CN101325804B - Method, device and system for acquiring cryptographic key - Google Patents

Method, device and system for acquiring cryptographic key

Info

Publication number: CN101325804B (application number CN2007101451465A)
Authority: CN (China)
Prior art keywords: authenticator, key information, migration, network equipment, information
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN101325804A
Inventors: 梁文亮, 吴建军
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN2007101451465A (CN101325804B)
Priority to PCT/CN2008/071254 (WO2008151569A1)
Publication of CN101325804A
Application granted
Publication of CN101325804B


Abstract

The invention provides a method, device and system for acquiring a key, used to obtain key information for a network device that needs it after an authenticator has migrated. After receiving indication information indicating that the authenticator has migrated, the network device that needs the key information sends a key request to the post-migration authenticator and receives the key information returned by that authenticator. The invention thus ensures that a network device which needs a mobile subscriber's key information can obtain the corresponding key information after the authenticator migrates, so that the subsequent communication process proceeds smoothly, effectively improving the communication performance of the wireless communication system.

Description

Method, device and system for acquiring a key
Technical field
The present invention relates to the field of network communication technology, and in particular to an implementation for acquiring a key when an authenticator migration occurs.
Background art
With the rapid development of Internet services and the wide use of wireless networks, wireless systems place higher requirements on the security of mobile subscribers. Besides device authentication, subscriber authentication and service authorization, a secure channel must be established between the wireless user and the AP (access point) or BS (base station) for exchanging security information, and secure channels must likewise be established between the BS and the Authenticator, and between the authenticator and the authentication server, for exchanging security information.
In a wireless network, a mobile subscriber initiates authentication towards an authenticator such as a NAS (network access server). After authentication succeeds, the mobile subscriber's FA (foreign agent) obtains the corresponding key information by communicating with the NAS, for use in the subsequent communication process.
After a re-authentication of the mobile subscriber MS, the FA obtains the key through the procedure shown in Figure 1, which comprises the following steps:
Step 1: the MS successfully authenticates for access through NAS1. Specifically, NAS1 may initiate the authentication procedure towards the AAA server, complete the authentication operation, and determine that the MS has passed authentication.
Step 2: when the FA needs the MN-FA key or the FA-HA key, it sends a request to NAS1 to obtain the corresponding MN-FA key or FA-HA key.
Step 3: the MS re-authenticates through NAS1. As with the initial authentication, NAS1 may initiate the re-authentication operation towards the AAA server and complete the re-authentication.
Step 4: the MS sends a MIP-RRQ (MIP registration request) message to the FA carrying an authentication extension computed with the new key. The SPI (Security Parameter Index) in it is computed from the FA-RK generated after re-authentication, or may be produced in other ways.
Step 5: after the FA receives the registration message, it compares the SPI carried in the MIP-RRQ message, determines that the SPI has changed, i.e. that re-authentication has occurred, and requests the updated key information from NAS1. Because re-authentication took place in step 3, the key information on NAS1 and on the MS has been updated, but the FA knows neither that re-authentication occurred nor the updated key information, so the FA must request the updated key information from NAS1.
Step 6: having obtained the key, the FA continues processing the MIP-RRQ message and completes the subsequent processing.
Note that in the above procedure, whether or not re-authentication has occurred, as long as the FA has migrated it likewise executes step 5 after receiving the MIP-RRQ message, requesting the key from NAS1 so as to obtain the current key for the subsequent processing.
In the course of implementing the present invention, the inventors found at least the following problem in the prior art:
In the above procedure, if a NAS migration also occurs during the re-authentication of the MS, the FA cannot obtain the key information from the post-migration NAS, and consequently the FA cannot process the MIP-RRQ messages it receives after the NAS migration.
Summary of the invention
Embodiments of the invention provide a method, device and system for acquiring a key, so that when an authenticator migration occurs, a network device that needs key information can still be guaranteed to obtain the corresponding key information and the subsequent communication process can proceed smoothly.
An embodiment of the invention provides a method of acquiring a key, comprising:
a network device that needs key information receives indication information indicating that an authenticator migration has occurred, and receives the key information sent by the authenticator, thereby obtaining the key information of the corresponding terminal.
The invention also provides a method of acquiring a key, comprising:
after a network device that needs key information receives indication information indicating that re-authentication has occurred, it receives the key information of the corresponding terminal sent by the authenticator.
An embodiment of the invention provides a network device, comprising:
an authenticator migration determining unit, for determining, according to received indication information indicating that an authenticator migration has occurred, that the authenticator of the corresponding terminal has migrated;
a key request acquiring unit, for receiving the key information sent by the authenticator after the authenticator migration determining unit has determined that the terminal's authenticator has migrated, thereby obtaining the key information corresponding to the terminal.
An embodiment of the invention provides a system for acquiring a key, comprising an authenticator and a network device that needs key information, wherein:
the authenticator receives the key request sent by the network device that needs key information, and sends the key information it generated for the corresponding terminal to that network device;
the network device that needs key information receives the indication information indicating that an authenticator migration has occurred, and receives the key information sent by the authenticator.
An embodiment of the invention also provides a system for acquiring a key, comprising an authenticator and a network device that needs key information, wherein:
the authenticator sends the key information it generated for the corresponding terminal to the network device that needs key information;
the network device that needs key information, after receiving indication information indicating that re-authentication has occurred, receives the key information of the corresponding terminal sent by the authenticator.
As can be seen from the technical solution of the embodiments described above, after an authenticator migrates, a network device that needs key information is guaranteed to obtain the corresponding key information so that the subsequent communication process proceeds smoothly. The embodiments of the invention therefore effectively improve the communication performance of a wireless communication system.
Description of drawings
Fig. 1 is a schematic diagram of the process by which the FA obtains key information in the prior art;
Fig. 2 is a first schematic diagram of the process by which the FA obtains key information in an embodiment of the invention;
Fig. 3 is a second schematic diagram of the process by which the FA obtains key information in an embodiment of the invention;
Fig. 4 is a third schematic diagram of the process by which the FA obtains key information in an embodiment of the invention;
Fig. 5 is a schematic diagram of the state machine of the process by which the FA obtains key information in an embodiment of the invention;
Fig. 6 is a schematic diagram of the complete processing procedure of an embodiment of the invention;
Fig. 7 is a schematic structural diagram of the system provided by an embodiment of the invention.
Embodiments
The embodiments of the invention serve to obtain key information for a network device that needs it after the terminal's authenticator has migrated: after the network device that needs key information receives indication information indicating that an authenticator migration has occurred, it determines that the authenticator of the corresponding terminal has migrated, sends a key request to the post-migration authenticator, receives the key information returned by that authenticator, and thereby obtains the key information corresponding to the terminal.
In the embodiments, the network device that needs key information includes, but is not limited to, an FA (foreign agent), a BS (base station) or a GW (gateway), and the key information includes, but is not limited to, at least one of a key, an SPI (Security Parameter Index) and a lifetime.
In implementation, the indication information indicating that an authenticator migration has occurred may be sent to the network device that needs key information by the post-migration authenticator, by the original authenticator (the authenticator before migration), by the terminal, by the HA (home agent), or by a device such as an AAA (authentication, authorization, accounting) server, so that the network device learns of the indication. Optionally, the post-migration authenticator, the original authenticator, the terminal, the HA, the AAA server or similar may also send the address of the post-migration authenticator to the network device that needs key information. If that address is sent by the original authenticator, the original authenticator also maintains the correspondence between the terminal and the address of the post-migration authenticator, optionally with a lifetime set for this correspondence, so that after a predetermined period the stored correspondence can be deleted and the storage and management resources it occupies released.
If the indication information is sent to the network device by the terminal, the terminal must first determine that an authenticator migration has occurred. The terminal may do so as follows: during authentication, the authenticator sends its own identifying information to the terminal; the terminal can then determine whether the authenticator has migrated by comparing the identifying information of the current authenticator with the identifying information of the authenticator received previously. For example, the identifying information may comprise the authenticator's address and/or the authenticator's hop count to the gateway.
After the post-migration authenticator generates the key information for the terminal, it may proactively send that key information to the network device that needs it; alternatively, the post-migration authenticator may send the generated key information to the original authenticator, which then sends it to the network device that needs key information.
If the network device that needs key information obtains it through the procedure above, then optionally, after determining that the terminal's authenticator has migrated, the network device may also check whether it has already received the key information sent by the post-migration authenticator; only if it determines that it has not obtained the key information generated by the post-migration authenticator does it obtain that key information by sending a key request to the post-migration authenticator.
In a specific implementation, before sending a key request to the post-migration authenticator, the network device that needs key information may also obtain the address of the post-migration authenticator, so that it knows where to send the key request message. The address may be obtained either by requesting it from the original authenticator before the migration, or by receiving it when the post-migration authenticator or the original authenticator proactively sends it.
During an authenticator migration, if the network device that needs key information (FA, BS, GW, etc.) also migrates, the post-migration authenticator may first send the key information to the pre-migration network device, which then sends it to the post-migration network device. Alternatively, the pre-migration network device may send the post-migration authenticator an indication that the network device has migrated, or information such as the address of the post-migration network device; or the post-migration network device may itself send the post-migration authenticator that migration indication or its own address; in either case the post-migration authenticator then sends the key information to the post-migration network device.
Taking the FA as the example of a network device that needs key information, the key acquisition procedure is described below for three different cases:
(1) The FA finished migrating before the NAS, and the new FA has obtained the address of the original authenticator.
In this case the post-migration new FA is treated as the terminal's current FA, and applying the procedure described above guarantees that the network device that needs key information obtains the corresponding key information.
(2) The NAS finished migrating before the FA, and the original FA has obtained the address of the new NAS.
In this case the post-migration new FA can obtain the new NAS address during its migration, which makes it easy for the network device that needs key information to obtain the corresponding key information. For example, the post-migration FA sends an FA-migration indication or the address of the post-migration FA to the new NAS, or the original FA sends the FA-migration indication or information such as the new FA's address to the new NAS; the new NAS then sends the key information to the post-migration FA.
(3) The original NAS performs a NAS migration while the FA migration is in progress.
In this case the new FA must request the key from the original NAS, and the process by which the original NAS delivers the key information to the new FA may include the following:
If the original NAS, when informing the new FA that a NAS migration is in progress, also tells the new FA the address of the new NAS, the new FA sends a key request to the new NAS. If re-authentication has finished, the new NAS replies with the new key information; otherwise it replies with an instruction telling the new FA to wait, or sends the new key information to the new FA once re-authentication has completed.
If the original NAS only notifies the new FA that the current NAS is migrating, without giving the address of the new NAS after migration, the new FA may ask the original NAS for the address of the new NAS (or the post-migration authenticator may first send the key information to the original FA, which then sends it to the post-migration FA), or wait for the new NAS to proactively send the new key.
In the embodiments, before determining whether the terminal's authenticator has migrated, the network device that needs key information also needs to determine whether the terminal has re-authenticated, so that only when re-authentication is determined does it go on to determine whether the terminal's authenticator has migrated, and then use the embodiment to solve the key acquisition problem in the case of an authenticator migration. The network device may determine whether the terminal has re-authenticated as follows: the network device stores the SPI (Security Parameter Index) between the terminal and the home agent; if the SPI in a registration request received from the terminal or another device differs from the stored SPI between the terminal and the home agent, re-authentication of the terminal is determined, otherwise it is determined that no re-authentication has occurred. Alternatively, the network device may determine whether the terminal has re-authenticated from an explicit re-authentication indication in a received message, or from implicit re-authentication indication information.
Taking the FA as the network device that needs key information, the key information the FA needs may be MIP key information. The embodiments in particular solve the problem that, during a MIP key update, the FA cannot obtain the MIP key because of a NAS migration, and they reduce race-condition scenarios and the time needed to obtain the key, providing an implementation by which the FA obtains a valid MIP key; the MIP key may include the MN-FA key and the FA-HA key. Note that the embodiments are not limited to this concrete application example.
Re-authentication of the terminal may be accompanied by an authenticator migration, or may be performed directly on the original authenticator. When the authenticator migrates, the FA must be told the address information of the new authenticator so that it can subsequently request key information. FA migration and authenticator migration are independent of each other: they may occur simultaneously or not.
The specific implementation of the embodiments is described below using an application scenario in which the NAS acting as authenticator migrates and the key information the FA needs includes the MN-FA key. In this scenario the processing procedure, shown in Fig. 2, Fig. 3 and Fig. 4, comprises the following steps:
Step 1: the MS successfully authenticates for access through NAS1.
Step 2: when the FA needs the MN-FA key, it sends a request to NAS1, for example a context request, to obtain the corresponding key.
Step 3: re-authentication of the MS takes place through NAS2, i.e. a NAS migration has occurred. During this re-authentication the key information on NAS2 and on the MS is updated, but the FA is unaware both that the re-authentication event occurred and of the updated key information.
Step 4: after re-authentication, the MS, the HA (home agent) or a similar device (only the MS is drawn in the figures) sends a MIP-RRQ message to the FA carrying an authentication extension computed with the new key. The SPI in the message is computed from the FA-RK generated after re-authentication, or the message may carry other indication information from which re-authentication can be determined.
Step 5: after receiving the message, the FA compares the SPI carried in the MIP-RRQ with the locally maintained SPI. If the SPI has changed (re-authentication is determined), or if re-authentication is confirmed from the indication information, the FA obtains the updated key information, for example again by sending a context request, this time to NAS2.
In this step, if the FA has migrated, then once the FA has obtained the original NAS address the new FA is in the same state: it knows the original NAS address and needs to obtain the MIP key information.
The procedure by which the updated key is requested from the NAS may take, but is not limited to, the three forms shown in Fig. 2, Fig. 3 and Fig. 4:
(1) As shown in Fig. 2, during the migration to NAS2 the message by which NAS2 notifies the FA has not yet reached the FA. The FA therefore requests key update information from NAS1, and NAS1 returns to it a NAS-migration indication and/or the new NAS address (the NAS2 address). The FA then sends a key request message to NAS2 to obtain the corresponding MIP key information.
(2) As shown in Fig. 3, during the migration to NAS2 the message by which NAS2 notifies the FA has not yet reached the FA. The FA requests key update information from NAS1, and NAS1 returns a NAS-migration indication and/or the new NAS address (the NAS2 address). Before the FA sends its key request to NAS2, the NAS2 migration notification reaches the FA. If that message carries the updated key and context information, the FA sends no key request; otherwise the FA still sends a key request to NAS2 to obtain the corresponding MIP key information.
(3) As shown in Fig. 4, during the migration to NAS2 the message by which NAS2 notifies the FA has already reached the FA. If that message carries the updated key and context information, the FA sends no key request to NAS2; otherwise the FA sends a key request to NAS2 to obtain the corresponding MIP key information.
Note that if the FA has also migrated and the NAS2 update message was sent to the original FA, the original FA must forward the update message to the new FA so that the new FA can still easily obtain the corresponding MIP key information; alternatively, the original FA returns an FA-migration indication or the address of the new FA to NAS2, and NAS2 then sends the key information to the new FA.
Through steps 1 to 5 above, once the FA has obtained the updated key information it can continue processing the MIP-RRQ message.
Since in the scenario above the MIP-RRQ message carries only information about re-authentication, the embodiments also provide another specific scheme, in which the MIP-RRQ message additionally carries indication information on whether the NAS has migrated. The corresponding procedure, shown in Fig. 5, may include the following:
Step 1: initial authentication. During the EAP procedure, NAS1 sends its own address, or the NAS hop count to the serving GW (gateway), to the MS, which records it.
Step 2: re-authentication. The MS again obtains the NAS1 address or the NAS hop count to the serving GW and compares it with the address or hop count recorded earlier (the information recorded in step 1); finding them identical, it concludes that the NAS has not migrated.
Step 3: the MS sends a MIP-RRQ carrying indication information meaning that re-authentication occurred but no NAS migration took place. The indication may be a different SPI algorithm or a separate extension header.
In a specific implementation, an odd SPI may indicate that the NAS has migrated and an even SPI the opposite, i.e. that the NAS has not migrated. With the extension-header approach, the extension header may directly include a type field representing the NAS's migration state, or may directly include the address information of the current NAS.
Step 4: re-authentication. The MS obtains the NAS2 address or the NAS hop count to the serving GW, compares it with the previously recorded address or hop count (the information recorded in step 1), finds a difference, and concludes that the NAS has migrated.
Step 5: the MS sends a MIP-RRQ carrying indication information meaning that the MS re-authenticated and that a NAS migration accompanied the re-authentication.
Based on this procedure, the processing the FA adopts after receiving the corresponding MIP-RRQ message is as follows:
(1) If the received MIP-RRQ message does not carry a NAS address, the FA acts on the indication information in the message: if no re-authentication occurred, it continues processing; if re-authentication occurred without a NAS migration, it requests the key from the original NAS; if re-authentication occurred together with a NAS migration, it waits for the new NAS to proactively send an announcement. If the announcement sent by the new NAS does not carry the key information the FA needs, the FA requests the corresponding key information from the new NAS, or alternatively requests the new NAS information or the updated key information from the original NAS.
(2) If the received MIP-RRQ message directly carries the NAS address, the FA can directly request the key information from the indicated NAS.
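The following is an added example, not code from the patent or from Huawei, that models the MS-side migration check and the FA-side dispatch just described: the MS records the NAS identifying information (address and hop count to the GW) received during EAP and compares it at re-authentication, then encodes the result in the MIP-RRQ either through SPI parity (odd = NAS migrated) or through an extension header carrying the migration state and current NAS address; the FA then follows cases (1) and (2). The message layout, the SPI derivation (a SHA-256 stand-in for the FA-RK based computation) and all NAS names are constructed assumptions.

```python
"""Added example (not from the patent): MS-side NAS-migration detection, the
MIP-RRQ indication it produces, and the FA-side dispatch on that indication.
Message layouts, the SPI derivation and all identities are constructed stand-ins."""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NasIdentity:
    """Identifying information the authenticator sends to the MS during EAP
    (the text names its address and/or its hop count to the serving GW)."""
    address: str
    hops_to_gw: int


@dataclass
class MipRrq:
    """Constructed view of a MIP-RRQ: only the fields the indication needs."""
    spi: int
    reauth: bool                          # explicit re-authentication indication
    nas_migrated: Optional[bool] = None   # extension header: NAS migration state
    nas_address: Optional[str] = None     # extension header: current NAS address


def derive_spi(fa_rk: bytes) -> int:
    """Stand-in for the FA-RK based SPI computation (assumption, not the real one)."""
    return int.from_bytes(hashlib.sha256(fa_rk).digest()[:4], "big")


def encode_spi_parity(spi: int, nas_migrated: bool) -> int:
    """SPI variant from the text: odd SPI = NAS migrated, even SPI = not migrated."""
    return spi | 1 if nas_migrated else spi & ~1


class MobileStation:
    def __init__(self) -> None:
        self.recorded: Optional[NasIdentity] = None

    def on_eap_identity(self, nas: NasIdentity) -> Optional[bool]:
        """Record the NAS identity seen in EAP. On a re-authentication, return
        whether it differs from the previous record (None on first authentication)."""
        migrated = None if self.recorded is None else (nas != self.recorded)
        self.recorded = nas
        return migrated

    def build_rrq(self, fa_rk: bytes, nas_migrated: bool, use_extension: bool) -> MipRrq:
        """Carry the migration indication in SPI parity or in an extension header."""
        assert self.recorded is not None, "authenticate before registering"
        spi = derive_spi(fa_rk)
        if use_extension:
            # extension header: migration state, plus the current NAS address when migrated
            return MipRrq(spi=spi, reauth=True, nas_migrated=nas_migrated,
                          nas_address=self.recorded.address if nas_migrated else None)
        return MipRrq(spi=encode_spi_parity(spi, nas_migrated), reauth=True)


class ForeignAgent:
    def __init__(self, old_nas: str) -> None:
        self.old_nas = old_nas
        self.local_spi: Optional[int] = None

    def handle_rrq(self, rrq: MipRrq, spi_parity_mode: bool) -> str:
        """Return the action the FA takes, following cases (1) and (2) of the text."""
        if rrq.nas_address is not None:           # case (2): ask the indicated NAS directly
            return f"request_key:{rrq.nas_address}"
        # re-authentication: explicit flag, or the SPI differs from the stored one
        reauth = rrq.reauth or (self.local_spi is not None and rrq.spi != self.local_spi)
        if not reauth:
            return "continue"
        migrated = bool(rrq.spi & 1) if spi_parity_mode else rrq.nas_migrated
        self.local_spi = rrq.spi
        if migrated:
            return "wait_new_nas_announcement"    # new NAS announces itself (or FA asks old NAS)
        # not migrated, or undecidable: the original NAS is the one to ask
        return f"request_key:{self.old_nas}"


if __name__ == "__main__":
    ms, fa = MobileStation(), ForeignAgent("nas1.example")
    ms.on_eap_identity(NasIdentity("nas1.example", 2))       # initial authentication
    ms.on_eap_identity(NasIdentity("nas2.example", 3))       # re-authentication via NAS2
    print(fa.handle_rrq(ms.build_rrq(b"fa-rk", True, use_extension=True), False))
```

The FA stores the SPI it last accepted, so a repeated registration with an unchanged SPI and no explicit flag is treated as "no re-authentication" and processing simply continues.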
For ease of further understanding the implementation procedure that FA obtains the MIP key, below in conjunction with accompanying drawing, be example with the MN-FA key that obtains in the MIP key, corresponding processing procedure is described further.
As shown in Figure 6, the realization processing procedure of the state machine of FA may further comprise the steps:
Step 1, FA receives MIP-RRQ message;
Step 2 judges whether this locality exists the MN-FA key, if exist, then execution in step 3, otherwise, execution in step 7;
Step 3, whether the SPI in the MIP-RRQ message of relatively receiving is identical with the SPI of this locality preservation, if identical, promptly two SPI are consistent, then re-authentication does not take place in expression, execution in step 15, otherwise re-authentication, execution in step 4 take place in expression;
Step 4 judges whether to take place the NAS migration, if, then execution in step 5, otherwise, execution in step 6, specifically can but be not limited to indication that whether expression NAS that the Context-Rpt (context report) that sends according to SPI or new NAS etc. receives move and judge whether to take place NAS and move;
In this step, if temporarily can't determine whether to take place the NAS migration, then execution in step 7;
Need to prove, in this step,, then can also further determine whether to receive the key of new NAS if determine to move, if receive that then execution in step 15, otherwise, execution in step 5; Wherein, the key of the new NAS that receives may be that new NAS directly sends, and also may be the key of its new NAS that receives from new NAS of sending from former NAS;
Step 5 judges whether FA has known the address of the new NAS after the migration, if know that then execution in step 8, otherwise, execution in step 9;
Step 6, FA is to former NAS acquisition request MN-FA, and execution in step 15.
Step 7, FA perhaps directly is provided with clock and waits for the information (authenticator that re-authentication carries out) that receives from authenticator to former NAS acquisition request MN-FA, if receive the NAS feedback information from former NAS, then execution in step 10, if FA receives the indication information that new NAS sends, then execution in step 12;
Receive after the described information, stop set clock; If the expired information of also not receiving from authenticator of clock then abandons described MIP-RRQ message;
Step 8: the FA requests the MN-FA from the new NAS after the migration, and execution proceeds to step 15.
Step 9: the FA waits for an indication from the new NAS, or queries the former NAS for the address of the new NAS or for the MN-FA; after receiving the indication from the new NAS or the feedback from the former NAS, execution proceeds to step 12. The indication from the new NAS or the feedback from the former NAS may carry the MN-FA of the new NAS, or may carry the address of the new NAS;
Step 10: the FA determines, according to the feedback information returned by the former NAS, whether a NAS migration has occurred; if so, execution proceeds to step 12, otherwise to step 11;
Likewise, in this step the determination may be made, for example but not limited to, according to the SPI or according to an indication of whether the NAS has migrated that is received in a Context-Rpt (context report) or a similar message;
Step 11: if the feedback information sent by the former NAS does not carry the MN-FA, the FA sends a request to the former NAS to obtain the corresponding MN-FA, and after obtaining the MN-FA execution proceeds to step 15; if the former NAS has carried the MN-FA in the feedback information, execution proceeds directly to step 15.
Step 12: determine whether the new NAS has sent the corresponding MN-FA to the FA, that is, whether the FA has received the MN-FA; if so, execution proceeds to step 13; otherwise, the address of the new NAS is obtained from the received indication from the new NAS or feedback from the former NAS, and execution proceeds to step 14;
Step 13: the FA obtains the MN-FA from the information sent by the new NAS, and execution proceeds to step 15;
Step 14: according to the address of the new NAS, the FA requests the corresponding MN-FA from the new NAS, and after obtaining the MN-FA execution proceeds to step 15;
Step 15: the FA processes the received MIP-RRQ message according to the obtained key information.
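The decision procedure of steps 2 to 15, written out as a small FA-side state machine. This is an added example, not code from the patent: the class and method names (ForeignAgent, Feedback, on_mip_rrq, on_former_nas_feedback, on_new_nas_indication, on_timer), the message fields, the timer length and the sample addresses are all assumptions. Each branch is annotated with the step it implements, so the flow above can be checked against it.

```python
"""FA-side handling of a MIP-RRQ after a possible NAS migration, following steps 2-15.
Added example; class, method and field names and the timer length are assumptions."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class Action(Enum):
    PROCESS_RRQ = auto()              # step 15: an MN-FA key is available
    REQUEST_FROM_FORMER_NAS = auto()  # steps 6, 7, 11
    REQUEST_FROM_NEW_NAS = auto()     # steps 8, 14
    WAIT = auto()                     # steps 7, 9: timer armed, wait for information
    DISCARD_RRQ = auto()              # step 7: timer expired, drop the MIP-RRQ


@dataclass
class Feedback:
    """Feedback from the former NAS (step 10) or an indication from the new NAS
    (step 12).  Constructed message shape, not a format defined by the patent."""
    nas_migrated: Optional[bool] = None  # former NAS reports whether a migration occurred
    mn_fa: Optional[bytes] = None        # MN-FA key, if carried
    new_nas_addr: Optional[str] = None   # address of the new NAS, if carried


@dataclass
class ForeignAgent:
    mn_fa: Optional[bytes] = None        # MN-FA key held locally for this mobile node
    spi: Optional[int] = None            # SPI stored together with that key
    nas_migrated: Optional[bool] = None  # None: not yet known (step 4)
    new_nas_addr: Optional[str] = None   # set if learned e.g. from a Context-Rpt
    pushed_key: Optional[bytes] = None   # key already pushed by or for the new NAS
    timeout: float = 5.0                 # assumed timer length, seconds
    deadline: Optional[float] = None     # None while no timer runs
    pending_spi: Optional[int] = None    # SPI of the MIP-RRQ currently being handled

    def _wait(self, now: float) -> Action:
        # steps 7 and 9: arm the timer and wait for authenticator information
        self.deadline = now + self.timeout
        return Action.WAIT

    def _adopt(self, key: bytes) -> Action:
        # a key has been obtained: stop the timer, store key and new SPI, go to step 15
        self.mn_fa, self.deadline = key, None
        if self.pending_spi is not None:
            self.spi, self.pending_spi = self.pending_spi, None
        return Action.PROCESS_RRQ

    def on_mip_rrq(self, rrq_spi: int, now: float) -> Action:
        self.pending_spi = rrq_spi
        if self.mn_fa is None:                   # step 2: no local key -> step 7
            return self._wait(now)
        if rrq_spi == self.spi:                  # step 3: SPIs agree, no re-authentication
            self.pending_spi = None
            return Action.PROCESS_RRQ
        if self.nas_migrated is None:            # step 4: cannot decide yet -> step 7
            return self._wait(now)
        if not self.nas_migrated:                # step 4 -> step 6
            return Action.REQUEST_FROM_FORMER_NAS
        if self.pushed_key is not None:          # step 4 note: new NAS key already received
            return self._adopt(self.pushed_key)
        if self.new_nas_addr is not None:        # step 5 -> step 8
            return Action.REQUEST_FROM_NEW_NAS
        return self._wait(now)                   # step 5 -> step 9

    def on_former_nas_feedback(self, fb: Feedback) -> Action:
        self.deadline = None                     # information received: stop the timer
        if fb.nas_migrated:                      # step 10 -> step 12
            return self.on_new_nas_indication(fb)
        if fb.mn_fa is not None:                 # step 11: feedback carried the MN-FA
            return self._adopt(fb.mn_fa)
        return Action.REQUEST_FROM_FORMER_NAS    # step 11: ask the former NAS explicitly

    def on_new_nas_indication(self, ind: Feedback) -> Action:
        self.deadline = None
        if ind.mn_fa is not None:                # step 12 -> step 13
            return self._adopt(ind.mn_fa)
        if ind.new_nas_addr is not None:         # step 12 -> step 14
            self.new_nas_addr = ind.new_nas_addr
        return Action.REQUEST_FROM_NEW_NAS

    def on_key_reply(self, key: bytes) -> Action:
        # reply to a REQUEST_FROM_* action
        return self._adopt(key)

    def on_timer(self, now: float) -> Optional[Action]:
        # step 7: the timer expired with nothing received from the authenticator
        if self.deadline is not None and now >= self.deadline:
            self.deadline = None
            return Action.DISCARD_RRQ
        return None


if __name__ == "__main__":
    fa = ForeignAgent(mn_fa=b"old-key", spi=1)   # constructed sample state
    print(fa.on_mip_rrq(2, now=0.0))             # SPI changed, migration unknown: WAIT
    print(fa.on_former_nas_feedback(Feedback(nas_migrated=True, new_nas_addr="192.0.2.9")))
    print(fa.on_key_reply(b"new-key"), fa.spi)   # PROCESS_RRQ, SPI now 2
```

The stored SPI is replaced by the SPI of the registration request that triggered the fetch once a key is adopted; otherwise every later MIP-RRQ would be treated as a fresh re-authentication. The timer is driven by a caller-supplied clock so the discard path of step 7 can be exercised deterministically.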
An embodiment of the invention further provides a system in which a network device obtains a key. Its specific implementation structure is shown in Figure 7 and may include the following processing units:
(1) Authenticator
The authenticator is configured to receive a key request sent by a network device that needs to obtain key information, and to send the key information of the corresponding terminal that it has generated to that network device. Specifically, it may include:
(1) a key request receiving unit, configured to receive the key request sent by the network device that needs to obtain key information;
(2) a key information transmitting unit, configured to send, after the key request receiving unit has received the key request, the key information of the corresponding terminal generated by the authenticator to the network device that needs to obtain key information.
Optionally, the authenticator may further include a migration indication transmitting unit, configured to send, to the network device that needs to obtain key information, indication information indicating that an authenticator migration has occurred. This authenticator may be the post-migration authenticator, or the former authenticator before the migration. If the migration indication transmitting unit is located in the former authenticator and must also send the address of the post-migration authenticator to the network device that needs to obtain key information, the authenticator further includes a terminal information maintenance unit, configured to maintain the correspondence between the terminal and the address of the post-migration authenticator, optionally with a lifetime set for that correspondence.
The authenticator may further include either of the following units:
a key information direct transmitting unit, configured to send the key information generated by the post-migration authenticator directly, on its own initiative, to the network device that needs to obtain key information;
a key information indirect transmitting unit, configured to send the key information generated by the post-migration authenticator to the former authenticator, which then sends it to the network device that needs to obtain key information.
To enable the terminal to determine whether the authenticator has migrated, the authenticator may further include an identifying information transmitting unit, configured to send the address information of the authenticator, or the hop count from the authenticator to the gateway, to the terminal as identifying information.
(2) Network device
This network device is the network device that needs to obtain key information. After receiving the indication information indicating that an authenticator migration has occurred, it sends a key request to the post-migration authenticator and receives the key information returned by that authenticator.
More specifically, the network device that needs to obtain key information may include:
(1) an authenticator migration determining unit, configured to determine, according to the received indication information indicating that an authenticator migration has occurred, that the authenticator corresponding to the terminal has migrated;
(2) a key request acquiring unit, configured to send a key request to the post-migration authenticator after the authenticator migration determining unit has determined that the authenticator corresponding to the terminal has migrated, and to receive the key information returned by that authenticator, thereby obtaining the key corresponding to the terminal.
Optionally, the network device that needs to obtain key information may further include a judgment processing unit, configured to notify the key request acquiring unit if, after the authenticator migration determining unit has determined that an authenticator migration occurred, it determines that the key information generated by the post-migration authenticator has not been obtained.
Optionally, the network device that needs to obtain key information may further include an authenticator address acquisition unit, configured to receive and obtain the address information of the post-migration authenticator sent by the post-migration authenticator or by the former authenticator, and to notify the key request acquiring unit so that the key request is sent according to that address information.
Optionally, the network device that needs to obtain key information may further include either of the following units:
a key information forwarding unit, configured to receive the key information sent by the post-migration authenticator and to send it to the post-migration network device that needs to obtain key information;
a network device migration notifying unit, configured to return to the post-migration authenticator, after receiving the key information sent by it, an indication that the network device needing key information has migrated, or the address information of the post-migration network device that needs to obtain key information; or to send that indication or address information to the post-migration authenticator on its own initiative; so that the post-migration authenticator can send the key information to the post-migration network device that needs to obtain key information.
(3) Terminal
In certain application scenarios, the terminal may itself send, to the network device that needs to obtain key information, indication information indicating that the authenticator corresponding to the terminal has migrated. The terminal may therefore include a processing unit for determining whether the authenticator has migrated, which may specifically include:
a migration determining unit, configured to receive, during authentication, the identifying information sent by the authenticator, to compare the identifying information of the currently received authenticator with that of the previously received authenticator, and to determine whether the authenticator has migrated;
an indication information transmitting unit, configured to send, after the migration determining unit has determined that a migration occurred, the indication information indicating that an authenticator migration has occurred to the network device that needs to obtain key information.
In summary, the embodiments of the invention solve the problem that the FA cannot obtain the updated MIP key when a NAS migration occurs during the MIP key update process. They eliminate the race scenario as far as possible and reduce the time needed to obtain the key. The embodiments thus provide an implementation that lets the FA obtain a valid MIP key, overcoming the problems of the prior art.
The above are only preferred embodiments of the invention, and the protection scope of the invention is not limited thereto. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the protection scope of the invention. Therefore, the protection scope of the invention shall be subject to the protection scope of the claims.
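The terminal-side units just described (migration determining unit and indication information transmitting unit) together with the former authenticator's terminal information maintenance unit, as an added example that is not part of the patent. The class names (AuthenticatorId, Terminal, FormerAuthenticator), the shape of the indication message, the sample addresses and the lifetime value are assumptions.

```python
"""Terminal-side detection of authenticator migration and the former authenticator's
terminal-to-new-authenticator mapping with a lifetime.  Added example; all names,
the message shape and the lifetime are assumptions, not part of the patent."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthenticatorId:
    """Identifying information an authenticator sends during authentication:
    its address and/or its hop count to the gateway."""
    address: Optional[str] = None
    hops_to_gateway: Optional[int] = None


@dataclass
class Terminal:
    last_seen: Optional[AuthenticatorId] = None
    outbox: List[dict] = field(default_factory=list)  # indications sent to the FA

    def on_authentication(self, current: AuthenticatorId) -> bool:
        """Migration determining unit: compare the identifying information just
        received with the one from the previous authentication.  The first
        authentication has nothing to compare against and is never a migration."""
        migrated = self.last_seen is not None and current != self.last_seen
        self.last_seen = current
        if migrated:
            # indication information transmitting unit: notify the FA, passing on the
            # new authenticator's address when it was part of the identifying information
            self.outbox.append({"authenticator_migrated": True,
                                "new_authenticator_addr": current.address})
        return migrated


@dataclass
class FormerAuthenticator:
    """Terminal information maintenance unit: terminal -> address of the
    post-migration authenticator, kept only for `lifetime` seconds (assumed value)."""
    lifetime: float = 60.0
    table: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def record_migration(self, terminal_id: str, new_addr: str, now: float) -> None:
        self.table[terminal_id] = (new_addr, now + self.lifetime)

    def answer_address_query(self, terminal_id: str, now: float) -> Optional[str]:
        """Reply to an FA asking where the terminal's authenticator went (step 9).
        Expired entries are purged on access rather than by a background timer."""
        entry = self.table.get(terminal_id)
        if entry is None:
            return None
        addr, expires = entry
        if now >= expires:
            del self.table[terminal_id]
            return None
        return addr


if __name__ == "__main__":
    t = Terminal()                                               # constructed sample run
    print(t.on_authentication(AuthenticatorId("192.0.2.1", 2)))  # False: first contact
    print(t.on_authentication(AuthenticatorId("192.0.2.2", 2)))  # True: address changed
    fa = FormerAuthenticator(lifetime=10.0)
    fa.record_migration("mn-1", "192.0.2.2", now=100.0)
    print(fa.answer_address_query("mn-1", now=105.0))            # 192.0.2.2
    print(fa.answer_address_query("mn-1", now=111.0))            # None: expired
```

Comparing on the full identifying information matters: two authenticators can sit at the same hop count from the gateway, so a hop count on its own cannot tell them apart, whereas the address can. On the former authenticator, bounding the mapping with a lifetime keeps stale terminal-to-authenticator entries from being handed out indefinitely after the terminal has moved on again.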

Claims (25)

1. A method for obtaining a key, characterized in that it is used to obtain key information for a network device that needs to obtain key information after an authenticator migration has occurred, comprising:
the network device that needs to obtain key information receiving indication information indicating that an authenticator migration has occurred, and receiving the key information sent by the post-migration authenticator, thereby obtaining the key information of the corresponding terminal.
2. The method according to claim 1, characterized in that the network device that needs to obtain key information receives the indication information indicating that an authenticator migration has occurred, sent by the post-migration authenticator, the former authenticator, the terminal, a home agent, or an authentication, authorization and accounting (AAA) server; or,
the network device that needs to obtain key information receives the indication information together with the address of the post-migration authenticator, sent by the post-migration authenticator, the former authenticator, the terminal, the home agent, or the AAA server.
3. The method according to claim 2, characterized in that, when the indication information is sent by the terminal, the method further comprises:
during authentication, the terminal receiving the identifying information of the authenticator sent by the network side;
the terminal comparing the identifying information of the currently received authenticator with the identifying information of the previously received authenticator, and determining whether the authenticator has migrated.
4. The method according to claim 3, characterized in that the identifying information comprises at least one of: the address information of the authenticator, the identification information of the authenticator, and the hop count from the authenticator to the gateway.
5. The method according to any one of claims 1 to 4, characterized in that it further comprises:
the network device that needs to obtain key information receiving the key information sent on its own initiative by the post-migration authenticator after the post-migration authenticator generates the key information of the corresponding terminal; or,
the network device that needs to obtain key information receiving the key information sent via the former authenticator by the post-migration authenticator after the post-migration authenticator generates the key information of the corresponding terminal.
6. The method according to claim 5, characterized in that, after the network device that needs to obtain key information determines that the authenticator corresponding to the terminal has migrated, the method further comprises:
the network device that needs to obtain key information sending a key request to the post-migration authenticator after determining that it has not obtained the key information of the corresponding terminal generated by the post-migration authenticator.
7. The method according to any one of claims 1 to 4, characterized in that, before the network device that needs to obtain key information sends the key request to the post-migration authenticator, the method further comprises a step of obtaining the address information of the post-migration authenticator, which comprises:
requesting the address information of the post-migration authenticator from the former authenticator; or receiving the address information of the post-migration authenticator sent on its own initiative by the post-migration authenticator, the former authenticator, the terminal, the home agent, or the AAA server.
8. The method according to any one of claims 1 to 4, characterized in that, if the network device that needs to obtain key information also migrates during the authenticator migration, the method further comprises any one of the following steps:
the post-migration network device that needs to obtain key information obtaining, through the former network device that needed to obtain key information, the key information sent by the post-migration authenticator;
the post-migration network device that needs to obtain key information sending to the post-migration authenticator an indication that the network device needing key information has migrated, or the address of the post-migration network device that needs to obtain key information, and the post-migration authenticator sending the key information to the post-migration network device;
the post-migration network device that needs to obtain key information receiving the key information sent by the post-migration authenticator after the post-migration authenticator has obtained, from the former network device that needed to obtain key information, the indication that the network device has migrated or the address of the post-migration network device.
9. The method according to any one of claims 1 to 4, characterized in that, before determining that the authenticator of the terminal has migrated, the method further comprises a step in which the network device that needs to obtain key information determines that the terminal has undergone re-authentication, which specifically comprises:
the network device that needs to obtain key information storing the Security Parameter Index (SPI) between the terminal and the home agent; if the SPI between the terminal and the home agent carried in the received registration request differs from the stored SPI, determining that re-authentication has occurred.
10. A method for obtaining a key, characterized in that it is used to obtain key information for a network device that needs to obtain key information after re-authentication, comprising:
after receiving indication information indicating that re-authentication has occurred, the network device that needs to obtain key information receiving the key information of the corresponding terminal sent by the authenticator.
11. The method according to claim 10, characterized in that the authenticator is the authenticator that performs the re-authentication.
12. The method according to claim 11, characterized in that the network device that needs to obtain key information starts a timer after receiving the indication information indicating that re-authentication has occurred, and receives the key information of the terminal within the validity period of the timer.
13. The method according to claim 12, characterized in that, if the key information is not received within the validity period of the timer, the mobile IP registration request sent by the terminal is discarded.
14. A network device, characterized in that it is used to obtain key information after an authenticator migration, the network device comprising:
an authenticator migration determining unit, configured to determine, according to received indication information indicating that an authenticator migration has occurred, that the authenticator of the corresponding terminal has migrated;
a key request acquiring unit, configured to receive the key information sent by the post-migration authenticator after the authenticator migration determining unit has determined that the authenticator of the terminal has migrated, thereby obtaining the key information corresponding to the terminal.
15. The device according to claim 14, characterized in that it further comprises a judgment processing unit, configured to notify the key request acquiring unit if, after the authenticator migration determining unit has determined that an authenticator migration occurred, it determines that the key information generated by the post-migration authenticator has not been obtained;
and the key request acquiring unit is further configured to send a key request to the post-migration authenticator after receiving the notification from the judgment processing unit.
16. The device according to claim 14 or 15, characterized in that it further comprises an authenticator address acquisition unit, configured to receive and obtain the address information of the post-migration authenticator sent by the post-migration authenticator or by the former authenticator, and to notify the key request acquiring unit.
17. A system for obtaining a key, characterized in that it is used to obtain key information for a network device that needs to obtain key information after an authenticator migration has occurred, the system comprising an authenticator and the network device that needs to obtain key information, wherein
the authenticator is configured to receive the key request sent by the network device that needs to obtain key information, and to send the key information of the corresponding terminal that it has generated to that network device;
the network device that needs to obtain key information is configured to receive the indication information indicating that an authenticator migration has occurred, and to receive the key information sent by the post-migration authenticator.
18. The system according to claim 17, characterized in that it further comprises a terminal, the terminal comprising:
a migration determining unit, configured to receive, during authentication, the identifying information sent by the authenticator, to compare the identifying information of the currently received authenticator with the identifying information of the previously received authenticator, and to determine whether the authenticator has migrated;
an indication information transmitting unit, configured to send, after the migration determining unit has determined that a migration occurred, the indication information indicating that an authenticator migration has occurred to the network device that needs to obtain key information.
19. The system according to claim 18, characterized in that the authenticator further comprises an identifying information transmitting unit, configured to send the address information of the authenticator, or the hop count from the authenticator to the gateway, to the terminal as identifying information.
20. The system according to claim 17, 18 or 19, characterized in that the authenticator comprises a key request receiving unit and a key information transmitting unit, wherein
the key request receiving unit is configured to receive the key request sent by the network device that needs to obtain key information;
the key information transmitting unit is configured to send, after the key request receiving unit has received the key request, the key information of the corresponding terminal generated by the authenticator to the network device that needs to obtain key information.
21. The system according to claim 17, 18 or 19, characterized in that the authenticator further comprises:
a key information direct transmitting unit, configured to send the key information generated by the post-migration authenticator directly to the network device that needs to obtain key information; or,
a key information indirect transmitting unit, configured to send the key information generated by the post-migration authenticator to the former authenticator, which sends it to the network device that needs to obtain key information.
22. The system according to claim 17, 18 or 19, characterized in that the authenticator further comprises a migration indication transmitting unit, configured to send, to the network device that needs to obtain key information, the indication information indicating that an authenticator migration has occurred and/or the address of the post-migration authenticator.
23. The system according to claim 22, characterized in that, if the migration indication transmitting unit sends the address of the post-migration authenticator to the network device that needs to obtain key information, the authenticator further comprises a terminal information maintenance unit, configured to maintain the correspondence between the terminal and the address of the post-migration authenticator.
24. The system according to claim 17, 18 or 19, characterized in that the network device that needs to obtain key information further comprises:
a key information forwarding unit, configured to receive the key information sent by the post-migration authenticator and to send it to the post-migration network device that needs to obtain key information; or,
a network device migration notifying unit, configured to return to the post-migration authenticator, after receiving the key information sent by it, an indication that the network device needing key information has migrated or the address information of the post-migration network device that needs to obtain key information; or to send that indication or address information to the post-migration authenticator on its own initiative.
25. A system for obtaining a key, characterized in that it is used to obtain key information for a network device that needs to obtain key information after re-authentication, the system comprising an authenticator and the network device that needs to obtain key information, wherein
the authenticator is configured to send the key information of the corresponding terminal that it has generated to the network device that needs to obtain key information;
the network device that needs to obtain key information is configured to receive, after receiving indication information indicating that re-authentication has occurred, the key information of the corresponding terminal sent by the authenticator.
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2007101451465A CN101325804B (en) 2007-06-11 2007-08-23 Method, device and system for acquiring cryptographic key
PCT/CN2008/071254 WO2008151569A1 (en) 2007-06-11 2008-06-10 Method, device and system for acquiring key

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
CN200710112367.2 2007-06-11
CN200710112367 2007-06-11
CN200710136389 2007-07-26
CN200710136389.2 2007-07-26
CN2007101451465A CN101325804B (en) 2007-06-11 2007-08-23 Method, device and system for acquiring cryptographic key

Publications (2)

Publication Number Publication Date
CN101325804A CN101325804A (en) 2008-12-17
CN101325804B true CN101325804B (en) 2011-04-20

Family

ID=40189067

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101451465A Active CN101325804B (en) 2007-06-11 2007-08-23 Method, device and system for acquiring cryptographic key

Country Status (1)

Country Link
CN (1) CN101325804B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant