CN102611553A - Method for realizing digital signature, user equipment and core network node equipment - Google Patents
Method for realizing digital signature, user equipment and core network node equipment Download PDFInfo
- Publication number
- CN102611553A CN102611553A CN2011101775032A CN201110177503A CN102611553A CN 102611553 A CN102611553 A CN 102611553A CN 2011101775032 A CN2011101775032 A CN 2011101775032A CN 201110177503 A CN201110177503 A CN 201110177503A CN 102611553 A CN102611553 A CN 102611553A
- Authority
- CN
- China
- Prior art keywords
- pki
- digital signature
- sign
- access layer
- layer information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The embodiment of the invention discloses a method for realizing digital signatures, user equipment and core network node equipment, relates to the field of the information safety of a combination system, and aims at solving the problem that a digital signature realizing method is not specifically defined in the 3GPP (the 3rd generation partnership project) standard. A core network node of the invention issues a digital signature public key to the user equipment by a non-access layer message or an access layer message, meanwhile, the user equipment stores the digital signature public key, and the user equipment can verify a digital signature in a received alarm message by a digital signature algorithm and a locally-stored digital signature public key; and the invention defines an issuing method of the digital signature public key in details, so that the defect that the digital signature realizing method is not specifically defined in the 3GPP standard can be made up. The invention is mainly used for public alarm systems.
Description
Technical field
The present invention relates to the information security field of communication system, relate in particular to method, subscriber equipment and the core net node equipment of realizing digital signature.
Background technology
Public alarm system (PWS:Public Warning System) is used for system that the mankind's life and the damnous natural calamity of property or human accident are carried out alarm.In natural calamity, like flood, hurricane, or human accident, under the situation like chemical gas leakage, blast threat, nuclear threat, PWS can be used as a kind of of existing broadcast communication system replenished.The PWS service offers the user by telecom operators, and its content can be provided by warning message supply department (warning notification provider).When some disaster incident or accident generation, operator or warning message supply department produce alert message (warningnotification), and this message uses its network to send to the user by operator.
Because some alert messages of issue for example alarm information such as seismic sea wave possibly cause large-scale fear, so also higher to the security requirement of this type alert message.At present, the way of the security mechanism of the standard code of 3GPP is: alert message is carried out digital signature, and digital signature can be used for guaranteeing the integrality of alert message, guarantees that alert message comes from a believable source.The alert message that has carried out digital signature is broadcast to subscriber equipment (UE:User Equipment).UE will verify " digital signature " in the broadcast.If checking is passed through, UE can initiate alarm to the user, and issues the user to the content of alert message; If authentication failed, UE can notify the user rs authentication failure, and stops to User Alarms.
In 3GPP, realize just having defined the integrality that to protect alarm information with digital signature in the 3GPP standard in the process of above-mentioned PWS alarm, but how not concrete definition digital signature realizes.
Summary of the invention
Embodiments of the invention provide a kind of method, subscriber equipment and core net node equipment of realizing digital signature, have specifically defined digital signature and how to have realized.
For achieving the above object, embodiments of the invention adopt following technical scheme:
A kind of method that realizes digital signature is applied in the public alarm system, and this method comprises: subscriber equipment receives and preserves the digital signature PKI that core net node issues through non-access layer information or access layer information; Said subscriber equipment is verified the digital signature in the alarm information that receives according to the digital signature PKI of Digital Signature Algorithm and preservation.
A kind of method that realizes digital signature is applied in the public alarm system, and this method comprises: core net node receives the request message that comprises the PKI sign that subscriber equipment sends; Said core net node confirms that the PKI sign in the described request message is inequality with the pairing PKI sign of the local digital signature PKI of preserving; Said core net node issues local said digital signature PKI of preserving and corresponding PKI sign thereof through non-access layer information or access layer information to said subscriber equipment.
A kind of subscriber equipment is applied in the public alarm system, and this equipment comprises: receiver module is used to receive and preserve the digital signature PKI that core net node issues through non-access layer information or access layer information; Authentication module, the said digital signature PKI that is used for receiving according to Digital Signature Algorithm and said receiver module is verified the digital signature of the alarm information that receives.
A kind of core net node equipment is applied in the public alarm system, and this equipment comprises: receiver module is used to receive the request message that comprises the PKI sign that subscriber equipment sends; First determination module, the PKI sign of the request message that is used for confirming that said receiver module is received is inequality with the pairing PKI sign of the local digital signature PKI of preserving; Sending module; The PKI sign that is used for confirming request message when first determination module and the local pairing PKI of preserving of digital signature PKI identify when inequality, issue local said digital signature PKI of preserving and corresponding PKI sign thereof through non-access layer information or access layer information to said subscriber equipment.
The method of the realization digital signature that the embodiment of the invention provides, subscriber equipment and core net node equipment; Utilize core net node to issue up-to-date digital signature PKI to subscriber equipment through non-access layer information or access layer information; Simultaneously; Subscriber equipment is preserved this up-to-date digital signature PKI, and subscriber equipment is through Digital Signature Algorithm and the digital signature PKI preserved in this locality, and the digital signature in the alarm information of receiving that can achieve a butt joint is verified; The embodiment of the invention specific definition delivery method of digital signature PKI, remedied in the 3GPP standard the not defective of specific definition digital signature implementation method.
Description of drawings
In order to be illustrated more clearly in the embodiment of the invention or technical scheme of the prior art; To do to introduce simply to the accompanying drawing of required use in embodiment or the description of the Prior Art below; Obviously, the accompanying drawing in describing below only is some embodiments of the present invention, for those of ordinary skills; Under the prerequisite of not paying creative work property, can also obtain other accompanying drawing according to these accompanying drawings.
Fig. 1 is the flow chart that the embodiment of the invention 1 realizes the method for digital signature;
Fig. 2 is the block diagram of the embodiment of the invention 1 subscriber equipment;
Fig. 3 is the flow chart that the embodiment of the invention 2 realizes the method for digital signature;
Fig. 4 is the block diagram of the embodiment of the invention 2 core net node equipment;
Fig. 5 is the data structure of security parameter in the prior art;
Fig. 6 is the data structure of the embodiment of the invention 3 security parameters;
Fig. 7 receives and preserves the method flow diagram of the digital signature PKI that core net node issues for 3 one kinds of the embodiment of the invention;
Fig. 8 receives and preserves the method flow diagram of the digital signature PKI that core net node issues for the embodiment of the invention 3 is another kind of;
Fig. 9 is for the embodiment of the invention 3 another reception and preserve the method flow diagram of the digital signature PKI that core net node issues;
Figure 10 is for the embodiment of the invention 3 another reception and preserve the method flow diagram of the digital signature PKI that core net node issues;
Figure 11 is for the embodiment of the invention 3 another reception and preserve the method flow diagram of the digital signature PKI that core net node issues;
Figure 12 is the structure chart of 5 one kinds of subscriber equipmenies of the embodiment of the invention;
Figure 13 is the structure chart of 5 one kinds of core net nodes of the embodiment of the invention.
Embodiment
To combine the accompanying drawing in the embodiment of the invention below, the technical scheme in the embodiment of the invention is carried out clear, intactly description, obviously, described embodiment only is the present invention's part embodiment, rather than whole embodiment.Based on the embodiment among the present invention, those of ordinary skills are not making the every other embodiment that is obtained under the creative work prerequisite, all belong to the scope of the present invention's protection.
Embodiment 1
As shown in Figure 1, the method that is applied to the realization digital signature in the public alarm system may further comprise the steps.
101, subscriber equipment receives and preserves the digital signature PKI that core net node issues through non-access layer information or access layer information.
Particularly; When realizing PWS in the 3GPP system, UE receives non-access layer information (being NAS message) or the access layer information (being AS message) that is issued by core net node, carries up-to-date digital signature PKI in this message; UE is kept at this locality with it after receiving this up-to-date digital signature PKI.
(Long Term Evolution: Long Term Evolution), core net node is MME (mobile management entity, Mobility Management Entity) to the LTE that proposes at 3GPP; (Universal Mobile Telecommunications System: UMTS), core net node is SGSN (SERVICING GPRS SUPPORT NODE, a GPRS serving GPRS support node) to the UMTS that proposes at 3GPP; (Global System for Mobile Communications: global system for mobile communications), core net node is MSC (Mobile Switching Center, a mobile switching centre) to the GSM that proposes at 3GPP.
102, said subscriber equipment is verified the digital signature in the alarm information that receives according to the digital signature PKI of Digital Signature Algorithm and preservation.
Particularly, UE need verify the digital signature of alarm information after receiving alarm information, to confirm the integrality and the reliability of this message.Through execution in step 101, UE has preserved the digital signature PKI in this locality, and the private key that this digital signature PKI and digital signature are used when encrypting is a pair of secret keys.When verifying, Digital Signature Algorithm and the local digital signature PKI of preserving that UE uses digital signature when encrypting, to use verify digital signature, verifies true and reliablely through this alert message then is described, next UE can initiate alarm to the user; If checking is not passed through, explain that then this alert message is unreliable or attacked that UE can cancel to the user and initiates alarm.
Need to prove: digital signature by but be not limited to said CBC (Cell BroadcastCenter; Abbreviate as: CBC) or Cell Broadcast Entity (Cell Broadcast Entry abbreviates as: CBE) adopt above-mentioned digital signature private key and Digital Signature Algorithm to encrypt and obtain to the plaintext of alert message in the alarm information.Wherein, CBC and Cell Broadcast Entity are referred to as Cell Broadcast CB equipment.
Any method that Digital Signature Algorithm can be known is by one of skill in the art notified to UE; Make UE can use this algorithm that digital signature is verified; The Notification Method of this digital signature can for describe among the following embodiment 2 be pre-configured in the subscriber equipment or subscriber equipment is selected to obtain according to the Digital Signature Algorithm sign, also can be other method.
In the method for the realization digital signature that the embodiment of the invention provides; Core net node issues the digital signature PKI through non-access layer information or access layer information to subscriber equipment; Simultaneously; Subscriber equipment is preserved this digital signature PKI, and subscriber equipment is through Digital Signature Algorithm and the local digital signature PKI of preserving, and the digital signature in the alarm information of receiving that can achieve a butt joint is verified; The present invention has at length defined the delivery method of digital signature PKI, has remedied in the 3GPP standard the not defective of specific definition digital signature implementation method.
Present embodiment also provides a kind of subscriber equipment that is applied in the public alarm system, and is as shown in Figure 2, and this equipment comprises receiver module 21 and authentication module 22.Wherein, receiver module 21 is used to receive and preserve the digital signature PKI that core net node issues through non-access layer information or access layer information; The said digital signature PKI that authentication module 22 is used for receiving according to Digital Signature Algorithm and said receiver module is verified the digital signature of the alarm information that receives.
The corresponding method of above-mentioned each module is described in detail in above-mentioned, repeats no more at this.
The subscriber equipment that the embodiment of the invention provides is because in receiver module; Preserved the digital signature PKI that core net node issues to subscriber equipment through non-access layer information or access layer information; And the digital signature PKI of authentication module through receiving in Digital Signature Algorithm and the receiver module; The digital signature that can achieve a butt joint in the alarm information of receiving is verified; The embodiment of the invention has at length defined the delivery method of digital signature PKI, has remedied in the 3GPP standard the not defective of specific definition digital signature implementation method.
Embodiment 2
As shown in Figure 3, the method that is applied to the realization digital signature in the public alarm system may further comprise the steps.
301, core net node receives the request message that comprises the PKI sign that subscriber equipment sends.
Particularly; Subscriber equipment sends a request message to core net node; Include the pairing PKI sign of digital signature PKI that subscriber equipment is preserved in this locality in this request message, core net node is execution in step 302 after receiving this request message that comprises the PKI sign.
302, core net node confirms that the PKI sign in the request message is inequality with the pairing PKI sign of the local digital signature PKI of preserving.
Particularly, the pairing PKI sign of digital signature PKI that PKI in core net node comparison of request message sign and core net node are preserved in this locality identifies when inequality if confirm two PKIs, and then execution in step 303.
303, core net node issues local digital signature PKI of preserving and corresponding PKI sign thereof through non-access layer information or access layer information to subscriber equipment.
Particularly; After core net node had confirmed that PKI sign in the request message and the pairing PKI sign of the local digital signature PKI of preserving are inequality, core net node can issue local digital signature PKI of preserving and corresponding PKI sign thereof to subscriber equipment through NAS message or AS message.
After the pairing PKI sign of sign of the PKI in the core net node comparison of request message and the local digital signature PKI of preserving; Comparative result is for equating; Explain that the digital signature PKI of preserving in the digital signature PKI preserved in the subscriber equipment and the core net node is identical; All be up-to-date digital signature PKI, then need do not upgrade that promptly core net node need not send local digital signature PKI of preserving and corresponding PKI sign thereof to subscriber equipment to the digital signature in the subscriber equipment.
On the contrary, when comparative result was unequal, core net node then sent local digital signature PKI of preserving and corresponding PKI sign thereof to subscriber equipment.
In the method for the realization digital signature that the embodiment of the invention provides; Core net node is according to the PKI sign of carrying in the request message that subscriber equipment sent; Confirm that the PKI sign in request message identifies under the situation inequality with the pairing PKI of the local digital signature PKI of preserving; Just send local said digital signature PKI of preserving and corresponding PKI sign thereof to subscriber equipment; Can not only realize issuing of digital signature PKI, also can realize the digital signature PKI of preserving in the subscriber equipment is upgraded, remedy in the 3GPP standard the not defective of specific definition digital signature implementation method.
The embodiment of the invention also provides a kind of core net node equipment that is applied to the public alarm system, and as shown in Figure 4, this equipment comprises: receiver module 41 is used to receive the request message that comprises the PKI sign that subscriber equipment sends; First determination module 42, the PKI sign of the request message that is used for confirming that receiver module 41 is received is inequality with the pairing PKI sign of the local digital signature PKI of preserving; Sending module 43; The PKI sign that is used for confirming request messages when first determination module 42 and the local pairing PKI of preserving of digital signature PKI identify when inequality, issue local said digital signature PKI of preserving and corresponding PKI sign thereof through non-access layer information or access layer information to subscriber equipment.
The corresponding method of above-mentioned each module is described in detail in above-mentioned, repeats no more at this.
The core net node equipment that the embodiment of the invention provides; Because sending module can confirm that PKI sign and the local pairing PKI of preserving of digital signature PKI in the request message identifies when inequality at first determination module; The digital signature PKI that issues to subscriber equipment through non-access layer information or access layer information; Can not only realize issuing of digital signature PKI; Also can realize the digital signature PKI of preserving in the subscriber equipment is upgraded, remedy in the 3GPP standard the not defective of specific definition digital signature implementation method.
Embodiment 3
The method that is applied to the realization digital signature among the PWS comprises: subscriber equipment receives and preserves the digital signature PKI that core net node issues through non-access layer information or access layer information; Said subscriber equipment is verified respectively at least one digital signature in the alarm information that receives according to the digital signature PKI of Digital Signature Algorithm and preservation.
When in 3GPP, realizing PWS, above-mentioned non-access layer information (being NAS message) can be for Non-Access Stratum safe mode command NAS Security Mode Command message, adhere to acceptances (Attach Accept) message, location area updating is accepted (TAU Accept) message or Routing Area Update acceptance (RAU Accept) message.Access layer information (being AS message) can be the Access Layer Security Mode Command message.
In addition; Above-mentioned Digital Signature Algorithm can be pre-configured in the subscriber equipment or by subscriber equipment and select to obtain according to the Digital Signature Algorithm sign; Wherein, Digital Signature Algorithm sign can be arranged in the alert message in the alarm information or in the security parameter in the alarm information.
When the Digital Signature Algorithm sign is arranged in the alert message; For example in the LTE system, can sign be put into to write replacement request (WRITE-REPLACE Request) message or write replacement and indicate in the 10th field (SIB10) in (WRITE-REPLACE Indication) message.Also can sign be put into eNB (base station of evolution, Evolution Node B) issues in the 10th field (SIB10) in the broadcast of UE.Wherein, In the LTE system; WRITE-REPLACE Request message or WRITE-REPLACE Indication message send to MME (mobile management entity, Mobility Management Entity) by CBC (CBC, Cell Broadcast Center); Be transmitted to eNB by MME again, eNB sends to UE with the form of broadcast again with the alarm information in WRITE-REPLACE Request message or the WRITE-REPLACE Indication message.
SIB10 in the above-mentioned message of the Digital Signature Algorithm sign (Signature algorithm Identifier) that is provided with is described below:
Wherein, the memory space that Signature algorithm Identifier takies is an octet, its specific definition such as following table:
8 7 6 5 4 3 2 1
Signature?algorithm
0 (reservation) octet1
Identifier
Signature algorithm Identifier has taken low 4 of octet octet1, can express 16 kinds of Digital Signature Algorithms, high 4 reservations.
When Signature algorithm Identifier is arranged at security parameter; Promptly alarm security information (Warning-Security-Information) when interior; Can be in security parameter data structure shown in Figure 5 deposit Digital Signature Algorithm sign (Signature algorithm Identifier) in the octet 8 of the shared octet 8~octet 50 of digital signature, and remaining octet 9~octet 50 is still deposited digital signature.
The Warning-Security-Information of the Digital Signature Algorithm sign that is provided with is as shown in Figure 6; Digital Signature Algorithm sign (Signature algorithm Identifier) has taken low 4 of octet 8; Can express 16 kinds of Digital Signature Algorithms, high 4 reservations.The Digital Signature Algorithm sign is arranged in the security parameter; Only need in the entity of signing, increase a Digital Signature Algorithm sign step is set; Can not increase the extra process of CBC, MME and eNB, therefore, can not increase the processing burden of each equipment in the LTE system.
Need to prove that Signature algorithm Identifier is not limited to above-mentioned two kinds of set-up modes, and can define other length and form, as long as can the algorithm of digital signature be distinguished.
Present embodiment is before the digital signature PKI that subscriber equipment receives and the preservation core net node issues through non-access layer information or access layer information; Can comprise also sending a request message that this request message is: adhere to (Attach) request message, location area updating (TAU) request message or Routing Area Update (RAU) request message to core net node.The method that a kind of UE in the LTE system is received and preserves the digital signature PKI that MME issues through non-access layer information or access layer information with reference to Fig. 7 below is elaborated.
701, UE sends a request message to MME, and this message is Attach request message, TAU request message or RAU request message.
702, may be optional between UE and the MME carry out a flow process, i.e. ESP AKA flow process based on the AKA agreement.
703, UE receives the Non-Access Stratum Security Mode Command message that MME sends, and promptly NAS Security ModeCommand message includes the digital signature PKI that MME preserves in this message.
704, UE preserves MME and issues its up-to-date digital signature PKI.
705, UE sends the Non-Access Stratum safe mode to MME and accomplishes message, i.e. NAS Security ModeComplete message.
706, message is accepted in the request of UE reception MME transmission, and it is Attach Accept message, TAU Accept message or RAU Accept message that message is accepted in this request.
In addition; The up-to-date digital signature PKI that MME preserves also can be included in Attach Accept message, TAU Accept message or the RAU Accept message; At this moment, the UE step of preserving up-to-date digital signature PKI need be placed on the request of reception and accepts to carry out after the messages step.For UMTS system or gsm system, SGSN or MSC also can send up-to-date digital signature PKI and give UE in Attach Accept message, LAU Accept message or RAU Accept message.
Present embodiment has been done improvement on the basis of digital signature public key acquisition store method shown in Figure 7; Another kind of digital signature public key acquisition store method as shown in Figure 8 has been proposed; This method has defined a PKI sign; Each PKI sign is only corresponding with a digital signature PKI, and UE also preserves the PKI sign corresponding with this digital signature PKI when the digital signature PKI is preserved in this locality.Detailed description to this method is following.
801, UE sends Attach Request message or location area updating request message to MME, and promptly Attach request message or TAU request message comprise in this message with UE and go up the corresponding PKI sign of the digital signature PKI of preserving PKSI.
802, may be optional between UE and the MME carry out a flow process, i.e. EPS AKA flow process based on the AKA agreement.
803, MME judges whether the up-to-date PKI sign that the PKSI in Attach request message or the TAU request message preserves with oneself is consistent, if inconsistent then in step subsequently, issue up-to-date PKI sign to UE and reach the up-to-date digital signature PKI corresponding with this sign.
804, UE receives the Non-Access Stratum Security Mode Command message that MME sends; Be NAS Security ModeCommand message; When the judged result in step 603 when being inconsistent, include up-to-date digital signature PKI and corresponding PKSI that MME preserves in this message.
805, when the judged result in the step 603 when being inconsistent, UE preserves MME and issues its up-to-date digital signature PKI and corresponding PKSI.
806, UE sends the Non-Access Stratum safe mode to MME and accomplishes message, i.e. NAS Security ModeComplete message.
807, message is accepted in the request of UE reception MME transmission, i.e. Attach Accept message or TAUAccept message.
In addition; The up-to-date digital signature PKI that MME preserves also can be included in Attach Accep message or the TAU Accept message; At this moment, UE preserves up-to-date digital signature PKI and corresponding PKSI step and need be placed on the request of transmission and accept to carry out after the messages step.
In order to prevent that the go-between from attacking above-mentioned request message; MME is when sending the PKSI of up-to-date digital signature PKI and correspondence to UE; Can the PKSI that comprise in Attach request message or the TAU request message be returned to UE; UE is before the PKSI of the up-to-date digital signature PKI of preserving the MME transmission and correspondence; Earlier this PKSI that returns is verified, explain then that as if different Attach request message or TAU request message are attacked, and do not preserve up-to-date digital signature PKI and corresponding PKSI that MME sends with the PKSI that oneself preserves.
When considering that UE roams into the another one network, it is identical with the PKSI of present network the used PKSI of another one network to occur, but digital signature PKI condition of different.At this moment, need in the request message of above-mentioned steps 801, increase the current network of network sign of living in of UE (PLMN ID).
Also need correspondingly increase the step that network identity is judged in the above-mentioned steps 803; Promptly MME judge the PKI of preserving among PKI sign and the MME in Attach request message or the TAU request message identify whether identical before; Comprise that also MME judges whether the PLMN ID in Attach request message or the TAU request message is identical with MME network of network sign of living in; If identical, carry out above-mentioned MME and judge that whether identical the PKI of preserving among PKI sign and the MME in Attach request message or the TAU request message identify step; If it is different; Then need not carry out the step that above-mentioned MME judges that the PKI sign of preserving among PKI sign and the MME in Attach request message or the TAU request message is whether identical, and directly in step subsequently, send the up-to-date digital signature PKI of its preservation and the PKSI of correspondence to UE by MME.
MME sends outside the PKSI of up-to-date digital signature PKI and correspondence to UE in the above-mentioned steps 804, also can send the PLMN ID of current network of living in, and PLMN ID can be used as the part of PKSI and sends.
Outside in the above-mentioned steps 805 up-to-date digital signature PKI and corresponding PKSI being preserved, also comprise: the PLMN ID of the current network of living in of UE is carried out related preservation together with up-to-date digital signature PKI and corresponding PKSI.The PLMN ID of the current network of living in of UE can be issued by MME or obtained from system information by UE as stated.
Need to prove that for UMTS system or gsm system, SGSN or MSC can send up-to-date digital signature PKI and PKSI and network identity and give UE in AttachAccept message, LAU Accept message or RAU Accept message.
Present embodiment has been done improvement on the basis of digital signature public key acquisition store method shown in Figure 7, proposed a kind of digital signature public key acquisition store method again, and is as shown in Figure 9.
901, UE sends a request message to MME, i.e. AttachAccept message or TAU request message.
902, may be optional between UE and the MME carry out a flow process, i.e. EPS AKA flow process based on the AKA agreement.
903, eNB receives the Access Layer Security Mode Command message that MME sends, and promptly AS Security ModeCommand message includes the up-to-date digital signature PKI that MME preserves in this message.
904, eNB transmits AS Security Mode Command message to UE.
905, UE preserves eNB and issues its up-to-date digital signature PKI.
906, UE sends the Access Layer safe mode to eNB and accomplishes message, i.e. AS Security ModeComplete message.
907, eNB transmits AS Security Mode Complete message to MME.
908, UE receives the MME request of sending and accepts message, i.e. Attach Accept message or TAU Accept message.
The main difference of this method and digital signature public key acquisition store method shown in Figure 7 be that MME uses AS Security Mode Command earlier up-to-date digital signature PKI to be sent to eNB, again by eNB with this forwards to UE.
In addition, the up-to-date digital signature PKI that MME preserves also can be included in Attach Accept message or the TAU Accept message, and at this moment, the step of the digital signature PKI that the UE preservation is up-to-date need be placed on the request of transmission and accept to carry out after the messages step.
Present embodiment has been done improvement on the basis of digital signature public key acquisition store method shown in Figure 8, proposed a kind of digital signature public key acquisition store method once more, and is shown in figure 10.
1001, UE sends a request message to MME, and promptly Attach request message or TAU request message comprise in this message with UE and go up the corresponding PKI sign of the digital signature PKI of preserving PKSI.
1002, may be optional between UE and the MME carry out a flow process, i.e. EPS AKA flow process based on the AKA agreement.
1003, MME judges whether the up-to-date PKI sign that the PKSI in Attach request message or the TAU request message preserves with oneself is consistent, if inconsistent then in step subsequently, issue up-to-date PKI sign to UE and reach the up-to-date digital signature PKI corresponding with this sign.
1004, eNB receives the Access Layer Security Mode Command message that MME sends; Be AS Security ModeCommand message; When the judged result in step 1003 when being inconsistent, include up-to-date digital signature PKI and corresponding PKSI that MME preserves in this message.
1005, eNB transmits AS Security Mode Command message to UE.
1006, when the judged result in the step 1003 when being inconsistent, UE preserves MME and issues its up-to-date digital signature PKI and corresponding PKSI.
1007, UE sends the Access Layer safe mode to eNB and accomplishes message, i.e. AS Security ModeComplete message.
1008, eNB transmits AS Security Mode Complete message to MME.
1009, message is accepted in the request of UE reception MME transmission, i.e. Attach Accept message or TAU Accept message.
The main difference of this method and digital signature public key acquisition store method shown in Figure 8 be MME use AS Security Mode Command earlier will up-to-date digital signature PKI and corresponding PKI identify and send to eNB, again by eNB with this forwards to UE.
In addition; The up-to-date digital signature PKI that MME preserves also can be included in Attach Accept message or the TAU Accept message; At this moment, UE preserves up-to-date digital signature PKI and corresponding PKSI step and need be placed on the request of transmission and accept to carry out after the messages step.
In order to prevent that the go-between from attacking Attach request message or TAU request message; MME is passing through eNB when UE sends the PKSI of up-to-date digital signature PKI and correspondence; Can the PKSI that comprise in Attach request message or the TAU request message be returned to UE; UE is before the PKSI of the up-to-date digital signature PKI of preserving the MME transmission and correspondence; Earlier this PKSI that returns is verified, explain then that as if different Attach request message or TAU request message are attacked, and do not preserve up-to-date digital signature PKI and corresponding PKSI that MME sends with the PKSI that oneself preserves.
When considering that UE roams into the another one network, it is identical with the PKSI of present network the used PKSI of another one network to occur, but digital signature PKI condition of different.At this moment, need in the Attach of above-mentioned steps 1001 request message or TAU request message, increase current network of network sign PLMNID of living in.
Also need correspondingly increase the step that network identity is judged in the above-mentioned steps 1003; Promptly MME judge the PKI of preserving among PKI sign and the MME in Attach request message or the TAU request message identify whether identical before; Comprise that also MME judges whether the PLMN ID in Attach request message or the TAU request message is identical with MME network of network sign of living in; If identical, carry out above-mentioned MME and judge that whether identical the PKI of preserving among PKI sign and the MME in Attach request message or the TAU request message identify step; If it is different; Then need not carry out the step that above-mentioned MME judges that the PKI sign of preserving among PKI sign and the MME in Attach request message or the TAU request message is whether identical, and directly in step subsequently, send the up-to-date digital signature PKI of its preservation and the PKSI of correspondence to UE by MME.
In the above-mentioned steps 1004,1005, MME sends outside the PKSI of up-to-date digital signature PKI and correspondence to UE through eNB, also can send the PLMN ID of current network of living in, and PLMN ID can be used as the part of PKSI and sends.
Outside in the above-mentioned steps 1006 up-to-date digital signature PKI and corresponding PKSI being preserved, also comprise: the PLMN ID of the current network of living in of UE is carried out related preservation together with up-to-date digital signature PKI and corresponding PKSI.The PLMN ID of the current network of living in of UE can be issued by MME or obtained from system information by UE as stated.
When in 3GPP, realizing PWS, may be responsible for by CBC or CBE the signature of alarm information.CBC belongs to the inner entity of core net, and CBE is not in the 3GPP network range.And realize or realize by CBE by CBC when also confirming at present the signature of warning message in the 3GPP standard.
When CBC is responsible for signature alarm message; Owing in each core net, all be responsible for signature by CBC entity independently; Even and sharing at network under the scene of (Network sharing); A plurality of networks also can be selected a public CBC simultaneously, therefore for UE, can verify alarm information according to the digital signature PKI that issues.
When CBE is responsible for the signature of alarm information; Because in one network; May exist a plurality of CBE (such as in China; The entity of issue alarm information comprises seismological bureau, tsunami center, flood control command centre etc.), UE need be known the pairing CBE entity of received alarm information and this alarm information is verified employed digital signature PKI so.
Therefore present embodiment has been done improvement on the basis of digital signature public key acquisition store method shown in Figure 7; A kind of digital signature public key acquisition store method (referring to Figure 11) has been proposed; Can make UE go up the digital signature PKI and the CBE that preserve is mapped; Thereby can know the pairing PKI of this digital signature, adopt this public key verifications signature.
1101, UE sends a request message to MME, and this message is Attach request message, TAU request message or RAU request message, the Cell Broadcast Entity that comprises in this request message sign.
Particularly, this Cell Broadcast Entity sign is used for distinguishing different CBE, can CBE all in the network be numbered, and makes the corresponding unique Cell Broadcast Entity sign of each CBE.
1102, may be optional between UE and the MME carry out a flow process, i.e. ESP AKA flow process based on the AKA agreement.
1103, UE receives the Non-Access Stratum Security Mode Command message that MME sends; Be NAS Security ModeCommand message, include digital signature PKI and this Cell Broadcast Entity sign of the corresponding above-mentioned Cell Broadcast Entity sign of MME preservation in this message.Wherein, the digital signature PKI of respective cell broadcast entity sign represent to generate this digital signature PKI Cell Broadcast Entity be designated this Cell Broadcast Entity sign.
1104, UE carries out the association preservation with Cell Broadcast Entity sign and the digital signature PKI that MME issues this UE.
1105, UE sends the Non-Access Stratum safe mode to MME and accomplishes message, i.e. NAS Security ModeComplete message.
1106, message is accepted in the request of UE reception MME transmission, and it is Attach Accept message, TAU Accept message or RAU Accept message that message is accepted in this request.
In addition; The digital signature PKI of Cell Broadcast Entity sign and this Cell Broadcast Entity sign can be included in Attach Accept message, TAU Accept message or the RAUAccept message in the corresponding requests message that MME preserves; Perhaps also can be included in the message of redetermination, the message of this redetermination is used to issue new digital signature PKI.When Cell Broadcast Entity sign and digital signature PKI were included in Attach Accept message, TAU Accept message or the RAU Accept message, the step that UE preserves the digital signature PKI need be placed on the request of reception and accept to carry out after the messages step.For UMTS system or gsm system, SGSN or MSC also can send up-to-date digital signature PKI and give UE in Attach Accept message, LAU Accept message or RAU Accept message.
When the Cell Broadcast Entity sign is not preserved in UE this locality; UE can obtain at least one Cell Broadcast Entity sign and corresponding digital signature PKI thereof from the core net node request through non-access layer information or access layer information; As UE during to MME request digital signature PKI; Cell Broadcast Entity sign in the request message maybe be not only one; After MME receives request message, can the digital signature PKI of preserving on it corresponding to all Cell Broadcast Entity signs in the request message be handed down to UE according to corresponding relation.
Need to prove: since MME can from before the PWS message flow know the employed digital signature PKI of alarm information digital signature and generate the Cell Broadcast Entity sign of the CBE of this digital signature; MME can also be known the PKI sign corresponding with this digital signature PKI; Therefore; The up-to-date digital signature PKI that UE can use when MME asks certain Cell Broadcast Entity that alarm information is signed uses when perhaps asking certain Cell Broadcast Entity that alarm information is signed in a plurality of digital signature with certain PKI and identifies corresponding digital signature PKI.
In addition; For digital signature public key acquisition store method shown in Figure 11; Request message wherein also can comprise the PKI sign; Therefore employed each digital signature PKI when this PKI sign is used to distinguish a certain CBE signature alarm message, can uniquely confirm a digital signature PKI with Cell Broadcast Entity sign and PKI sign.
After receiving the request message that has Cell Broadcast Entity sign and PKI sign as MME; Can judge whether the PKI sign in the request message is identical with local PKI sign corresponding to said Cell Broadcast Entity sign of preserving; If it is inequality; Then issue the PKI sign and the digital signature PKI of Cell Broadcast Entity sign in the corresponding requests message, and issue this Cell Broadcast Entity sign simultaneously through non-access layer information or access layer information.
Subsequently, UE carries out related preservation with the Cell Broadcast Entity sign that MME issues with corresponding PKI sign and digital signature PKI.
For digital signature public key acquisition store method shown in Figure 11, request message wherein can comprise Cell Broadcast Entity sign, to PKI sign and the current network of network sign of living in of subscriber equipment that should the Cell Broadcast Entity sign., core net node can judge earlier whether the network identity in the request message is identical with the current network of network sign of living in of core net node after receiving this request message; If inequality, then through non-access layer information or access layer information issue digital signature PKI corresponding to Cell Broadcast Entity sign in the request message, to PKI sign and this Cell Broadcast Entity sign that should the digital signature PKI.If it is identical; Can continue to judge whether the PKI sign in the request message is identical with the local PKI sign corresponding to Cell Broadcast Entity sign in the request message of preserving of MME; If it is inequality; Then MME through non-access layer information or access layer information issue PKI sign corresponding to Cell Broadcast Entity sign in the request message, to digital signature PKI and this Cell Broadcast Entity sign that should the PKI sign, if identical then need not carry out above-mentioned digital signature PKI and issue step.
The Cell Broadcast Entity sign that UE will receive from MME, to PKI sign that should the Cell Broadcast Entity sign, digital signature PKI and the local network of network sign of living in of UE that should the PKI sign be preserved promptly so-called related the preservation as one group of related data.Wherein, UE network of network sign of living in is issued to subscriber equipment by core net node through non-access layer information or access layer information or is obtained from system information by subscriber equipment.
For the store method that obtains of digital signature PKI shown in Figure 7, UE can once obtain two up-to-date digital signature PKIs from MME.Promptly ought not consider under the situation of Cell Broadcast Entity sign; Preserve update date among the MME near two of the current time up-to-date digital signature PKIs; MME is last also can to preserve corresponding with these two digital signature PKIs respectively PKI sign; UE just can obtain these two nearest digital signature PKIs from MME through request message, also can obtain corresponding PKI sign simultaneously.When considering the Cell Broadcast Entity sign; All preserve two up-to-date digital signature PKIs on corresponding each Cell Broadcast Entity sign MME; Also can preserve corresponding with these two digital signature PKIs respectively PKI sign; UE can ask MME two up-to-date digital signature to be issued together once issuing in the flow process through request message, perhaps will issue together corresponding to two up-to-date digital signature of Cell Broadcast Entity sign in the request message.
In the method for the realization digital signature of present embodiment, the method that digital signature is verified can comprise the steps.
The 1st goes on foot, according to digital signature PKI and the Digital Signature Algorithm preserved the digital signature in the said alarm information is verified.
The 2nd goes on foot, does not pass through as if checking, to the up-to-date digital signature PKI of core net node request, and adopts said up-to-date digital signature PKI and said Digital Signature Algorithm that the digital signature in the said alarm information is verified once more.
Obtaining in the store method of above-mentioned digital signature PKI; Can preserve two up-to-date this situation of digital signature PKI for UE; UE is during to the digital signature authentication in the alarm information, can adopt local two digital signature PKIs preserving respectively digital signature verify.If in alarm information, carry digital signature corresponding PKI sign of employed digital signature PKI when generating, then when this PKI sign is preserved in UE this locality, can adopt the digital signature PKI that should PKI identifies is verified digital signature.If in alarm information, except the PKI sign, also carry the Cell Broadcast Entity sign; And UE preserve this locality to should Cell Broadcast Entity the digital signature PKI of sign and PKI sign, then UE can adopt equally digital signature PKI that should the PKI sign is verified this digital signature.
Digital signature in the alarm information can be two, and these two digital signature can adopt the corresponding digital signature private key of the up-to-date digital signature PKIs of local two of preserving respectively to the acquisition of signing of said alarm information by CBC CBC or Cell Broadcast Entity CBE.When subscriber equipment is verified these two digital signature; Subscriber equipment is verified respectively two digital signature according to Digital Signature Algorithm and the local digital signature PKI of preserving; Obstructed out-of-date when verifying; Also can after receiving this up-to-date digital signature PKI, respectively two digital signature be verified once more to the up-to-date digital signature PKI of core net node request with above-mentioned Digital Signature Algorithm and this up-to-date digital signature PKI.
Can preserve two up-to-date this situation of digital signature PKI for UE; And two corresponding PKIs signs of employed digital signature PKI when in alarm information, except two digital signature, also carrying these two digital signature generations; Then when these two PKI signs are preserved in UE this locality, can adopt the digital signature PKI of corresponding these two PKI signs respectively two digital signature to be verified.If also carry Cell Broadcast Entity sign in the alarm information, then preserve should the Cell Broadcast Entity sign and the digital signature PKI of PKI sign when UE this locality, with these digital signature PKIs these two digital signature are verified respectively.
One or two digital signature in the alarm information is verified with the digital signature PKI that UE preserves no matter be; Still two digital signature PKIs preserving with UE are verified one or two digital signature in the alarm information; Obstructed out-of-date when verifying; When promptly all digital signature all get nowhere, can pass through access layer information or non-access layer information to one or two up-to-date digital signature PKI of said core net node request when using all digital signature PKIs that satisfy condition to verify.
Need to prove that for UMTS system or gsm system, SGSN or MSC can send up-to-date digital signature PKI and PKSI and network identity and give UE in AttachAccept message, LAU Accept message or RAU Accept message.
In the method for the realization digital signature that the embodiment of the invention provides; Core net node issues up-to-date digital signature PKI through non-access layer information or access layer information to subscriber equipment; Simultaneously; Subscriber equipment is preserved this up-to-date digital signature PKI, and subscriber equipment is through Digital Signature Algorithm and the digital signature PKI preserved in this locality, and the digital signature in the alarm information of receiving that can achieve a butt joint is verified; In addition; Digital Signature Algorithm can be pre-configured in the subscriber equipment or subscriber equipment is selected to obtain according to the Digital Signature Algorithm sign, embodiment of the invention specific definition the issuing of system of selection and digital signature PKI of Digital Signature Algorithm, update method, remedied in the 3GPP standard the not defective of specific definition digital signature implementation method.
Embodiment 4
The method that is applied to the realization digital signature in the public alarm system that present embodiment provides is the improvement to the digital signature implementation method of embodiment 3, and different with embodiment 3 is: comprise the PKI sign in the alarm information; After UE receives alarm information; Judge earlier the pairing PKI sign of the local digital signature PKI of preserving whether with alarm information in the PKI sign identical; If it is different; To up-to-date digital signature PKI of core net node request and corresponding PKI sign, and preserve this up-to-date digital signature PKI and corresponding PKI sign; UE verifies the digital signature in the alarm information according to Digital Signature Algorithm and the local digital signature PKI of preserving again then.
The method of in the above-mentioned digital signature implementation method digital signature being verified also can comprise: obstructed out-of-date when verifying; UE is to the up-to-date digital signature PKI of core net node request, and adopts up-to-date digital signature PKI and Digital Signature Algorithm to identify pairing Digital Signature Algorithm the digital signature in the alarm information is verified once more.
The method to set up of PKI sign is identical with the method to set up of Digital Signature Algorithm sign among the embodiment 3 in the alarm information, and it is interior or be arranged in the security parameter to be arranged at alert message.In the time of in being arranged at alert message, can revise the SIB10 in the broadcast that SIB10 and eNB in the WRITE-REPLACE Request/Indication message issue UE; In the time of in being arranged at security parameter, can take same octet, with being used for the storage of public keys sign as high 4 of the octet 8 that keeps the position among Fig. 6 with Digital Signature Algorithm sign.
Need to prove that the method to set up of PKI sign is not limited to above-mentioned two kinds of set-up modes, and can define other length and form, as long as can the PKI of digital signature be distinguished.
In order to simplify processing, the PKI sign can be defined as and increase progressively, and identifies if UE receives the also little PKI of PKI sign that a ratio oneself is preserved, then think the alarm information received victim distort.When the value of PKI sign during to maximum, begin from minimum value again again, if UE receive the PKI sign be minimum value and with the PKI of own reservation at present identify different, the PKI that please look for novelty to core net node of UE then.
In the implementation method of the digital signature that the embodiment of the invention provides; Core net node issues up-to-date digital signature PKI through non-access layer information or access layer information to subscriber equipment; Simultaneously; Subscriber equipment is preserved this up-to-date digital signature PKI and is reached the digital signature PKI in this locality preservation through Digital Signature Algorithm; Can realize that subscriber equipment verifies the digital signature in the alarm information that receives, the present invention has at length defined the issuing of digital signature PKI, update method, has remedied in the 3GPP standard the not defective of specific definition digital signature implementation method.The present invention is mainly used in the public alarm system.
Through digital signature public key acquisition store method shown in Figure 11 among the embodiment 1 the digital signature PKI on the UE can be mapped with CBE; In this case; Comprise this CBE corresponding district broadcast entity sign in the alarm information that CBE sends; This sign can be arranged in the plaintext of alarm information according to actual needs, perhaps is arranged in the security parameter that alarm information carries.
After receiving the alarm information that has Cell Broadcast Entity sign as UE, can find out the digital signature PKI of Cell Broadcast Entity sign in the corresponding alarm information, verify with digital signature to this alarm information.If the pairing Cell Broadcast Entity sign of the digital signature PKI that UE preserves is inequality with the Cell Broadcast Entity sign in the alarm information; Be not preserve the corresponding digital signature PKI of Cell Broadcast Entity sign in the alarm information on the UE, then need obtain corresponding digital signature PKI to the MME request.Concrete requesting method can be similar to digital signature public key acquisition store method shown in Figure 11, in request message, carries the Cell Broadcast Entity sign.
After MME had issued the up-to-date digital signature PKI of Cell Broadcast Entity sign in the corresponding alarm information, UE adopted this up-to-date digital signature PKI that the digital signature in the alarm information is verified.
Certainly, when checking was not for the first time passed through, UE can also ask MME to issue up-to-date digital signature PKI once more.
Alarm information can also for: comprise Cell Broadcast Entity sign and PKI sign; Employed each digital signature PKI when this PKI sign is used to distinguish a certain CBE signature alarm message; Therefore, can uniquely confirm a digital signature PKI with Cell Broadcast Entity sign and PKI sign.
After receiving the alarm information that has Cell Broadcast Entity sign and PKI sign as MME; Can judge local Cell Broadcast Entity sign of whether preserving in the alarm information earlier; If not then directly obtain corresponding up-to-date digital signature PKI of this Cell Broadcast Entity sign and PKI sign to the MME request; If local Cell Broadcast Entity sign of preserving in the alarm information; Then further judge local whether identical in PKI sign that should the Cell Broadcast Entity sign and the alarm information of preserving; If identical then carry out verification step,, then obtain corresponding up-to-date digital signature PKI of this Cell Broadcast Entity sign and PKI sign to the MME request if inequality.
Then, UE verifies the digital signature in the alarm information according to this up-to-date digital signature PKI.
Certainly, when checking was not for the first time passed through, UE can also ask MME to issue up-to-date digital signature PKI once more.
Embodiment 5
Present embodiment provides a kind of subscriber equipment that is applied in the public alarm system, and is shown in figure 12, and this equipment comprises: receiver module 1201 is used to receive and preserve the digital signature PKI that core net node issues through non-access layer information or access layer information; Authentication module 1202, the digital signature PKI that is used for receiving according to Digital Signature Algorithm and said receiver module is verified the digital signature of the alarm information that receives.This equipment also can comprise: request module 1203 is used for sending a request message to core net node.
Wherein, Can comprise the current network of network sign of living in of said subscriber equipment in the described request message; Said receiver module 1201 also can be used for: receive under the network identity of core net node in the request message of confirming the described request module and the current network of network sign of living in of the said core net node situation inequality, digital signature PKI that issues through non-access layer information or access layer information and corresponding PKI thereof identify; Said equipment also can comprise the related module 1204 of preserving, and can be used for the said digital signature PKI that issues through non-access layer information or access layer information and corresponding PKI sign thereof identified with the current network of network of living in of said subscriber equipment carrying out related preservation; Wherein, the current network of network sign of living in of said subscriber equipment is issued to said subscriber equipment by said core net node through non-access layer information or access layer information or is obtained from system information by said subscriber equipment.
In addition, also can comprise the corresponding PKI sign of said digital signature PKI that said receiver module receives in the request message of described request module 1203; Said receiver module 1201 also can be used for: receive under the PKI sign of preserving in PKI sign and the said core net node in the network identity of core net node in the request message of confirming the described request module and the described request message identical with the current network of network sign of living in of the said core net node situation inequality, issue the digital signature PKI and corresponding PKI identifies through non-access layer information or access layer information.
Said non-access layer information or access layer information also can comprise the PKI sign in the described request message; Said receiver module 1201 also can be used for: before preserving digital signature PKI that core net node issues through non-access layer information or access layer information and corresponding PKI sign thereof, confirm that the PKI sign in the request message of described request module identifies identical with PKI in the request message that said non-access layer information or access layer information comprise.
In addition, can comprise the Cell Broadcast Entity sign that said subscriber equipment is preserved in the request message of described request module 1203; Said receiver module also is used to receive said Cell Broadcast Entity sign and the corresponding digital signature PKI thereof that core net node issues through non-access layer information or access layer information; The related module 1204 of preserving can be used for issuing said Cell Broadcast Entity sign through non-access layer information or access layer information and carrying out related preservation with corresponding its said digital signature PKI said.
Also can comprise PKI sign in the request message corresponding to said Cell Broadcast Entity sign; Said receiver module 1201 also is used for receiving core net node under the PKI sign that identifies corresponding to said Cell Broadcast Entity that the PKI sign of confirming described request message and said core net node are preserved situation inequality, issues said Cell Broadcast Entity sign and corresponding PKI sign and digital signature PKI thereof through non-access layer information or access layer information; The said related module 1204 of preserving also is used for issuing through non-access layer information or access layer information with said that said Cell Broadcast Entity sign identifies with corresponding its said PKI and said digital signature PKI carries out related preservation.
Can comprise the corresponding PKI sign of said digital signature PKI that current network of network sign of living in of said subscriber equipment and said receiver module receive in the request message; Said receiver module 1201 also is used for receiving under core net node preserves in the PKI sign in the identical and described request message and the said core net node in the current network of network sign of living in of the network identity of confirming described request message and said core net node corresponding to the PKI sign of the said Cell Broadcast Entity sign situation inequality, and the digital signature PKI, PKI sign and the said Cell Broadcast Entity that issue corresponding to said Cell Broadcast Entity sign through non-access layer information or access layer information identify; Said receiver module 1201 also is used for receiving core net node and identifies under the situation inequality at the network identity of confirming described request message and the current network of network of living in of said core net node, issues digital signature PKI, PKI sign and said Cell Broadcast Entity sign corresponding to said Cell Broadcast Entity sign through non-access layer information or access layer information; The related module 1204 of preserving; Can said Cell Broadcast Entity sign, digital signature PKI and the PKI sign that issues through non-access layer information or access layer information be carried out related preservation with the current network of network sign of living in of said subscriber equipment; Wherein, the current network of network sign of living in of said subscriber equipment is issued to said subscriber equipment by said core net node through non-access layer information or access layer information or is obtained from system information by said subscriber equipment.
The above-mentioned digital signature PKI that issues through non-access layer information or access layer information can comprise two up-to-date digital signature PKIs.
Can comprise two digital signature in the alarm information, said two digital signature adopt the digital signature private key corresponding with two up-to-date digital signature PKIs of the local preservation of said CBC respectively to the acquisition of signing of said alarm information by CBC; Said authentication module 1202 also can be used for: according to Digital Signature Algorithm and the local digital signature PKI of preserving said two digital signature in the said alarm information are verified respectively.
The said digital signature PKI that subscriber equipment is preserved can comprise two up-to-date digital signature PKIs, and then said authentication module 1202 also is used for: according to Digital Signature Algorithm and said two up-to-date digital signature PKIs said two digital signature of said alarm information are verified respectively.
Authentication module 1202 also can be used for: after the said said digital signature PKI that receives according to Digital Signature Algorithm and said receiver module is verified the digital signature in the said alarm information; If said checking is not passed through; Then to the up-to-date digital signature PKI of said core net node request, and adopt said up-to-date digital signature PKI and said Digital Signature Algorithm that the digital signature in the said alarm information is verified again.
Said authentication module 1202 also is used for: after the said said digital signature PKI that receives according to Digital Signature Algorithm and said receiver module is verified the digital signature of said alarm information; If said checking is not passed through; Then pass through non-access layer information or access layer information to the up-to-date digital signature PKI of said core net node request, and adopt said up-to-date digital signature PKI and said Digital Signature Algorithm that the digital signature in the said alarm information is verified again.
When also comprising the PKI sign in the alarm information; Said subscriber equipment also can comprise: PKI update module 1205; Be used for before the digital signature of the received alarm information of the said said digital signature PKI that receives according to Digital Signature Algorithm and said receiver module is verified; Confirm that pairing PKI sign of said digital signature PKI that said receiver module receives and PKI in the said alarm information identify when inequality, to up-to-date digital signature PKI of said core net node request and corresponding PKI sign; Receive and preserve the said up-to-date digital signature PKI that issues from said core net node and corresponding PKI sign; Said authentication module 1202 also is used for: according to said up-to-date digital signature PKI and corresponding PKI sign the digital signature of the alarm information that receives is verified.
When also comprising the PKI sign in the alarm information; Subscriber equipment also can not comprise above-mentioned PKI update module 1205; And comprise that determination module, this determination module are used for confirming that the pairing PKI sign of said digital signature PKI that said receiver module receives identifies identical with the PKI of said alarm information.
Can comprise the Cell Broadcast Entity sign in the alarm information; The PKI update module; Be used in before said digital signature PKI according to Digital Signature Algorithm and preservation verifies the digital signature in the alarm information that receives, confirm that the pairing Cell Broadcast Entity sign of digital signature PKI of said preservation is inequality with the Cell Broadcast Entity sign in the said alarm information; To said core net node request corresponding to said alarm information in the up-to-date digital signature PKI of Cell Broadcast Entity sign; Receive and preserve that said core net node issues, corresponding to the up-to-date digital signature PKI of Cell Broadcast Entity sign in the said alarm information; Said authentication module also is used for: according to said up-to-date digital signature PKI the digital signature of said alarm information is verified.
Also comprise PKI sign in the alarm information corresponding to said Cell Broadcast Entity sign; Said PKI update module; Also be used in before said digital signature PKI according to Digital Signature Algorithm and preservation verifies the digital signature in the alarm information that receives; Confirm that the pairing Cell Broadcast Entity sign of the digital signature PKI of said preservation is identical with Cell Broadcast Entity sign in the said alarm information, and the pairing PKI sign of the digital signature PKI of said preservation identifies with PKI in the said alarm information inequality; To said core net node request corresponding to said alarm information in digital signature PKI Cell Broadcast Entity, up-to-date and PKI sign; Receive and preserve the said up-to-date digital signature PKI and the PKI sign that issue from said core net node.
The performed method of above-mentioned each module specifies in embodiment 1 and embodiment 3, repeats no more at this.
Present embodiment proposes a kind of core net node equipment that is applied to the public alarm system again, and shown in figure 13, this equipment comprises: receiver module 1301 is used to receive the request message that comprises the PKI sign that subscriber equipment sends; First determination module 1302, the PKI sign of the request message that is used for confirming that said receiver module is received is inequality with the pairing PKI sign of the local digital signature PKI of preserving; Sending module 1303; The PKI sign that is used for confirming request message when first determination module and the local pairing PKI of preserving of digital signature PKI identify when inequality, issue local said digital signature PKI of preserving and corresponding PKI sign thereof through non-access layer information or access layer information to said subscriber equipment.
Wherein, Also comprise the PKI sign in the described request message in non-access layer information that said sending module 1303 sends or the access layer information; So that under the PKI sign of said subscriber equipment in the confirming described request message situation identical, preserve digital signature PKI that said core net node equipment issues through non-access layer information or access layer information and corresponding PKI thereof and identify with PKI sign in the request message that said non-access layer information or access layer information comprise.
When also comprising network identity in the request message that said receiver module 1301 receives; Said equipment also can comprise second determination module 1304; Be used for before the pairing PKI sign of the digital signature PKI that PKI identifies and preserve this locality that said first determination module 1302 is confirmed request message is inequality, confirming that the network identity in the described request message identifies identical with local network of network of living in.
When also comprising network identity in the request message that said receiver module receives; Do not comprise above-mentioned second determination module 1304; And comprise the 3rd determination module; Be used for before the pairing PKI sign of the digital signature PKI that PKI identifies and preserve this locality that said first determination module 1302 is confirmed request message is inequality, confirming that network identity and the local network of network of living in the described request message identifies inequality; Also comprise in then said non-access layer information or the access layer information: the local network of network sign of living in of said subscriber equipment equipment, so that said subscriber equipment carries out related preservation with the said network identity in said non-access layer information or the access layer information with said digital signature PKI and corresponding PKI sign thereof.
Also can comprise the Cell Broadcast Entity sign in the request message; Said first determination module 1302 is used for also confirming that the PKI sign of described request message is inequality with local PKI sign corresponding to said Cell Broadcast Entity sign of preserving; Also comprise in then said non-access layer information or the access layer information: the local digital signature PKI of preserving of said core net node, PKI sign and said Cell Broadcast Entity sign corresponding to said Cell Broadcast Entity sign, so that said subscriber equipment carries out related preservation with the said Cell Broadcast Entity sign in said non-access layer information or the access layer information with said digital signature PKI and PKI sign.
The method that above-mentioned each module is carried out is described in detail in embodiment 2 and embodiment 4, repeats no more at this.
In subscriber equipment that the embodiment of the invention provides and the core net node equipment; Because core net node issues up-to-date digital signature PKI through non-access layer information or access layer information to subscriber equipment; And authentication module reaches the digital signature PKI of preserving in this locality through Digital Signature Algorithm; Can realize that subscriber equipment verifies the digital signature in the alarm information that receives; The embodiment of the invention can be carried out the digital signature PKI and issued, and has remedied in the 3GPP standard the not defective of specific definition digital signature implementation method.
Through the description of above execution mode, the those skilled in the art can be well understood to the present invention and can realize by the mode that software adds essential common hardware, can certainly pass through hardware, but the former is better execution mode under a lot of situation.Based on such understanding; The part that technical scheme of the present invention contributes to prior art in essence in other words can be come out with the embodied of software product, and this computer software product is stored in the storage medium that can read, like the floppy disk of computer; Hard disk or CD etc.; Comprise some instructions with so that computer equipment (can be personal computer, server, the perhaps network equipment etc.) carry out the described method of each embodiment of the present invention.
The embodiment of the invention is mainly used in the public alarm system.
The above; Be merely embodiment of the present invention, but protection scope of the present invention is not limited thereto, any technical staff who is familiar with the present technique field is in the technical scope that the present invention discloses; Can expect easily changing or replacement, all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection range of said claim.
Claims (49)
1. a method that realizes digital signature is characterized in that, is applied to comprise in the public alarm system:
Subscriber equipment receives and preserves the digital signature PKI that core net node issues through non-access layer information or access layer information;
Said subscriber equipment is verified the digital signature in the alarm information that receives according to the digital signature PKI of Digital Signature Algorithm and preservation.
2. method according to claim 1 is characterized in that, said access layer information is the Access Layer Security Mode Command message, and said non-access layer information is one of following any message:
The Non-Access Stratum Security Mode Command message;
Adhere to and accept message;
Location area updating is accepted message;
Routing Area Update is accepted message.
3. method according to claim 1; It is characterized in that; Said Digital Signature Algorithm is pre-configured in the subscriber equipment or by said subscriber equipment and selects to obtain according to the Digital Signature Algorithm sign; Wherein, said Digital Signature Algorithm sign is arranged in the alert message in the said alarm information or in the security parameter in the said alarm information.
4. method according to claim 1; It is characterized in that; Before the digital signature PKI that said subscriber equipment receives and the preservation core net node issues through non-access layer information or access layer information; Also comprise: said subscriber equipment sends a request message to core net node, wherein, comprises the corresponding PKI sign of digital signature PKI of said preservation in the described request message;
Said subscriber equipment receives and preserves core net node and comprises through the digital signature PKI that non-access layer information or access layer information issue:
The PKI sign of said subscriber equipment reception core net node in confirming described request message identifies under the situation inequality with the PKI that said core net node is preserved, and issues PKI sign and the corresponding digital signature PKI thereof that said core net node is preserved through non-access layer information or access layer information;
Said subscriber equipment carries out the association preservation with said PKI sign and the corresponding digital signature PKI thereof that issues through non-access layer information or access layer information.
5. method according to claim 4 is characterized in that, said non-access layer information or access layer information also comprise the PKI sign in the described request message;
Said subscriber equipment is preserved before digital signature PKI that core net node issues through non-access layer information or access layer information and the corresponding PKI sign thereof, also comprises:
Said subscriber equipment confirms that the PKI sign in the request message that PKI identifies with said non-access layer information or access layer information comprise in the described request message is identical.
6. method according to claim 1; It is characterized in that; Before the digital signature PKI that said subscriber equipment receives and the preservation core net node issues through non-access layer information or access layer information; Also comprise: said subscriber equipment sends a request message to core net node, wherein, comprises the corresponding PKI sign of digital signature PKI of current network of network sign of living in of said subscriber equipment and said preservation in the described request message;
Said subscriber equipment receives and preserves core net node and comprises through the digital signature PKI that non-access layer information or access layer information issue:
Said subscriber equipment receives under the PKI sign of preserving in PKI sign and the said core net node in the network identity of core net node in confirming described request message and the described request message identical with the current network of network sign of living in of the said core net node situation inequality, issues the digital signature PKI and corresponding PKI identifies through non-access layer information or access layer information;
Said subscriber equipment receives network identity and the said core net node current of living in network of network of core net node in confirming described request message and identifies under the situation inequality, issues digital signature PKI and corresponding PKI sign thereof through non-access layer information or access layer information;
Said subscriber equipment identifies the said digital signature PKI that issues through non-access layer information or access layer information and corresponding PKI sign thereof and carries out related preservation with the current network of network of living in of said subscriber equipment; Wherein, the current network of network sign of living in of said subscriber equipment is issued to said subscriber equipment by said core net node through non-access layer information or access layer information or is obtained from system information by said subscriber equipment.
7. method according to claim 1; It is characterized in that; Before the digital signature PKI that said subscriber equipment receives and the preservation core net node issues through non-access layer information or access layer information; Also comprise: said subscriber equipment sends a request message to core net node, wherein, comprises the Cell Broadcast Entity sign that said subscriber equipment is preserved in the described request message;
Said subscriber equipment receives and preserves core net node and comprises through the digital signature PKI that non-access layer information or access layer information issue:
Said subscriber equipment receives said Cell Broadcast Entity sign and the corresponding digital signature PKI thereof that core net node issues through non-access layer information or access layer information;
Said subscriber equipment issues said Cell Broadcast Entity sign through non-access layer information or access layer information and carries out related preservation with corresponding its said digital signature PKI said.
8. method according to claim 7 is characterized in that, also comprises the PKI sign corresponding to said Cell Broadcast Entity sign in the described request message;
Said subscriber equipment receives and preserves core net node and comprises through the digital signature PKI that non-access layer information or access layer information issue:
The PKI sign of said subscriber equipment reception core net node in definite described request message identifies under the situation inequality with the PKI that identifies corresponding to said Cell Broadcast Entity that said core net node is preserved, and issues said Cell Broadcast Entity sign and corresponding PKI sign and digital signature PKI thereof through non-access layer information or access layer information;
Said subscriber equipment issues through non-access layer information or access layer information with said that said Cell Broadcast Entity sign identifies with corresponding its said PKI and said digital signature PKI carries out related preservation.
9. method according to claim 1; It is characterized in that; Before the digital signature PKI that said subscriber equipment receives and the preservation core net node issues through non-access layer information or access layer information; Also comprise: said subscriber equipment sends a request message to core net node, wherein, comprises Cell Broadcast Entity sign, corresponding its PKI sign and the current network of network sign of living in of said subscriber equipment in the described request message;
Said subscriber equipment receives and preserves core net node and comprises through the digital signature PKI that non-access layer information or access layer information issue:
Said subscriber equipment receive preserve in PKI sign and the said core net node in the network identity of core net node in confirming described request message and the described request message identical with the current network of network sign of living in of said core net node corresponding under the PKI sign of the said Cell Broadcast Entity sign situation inequality, the digital signature PKI, PKI sign and the said Cell Broadcast Entity that issue corresponding to said Cell Broadcast Entity sign through non-access layer information or access layer information identify;
Said subscriber equipment receives network identity and the said core net node current of living in network of network of core net node in confirming described request message and identifies under the situation inequality, issues digital signature PKI, PKI sign and said Cell Broadcast Entity sign corresponding to said Cell Broadcast Entity sign through non-access layer information or access layer information;
Said subscriber equipment carries out related preservation with said Cell Broadcast Entity sign, digital signature PKI and the PKI sign that issues through non-access layer information or access layer information with the current network of network sign of living in of said subscriber equipment; Wherein, the current network of network sign of living in of said subscriber equipment is issued to said subscriber equipment by said core net node through non-access layer information or access layer information or is obtained from system information by said subscriber equipment.
10. according to each described method of claim 1~3, it is characterized in that the said digital signature PKI that issues through non-access layer information or access layer information comprises two up-to-date digital signature PKIs.
11. according to claim 1 or 3 described methods; It is characterized in that; Comprise two digital signature in the said alarm information; Said two digital signature adopt the digital signature private key corresponding with two up-to-date digital signature PKIs of the local preservation of said Cell Broadcast CB equipment respectively to the acquisition of signing of said alarm information by Cell Broadcast CB equipment, and wherein, said Cell Broadcast CB equipment is CBC or Cell Broadcast Entity;
Said subscriber equipment is verified the digital signature in the alarm information that receives according to the said digital signature PKI of Digital Signature Algorithm and preservation and is comprised:
Said subscriber equipment is verified respectively said two digital signature in the said alarm information according to the said digital signature PKI of Digital Signature Algorithm and preservation.
12. method according to claim 11; It is characterized in that; If the said digital signature PKI that said subscriber equipment is preserved comprises two up-to-date digital signature PKIs, said subscriber equipment is verified respectively said two digital signature in the said alarm information according to the said digital signature PKI of Digital Signature Algorithm and preservation and is comprised:
Said subscriber equipment is verified respectively said two digital signature in the said alarm information according to Digital Signature Algorithm and said two up-to-date digital signature PKIs.
13. method according to claim 1 is characterized in that, after said said digital signature PKI according to Digital Signature Algorithm and preservation is verified the digital signature in the said alarm information, also comprises:
If said checking is not passed through,, and adopt said up-to-date digital signature PKI and said Digital Signature Algorithm that the digital signature in the said alarm information is verified once more then to the up-to-date digital signature PKI of said core net node request.
14. method according to claim 13 is characterized in that, the digital signature PKI up-to-date to said core net node request comprises:
Through non-access layer information or access layer information to the up-to-date digital signature PKI of said core net node request.
15. method according to claim 1 is characterized in that, also comprises the PKI sign in the said alarm information;
, said digital signature PKI according to Digital Signature Algorithm and preservation also comprises before verifying the digital signature in the alarm information that receives:
Said subscriber equipment confirms that the pairing PKI sign of the digital signature PKI of said preservation is inequality with the PKI sign in the said alarm information;
Said subscriber equipment is to up-to-date digital signature PKI of said core net node request and corresponding PKI sign;
Said subscriber equipment receives and preserves the said up-to-date digital signature PKI that issues from said core net node and corresponding PKI sign;
Said digital signature PKI according to Digital Signature Algorithm and preservation is verified the digital signature in the alarm information that receives and is comprised:
According to said up-to-date digital signature PKI the digital signature in the said alarm information is verified.
16. method according to claim 1 is characterized in that, also comprises the PKI sign in the said alarm information;
, said digital signature PKI according to Digital Signature Algorithm and preservation also comprises before verifying the digital signature in the alarm information that receives:
Said subscriber equipment confirms that the pairing PKI of the digital signature PKI of said preservation sign identifies identical with PKI in the said alarm information.
17., it is characterized in that said PKI sign is arranged in the alert message in the said alarm information or in the security parameter in the said alarm information according to claim 15 or 16 described methods.
18. method according to claim 1 is characterized in that, also comprises the Cell Broadcast Entity sign in the said alarm information;
, said digital signature PKI according to Digital Signature Algorithm and preservation also comprises before verifying the digital signature in the alarm information that receives:
Said subscriber equipment confirms that the pairing Cell Broadcast Entity sign of the digital signature PKI of said preservation is inequality with the Cell Broadcast Entity sign in the said alarm information;
Said subscriber equipment to said core net node request corresponding to said alarm information in the up-to-date digital signature PKI of Cell Broadcast Entity sign;
That said subscriber equipment receives and preserves is that said core net node issues, corresponding to the up-to-date digital signature PKI of Cell Broadcast Entity sign in the said alarm information;
Said digital signature PKI according to Digital Signature Algorithm and preservation is verified the digital signature in the alarm information that receives and is comprised:
According to said up-to-date digital signature PKI the digital signature in the said alarm information is verified.
19. method according to claim 18 is characterized in that, also comprises the PKI sign corresponding to said Cell Broadcast Entity sign in the said alarm information;
, said digital signature PKI according to Digital Signature Algorithm and preservation also comprises before verifying the digital signature in the alarm information that receives:
Said subscriber equipment confirms that the pairing Cell Broadcast Entity of the digital signature PKI of said preservation sign is identical with Cell Broadcast Entity sign in the said alarm information, and the pairing PKI sign of the digital signature PKI of said preservation identifies inequality with PKI in the said alarm information;
Said subscriber equipment to said core net node request corresponding to said alarm information in digital signature PKI Cell Broadcast Entity, up-to-date and PKI sign;
Said subscriber equipment receives and preserves said up-to-date digital signature PKI and the PKI sign that issues from said core net node.
20. a method that realizes digital signature is characterized in that, is applied to comprise in the public alarm system:
Core net node receives the request message that comprises the PKI sign that subscriber equipment sends;
Said core net node confirms that the PKI sign in the described request message is inequality with the pairing PKI sign of the local digital signature PKI of preserving;
Said core net node issues local said digital signature PKI of preserving and corresponding PKI sign thereof through non-access layer information or access layer information to said subscriber equipment.
21. method according to claim 20 is characterized in that, said access layer information is the Access Layer Security Mode Command message, and said non-access layer information is one of following any message:
The Non-Access Stratum Security Mode Command message;
Adhere to and accept message;
Location area updating is accepted message;
Routing Area Update is accepted message.
22. method according to claim 20; It is characterized in that; Also comprise the PKI sign in the described request message in said non-access layer information or the access layer information; So that under the PKI sign of said subscriber equipment in the confirming described request message situation identical, preserve digital signature PKI that said core net node issues through non-access layer information or access layer information and corresponding PKI thereof and identify with PKI sign in the request message that said non-access layer information or access layer information comprise.
23. according to claim 21 or 22 described methods, it is characterized in that, also comprise network identity in the described request message;
Said core net node confirm PKI sign in the described request message with the pairing PKI sign of the local digital signature PKI of preserving inequality before, also comprise;
Said core net node confirms that the network identity in the described request message is identical with local network of network sign of living in.
24. according to claim 20 or 21 described methods, it is characterized in that, also comprise network identity in the described request message;
Said core net node confirm PKI sign in the described request message with the pairing PKI sign of the local digital signature PKI of preserving inequality before, also comprise: said core net node confirms that the network identity in the described request message identifies inequality with local network of network of living in;
Also comprise in then said non-access layer information or the access layer information: the local network of network sign of living in of said subscriber equipment, so that said subscriber equipment carries out related preservation with the said network identity in said non-access layer information or the access layer information with said digital signature PKI and corresponding PKI sign thereof.
25., it is characterized in that according to claim 20 or 21 described methods, also comprise the Cell Broadcast Entity sign in the described request message, said PKI sign is corresponding to said Cell Broadcast Entity sign;
Said core net node confirms that the PKI in the described request message identifies the pairing PKI of the digital signature PKI of preserving with this locality and identifies inequality comprising: said core net node confirms that the PKI in the described request message identifies the PKI of preserving with this locality that identifies corresponding to said Cell Broadcast Entity and identifies inequality;
Said core net node comprises to the PKI sign that said subscriber equipment issues local said digital signature PKI of preserving and correspondence thereof through non-access layer information or access layer information: said core net node issues the digital signature PKI corresponding to said Cell Broadcast Entity sign, the PKI preserved this locality through non-access layer information or access layer information to said subscriber equipment and identifies and said Cell Broadcast Entity sign, carries out related preservation so that said subscriber equipment identifies the said Cell Broadcast Entity in said non-access layer information or the access layer information with said digital signature PKI and PKI sign.
26. a subscriber equipment is characterized in that, is applied to comprise in the public alarm system:
Receiver module is used to receive and preserve the digital signature PKI that core net node issues through non-access layer information or access layer information;
Authentication module, the said digital signature PKI that is used for receiving according to Digital Signature Algorithm and said receiver module is verified the digital signature of the alarm information that receives.
27. subscriber equipment according to claim 26 is characterized in that, the access layer information that is used to be handed down to the said digital signature PKI of said receiver module is the Access Layer Security Mode Command message;
The non-access layer information that is used to be handed down to the said digital signature PKI of said receiver module is one of following any message:
The Non-Access Stratum Security Mode Command message;
Adhere to and accept message;
Location area updating is accepted message;
Routing Area Update is accepted message.
28. subscriber equipment according to claim 26; It is characterized in that; Said Digital Signature Algorithm is pre-configured in the said subscriber equipment or by said subscriber equipment and selects to obtain according to the Digital Signature Algorithm sign; Wherein, said Digital Signature Algorithm sign is arranged in the alert message in the said alarm information or in the security parameter in the said alarm information.
29. subscriber equipment according to claim 26 is characterized in that, said subscriber equipment also comprises:
Request module is used for sending a request message to core net node, wherein, comprises the corresponding PKI sign of digital signature PKI of said preservation in the described request message;
Said receiver module also is used for receiving core net node under the PKI sign that the PKI sign and the said core net node of the request message of definite described request module are preserved situation inequality, issues the PKI sign of said core net node preservation and the digital signature PKI of correspondence thereof through non-access layer information or access layer information;
The related module of preserving is used for said PKI sign and the corresponding digital signature PKI thereof that issues through non-access layer information or access layer information carried out the association preservation.
30. subscriber equipment according to claim 29 is characterized in that, said non-access layer information or access layer information also comprise the PKI sign in the described request message;
Said receiver module also was used for before preserving digital signature PKI that core net node issues through non-access layer information or access layer information and corresponding PKI sign thereof, confirmed that the PKI sign in the request message of described request module identifies identical with PKI in the request message that said non-access layer information or access layer information comprise.
31. subscriber equipment according to claim 26 is characterized in that, said subscriber equipment also comprises:
Request module is used for sending a request message to core net node, wherein, comprises the corresponding PKI sign of said digital signature PKI that current network of network sign of living in of said subscriber equipment and said receiver module receive in the described request message;
Said receiver module also is used for receiving under PKI sign that core net node preserves in the PKI sign in and the described request message identical with the current network of network sign of living in of said core net node and the said core net node at the network identity of the request message of confirming the described request module situation inequality, issues the digital signature PKI and corresponding PKI identifies through non-access layer information or access layer information;
Said receiver module also is used for receiving core net node and identifies under the situation inequality at the network identity of confirming described request message and the current network of network of living in of said core net node, issues digital signature PKI and corresponding PKI sign thereof through non-access layer information or access layer information;
The related module of preserving is used for the said digital signature PKI that issues through non-access layer information or access layer information and corresponding PKI sign thereof identified with the current network of network of living in of said subscriber equipment and carries out related preservation;
Wherein, the current network of network sign of living in of said subscriber equipment is issued to said subscriber equipment by said core net node through non-access layer information or access layer information or is obtained from system information by said subscriber equipment.
32. subscriber equipment according to claim 26 is characterized in that, said subscriber equipment also comprises:
Request module is used for sending a request message to core net node, wherein, comprises the Cell Broadcast Entity sign that said subscriber equipment is preserved in the described request message;
Said receiver module also is used to receive said Cell Broadcast Entity sign and the corresponding digital signature PKI thereof that core net node issues through non-access layer information or access layer information;
The related module of preserving is used for issuing said Cell Broadcast Entity sign through non-access layer information or access layer information and carrying out related preservation with corresponding its said digital signature PKI said.
33. subscriber equipment according to claim 32 is characterized in that, also comprises the PKI sign corresponding to said Cell Broadcast Entity sign in the described request message;
Said receiver module also is used for receiving core net node under the PKI sign that identifies corresponding to said Cell Broadcast Entity that the PKI sign of confirming described request message and said core net node are preserved situation inequality, issues said Cell Broadcast Entity sign and corresponding PKI sign and digital signature PKI thereof through non-access layer information or access layer information;
The said related module of preserving also is used for issuing through non-access layer information or access layer information with said that said Cell Broadcast Entity sign identifies with corresponding its said PKI and said digital signature PKI carries out related preservation.
34. subscriber equipment according to claim 26 is characterized in that, said subscriber equipment also comprises:
Request module is used for sending a request message to core net node, wherein, comprises Cell Broadcast Entity sign, corresponding its PKI sign and the current network of network sign of living in of said subscriber equipment in the described request message;
Said receiver module also is used for receiving under core net node preserves in the PKI sign in the identical and described request message and the said core net node in the current network of network sign of living in of the network identity of confirming described request message and said core net node corresponding to the PKI sign of the said Cell Broadcast Entity sign situation inequality, and the digital signature PKI, PKI sign and the said Cell Broadcast Entity that issue corresponding to said Cell Broadcast Entity sign through non-access layer information or access layer information identify;
Said receiver module also is used for receiving core net node and identifies under the situation inequality at the network identity of confirming described request message and the current network of network of living in of said core net node, issues digital signature PKI, PKI sign and said Cell Broadcast Entity sign corresponding to said Cell Broadcast Entity sign through non-access layer information or access layer information;
The related module of preserving; Said Cell Broadcast Entity sign, digital signature PKI and the PKI sign that issues through non-access layer information or access layer information carried out related preservation with the current network of network sign of living in of said subscriber equipment; Wherein, the current network of network sign of living in of said subscriber equipment is issued to said subscriber equipment by said core net node through non-access layer information or access layer information or is obtained from system information by said subscriber equipment.
35., it is characterized in that the digital signature PKI that issues through non-access layer information or access layer information comprises two up-to-date digital signature PKIs according to each described subscriber equipment of claim 26~28.
36. according to claim 26 or 28 described subscriber equipmenies; It is characterized in that; Comprise two digital signature in the said alarm information, said two digital signature adopt the digital signature private key corresponding with two up-to-date digital signature PKIs of the local preservation of said Cell Broadcast CB equipment respectively to the acquisition of signing of said alarm information by Cell Broadcast CB equipment; Said Cell Broadcast CB equipment is CBC or Cell Broadcast Entity;
Said authentication module also is used for: the said digital signature PKI according to Digital Signature Algorithm and said receiver module receive is verified respectively said two digital signature of said alarm information.
37. subscriber equipment according to claim 36 is characterized in that, if the said digital signature PKI that said subscriber equipment is preserved comprises two up-to-date digital signature PKIs;
Said authentication module also is used for: according to Digital Signature Algorithm and said two up-to-date digital signature PKIs said two digital signature of said alarm information are verified respectively.
38. subscriber equipment according to claim 26 is characterized in that, said authentication module also is used for:
After the said said digital signature PKI that receives according to Digital Signature Algorithm and said receiver module is verified the digital signature in the said alarm information; If said checking is not passed through; Then to the up-to-date digital signature PKI of said core net node request, and adopt said up-to-date digital signature PKI and said Digital Signature Algorithm that the digital signature in the said alarm information is verified again.
39. according to the described subscriber equipment of claim 38; It is characterized in that; Said authentication module also is used for: after the said said digital signature PKI that receives according to Digital Signature Algorithm and said receiver module is verified the digital signature of said alarm information; If said checking is not passed through; Then pass through non-access layer information or access layer information to the up-to-date digital signature PKI of said core net node request, and adopt said up-to-date digital signature PKI and said Digital Signature Algorithm that the digital signature in the said alarm information is verified again.
40. subscriber equipment according to claim 26 is characterized in that, also comprises the PKI sign in the said alarm information;
Said subscriber equipment also comprises:
The PKI update module; Be used for before the said said digital signature PKI that receives according to Digital Signature Algorithm and said receiver module is verified the digital signature of the alarm information that receives; Confirm that pairing PKI sign of said digital signature PKI that said receiver module receives and PKI in the said alarm information identify when inequality, to up-to-date digital signature PKI of said core net node request and corresponding PKI sign; Receive and preserve the said up-to-date digital signature PKI that issues from said core net node and corresponding PKI sign;
Said authentication module also is used for: according to said up-to-date digital signature PKI the digital signature of the alarm information that receives is verified.
41. subscriber equipment according to claim 26 is characterized in that, also comprises the PKI sign in the said alarm information;
Said subscriber equipment also comprises determination module, is used for confirming that the pairing PKI sign of said digital signature PKI that said receiver module receives identifies identical with the PKI of said alarm information.
42. subscriber equipment according to claim 26 is characterized in that, also comprises the Cell Broadcast Entity sign in the said alarm information, said subscriber equipment also comprises:
The PKI update module; Be used for before said digital signature PKI according to Digital Signature Algorithm and preservation is verified the digital signature of the alarm information that receives, confirming that the pairing Cell Broadcast Entity sign of digital signature PKI of said preservation is inequality with the Cell Broadcast Entity sign in the said alarm information; To said core net node request corresponding to said alarm information in the up-to-date digital signature PKI of Cell Broadcast Entity sign; Receive and preserve that said core net node issues, corresponding to the up-to-date digital signature PKI of Cell Broadcast Entity sign in the said alarm information;
Said authentication module also is used for: according to said up-to-date digital signature PKI the digital signature of said alarm information is verified.
43. according to the described subscriber equipment of claim 42, it is characterized in that, also comprise PKI sign in the said alarm information corresponding to said Cell Broadcast Entity sign;
Said PKI update module; Also be used for before said digital signature PKI according to Digital Signature Algorithm and preservation is verified the digital signature of the alarm information that receives; Confirm that the pairing Cell Broadcast Entity sign of the digital signature PKI of said preservation is identical with Cell Broadcast Entity sign in the said alarm information, and the pairing PKI sign of the digital signature PKI of said preservation identifies with PKI in the said alarm information inequality; To said core net node request corresponding to said alarm information in digital signature PKI Cell Broadcast Entity, up-to-date and PKI sign; Receive and preserve the said up-to-date digital signature PKI and the PKI sign that issue from said core net node.
44. a core net node equipment is characterized in that, is applied to comprise in the public alarm system:
Receiver module is used to receive the request message that comprises the PKI sign that subscriber equipment sends;
First determination module, the PKI sign of the request message that is used for confirming that said receiver module is received is inequality with the pairing PKI sign of the local digital signature PKI of preserving;
Sending module; The PKI sign that is used for confirming request message when first determination module and the local pairing PKI of preserving of digital signature PKI identify when inequality, issue local said digital signature PKI of preserving and corresponding PKI sign thereof through non-access layer information or access layer information to said subscriber equipment.
45., it is characterized in that the access layer information that said sending module adopted is the Access Layer Security Mode Command message according to the described core net node equipment of claim 44;
The non-access layer information that said sending module adopted is one of following any message:
The Non-Access Stratum Security Mode Command message;
Adhere to and accept message;
Location area updating is accepted message;
Routing Area Update is accepted message.
46. according to the described core net node equipment of claim 45; It is characterized in that; Also comprise the PKI sign in the described request message in non-access layer information that said sending module sends or the access layer information; So that under the PKI sign of said subscriber equipment in the confirming described request message situation identical, preserve digital signature PKI that said core net node equipment issues through non-access layer information or access layer information and corresponding PKI thereof and identify with PKI sign in the request message that said non-access layer information or access layer information comprise.
47. according to claim 45 or 46 described core net node equipment, it is characterized in that, also comprise network identity in the request message that said receiver module receives;
Said core net node equipment also comprises second determination module; Be used for before PKI sign that said first determination module is confirmed request message is inequality with the pairing PKI sign of the local digital signature PKI of preserving, confirming that the network identity in the described request message identifies identical with local network of network of living in.
48. according to claim 44 or 45 described core net node equipment, it is characterized in that, also comprise network identity in the request message that said receiver module receives;
Said core net node equipment also comprises the 3rd determination module; Be used for before PKI sign that said first determination module is confirmed request message is inequality with the pairing PKI sign of the local digital signature PKI of preserving, confirming that the network identity in the described request message identifies inequality with local network of network of living in;
Also comprise in then said non-access layer information or the access layer information: the local network of network sign of living in of said core net node equipment, so that said subscriber equipment carries out related preservation with the said network identity in said non-access layer information or the access layer information with said digital signature PKI and corresponding PKI sign thereof.
49., it is characterized in that according to claim 36 or 37 described core net node equipment, also comprise the Cell Broadcast Entity sign in the described request message, said PKI sign is corresponding to said Cell Broadcast Entity sign;
Said first determination module is used for also confirming that the PKI sign of described request message is inequality with local PKI sign corresponding to said Cell Broadcast Entity sign of preserving;
Also comprise in then said non-access layer information or the access layer information: the local digital signature PKI of preserving of said core net node, PKI sign and said Cell Broadcast Entity sign corresponding to said Cell Broadcast Entity sign, so that said subscriber equipment carries out related preservation with the said Cell Broadcast Entity sign in said non-access layer information or the access layer information with said digital signature PKI and PKI sign.
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2011101775032A CN102611553A (en) | 2011-01-25 | 2011-06-28 | Method for realizing digital signature, user equipment and core network node equipment |
| CN201110323605.0A CN102611554B (en) | 2011-01-25 | 2011-10-21 | Method and equipment for realizing digital signature |
| CN201510317626.XA CN104935439B (en) | 2011-01-25 | 2011-10-21 | Realize the method and apparatus of digital signature |
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110027475 | 2011-01-25 | ||
| CN201110027475.6 | 2011-01-25 | ||
| CN2011101775032A CN102611553A (en) | 2011-01-25 | 2011-06-28 | Method for realizing digital signature, user equipment and core network node equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102611553A true CN102611553A (en) | 2012-07-25 |
Family
ID=46528727
Family Applications (3)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2011101775032A Pending CN102611553A (en) | 2011-01-25 | 2011-06-28 | Method for realizing digital signature, user equipment and core network node equipment |
| CN201110323605.0A Active CN102611554B (en) | 2011-01-25 | 2011-10-21 | Method and equipment for realizing digital signature |
| CN201510317626.XA Active CN104935439B (en) | 2011-01-25 | 2011-10-21 | Realize the method and apparatus of digital signature |
Family Applications After (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110323605.0A Active CN102611554B (en) | 2011-01-25 | 2011-10-21 | Method and equipment for realizing digital signature |
| CN201510317626.XA Active CN104935439B (en) | 2011-01-25 | 2011-10-21 | Realize the method and apparatus of digital signature |
Country Status (1)
| Country | Link |
|---|---|
| CN (3) | CN102611553A (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2014071569A1 (en) * | 2012-11-07 | 2014-05-15 | 华为技术有限公司 | Method, apparatus, ue and ca for updating ca public key |
| WO2014071585A1 (en) * | 2012-11-08 | 2014-05-15 | 华为技术有限公司 | Method and device for obtaining public key |
| CN104255044A (en) * | 2012-11-09 | 2014-12-31 | 华为技术有限公司 | Message validation method and terminal |
| CN105847013A (en) * | 2016-05-30 | 2016-08-10 | 上海欧冶金融信息服务股份有限公司 | Security verification method of digital signature |
| CN106256111A (en) * | 2014-03-20 | 2016-12-21 | 黑莓有限公司 | For the method verifying message |
| CN110225518A (en) * | 2018-07-13 | 2019-09-10 | Oppo广东移动通信有限公司 | Method, terminal device and the network equipment of message transmission |
| CN112512039A (en) * | 2020-12-04 | 2021-03-16 | 素泰智能科技(上海)有限公司 | Method for verifying validity of alarm information and terminal equipment |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20210111902A1 (en) * | 2019-10-11 | 2021-04-15 | Qualcomm Incorporated | System information protection at a network function in the core network |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2001043344A1 (en) * | 1999-12-13 | 2001-06-14 | Rsa Security Inc. | System and method for generating and managing attribute certificates |
| CN1207866C (en) * | 2001-09-28 | 2005-06-22 | 中国科学院研究生院 | Safe digital signature system and method |
| JP2010510744A (en) * | 2006-11-21 | 2010-04-02 | コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ | Biometric fuzzy signature |
| CN101252431B (en) * | 2007-09-06 | 2011-07-27 | 广州信睿网络科技有限公司 | Realizing method of general-purpose digital signing scheme |
| CN101282222B (en) * | 2008-05-28 | 2011-09-28 | 胡祥义 | Digital signature method based on CSK |
-
2011
- 2011-06-28 CN CN2011101775032A patent/CN102611553A/en active Pending
- 2011-10-21 CN CN201110323605.0A patent/CN102611554B/en active Active
- 2011-10-21 CN CN201510317626.XA patent/CN104935439B/en active Active
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104137468A (en) * | 2012-11-07 | 2014-11-05 | 华为技术有限公司 | Method, apparatus, ue and ca for updating ca public key |
| JP2015535153A (en) * | 2012-11-07 | 2015-12-07 | ▲ホア▼▲ウェイ▼技術有限公司 | Method and apparatus for updating CA public key, UE and CA |
| WO2014071569A1 (en) * | 2012-11-07 | 2014-05-15 | 华为技术有限公司 | Method, apparatus, ue and ca for updating ca public key |
| WO2014071585A1 (en) * | 2012-11-08 | 2014-05-15 | 华为技术有限公司 | Method and device for obtaining public key |
| CN104255044B (en) * | 2012-11-09 | 2018-04-20 | 华为技术有限公司 | The method and terminal of a kind of information authentication |
| CN104255044A (en) * | 2012-11-09 | 2014-12-31 | 华为技术有限公司 | Message validation method and terminal |
| US10218513B2 (en) | 2012-11-09 | 2019-02-26 | Huawei Technologie Co., Ltd. | Method and terminal for message verification |
| CN106256111A (en) * | 2014-03-20 | 2016-12-21 | 黑莓有限公司 | For the method verifying message |
| CN106256111B (en) * | 2014-03-20 | 2019-11-08 | 黑莓有限公司 | Method for verifying message |
| CN105847013A (en) * | 2016-05-30 | 2016-08-10 | 上海欧冶金融信息服务股份有限公司 | Security verification method of digital signature |
| CN110225518A (en) * | 2018-07-13 | 2019-09-10 | Oppo广东移动通信有限公司 | Method, terminal device and the network equipment of message transmission |
| CN112512039A (en) * | 2020-12-04 | 2021-03-16 | 素泰智能科技(上海)有限公司 | Method for verifying validity of alarm information and terminal equipment |
| CN112512039B (en) * | 2020-12-04 | 2022-12-06 | 素泰智能科技(上海)有限公司 | Method for verifying validity of alarm information and terminal equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102611554B (en) | 2015-05-13 |
| CN102611554A (en) | 2012-07-25 |
| CN104935439B (en) | 2018-08-14 |
| CN104935439A (en) | 2015-09-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102611553A (en) | Method for realizing digital signature, user equipment and core network node equipment | |
| CN106465106B (en) | Method and system for providing security from a radio access network | |
| CA3051938C (en) | Wireless communications | |
| CN105830476A (en) | Method and system for providing security from a radio access network | |
| CN101946536A (en) | Application specific master key selection in evolved networks | |
| US11785450B2 (en) | Method and system for providing non-access stratum (NAS) message protection | |
| JP2022517584A (en) | UE, communication system and method | |
| US20110135095A1 (en) | Method and system for generating key identity identifier when user equipment transfers | |
| WO2021197489A1 (en) | Communication system, method and apparatus | |
| US20150236851A1 (en) | Method and apparatus for updating ca public key, ue and ca | |
| WO2021087973A1 (en) | Wireless communication method for registration procedure | |
| CN108243631A (en) | A kind of method and apparatus for accessing network | |
| CN102892114A (en) | Method and device for checking equipment validity | |
| WO2012167637A1 (en) | Method and network entity for sending public warning system secret key message to terminal | |
| CN110891270B (en) | Selection method and device of authentication algorithm | |
| WO2021031053A1 (en) | Communication method, device, and system | |
| US20230354037A1 (en) | Methods and systems for identifying ausf and accessing related keys in 5g prose | |
| KR20190117136A (en) | Apparatus and method for security of information in wireless communication | |
| WO2021073382A1 (en) | Registration method and apparatus | |
| CN109729522A (en) | Eat dishes without rice or wine encryption method and device under fail soft mode | |
| CN115706997A (en) | Authorization verification method and device | |
| CN102318259A (en) | Method and apparatus for traffic count key management and key count management | |
| CN115380570B (en) | Communication method, device and system | |
| EP4090059A1 (en) | Device and method for providing emergency message in wireless communication system | |
| CN114208240B (en) | Data transmission method, device and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20120725 |