039] After implementing the aforementioned blocking action, the terminal constructs a traceability record. This record includes the published virtual channel identifier, terminal identifier, current sequence number, key branch information obtained from the hierarchical key graph, cause category, and diagnostic information related to the terminal's local rendering and verification process. The key branch information is a set of identifiers, validity periods, usage counts, and status flags corresponding to a specific service domain key or terminal key branch. The cause category is used to distinguish between authentication value verification failure, format fingerprint comparison failure, and token overdue confirmation. The traceability record is transmitted back to the central traceability node according to the control channel's transmission rules when the control channel is idle. Based on the returned traceability records and hierarchical key map, the central traceability node collects similar records in chronological order within a preset observation window, using the published virtual channel identifier as the aggregation key. If the number of failures of the same published virtual channel within the observation window exceeds a preset threshold, the corresponding business domain key branch is frozen or the published virtual channel is suspended. The freeze decision, configuration version number, and timestamp are written into the append-only storage medium to form an auditable chain of evidence. The append-only storage medium refers to a storage unit that supports sequential writing and cannot modify existing records, used to ensure the integrity and reliability of the chain of evidence.
[0040] Throughout the anomaly handling and tracing process, tracing records preferably contain only internal identification information such as terminal identifiers and published virtual channel identifiers, without carrying passenger personal information. Access and operations must be conducted within authorized security boundaries to comply with airport network security and privacy protection requirements. Preferably, the terminal can also maintain a short-term cache locally to store tracing records generated over several rounds, allowing events to accumulate even during brief interruptions in the connection between the terminal and the central tracing node. When fingerprint comparisons for multiple consecutive rounds are inconsistent, maintenance personnel can read this short-term cache offline using dedicated tools and compare it with the currently effective hierarchical keymap version and local rendering engine configuration, thereby reducing the processing load on the central tracing node in the event of sudden large-scale anomalies. Simultaneously, to avoid duplicate reporting of tracing records leading to event statistical bias, the module performs deduplication based on a combination of sequence number and timestamp, ensuring that even if the same anomaly event is submitted multiple times due to network jitter, the central tracing node can still accurately identify it as a valid event, thus guaranteeing the accuracy and effectiveness of tracing analysis.
[0041] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.
Claims
1. An airport quantum-safe remote information display and publishing system, characterized in that, include: S1, Quantum Security Key Management Module, is used to construct and publish virtual channels based on quantum keys, generate hierarchical key graphs, and allocate service domain keys and terminal keys; S2, Layout fingerprint generation module, is used to receive the content to be published and displayed, form a structured layout description including the layout area, field content and target terminal group, and calculate the layout fingerprint; S3, Security Token Generation Module, is used to sign the stencil fingerprint using a post-quantum cryptography algorithm, and calculate the authentication value by combining the business domain key in the hierarchical key graph to generate a stencil fingerprint token carrying a virtual channel identifier; S4, Dual-channel distribution module, is used to send graphic data to the terminal through the content publishing channel and to send layout fingerprint tokens to the terminal through the control channel; S5, Terminal Trusted Display Module, is used to verify the legality of the token based on the terminal key, render the screen according to the graphic data, extract the rendering result to form a local layout fingerprint, and compare it with the layout fingerprint in the token. S6, the anomaly handling and tracing module, is used to control the terminal to display the rendering result when the comparison is consistent, and to switch the terminal to the security template and report the anomaly record containing the virtual channel identifier and key branch information when the comparison is inconsistent.
2. The airport quantum-safe remote information display and publishing system according to claim 1, characterized in that, S1 includes: Based on the key block generated from the quantum-secure key source, a unique identifier is assigned to each published virtual channel, and the published virtual channel is bound to a single information source, a single terminal group, and a single service domain, respectively. The business domain key and terminal key are generated according to the key derivation rules, and the derivation relationship between the root key, business domain key and terminal key is recorded in a hierarchical key diagram. Each node in the hierarchical key graph contains a published virtual channel identifier, service domain identifier, terminal identifier, validity period, maximum number of uses, current number of uses, and status flag, and is stored in the key management library.
3. The airport quantum-safe remote information display and publishing system according to claim 2, characterized in that: When multiple requests are made to obtain the same version of the service domain key and terminal key within a preset time on the same published virtual channel, a sequence number is assigned to each request, and idempotent control is performed based on the combination of the published virtual channel identifier and the sequence number, and only one corresponding key branch record is retained in the hierarchical key graph. When the statistically obtained quantum secure key source supply rate is lower than the threshold, the key generation mode is switched from relying on the quantum key distribution device to relying on the negotiation node with quantum resistance to generate key blocks, and the old mode identifier, new mode identifier, switching time, and triggering reason are recorded in the key management library.
4. The airport quantum-safe remote information display and publishing system according to claim 1, characterized in that, S2 include: The pending content from the flight operation system, emergency information system, and commercial information system is merged into a queue according to the order of arrival; the latest record is retained for records with the same flight identifier and records with the same target terminal group identifier; and the format of flight number, destination, gate, time, and status fields is standardized in accordance with airport operation specifications. A structured layout description is generated based on the screen layout division information of the target terminal. The structured layout description includes the layout area number, screen coordinate position, area size, font number, color number, alignment method, key field text, and target terminal group identifier. A layout fingerprint is generated from the structured layout description according to predetermined rules, and the structured layout description and layout fingerprint are associated with the release virtual channel identifier and sequence number and stored in the release control buffer.
5. The airport quantum-safe remote information display and publishing system according to claim 1, characterized in that, S3 includes: Based on the published virtual channel identifier and service domain identifier, retrieve the service domain key and key branch information that are in a valid state from the hierarchical key graph, and generate the next key branch when the remaining number of uses of the service domain key is close to the upper limit; After obtaining the pattern fingerprint from the release control buffer, the source signature is generated from the pattern fingerprint using quantum-resistant cryptography, and the authentication value is calculated using the business domain key. The pattern fingerprint, source signature, authentication value, release virtual channel identifier, business domain identifier, validity period and sequence number are combined to form a pattern fingerprint token, which is then written into the control channel transmission queue. When a duplicate request is made on the same virtual channel and with the same sequence number, the registered token is returned according to the version locking policy, and the token digest and key branch information are recorded in the audit log for traceability.
6. The airport quantum-safe remote information display and publishing system according to claim 1, characterized in that, S4 includes: Extract the graphic content and corresponding layout fingerprint token from the release control buffer according to the release virtual channel identifier and terminal identifier, and send them through the content release channel and control channel respectively according to the terminal group to which the terminal belongs; On the content publishing channel side, the text and image content is encapsulated into message frames carrying terminal identifier, publishing virtual channel identifier and content number and sent through the transmission stack; On the control channel side, the fingerprint token is encapsulated into a control frame carrying a terminal identifier, a virtual channel identifier, and a status code, and sent through a logical path with quantum security hardening capabilities. When sending, the terminal identifier and sequence number are used as association fields to keep the message frame paired with the control frame; When a terminal fails to provide continuous feedback on control channel reception acknowledgments, the terminal is set to a control channel unavailable state, and the terminal identifier, virtual channel identifier, timestamp, and reason for unavailability are recorded.
7. The airport quantum-safe remote information display and publishing system according to claim 1, characterized in that, S5 include: While receiving the graphic content message frame carrying the terminal identifier, the publishing virtual channel identifier and the content number sent by the content publishing channel, the terminal also receives the format fingerprint token carrying the same terminal identifier and serial number from the control channel. The terminal verifies the authentication value in the token based on the preset terminal key, and checks the consistency between the format fingerprint and the virtual channel identifier, service domain identifier and validity period field in the token based on the quantum-resistant signature capability; After verification, the text and image content is drawn to the rendering buffer, and the layout area coordinates, area size, font number, color number and key field text are extracted from the rendering buffer to generate a local layout fingerprint. When the local layout fingerprint matches the layout fingerprint in the token within a limited time window, the display controller is controlled to output the screen and record the successful display event.
8. The airport quantum-safe remote information display and publishing system according to claim 7, characterized in that: The text and image content with different sequence numbers are processed in ascending order of sequence number. Messages with sequence numbers less than the current sequence number are discarded directly, and the confirmed rendering state is maintained when the same sequence number arrives again. When generating a local layout fingerprint, the terminal calculates feature values based only on the layout area corresponding to the flight number, gate, departure time, and status fields. After a match is found, a successful display event containing the virtual channel identifier, terminal identifier, serial number, and timestamp is recorded to reduce the parsing burden of the rendering buffer and ensure the credibility of the display results.
9. An airport quantum-safe remote information display and publishing system according to claim 1, characterized in that, S6 include: When the terminal determines that the published virtual channel is in an untrusted state based on the comparison results of the local fingerprint and the fingerprint token in the fingerprint token, and the trustworthiness verification results of the token based on the terminal key and the business domain key, the display of the current round of graphic content will be stopped and switched to a secure template. After the terminal generates a traceability record containing the published virtual channel identifier, terminal identifier, current sequence number, key branch information, cause category and diagnostic information, the traceability record is sent to the central traceability node through the control channel. The central tracing node aggregates events based on the tracing records and hierarchical key map according to the published virtual channel identifier. When the number of tracing records exceeds the threshold, the corresponding business domain key branch is frozen. When the suspension conditions are met, the corresponding published virtual channel is suspended. Records containing the freeze decision and configuration version number are written to the append-only storage medium to maintain the integrity of the evidence chain.