Method of performing authentication between network nodes

摘要

A method of authentication between first (QNodeX) and second (QNodeY) network nodes within a network suitable for implementing quantum cryptography comprises steps in which the first and second nodes each generate a cryptographic hash ([MXY]AI, [MYX]AJ) of a message ([MXY], [MYX]) using respective authentication keys (AI, AJ) shared with a third network node (QNodeW). The messages may be those exchanged between the first and second nodes during agreement of a quantum key to be used between the nodes. An authentication key to be shared by the first and second nodes may be established using the quantum key. The invention therefore allows an authentication key to be established and shared between the first and second network nodes without direct physical intervention. Networks having large numbers of network nodes may be re-keyed following replacement or maintenance of a network node much more quickly and easily than is the case where re-keying is achieved by physically supplying shared authentication keys.

主权项

1. A method of establishing a plurality of shared authentication keys within a network comprising first and second key management centres (KMCs) and a plurality of other network nodes, each of which shared authentication keys is to be shared by the first KMC and a respective network node, the method comprising the steps of:
(i) supplying the first and second KMCs with a shared authentication key; (ii) establishing a shared authentication key between the first KMC and a network node by performing authentication between the first KMC and the network node, the network node not being the second KMC, the first KMC and the network node each sharing a respective authentication key with the second KMC, and wherein
(a) each of the first KMC and the network node generates a respective message and encrypts the message using the authentication key shared with the second; KMC, wherein the first KMC and the network node directly exchange the encrypted messages and subsequently pass the exchanged encrypted messages to the second KMC;(b) at the second KMC, the message generated and encrypted at the first KMC is decrypted, re-encrypted using the authentication key shared by the network node and the second KMC, and passed to the network node for decryption; and(c) at the second KMC, the message generated and encrypted at the network node is decrypted, re-encrypted using the authentication key shared by the first and second KMCs, and passed to the first KMC for decryption; and (iii) repeating step (ii) for all other network nodes.