CN101610511A - The guard method of terminal privacy and device - Google Patents
The guard method of terminal privacy and device Download PDFInfo
- Publication number
- CN101610511A CN101610511A CNA2009101593412A CN200910159341A CN101610511A CN 101610511 A CN101610511 A CN 101610511A CN A2009101593412 A CNA2009101593412 A CN A2009101593412A CN 200910159341 A CN200910159341 A CN 200910159341A CN 101610511 A CN101610511 A CN 101610511A
- Authority
- CN
- China
- Prior art keywords
- terminal
- base station
- calculated value
- request message
- distance measurement
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/062—Pre-authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/041—Key generation or derivation
Abstract
The invention discloses a kind of guard method and device of terminal privacy.In said method, when terminal initial networking or network re-entry, the base station receives the distance measurement request message from this terminal, wherein, carry the safe calculated value of the Media Access Control Address that terminal calculates in the above-mentioned distance measurement request message, this safe calculated value is used to protect real terminal media access control address and marking terminal; After above-mentioned terminal completed successfully authenticated/authorized, the base station used above-mentioned safe calculated value to calculate air interface key.According to technical scheme provided by the invention, solved the problem that does not solve the risk that AMS MAC Address plaintext transmission brought in the correlation technique, and then the fail safe that has improved system.
Description
Technical field
The present invention relates to the communications field, in particular to a kind of guard method and device of terminal privacy.
Background technology
(the Institute of Electrical and ElectronicEngineers of electronic motor engineering association, abbreviating IEEE as) 802.16 standards systems mainly are at metropolitan area network, its main target is the wireless access system air interface physical layer (Physical of development in 2~66GHz frequency band, abbreviate PHY as) and medium access control layer (Media AccessControl, abbreviate MAC as) standard, also have uniformity test relevant and the coexistence standard between the different radio connecting system simultaneously with air interface protocol.
According to whether supporting mobility, IEEE 802.16 standards can be divided into fixed broadband wireless and insert air-interface standard and mobile broadband wireless access air-interface standard, wherein, 802.16d be to belong to the fixed wireless access air-interface standard, pass in IEEE 802 committees, with the title issue of IEEE 802.16-2004 in June, 2004.And 802.16e belongs to mobile broadband wireless access air-interface standard, passes in IEEE 802 committees in November, 2005, with the title issue of IEEE 802.16-2005.Inserting of microwave whole world interoperability authentication (the Worldwide Interoperability forMicrowave Access of alliance, abbreviate WiMAX as) promptly be based on the standard of IEEE 802.16 air interfaces, become the wireless access wide band technology of influence power maximum in the world at present.
At present, IEEE is working out the 802.16m standard.This standard is in order to study next step evolution path of WiMAX, target is to become the next generation mobile communication technology, and finally to (the International Telecommunication Unit of International Telecommunications Union, abbreviating ITU as) motion of submission technology becomes one of senior international wireless communication system (International MobileTelecommunication Advance abbreviates IMT-Advanced as) standard of ITU.This standard is with the existing 802.16e standard of compatibility.
802.16m system requirements document (System Requirement Document; abbreviating SRD as) regulation need protect the privacy of terminal; promptly; need protection terminal media access control address (AMS MAC Address) in the plaintext transmission of eating dishes without rice or wine, thereby to avoid the assailant can obtain the privacy that this address threatens terminal.In order to realize this goal, the system description document of 16m (System Description Document, abbreviate SDD as) defined two types moving station mark-promptly, Temporary Mobile Station Identity (TemporaryStation ID, abbreviate TSTID as) and formal mobile station identification (Station ID, abbreviate STID as), two identifiers are all unique in the scope of base station.TSTID is that the unique branch of terminal is used in the temporary mark terminal by the base station in the ranging process that terminal initial networks, specifically, promptly, terminal is in distance measurement request (RNG-REQ) message, the AMSMAC Address of oneself is reported the base station, the base station will send to terminal for the TSTID of terminal distribution in ranging response (RNG-RSP) message, interacting message after this just comes marking terminal with TSTID, and the base station will be distributed to till the terminal for the STID of terminal distribution in registration process.The transmission of STID needs protection mechanism.Then, the base station discharges TSTID, uses STID to be used at follow-up flow process marking terminal.
But this method has only been protected the mapping relations of AMS MAC Address and STID, does not still solve the risk that AMS MAC Address plaintext transmission is brought.Because the assailant can intercept and capture this address, therefore, can forge or follow the tracks of user's whereabouts.
Summary of the invention
At the problem that does not solve the risk that AMS MAC Address plaintext transmission brought in the correlation technique and propose the present invention, for this reason, main purpose of the present invention is to provide a kind of protection scheme of terminal privacy, to address the above problem.
To achieve these goals, according to an aspect of the present invention, provide a kind of guard method of terminal privacy.
Guard method according to terminal privacy of the present invention comprises: when terminal initial networking or network re-entry, the base station receives the distance measurement request message from this terminal, wherein, carry the safe calculated value of the Media Access Control Address that terminal calculates in the above-mentioned distance measurement request message, this safe calculated value is used to protect real terminal media access control address and identifies this terminal; After above-mentioned terminal completed successfully authenticated/authorized, the base station used above-mentioned safe calculated value to calculate air interface key.
Preferably, receive in the base station before the distance measurement request message of self terminal, said method also comprises: the safe calculated value of terminal computing medium access control address, and to base station transmission distance measurement request message.
Preferably, terminal is according to the safe calculated value of terminal media access control address and one of following at least computing medium access control address: random number, Base Station Identification that the random number that terminal generates, base station generate.
Preferably, after the base station received the distance measurement request message of self terminal, said method also comprises: the base station sent ranging response message to terminal, and calculated value safe to carry therein belongs to terminal with the indication ranging response message.
Preferably, after terminal completed successfully authenticated/authorized, said method also comprised: terminal calculated value safe in utilization calculates air interface key.
Preferably, after base station calculated value safe in utilization calculated air interface key, said method also comprises: the base station received the login request message of self terminal, wherein, carry the Media Access Control Address of terminal in the login request message, login request message is encrypted according to air interface key by terminal.
Preferably, when terminal need be carried out switching between the base station, the target BS that switch as terminal the base station, target BS received the distance measurement request message of self terminal, wherein, carry safe calculated value in the distance measurement request message.
Preferably, need carry out switching between the base station in terminal, and the base station switch as terminal target BS the time, the safe calculated value that the target BS receiving terminal sends in switching command message via serving BS.
Preferably, when terminal exitted from idle mode network re-entry, the base station received the distance measurement request message of self terminal, wherein, carried safe calculated value in the distance measurement request message.
Preferably, it is one of following that safe calculated value comprises at least: cryptographic Hash, cryptographic calculation value, wherein, cryptographic Hash is calculated according to one of following algorithm: letter disappear digest algorithm, safety hash algorithm, cipher block chaining message authentication code calculation, Dot16KDF algorithm.
Preferably, air interface key comprises one of following at least: authorization key, message integrity protection key, traffic encryption key, key-encrypting key.
To achieve these goals, according to a further aspect in the invention, provide a kind of protective device of terminal privacy.
Protective device according to terminal privacy of the present invention comprises: first receiver module, be arranged on base station side, be used for when terminal initial networking or network re-entry, receive the distance measurement request message of self terminal, wherein, carry the safe calculated value of the Media Access Control Address that terminal calculates in the distance measurement request message, safe calculated value is used to protect real terminal media access control address and marking terminal; First computing module is arranged on base station side, is used for after terminal completes successfully authenticated/authorized, and the safe calculated value that uses first receiver module to receive calculates air interface key.
Preferably, said apparatus also comprises: first sending module, be arranged on base station side, and be used for sending ranging response message, and calculated value safe to carry therein belongs to terminal with the indication ranging response message to terminal; Second receiver module is arranged on base station side, is used to receive the login request message of self terminal, wherein, carries the Media Access Control Address of terminal in the login request message, and login request message is encrypted according to air interface key by terminal; Second computing module is arranged on end side, is used for the safe calculated value of computing medium access control address; Second sending module is arranged on end side, is used for sending distance measurement request message to the base station; The 3rd computing module is arranged on end side, is used for calculated value safe in utilization and calculates air interface key.
By the present invention, adopt the base station to use to receive the safe calculated value that carries the Media Access Control Address that terminal calculates of self terminal to calculate the method for air interface key, solved the problem that does not solve the risk that AMS MAC Address plaintext transmission brought in the correlation technique, and then the fail safe that has improved system.
Description of drawings
Accompanying drawing described herein is used to provide further understanding of the present invention, constitutes the application's a part, and illustrative examples of the present invention and explanation thereof are used to explain the present invention, do not constitute improper qualification of the present invention.In the accompanying drawings:
Fig. 1 is the flow chart according to the guard method of the terminal privacy of the embodiment of the invention;
Fig. 2 is the interaction diagrams according to the implementation method of terminal privacy protection in the wireless communication system of the embodiment of the invention;
Fig. 3 is the schematic diagram according to the aerial derivative key of generation of the embodiment of the invention;
Fig. 4 is the interaction diagrams according to the embodiment of the invention three;
Fig. 5 is the interaction diagrams according to the embodiment of the invention four;
Fig. 6 is the interaction diagrams according to the embodiment of the invention five;
Fig. 7 is the structured flowchart according to the protective device of the terminal privacy of the embodiment of the invention;
Fig. 8 is the preferred structure block diagram according to the protective device of the terminal privacy of the embodiment of the invention.
Embodiment
Function was both stated
Consider the problem that does not solve the risk that AMS MAC Address plaintext transmission brought in the terminal privacy (AMS Privacy) of 802.16m definition now; the embodiment of the invention provides a kind of protection scheme of terminal privacy; when terminal initial networking or network re-entry; the safe operation values of terminal computing terminal MAC Address, and this terminal MAC Address safety operation values sent to the base station in distance measurement request message.After terminal completed successfully authenticated/authorized, terminal and network side calculated relevant air interface key with this terminal MAC Address safety operation values when calculating the derivative key of air interface.
Need to prove that under the situation of not conflicting, embodiment and the feature among the embodiment among the application can make up mutually.Describe the present invention below with reference to the accompanying drawings and in conjunction with the embodiments in detail.
Method embodiment
According to embodiments of the invention, provide a kind of guard method of terminal privacy.Fig. 1 is the flow chart according to the guard method of the terminal privacy of the embodiment of the invention, and as shown in Figure 1, this method comprises that following step S102 is to step S104:
Step S102; when terminal initial networking or network re-entry; the base station receives the distance measurement request message of self terminal; wherein; carry the safe calculated value of the Media Access Control Address that terminal calculates in the distance measurement request message, safe calculated value is used to protect real terminal MAC Address and marking terminal.Wherein, safe calculated value can comprise one of following at least: Hash (Hash) value, cryptographic calculation value etc.
Before this, the safe calculated value of terminal computing medium access control address, and to base station transmission distance measurement request message, then, the base station sends ranging response message to terminal, and calculated value safe to carry therein belongs to terminal with the indication ranging response message.
Wherein, the input parameter of computing terminal MAC Address safety operation values is: the terminal MAC Address, and/or the random number R andom_AMS of terminal generation, and/or the random number R andom_ABS of base station generation, and/or Base Station Identification ABSID, that is to say that terminal can be come one of at least the computationally secure operation values according to terminal MAC Address and above-mentioned other 3 parameters.
Step S104, after terminal completed successfully authenticated/authorized, base station calculated value safe in utilization calculated air interface key.Simultaneously, terminal calculated value safe in utilization calculates air interface key.Wherein, it is one of following that air interface key can comprise at least: authorization key (Authorization Key; abbreviate AK as), message integrity protection key (Cipher-based MessageAuthentication Code; abbreviate CMAC as) KEY, traffic encryption key (Transmission Encrypt Key; abbreviate TEK as), key-encrypting key (KeyEncrypt Key abbreviates KEK as).
After this, preferably, this method can also comprise following operation: after completing successfully three-way handshake process, terminal can be in login request message REG-REQ, and oneself AMSMAC Address is reported the base station.The transmission of this AMS AMC Address needs encipherment protection.The base station receives the login request message of self terminal, wherein, carries the Media Access Control Address of terminal in the login request message, and login request message is encrypted according to air interface key by terminal; Encrypt the registration reply message that carries mobile station identification according to air interface key to the terminal distribution mobile station identification base station, and the registration reply message after terminal sends encryption.
Be described in detail below in conjunction with the implementation procedure of example the embodiment of the invention.
Embodiment one
Fig. 2 is the interaction diagrams according to the implementation method of terminal privacy protection in the wireless communication system of the embodiment of the invention, and as shown in Figure 2, a kind of implementation method of terminal privacy protection comprises that following step S201 is to step S211 in the wireless communication system:
Step S201, terminal scanning descending (Down Link abbreviates DL as) channel is set up synchronously with the base station, obtains descending/up (Up Link abbreviates UL as) parameter.
Step S202, terminal is calculated Hash (Hash) value of AMS MAC Address, i.e. AMS MAC Address*,
AMS?MAC?Address*=F(AMS?MAC?Address,ABSID,48),
Or AMS MAC Address*=F (AMS MAC Address, Rand_AMS, 48),
Or AMS MAC Address*=F (AMS MAC Address, Rand_ABS, 48),
Or AMS MAC Address*=F (AMS MAC Address, ABSID|Random_AMS, 48),
Or AMS MAC Address*=F (AMS MAC Address, Random_AMS|ABSID, 48),
Or AMS MAC Address*=F (AMS MAC Address, ABSID|Random_ABS, 48),
Or AMS MAC Address*=F (AMS MAC Address, Random_ABS|ABSID, 48),
Or AMS MAC Address*=F (AMS MAC Address, ABSID|Random_ABS|Random_AMS, 48),
Or AMS MAC Address*=F (AMS MAC Address, Random_ABS|Random_AMS|ABSID, 48).
Wherein, F can be any hash function, for example, letter disappears, and (Message-DigestAlgorithm 5 for summary, abbreviate MD5 as) algorithm, Hash (Secure HashAlgorithm the abbreviates SHA as) algorithm of safety, CMAC algorithm (cipher block chaining message authentication code), the Dot16KDF algorithm of IEEE 802.16 definition etc.; Random_ABS is the random number that the base station generates, this random number is broadcasted by mapping message (A-MAP), perhaps when terminal is carried out step S201, the base station is a terminal distribution, and in CDMA_Allocation_IE (this information word is used for the base station to the terminal distribution bandwidth, and terminal is sending distance measurement request message to the base station on this bandwidth), be handed down to terminal; Random_AMS is the random number that terminal generates.Random_ABS and Random_AMS all can be 16,32,48,64,128 etc.
Step S203, terminal sends RNG-REQ message to the base station, carries following parameter in this RNG-REQ message: AMS MAC Address*.
Step S204, the base station sends RNG-RSP message to terminal, carries parameter A MS MAC Address* in this RNG-RSP message, and this parameter is used to identify this ranging response message and belongs to which terminal.
Step S205, pre-authentication capability negotiation process is carried out in terminal and base station, consults the parameter that verification process after a while need be used.
Step S206, terminal and network side carry out the authentication and authorization operation.
Step S207, terminal and base station utilize AMS MAC Address* to calculate air interface key AK, and derive CMAC KEY by AK, and/or KEK.
Step S208, terminal and network side carry out three-way handshake process, checking authorization key AK.
Step S209, terminal and base station generate TEK, are used to encrypt the data flow of eating dishes without rice or wine.
Step S210, terminal sends login request message to the base station, and this login request message is carried parameter alternatively: AMS MAC Address, this login request message need be carried out encipherment protection with TEK.
Step S211, the base station sends registration reply message to terminal, and this registration reply message carries parameter: STID.The transmission of STID needs encipherment protection.After this message interaction process promptly can use STID to come marking terminal.
Embodiment two
Fig. 3 is the schematic diagram according to the aerial derivative key of generation of the embodiment of the invention, and as shown in Figure 3, the generating mode of AK is referring to following formula:
AK<=Dot16KDF(PMK,AMS?MAC?Address*|ABSID|“AK”,160)
Wherein, Dot16KDF is the cryptographic algorithm function of definition among the IEEE 802.16." | " is used to indicate cascade as IEEE 802.16 definition.AMS MAC Address* is the hash value of terminal MAC Address.ABSID is the identification information of base station." " expression content wherein is a character string, and " AK " promptly represents this monogram corresponding characters string of AK.The length of " 160 " expression AK, unit is bit.Can draw by the MSK derivation with reference to the associated description in the background technology: PMK, and MSK is the root key in IEEE 802.16 standards, is that mobile radio station and base station generate respectively at two ends in initial authentication process.Need to prove, in an embodiment of the present invention, the implication that identical symbology is identical.
The generating mode of CMAC_KEY_U and CMAC_KEY_D is realized by following formula:
At first, determine CMAC_PREKEY_U and CMAC_PREKEY_D, CMAC_PREKEY_U and CMAC_PREKEY_D are the intermediate parameters of derivation CMAC_KEY_U and CMAC_KEY_D.Wherein, CMAC_PREKEY_U and CMAC_PREKEY_D generating mode are:
CMAC_PREKEY_U|CMAC_PREKEY_D<=Dot16KDF(AK,AMS?MAC?Address*|ABSID|“CMAC_KEYS”,256)。
Wherein, " CMAC_KEYS " is this character combination corresponding characters string of CMAC_KEYS.The length of 256 expression derivation result is 256bit.The result that following formula generated is the concatenated values of CMAC_PREKEY_U and CMAC_PREKEY_D, and the value that 128bit is CMAC_PREKEY_U and CMAC_PREKEY_D is respectively got in front and back.
CMAC_PREKEY_U and CMAC_PREKEY_D generating mode also can be realized by following formula:
CMAC_PREKEY_U|CMAC_PREKEY_D|KEK<=Dot16KDF(AK,AMS?MAC?Address*|ABSID|“CMAC_KEYS+KEK”,384)
Different with preceding formula is that this formula has generated key K EK in the lump, and the result who generates is got 128bit respectively three times, will correspond respectively to CMAC_PREKEY_U, CMAC_PREKEY_D and KEK.
The generating mode of CMAC_KEY_U and CMAC_KEY_D is:
CMAC_KEY_U<=AESCMAC_PREKEY_U(CMAC_KEY_COUNT)
CMAC_KEY_D<=AESCMAC_PREKEY_D(CMAC_KEY_COUNT)
Wherein, AES is Advanced Encryption Standard (Advanced Encryption Standard) algorithm, can determine CMAC_KEY_U and CMAC_KEY_D by above-mentioned two formulas.
The generating mode of TEK is referring to following formula:
TEK<=Dot16KDF(AK,SAID|AMS?MAC?Address*|COUNTER_TEK|“TEK”,128)
Wherein, AK is the authorization key that aforementioned manner generates, and COUNTER_TEK is a counter, this counter is finished initial or re-authentication in terminal at every turn/and replacement during mandates, after this every couple of TEK once upgrades, and this value increases progressively 1.SAID is the Security Association sign, is that travelling carriage distributes by the base station, and the generation of this parameter can repeat no more here referring to the relevant regulations among the IEEE 802.16m." TEK " promptly represents this monogram corresponding characters string of TEK.The length of 128 expression TEK is 128bit.
The generating mode of TEK also can be realized by following formula:
TEK<=Dot16KDF(AK,SAID|COUNTER_TEK|“TEK”,128)。Identical in each meaning of parameters in the formula and the aforementioned TEK production repeats no more here.
Embodiment three
When terminal need be carried out switching between the base station, terminal sent to target BS with the terminal MAC Address safety calculated value that upgrades.Fig. 4 is the interaction diagrams according to the embodiment of the invention three, and concrete operations comprise the steps that mainly S402 is to step S408 as shown in Figure 4:
Step S402, terminal sends terminal switching command (AAI_HO_CMD) message to current serving BS, need switch to target BS with this terminal of notification service base station.
Step S404, serving BS and target BS carry out switch acknowledgment message reciprocal process, promptly will switch to target BS affirmation terminal.
Step S406, terminal is calculated the safe calculated value (AMSMAC Address*) of the terminal MAC Address of upgrading, and sends distance measurement request (RNG-REQ) message to target BS, and this message is carried parameter: AMS MAC Address*.
Step S408, target BS sends ranging response (RNG-RSP) message and gives terminal.
Embodiment four
Present embodiment shows terminal when switching, and transmits the another kind of method of terminal MAC Address to target BS, and Fig. 5 is the interaction diagrams according to the embodiment of the invention four, as shown in Figure 5, comprises that following step S502 is to step S508:
Step S502, terminal before the base station sends switching command message, the safe calculated value of computing terminal MAC Address, and in switch indicating information, send to serving BS.
Step S504, serving BS and target BS carry out switch acknowledgment message reciprocal process, promptly will switch to target BS affirmation terminal.In this process, serving BS sends to target BS with the safe calculated value of terminal MAC Address.
Step S506, terminal sends distance measurement request (RNG-REQ) message to target BS.
Step S508, target BS sends ranging response (RNG-RSP) message and gives terminal.
Embodiment five
When terminal is carried out the position renewal or is withdrawed from the free time (Idle) pattern at needs, terminal sends to the base station with the terminal MAC Address safety calculated value that upgrades, Fig. 6 is the interaction diagrams according to the embodiment of the invention five, as shown in Figure 6, comprises the steps that mainly S602 is to step S604:
Step S602, when withdrawing from Idle pattern network re-entry trigger condition and satisfy, the safe calculated value of terminal computing terminal MAC Address, and send distance measurement request message to the base station.This message is carried parameter: the safe calculated value of terminal MAC Address.
Step S604, the base station sends ranging response message to terminal.
Device embodiment
According to embodiments of the invention, provide a kind of protective device of terminal privacy.Fig. 7 is the structured flowchart according to the protective device of the terminal privacy of the embodiment of the invention; as shown in Figure 7, each module of this device is separately positioned on base station 4 and terminal 6 both sides, wherein; base station 4 sides comprise: first receiver module 42 and first computing module 44 are described said structure below.
First receiver module 42, be arranged on base station 44 sides, be used for when terminal 6 initial network entry or network re-entry, receive the distance measurement request message of self terminal 6, wherein, carry the safe calculated value of the Media Access Control Address that terminal 6 calculates in the distance measurement request message, safe calculated value is used to protect real terminal media access control address and marking terminal 6; First computing module 44 is connected to first receiver module 42, is arranged on base station 4 sides, is used for after terminal 6 completes successfully authenticated/authorized, and the safe calculated value that uses first receiver module 42 to receive calculates air interface key.
Fig. 8 is the preferred structure block diagram according to the protective device of the terminal privacy of the embodiment of the invention; as shown in Figure 8; base station 4 comprises: first sending module 46; second receiver module 48; terminal 6 comprises: second computing module 62; second sending module, 64, the three computing modules 66 are described said structure below.
First sending module 46 is arranged on base station 4 sides, be used for sending ranging response message to terminal 6, and calculated value safe to carry therein belongs to terminal 6 with the indication ranging response message; Second receiver module 48 is arranged on base station 4 sides, is used to receive the login request message of self terminal 6, wherein, carries the Media Access Control Address of terminal 6 in the login request message, and login request message is encrypted according to air interface key by terminal 6.
Second computing module 62 is arranged on terminal 6 sides, is used for the safe calculated value of computing medium access control address; Second sending module 64 is connected to second computing module 62, is arranged on terminal 6 sides, is used for sending to base station 4 the distance measurement request message of the safe calculated value that carries 62 calculating of second computing module; The 3rd computing module 66 is connected to second computing module 62, is arranged on terminal 6 sides, and the safe calculated value that is used to use second computing module 62 to calculate calculates air interface key.
In sum; by the above embodiment of the present invention, provide a kind of protection scheme of terminal privacy, when terminal initial networking or network re-entry; the safe operation values of terminal computing terminal MAC Address, and this terminal MAC Address safety operation values sent to the base station in distance measurement request message.After terminal completes successfully authenticated/authorized, terminal and network side are when calculating the derivative key of air interface, calculate relevant air interface key with this terminal MAC Address safety calculated value, solved the problem that does not solve the risk that AMS MAC Address plaintext transmission brought in the terminal privacy (AMS Privacy) of 802.16m definition now, and then the fail safe that has improved system.
Obviously, those skilled in the art should be understood that, above-mentioned each module of the present invention or each step can realize with the general calculation device, they can concentrate on the single calculation element, perhaps be distributed on the network that a plurality of calculation element forms, alternatively, they can be realized with the executable program code of calculation element, thereby, they can be stored in the storage device and carry out by calculation element, perhaps they are made into each integrated circuit modules respectively, perhaps a plurality of modules in them or step are made into the single integrated circuit module and realize.Like this, the present invention is not restricted to any specific hardware and software combination.
The above is the preferred embodiments of the present invention only, is not limited to IEEE 802.16 systems, its associative mode can be applied in other wireless communication system.For a person skilled in the art, the present invention can have various changes and variation.Within the spirit and principles in the present invention all, any modification of being done, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (13)
1. the guard method of a terminal privacy is characterized in that, comprising:
When terminal initial networking or network re-entry, the base station receives the distance measurement request message from described terminal, wherein, carry the safe calculated value of the Media Access Control Address that described terminal calculates in the described distance measurement request message, described safe calculated value is used to protect real terminal media access control address and identifies described terminal;
After described terminal completed successfully authenticated/authorized, described base station used described safe calculated value to calculate air interface key.
2. method according to claim 1 is characterized in that, before the described distance measurement request message of described base station reception from described terminal, described method also comprises:
Described terminal is calculated the described safe calculated value of described Media Access Control Address, and sends distance measurement request message to described base station.
3. method according to claim 2 is characterized in that, described terminal is according to terminal media access control address and one of the following at least described safe calculated value that calculates described Media Access Control Address:
Random number, Base Station Identification that the random number that terminal generates, base station generate.
4. method according to claim 1 is characterized in that, after the described distance measurement request message of described base station reception from described terminal, described method also comprises:
Described base station sends ranging response message to described terminal, and carries described safe calculated value therein and belong to described terminal to indicate described ranging response message.
5. method according to claim 1 is characterized in that, after described terminal completed successfully authenticated/authorized, described method also comprised:
Described terminal uses described safe calculated value to calculate described air interface key.
6. method according to claim 1 is characterized in that, uses after described safe calculated value calculates described air interface key in described base station, and described method also comprises:
Described base station receives the login request message from described terminal, wherein, carries the described Media Access Control Address of described terminal in the described login request message, and described login request message is encrypted according to described air interface key by described terminal.
7. method according to claim 1, it is characterized in that, when described terminal need be carried out switching between the base station, the target BS that switch as described terminal described base station, described target BS receives the distance measurement request message from described terminal, wherein, carry described safe calculated value in the described distance measurement request message.
8. method according to claim 1, it is characterized in that, need carry out switching between the base station in described terminal, and during the target BS that switch as described terminal described base station, described target BS receives the described safe calculated value that described terminal sends in switching command message via described serving BS.
9. method according to claim 1 is characterized in that, when described terminal exitted from idle mode network re-entry, described base station received the distance measurement request message from described terminal, wherein, carries described safe calculated value in the described distance measurement request message.
10. according to each described method in the claim 1 to 9, it is characterized in that it is one of following that described safe calculated value comprises at least:
Cryptographic Hash, cryptographic calculation value, wherein, described cryptographic Hash is calculated according to one of following algorithm: letter disappear digest algorithm, safety hash algorithm, cipher block chaining message authentication code calculation, Dot16KDF algorithm.
11., it is characterized in that it is one of following that described air interface key comprises at least according to each described method in the claim 1 to 9:
Authorization key, message integrity protection key, traffic encryption key, key-encrypting key.
12. the protective device of a terminal privacy is characterized in that, comprising:
First receiver module, be arranged on base station side, be used for when terminal initial networking or network re-entry, reception is from the distance measurement request message of described terminal, wherein, carry the safe calculated value of the Media Access Control Address that described terminal calculates in the described distance measurement request message, described safe calculated value is used to protect real terminal media access control address and identifies described terminal;
First computing module is arranged on base station side, is used for after described terminal completes successfully authenticated/authorized, and the described safe calculated value that uses described first receiver module to receive calculates air interface key.
13. device according to claim 12 is characterized in that, also comprises:
First sending module is arranged on base station side, is used for sending ranging response message to described terminal, and carries described safe calculated value therein and belong to described terminal to indicate described ranging response message;
Second receiver module, be arranged on base station side, be used to receive login request message, wherein from described terminal, carry the described Media Access Control Address of described terminal in the described login request message, described login request message is encrypted according to described air interface key by described terminal;
Second computing module is arranged on end side, is used to calculate the described safe calculated value of described Media Access Control Address;
Second sending module is arranged on end side, is used for sending distance measurement request message to described base station;
The 3rd computing module is arranged on end side, is used to use described safe calculated value to calculate described air interface key.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2009101593412A CN101610511A (en) | 2009-07-08 | 2009-07-08 | The guard method of terminal privacy and device |
| PCT/CN2010/075041 WO2011003352A1 (en) | 2009-07-08 | 2010-07-07 | Method and device for protecting terminal privacy |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2009101593412A CN101610511A (en) | 2009-07-08 | 2009-07-08 | The guard method of terminal privacy and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN101610511A true CN101610511A (en) | 2009-12-23 |
Family
ID=41484042
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNA2009101593412A Pending CN101610511A (en) | 2009-07-08 | 2009-07-08 | The guard method of terminal privacy and device |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN101610511A (en) |
| WO (1) | WO2011003352A1 (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2011003352A1 (en) * | 2009-07-08 | 2011-01-13 | 中兴通讯股份有限公司 | Method and device for protecting terminal privacy |
| CN102196532A (en) * | 2010-03-05 | 2011-09-21 | 中兴通讯股份有限公司 | Network access method and system |
| CN110177371A (en) * | 2019-04-04 | 2019-08-27 | 阿里巴巴集团控股有限公司 | The method and device of generating device identification information |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2017026930A1 (en) * | 2015-08-11 | 2017-02-16 | Telefonaktiebolaget Lm Ericsson (Publ) | Methods and devices for privacy enhancement in networks |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1677919A (en) * | 2004-03-29 | 2005-10-05 | 三洋电机株式会社 | Radio transmission device, mutual authentication method and mutual authentication program |
| WO2008153284A2 (en) * | 2007-06-14 | 2008-12-18 | Lg Electronics Inc. | Method for providing confidentiality protection of control signaling using certificate |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100521820C (en) * | 2005-08-23 | 2009-07-29 | 华为技术有限公司 | Method for checking distance measurement requirement information and wireless access network |
| CN101610511A (en) * | 2009-07-08 | 2009-12-23 | 中兴通讯股份有限公司 | The guard method of terminal privacy and device |
-
2009
- 2009-07-08 CN CNA2009101593412A patent/CN101610511A/en active Pending
-
2010
- 2010-07-07 WO PCT/CN2010/075041 patent/WO2011003352A1/en active Application Filing
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1677919A (en) * | 2004-03-29 | 2005-10-05 | 三洋电机株式会社 | Radio transmission device, mutual authentication method and mutual authentication program |
| WO2008153284A2 (en) * | 2007-06-14 | 2008-12-18 | Lg Electronics Inc. | Method for providing confidentiality protection of control signaling using certificate |
Non-Patent Citations (1)
| Title |
|---|
| 冯成燕: "《Proposed AWD Text for AMS Privacy in IEEE 802.16m》", 《IEEE C80216M-09_1262R1》 * |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2011003352A1 (en) * | 2009-07-08 | 2011-01-13 | 中兴通讯股份有限公司 | Method and device for protecting terminal privacy |
| CN102196532A (en) * | 2010-03-05 | 2011-09-21 | 中兴通讯股份有限公司 | Network access method and system |
| CN110177371A (en) * | 2019-04-04 | 2019-08-27 | 阿里巴巴集团控股有限公司 | The method and device of generating device identification information |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2011003352A1 (en) | 2011-01-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11122428B2 (en) | Transmission data protection system, method, and apparatus | |
| EP2528268B3 (en) | Cyptographic key generation | |
| EP2320597B1 (en) | Method of cryptographic synchronization | |
| US8397071B2 (en) | Generation method and update method of authorization key for mobile communication | |
| EP2288195B1 (en) | Method and apparatus for operating a base station in a wireless communication system | |
| US8959333B2 (en) | Method and system for providing a mesh key | |
| KR101038096B1 (en) | Secure key authentication method for binary cdma network | |
| US8380980B2 (en) | System and method for providing security in mobile WiMAX network system | |
| CN101771992B (en) | Method, equipment and system for protection of confidentiality of international mobile subscriber identifier IMSI | |
| CN100488281C (en) | Method for acquring authentication cryptographic key context from object base station | |
| CN102084608A (en) | Method of supporting location privacy | |
| CN101631306A (en) | Updating method of air key, terminal and base station | |
| CN1801705B (en) | Pre-authentication method | |
| AU2010284792B2 (en) | Method and apparatus for reducing overhead for integrity check of data in wireless communication system | |
| CN101610511A (en) | The guard method of terminal privacy and device | |
| US20170272405A1 (en) | Security Improvements in a Wireless Data Exchange Protocol | |
| CN101742492B (en) | Key processing method and system | |
| CN104507065B (en) | Non-repudiation charging method in heterogeneous wireless network | |
| CN101510825B (en) | Protection method and system for management message | |
| Huang et al. | Improving Security Levels of IEEE802. 16e Authentication by Involving Diffie-Hellman PKDS. | |
| CN1964259B (en) | A method to manage secret key in the course of switch-over | |
| KR100330418B1 (en) | Authentication Method in Mobile Communication Environment | |
| CN101668289B (en) | Method and system for updating air interface secret key in wireless communication system | |
| CN101588576A (en) | Method and a system for protecting terminal privacy in wireless communication system | |
| CN101583130B (en) | The generation method and apparatus of air interface key |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C12 | Rejection of a patent application after its publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20091223 |