CN120582913B - Mail transmission method based on quantum local area network - Google Patents
- Publication number: CN120582913B (application CN202511091185.6A)
- Authority: CN (China)
- Prior art keywords: quantum, key, control station, centralized control
- Legal status: Active
- Landscape: Data Exchanges In Wide-Area Networks (AREA)

Abstract
The application discloses a mail transmission method based on a quantum local area network. The quantum local area network comprises a sending terminal, a first centralized control station, a second centralized control station and a cryptographic mail system, where the first centralized control station, the second centralized control station and the cryptographic mail system are in communication connection with the sending terminal. First, the sending terminal sends a first authentication key and the mail digest information of the target mail to be sent to the cryptographic mail system. Then the cryptographic mail system authenticates the sending terminal according to the first authentication key and a second authentication key prestored in the cryptographic mail system. If the authentication of the sending terminal passes, the cryptographic mail system determines a target terminal according to the mail digest information, the target terminal being in communication connection with the second centralized control station. Finally, the cryptographic mail system distributes the generated first quantum symmetric key according to the online state of the target terminal at the current moment, so as to encrypt and transmit the target mail. Because the first quantum symmetric key is distributed differently depending on the online state of the target terminal, transmission efficiency and resource utilization are improved.
    Description
Technical Field
      The application relates to the field of quantum encryption communication, in particular to a mail transmission method based on a quantum local area network.
    Background
      In the related art, mail can be encrypted with a quantum key, so that network attacks during transmission are prevented and the security of mail transmission is ensured. However, in the quantum-encrypted mail transmission scenario, related solutions usually need to encrypt and forward the mail through a server, so key management efficiency and data transmission efficiency are poor.
    Disclosure of Invention
      The application provides a mail transmission method based on a quantum local area network.
      An embodiment of the application provides a mail transmission method based on a quantum local area network, where the quantum local area network comprises a sending terminal, a first centralized control station, a second centralized control station and a cryptographic mail system, the first centralized control station, the second centralized control station and the cryptographic mail system being in communication connection with the sending terminal, and the method comprises the following steps:
       the sending terminal sends a first authentication key and the mail digest information of a target mail to be sent to the cryptographic mail system; 
       the cryptographic mail system authenticates the sending terminal according to the first authentication key and a second authentication key prestored in the cryptographic mail system; 
       if the authentication of the sending terminal passes, the cryptographic mail system determines a target terminal according to the mail digest information, the target terminal being in communication connection with the second centralized control station; 
       the cryptographic mail system distributes the generated first quantum symmetric key according to the online state of the target terminal at the current moment, so as to encrypt and transmit the target mail. 
      Thus, the sending terminal sends the first authentication key and the mail digest information of the target mail to the cryptographic mail system; the cryptographic mail system authenticates the sending terminal against the second authentication key prestored in it; if authentication passes, it determines the target terminal from the mail digest information, the target terminal being in communication connection with the second centralized control station; and finally it distributes the generated first quantum symmetric key according to the online state of the target terminal at the current moment, so as to encrypt and transmit the target mail. Because the cryptographic mail system performs the matching authentication locally with its own prestored second authentication key, redundant key exchanges in the authentication process are removed and identity authentication responds faster. Because target terminals are located through the mail digest information and associated with their respective second centralized control stations, the scenario in which one sending terminal sends quantum-encrypted mail to several target terminals is supported. And because the cryptographic mail system distributes the first quantum symmetric key differently according to the online state of the target terminal, the transmission efficiency and resource utilization of quantum-encrypted mail in a complex network environment are improved.
      In some embodiments, authenticating the sending terminal according to the first authentication key and the prestored second authentication key includes:
       if the second authentication key matches the first authentication key, the cryptographic mail system determines that the sending terminal passes authentication; 
       if the second authentication key does not match the first authentication key, the cryptographic mail system determines that authentication of the sending terminal fails. 
      In this way, the cryptographic mail system treats the sending terminal as authenticated only when the second authentication key matches the first authentication key, and as failed otherwise. The prestored second authentication key is compared locally with the first authentication key submitted by the sending terminal, so the round trip to an external quantum cryptography management service system used in conventional schemes is omitted, the delay and redundant traffic of cross-system communication are reduced, and authentication responds faster.
      In certain embodiments, the method further comprises:
       the cryptographic mail system terminates the mail transmission if authentication of the sending terminal fails. 
      Thus, if authentication of the sending terminal fails, the cryptographic mail system terminates the mail transmission at once, so that the subsequent key generation, key distribution and encrypted data transmission are not performed needlessly and resources are not occupied to no purpose.
      In some embodiments, distributing the generated first quantum symmetric key according to the online state of the target terminal at the current moment includes:
       if the target terminal is online at the current moment, the cryptographic mail system sends the first quantum key of the first quantum symmetric key to the first centralized control station over a quantum channel; 
       the cryptographic mail system sends the second quantum key of the first quantum symmetric key to the second centralized control station over the quantum channel. 
      In this way, when the target terminal is online at the current moment, the cryptographic mail system sends the first quantum key of the first quantum symmetric key to the first centralized control station and the second quantum key to the second centralized control station, both over the quantum channel. The first quantum key thus reaches the centralized control station associated with the sending terminal and the second quantum key the one associated with the target terminal, the quantum channel ensuring that the keys are neither eavesdropped nor tampered with during distribution; the mail is then processed with these quantum keys.
      In certain embodiments, the method further comprises:
       the first centralized control station encrypts the target mail with the received first quantum key to generate first encrypted information; 
       the first centralized control station sends the first encrypted information to the second centralized control station. 
      Thus, the first centralized control station encrypts the target mail with the received first quantum key to generate the first encrypted information and sends it to the second centralized control station. In this branch the cryptographic mail system never handles the target mail itself, so the risk of the target mail leaking inside the cryptographic mail system is avoided, and together with the security of the quantum key an end-to-end secure transmission link from the sending terminal to the receiving terminal is built. This end-to-end link also removes the delay of the intermediate hop and so improves encrypted transmission efficiency.
      In certain embodiments, the method further comprises:
       the second centralized control station decrypts the first encrypted information with the received second quantum key to recover the target mail; 
       the second centralized control station sends the target mail to the target terminal. 
      In this way, the second centralized control station decrypts the first encrypted information with the second quantum key, which matches the first quantum key, recovers the target mail and sends it to the target terminal. The target mail can only be recovered if the two keys match exactly, which ensures that the mail content is not tampered with in transmission.
      In some embodiments, distributing the generated first quantum symmetric key according to the online state of the target terminal at the current moment includes:
       if the target terminal is offline at the current moment, the cryptographic mail system sends the first quantum key of the first quantum symmetric key to the first centralized control station over a quantum channel. 
      In this way, when the target terminal is offline at the current moment, the cryptographic mail system sends only the first quantum key of the first quantum symmetric key to the first centralized control station over the quantum channel. No key is distributed towards the target terminal while it cannot respond, so quantum channel bandwidth and key resources are not wasted.
      In certain embodiments, the method further comprises:
       the first centralized control station encrypts the target mail with the received first quantum key to generate first encrypted information; 
       the first centralized control station sends the first encrypted information to the cryptographic mail system. 
      Thus, the first centralized control station encrypts the target mail with the received first quantum key to generate the first encrypted information and sends it to the cryptographic mail system. Since the target mail is encrypted with the first quantum key distributed over the quantum channel, the first encrypted information carries the security of quantum encryption.
      In certain embodiments, the method further comprises:
       the cryptographic mail system receives the first encrypted information; 
       the cryptographic mail system decrypts the first encrypted information with the second quantum key of the first quantum symmetric key, recovers the target mail and stores it. 
      Thus, the cryptographic mail system receives the first encrypted information, decrypts it with the second quantum key, and stores the recovered target mail as plaintext, which provides the basis for later re-encrypting and forwarding it under a new key.
      In certain embodiments, the method further comprises:
       the cryptographic mail system monitors the online state of the target terminal periodically, at intervals of a preset duration; 
       when the target terminal is found to be online, the cryptographic mail system generates a second quantum symmetric key; 
       the cryptographic mail system sends the third quantum key of the second quantum symmetric key to the second centralized control station; 
       the cryptographic mail system encrypts the target mail with the fourth quantum key of the second quantum symmetric key to generate second encrypted information; 
       the cryptographic mail system sends the second encrypted information to the second centralized control station. 
      Thus, the cryptographic mail system checks the online state of the target terminal at every preset interval. Once the target terminal is found to be online, it generates a second quantum symmetric key, sends the third quantum key of that key to the second centralized control station, encrypts the stored target mail with the fourth quantum key to generate the second encrypted information, and sends the second encrypted information to the second centralized control station. The key management cost of storing encrypted information for a long time is avoided, and the second encryption keeps the transmission of the target mail secure.
      In certain embodiments, the method further comprises:
       the second centralized control station receives the third quantum key sent by the cryptographic mail system; 
       the second centralized control station decrypts the second encrypted information with the third quantum key to recover the target mail; 
       the second centralized control station sends the target mail to the target terminal. 
      Thus, the second centralized control station receives the third quantum key from the cryptographic mail system, decrypts the second encrypted information with it to recover the target mail, and sends the target mail to the target terminal. The forwarding hop from the cryptographic mail system to the target terminal therefore remains under quantum-encryption protection, and the security of the whole link is maintained.
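The online and offline branches described in the embodiments above, as an added Python simulation that is not part of the patent: the online branch (first and second quantum key to the two centralized control stations, encryption at the first station, decryption at the second) and the offline branch (first quantum key only, decrypt-and-store at the cryptographic mail system, periodic online checks, re-encryption under a second quantum symmetric key whose third key goes to the second station and whose fourth key encrypts the stored mail). The patent does not specify the cipher, the QKD mechanism or the polling details, so these are assumptions of this example: QKD is modelled by handing both parties identical random bytes; "encrypt with the quantum key" is modelled as a one-time pad over the leading key bytes plus an HMAC-SHA256 tag keyed by the trailing key bytes, because a one-time pad alone would let a modified ciphertext decrypt to modified plaintext without detection; the online-state probe is a caller-supplied function of the polling tick; and all class and function names are invented here.

```python
# Added example, not code from the patent. QKD, the cipher and the online
# status probe are all modelled by assumption (see the lead-in).
import hashlib
import hmac
import secrets
from typing import Callable, Optional, Tuple

MAC_KEY_LEN = 32                          # trailing key bytes that key the tag
TAG_LEN = hashlib.sha256().digest_size    # 32-byte HMAC-SHA256 tag


def generate_quantum_symmetric_key(mail_len: int) -> Tuple[bytes, bytes]:
    """Stand-in for QKD: the two matching copies of one symmetric key, long
    enough to one-time-pad `mail_len` bytes and to key the integrity tag."""
    key = secrets.token_bytes(mail_len + MAC_KEY_LEN)
    return key, key  # (first quantum key, second quantum key)


def _split(key: bytes, body_len: int) -> Tuple[bytes, bytes]:
    """Leading bytes are the pad, the next MAC_KEY_LEN bytes key the tag."""
    if len(key) < body_len + MAC_KEY_LEN:
        raise ValueError("quantum key too short for this message")
    return key[:body_len], key[body_len:body_len + MAC_KEY_LEN]


def quantum_encrypt(key: bytes, mail: bytes) -> bytes:
    """One-time pad the mail, then HMAC the ciphertext (encrypt-then-MAC)."""
    pad, mac_key = _split(key, len(mail))
    body = bytes(m ^ p for m, p in zip(mail, pad))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def quantum_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before unpadding, so a non-matching key or a tampered
    ciphertext raises instead of silently yielding wrong mail."""
    if len(blob) < TAG_LEN:
        raise ValueError("ciphertext shorter than its tag")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    pad, mac_key = _split(key, len(body))
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: key mismatch or tampering")
    return bytes(b ^ p for b, p in zip(body, pad))


class CentralizedControlStation:
    """Access node that keeps the quantum key it received over the quantum
    channel and encrypts or decrypts mail with it."""
    def __init__(self) -> None:
        self.quantum_key: Optional[bytes] = None

    def receive_quantum_key(self, key: bytes) -> None:
        self.quantum_key = key

    def encrypt_mail(self, mail: bytes) -> bytes:
        return quantum_encrypt(self.quantum_key, mail)

    def decrypt_mail(self, blob: bytes) -> bytes:
        return quantum_decrypt(self.quantum_key, blob)


def transmit_mail(mail: bytes, first_station: CentralizedControlStation,
                  second_station: CentralizedControlStation,
                  target_online: Callable[[int], bool],
                  max_polls: int = 10) -> Tuple[str, Optional[bytes], int]:
    """Runs the branch the cryptographic mail system selects from the target's
    online state. target_online(tick) is the constructed status probe: tick 0
    is the moment of sending, ticks 1..max_polls are the periodic re-checks.
    Returns (branch, mail as recovered by the second station, tick)."""
    first_key, second_key = generate_quantum_symmetric_key(len(mail))
    first_station.receive_quantum_key(first_key)   # both branches start here
    if target_online(0):
        # Online branch: second key to the second station; the mail travels
        # station to station and never reaches the mail system in clear.
        second_station.receive_quantum_key(second_key)
        first_encrypted = first_station.encrypt_mail(mail)
        return "direct", second_station.decrypt_mail(first_encrypted), 0
    # Offline branch: the first station sends the encrypted mail to the mail
    # system, which decrypts it with the second key and stores the plaintext.
    first_encrypted = first_station.encrypt_mail(mail)
    stored_mail = quantum_decrypt(second_key, first_encrypted)
    for tick in range(1, max_polls + 1):           # periodic online monitoring
        if target_online(tick):
            third_key, fourth_key = generate_quantum_symmetric_key(len(stored_mail))
            second_station.receive_quantum_key(third_key)
            second_encrypted = quantum_encrypt(fourth_key, stored_mail)
            return "store_and_forward", second_station.decrypt_mail(second_encrypted), tick
    return "pending", None, max_polls              # still offline: mail stays stored
```

The probe is injected rather than implemented because the patent only says the system "sends a status inquiry request"; in a deployment it would be the heartbeat or link test the description mentions, and the polling interval would be the preset duration. The integrity tag is the one part that goes beyond the text: it is what makes "only a matching key recovers the mail" actually hold, since with a bare one-time pad a wrong key still produces output.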
      Additional aspects and advantages of embodiments of the application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of embodiments of the application.
    Drawings
      The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
       FIG. 1 is a schematic flow chart of a mail transmission method according to an embodiment of the present application; 
       FIG. 2 is a schematic diagram of a quantum local area network in accordance with an embodiment of the application; 
       FIG. 3 is a second flow chart of a mail transmission method according to an embodiment of the application; 
       FIG. 4 is a third flow chart of a mail transmission method according to an embodiment of the present application; 
       FIG. 5 is a flow chart of a mail transmission method according to an embodiment of the present application; 
       FIG. 6 is a fifth flow chart of a mail transmission method according to an embodiment of the present application; 
       FIG. 7 is a flowchart of a mail transmission method according to an embodiment of the present application; 
       FIG. 8 is a signaling diagram of a mail transmission method in which a target terminal is in an offline state according to an embodiment of the present application; 
       FIG. 9 is a flow chart of a mail transmission method according to an embodiment of the present application; 
       FIG. 10 is a flowchart of a mail transmission method according to an embodiment of the present application; 
       FIG. 11 is a flowchart of a mail transmission method according to an embodiment of the present application; 
       FIG. 12 is a schematic flow chart of a mail transmission method according to an embodiment of the present application; 
       FIG. 13 is a flowchart of an exemplary mail transmission method according to an embodiment of the present application; 
       FIG. 14 is a signaling diagram of a mail transmission method in which a target terminal is in an offline state according to an embodiment of the present application. 
    Detailed Description
      Embodiments of the present application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are exemplary only for explaining the embodiments of the present application and are not to be construed as limiting the embodiments of the present application.
      In current practical applications of quantum communication technology, mail content can be encrypted with quantum keys. Relying on underlying principles of quantum mechanics (such as the no-cloning of quantum states and the collapse of a quantum state upon measurement), a quantum key can resist network attacks during transmission: even if an eavesdropper tries to intercept or crack the key, the attempt is perceived in real time through the change in the quantum state, so the security of the mail on the transmission link is ensured.
      However, in the specific transmission scenario of quantum-encrypted mail, the authentication process of related schemes often relies on a quantum cryptography management service system for the whole operation: the authentication key sent by the terminal must be transmitted to the quantum cryptography management service system, which completes the authentication and returns the result to the cryptographic mail system, which then decides from that result whether authentication has passed. This cross-system round trip lengthens authentication time and, because the authentication key flows between several nodes, increases management complexity.
      In addition, the mail transmission flow of related schemes generally uses a terminal-server-terminal relay mode: the sending terminal first sends the mail to the cryptographic mail system, which then distributes it to the receiving terminal. Since the security of quantum encryption depends on key consistency over the full link, the whole transmission meets the quantum encryption standard only if each hop, from the sending terminal to the server and from the server to the receiving terminal, separately performs quantum key distribution and encryption. For example, the sending terminal must encrypt the mail with a first set of quantum keys and transmit it to the cryptographic mail system, and the cryptographic mail system, after receiving it, must re-encrypt it with a second set of quantum keys before forwarding it to the receiving terminal; if any hop does not use quantum encryption (or its keys do not match), the quantum security of the whole transmission link fails and degrades to the level of conventional encryption.
      Moreover, in related schemes the mail must be decrypted and re-encrypted at the server regardless of whether the receiving terminal is online. This increases the server's computing and storage load; in a group-sending scenario in particular, a key must be generated and the relay repeated independently for each group of receiving terminals, which markedly increases overall complexity and severely limits the practicality and adoption of quantum-encrypted mail.
      To address these problems, and referring to FIG. 1, an embodiment of the present application provides a mail transmission method based on a quantum local area network, where the quantum local area network includes a sending terminal and a first centralized control station, a second centralized control station and a cryptographic mail system that establish communication connections with the sending terminal, and the method includes:
       01, the sending terminal sends a first authentication key and the mail digest information of a target mail to be sent to the cryptographic mail system; 
       02, the cryptographic mail system authenticates the sending terminal according to the first authentication key and a second authentication key prestored in the cryptographic mail system; 
       03, if the sending terminal passes authentication, the cryptographic mail system determines a target terminal according to the mail digest information, the target terminal establishing a communication connection with a second centralized control station; 
       04, the cryptographic mail system distributes the generated first quantum symmetric key according to the online state of the target terminal at the current moment, so as to encrypt and transmit the target mail. 
      Specifically, the quantum local area network is a local communication network within a metropolitan area built on quantum communication technology. It comprises nodes such as the sending terminal, receiving terminals, centralized control stations, the cryptographic mail system and the target terminal; quantum key distribution is performed over a quantum channel, quantum-encrypted communication between network-access devices is supported, and secure information transmission within the area is ensured. FIG. 2 is a schematic diagram of such a quantum local area network.
      The sending terminal is the user device (such as a mobile phone or computer) that initiates the sending of mail. A quantum security chip (such as a SIM card or a U shield, i.e. a USB security key) must be inserted into it to store and retrieve the authentication key. It is the source of the target mail and is responsible for sending the authentication information and mail-related data to the cryptographic mail system.
      The first centralized control station is located in the quantum local area network and is directly associated with the sending terminal. It is equipped with a QKD device, can receive the quantum key sent by the key system and the mail data sent by the sending terminal, encrypts the mail data with the quantum key and then transmits it over a classical channel, and is the service node through which the sending terminal accesses the quantum network.
      The second centralized control station is located in the quantum local area network and is directly associated with the target terminal. It is likewise an access service station of the quantum local area network, is in communication connection with the target terminal, can receive the quantum key and the encrypted mail sent by the key system, decrypts the encrypted mail with the quantum key and forwards the result to the target terminal, is the node through which the target terminal accesses the quantum local area network, and is connected to the first centralized control station by a quantum channel such as optical fibre to support quantum-encrypted communication. Note that the first and second centralized control stations do not differ in function or structure; the names only distinguish which terminal each is associated with (the sending terminal and the target terminal respectively) and imply no primary/secondary relationship or priority.
      The cryptographic mail system integrates a quantum cryptography management service system and a cryptographic mail server, and the cryptographic mail server in turn integrates a quantum cryptography management subsystem. The cryptographic mail system receives the authentication key and performs matching authentication, determines the target terminal, generates and distributes quantum keys according to whether the terminal is online, and generally manages authentication, key management and transmission control for quantum-encrypted mail.
      The first authentication key is a key randomly selected by the sending terminal from the set of authentication keys reserved for the cryptographic mail service in its quantum security chip. It proves the legitimacy of the sending terminal to the cryptographic mail system and is the identity credential for initiating the sending of quantum-encrypted mail. Each authentication key in the quantum security chip carries a key identification that states its purpose.
      The second authentication key is a key prestored in the cryptographic mail system, specifically in the quantum cryptography management subsystem. That is, when the user enables the quantum cryptography function, a quantum security chip (such as a SIM card or U shield) is issued for the user's terminal device and an authentication key Ka dedicated to the quantum cryptography service is loaded into it. Ka is explicitly marked as belonging to the cryptographic service and is assigned a unique key identification. At the same time as the key is loaded, the corresponding key Ka' is stored in advance in the quantum cryptography management subsystem. With this configuration, the quantum security chip and the quantum cryptography management subsystem each hold one of a matched pair of symmetric keys, which is the basis of the subsequent authentication process. The cryptographic mail system completes authentication by comparing the second authentication key with the first authentication key, which establishes the legitimacy of the sending terminal's identity.
      The target mail is the mail content composed on the sending terminal that must be delivered to the recipient in quantum-encrypted form; it is the core data object of the encrypted transmission.
      The mail digest information contains the user information of the mail recipient (i.e. the target terminal) and is sent by the sending terminal to the cryptographic mail system after authentication succeeds. The cryptographic mail system uses it to determine the identity of the target terminal, so it is the key basis on which the cryptographic mail system determines the transmission path.
      The target terminal is the terminal device (such as a mobile phone or computer) used by the mail recipient, with a quantum security chip inserted, that establishes a communication connection with the second centralized control station; it is the receiving end of the target mail. The target terminal is located from the mail digest information, which includes its identity (e.g. terminal ID, owning user account, etc.) and through which the cryptographic mail system first identifies it.
      The target terminal may comprise several terminal devices, that is, the user may send the mail to several users through the sending terminal. If the target terminals are in communication connection with different centralized control stations, the cryptographic mail system must generate and distribute a corresponding quantum symmetric key separately for the centralized control station of each target terminal, and each centralized control station completes the encrypted transmission to its associated target terminal with the key it received, so that target terminals covered by different centralized control stations can all receive the mail securely.
      The online state of the target terminal is whether the target terminal is within the range in which the quantum local area network can establish a quantum-encrypted communication connection with it and can be addressed; from this the cryptographic mail system decides between direct transmission and store-and-forward transmission. In some embodiments, once the cryptographic mail system has received the mail digest information and the first authentication key and the authentication of the sending terminal has passed, it immediately sends a status inquiry (such as a heartbeat signal or a communication link test packet) towards the target terminal to check whether the second centralized control station maintains a normal communication connection with it, and thereby determines the online state of the target terminal.
      The first quantum symmetric key is a symmetric quantum key generated by the cryptographic mail system (specifically by the quantum cryptography management subsystem) for encrypting and transmitting the target mail; it protects the transmitted mail data.
Firstly, when the sending terminal initiates a mail sending request, a first authentication key is extracted from the authentication key set dedicated to the cryptographic mail service in the quantum security chip of the sending terminal and sent to the cryptographic mail system, which triggers the encrypted transmission flow.
Then, when the quantum cryptography management service system in the cryptographic mail system recognizes that the received quantum key is an authentication key dedicated to the cryptographic mail service, it hands the authentication operation directly to the quantum cryptography management subsystem in the cryptographic mail server. The quantum cryptography management subsystem then retrieves the second authentication key prestored in itself, compares it with the first authentication key sent by the sending terminal, and performs the identity authentication. The quantum cryptography management service system therefore does not have to complete the authentication and return the result to the cryptographic mail server, which improves key management efficiency and shortens the authentication time.
Next, after the sending terminal passes identity authentication, the cryptographic mail system locates the target terminal according to the mail digest information and identifies the second centralized control station in communication connection with it, which provides the basis for the subsequent planning of the transmission path.
Finally, the cryptographic mail system judges whether the target terminal is online at the current moment (that is, whether it is in a state in which the quantum local area network can establish a quantum-encrypted communication connection and it can be addressed) and distributes the generated first quantum symmetric key according to that online state so as to encrypt and transmit the target mail.
In summary, in the mail transmission method based on the quantum local area network provided by the embodiment of the application, the sending terminal sends the first authentication key and the mail digest information of the target mail to be sent to the cryptographic mail system. The cryptographic mail system then authenticates the sending terminal according to the first authentication key and the second authentication key prestored in itself. If the sending terminal passes authentication, the cryptographic mail system determines the target terminal according to the mail digest information, the target terminal being in communication connection with the second centralized control station. Finally, the cryptographic mail system distributes the generated first quantum symmetric key according to the online state of the target terminal at the current moment so as to encrypt and transmit the target mail. Because the cryptographic mail system performs the matching authentication locally against the second authentication key it has prestored, redundant key interactions in the authentication process are eliminated and the response speed of identity authentication is improved. Because the target terminals are located through the mail digest information and associated with their corresponding second centralized control stations, a quantum-encrypted mail transmission scenario with one sending terminal and several target terminals can be supported. In addition, the cryptographic mail system applies differentiated distribution of the first quantum symmetric key according to the online state of the target terminal, which improves the transmission efficiency and resource utilization of quantum-encrypted mail in a complex network environment.
Referring to fig. 3, in some embodiments, step 02 (authenticating the sending terminal according to the first authentication key and the second authentication key prestored in itself) includes:
 021, if the second authentication key matches the first authentication key, the cryptographic mail system determines that the authentication of the sending terminal passes;
 022, if the second authentication key does not match the first authentication key, the cryptographic mail system determines that the authentication of the sending terminal fails.
Specifically, after receiving the first authentication key, the cryptographic mail system compares the first authentication key against all of the second authentication keys it stores. If a second authentication key matches the first authentication key, the identity of the sending terminal is judged legitimate and the authentication passes. If no second authentication key matches the first authentication key, the identity of the sending terminal is judged not approved and the authentication fails. This ensures that only legitimate terminal devices can access the quantum local area network.
In this way, the cryptographic mail system determines that the sending terminal is authenticated when the second authentication key matches the first authentication key, and determines that its authentication fails when they do not match. The second authentication key prestored by the cryptographic mail system is thus used directly for local matching against the first authentication key submitted by the sending terminal; the round trip of interactive authentication with an external quantum cryptography management service system in the conventional scheme is omitted, the delay and redundant flows of cross-system communication are reduced, and the authentication response speed is improved.
Referring to fig. 4, in some embodiments, the method further comprises:
 05, terminating the mail transmission by the cryptographic mail system if the authentication of the sending terminal fails.
Specifically, authentication of the sending terminal may fail because the sending terminal has not been authorized to use the quantum cryptographic mail function, because a key in its quantum security chip has been tampered with or damaged, because the terminal device has been illegally imitated, and so on; any of these means the sending terminal may not hold legitimate authority for quantum cryptographic mail transmission. In such a case, as soon as the cryptographic mail system detects the key mismatch it interrupts all subsequent mail-transmission processing, including stopping analysis of the mail digest information, terminating generation and distribution of the quantum key, and refusing to receive or process mail data from the sending terminal. This blocks an unauthorized terminal from reaching the quantum-encrypted transmission link and prevents an illegitimate terminal from sending mail or stealing key resources under a forged identity.
Thus, the cryptographic mail system terminates the mail transmission when the authentication of the sending terminal fails. Because the process is stopped promptly on authentication failure, unnecessary subsequent key generation, distribution and encrypted data transmission are avoided, and the pointless occupation of resources is reduced.
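As an added illustration of steps 021, 022 and 05 (example code, not the patent's own implementation): the cryptographic mail system looks up the prestored second authentication key by the key identifier that travels with the first authentication key, compares the two in constant time, and stops before touching the mail digest on a mismatch. The key-identifier lookup, the class names and the returned status dictionary are assumptions of this example.

```python
from __future__ import annotations

import hmac


class QuantumCryptographyManagementSubsystem:
    """Holds the prestored second authentication keys, indexed by key identifier
    (constructed model; the identifier lookup is an assumption of this example)."""

    def __init__(self, prestored: dict[str, bytes]) -> None:
        self._second_keys = dict(prestored)

    def matches(self, key_id: str, first_key: bytes) -> bool:
        """Step 02: compare the submitted first key with the stored second key."""
        second_key = self._second_keys.get(key_id)
        if second_key is None:  # unknown identifier counts as a mismatch
            return False
        # constant-time compare, so response timing does not reveal matching prefixes
        return hmac.compare_digest(second_key, first_key)


class CryptoMailSystem:
    """Receives the first authentication key and the mail digest from the sender."""

    def __init__(self, subsystem: QuantumCryptographyManagementSubsystem) -> None:
        self.subsystem = subsystem
        self.log: list[str] = []

    def handle_send_request(self, key_id: str, first_key: bytes, digest: dict) -> dict:
        """Steps 021/022 decide; step 05 terminates before the digest is parsed."""
        if not self.subsystem.matches(key_id, first_key):
            self.log.append(f"authentication failed for {key_id}: transmission terminated")
            return {"status": "terminated"}  # no digest analysis, no key generation
        # step 03: only an authenticated sender's digest is used to locate the target
        return {"status": "authenticated", "target_terminal": digest["target_terminal"]}
```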
Referring to fig. 5, in some embodiments, step 04 (distributing the generated first quantum symmetric key according to the online state of the target terminal at the current moment) includes:
 041, if the target terminal is in an online state at the current moment, the cryptographic mail system sends a first quantum key of the first quantum symmetric key to the first centralized control station over a quantum channel;
 042, the cryptographic mail system sends a second quantum key of the first quantum symmetric key to the second centralized control station over the quantum channel.
Specifically, the quantum channel is a dedicated communication channel built on the principles of quantum mechanics for securely transmitting quantum keys. It resists eavesdropping (an eavesdropping attempt is perceived in real time because measuring a quantum state collapses it), ensures that the quantum key is neither eavesdropped upon nor tampered with during distribution, and thus provides the security foundation for the subsequent mail encryption.
The first quantum key is an encryption key generated by the cryptographic mail system and sent to the first centralized control station over the quantum channel; the first centralized control station uses it to encrypt the target mail, so that the sending terminal's mail data is encrypted with a quantum key before it enters the transmission link and the source is protected.
The second quantum key is sent by the cryptographic mail system to the second centralized control station over the quantum channel and is used by the second centralized control station to decrypt the received encrypted mail. The first quantum key and the second quantum key form a pair of symmetric keys.
When the cryptographic mail system has sent a status query request to the second centralized control station associated with the target terminal and link connectivity detection (such as a heartbeat response or a communication link test) confirms that the target terminal is currently online (that is, it maintains a normal communication connection with the second centralized control station and is within quantum channel coverage), the cryptographic mail system generates a pair of first quantum symmetric keys for the encrypted transmission of the mail. It then sends the first quantum key over the quantum channel specifically to the first centralized control station associated with the sending terminal, so that the sending side holds the key needed for encryption. At the same time, it sends the second quantum key over the quantum channel specifically to the second centralized control station associated with the target terminal, so that the receiving side holds the key needed for decryption.
In this way, when the target terminal is online at the current moment, the cryptographic mail system sends the first quantum key of the first quantum symmetric key to the first centralized control station over the quantum channel, and then sends the second quantum key of the first quantum symmetric key to the second centralized control station over the quantum channel. Distributing the first and second quantum keys over the quantum channel to the first centralized control station associated with the sending terminal and the second centralized control station associated with the target terminal ensures that the quantum key is neither eavesdropped upon nor tampered with during distribution, and the mail is subsequently processed with that quantum key.
Referring to fig. 6, the method further includes:
 043, the first centralized control station encrypts the target mail with the received first quantum key to generate first encrypted information;
 044, the first centralized control station sends the first encrypted information to the second centralized control station.
Specifically, the first encrypted information is the encrypted data produced when the first centralized control station encrypts the target mail with the first quantum key.
Once the cryptographic mail system has confirmed that the target terminal is online and the first centralized control station has received the first quantum key, the first centralized control station encrypts the target mail with the first quantum key and sends the encrypted mail to the second centralized control station over a classical network channel. Mail transmission in the online scenario is therefore protected by a quantum-grade key, and the server relay link is skipped, which improves efficiency.
Thus, the first centralized control station encrypts the target mail with the received first quantum key to generate the first encrypted information and then sends it to the second centralized control station. The cryptographic mail system never handles the target mail itself in this flow, so the risk of the target mail leaking inside the cryptographic mail system is avoided, and together with the non-decryptability of the quantum key an end-to-end secure transmission link from the sending terminal to the receiving terminal is built. That end-to-end link from the sending terminal to the target terminal also reduces intermediate delay, which improves encrypted transmission efficiency.
Referring to fig. 7, the method further includes:
 045, the second centralized control station decrypts the first encrypted information with the received second quantum key to generate the target mail;
 046, the second centralized control station sends the target mail to the target terminal.
Specifically, after receiving the second quantum key sent by the cryptographic mail system over the quantum channel and the first encrypted information sent by the first centralized control station over the classical network channel, the second centralized control station decrypts the first encrypted information with the second quantum key and restores the target mail. It then sends the decrypted target mail to the corresponding target terminal, completing the mail transmission. Quantum key synchronization between the centralized control stations is thus paired with data transmission over the classical channel to achieve secure decryption and direct delivery of quantum-encrypted mail to an online terminal, avoiding the delay and security risk that relaying the mail through a server could introduce.
In this way, the second centralized control station decrypts the first encrypted information with the received second quantum key to generate the target mail and then sends it to the target terminal. Since the second centralized control station decrypts with the second quantum key that pairs with the first quantum key, the target mail can be restored only if the keys match exactly, which ensures that the mail content was not tampered with in transmission.
      The mail transmission method in which the target terminal is in an offline state is described below with a complete example. Referring to fig. 8, fig. 8 is a signaling diagram of a mail transmission method in which a target terminal is offline. The sending terminal is a client A, the target terminal is a client B, the first centralized control station is a centralized control station A, and the second centralized control station is a centralized control station B.
First, in the identity authentication stage (client A → quantum cryptography management service system → cryptographic mail server), client A submits the authentication key Ka (which carries a key identifier indicating its identity) to the quantum cryptography management service system and at the same time sends the mail digest information directly to the cryptographic mail server. The quantum cryptography management service system recognizes from the key identifier that Ka is an authentication key and forwards it to the quantum cryptography management subsystem. Finally, the quantum cryptography management subsystem matches the received Ka against the stored key Ka'; if they match, authentication succeeds and the online state of client B is then determined.
Then, in the quantum key distribution and mail encryption stage (cryptographic mail server → centralized control stations A/B, centralized control station A → centralized control station B), with client B online, the cryptographic mail server sends the generated first quantum key K1 to centralized control station A over the quantum channel (dotted line) and the generated second quantum key K2 to centralized control station B. Centralized control station A then encrypts the original mail data with the received quantum key K1 to generate the first encrypted information, which is sent from centralized control station A to centralized control station B over the classical network. Centralized control station B decrypts the received encrypted information with the quantum key K2 to restore the target mail and finally forwards the decrypted target mail to client B.
Referring to fig. 9, in some embodiments, step 04 (distributing the generated first quantum symmetric key according to the online state of the target terminal at the current moment) includes:
 047, if the target terminal is in an offline state at the current moment, the cryptographic mail system sends the first quantum key of the first quantum symmetric key to the first centralized control station over the quantum channel.
Specifically, when the cryptographic mail system has sent a status query request to the second centralized control station associated with the target terminal and link connectivity detection (such as a heartbeat response or a communication link test) confirms that the target terminal is offline (that is, it is not connected to the quantum local area network or cannot respond to the communication request), the cryptographic mail system generates the first quantum symmetric key and distributes the first quantum key over the quantum channel to the first centralized control station associated with the sending terminal only.
In this way, when the target terminal is offline at the current moment, the cryptographic mail system sends the first quantum key of the first quantum symmetric key to the first centralized control station over the quantum channel. Distributing only the first quantum key, and only to the first centralized control station, avoids wasting quantum channel bandwidth and key resources while the target terminal cannot respond.
Referring to fig. 10, in some embodiments, the method further comprises:
 048, the first centralized control station encrypts the target mail with the received first quantum key to generate first encrypted information;
 049, the first centralized control station sends the first encrypted information to the cryptographic mail system.
Specifically, with the target terminal currently offline, the first centralized control station receives the first quantum key sent by the cryptographic mail system over the quantum channel. It then encrypts the target mail with the first quantum key to generate first encrypted information that cannot be read directly, so that the mail content cannot be recovered by unauthorized parties in transit. The generated first encrypted information is sent to the cryptographic mail system over the classical network channel, and the cryptographic mail system performs the subsequent processing according to the online state of the target terminal.
Thus, the first centralized control station encrypts the target mail with the received first quantum key to generate the first encrypted information and then sends it to the cryptographic mail system. Because the first centralized control station encrypts the target mail with a first quantum key distributed over the quantum channel, the generated first encrypted information enjoys the high security of quantum encryption.
Referring to fig. 11, in some embodiments, the method further comprises:
 050, the cryptographic mail system receives the first encrypted information;
 051, the cryptographic mail system decrypts the first encrypted information with the second quantum key of the first quantum symmetric key to generate the target mail, and stores the target mail.
Specifically, the cryptographic mail system receives the first encrypted information sent by the first centralized control station over the classical network channel. It then takes the second quantum key from the first quantum symmetric key it generated, decrypts the received first encrypted information with it, and restores the plaintext content of the target mail, ensuring the integrity and accuracy of the mail content. After decryption, the cryptographic mail system stores the plaintext of the target mail in a local secure storage area. In some embodiments, the cryptographic mail system protects the stored plaintext through its own local encryption mechanism (for example, storage encryption).
Quantum cryptography follows the one-time-pad principle: a key is used for a single transmission only and is never reused. The first encrypted information is the product of encryption with the first quantum key, and that key is valid only for the link from the sending terminal to the cryptographic mail system; once the target terminal later comes online, a new quantum symmetric key must be generated for the forwarding (rather than reusing the first quantum key) in order to satisfy the security requirement of quantum encryption.
Thus, the cryptographic mail system receives the first encrypted information, decrypts it with the second quantum key of the first quantum symmetric key to generate the target mail, and stores the target mail. Decrypting the first encrypted information with the second quantum key and storing the target mail as plaintext provides the basis for the subsequent re-encryption and forwarding under a new key.
Referring to fig. 12, in some embodiments, the method further comprises:
 052, the cryptographic mail system periodically monitors the online state of the target terminal at intervals of a preset duration;
 053, if the target terminal is in an online state, the cryptographic mail system generates a second quantum symmetric key;
 054, the cryptographic mail system sends a third quantum key of the second quantum symmetric key to the second centralized control station;
 055, the cryptographic mail system encrypts the target mail with a fourth quantum key of the second quantum symmetric key to generate second encrypted information;
 056, the cryptographic mail system sends the second encrypted information to the second centralized control station.
Specifically, the preset duration is a fixed time interval (such as 1 minute or 5 minutes) set by the cryptographic mail system that triggers the periodic check of the target terminal's online state. Controlling the monitoring frequency through the preset duration lets the system notice promptly when the target terminal comes online without letting overly frequent monitoring consume excessive system resources, balancing responsiveness against resource consumption.
Periodic monitoring is the online-state detection mechanism that the cryptographic mail system repeats at the preset duration, continuously obtaining the target terminal's connection state by sending query requests.
The second quantum symmetric key is a new pair of symmetric keys generated by the cryptographic mail system for the secondary encrypted forwarding of the mail after the target terminal is observed to be online; it comprises a third quantum key and a fourth quantum key. The third quantum key is the decryption part of the second quantum symmetric key; the cryptographic mail system sends it to the second centralized control station associated with the target terminal for decrypting the received second encrypted information. The fourth quantum key is the encryption part of the second quantum symmetric key; the cryptographic mail system retains it and uses it to encrypt the stored target mail, generating the second encrypted information.
The second encrypted information is the encrypted data produced when the cryptographic mail system encrypts the stored target mail with the fourth quantum key.
After storing the target mail, the cryptographic mail system begins monitoring the online state of the target terminal periodically at the preset fixed time interval: it sends a status query request to the second centralized control station associated with the target terminal and obtains the terminal connection state fed back by that station, until it observes that the target terminal has switched from offline to online, which triggers the subsequent flow.
Then, as soon as the cryptographic mail system confirms that the target terminal is online, it generates a new pair of quantum symmetric keys, the second quantum symmetric key.
Next, the cryptographic mail system sends the third quantum key of the second quantum symmetric key over the quantum channel specifically to the second centralized control station associated with the target terminal.
Then the cryptographic mail system retrieves the locally stored target mail (the previously decrypted and buffered plaintext mail) and encrypts it with the fourth quantum key of the second quantum symmetric key, generating second encrypted information that cannot be read directly.
Finally, the cryptographic mail system sends the generated second encrypted information to the second centralized control station over the classical network channel; the second centralized control station decrypts it with the received third quantum key and forwards the result to the target terminal.
Thus, the cryptographic mail system periodically monitors the online state of the target terminal at intervals of the preset duration; when it observes that the target terminal is online, it generates the second quantum symmetric key, sends the third quantum key of that key to the second centralized control station, encrypts the target mail with the fourth quantum key to generate the second encrypted information, and finally sends the second encrypted information to the second centralized control station. This avoids the key management cost of storing encrypted information long term, and the secondary encryption ensures the security of the target mail's transmission.
Referring to fig. 13, in some embodiments, the method further comprises:
 058, the second centralized control station receives the third quantum key sent by the cryptographic mail system;
 059, the second centralized control station decrypts the second encrypted information with the third quantum key to generate the target mail;
 060, the second centralized control station sends the target mail to the target terminal.
Specifically, the second centralized control station receives the third quantum key sent by the cryptographic mail system over the quantum channel. It then receives the second encrypted information sent by the cryptographic mail system over the classical network channel, decrypts the received second encrypted information with the matching third quantum key, and restores the plaintext content of the target mail. Finally, after decryption, the second centralized control station sends the target mail in plaintext form to the now-online target terminal over a secure link within the quantum local area network.
Thus, the second centralized control station receives the third quantum key sent by the cryptographic mail system, decrypts the second encrypted information with it to generate the target mail, and sends the target mail to the target terminal. The secondary forwarding link from the cryptographic mail system to the target terminal therefore remains under quantum encryption protection, and the high security of the full link is preserved.
      The mail transmission method in which the target terminal is in an offline state is described below with a complete example. Referring to fig. 14, which is a signaling diagram of a mail transmission method in which the target terminal is offline: the sending terminal is client A, the target terminal is client C, the first centralized control station is centralized control station A, and the second centralized control station is centralized control station C.
      First, in the identity authentication stage (client A → quantum password management service system → password mail server), client A submits an authentication key Ka (which carries a key identifier that identifies its identity) to the quantum password management service system and at the same time sends the mail digest information directly to the password mail server. The quantum password management service system recognizes from the key identifier that Ka is an authentication key and forwards it to the quantum cryptography management subsystem. Finally, the quantum cryptography management subsystem matches the received Ka against the stored key Ka'; if they match, authentication succeeds and the online state of client C is then determined.
      In the offline processing stage (password mail server → centralized control station A, centralized control station A → password mail server), when client C is judged to be offline, the password mail server transmits the generated first quantum key K1 to centralized control station A through a quantum channel (dotted line in fig. 14). Centralized control station A encrypts the original mail data with the received quantum key K1 to generate the first encrypted information, and sends the encrypted mail to the password mail server. The password mail server then decrypts the mail with the generated quantum key K2, restores the mail, and stores it.
      Finally, in the online resend stage (password mail server: online detection and secondary encryption resend), the password mail server continuously monitors the online state of client C, and when client C is judged to be online, the online resend process is started. The password mail server generates a third quantum key K3 and a fourth quantum key K4, and sends the third quantum key K3 to centralized control station C through a quantum channel. The password mail server re-encrypts the temporarily stored target mail with the third quantum key K3 to generate the second encrypted information, and sends the second encrypted information to centralized control station C over the classical network. Centralized control station C decrypts the second encrypted information with the fourth quantum key K4 to obtain the target mail, and forwards the target mail to client C.
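The offline path above (authentication of client A, storage after decryption with K2, then re-encryption with K3 and decryption with K4 once client C comes online) as an added Python simulation; this is not code from the patent. It assumes each key pair K1/K2 and K3/K4 is identical key material at both ends, as QKD delivers, models the quantum and classical channels as in-process calls, uses a one-time pad as the symmetric cipher the patent leaves unspecified, and uses a constructed placeholder for the pre-stored Ka'.

```python
import hmac
import secrets

# Constructed store of the quantum cryptography management subsystem:
# key identifier -> pre-stored authentication key Ka' (placeholder value).
AUTH_STORE = {"client-A": bytes.fromhex("00112233445566778899aabbccddeeff")}

def authenticate(key_id: str, ka: bytes) -> bool:
    """Match the submitted Ka against the stored Ka' in constant time."""
    expected = AUTH_STORE.get(key_id)
    return expected is not None and hmac.compare_digest(expected, ka)

def quantum_key_pair(length: int):
    """Model of QKD (assumption): both ends obtain identical key material (K1/K2, K3/K4)."""
    k = secrets.token_bytes(length)
    return k, k

def otp(key: bytes, data: bytes) -> bytes:
    """One-time-pad use of quantum key material (assumed cipher); a key is used once."""
    if len(key) < len(data):
        raise ValueError("quantum key shorter than message")
    return bytes(k ^ d for k, d in zip(key, data))

class PasswordMailServer:
    def __init__(self) -> None:
        self.online = set()    # recipients currently detected online
        self.stored = {}       # temporarily stored target mail, keyed by recipient

    def offline_processing(self, sender: str, ka: bytes, recipient: str, mail: bytes) -> str:
        """Identity authentication followed by the offline path of fig. 14."""
        if not authenticate(sender, ka):
            return "auth-failed"
        if recipient in self.online:
            return "online-path"                  # direct distribution, not simulated here
        k1, k2 = quantum_key_pair(len(mail))      # K1 to control station A over the quantum channel
        first_encrypted = otp(k1, mail)           # control station A encrypts with K1
        self.stored[recipient] = otp(k2, first_encrypted)   # server decrypts with K2 and stores
        return "stored-offline"

    def online_resend(self, recipient: str):
        """Online resend: server re-encrypts with K3, control station C decrypts with K4."""
        if recipient not in self.online or recipient not in self.stored:
            return None
        mail = self.stored.pop(recipient)
        k3, k4 = quantum_key_pair(len(mail))      # K3/K4 distributed over the quantum channel
        second_encrypted = otp(k3, mail)          # sent to control station C over the classical network
        return otp(k4, second_encrypted)          # control station C decrypts and forwards to client C
```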
      The present application also provides a computer-readable storage medium containing a computer program. The computer programs, when executed by one or more processors, cause the one or more processors to perform the methods of the present application.
      It is understood that the computer program comprises computer program code. The computer program code may be in the form of source code, object code, executable files, or some intermediate form, among others. The computer-readable storage medium may include any entity or device capable of carrying computer program code, a recording medium, a USB flash disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), a software distribution medium, and so forth.
      In the description of the present specification, reference to the terms "specifically," "further," "particularly," "understandably," and the like means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In the present specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification, and the features of the different embodiments or examples, may be combined by those skilled in the art provided they do not contradict one another.
      Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and further implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.
      While embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the application, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the application.
    Claims (11)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN202511091185.6A CN120582913B (en) | 2025-08-05 | 2025-08-05 | Mail transmission method based on quantum local area network | 
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN202511091185.6A CN120582913B (en) | 2025-08-05 | 2025-08-05 | Mail transmission method based on quantum local area network | 
Publications (2)
| Publication Number | Publication Date | 
|---|---|
| CN120582913A CN120582913A (en) | 2025-09-02 | 
| CN120582913B true CN120582913B (en) | 2025-10-03 | 
Family
ID=96860450
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date | 
|---|---|---|---|
| CN202511091185.6A Active CN120582913B (en) | 2025-08-05 | 2025-08-05 | Mail transmission method based on quantum local area network | 
Country Status (1)
| Country | Link | 
|---|---|
| CN (1) | CN120582913B (en) | 
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN113346995A (en) * | 2021-06-24 | 2021-09-03 | 中电信量子科技有限公司 | Quantum security key-based method and system for preventing mail from being tampered in transmission process | 
| CN113452687A (en) * | 2021-06-24 | 2021-09-28 | 中电信量子科技有限公司 | Method and system for encrypting sent mail based on quantum security key | 
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| JP2006287682A (en) * | 2005-04-01 | 2006-10-19 | Nec Corp | E-mail distribution control method, system and computer program | 
| CN114205084B (en) * | 2022-02-16 | 2022-05-17 | 国网浙江省电力有限公司金华供电公司 | Quantum key-based electronic mail multi-operation encryption method and device | 
| CN118590250A (en) * | 2023-03-03 | 2024-09-03 | 中国移动通信有限公司研究院 | A communication method, terminal, device and medium | 
| CN116527259B (en) * | 2023-07-03 | 2023-09-19 | 中电信量子科技有限公司 | Cross-domain identity authentication method and system based on quantum key distribution network | 
| CN118660273B (en) * | 2024-08-15 | 2024-10-18 | 中电信量子信息科技集团有限公司 | Establishment method, communication method, first intercom terminal, server and intercom group | 
| CN120017376A (en) * | 2025-02-17 | 2025-05-16 | 中国电信股份有限公司技术创新中心 | Email encryption method and related equipment based on quantum key distribution | 
Also Published As
| Publication number | Publication date | 
|---|---|
| CN120582913A (en) | 2025-09-02 | 
Legal Events
| Date | Code | Title | Description | 
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |