CN102065421A - Method, device and system for updating key - Google Patents

Publication number
CN102065421A
Authority
CN
China
Prior art keywords
key
naf
subscriber equipment
random number
business cipher
Legal status
Granted
Application number
CN2009102378201A
Other languages
Chinese (zh)
Other versions
CN102065421B (en)
Inventor
彭华熹
Current Assignee
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Application filed by China Mobile Communications Group Co Ltd
Priority to CN200910237820.1A
Publication of CN102065421A
Application granted
Publication of CN102065421B
Current legal status: Active

Abstract

The embodiment of the invention discloses a method for updating a key. The method comprises the following steps: receiving a bootstrapping service identifier from a network application function (NAF) and querying, according to the bootstrapping service identifier, whether a root key is within its validity period; if the root key is not within its validity period, returning an error message to the user equipment (UE) through the NAF and having the NAF initiate generic bootstrapping architecture (GBA) with the UE; and if the root key is within its validity period, generating a random number, obtaining a service key according to the random number, and sending the service key, the validity period of the service key and the random number to the NAF, so that the NAF carries out two-way authentication with the UE according to the service key and the random number. The embodiment of the invention reduces the load of the bootstrapping server function (BSF) and the load of the service server. The embodiment of the invention also discloses a device and a system applying the method.

Description

Method, device and system for updating a key
Technical field
The present invention relates to the field of communication technology, and in particular to a method, device and system for updating a key.
Background art
With the development of communication technology, communication systems place increasingly high requirements on network security, and using a shared key is an important means of ensuring network security. The GBA (Generic Bootstrapping Architecture) defined by 3GPP (3rd Generation Partnership Project) provides a general mechanism for establishing a shared key between a UE (User Equipment) and a server; this mechanism is based on the AKA (Authentication and Key Agreement) authentication mechanism. AKA is a mutual authentication and key agreement mechanism used in 2G (second-generation mobile communication)/3G (third-generation mobile communication) networks, and it can complete the secure service bootstrapping procedure in GBA.
GBA also introduces a new network element, the BSF (Bootstrapping Server Function); the UE and the HSS (Home Subscriber Server) carry out key agreement using AKA through the BSF. After AKA completes, the BSF and the UE have negotiated a session key. The NAF (Network Application Function) obtains the session key and user-related information from the BSF, establishes a shared key with the UE, and uses this shared key to provide security protection for application services, in particular mutual authentication between the UE and the NAF at the start of an application service session; the shared key can also be used for confidentiality protection or integrity verification. The communication between the UE and the BSF, between the NAF and the BSF, and between the BSF and the HSS is independent of the specific application. Because the number of network elements that obtain authentication vectors from the HSS should be as small as possible, the introduction of the BSF reduces the number of network elements that obtain authentication vectors from the HSS.
Fig. 1 is a schematic diagram of the GBA network model. The BSF obtains the name of the HSS that stores the relevant user data by querying the SLF (Subscription Locator Function); no SLF is needed in a single-HSS environment. In addition, when the BSF is configured to use a pre-designated HSS, the SLF is not required either. In a 2G network, the HSS is the HLR (Home Location Register).
The 3G GBA procedure defined by 3GPP also applies to the 2G GBA procedure based on the SIM (Subscriber Identity Module) card. The 3G GBA procedure based on the USIM (Universal Subscriber Identity Module) card comprises a GBA initialization flow and a service access flow. Fig. 2 is the prior-art GBA initialization flowchart, which comprises the following steps:
Step 201: the UE sends a GBA initialization request to the BSF.
Step 202: the BSF fetches the AV (Authentication Vector) from the HSS over reference point Zh.
Here, AV = RAND (random number) || AUTN (authentication token) || XRES (expected response value) || CK (cipher key) || IK (integrity key).
Step 203: the HSS returns the authentication vector AV to the BSF.
Step 204: the BSF stores CK, IK and XRES, and sends RAND and AUTN to the UE in a 401 Unauthorized message, requiring the UE to authenticate the BSF.
Step 205: the UE sends RAND and AUTN to the USIM (Universal Subscriber Identity Module) card to verify AUTN and confirm that the received 401 Unauthorized message comes from an authorized network; at the same time, the UE calculates CK, IK and RES, and the calculation result is returned to the UE.
Step 206: the UE sends the challenge response RES to the BSF.
Step 207: the BSF verifies whether RES equals XRES, calculates the root key Ks = CK || IK, and generates the value of the B-TID (Bootstrapping Transaction Identifier, the bootstrapping service identifier).
The format of the B-TID is base64encode(RAND)@BSF_servers_domain_name.
Step 208: the BSF sends the UE a 200 OK message that contains the B-TID and indicates successful authentication; in the 200 OK message, the BSF also provides the lifetime of Ks.
Step 209: the UE calculates Ks = CK || IK and stores Ks and the lifetime of Ks.
After GBA initialization is complete, the service access stage can begin. Fig. 3 is the prior-art service access flowchart, which comprises the following steps:
Step 301: when the UE needs to access the service platform NAF, the UE sends the B-TID to the NAF.
Step 302: the NAF queries locally, according to the B-TID, whether a service key Ks_NAF exists; if no Ks_NAF exists locally, perform step 303; if a Ks_NAF exists locally, perform step 308.
Step 303: the NAF queries the BSF for Ks_NAF according to the B-TID.
Step 304: the BSF queries, according to the B-TID, whether Ks has exceeded its validity period; if Ks has exceeded its validity period, perform step 305; if Ks has not exceeded its validity period, perform step 307.
Step 305: the BSF returns an error message to the NAF.
Step 306: the NAF returns an error message to the UE, requiring the UE to initiate the GBA initialization procedure.
Step 307: the BSF calculates Ks_NAF and returns Ks_NAF and the validity period of Ks_NAF to the NAF.
Specifically, Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), where KDF is the key derivation function, IMPI (IP Multimedia Private Identity) is the identity used by the IMS (IP Multimedia Subsystem), and NAF_Id is the identifier of the service platform.
Step 308: the NAF receives and stores Ks_NAF and its validity period.
Step 309: the NAF checks whether Ks_NAF is within its validity period; if Ks_NAF is not within its validity period, perform step 310; if Ks_NAF is within its validity period, perform step 311.
Step 310: the NAF returns an error message to the UE, requiring the UE to carry out the GBA initialization procedure.
Step 311: the NAF sends an authentication challenge to the UE.
Step 312: the UE calculates Ks_NAF and uses Ks_NAF to carry out the HTTP Digest (Hypertext Transfer Protocol Digest) two-way authentication flow with the NAF.
Here, Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), and all subsequent service messages are protected by the HTTP Digest secure channel.
In the above flow, the GBA root key Ks is negotiated and stored between the UE and the BSF; this Ks is used to derive a separate Ks_NAF for each service platform NAF, and the UE stores multiple Ks_NAF keys and their validity periods. In general, the validity period of Ks is longer than that of Ks_NAF. Because Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), when a Ks_NAF is no longer within its validity period and needs to be updated, Ks must also be updated. A single UE may run multiple applications that use GBA; each of these applications needs to use Ks to derive its own Ks_NAF, and each is assigned a corresponding Ks_NAF validity period.
Fig. 4 is a schematic diagram of key updating in the prior art. The validity period of the Ks and B-TID negotiated during GBA initialization is 0 to 7, which is 2 times the validity period of Ks_NAF; the validity periods of Ks_NAF1, Ks_NAF2 and Ks_NAF3, allocated for NAF1, NAF2 and NAF3, are 1 to 4, 2 to 5 and 4.5 to 6 respectively.
When Ks_NAF1 expires, the GBA initialization procedure is triggered at time point 4 and updates Ks and B-TID to Ks1 and B-TID1. Because the B-TID has changed, the Ks_NAF2 shared by the UE and NAF2 also has to be updated at time point 4, that is, a new Ks_NAF2_1 is derived from Ks1. When Ks_NAF3 expires, the GBA initialization procedure is triggered again at time point 6 and updates to Ks_2 and B-TID2, so the UE derives a new Ks_NAF3_1. When Ks_NAF3_1 expires, the GBA initialization procedure is triggered at time point 8.
In the course of realizing the present invention, the inventor found that the prior art has at least the following defect:
The root key Ks is constrained by the validity period of the service key Ks_NAF and is continually updated, which causes the UE to access the BSF frequently and also causes frequent updates of the service key Ks_NAF, increasing the load on the BSF and on the service server.
Summary of the invention
The embodiment of the invention provides a method, device and system for updating a key, used to reduce the load on the BSF and on the service server.
The embodiment of the invention provides a method for updating a key, comprising the following steps:
receiving a bootstrapping service identifier from a network application function (NAF), and querying, according to the bootstrapping service identifier, whether the root key is within its validity period;
if the root key is not within its validity period, returning an error message to the user equipment through the NAF, and carrying out generic bootstrapping architecture (GBA) initialization with the user equipment; if the root key is within its validity period, generating a random number, obtaining a service key according to the random number, and sending the service key, the validity period of the service key and the random number to the NAF, so that the NAF carries out two-way authentication with the user equipment according to the service key and the random number.
Preferably, before the bootstrapping service identifier is received from the NAF, the method further comprises:
the NAF receives the bootstrapping service identifier from the user equipment and finds, according to the bootstrapping service identifier, that no service key exists locally or that the service key is not within its validity period.
Preferably, the NAF carrying out two-way authentication with the user equipment according to the service key and the random number specifically comprises:
the NAF receives and stores the service key, the validity period of the service key and the random number, and sends an authentication request and the random number to the user equipment;
the user equipment calculates the service key according to the received random number, and carries out two-way authentication with the NAF according to the calculated service key.
Preferably, carrying out GBA initialization with the user equipment specifically comprises:
receiving a GBA initialization request from the user equipment, obtaining an authentication vector from the home subscriber server (HSS), and requiring the user equipment to authenticate according to the authentication vector;
receiving a challenge response from the user equipment, verifying the challenge response, obtaining a root key and a bootstrapping service identifier, and sending the bootstrapping service identifier and the validity period of the root key to the user equipment, so that the user equipment obtains the root key and the validity period of the root key.
The embodiment of the invention also provides a device for updating a key, comprising:
a query module, used to receive a bootstrapping service identifier from the NAF and to query, according to the bootstrapping service identifier, whether the root key is within its validity period;
an initialization module, used to return an error message to the user equipment through the NAF and to carry out GBA initialization with the user equipment when the query module finds that the root key is not within its validity period;
an acquisition module, used to generate a random number and obtain a service key according to the random number when the query module finds that the root key is within its validity period;
a sending module, used to send the service key obtained by the acquisition module, the validity period of the service key and the random number to the NAF, so that the NAF carries out two-way authentication with the user equipment according to the service key and the random number.
Preferably, the initialization module is specifically used to receive a GBA initialization request from the user equipment, obtain an authentication vector from the HSS, and require the user equipment to authenticate according to the authentication vector; and to receive a challenge response from the user equipment, verify the challenge response, obtain a root key and a bootstrapping service identifier, and send the bootstrapping service identifier and the validity period of the root key to the user equipment, so that the user equipment obtains the root key and the validity period of the root key.
The embodiment of the invention also provides a system for updating a key, comprising a NAF entity and a bootstrapping server function (BSF) entity, wherein:
the NAF entity is used to query the BSF entity for a service key according to the bootstrapping service identifier, to receive the service key, the validity period of the service key and the random number from the BSF entity, and to carry out two-way authentication with the user equipment according to the service key and the random number;
the BSF entity receives the bootstrapping service identifier from the NAF entity and queries, according to the bootstrapping service identifier, whether the root key is within its validity period; if the root key is not within its validity period, it returns an error message to the user equipment through the NAF entity and carries out GBA initialization with the user equipment; if the root key is within its validity period, it generates a random number, obtains a service key according to the random number, and sends the service key, the validity period of the service key and the random number to the NAF entity.
Preferably, the NAF entity is also used to receive the bootstrapping service identifier from the user equipment and to query, according to the bootstrapping service identifier, whether a service key exists locally and whether the service key is within its validity period.
Preferably, the NAF entity is specifically used to query the BSF entity for a service key according to the bootstrapping service identifier, to receive and store the service key, the validity period of the service key and the random number, and to send an authentication request and the random number to the user equipment, so that the user equipment calculates the service key according to the received random number and carries out two-way authentication according to the calculated service key.
Preferably, the BSF entity is specifically used to receive the bootstrapping service identifier from the NAF entity and to query, according to the bootstrapping service identifier, whether the root key is within its validity period. If the root key is not within its validity period, it receives a GBA initialization request from the user equipment, obtains an authentication vector from the HSS, requires the user equipment to authenticate according to the authentication vector, receives a challenge response from the user equipment, verifies the challenge response, obtains a root key and a bootstrapping service identifier, and sends the bootstrapping service identifier and the validity period of the root key to the user equipment, so that the user equipment obtains the root key and the validity period of the root key. If the root key is within its validity period, it generates a random number, obtains a service key according to the random number, and sends the service key, the validity period of the service key and the random number to the NAF entity.
Compared with the prior art, the embodiment of the invention has the following advantages: when the root key Ks is within its validity period and the service key Ks_NAF has expired, the embodiment re-allocates a service key Ks_NAF to the NAF, which avoids frequent updates of Ks while it has not expired, also avoids frequent updates of Ks_NAF, and reduces the key update load on the BSF and the NAF.
Description of drawings
In order to explain the technical solutions of the embodiment of the invention or of the prior art more clearly, the drawings needed in the description of the embodiment or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the GBA network model;
Fig. 2 is the prior-art GBA initialization flowchart;
Fig. 3 is the prior-art service access flowchart;
Fig. 4 is a schematic diagram of key updating in the prior art;
Fig. 5 is a flowchart of a method for updating a key in the embodiment of the invention;
Fig. 6 is a flowchart of key updating in an application scenario of the embodiment of the invention;
Fig. 7 is a schematic diagram of key updating in an application scenario of the embodiment of the invention;
Fig. 8 is a schematic structural diagram of a device for updating a key in the embodiment of the invention;
Fig. 9 is a schematic structural diagram of a system for updating a key in the embodiment of the invention.
Detailed description of the embodiments
The core idea of the technical solution provided by the embodiment of the invention is as follows. The NAF receives the bootstrapping service identifier from the user equipment and, when it finds according to this identifier that no service key exists locally or that the service key is not within its validity period, queries the BSF for the root key. The BSF receives the bootstrapping service identifier from the NAF and queries, according to this identifier, whether the root key is within its validity period. If the root key is not within its validity period, an error message is returned to the user equipment and generic bootstrapping architecture (GBA) initialization is carried out with the user equipment. If the root key is within its validity period, a random number is generated, a service key is obtained according to the random number, and the service key, the validity period of the service key and the random number are sent to the NAF, so that the NAF carries out two-way authentication with the user equipment according to the service key and the random number.
The technical solution of the embodiment of the invention is described clearly and completely below with reference to the drawings of the embodiment. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 5 is a flowchart of a method for updating a key in the embodiment of the invention, which comprises the following steps:
Step 501: receive a bootstrapping service identifier from the NAF, and query, according to this identifier, whether the root key is within its validity period. If the root key is not within its validity period, perform step 502; if the root key is within its validity period, perform step 503.
Step 502: return an error message to the user equipment through the NAF, and carry out GBA initialization with the user equipment.
Step 503: generate a random number, obtain a service key according to the random number, and send the service key, the validity period of the service key and the random number to the NAF, so that the NAF carries out two-way authentication with the user equipment according to the service key and the random number.
When the root key Ks is within its validity period and the service key Ks_NAF has expired, the embodiment of the invention re-allocates a service key Ks_NAF to the NAF, which avoids frequent updates of Ks while it has not expired, also avoids frequent updates of Ks_NAF, and reduces the key update load on the BSF and the NAF.
The key updating method of the embodiment of the invention is described in detail below in a concrete application scenario.
Fig. 6 is a flowchart of key updating in an application scenario of the embodiment of the invention, which specifically comprises the following steps:
Step 601: when accessing the NAF, the UE sends the B-TID to the NAF.
Step 602: the NAF queries, according to the B-TID, whether a Ks_NAF exists locally; if no Ks_NAF exists locally, perform step 603; if a Ks_NAF exists locally, perform step 608.
Step 603: the NAF queries the BSF for Ks_NAF according to the B-TID.
Step 604: the BSF queries, according to the B-TID, whether Ks is within its validity period; if Ks is not within its validity period, perform step 605; if Ks is within its validity period, perform step 607.
Step 605: the BSF returns an error message to the NAF.
Step 606: the NAF returns an error message to the UE, requiring the UE to initiate the GBA initialization procedure.
Step 607: the BSF randomly generates a random number R and calculates Ks_NAF according to R.
Here, Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id, R).
Step 608: the BSF returns Ks_NAF, R and the validity period of Ks_NAF to the NAF, so that the NAF receives and stores Ks_NAF, R and the validity period of Ks_NAF.
Step 609: the NAF checks whether Ks_NAF is within its validity period; if Ks_NAF is not within its validity period, perform step 610; if Ks_NAF is within its validity period, perform step 615.
Step 610: the NAF queries the BSF for Ks_NAF according to the B-TID.
Step 611: the BSF queries, according to the B-TID, whether Ks is within its validity period; if Ks is within its validity period, perform step 612; if Ks is not within its validity period, perform step 614.
Step 612: the BSF returns an error message to the NAF.
Step 613: the NAF returns an error to the UE, requiring the UE to initiate the GBA initialization procedure.
Step 614: the BSF randomly generates a random number R and calculates Ks_NAF according to R.
Here, Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id, R); the updated Ks_NAF is shown in Fig. 7.
Step 615: the BSF returns Ks_NAF, R and the validity period of Ks_NAF to the NAF, so that the NAF receives and stores Ks_NAF, R and the validity period of Ks_NAF.
Step 616: the NAF sends an authentication challenge and R to the UE.
Step 617: after receiving the authentication challenge and R, the UE calculates Ks_NAF and uses Ks_NAF to carry out the HTTP Digest two-way authentication flow with the NAF.
Here, Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id, R), and all subsequent service messages are protected by the HTTP Digest secure channel.
When the root key Ks is within its validity period and the service key Ks_NAF has expired, the embodiment of the invention re-allocates a service key Ks_NAF to the NAF, which avoids frequent updates of Ks while it has not expired, also avoids frequent updates of Ks_NAF, and reduces the key update load on the BSF and the NAF.
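The following Python sketch is an added example, not code from the patent: it models the BSF decision of steps 604 to 607 and the UE-side derivation of step 617, showing that a fresh R yields a new Ks_NAF while Ks and the B-TID stay unchanged. The KDF encoding (HMAC-SHA-256 over length-prefixed parameters, with R appended as the last parameter), the class and function names, the example.org identities, the key bytes and the 3-unit Ks_NAF lifetime are all assumptions; the patent only states Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id, R).

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def kdf(ks: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256 keyed with Ks over FC || P0 || L0 || P1 || L1 || ...

    Each Li is the 2-byte big-endian length of Pi, so parameter boundaries
    are unambiguous. This encoding is an assumption of the example.
    """
    s = b"\x01"  # FC octet (assumed value)
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(ks, s, hashlib.sha256).digest()


def derive_ks_naf(ks: bytes, rand: bytes, impi: str, naf_id: bytes, r: bytes) -> bytes:
    # Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id, R); run by both BSF and UE.
    return kdf(ks, b"gba-me", rand, impi.encode(), naf_id, r)


@dataclass
class Bootstrap:
    """What the BSF keeps per B-TID after GBA initialization."""
    ks: bytes
    rand: bytes
    impi: str
    ks_expiry: float


class KsExpired(Exception):
    """Steps 605/606: the NAF must tell the UE to rerun GBA initialization."""


class Bsf:
    KS_NAF_LIFETIME = 3.0  # constructed value, in the time units of Fig. 4

    def __init__(self) -> None:
        self.sessions: dict[str, Bootstrap] = {}

    def service_key(self, b_tid: str, naf_id: bytes, now: float):
        ctx = self.sessions.get(b_tid)
        if ctx is None or now >= ctx.ks_expiry:    # step 604: Ks not valid
            raise KsExpired(b_tid)
        r = secrets.token_bytes(16)                # step 607: fresh random R
        ks_naf = derive_ks_naf(ctx.ks, ctx.rand, ctx.impi, naf_id, r)
        # Assumption, not stated in the patent: Ks_NAF never outlives Ks.
        expiry = min(now + self.KS_NAF_LIFETIME, ctx.ks_expiry)
        return ks_naf, r, expiry                   # step 608: returned to NAF


def demo() -> dict:
    # Constructed sample values; Ks is valid from 0 to 7 as in Fig. 4.
    rand, ks, impi = bytes(range(16)), bytes(range(32)), "user@example.org"
    b_tid = base64.b64encode(rand).decode() + "@bsf.example.org"
    naf_id = b"naf1.example.org"
    bsf = Bsf()
    bsf.sessions[b_tid] = Bootstrap(ks, rand, impi, ks_expiry=7.0)

    k1, r1, exp1 = bsf.service_key(b_tid, naf_id, now=1.0)
    # Ks_NAF expired at 4.0: the NAF asks again under the same B-TID and Ks.
    k2, r2, exp2 = bsf.service_key(b_tid, naf_id, now=4.0)
    # Step 617: the UE receives R from the NAF in the clear and derives the
    # same key; R is a freshness input, the secrecy rests on Ks.
    ue_k2 = derive_ks_naf(ks, rand, impi, naf_id, r2)
    try:
        bsf.service_key(b_tid, naf_id, now=7.5)
        expired = False
    except KsExpired:
        expired = True
    return {
        "keys_differ": k1 != k2,
        "ue_matches": hmac.compare_digest(ue_k2, k2),
        "expiries": (exp1, exp2),
        "ks_expired_rejected": expired,
        "key_len": len(k2),
    }


if __name__ == "__main__":
    print(demo())
```

Because R travels unprotected in the authentication challenge, the NAF and UE should treat it only as a diversifier; a UE that accepts a replayed R simply re-derives a Ks_NAF the NAF no longer holds, and the HTTP Digest exchange fails.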
The above embodiments provide the key updating method and its application scenario; correspondingly, the embodiment of the invention also provides a device and a system that use the above key updating method.
Fig. 8 is a schematic structural diagram of a device for updating a key in the embodiment of the invention, which comprises:
a query module 810, used to receive a bootstrapping service identifier from the NAF and to query, according to the bootstrapping service identifier, whether the root key is within its validity period;
an initialization module 820, used to return an error message to the user equipment through the NAF and to carry out GBA initialization with the user equipment when the query module 810 finds that the root key is not within its validity period;
an acquisition module 830, used to generate a random number and obtain a service key according to the random number when the query module 810 finds that the root key is within its validity period;
a sending module 840, used to send the service key obtained by the acquisition module 830, the validity period of the service key and the random number to the NAF, so that the NAF carries out two-way authentication with the user equipment according to the service key and the random number.
The initialization module 820 is specifically used to receive a GBA initialization request from the user equipment, obtain an authentication vector from the HSS, and require the user equipment to authenticate according to the authentication vector; and to receive a challenge response from the user equipment, verify the challenge response, obtain a root key and a bootstrapping service identifier, and send the bootstrapping service identifier and the validity period of the root key to the user equipment, so that the user equipment obtains the root key and the validity period of the root key.
When the root key Ks is within its validity period and the service key Ks_NAF has expired, the embodiment of the invention re-allocates a service key Ks_NAF to the NAF, which avoids frequent updates of Ks while it has not expired, also avoids frequent updates of Ks_NAF, and reduces the key update load on the BSF and the NAF.
As shown in Figure 9, be the system configuration schematic diagram of a kind of more new key in the embodiment of the invention, comprise NAF entity 910 and guide service function BSF entity 920, wherein,
Described NAF entity 910, be used for according to the guide service sign to described BSF entity 920 inquiry business keys, reception is from the term of validity and the random number of the business cipher key of described BSF entity, described business cipher key, carries out bi-directional authentification according to described business cipher key and described random number and described subscriber equipment;
According to described guide service sign inquiry root key before the deadline whether described BSF entity 920 receives the described guide service sign from described NAF entity 910; If described root key is not before the deadline, then returns error message to subscriber equipment, and carry out the GBA initialization with described subscriber equipment by described NAF entity 920; If described root key is before the deadline, then generate random number, obtain business cipher key according to described random number, and the term of validity and the described random number of described business cipher key, described business cipher key sent to described NAF entity 910.
The NAF entity 910 is also configured to receive the bootstrapping service identifier from the user equipment and, according to that identifier, to query whether a service key exists locally and whether that service key is within its validity period.
The NAF entity 910 is specifically configured to query the BSF entity 920 for the service key according to the bootstrapping service identifier; to receive and store the service key, the validity period of the service key and the random number; and to send an authentication request and the random number to the user equipment, so that the user equipment computes the service key from the received random number and performs mutual authentication according to the computed service key.
The BSF entity 920 is specifically configured to receive the bootstrapping service identifier from the NAF entity 910 and to query, according to that identifier, whether the root key is within its validity period. If the root key is not within its validity period, the BSF entity receives a GBA initialization request from the user equipment, obtains an authentication vector from the HSS, requires the user equipment to authenticate according to the authentication vector, receives the challenge response from the user equipment, verifies the challenge response, obtains a root key and a bootstrapping service identifier, and sends the bootstrapping service identifier and the validity period of the root key to the user equipment, so that the user equipment obtains the root key and the validity period of the root key. If the root key is within its validity period, the BSF entity generates a random number, obtains a service key according to the random number, and sends the service key, the validity period of the service key and the random number to the NAF entity.
In the embodiment of the invention, when the root key Ks is within its validity period but the service key Ks_NAF has become invalid, a new service key Ks_NAF is allocated to the NAF. This avoids frequently updating Ks while it has not expired, and also avoids frequently updating Ks_NAF, which reduces the key-update load on the BSF and the NAF.
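The decision the BSF entity makes and the service-key refresh that follows can be sketched as below. This is an added example, not code from the patent: the HMAC-SHA256 derivation, the HMAC challenge-response used for mutual authentication, the one-hour lifetime, the rule that a service key never outlives its root key, and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVICE_KEY_LIFETIME = 3600  # seconds; assumed value, the page gives none


def derive_service_key(ks: bytes, rand: bytes, naf_id: bytes) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA256 keyed with the root key Ks."""
    return hmac.new(ks, b"ks_naf|" + rand + b"|" + naf_id, hashlib.sha256).digest()


class BSF:
    """Holds root keys indexed by bootstrapping service identifier."""

    def __init__(self):
        self.root_keys = {}  # identifier -> (Ks, expiry as epoch seconds)

    def query_service_key(self, btid, naf_id, now=None):
        now = time.time() if now is None else now
        entry = self.root_keys.get(btid)
        if entry is None or entry[1] <= now:
            # Root key missing or expired: the NAF returns an error to the UE,
            # which then runs a full GBA initialization.
            return {"status": "rebootstrap"}
        ks, ks_expiry = entry
        rand = secrets.token_bytes(16)  # fresh random number per refresh
        # Assumed policy: the service key never outlives its root key.
        expiry = min(now + SERVICE_KEY_LIFETIME, ks_expiry)
        return {"status": "ok", "ks_naf": derive_service_key(ks, rand, naf_id),
                "expiry": expiry, "rand": rand}


def proof(ks_naf: bytes, role: bytes, nonce: bytes) -> bytes:
    """Proof of possession of Ks_NAF, bound to the sender's role (assumed)."""
    return hmac.new(ks_naf, role + nonce, hashlib.sha256).digest()


def run_update(bsf, btid, naf_id, ue_ks, now=None):
    """NAF-side flow when its local service key is missing or expired."""
    reply = bsf.query_service_key(btid, naf_id, now)
    if reply["status"] != "ok":
        return "rebootstrap"
    nonce = secrets.token_bytes(16)  # sent with the authentication request
    # The UE recomputes the service key from its root key and the random number.
    ue_key = derive_service_key(ue_ks, reply["rand"], naf_id)
    ue_proof = proof(ue_key, b"UE", nonce)
    naf_proof = proof(reply["ks_naf"], b"NAF", nonce)
    ue_ok = hmac.compare_digest(ue_proof, proof(reply["ks_naf"], b"UE", nonce))
    naf_ok = hmac.compare_digest(naf_proof, proof(ue_key, b"NAF", nonce))
    return "authenticated" if ue_ok and naf_ok else "auth_failed"
```

Only the random number travels to the user equipment; the service key itself is sent from the BSF to the NAF and is recomputed locally on the device.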
From the description of the above embodiments, those skilled in the art will clearly understand that the present invention can be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better implementation. Based on this understanding, the essence of the technical solution of the embodiments of the invention, or the part of it that contributes over the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes a number of instructions that cause a terminal device (which may be a mobile phone, a personal computer, a server, a network device, or the like) to execute the methods described in the embodiments of the invention.
The above is only a preferred implementation of the present invention. It should be pointed out that those of ordinary skill in the art may make improvements and modifications without departing from the principle of the embodiments of the invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.
Those skilled in the art will appreciate that the modules of the device in an embodiment may be distributed in the device of the embodiment as described, or may be changed accordingly and located in one or more devices different from that of the present embodiment. The modules of the above embodiments may be integrated into one or deployed separately; they may be merged into a single module or further split into a plurality of submodules.
The sequence numbers of the above embodiments are for description only and do not indicate the relative merits of the embodiments.
The above discloses only several specific embodiments of the present invention. The present invention is not limited to them, however, and any variation that those skilled in the art can conceive of shall fall within the protection scope of the present invention.

Claims (10)

1. A method for updating a key, characterized in that it comprises the following steps:
receiving a bootstrapping service identifier from a network application function (NAF), and querying, according to the bootstrapping service identifier, whether a root key is within its validity period;
if the root key is not within its validity period, returning an error message to the user equipment through the NAF, and carrying out generic bootstrapping architecture (GBA) initialization with the user equipment; if the root key is within its validity period, generating a random number, obtaining a service key according to the random number, and sending the service key, the validity period of the service key and the random number to the NAF, so that the NAF carries out mutual authentication with the user equipment according to the service key and the random number.
2. The method of claim 1, characterized in that, before the receiving of the bootstrapping service identifier from the NAF, the method further comprises:
the NAF receiving the bootstrapping service identifier from the user equipment and determining, according to the bootstrapping service identifier, that no service key exists locally or that the service key is not within its validity period.
3. The method of claim 1, characterized in that the NAF carrying out mutual authentication with the user equipment according to the service key and the random number specifically comprises:
the NAF receiving and storing the service key, the validity period of the service key and the random number, and sending an authentication request and the random number to the user equipment;
the user equipment computing the service key according to the received random number, and carrying out mutual authentication with the NAF according to the computed service key.
4. The method of claim 1, characterized in that the carrying out of GBA initialization with the user equipment specifically comprises:
receiving a GBA initialization request from the user equipment, obtaining an authentication vector from a home subscriber server (HSS), and requiring the user equipment to authenticate according to the authentication vector;
receiving a challenge response from the user equipment, verifying the challenge response, obtaining a root key and a bootstrapping service identifier, and sending the bootstrapping service identifier and the validity period of the root key to the user equipment, so that the user equipment obtains the root key and the validity period of the root key.
5. A device for updating a key, characterized in that it comprises:
a query module, configured to receive a bootstrapping service identifier from a NAF and to query, according to the bootstrapping service identifier, whether a root key is within its validity period;
an initialization module, configured to, when the query module finds that the root key is not within its validity period, return an error message to the user equipment through the NAF and carry out GBA initialization with the user equipment;
an acquisition module, configured to, when the query module finds that the root key is within its validity period, generate a random number and obtain a service key according to the random number;
a sending module, configured to send the service key obtained by the acquisition module, the validity period of the service key and the random number to the NAF, so that the NAF carries out mutual authentication with the user equipment according to the service key and the random number.
6. The device of claim 5, characterized in that
the initialization module is specifically configured to receive a GBA initialization request from the user equipment, obtain an authentication vector from the HSS, and require the user equipment to authenticate according to the authentication vector; and to receive a challenge response from the user equipment, verify the challenge response, obtain a root key and a bootstrapping service identifier, and send the bootstrapping service identifier and the validity period of the root key to the user equipment, so that the user equipment obtains the root key and the validity period of the root key.
7. A system for updating a key, characterized in that it comprises a NAF entity and a bootstrapping server function (BSF) entity, wherein
the NAF entity is configured to query the BSF entity for a service key according to a bootstrapping service identifier, to receive the service key, the validity period of the service key and a random number from the BSF entity, and to carry out mutual authentication with the user equipment according to the service key and the random number;
the BSF entity is configured to receive the bootstrapping service identifier from the NAF entity and to query, according to the bootstrapping service identifier, whether a root key is within its validity period; if the root key is not within its validity period, to return an error message to the user equipment through the NAF entity and carry out GBA initialization with the user equipment; and if the root key is within its validity period, to generate a random number, obtain a service key according to the random number, and send the service key, the validity period of the service key and the random number to the NAF entity.
8. The system of claim 7, characterized in that
the NAF entity is also configured to receive the bootstrapping service identifier from the user equipment and to query, according to the bootstrapping service identifier, whether a service key exists locally and whether the service key is within its validity period.
9. The system of claim 7, characterized in that
the NAF entity is specifically configured to query the BSF entity for the service key according to the bootstrapping service identifier; to receive and store the service key, the validity period of the service key and the random number; and to send an authentication request and the random number to the user equipment, so that the user equipment computes the service key according to the received random number and carries out mutual authentication according to the computed service key.
10. The system of claim 7, characterized in that
the BSF entity is specifically configured to receive the bootstrapping service identifier from the NAF entity and to query, according to the bootstrapping service identifier, whether the root key is within its validity period; if the root key is not within its validity period, to receive a GBA initialization request from the user equipment, obtain an authentication vector from the HSS, require the user equipment to authenticate according to the authentication vector, receive a challenge response from the user equipment, verify the challenge response, obtain a root key and a bootstrapping service identifier, and send the bootstrapping service identifier and the validity period of the root key to the user equipment, so that the user equipment obtains the root key and the validity period of the root key; and if the root key is within its validity period, to generate a random number, obtain a service key according to the random number, and send the service key, the validity period of the service key and the random number to the NAF entity.
CN200910237820.1A 2009-11-11 2009-11-11 Method, device and system for updating key Active CN102065421B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910237820.1A CN102065421B (en) 2009-11-11 2009-11-11 Method, device and system for updating key

Publications (2)

Publication Number Publication Date
CN102065421A true CN102065421A (en) 2011-05-18
CN102065421B CN102065421B (en) 2014-10-08

Family

ID=44000472

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910237820.1A Active CN102065421B (en) 2009-11-11 2009-11-11 Method, device and system for updating key

Country Status (1)

Country Link
CN (1) CN102065421B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007008120A1 (en) * 2005-07-07 2007-01-18 Telefonaktiebolaget Lm Ericsson (Publ) Method and arrangement for authentication and privacy
CN101043328A (en) * 2006-03-24 2007-09-26 华为技术有限公司 Cipher key updating method of universal leading frame
CN101331730A (en) * 2005-09-26 2008-12-24 诺基亚公司 Method and apparatus for refreshing keys within a bootstrapping architecture

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106534050A (en) * 2015-09-11 2017-03-22 中移(杭州)信息技术有限公司 Method and device for realizing key agreement of virtual private network (VPN)
CN108702615A (en) * 2016-02-12 2018-10-23 瑞典爱立信有限公司 Protection interface and process for establishing secure communications links
CN108702615B (en) * 2016-02-12 2022-08-05 瑞典爱立信有限公司 Protected interface and process for establishing a secure communication link
WO2020151581A1 (en) * 2019-01-21 2020-07-30 华为技术有限公司 Method and apparatus for generating key
CN112311543A (en) * 2020-11-17 2021-02-02 中国联合网络通信集团有限公司 GBA key generation method, terminal and NAF network element
CN112311543B (en) * 2020-11-17 2023-04-18 中国联合网络通信集团有限公司 GBA key generation method, terminal and NAF network element
CN113596830A (en) * 2021-07-27 2021-11-02 中国联合网络通信集团有限公司 Communication method, communication apparatus, electronic device, storage medium, and program product
CN113596830B (en) * 2021-07-27 2023-03-24 中国联合网络通信集团有限公司 Communication method, communication apparatus, electronic device, storage medium, and program product

Also Published As

Publication number Publication date
CN102065421B (en) 2014-10-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant