CN104852891A - Secret key generation method, equipment and system - Google Patents

Secret key generation method, equipment and system Download PDF

Info

Publication number
CN104852891A
CN104852891A CN201410057184.5A CN201410057184A CN104852891A CN 104852891 A CN104852891 A CN 104852891A CN 201410057184 A CN201410057184 A CN 201410057184A CN 104852891 A CN104852891 A CN 104852891A
Authority
CN
China
Prior art keywords
key
identifier
location server
equipment
subscriber equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410057184.5A
Other languages
Chinese (zh)
Other versions
CN104852891B (en
Inventor
何文裕
何承东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN201410057184.5A priority Critical patent/CN104852891B/en
Priority to PCT/CN2014/080987 priority patent/WO2015123953A1/en
Publication of CN104852891A publication Critical patent/CN104852891A/en
Application granted granted Critical
Publication of CN104852891B publication Critical patent/CN104852891B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0872Generation of secret information including derivation or calculation of cryptographic keys or passwords using geo-location information, e.g. location data, time, relative position or proximity to other entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the invention provides a Secret key generation method, equipment and system and relates to the communication field. A session key is derived step by step, and confidentiality and integrity are provided for data transmission between user equipment and a router in a UIP network. The method provided by the embodiment of the invention comprises the steps that an objective router receives a switching request message sent by a source router and sends an access request message to a position server; the objective router receives an access response message sent by the position server, wherein the access response message contains related equipment secret keys, the related equipment secret keys are derived by the position server according to random values, a root key and one or more of the following parameters: equipment identifiers of user equipment, an identifier of the domain of the position server and an identifier of the objective router; and the objective router derives the session key according to the related equipment secret keys in the access response message.

Description

A kind of method of secret generating, equipment and system
Technical field
The present invention relates to the communications field, particularly relate to a kind of method of secret generating, equipment and system.
Background technology
For a long time, internet protocol address (Internet Protocol Address, be called for short IP address) serve as the dual role of identifier (i.e. host identities identify) and finger URL (i.e. network location identifier), this makes being separated of in ICP/IP protocol architectural framework transport layer and network layer thorough not, to realize end host move and certain limitation is brought in the aspect such as to ensure communication safety; Need the identifier of IP address to be separated with finger URL to solve the problem, wherein, user identity agreement (User Identity Protocol, UIP) is exactly a kind of scheme realizing the identifier of IP address to be separated with finger URL.
Fig. 1 is the network architecture schematic diagram of UIP, as shown in Figure 1, UIP network is made up of one or more UIP territory, a UIP territory is by a subscriber location servers (SubscriberLocation Server, be called for short SLS), one or more router (Domain Router, be called for short DR) composition, wherein, router in UIP territory and between different UIP territory interlinks, UIP interlinks between location server and router in territory, wherein, router preserves the mapping relations of the user identifier (User ID) of subscriber equipment and the finger URL (Locator) of subscriber equipment, realize user data to forward and message address conversion, location server preserves the mapping relations of UserID and subscriber equipment current router (i.e. source router), subscriber equipment (UserEquipment, UE) by wireless access network access UIP territory, as shown in Figure 1, user face (the User Plane of what solid line represented is UIP network, UP), transmission be business datum, that dotted line represents is UIP network-based control face (Control Plane, CP), transmission is control signal.
But, in UIP network, between subscriber equipment and router, directly carry out transfer of data, confidentiality, integrality can not be provided for the transfer of data between subscriber equipment and router.
Summary of the invention
Embodiments of the invention provide a kind of method, equipment and system of secret generating, derive session key step by step, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality.
For achieving the above object, embodiments of the invention adopt following technical scheme:
First aspect, the embodiment of the present invention provides a kind of method of secret generating, comprising:
Object router receives the handover request message that source router sends, and wherein, described handoff request message contains the user identifier of subscriber equipment, the device identifier of described subscriber equipment;
Described object router sends access request message to location server, and wherein, described access request comprises the user identifier of described subscriber equipment, the device identifier of described subscriber equipment and the identifier of described object router;
Described object router receives the access response message that described location server sends, wherein, described access response message comprises equipment association key, described equipment association key by described location server according to random value, one or more in root key and following parameter derive from: the device identifier of described subscriber equipment, the identifier in territory residing for described location server, the identifier of described object router; Described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key; Described root key is obtained according to described user identifier by location server;
Described object router derives session key according to the equipment association key in described access response message.
In conjunction with first aspect, in the first possible implementation of first aspect, described object router derives session key according to the equipment association key in described access response message, comprising:
Described object router derives temporary key according to the equipment association key in described access response message;
Described object router derives session key according to described temporary key.
In conjunction with the first possible implementation of first aspect or first aspect, in the implementation that the second of first aspect is possible, described equipment association key is by described location server according to random value, and the device identifier of root key and described subscriber equipment derives from;
Described object router derives session key according to the equipment association key in described access response message, comprising:
Described object router derives temporary key according to described equipment association key and count value; Wherein, described count value has described object router to obtain;
According to described temporary key, the identifier in territory residing for described location server and the identifier of described object router derive session key;
Or,
Described object router according to described equipment association key, count value, the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Session key is derived according to described temporary key;
Or,
Described object router is according to described equipment association key, and the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Session key is derived according to described temporary key and count value;
Or,
Described object router derives temporary key according to described equipment association key;
According to described temporary key, count value, the identifier in territory residing for described location server and the identifier of described object router derive session key.
In conjunction with the first possible implementation of first aspect or first aspect, in the third possible implementation of first aspect, described equipment association key by described location server according to random value, root key, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive from;
Described object router derives session key according to the described equipment association key in described access response message, comprising:
Described object router derives temporary key according to described equipment association key and count value;
Session key is derived according to described temporary key;
Or,
Described object router derives temporary key according to described equipment association key;
Session key is derived according to described temporary key and count value.
In conjunction with first aspect to any one implementation in the third possible implementation of first aspect, in the 4th kind of possible implementation of first aspect, described method also comprises:
Described object router receives the authentication request message that described location server sends; Wherein, described authentication request message comprises the identifier in territory residing for described random value and described location server;
Described object router sends authentication request message to described subscriber equipment, wherein, described random value is comprised in described authentication request message, the identifier in territory residing for described location server and the identifier of described object router, to make described subscriber equipment return authentication response message and to generate equipment association key and session key.
Second aspect, the embodiment of the present invention provides a kind of method of secret generating, comprising:
Location server receives the access request message that object router sends, and wherein, described access request message comprises the user identifier of subscriber equipment, the device identifier of subscriber equipment and the identifier of described object router;
Described location server sends authentication request message to described object router, wherein, described authentication request message comprises the identifier in territory residing for random value and described location server, described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key;
Described location server receives the authentication response message that described object router sends, according to root key, one or more in described random value and following parameter derive described equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router; Described root key is obtained according to described user identifier by location server;
Described location server sends access response message to described object router, and wherein, described access response message comprises described equipment association key.
In conjunction with second aspect, in the first possible implementation of second aspect, described location server is according to root key, one or more in described random value and following parameter derive described equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router, comprising:
Described location server is according to root key, and the device identifier of described random value and described subscriber equipment derives described equipment association key;
Or,
Described location server is according to root key, and described random value, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive described equipment association key.
The third aspect, the embodiment of the present invention provides a kind of method of secret generating, comprising:
Subscriber equipment receives the authentication request message that object router sends, and wherein, described authentication request message comprises described random value, the identifier in territory residing for described location server and the identifier of described object router;
Described subscriber equipment is according to root key, one or more in described random value and following parameter derive equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router, derive session key according to described equipment association key.
In conjunction with the third aspect, in the first possible implementation of the third aspect, described subscriber equipment is according to root key, one or more in described random value and following parameter derive equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router, derive session key according to described equipment association key, comprising:
Described subscriber equipment is according to root key, and the device identifier of described random value and described subscriber equipment derives equipment association key;
Described subscriber equipment derives temporary key according to described equipment association key and count value;
Described subscriber equipment is according to described temporary key, and the identifier in territory residing for described location server and the identifier of described object router derive session key;
Or,
Described subscriber equipment is according to root key, and the device identifier of described random value and described subscriber equipment derives equipment association key;
Described subscriber equipment according to described equipment association key, count value, the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Described subscriber equipment derives session key according to described temporary key;
Or,
Described subscriber equipment is according to root key, and the device identifier of described random value and described subscriber equipment derives equipment association key;
Described subscriber equipment is according to described equipment association key, and the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Described subscriber equipment derives session key according to described temporary key and count value;
Or,
Described subscriber equipment is according to root key, and the device identifier of described random value and described subscriber equipment derives equipment association key;
Described subscriber equipment derives temporary key according to described equipment association key;
Described subscriber equipment according to described temporary key, count value, the identifier in territory residing for described location server and the identifier of described object router derive session key;
Or,
Described subscriber equipment according to root key, described random value, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive equipment association key;
Described subscriber equipment derives temporary key according to described equipment association key and count value;
Described subscriber equipment derives session key according to described temporary key;
Or,
Described subscriber equipment according to root key, described random value, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive equipment association key;
Described subscriber equipment derives temporary key according to described equipment association key;
Described subscriber equipment derives session key according to described temporary key and count value.
Fourth aspect, the embodiment of the present invention provides a kind of object router, comprising:
Receiver module, for receiving the handover request message that source router sends, wherein, described handoff request message contains the user identifier of subscriber equipment, the device identifier of described subscriber equipment;
Sending module, for when described receiver module receives handover request message, send access request message to location server, wherein, described access request message comprises the user identifier of described subscriber equipment, the device identifier of described subscriber equipment and the identifier of described object router;
Described receiver module, also for receiving the access response message that described location server sends, wherein, described access response message comprises equipment association key, described equipment association key by described location server according to random value, one or more in root key and following parameter derive from: the device identifier of described subscriber equipment, the identifier in territory residing for described location server, the identifier of described object router;
Generation module: during for receiving access response message at described receiver module, derive session key according to described equipment association key.
In conjunction with fourth aspect, in the first possible implementation of fourth aspect, described generation module specifically for:
Temporary key is derived according to described equipment association key;
Session key is derived according to described temporary key.
In conjunction with the first possible implementation of fourth aspect or fourth aspect, in the implementation that the second of fourth aspect is possible, described equipment association key is by described location server according to random value, and the device identifier of root key and described subscriber equipment derives from;
Accordingly, described generation module specifically for:
Temporary key is derived according to described equipment association key and count value; Wherein, described count value has described object router to obtain;
According to described temporary key, the identifier in territory residing for described location server and the identifier of described object router derive session key;
Or,
According to described equipment association key, count value, the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Session key is derived according to described temporary key;
Or,
According to described equipment association key, the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Session key is derived according to described temporary key and count value;
Or,
Temporary key is derived according to described equipment association key;
According to described temporary key, count value, the identifier in territory residing for described location server and the identifier of described object router derive session key.
In conjunction with the first possible implementation of fourth aspect or fourth aspect, in the third possible implementation of fourth aspect, described equipment association key by described location server according to random value, root key, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive from
Accordingly, described generation module specifically for:
Temporary key is derived according to described equipment association key and count value;
Session key is derived according to described temporary key;
Or,
Temporary key is derived according to described equipment association key;
Session key is derived according to described temporary key and count value.
In conjunction with fourth aspect to any one implementation in the third possible implementation of fourth aspect, in the 4th kind of possible implementation of fourth aspect,
Described receiver module also for: receive described location server send authentication request message; Wherein, described authentication request message comprises the identifier in territory residing for described random value and described location server;
Described sending module also for: when described receiver module receives authentication request message, authentication request message is sent to described subscriber equipment, wherein, described authentication request message comprises the identifier in territory residing for described random value, described location server and the identifier of described object router, to make described subscriber equipment return authentication response message and to generate equipment association key and session key.
5th aspect, the embodiment of the present invention provides a kind of location server, comprising:
Receiver module, for receiving the access request message that object router sends, wherein, described access request message comprises the user identifier of subscriber equipment, the device identifier of subscriber equipment and the identifier of described object router;
Sending module, for when described receiver module receives access request message, send authentication request message to described object router, wherein, described authentication request message comprises the identifier in territory residing for random value and described location server; Described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key;
Described receiver module, also for receiving the authentication response message that described object router sends;
Generation module, for when described receiver module receives authentication response message, according to root key, one or more in described random value and following parameter derive described equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router; Described root key is obtained according to described user identifier by location server;
Described sending module, also for when described generation module generates equipment association key, send access response message to described object router, wherein, described access response message comprises described equipment association key.
In conjunction with the 5th aspect, in the first the possible implementation in the 5th,
Described generation module specifically for:
According to root key, the device identifier of described random value and described subscriber equipment derives described equipment association key;
Or,
According to root key, described random value, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive described equipment association key.
6th aspect, the embodiment of the present invention provides a kind of subscriber equipment, comprising:
Receiver module: for receiving the authentication request message that object router sends, wherein, described authentication request message comprises described random value, the identifier in territory residing for described location server and the identifier of described object router;
Generation module: for when described receiver module receives authentication request message, according to root key, one or more in described random value and following parameter derive equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router, derive session key according to described equipment association key.
In conjunction with the 6th aspect, in the first the possible implementation in the 6th,
Described generation module specifically for:
According to root key, the device identifier of described random value and described subscriber equipment derives equipment association key;
Temporary key is derived according to described equipment association key and count value;
According to described temporary key, the identifier in territory residing for described location server and the identifier of described object router derive session key;
Or,
According to root key, described random value, and the device identifier of described subscriber equipment derives equipment association key;
According to described equipment association key, count value, the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Session key is derived according to described temporary key;
Or,
According to root key, the device identifier of described random value and described subscriber equipment derives equipment association key;
According to described equipment association key, the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Session key is derived according to described temporary key and count value;
Or,
According to root key, the device identifier of described random value and described subscriber equipment derives equipment association key;
Temporary key is derived according to described equipment association key;
According to described temporary key, count value, the identifier in territory residing for described location server and the identifier of described object router derive session key;
Or,
According to root key, described random value, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive equipment association key;
Temporary key is derived according to described equipment association key and count value;
Session key is derived according to described temporary key;
Or,
According to root key, described random value, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive equipment association key;
Temporary key is derived according to described equipment association key;
Session key is derived according to described temporary key and count value.
7th aspect, the embodiment of the present invention provides a kind of key generation system, comprise: source router, object router as described in fourth aspect to any one in the 4th kind of possible implementation of fourth aspect, the location server as described in any one in the first possible implementation of the 5th aspect to the 5th aspect and the subscriber equipment as described in any one in the first possible implementation of the 6th aspect to the 6th aspect.
As from the foregoing, the embodiment of the present invention provides a kind of method, equipment and system of secret generating, and object router receives the handover request message that source router sends, wherein, described handoff request message contains the user identifier of subscriber equipment, the device identifier of described subscriber equipment; Described object router sends access request message to location server, and wherein, described access request message comprises the user identifier of described subscriber equipment, the device identifier of described subscriber equipment and the identifier of described object router; Described object router receives the access response message that described location server sends, wherein, described access response message comprises equipment association key, described equipment association key by described location server according to random value, one or more in root key and following parameter derive from: the device identifier of described subscriber equipment, the identifier in territory residing for described location server, the identifier of described object router; Described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key; Described root key is obtained according to described user identifier by location server; Described object router derives session key according to the equipment association key in described access response message.So, derive session key step by step, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between subscriber equipment and router, the defect of integrality.
Accompanying drawing explanation
In order to be illustrated more clearly in the embodiment of the present invention or technical scheme of the prior art, be briefly described to the accompanying drawing used required in embodiment or description of the prior art below, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, under the prerequisite not paying creative work, other accompanying drawing can also be obtained with these accompanying drawings.
Fig. 1 is the schematic diagram of the network architecture of UIP;
Fig. 2 is the ID model schematic of UIP network;
Fig. 3 is the schematic diagram of the mobile management at UIP networking;
The structural representation of the UIP netkey grade that Fig. 4 provides for the embodiment of the present invention;
The flow chart of the method for a kind of secret generating that Fig. 5 provides for the embodiment of the present invention;
The flow chart of the method for a kind of secret generating that Fig. 6 provides for the embodiment of the present invention;
The flow chart of the method for a kind of secret generating that Fig. 7 provides for the embodiment of the present invention;
The flow chart of the method for the another kind of secret generating that Fig. 8 provides for the embodiment of the present invention;
The flow chart of the method for the another kind of secret generating that Fig. 9 provides for the embodiment of the present invention;
The flow chart of the method for the another kind of secret generating that Figure 10 provides for the embodiment of the present invention;
The flow chart of the method for the another kind of secret generating that Figure 11 provides for the embodiment of the present invention;
The flow chart of the method for the another kind of secret generating that Figure 12 provides for the embodiment of the present invention;
The flow chart of the method for the another kind of secret generating that Figure 13 provides for the embodiment of the present invention;
The flow chart of the method for the another kind of secret generating that Figure 14 provides for the embodiment of the present invention;
The flow chart of the method for the another kind of secret generating that Figure 15 provides for the embodiment of the present invention;
The flow chart of the method for the another kind of secret generating that Figure 16 provides for the embodiment of the present invention;
The flow chart of the method for the another kind of secret generating that Figure 17 provides for the embodiment of the present invention;
The flow chart of the method for the another kind of secret generating that Figure 18 provides for the embodiment of the present invention;
The flow chart of the method for the another kind of secret generating that Figure 19 provides for the embodiment of the present invention;
The structure chart of a kind of object router that Figure 20 provides for the embodiment of the present invention;
The structure chart of a kind of location server that Figure 21 provides for the embodiment of the present invention;
The structure chart of a kind of subscriber equipment that Figure 22 provides for the embodiment of the present invention;
The structure chart of the another kind of object router that Figure 23 provides for the embodiment of the present invention;
The structure chart of the another kind of location server that Figure 24 provides for the embodiment of the present invention;
The structure chart of the another kind of subscriber equipment that Figure 25 provides for the embodiment of the present invention;
The structure chart of a kind of key generation system that Figure 26 provides for the embodiment of the present invention.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, be clearly and completely described the technical scheme in the embodiment of the present invention, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiments.Based on the embodiment in the present invention, those of ordinary skill in the art, not making the every other embodiment obtained under creative work prerequisite, belong to the scope of protection of the invention.
The method of the secret generating that the embodiment of the present invention provides is applicable to user identity protocol network (User Identity Protocol is called for short UIP network), can also be applicable to any one and realize in the networking of Security Data Transmission; The embodiment of the present invention does not limit this, and the embodiment of the present invention is only described for UIP network.
Embodiment one
The flow chart of the method for a kind of secret generating that Fig. 5 provides for the embodiment of the present invention, as shown in Figure 5, can comprise the following steps:
501: object router receives the handover request message that source router sends, wherein, described handoff request message contains the user identifier of subscriber equipment, the device identifier of described subscriber equipment.
Wherein, source router and object router are relative concepts, according to subscriber equipment (UserEquipment, UE) switch instances is determined, source router is the router carrying out data communication before described UE switches with described UE, and object router is the router carrying out data communication after described UE switches with described UE; Wherein, UE is switched to move to the overlay area of another router from the overlay area of a router described in; In the embodiment of the present invention, source router and object router can in same UIP territories or in different UIP territories, and when source router and object router are in same UIP territory, UE is in the state of movement in territory; When source router and object router are in different UIP territories, UE is in the state of movement between territory; Such as, Fig. 2 is the schematic diagram of subscriber equipment mobile management in UIP network, as shown in Figure 2, the situation of movement connecting the UE of UIP network can have following two kinds: mobile in (1) territory, as UE to move to the overlay area of router one from the overlay area of router two, wherein, router two is source router, router for the purpose of router one; (2) move between territory, as UE to move to the overlay area of router three from the overlay area of router two, wherein, router two is source router, router for the purpose of router three.
In one embodiment of the invention, when UE moves to the overlay area of object router from the overlay area of source router, object router receives the handover request message that source router sends, wherein, described handoff request message contains the user identifier of described subscriber equipment, the device identifier of described subscriber equipment, or, described handover request comprises the user identifier of described subscriber equipment, the device identifier of described subscriber equipment and finger URL.
Wherein, the user identifier (User ID) of described subscriber equipment, the device identifier (Device ID) of described subscriber equipment and finger URL (Locator) they are three identifiers (identification, ID) that UIP procotol divides; User ID is distributed by operator, forever constant; Device ID is distributed by equipment manufacturers or operator, and as international mobile device identification code (International Mobile Station Equipment Identity, IMEI), a User ID can associate multiple Device ID; Loctaor is generally IP address, and distributed by operator or subscriber equipment appointment, a Device ID can associate multiple Locator; The user identifier of described subscriber equipment, the device identifier of described subscriber equipment and finger URL can carry out being kept in source router in the initialization procedure of data communication at UE and source router; Such as, Fig. 3 is the schematic diagram of the ID model of UIP network, as shown in Figure 3, for the scene of user's multiple devices, the ID of UIP network can be divided into a user identifier (User ID), multiple device identifier (Device ID) and multiple finger URL (Locator).
502: described object router sends access request message to location server, and wherein, described access request message comprises the user identifier of described subscriber equipment, the device identifier of described subscriber equipment and the identifier of described object router.
Wherein, the identifier of described object router is kept in described object router, for identifying described object router.
Described location server is home location server and/or the vision location server of described subscriber equipment; The home location server of described subscriber equipment is the location server in home domain, and described vision location server is the location server in visit territory; Wherein, the UIP territory of described home domain belonging to the user that arranges when user and operator contract, in the communication process of subscriber equipment, home domain is uniquely constant; Described visit territory is the territory residing when being in roaming state of UE; Described roaming state refers to that the current residing UIP territory of UE is not home domain; Such as, as shown in Figure 2, suppose that the home domain of UE is UIP territory-1, then location server SLS-1 is home location server, when UE moves to the overlay area of the router three in UIP territory-2, when namely leaving home domain, UE is in roaming state, UIP territory-2 is visit territory, and location server SLS-2 is vision location server.
In one embodiment of the invention, object router can according to the situation in the current residing territory of described UE, sends access request message to the home location server of described subscriber equipment and/or vision location server;
Wherein, the mobility of UE and the situation in UIP territory in UIP network according to Fig. 2, the situation of movement of UE can be any one situation in following five kinds of situation of movement: mobile in the territory of home domain, move between the territory in visit territory, visit territory to home domain territory between move, home domain to visit territory territory between move, visit territory to visit territory territory between move, therefore, the current residing territory of described UE can be home domain or visit territory.
Exemplary, when the current residing territory of described UE is home domain,
Described object router sends access request information to home location server.
Exemplary, when the current residing territory of described UE is visit territory,
Described object router sends access request information to vision location server, sends described access request information to make described vision location server to described home location server.
503: described object router receives the access response message that described location server sends, wherein, described access response message comprises equipment association key, described equipment association key by described location server according to random value, one or more in root key and following parameter derive from: the device identifier of described subscriber equipment, the identifier in territory residing for described location server, the identifier of described object router; Described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key.
Wherein, described root key is the shared key of the home location server of UE described in UE and UIP network and described UE, be kept in described UE and described home location server, and described root key is corresponding with the user identifier (User ID) of described UE, each UE has unique root key, is obtained, for deriving equipment association key according to described user identifier inquiry by location server, described root key K can be preset by operator, and the embodiment of the present invention does not limit this.
The identifier in identifier territory residing for home location server in territory residing for described location server, is kept in the home location server of described UE, for identifying the home domain of described UE; In one embodiment of the invention, the identifier in territory residing for described location server can send to described object router by the home location server of described subscriber equipment, can also be obtained by the configuration mode of described object router by other, the embodiment of the present invention does not limit this.
In one embodiment of the invention, described equipment association key (Kdev) can by the attribution server of described UE according to random value (nonce), one or more in root key and following parameter derive from: the device identifier (Device ID) of described subscriber equipment, the identifier (Domain ID) in territory residing for described location server, the identifier (DRID) of described object router, realize under the scene of the many equipment of user, different equipment has different equipment association key Kdev.
Exemplary, described equipment association key Kdev can by described home location server according to random value, the device identifier (Domain ID) of root key and described subscriber equipment, adopt cipher key derivation function (Key derivation function, KDF) derive from, such as, Kdev=KDF (K, Device ID, nonce);
Or, by described home location server according to described random value nonce, root key K, the device identifier (Device ID) of described subscriber equipment, the identifier (Domain ID) in territory residing for location server and the identifier (DR ID) of object router, adopt cipher key derivation function (Key derivation function, KDF) to derive from, such as, Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID).
In one embodiment of the invention, described object router according to the situation according to the current residing territory of described UE, can receive the home location server of described subscriber equipment and/or the access response message of vision location server transmission.
Exemplary, when the current residing territory of described UE is home domain,
Described object router receives the access response message that described home location server sends.
Exemplary, when the current residing territory of described UE is visit territory,
Described object router receives the access response message that described vision location server sends; Wherein, described access response message is that described home location server sends to described vision location server.
504: described object router derives session key according to the equipment association key in described access response message.
In one embodiment of the invention, described object router derives temporary key according to the equipment association key in described access response message; Session key is derived according to described temporary key.Such as, the structural representation of the UIP netkey grade that Fig. 4 provides for the embodiment of the present invention, as shown in Figure 4, the key packet of UIP network is containing root key K, equipment association key Kdev, temporary key Kdev ' and session key Ksession; Described equipment association key Kdev is derived from by root key K; described temporary key Kdev ' is derived from by described equipment association key Kdev; described session key Ksession is derived from by described temporary key Kdev '; derive session key step by step, for the purpose of transfer of data between router and subscriber equipment confidentiality, integrity protection are provided.
Exemplary, described equipment association key is by described location server according to random value, and the device identifier of root key and described subscriber equipment derives from; Such as, described equipment association key Kdev=KDF (K, Device ID, nonce);
Accordingly, described object router can derive session key by the method described in following (1)-(4), is described respectively below to these four kinds of methods:
(1) described object router derives temporary key according to described equipment association key and count value, such as, and Kdev '=KDF (Kdev, counter); Wherein, described count value has described object router to obtain, and count value counter is that the counter that in UIP grid, router and subscriber equipment are safeguarded produces;
According to described temporary key, the identifier in territory residing for described location server and the identifier of described object router derive session key, such as, Ksession=KDF (Kdev ', Domain ID, DR ID).
(2) described object router is according to described equipment association key, count value, and the identifier in territory residing for described location server and the identifier of described object router derive temporary key, such as, Kdev '=KDF (Kdev, counter, Domain ID, DR ID);
Session key is derived according to described temporary key, such as, Ksession=KDF (Kdev ').
(3) described object router is according to described equipment association key, and the identifier in territory residing for described location server and the identifier of described object router derive temporary key, such as, and Kdev '=KDF (Kdev, Domain ID, DR ID);
Session key is derived according to described temporary key and count value, such as, Ksession=KDF (Kdev ', counter);
(4) described object router derives temporary key according to described equipment association key, such as, and Kdev '=KDF (Kdev);
According to described temporary key, count value, the identifier in territory residing for described location server and the identifier of described object router derive session key, such as, Ksession=KDF (Kdev ', counter, Domain ID, DR ID).
Exemplary, described equipment association key by described location server according to random value, root key, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive from; Such as, described equipment association key Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID),
Accordingly, described object router can derive session key by two kinds, following (1)-(2) method, is described respectively below to these two kinds of methods:
(1) described object router derives temporary key according to described equipment association key and count value, such as, and Kdev '=KDF (Kdev, counter);
Session key is derived according to described temporary key, such as, Ksession=KDF (Kdev ');
(2) described object router derives temporary key according to described equipment association key, such as, and Kdev '=KDF (Kdev);
Session key is derived according to described temporary key and count value, such as, Ksession=KDF (Kdev ', counter).
Further, said method also comprises:
Described object router receives the authentication request message that described location server sends; Wherein, described authentication request message comprises the identifier in territory residing for described random value and described location server;
Described object router sends authentication request message to described subscriber equipment, wherein, described authentication request message comprises the identifier in territory residing for described random value, described location server and the identifier of described object router, to make described subscriber equipment return authentication response message and to generate equipment association key and session key.
As from the foregoing, the embodiment of the present invention provides a kind of method of secret generating, and object router receives the handover request message that source router sends, and wherein, described handoff request message contains the user identifier of subscriber equipment, the device identifier of described subscriber equipment; Described object router sends access request message to location server, and wherein, described access request message comprises the user identifier of described subscriber equipment, the device identifier of described subscriber equipment and the identifier of described object router; Described object router receives the access response message that described location server sends, wherein, described access response message comprises equipment association key, described equipment association key by described location server according to random value, one or more in root key and following parameter derive from: the device identifier of described subscriber equipment, the identifier in territory residing for described location server, the identifier of described object router; Described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key; Described root key is obtained according to described user identifier by location server; Described object router derives session key according to the equipment association key in described access response message.So, derive session key step by step, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between subscriber equipment and router, the defect of integrality.
Embodiment two
The method flow diagram of a kind of secret generating that Fig. 6 provides for the embodiment of the present invention, as shown in Figure 6, can comprise the following steps:
601: location server receives the access request message that object router sends, and wherein, described access request message comprises the user identifier of subscriber equipment, the device identifier of subscriber equipment and the identifier of described object router.
Wherein, described location server comprises home location server and/or vision location server;
In one embodiment of the invention, when the current residing territory of described UE is home domain, described location server is the home location server of subscriber equipment;
Home location server receives the access request message that object router sends.
When the current residing territory of UE is visit territory, described location server is homing position device and the vision location server of subscriber equipment;
Vision location server receives the access request message that object router sends, and sends described access request message to make described vision location server to home location server.
602: described location server sends authentication request message to described object router, and wherein, described authentication request message comprises the identifier in territory residing for random value and described location server; Described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key;
In one embodiment of the invention, when the current residing territory of described UE is home domain, described location server is the home location server of subscriber equipment;
Home location server sends authentication request message to described object router.
When the current residing territory of described UE is visit territory, described location server is homing position device and the vision location server of subscriber equipment;
Vision location server sends described authentication request to object router; Wherein, described authentication request message is sent to vision location server by home location server.
603: described location server receives the authentication response message that described object router sends, according to root key, one or more in described random value and following parameter derive described equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router.
In one embodiment of the invention, when the current residing territory of described UE is home domain, described location server is the home location server of subscriber equipment;
Described home location server receives the authentication response message that described object router sends, and derives from equipment association key according to two kinds, following (1)-(2) mode.
When the current residing territory of described UE is visit territory, described location server is homing position device and the vision location server of subscriber equipment;
Described vision location server receives the authentication response message that described object router sends;
Described vision location server sends described authentication response message to described home location server;
Described home location server receives the authentication response message that described vision location server sends, and derives from equipment association key according to two kinds, following (1)-(2) mode.
Below these two kinds of modes are described respectively:
(1) home location server is according to root key, and the device identifier of described random value and described subscriber equipment derives described equipment association key, such as, and equipment association key Kdev=KDF (K, Device ID, nonce);
(2) home location server is according to root key, described random value, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive described equipment association key, such as, and equipment association key Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID).
604: described location server sends access response message to described object router, wherein, comprises described equipment association key in described access response message.
In one embodiment of the invention, when the current residing territory of described UE is home domain, described location server is the home location server of subscriber equipment;
Described home location server sends access response message to described object router.
When the current residing territory of described UE is visit territory, described location server is homing position device and the vision location server of subscriber equipment;
Described home location server sends access response message to described vision location server;
Described vision location server receives the access response message that described home location server sends, and sends described access response message to described object router.
As from the foregoing, the embodiment of the present invention provides a kind of method of key agreement, and location server receives the access request message that object router sends, and wherein, described access request message comprises the user identifier of subscriber equipment and the device identifier of subscriber equipment; Described location server sends authentication request message to described object router, wherein, described authentication request message comprises the identifier in territory residing for random value and described location server, described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key; Described location server receives the authentication response message that described object router sends, according to root key, one or more in described random value and following parameter derive described equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router.So, location server derives from forming apparatus association key, to make object router according to described equipment association key session key generation, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between terminal use and router, the defect of integrality.
Embodiment three
The method flow diagram of a kind of secret generating that Fig. 7 provides for the embodiment of the present invention, as shown in Figure 7, can comprise the following steps:
701: subscriber equipment receives the authentication request message that object router sends, and wherein, described authentication request message comprises described random value, the identifier in territory residing for described location server and the identifier of described object router.
702: described subscriber equipment is according to root key, one or more in described random value and following parameter derive equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router, derive session key according to described equipment association key.
In one embodiment of the invention, subscriber equipment can derive session key according to six kinds, following (1)-(6) mode; Below these six kinds of modes are described respectively:
(1) subscriber equipment is according to random value, and the device identifier of root key and described subscriber equipment derives equipment association key, such as, and Kdev=KDF (K, DeviceID, nonce);
Described subscriber equipment derives temporary key according to described equipment association key and count value, such as, and Kdev '=KDF (Kdev, counter);
Described subscriber equipment is according to described temporary key, and the identifier in territory residing for described location server and the identifier of described object router derive session key, such as, Ksession=KDF (Kdev ', Domain ID, DR ID);
(2) subscriber equipment is according to random value, root key, and the device identifier of described subscriber equipment derives equipment association key, such as, and Kdev=KDF (K, DeviceID, nonce);
According to described equipment association key, count value, the identifier in territory residing for described location server and the identifier of described object router derive temporary key, such as, Kdev '=KDF (Kdev, counter, DomainID, DR ID);
Session key is derived according to described temporary key, such as, Ksession=KDF (Kdev ');
(3) subscriber equipment is according to random value, root key, and the device identifier of described subscriber equipment derives equipment association key, such as, and Kdev=KDF (K, DeviceID, nonce);
According to described equipment association key, the identifier in territory residing for described location server and the identifier of described object router derive temporary key, such as, and Kdev '=KDF (Kdev, Domain ID, DR ID);
Session key is derived according to described temporary key and count value, such as, Ksession=KDF (Kdev ', counter);
(4) subscriber equipment is according to random value, root key, and the device identifier of described subscriber equipment derives equipment association key, such as, and Kdev=KDF (K, DeviceID, nonce);
Temporary key is derived according to described equipment association key, such as, Kdev '=KDF (Kdev);
According to described temporary key, count value, the identifier in territory residing for described location server and the identifier of described object router derive session key, such as, Ksession=KDF (Kdev ', counter, Domain ID, DR ID);
(5) subscriber equipment is according to random value, root key, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive equipment association key, such as, and Kdev=KDF (K, Device ID, nonce, DomainID, DR ID);
Temporary key is derived according to described equipment association key and count value, such as, Kdev '=KDF (Kdev, counter);
Session key is derived according to described temporary key, such as, Ksession=KDF (Kdev ');
(6) subscriber equipment is according to random value, root key, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive equipment association key, such as, and Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID);
Temporary key is derived according to described equipment association key, such as, Kdev '=KDF (Kdev);
Session key is derived according to described temporary key and count value, such as, Ksession=KDF (Kdev ', counter).
As from the foregoing, the embodiment of the present invention provides a kind of method of secret generating, and subscriber equipment receives the authentication request message that object router sends, wherein, described authentication request message comprises described random value, the identifier in territory residing for described location server and the identifier of described object router; Described subscriber equipment is according to root key, one or more in described random value and following parameter derive equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router, derive temporary key according to described equipment association key, derive session key according to described temporary key.So, derive session key step by step, for the transfer of data in UIP networking between subscriber equipment and router provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between terminal use and router, the defect of integrality.
Be specifically described a kind of key generation method that the embodiment of the present invention provides below, wherein, in following embodiment, router DR represents, location server SLS represents, subscriber equipment UE represents.
Embodiment four
A kind of key generation method flow chart that Fig. 8 provides for the embodiment of the present invention, described method is applied under UE is in the scene of home domain, and the SLS shown in Fig. 8 is ownership SLS, as shown in Figure 8, can comprise the following steps:
801: source DR to object DR sends handover request message; Wherein, described handover request packets of information is containing User ID, Device ID;
802: object DR to SLS sends access request message; Wherein, described access request message comprises User ID, Device ID, DR ID;
803:SLS generates a random value nonce; Wherein, described random value nonce is used for certification UE and the equipment of generation association key Kdev;
804:SLS sends authentication request message to object DR; Wherein, described authentication request message comprises nonce, Domain ID; Described Domain ID is kept in SLS;
805: object DR sends authentication request message to UE; Wherein, authentication request message comprises nonce, Domain ID, DR ID, and to make UE according to nonce, Domain ID, DR ID, root key K and count value counter derives equipment association key Kdev, temporary key Kdev ', session key Ksession;
806:UE sends authentication response message to object DR, to make object DR, authentication response message is fed back to SLS;
807: object DR sends authentication response message to SLS; Wherein, described authentication response message is for notifying that SLS completes verification process;
808:SLS obtains the shared root key K of SLS and UE according to the User ID inquiry of UE;
809:SLS generates equipment association key Kdev=KDF(K, Device ID, nonce);
810:SLS sends access response message to object DR; Wherein, described access response message comprises described equipment association key Kdev;
811: object DR generates temporary key Kdev '=KDF(Kdev, counter) and session key Ksession=KDF(Kdev ', Domain ID, DR ID);
812:UE generates equipment association key Kdev=KDF(K, Device ID, nonce), temporary key Kdev '=KDF(Kdev, counter) and session key Ksession=KDF(Kdev ', Domain ID, DR ID);
Further, during owing to moving to the coverage of object DR as UE, the mapping relations of User ID and the Locator of described UE in object DR, are not had, UE and object DR does not also set up and contacts, therefore, set up to make described UE and object DR and contact, described method is further comprising the steps of:
813: object DR to SLS sends update request message; Wherein, described update request message comprises the DR ID of object DR;
814:SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations;
815:SLS sends to object DR and upgrades response message; Wherein, described renewal response message is for notifying that object DR information updating completes;
The mapping relations of User ID and the Locator of 816: object DR preservation UE;
817: object DR to source DR sends switching response message; Wherein, described switching response message completes for notification source DR switching.
Wherein, it should be noted that, step 812 is the process of UE generation key, and for the purpose of step 809-811, DR generates the process of key, and step 812 and step 809-811 be order in no particular order.
As from the foregoing, the embodiment of the present invention provides a kind of method, equipment and system of secret generating, and object DR receives the handover request message that source DR sends, and wherein, described handoff request message contains the user identifier of UE, the device identifier of described UE; Described object DR sends access request message to SLS, wherein, the user identifier of described UE and the device identifier of described UE is comprised in described access request, described SLS is the ownership SLS of described UE, and wherein, described access response message comprises equipment association key, described in described equipment association key, SLS is according to random value, one or more in root key and following parameter derive from: the device identifier of described UE, the domain identifier in territory residing for object DR, the identifier of object DR; Described object DR derives temporary key according to the equipment association key in described access response message, derives session key according to described temporary key.So, derive session key step by step, for the transfer of data in UIP network between UE and DR provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between subscriber equipment and router, the defect of integrality.
Embodiment five
A kind of key generation method flow chart that Fig. 9 provides for the embodiment of the present invention, described method is applied under UE is in the scene of home domain, and now, the SLS shown in Fig. 9 is ownership SLS, as shown in Figure 9, can comprise the following steps:
901: source DR to object DR sends handover request message; Wherein, described handover request packets of information is containing User ID, Device ID;
902: object DR to SLS sends access request message; Wherein, described access request message comprises User ID, Device ID, DR ID;
903:SLS generates a random value nonce; Wherein, described random value nonce is used for certification UE and the equipment of generation association key Kdev;
904:SLS sends authentication request message to object DR; Wherein, described authentication request message comprises nonce, Domain ID, and described Domain ID is kept in SLS;
905: object DR sends authentication request message to UE; Wherein, authentication request message comprises nonce, Domain ID, DR ID, and to make UE according to nonce, Domain ID, DR ID, root key K and count value counter derives equipment association key Kdev, temporary key Kdev ', session key Ksession;
906:UE sends authentication response message to object DR; To make object DR, authentication response message is fed back to SLS;
907: object DR sends authentication response message to SLS; Wherein, described authentication response message is for notifying that SLS completes verification process;
908:SLS obtains the shared root key K of SLS and UE according to the User ID inquiry of UE;
909:SLS generates equipment association key Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID);
910:SLS sends access response message to object DR; Wherein, described access response message comprises described equipment association key Kdev;
911: object DR generates temporary key Kdev '=KDF(Kdev, counter) and session key Ksession=KDF (Kdev ');
912:UE generates equipment association key Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID), temporary key Kdev '=KDF(Kdev, counter) and session key Ksession=KDF (Kdev ');
Further, during owing to moving to the overlay area of object DR as UE, the mapping relations of User ID and the Locator of described UE in object DR, are not had, UE and object DR does not also set up and contacts, therefore, set up to make described UE and object DR and contact, described method is further comprising the steps of:
913: object DR to SLS sends update request message; Wherein, described update request message comprises the DR ID of object DR;
914:SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations;
915:SLS sends to object DR and upgrades response message; Wherein, described renewal response message is for notifying that object DR information updating completes;
The mapping relations of 916: object DR preservation User ID and Locator;
917: object DR to source DR sends switching response message; Wherein, described switching response message completes for notification source DR switching.
Wherein, it should be noted that, step 912 is the process of UE generation key, and for the purpose of step 909-911, DR generates the process of key, and step 912 and step 909-911 be order in no particular order.
As from the foregoing, the embodiment of the present invention provides a kind of method, equipment and system of secret generating, and object DR receives the handover request message that source DR sends, and wherein, described handoff request message contains the user identifier of UE, the device identifier of described UE; Described object DR sends access request message to SLS, wherein, the user identifier of described UE and the device identifier of described UE is comprised in described access request, described SLS is the ownership SLS of described UE, and wherein, described access response message comprises equipment association key, described in described equipment association key, SLS is according to random value, one or more in root key and following parameter derive from: the device identifier of described UE, the domain identifier in territory residing for object DR, the identifier of object DR; Described object DR derives temporary key according to the equipment association key in described access response message, derives session key according to described temporary key.So, derive session key step by step, for the transfer of data in UIP network between UE and DR provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between subscriber equipment and router, the defect of integrality.
Embodiment six
The another kind of key generation method flow chart that Figure 10 provides for the embodiment of the present invention, described method is applied under UE is in the scene of home domain, and now, the SLS shown in Figure 10 is ownership SLS, as shown in Figure 10, can comprise the following steps:
1001: source DR to object DR sends handover request message; Wherein, described handover request packets of information is containing User ID, Device ID;
1002: object DR to SLS sends access request message; Wherein, described access request message comprises User ID, Device ID, DR ID;
1003:SLS generates a random value nonce; Wherein, described random value nonce is used for certification UE and the equipment of generation association key Kdev;
1004:SLS sends authentication request message to object DR; Wherein, described authentication request message comprises nonce, Domain ID; Described Domain ID is kept in SLS;
1005: object DR sends authentication request message to UE; Wherein, authentication request message comprises nonce, Domain ID, DR ID, and to make UE according to nonce, Domain ID, DR ID, root key K and count value counter derives equipment association key Kdev, temporary key Kdev ', session key Ksession;
1006:UE sends authentication response message to object DR; To make object DR, authentication response message is fed back to SLS;
1007: object DR sends authentication response message to SLS; Wherein, described authentication response message is for notifying that SLS completes verification process;
1008:SLS obtains the shared root key K of SLS and UE according to the User ID inquiry of UE;
1009:SLS generates equipment association key Kdev=KDF(K, Device ID, nonce);
1010:SLS sends access response message to object DR; Wherein, described access response message comprises described equipment association key Kdev;
1011: object DR generates temporary key Kdev '=KDF(Kdev, counter, DomainID, DR ID) and session key Ksession=KDF(Kdev ');
1012:UE generates equipment association key Kdev=KDF(K, Device ID, nonce), temporary key Kdev '=KDF(Kdev, counter, Domain ID, DR ID) and session key Ksession=KDF(Kdev ');
Further, during owing to moving to the moving range of object DR as UE, the mapping relations of User ID and the Locator of described UE in object DR, are not had, UE and object DR does not also set up and contacts, therefore, set up to make described UE and object DR and contact, described method also comprises:
1013: object DR to SLS sends update request message; Wherein, described update request message comprises the DR ID of object DR;
1014:SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations;
1015:SLS sends to object DR and upgrades response message; Wherein, described renewal response message is for notifying that object DR information updating completes;
The mapping relations of 1016: object DR preservation User ID and Locator;
1017: object DR to source DR sends switching response message; Wherein, described switching response message completes for notification source DR switching.
Wherein, it should be noted that, step 1012 is the process of UE generation key, and for the purpose of step 1009-1011, DR generates the process of key, and step 1012 and step 1009-1011 be order in no particular order.
As from the foregoing, the embodiment of the present invention provides a kind of method of secret generating, and object DR receives the handover request message that source DR sends, and wherein, described handoff request message contains the user identifier of UE, the device identifier of described UE; Described object DR sends access request message to SLS, wherein, the user identifier of described UE and the device identifier of described UE is comprised in described access request, wherein, described access response message comprises equipment association key, and described in described equipment association key, SLS is according to random value, and one or more in root key and following parameter derive from: the device identifier of described UE, the domain identifier in territory residing for object DR, the identifier of object DR; Described object DR derives temporary key according to the equipment association key in described access response message, derives session key according to described temporary key.So, derive session key step by step, for the transfer of data in UIP network between UE and DR provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between terminal use and DR, the defect of integrality.
Embodiment seven
The another kind of key generation method flow chart that Figure 11 provides for the embodiment of the present invention, described method is applied under UE is in the scene of home domain, and now, the SLS shown in Figure 11 is ownership SLS, as shown in figure 11, can comprise the following steps:
1101: source DR to object DR sends handover request message; Wherein, described handover request packets of information is containing User ID, Device ID;
1102: object DR to SLS sends access request message; Wherein, described access request message comprises User ID, Device ID, DR ID;
1103:SLS generates a random value nonce; Wherein, described random value nonce is used for certification UE and the equipment of generation association key Kdev;
1104:SLS sends authentication request message to object DR; Wherein, described authentication request message comprises nonce, Domain ID; Described Domain ID is kept in SLS;
1105: object DR sends authentication request message to UE; Wherein, authentication request message comprises nonce, Domain ID, DR ID, and to make UE according to nonce, Domain ID, DR ID, root key K and count value counter derives equipment association key Kdev, temporary key Kdev ', session key Ksession;
1106:UE sends authentication response message to object DR; To make object DR, authentication response message is fed back to SLS;
1107: object DR sends authentication response message to SLS; Wherein, described authentication response message is for notifying that SLS completes verification process;
1108:SLS obtains the shared root key K of SLS and UE according to the User ID inquiry of UE;
1109:SLS generates equipment association key Kdev=KDF(K, Device ID, nonce, Domain ID, DR ID);
1110:SLS sends access response message to object DR; Wherein, described access response message comprises described equipment association key Kdev;
1111: object DR generates temporary key Kdev '=KDF(Kdev) and session key Ksession=KDF(Kdev ', counter);
1112:UE generates equipment association key Kdev=KDF(K, Device ID, nonce, Domain ID, DR ID), temporary key Kdev '=KDF(Kdev) and session key Ksession=KDF(Kdev ', counter);
Further, during owing to moving to the overlay area of object DR as UE, the mapping relations of User ID and the Locator of described UE in object DR, are not had, UE and object DR does not also set up and contacts, therefore, set up to make described UE and object DR and contact, described method is further comprising the steps of:
1113: object DR to SLS sends update request message; Wherein, described update request message comprises the DR ID of object DR;
1114:SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations;
1115:SLS sends to object DR and upgrades response message; Wherein, described renewal response message is for notifying that object DR information updating completes;
The mapping relations of 1116: object DR preservation User ID and Locator;
1117: object DR to source DR sends switching response message; Wherein, described switching response message completes for notification source DR switching.
Wherein, it should be noted that, step 1112 is the process of UE generation key, and for the purpose of step 1109-1111, DR generates the process of key, and step 1112 and step 1109-1111 be order in no particular order.
As from the foregoing, the embodiment of the present invention provides a kind of method, equipment and system of secret generating, and object DR receives the handover request message that source DR sends, and wherein, described handoff request message contains the user identifier of UE, the device identifier of described UE; Described object DR sends access request message to SLS, wherein, the user identifier of described UE and the device identifier of described UE is comprised in described access request, described SLS is the ownership SLS of described UE, and wherein, described access response message comprises equipment association key, described in described equipment association key, SLS is according to random value, one or more in root key and following parameter derive from: the device identifier of described UE, the domain identifier in territory residing for object DR, the identifier of object DR; Described object DR derives temporary key according to the equipment association key in described access response message, derives session key according to described temporary key.So, derive session key step by step, for the transfer of data in UIP network between UE and DR provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between terminal use and DR, the defect of integrality.
Embodiment eight
The another kind of key generation method flow chart that Figure 12 provides for the embodiment of the present invention, described method is applied under UE is in the scene of home domain, and now, the SLS shown in Figure 12 is ownership SLS, as shown in figure 12, can comprise the following steps:
1201: source DR to object DR sends handover request message; Wherein, described handover request packets of information is containing User ID, Device ID;
1202: object DR to SLS sends access request message; Wherein, described access request message comprises User ID, Device ID, DR ID;
1203:SLS generates a random value nonce; Wherein, described random value nonce is used for certification UE and the equipment of generation association key Kdev;
1204:SLS sends authentication request message to object DR; Wherein, described authentication request message comprises nonce, Domain ID; Described Domain ID is kept in SLS;
1205: object DR sends authentication request message to UE; Wherein, authentication request message comprises nonce, Domain ID, DR ID, and to make UE according to nonce, Domain ID, DR ID, root key K and count value counter derives equipment association key Kdev, temporary key Kdev ', session key Ksession;
1206:UE sends authentication response message to object DR; To make object DR, authentication response message is fed back to SLS;
1207: object DR sends authentication response message to SLS; Wherein, described authentication response message is for notifying that SLS completes verification process;
1208:SLS obtains the shared root key K of SLS and UE according to the User ID inquiry of UE;
1209:SLS generates equipment association key Kdev=KDF(K, Device ID, nonce);
1210:SLS sends access response message to object DR; Wherein, described access response message comprises described equipment association key Kdev;
1211: object DR generates temporary key Kdev '=KDF(Kdev, Domain ID, DR ID) and session key Ksession=KDF(Kdev ', counter);
1212:UE generates equipment association key Kdev=KDF(K, Device ID, nonce), temporary key Kdev '=KDF(Kdev, Domain ID, DR ID) and session key Ksession=KDF(Kdev ', counter);
Further, during owing to moving to the coverage of object DR as UE, the mapping relations of User ID and the Locator of described UE in object DR, are not had, UE and object DR does not also set up and contacts, therefore, set up to make described UE and object DR and contact, described method is further comprising the steps of:
1213: object DR to SLS sends update request message; Wherein, described update request message comprises the DR ID of object DR;
1214:SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations;
1215:SLS sends to object DR and upgrades response message; Wherein, described renewal response message is for notifying that object DR information updating completes;
The mapping relations of 1216: object DR preservation User ID and Locator;
1217: object DR to source DR sends switching response message; Wherein, described switching response message completes for notification source DR switching.
Wherein, it should be noted that, step 1212 is the process of UE generation key, and for the purpose of step 1209-1211, DR generates the process of key, and step 1212 and step 1209-1211 be order in no particular order.
As from the foregoing, the embodiment of the present invention provides a kind of method, equipment and system of secret generating, and object DR receives the handover request message that source DR sends, and wherein, described handoff request message contains the user identifier of UE, the device identifier of described UE; Described object DR sends access request message to SLS, wherein, the user identifier of described UE and the device identifier of described UE is comprised in described access request, described SLS is the ownership SLS of described UE, and wherein, described access response message comprises equipment association key, described in described equipment association key, SLS is according to random value, one or more in root key and following parameter derive from: the device identifier of described UE, the domain identifier in territory residing for object DR, the identifier of object DR; Described object DR derives temporary key according to the equipment association key in described access response message, derives session key according to described temporary key.So, derive session key step by step, for the transfer of data in UIP network between UE and DR provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between UE and DR, the defect of integrality.
Embodiment nine
The another kind of key generation method flow chart that Figure 13 provides for the embodiment of the present invention, described method is applied under UE is in the scene of home domain, and now, the SLS shown in Figure 13 is ownership SLS, as shown in figure 13, can comprise the following steps:
1301: source DR to object DR sends handover request message; Wherein, described handover request packets of information is containing User ID, Device ID;
1302: object DR to SLS sends access request message; Wherein, described access request message comprises User ID, Device ID, DR ID;
1303:SLS generates a random value nonce; Wherein, described random value nonce is used for certification UE and the equipment of generation association key Kdev;
1304:SLS sends authentication request message to object DR; Wherein, described authentication request message comprises nonce, Domain ID; Described Domain ID is kept in SLS;
1305: object DR sends authentication request message to UE; Wherein, authentication request message comprises nonce, Domain ID, DR ID, and to make UE according to nonce, Domain ID, DR ID, root key K and count value counter derives equipment association key Kdev, temporary key Kdev ', session key Ksession;
1306:UE sends authentication response message to object DR; To make object DR, authentication response message is fed back to SLS;
1307: object DR sends authentication response message to SLS; Wherein, described authentication response message is for notifying that SLS completes verification process;
1308:SLS obtains the shared root key K of SLS and UE according to the User ID inquiry of UE;
1309:SLS generates equipment association key Kdev=KDF(K, Device ID, nonce);
1310:SLS sends access response message to object DR; Wherein, described access response message comprises described equipment association key Kdev;
1311: object DR generates temporary key Kdev '=KDF(Kdev) and session key Ksession=KDF(Kdev ', counter, Domain ID, DR ID);
1312:UE generates equipment association key Kdev=KDF(K, Device ID, nonce), temporary key Kdev '=KDF(Kdev) and session key Ksession=KDF(Kdev ', counter, Domain ID, DR ID);
Further, during owing to moving to the moving range of object DR as UE, the mapping relations of User ID and the Locator of described UE in object DR, are not had, UE and object DR does not also set up and contacts, therefore, set up to make described UE and object DR and contact, described method is further comprising the steps of:
1313: object DR to SLS sends update request message; Wherein, described update request message comprises the DR ID of object DR;
1314:SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations;
1315:SLS sends to object DR and upgrades response message; Wherein, described renewal response message is for notifying that object DR information updating completes;
The mapping relations of 1316: object DR preservation User ID and Locator;
1317: object DR to source DR sends switching response message; Wherein, described switching response message completes for notification source DR switching.
Wherein, it should be noted that, step 1312 is the process of UE generation key, and for the purpose of step 1309-1311, DR generates the process of key, and step 1312 and step 1309-1311 be order in no particular order.
As from the foregoing, the embodiment of the present invention provides the method for another kind of secret generating, as from the foregoing, the embodiment of the present invention provides a kind of method, equipment and system of secret generating, object DR receives the handover request message that source DR sends, wherein, described handoff request message contains the user identifier of UE, the device identifier of described UE; Described object DR sends access request message to SLS, and wherein, comprise the user identifier of described UE and the device identifier of described UE in described access request, described SLS is the ownership SLS of described UE; Described object DR receives the access response message that described SLS sends, wherein, described access response message comprises equipment association key, described in described equipment association key, SLS is according to random value, one or more in root key and following parameter derive from: the device identifier of described UE, the domain identifier in territory residing for object DR, the identifier of object DR; Described object DR derives temporary key according to the equipment association key in described access response message, derives session key according to described temporary key.So, derive session key step by step, for the transfer of data in UIP network between UE and DR provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between UE and DR, the defect of integrality.
Embodiment ten
The method flow diagram of the another kind of secret generating that Figure 14 provides for the embodiment of the present invention, described method is applicable to UE and is in visit territory, under namely UE is in the scene of roaming state, as shown in figure 14, comprises the following steps:
1401: source DR to object DR sends handover request message; Wherein, described handover request packets of information is containing User ID, Device ID;
1402: object DR sends access request message to visit SLS; Wherein, described access request message comprises User ID, Device ID, DR ID; The SLS in described visit SLS territory residing for described object DR;
1403: visit SLS sends access request message to ownership SLS; Wherein, described access request message comprises User ID, Device ID, DR ID;
1404: ownership SLS generates a random value nonce; Wherein, described random value nonce is used for certification UE and the equipment of generation association key Kdev;
1405: ownership SLS sends authentication request message to visit SLS; Wherein, described authentication request message comprises described random value nonce, Domain ID; Described Domain ID is kept in ownership SLS;
1406: visit SLS sends authentication request message to object DR; Described authentication request message comprises nonce, Domain ID;
1407: object DR sends authentication request message to UE; Wherein, authentication request message comprises nonce, Domain ID, DR ID, and to make UE according to nonce, Domain ID, DR ID, root key K and count value counter derives equipment association key Kdev, temporary key Kdev ', session key Ksession;
1408:UE sends authentication response message to object DR; To make object DR, authentication response message is fed back to visit SLS;
1409: object DR sends authentication response message to visit SLS; To make visit SLS, authentication response message is fed back to ownership SLS;
1410: visit SLS sends authentication response message to ownership SLS; Wherein, described authentication response message is for notifying that ownership SLS completes verification process;
1411: ownership SLS obtains belonging to the shared root key K of SLS and UE according to the User ID inquiry of UE;
1412: ownership SLS generates equipment association key Kdev=KDF(K, Device ID, nonce);
1413: ownership SLS sends access response message to visit SLS; Wherein, described access response message comprises described equipment association key Kdev;
1414: visit SLS sends access response message to object DR; Wherein, described access response message comprises described equipment association key Kdev;
1415: object DR generates temporary key Kdev '=KDF(Kdev, counter) and session key Ksession=KDF(Kdev ', Domain ID, DR ID);
1416:UE generates equipment association key Kdev=KDF(K, Device ID, nonce), temporary key Kdev '=KDF(Kdev, counter) and session key Ksession=KDF(Kdev ', Domain ID, DR ID);
Further, during owing to moving to the coverage of object DR as UE, the mapping relations of User ID and the Locator of described UE in object DR, are not had, UE and object DR does not also set up and contacts, therefore, set up to make described UE and object DR and contact, described method is further comprising the steps of:
1417: object DR sends update request message to visit SLS; Wherein, described update request message comprises the DR ID of object DR;
1418: object DR sends update request message to ownership SLS; Wherein, described update request message comprises the DR ID of object DR;
1419: ownership SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations;
1420: ownership SLS sends renewal response message to visit SLS, and wherein, described renewal response message is for notifying that object DR information updating completes;
1421: visit SLS sends renewal response message to object DR;
The mapping relations of 1422: object DR preservation User ID and Locator;
1423: object DR to source DR sends switching response message; Wherein, described switching response message completes for notification source DR switching.
Wherein, it should be noted that, step 1416 is the process of UE generation key, and for the purpose of step 1411-1415, DR generates the process of key, and step 1416 and step 1411-1415 be order in no particular order.
As from the foregoing, the embodiment of the present invention provides the method for another kind of secret generating, and source DR sends handover request message to object DR; Object DR sends access request message to visit SLS; Visit SLS sends access request message to ownership SLS; Ownership SLS generates a random value nonce; Ownership SLS sends authentication request message to visit SLS; Visit SLS sends authentication request message to object DR; Object DR sends authentication request message to UE; UE sends authentication response message to object DR; Object DR sends authentication response message to visit SLS; Visit SLS sends authentication response message to ownership SLS; Ownership SLS obtains belonging to the shared root key K of SLS and UE according to the User ID inquiry of UE; Ownership SLS generates equipment association key; Ownership SLS sends access response message to visit SLS; Visit SLS sends access response message to object DR; Object DR generates temporary key and session key; UE generates equipment association key, temporary key and session key; Object DR sends update request message to visit SLS; Object DR sends update request message to ownership SLS; Ownership SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations; Ownership SLS sends to visit SLS and upgrades response message, and visit SLS sends to object DR and upgrades response message; Object DR preserves the mapping relations of User ID and Locator; Object DR sends switching response message to source DR.So, derive session key step by step, for the transfer of data in UIP network between UE and DR provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between UE and DR, the defect of integrality.
Embodiment 11
The method flow diagram of the another kind of secret generating that Figure 15 provides for the embodiment of the present invention, described method is applicable to UE and is in visit territory, under namely UE is in the scene of roaming state, as shown in figure 15, comprises the following steps:
1501: source DR to object DR sends handover request message; Wherein, described handover request packets of information is containing User ID, Device ID;
1502: object DR sends access request message to visit SLS; Wherein, described access request message comprises User ID, Device ID, DR ID; The SLS in described visit SLS territory residing for described object DR;
1503: visit SLS sends access request message to ownership SLS; Wherein, described access request message comprises User ID, Device ID, DR ID;
1504: ownership SLS generates a random value nonce; Wherein, described random value nonce is used for certification UE and the equipment of generation association key Kdev;
1505: ownership SLS sends authentication request message to visit SLS; Wherein, described authentication request message comprises described random value nonce, Domain ID; Described Domain ID is kept in ownership SLS;
1506: visit SLS sends authentication request message to object DR; Described authentication request message comprises nonce, Domain ID;
1507: object DR sends authentication request message to UE; Wherein, authentication request message comprises nonce, Domain ID, DR ID, and to make UE according to nonce, Domain ID, DR ID, root key K and count value counter derives equipment association key Kdev, temporary key Kdev ', session key Ksession;
1508:UE sends authentication response message to object DR; To make object DR, authentication response message is fed back to visit SLS;
1509: object DR sends authentication response message to visit SLS; To make visit SLS, authentication response message is fed back to ownership SLS;
1510: visit SLS sends authentication response message to ownership SLS; Wherein, described authentication response message is for notifying that ownership SLS completes verification process;
1511: ownership SLS obtains belonging to the shared root key K of SLS and UE according to the User ID inquiry of UE;
1512: ownership SLS generates equipment association key Kdev=KDF(K, Device ID, nonce, Domain ID, DR ID);
1513: ownership SLS sends access response message to visit SLS; Wherein, described access response message comprises described equipment association key Kdev;
1514: visit SLS sends access response message to object DR; Wherein, described access response message comprises described equipment association key Kdev;
1515: object DR generates temporary key Kdev '=KDF(Kdev, counter) and session key Ksession=KDF(Kdev ');
1516:UE generates equipment association key Kdev=KDF(K, Device ID, nonce, Domain ID, DR ID), temporary key Kdev '=KDF(Kdev, counter) and session key Ksession=KDF(Kdev ');
Further, when moving to the overlay area of object DR due to UE, in object DR, there is no the mapping relations of User ID and the Locator of described UE, UE and object DR does not also set up and contacts, therefore, set up to make described UE and object DR and contact, described method is further comprising the steps of:
1517: object DR sends update request message to visit SLS; Wherein, described update request message comprises the DR ID of object DR;
1518: object DR sends update request message to ownership SLS; Wherein, described update request message comprises the DR ID of object DR;
1519: ownership SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations;
1520: ownership SLS sends renewal response message to visit SLS, and wherein, described renewal response message is for notifying that object DR information updating completes;
1521: visit SLS sends renewal response message to object DR;
The mapping relations of 1522: object DR preservation User ID and Locator;
1523: object DR to source DR sends switching response message; Wherein, described switching response message completes for notification source DR switching.
Wherein, it should be noted that, step 1516 is the process of UE generation key, and for the purpose of step 1511-1515, DR generates the process of key, and step 1516 and step 1511-1515 be order in no particular order.
As from the foregoing, the embodiment of the present invention provides the method for another kind of secret generating, and source DR sends handover request message to object DR; Object DR sends access request message to visit SLS; Visit SLS sends access request message to ownership SLS; Ownership SLS generates a random value nonce; Ownership SLS sends authentication request message to visit SLS; Visit SLS sends authentication request message to object DR; Object DR sends authentication request message to UE; UE sends authentication response message to object DR; Object DR sends authentication response message to visit SLS; Visit SLS sends authentication response message to ownership SLS; Ownership SLS obtains belonging to the shared root key K of SLS and UE according to the User ID inquiry of UE; Ownership SLS generates equipment association key; Ownership SLS sends access response message to visit SLS; Visit SLS sends access response message to object DR; Object DR generates temporary key and session key; UE generates equipment association key, temporary key and session key; Object DR sends update request message to visit SLS; Object DR sends update request message to ownership SLS; Ownership SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations; Ownership SLS sends to visit SLS and upgrades response message, and visit SLS sends to object DR and upgrades response message; Object DR preserves the mapping relations of User ID and Locator; Object DR sends switching response message to source DR.So, derive session key step by step, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between subscriber equipment and router, the defect of integrality.
Embodiment 12
The method of the another kind of secret generating that Figure 16 provides for the embodiment of the present invention, described method is applicable to UE and is in visit territory, under namely UE is in the scene of roaming state, as shown in figure 16, comprises the following steps:
1601: source DR to object DR sends handover request message; Wherein, described handover request packets of information is containing User ID, Device ID;
1602: object DR sends access request message to visit SLS; Wherein, described access request message comprises User ID, Device ID, DR ID; The SLS in described visit SLS territory residing for described object DR;
1603: visit SLS sends access request message to ownership SLS; Wherein, described access request message comprises User ID, Device ID, DR ID;
1604: ownership SLS generates a random value nonce; Wherein, described random value nonce is used for certification UE and the equipment of generation association key Kdev;
1605: ownership SLS sends authentication request message to visit SLS; Wherein, described authentication request message comprises described random value nonce, Domain ID; Described Domain ID is kept in ownership SLS;
1606: visit SLS sends authentication request message to object DR; Described authentication request message comprises nonce, Domain ID;
1607: object DR sends authentication request message to UE; Wherein, authentication request message comprises nonce, Domain ID, DR ID, and to make UE according to nonce, Domain ID, DR ID, root key K and count value counter derives equipment association key Kdev, temporary key Kdev ', session key Ksession;
1608:UE sends authentication response message to object DR; To make object DR, authentication response message is fed back to visit SLS;
1609: object DR sends authentication response message to visit SLS; To make visit SLS, authentication response message is fed back to ownership SLS;
1610: visit SLS sends authentication response message to ownership SLS; Wherein, described authentication response message is for notifying that ownership SLS completes verification process;
1611: ownership SLS obtains belonging to the shared root key K of SLS and UE according to the User ID inquiry of UE;
1612: ownership SLS generates equipment association key Kdev=KDF(K, Device ID, nonce);
1613: ownership SLS sends access response message to visit SLS; Wherein, described access response message comprises described equipment association key Kdev;
1614: visit SLS sends access response message to object DR; Wherein, described access response message comprises described equipment association key Kdev;
1615: object DR generates temporary key Kdev '=KDF(Kdev, counter, DomainID, DR ID) and session key Ksession=KDF(Kdev ');
1616:UE generates equipment association key Kdev=KDF(K, Device ID, nonce), temporary key Kdev '=KDF(Kdev, counter, Domain ID, DR ID) and session key Ksession=KDF(Kdev ');
Further, when moving to the coverage of object DR due to UE, in object DR, there is no the mapping relations of User ID and the Locator of described UE, UE and object DR does not also set up and contacts, therefore, set up to make described UE and object DR and contact, described method is further comprising the steps of:
1617: object DR sends update request message to visit SLS; Wherein, described update request message comprises the DR ID of object DR;
1618: object DR sends update request message to ownership SLS; Wherein, described update request message comprises the DR ID of object DR;
1619: ownership SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations;
1620: ownership SLS sends renewal response message to visit SLS, and wherein, described renewal response message is for notifying that object DR information updating completes;
1621: visit SLS sends renewal response message to object DR;
The mapping relations of 1622: object DR preservation User ID and Locator;
1623: object DR to source DR sends switching response message; Wherein, described switching response message completes for notification source DR switching.
Wherein, it should be noted that, step 1616 is the process of UE generation key, and for the purpose of step 1611-1615, DR generates the process of key, and step 1616 and step 1611-1615 be order in no particular order.
As from the foregoing, the embodiment of the present invention provides the method for another kind of secret generating, and source DR sends handover request message to object DR; Object DR sends access request message to visit SLS; Visit SLS sends access request message to ownership SLS; Ownership SLS generates a random value nonce; Ownership SLS sends authentication request message to visit SLS; Visit SLS sends authentication request message to object DR; Object DR sends authentication request message to UE; UE sends authentication response message to object DR; Object DR sends authentication response message to visit SLS; Visit SLS sends authentication response message to ownership SLS; Ownership SLS obtains belonging to the shared root key K of SLS and UE according to the User ID inquiry of UE; Ownership SLS generates equipment association key; Ownership SLS sends access response message to visit SLS; Visit SLS sends access response message to object DR; Object DR generates temporary key and session key; UE generates equipment association key, temporary key and session key; Object DR sends update request message to visit SLS; Object DR sends update request message to ownership SLS; Ownership SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations; Ownership SLS sends to visit SLS and upgrades response message, and visit SLS sends to object DR and upgrades response message; Object DR preserves the mapping relations of User ID and Locator; Object DR sends switching response message to source DR.So, derive session key step by step, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between subscriber equipment and router, the defect of integrality.
Embodiment 13
The method flow diagram of the another kind of secret generating that Figure 17 provides for the embodiment of the present invention, described method is applicable to UE and is in visit territory, under namely UE is in the scene of roaming state, as shown in figure 17, comprises the following steps:
1701: source DR to object DR sends handover request message; Wherein, described handover request packets of information is containing User ID, Device ID;
1702: object DR sends access request message to visit SLS; Wherein, described access request message comprises User ID, Device ID, DR ID; The SLS in described visit SLS territory residing for described object DR;
1703: visit SLS sends access request message to ownership SLS; Wherein, described access request message comprises User ID, Device ID, DR ID;
1704: ownership SLS generates a random value nonce; Wherein, described random value nonce is used for certification UE and the equipment of generation association key Kdev;
1705: ownership SLS sends authentication request message to visit SLS; Wherein, described authentication request message comprises described random value nonce, Domain ID; Described Domain ID is kept in ownership SLS;
1706: visit SLS sends authentication request message to object DR; Described authentication request message comprises nonce, Domain ID;
1707: object DR sends authentication request message to UE; Wherein, authentication request message comprises nonce, Domain ID, DR ID, and to make UE according to nonce, Domain ID, DR ID, root key K and count value counter derives equipment association key Kdev, temporary key Kdev ', session key Ksession;
1708:UE sends authentication response message to object DR; To make object DR, authentication response message is fed back to visit SLS;
1709: object DR sends authentication response message to visit SLS; To make visit SLS, authentication response message is fed back to ownership SLS;
1710: visit SLS sends authentication response message to ownership SLS; Wherein, described authentication response message is for notifying that ownership SLS completes verification process;
1711: ownership SLS obtains belonging to the shared root key K of SLS and UE according to the User ID inquiry of UE;
1712: ownership SLS generates equipment association key Kdev=KDF(K, Device ID, nonce, Domain ID, DR ID);
1713: ownership SLS sends access response message to visit SLS; Wherein, described access response message comprises described equipment association key Kdev;
1714: visit SLS sends access response message to object DR; Wherein, described access response message comprises described equipment association key Kdev;
1715: object DR generates temporary key Kdev '=KDF(Kdev) and session key Ksession=KDF(Kdev ', counter);
1716:UE generates equipment association key Kdev=KDF(K, Device ID, nonce, Domain ID, DR ID), temporary key Kdev '=KDF(Kdev) and session key Ksession=KDF(Kdev ', counter);
Further, during owing to moving to the overlay area of object DR as UE, the mapping relations of User ID and the Locator of described UE in object DR, are not had, UE and object DR does not also set up and contacts, therefore, set up to make described UE and object DR and contact, described method is further comprising the steps of:
1717: object DR sends update request message to visit SLS; Wherein, described update request message comprises the DR ID of object DR;
1718: object DR sends update request message to ownership SLS; Wherein, described update request message comprises the DR ID of object DR;
1719: ownership SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations;
1720: ownership SLS sends renewal response message to visit SLS, and wherein, described renewal response message is for notifying that object DR information updating completes;
1721: visit SLS sends renewal response message to object DR;
The mapping relations of 1722: object DR preservation User ID and Locator;
1723: object DR to source DR sends switching response message; Wherein, described switching response message completes for notification source DR switching.
Wherein, it should be noted that, step 1716 is the process of UE generation key, and for the purpose of step 1711-1715, DR generates the process of key, and step 1716 and step 1711-1715 be order in no particular order.
As from the foregoing, the embodiment of the present invention provides the method for another kind of secret generating, and source DR sends handover request message to object DR; Object DR sends access request message to visit SLS; Visit SLS sends access request message to ownership SLS; Ownership SLS generates a random value nonce; Ownership SLS sends authentication request message to visit SLS; Visit SLS sends authentication request message to object DR; Object DR sends authentication request message to UE; UE sends authentication response message to object DR; Object DR sends authentication response message to visit SLS; Visit SLS sends authentication response message to ownership SLS; Ownership SLS obtains belonging to the shared root key K of SLS and UE according to the User ID inquiry of UE; Ownership SLS generates equipment association key; Ownership SLS sends access response message to visit SLS; Visit SLS sends access response message to object DR; Object DR generates temporary key and session key; UE generates equipment association key, temporary key and session key; Object DR sends update request message to visit SLS; Object DR sends update request message to ownership SLS; Ownership SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations; Ownership SLS sends to visit SLS and upgrades response message, and visit SLS sends to object DR and upgrades response message; Object DR preserves the mapping relations of User ID and Locator; Object DR sends switching response message to source DR.So, derive session key step by step, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between subscriber equipment and router, the defect of integrality.
Embodiment 14
The method flow diagram of the another kind of secret generating that Figure 18 provides for the embodiment of the present invention, described method is applicable to UE and is in visit territory, under namely UE is in the scene of roaming state, as shown in figure 18, comprises the following steps:
1801: source DR to object DR sends handover request message; Wherein, described handover request packets of information is containing User ID, Device ID;
1802: object DR sends access request message to visit SLS; Wherein, described access request message comprises User ID, Device ID, DR ID; The SLS in described visit SLS territory residing for described object DR;
1803: visit SLS sends access request message to ownership SLS; Wherein, described access request message comprises User ID, Device ID;
1804: ownership SLS generates a random value nonce; Wherein, described random value nonce is used for certification UE and the equipment of generation association key Kdev;
1805: ownership SLS sends authentication request message to visit SLS; Wherein, described authentication request message comprises described random value nonce, Domain ID; Described Domain ID is kept in ownership SLS;
1806: visit SLS sends authentication request message to object DR; Described authentication request message comprises nonce, Domain ID;
1807: object DR sends authentication request message to UE; Wherein, authentication request message comprises nonce, Domain ID, DR ID, and to make UE according to nonce, Domain ID, DR ID, root key K and count value counter derives equipment association key Kdev, temporary key Kdev ', session key Ksession;
1808:UE sends authentication response message to object DR; To make object DR, authentication response message is fed back to visit SLS;
1809: object DR sends authentication response message to visit SLS; To make visit SLS, authentication response message is fed back to ownership SLS;
1810: visit SLS sends authentication response message to ownership SLS; Wherein, described authentication response message is for notifying that ownership SLS completes verification process;
1811: ownership SLS obtains belonging to the shared root key K of SLS and UE according to the User ID inquiry of UE;
1812: ownership SLS generates equipment association key Kdev=KDF(K, Device ID, nonce);
1813: ownership SLS sends access response message to visit SLS; Wherein, described access response message comprises described equipment association key Kdev;
1814: visit SLS sends access response message to object DR; Wherein, described access response message comprises described equipment association key Kdev;
1815: object DR generates temporary key Kdev '=KDF(Kdev, Domain ID, DR ID) and session key Ksession=KDF(Kdev ', counter);
1816:UE generates equipment association key Kdev=KDF(K, Device ID, nonce), temporary key Kdev '=KDF(Kdev, Domain ID, DR ID) and session key Ksession=KDF(Kdev ', counter);
Further, during owing to moving to the coverage of object DR as UE, the mapping relations of User ID and the Locator of described UE in object DR, are not had, UE and object DR does not also set up and contacts, therefore, set up to make described UE and object DR and contact, described method is further comprising the steps of:
1817: object DR sends update request message to visit SLS; Wherein, described update request message comprises the DR ID of object DR;
1818: object DR sends update request message to ownership SLS; Wherein, described update request message comprises the DR ID of object DR;
1819: ownership SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations;
1820: ownership SLS sends renewal response message to visit SLS, and wherein, described renewal response message is for notifying that object DR information updating completes;
1821: visit SLS sends renewal response message to object DR;
The mapping relations of 1822: object DR preservation User ID and Locator;
1823: object DR to source DR sends switching response message; Wherein, described switching response message completes for notification source DR switching.
Wherein, it should be noted that, step 1816 is the process of UE generation key, and for the purpose of step 1811-1815, DR generates the process of key, and step 1816 and step 1811-1815 be order in no particular order.
As from the foregoing, the embodiment of the present invention provides the method for another kind of secret generating, and source DR sends handover request message to object DR; Object DR sends access request message to visit SLS; Visit SLS sends access request message to ownership SLS; Ownership SLS generates a random value nonce; Ownership SLS sends authentication request message to visit SLS; Visit SLS sends authentication request message to object DR; Object DR sends authentication request message to UE; UE sends authentication response message to object DR; Object DR sends authentication response message to visit SLS; Visit SLS sends authentication response message to ownership SLS; Ownership SLS obtains belonging to the shared root key K of SLS and UE according to the User ID inquiry of UE; Ownership SLS generates equipment association key; Ownership SLS sends access response message to visit SLS; Visit SLS sends access response message to object DR; Object DR generates temporary key and session key; UE generates equipment association key, temporary key and session key; Object DR sends update request message to visit SLS; Object DR sends update request message to ownership SLS; Ownership SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations; Ownership SLS sends to visit SLS and upgrades response message, and visit SLS sends to object DR and upgrades response message; Object DR preserves the mapping relations of User ID and Locator; Object DR sends switching response message to source DR.So, derive session key step by step, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between subscriber equipment and router, the defect of integrality.
Embodiment 15
The method flow diagram of the another kind of secret generating that Figure 19 provides for the embodiment of the present invention, described method is applicable to current being in of UE and visits territory, under namely UE is in the scene of roaming state, as shown in figure 19, comprises the following steps:
1901: source DR to object DR sends handover request message; Wherein, described handover request packets of information is containing User ID, Device ID;
1902: object DR sends access request message to visit SLS; Wherein, described access request message comprises User ID, Device ID, DR ID; The SLS in described visit SLS territory residing for described object DR;
1903: visit SLS sends access request message to ownership SLS; Wherein, described access request message comprises User ID, Device ID, DR ID;
1904: ownership SLS generates a random value nonce; Wherein, described random value nonce is used for certification UE and the equipment of generation association key Kdev;
1905: ownership SLS sends authentication request message to visit SLS; Wherein, described authentication request message comprises described random value nonce, Domain ID; Described Domain ID is kept in ownership SLS;
1906: visit SLS sends authentication request message to object DR; Described authentication request message comprises nonce, Domain ID;
1907: object DR sends authentication request message to UE; Wherein, authentication request message comprises nonce, Domain ID, DR ID, and to make UE according to nonce, Domain ID, DR ID, root key K and count value counter derives equipment association key Kdev, temporary key Kdev ', session key Ksession;
1908:UE sends authentication response message to object DR; To make object DR, authentication response message is fed back to visit SLS;
1909: object DR sends authentication response message to visit SLS; To make visit SLS, authentication response message is fed back to ownership SLS;
1910: visit SLS sends authentication response message to ownership SLS; Wherein, described authentication response message is for notifying that ownership SLS completes verification process;
1911: ownership SLS obtains belonging to the shared root key K of SLS and UE according to the User ID inquiry of UE;
1912: ownership SLS generates equipment association key Kdev=KDF(K, Device ID, nonce);
1913: ownership SLS sends access response message to visit SLS; Wherein, described access response message comprises described equipment association key Kdev;
1914: visit SLS sends access response message to object DR; Wherein, described access response message comprises described equipment association key Kdev;
1915: object DR generates temporary key Kdev '=KDF(Kdev) and session key Ksession=KDF(Kdev ', counter, Domain ID, DR ID);
1916:UE generates equipment association key Kdev=KDF(K, Device ID, nonce), temporary key Kdev '=KDF(Kdev) and session key Ksession=KDF(Kdev ', counter, Domain ID, DR ID);
Further, during owing to moving to the coverage of object DR as UE, the mapping relations of User ID and the Locator of described UE in object DR, are not had, UE and object DR does not also set up and contacts, therefore, set up to make described UE and object DR and contact, described method is further comprising the steps of:
1917: object DR sends update request message to visit SLS; Wherein, described update request message comprises the DR ID of object DR;
1918: object DR sends update request message to ownership SLS; Wherein, described update request message comprises the DR ID of object DR;
1919: ownership SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations;
1920: ownership SLS sends renewal response message to visit SLS, and wherein, described renewal response message is for notifying that object DR information updating completes;
1921: visit SLS sends renewal response message to object DR;
The mapping relations of 1922: object DR preservation User ID and Locator;
1923: object DR to source DR sends switching response message; Wherein, described switching response message completes for notification source DR switching.
Wherein, it should be noted that, step 1916 is the process of UE generation key, and for the purpose of step 1911-1915, DR generates the process of key, and step 1916 and step 1911-1915 be order in no particular order.
As from the foregoing, the embodiment of the present invention provides the method for another kind of secret generating, and source DR sends handover request message to object DR; Object DR sends access request message to visit SLS; Visit SLS sends access request message to ownership SLS; Ownership SLS generates a random value nonce; Ownership SLS sends authentication request message to visit SLS; Visit SLS sends authentication request message to object DR; Object DR sends authentication request message to UE; UE sends authentication response message to object DR; Object DR sends authentication response message to visit SLS; Visit SLS sends authentication response message to ownership SLS; Ownership SLS obtains belonging to the shared root key K of SLS and UE according to the User ID inquiry of UE; Ownership SLS generates equipment association key; Ownership SLS sends access response message to visit SLS; Visit SLS sends access response message to object DR; Object DR generates temporary key and session key; UE generates equipment association key, temporary key and session key; Object DR sends update request message to visit SLS; Object DR sends update request message to ownership SLS; Ownership SLS preserves the DR ID of UE and current DR ID(and object DR) mapping relations; Ownership SLS sends to visit SLS and upgrades response message, and visit SLS sends to object DR and upgrades response message; Object DR preserves the mapping relations of User ID and Locator; Object DR sends switching response message to source DR.So, derive session key step by step, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between subscriber equipment and router, the defect of integrality.
Embodiment 16
A kind of object router two 00 that Figure 20 provides for the embodiment of the present invention, as shown in figure 20, comprising:
Receiver module 2001: for receiving the handover request message that source router sends, wherein, described handoff request message contains the user identifier of subscriber equipment, the device identifier of described subscriber equipment.
Wherein, source router and object router are relative concepts, according to subscriber equipment (UserEquipment, UE) switch instances is determined, source router is the router carrying out data communication before described UE switches with described UE, and object router is the router carrying out data communication after described UE switches with described UE; Wherein, UE is switched to move to the overlay area of another router from the overlay area of a router described in; In the embodiment of the present invention, source router and object router can in same UIP territories or in different UIP territories, and when source router and object router are in same UIP territory, UE is in the state of movement in territory; When source router and object router are in different UIP territories, UE is in the state of movement between territory; Such as, Fig. 2 is the schematic diagram of subscriber equipment mobile management in UIP network, as shown in Figure 2, the situation of movement connecting the UE of UIP network can have following two kinds: mobile in territory, as UE to move to the overlay area of router one from the overlay area of router two, wherein router two is source router, router for the purpose of router one; Move between territory, as UE to move to the overlay area of router three from the overlay area of router two, wherein, router two is source router, router for the purpose of router three.
In one embodiment of the invention, when UE moves to the overlay area of object router two 00 from the overlay area of source router, receiver module 2001 receives the handover request message that source router sends, wherein, described handoff request message contains the user identifier of described subscriber equipment, the device identifier of described subscriber equipment, or, described handoff request message contains the user identifier of described subscriber equipment, the device identifier of described subscriber equipment and finger URL.
Wherein, the user identifier (User ID) of described subscriber equipment, the device identifier (Device ID) of described subscriber equipment and finger URL (Locator) they are three identifiers (identification, ID) that UIP procotol divides; User ID is distributed by operator, forever constant; Device ID is distributed by equipment manufacturers or operator, and as international mobile device identification code (International Mobile Station Equipment Identity, IMEI), a User ID can associate multiple Device ID; Loctaor is generally IP address, and distributed by operator or subscriber equipment appointment, a Device ID can associate multiple Locator; The user identifier of described subscriber equipment, the device identifier of described subscriber equipment and finger URL can carry out being kept in source router in the initialization procedure of data communication at UE and source router; Such as, Fig. 3 is the schematic diagram of the ID model of UIP network, as shown in Figure 3, for the scene of user's multiple devices, the ID of UIP network can be divided into a user identifier (User ID), multiple device identifier (Device ID) and multiple finger URL (Locator).
Sending module 2002: for when described receiver module receives handover request message, access request message is sent to location server, wherein, described access request message comprises the user identifier of described subscriber equipment, the device identifier of described subscriber equipment and the identifier of described object router.
Wherein, the identifier of described object router is kept in described object router, for identifying described object router.
Described location server is home location server and/or the vision location server of described subscriber equipment; The home location server of described subscriber equipment is the location server in home domain, and described vision location server is the location server in visit territory; Wherein, the UIP territory of described home domain belonging to the user that arranges when user and operator contract, in the communication process of subscriber equipment, home domain is uniquely constant; Described visit territory is the territory residing when being in roaming state of UE; Described roaming state refers to that the current residing UIP territory of UE is not home domain; Such as, as shown in Figure 2, suppose that the home domain of UE is UIP territory-1, then location server SLS-1 is home location server, when UE moves to the overlay area of the router three in UIP territory-2, when namely leaving home domain, UE is in roaming state, UIP territory-2 is visit territory, and location server SLS-2 is vision location server.
Described receiver module 2001 also for, receive the access response message that described location server sends, wherein, described access response message comprises equipment association key, described equipment association key by described location server according to random value, one or more in root key and following parameter derive from: the device identifier of described subscriber equipment, the domain identifier in territory residing for described location server, the identifier of described object router.
Wherein, described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key;
Described root key is the shared key of the home location server of UE described in UE and UIP network and described UE, be kept in described UE and described home location server, and described root key is corresponding with the user identifier (User ID) of described UE, each UE has unique root key, obtained according to described user identifier inquiry by location server, for deriving equipment association key, described root key K can be preset by operator, and the embodiment of the present invention does not limit this.
The identifier in identifier territory residing for home location server in territory residing for described location server, is kept in the home location server of described UE, for identifying the home domain of described UE; In one embodiment of the invention, the identifier in territory residing for described location server can send to described object router by the home location server of described subscriber equipment, can also be obtained by the configuration mode of described object router by other, the embodiment of the present invention does not limit this.
Described equipment association key (Kdev) can by the attribution server of described UE according to random value (nonce), one or more in root key and following parameter derive from: the device identifier (Device ID) of described subscriber equipment, the identifier (Domain ID) in territory residing for described location server, the identifier (DR ID) of described object router, realize under the scene of the many equipment of user, different equipment has different equipment association key Kdev.
In one embodiment of the invention, described equipment association key Kdev can by described home location server according to random value, the device identifier (Domain ID) of root key and described subscriber equipment, adopt cipher key derivation function (Key derivation function, KDF) derive from, such as, Kdev=KDF (K, Device ID, nonce);
Or, by described home location server according to described random value nonce, root key K, the device identifier (Device ID) of described subscriber equipment, the identifier (Domain ID) in territory residing for location server and the identifier (DR ID) of object router, adopt cipher key derivation function (Key derivation function, KDF) to derive from, such as, Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID).
Generation module 2003, during for receiving access response message at described receiving element 2001, derives session key according to described equipment association key.
Further, sending module 2001 specifically for, according to the situation in the current residing territory of described UE, send access request message to the home location server of described subscriber equipment and/or vision location server.
In the embodiment of the present invention, the mobility of UE and the situation in UIP territory in UIP network according to Fig. 2, the situation of movement of UE can be any one situation in following five kinds of situation of movement: mobile in the territory of home domain, move between the territory in visit territory, visit territory to home domain territory between move, home domain to visit territory territory between move, visit territory to visit territory territory between move, therefore, the current residing territory of described UE can be home domain or visit territory.
Exemplary, when the current residing territory of described UE is home domain, sending module 2001 sends access request information to home location server.
Exemplary, when the current residing territory of described UE is visit territory, sending module 2001 sends access request information to vision location server, sends described access request information to make described vision location server to described home location server.
Further, generation module 2003 specifically for, derive temporary key according to the equipment association key in described access response message; Session key is derived according to described temporary key.Such as, the structural representation of the UIP netkey grade that Fig. 4 provides for the embodiment of the present invention, as shown in Figure 4, the key packet of UIP network is containing root key K, equipment association key Kdev, temporary key Kdev ' and session key Ksession; Described equipment association key Kdev is derived from by root key K; described temporary key Kdev ' is derived from by described equipment association key Kdev; described session key Ksession is derived from by described temporary key Kdev '; derive session key step by step, for the purpose of transfer of data between router and subscriber equipment confidentiality, integrity protection are provided.
Exemplary, described equipment association key is by described location server according to random value, and the device identifier of root key and described subscriber equipment derives from; Such as, described equipment association key Kdev=KDF (K, Device ID, nonce);
Described generation module 2003 specifically for, derive session key by four kinds, following (1)-(4) method, below these four kinds of methods be described respectively:
(1) temporary key is derived according to described equipment association key and count value, such as, Kdev '=KDF (Kdev, counter); Wherein, count value counter is the count value that a counter that in UIP grid, router and subscriber equipment are safeguarded produces;
According to described temporary key, the identifier in territory residing for described location server and the identifier of described object router derive session key, such as, Ksession=KDF (Kdev ', Domain ID, DR ID).
(2) according to described equipment association key, count value, the identifier in territory residing for described location server and the identifier of described object router derive temporary key, such as, Kdev '=KDF (Kdev, counter, Domain ID, DR ID);
Session key is derived according to described temporary key, such as, Ksession=KDF (Kdev ').
(3) according to described equipment association key, the identifier in territory residing for described location server and the identifier of described object router derive temporary key, such as, and Kdev '=KDF (Kdev, Domain ID, DR ID);
Session key is derived according to described temporary key and count value, such as, Ksession=KDF (Kdev ', counter);
(4) temporary key is derived according to described equipment association key, such as, Kdev '=KDF (Kdev);
According to described temporary key, count value, the identifier in territory residing for described location server and the identifier of described object router derive session key, such as, Ksession=KDF (Kdev ', counter, Domain ID, DR ID).
Exemplary, described equipment association key by described location server according to random value, root key, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive from; Such as, described equipment association key Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID);
Described generation module 2003 specifically for, derive session key by two kinds, following (1)-(2) method, below these two kinds of methods be described respectively:
(1) temporary key is derived according to described equipment association key and count value, such as, Kdev '=KDF (Kdev, counter);
Session key is derived according to described temporary key, such as, Ksession=KDF (Kdev ');
(2) temporary key is derived according to described equipment association key, such as, Kdev '=KDF (Kdev);
Session key is derived according to described temporary key and count value, such as, Ksession=KDF (Kdev ', counter).
Further, described receiver module 2001 also for, receive described location server send authentication request message; Wherein authentication request message comprises the identifier in territory residing for described random value and described location server;
Described sending module 2002 also for, when described receiver module 2001 receives authentication request message, authentication request message is sent to described subscriber equipment, wherein, authentication request message comprises the identifier in territory residing for described random value, described location server and the identifier of described object router, to make described subscriber equipment return authentication response message and to generate equipment association key and session key.
As from the foregoing, the embodiment of the present invention provides a kind of object router two 00, receives the handover request message that source router sends, and wherein, described handoff request message contains the user identifier of subscriber equipment, the device identifier of described subscriber equipment; Send access request message to location server, wherein, in described access request, comprise the user identifier of described subscriber equipment, the device identifier of described subscriber equipment and the identifier of described object router; Receive the access response message that described location server sends, wherein, described access response message comprises equipment association key, described equipment association key by location server according to described random value, one or more in root key and following parameter derive from: the device identifier of described subscriber equipment, the identifier in territory residing for described location server, the identifier of described object router; Session key is derived according to the equipment association key in described access response message.So, derive session key step by step, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between subscriber equipment and router, the defect of integrality.
Embodiment 17
A kind of location server 210 that Figure 21 provides for the embodiment of the present invention, as shown in figure 21, comprising:
Receiver module 2101, for receiving the access request message that object router sends, wherein, described access request message comprises the user identifier of subscriber equipment, the device identifier of subscriber equipment and the identifier of described object router.
Sending module 2102, for when described receiver module receives access request information, sends authentication request message to described object router, wherein, comprises the identifier in territory residing for random value and described location server in described authentication request; Described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key.
Described receiver module 2101 also for, receive described object router send authentication response message,
Generation module 2103, for receive at described receiver module described object router send authentication response message time, according to root key, one or more in described random value and following parameter derive described equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router.
Described sending module 2102, also for when described generation module generates equipment association key, sends access response message to described object router, wherein, comprises described equipment association key in described access response message.
Further, described generation module 2103 specifically for, derive from equipment association key by two kinds, following (1)-(2) mode, below these two kinds of modes be described respectively:
(1) according to root key, the device identifier of described random value and described subscriber equipment derives described equipment association key, such as, and equipment association key Kdev=KDF (K, DeviceID, nonce);
(2) according to root key, described random value, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive described equipment association key, such as, and equipment association key Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID).
As from the foregoing, the embodiment of the present invention provides a kind of object router two 30, receives the handover request message that source router sends, and wherein, described handoff request message contains the user identifier of subscriber equipment, the device identifier of described subscriber equipment; Access request message is sent to location server, wherein, comprise the user identifier of described subscriber equipment and the device identifier of described subscriber equipment in described access request, described location server is home location server and/or the vision location server of described subscriber equipment; Receive the access response message that described location server sends, wherein, described access response message comprises equipment association key, described in described equipment association key, location server is according to random value, one or more in root key and following parameter derive from: the device identifier of described subscriber equipment, the domain identifier in territory residing for object router, the identifier of object router; Derive temporary key according to the equipment association key in described access response message, derive session key according to described temporary key.So, derive session key step by step, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality; Avoid in the communication process of existing UIP network and there is no session key, confidentiality can not be provided for the transfer of data between terminal use and router, the defect of integrality.
Embodiment 18
A kind of subscriber equipment 220 that Figure 22 provides for the embodiment of the present invention, as shown in figure 22, comprising:
Receiver module 2201: for receiving the authentication request message that object router sends, wherein, described authentication request message comprises described random value, the identifier in territory residing for described location server and the identifier of described object router.
Generation module 2202: for when described receiver module receives authentication request message, according to root key, one or more in described random value and following parameter derive equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router, derive session key according to described equipment association key.
Further, described generation module 2202 specifically for, derive temporary key according to described equipment association key, derive session key according to described temporary key.
Exemplary, described generation module 2202 derives session key by six kinds, following (1)-(6) mode, is described respectively below to these six kinds of modes:
(1) according to random value, root key and device identifier derive equipment association key, such as, Kdev=KDF (K, DeviceID, nonce);
Temporary key is derived according to described equipment association key and count value, such as, Kdev '=KDF (Kdev, counter);
According to described temporary key, the identifier in territory residing for described location server and the identifier of described object router derive session key, such as, Ksession=KDF (Kdev ', Domain ID, DR ID);
(2) according to random value, root key, and device identifier derive equipment association key, such as, Kdev=KDF (K, DeviceID, nonce);
According to described equipment association key, count value, the identifier in territory residing for described location server and the identifier of described object router derive temporary key, such as, Kdev '=KDF (Kdev, counter, DomainID, DR ID);
Session key is derived according to described temporary key, such as, Ksession=KDF (Kdev ');
(3) according to random value, root key, and device identifier derive equipment association key, such as, Kdev=KDF (K, DeviceID, nonce);
According to described equipment association key, the identifier in territory residing for described location server and the identifier of described object router derive temporary key, such as, and Kdev '=KDF (Kdev, Domain ID, DR ID);
Session key is derived according to described temporary key and count value, such as, Ksession=KDF (Kdev ', counter);
(4) according to random value, root key, and device identifier derive equipment association key, such as, Kdev=KDF (K, DeviceID, nonce);
Temporary key is derived according to described equipment association key, such as, Kdev '=KDF (Kdev);
According to described temporary key, count value, the identifier in territory residing for described location server and the identifier of described object router derive session key, such as, Ksession=KDF (Kdev ', counter, Domain ID, DR ID);
(5) according to random value, root key, device identifier, the identifier in territory residing for described location server and the identifier of described object router derive equipment association key, such as, Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID);
Temporary key is derived according to described equipment association key and count value, such as, Kdev '=KDF (Kdev, counter);
Session key is derived according to described temporary key, such as, Ksession=KDF (Kdev ');
(6) according to random value, root key, device identifier, the identifier in territory residing for described location server and the identifier of described object router derive equipment association key, such as, Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID);
Temporary key is derived according to described equipment association key, such as, Kdev '=KDF (Kdev);
Session key is derived according to described temporary key and count value, such as, Ksession=KDF (Kdev ', counter).
As from the foregoing, the embodiment of the present invention provides a kind of subscriber equipment 220, receives the authentication request message that object router sends, wherein, described random value is comprised, the identifier in territory residing for described location server and the identifier of described object router in described authentication request message; According to root key, one or more in described random value and following parameter derive equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router, derive session key according to described equipment association key.So, derive session key step by step, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between subscriber equipment and router, the defect of integrality.
Embodiment 19
See Figure 23, for the another kind of object router two 30 that the embodiment of the present invention provides, as shown in figure 23, this equipment comprises: processor 2301, memory 2302, communication unit 2303, at least one communication bus 2304, for realizing connection between these devices and intercoming mutually;
Processor 2301 may be a central processing unit (English: central processingunit, referred to as CPU);
Memory 2302 can be that (English: volatile memory), such as (English: random-access memory, abridges: RAM) random access memory volatile memory; Or nonvolatile memory is (English: non-volatile memory), such as read-only memory is (English: read-only memory, abbreviation: ROM), flash memory is (English: flashmemory), hard disk is (English: hard disk drive, abbreviation: HDD) or solid state hard disc (English: solid-state drive, abbreviation: SSD); Or the combination of the memory of mentioned kind, and provide instruction and data to processor 1001;
Described communication unit 2303, for receiving the handover request message that source router sends, wherein, described handoff request message contains the user identifier of subscriber equipment, the device identifier of described subscriber equipment.
Wherein, source router and object router are relative concepts, according to subscriber equipment (UserEquipment, UE) switch instances is determined, source router is the router carrying out data communication before described UE switches with described UE, and object router is the router carrying out data communication after described UE switches with described UE; Wherein, UE is switched to move to the overlay area of another router from the overlay area of a router described in; In the embodiment of the present invention, source router and object router can in same UIP territories or in different UIP territories, and when source router and object router are in same UIP territory, UE is in the state of movement in territory; When source router and object router are in different UIP territories, UE is in the state of movement between territory; Such as, Fig. 2 is the schematic diagram of subscriber equipment mobile management in UIP network, as shown in Figure 2, the situation of movement connecting the UE of UIP network can have following two kinds: move between intradomain router, as UE to move to the overlay area of router one from the overlay area of router two, wherein router two is source router, router for the purpose of router one; Move between inter domain router, as UE to move to the overlay area of router three from the overlay area of router two, wherein, router two is source router, router for the purpose of router three.
In one embodiment of the invention, when UE moves to the overlay area of object router two 00 from the overlay area of source router, receiver module 2001 receives the handover request message that source router sends, wherein, described handoff request message contains the user identifier of described subscriber equipment, the device identifier of described subscriber equipment, or, described handoff request message contains the user identifier of described subscriber equipment, the device identifier of described subscriber equipment and finger URL.
Wherein, the user identifier (User ID) of described subscriber equipment, the device identifier (Device ID) of described subscriber equipment and finger URL (Locator) they are three identifiers (identification, ID) that UIP procotol divides; User ID is distributed by operator, forever constant; Device ID is distributed by equipment manufacturers or operator, and as international mobile device identification code (International Mobile Station Equipment Identity, IMEI), a User ID can associate multiple Device ID; Loctaor is generally IP address, and distributed by operator or subscriber equipment appointment, a Device ID can associate multiple Locator; The user identifier of described subscriber equipment, the device identifier of described subscriber equipment and finger URL can carry out being kept in source router in the initialization procedure of data communication at UE and source router; Such as, Fig. 3 is the schematic diagram of the ID model of UIP network, as shown in Figure 3, for the scene of user's multiple devices, the ID of UIP network can be divided into a user identifier (User ID), multiple device identifier (Device ID) and multiple finger URL (Locator).
Described communication unit 2303, also for when receiving handover request message, send access request message to location server, wherein, described access request message comprises the user identifier of described subscriber equipment, the device identifier of described subscriber equipment and the identifier of described object router.
Wherein, the identifier of described object router is kept in described object router, for identifying described object router.
Described location server is home location server and/or the vision location server of described subscriber equipment; The home location server of described subscriber equipment is the location server in home domain, and described vision location server is the location server in visit territory; Wherein, the UIP territory of described home domain belonging to the user that arranges when user and operator contract, in the communication process of subscriber equipment, home domain is uniquely constant; Described visit territory is the territory residing when being in roaming state of UE; Described roaming state refers to that the current residing UIP territory of UE is not home domain; Such as, as shown in Figure 2, suppose that the home domain of UE is UIP territory-1, then location server SLS-1 is home location server, when UE moves to the overlay area of the router three in UIP territory-2, when namely leaving home domain, UE is in roaming state, UIP territory-2 is visit territory, and location server SLS-2 is vision location server.
Described communication unit 2303, also for receiving the access response message that described location server sends, wherein, described access response message comprises equipment association key, described in described equipment association key, location server is according to random value, one or more in root key and following parameter derive from: the device identifier of described subscriber equipment, the domain identifier in territory residing for described location server, the identifier of described object router.
Wherein, described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key;
Described root key is the shared key of the home location server of UE described in UE and UIP network and described UE, be kept in described UE and described home location server, and described root key is corresponding with the user identifier (User ID) of described UE, each UE has unique root key, obtained according to described user identifier inquiry by location server, for deriving equipment association key, described root key K can be preset by operator, and the embodiment of the present invention does not limit this.
The identifier in identifier territory residing for home location server in territory residing for described location server, is kept in the home location server of described UE, for identifying the home domain of described UE; In one embodiment of the invention, the identifier in territory residing for described location server can send to described object router by the home location server of described subscriber equipment, can also be obtained by the configuration mode of described object router by other, the embodiment of the present invention does not limit this.
Described equipment association key (Kdev) can by the attribution server of described UE according to random value (nonce), one or more in root key and following parameter derive from: the device identifier (Device ID) of described subscriber equipment, the identifier (Domain ID) in territory residing for described location server, the identifier (DR ID) of described object router, realize under the scene of the many equipment of user, different equipment has different equipment association key Kdev.
In one embodiment of the invention, described equipment association key Kdev can by described home location server according to random value, the device identifier (Domain ID) of root key and described subscriber equipment, adopt cipher key derivation function (Key derivation function, KDF) derive from, such as, Kdev=KDF (K, Device ID, nonce);
Or, by described home location server according to described random value nonce, root key K, the device identifier (Device ID) of described subscriber equipment, the identifier (Domain ID) in territory residing for location server and the identifier (DR ID) of object router, adopt cipher key derivation function (Key derivation function, KDF) to derive from, such as, Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID).
Processor 2301, during for receiving access response message at described communication unit 2303, derives session key according to described equipment association key.
Further, described processor 2301, specifically for deriving temporary key according to the equipment association key in described access response message; Session key is derived according to described temporary key.
Exemplary, described equipment association key is by described location server according to random value, and the device identifier of root key and described subscriber equipment derives from; Such as, described equipment association key Kdev=KDF (K, Device ID, nonce);
Described processor 2301 specifically for, derive session key by four kinds, following (1)-(4) method, below these four kinds of methods be described respectively:
(1) temporary key is derived according to described equipment association key and count value, such as, Kdev '=KDF (Kdev, counter); Wherein, count value counter is the count value that a counter that in UIP grid, router and subscriber equipment are safeguarded produces;
According to described temporary key, the identifier in territory residing for described location server and the identifier of described object router derive session key, such as, Ksession=KDF (Kdev ', Domain ID, DR ID).
(2) according to described equipment association key, count value, the identifier in territory residing for described location server and the identifier of described object router derive temporary key, such as, Kdev '=KDF (Kdev, counter, Domain ID, DR ID);
Session key is derived according to described temporary key, such as, Ksession=KDF (Kdev ').
(3) according to described equipment association key, the identifier in territory residing for described location server and the identifier of described object router derive temporary key, such as, and Kdev '=KDF (Kdev, Domain ID, DR ID);
Session key is derived according to described temporary key and count value, such as, Ksession=KDF (Kdev ', counter);
(4) temporary key is derived according to described equipment association key, such as, Kdev '=KDF (Kdev);
According to described temporary key, count value, the identifier in territory residing for described location server and the identifier of described object router derive session key, such as, Ksession=KDF (Kdev ', counter, Domain ID, DR ID).
Exemplary, described equipment association key by described location server according to random value, root key, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive from; Such as, described equipment association key Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID);
Described processor 2301 specifically for, derive session key by two kinds, following (1)-(2) method, below these two kinds of methods be described respectively:
(1) temporary key is derived according to described equipment association key and count value, such as, Kdev '=KDF (Kdev, counter);
Session key is derived according to described temporary key, such as, Ksession=KDF (Kdev ');
(2) temporary key is derived according to described equipment association key, such as, Kdev '=KDF (Kdev);
Session key is derived according to described temporary key and count value, such as, Ksession=KDF (Kdev ', counter).
Further, described communication unit 2303 also for, receive described location server send authentication request message; Wherein authentication request message comprises the identifier in territory residing for described random value and described location server;
Described communication unit 2303 also for, when described communication unit 2303 receives authentication request message, authentication request message is sent to described subscriber equipment, wherein, authentication request message comprises the identifier in territory residing for described random value, described location server and the identifier of described object router, to make described subscriber equipment return authentication response message and to generate equipment association key and session key.
As from the foregoing, the embodiment of the present invention provides another kind of object router two 30, receives the handover request message that source router sends, and wherein, described handoff request message contains the user identifier of subscriber equipment, the device identifier of described subscriber equipment; Send access request message to location server, wherein, in described access request, comprise the user identifier of described subscriber equipment, the device identifier of described subscriber equipment and the identifier of described object router; Receive the access response message that described location server sends, wherein, described access response message comprises equipment association key, described equipment association key by location server according to described random value, one or more in root key and following parameter derive from: the device identifier of described subscriber equipment, the identifier in territory residing for described location server, the identifier of described object router; Session key is derived according to the equipment association key in described access response message.So, derive session key step by step, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between subscriber equipment and router, the defect of integrality.
Embodiment 20
The another kind of location server 240 that Figure 24 provides for the embodiment of the present invention, as shown in figure 24, this equipment comprises: processor 2401, memory 2402, communication unit 2403, at least one communication bus 2404, for realizing connection between these devices and intercoming mutually;
Processor 2401 may be a central processing unit (English: central processingunit, referred to as CPU);
Memory 2402 can be that (English: volatile memory), such as (English: random-access memory, abridges: RAM) random access memory volatile memory; Or nonvolatile memory is (English: non-volatile memory), such as read-only memory is (English: read-only memory, abbreviation: ROM), flash memory is (English: flashmemory), hard disk is (English: hard disk drive, abbreviation: HDD) or solid state hard disc (English: solid-state drive, abbreviation: SSD); Or the combination of the memory of mentioned kind, and provide instruction and data to processor 1001;
Described communication unit 2403, for receiving the access request message that object router sends, wherein, described access request message comprises the user identifier of subscriber equipment, the device identifier of subscriber equipment and the identifier of described object router.
Described communication unit 2403, also for when receiving access request message, send authentication request message to described object router, wherein, described authentication request message comprises the identifier in territory residing for random value and described location server; Described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key.
Described communication unit 2403, also for receiving the authentication response message that described object router sends.
Described processor 2401, for when communication unit 2403 receives authentication response message, according to root key, one or more in described random value and following parameter derive described equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router.
Described communication unit 2403, also for when described processor 2401 generates equipment association key, send access response message to described object router, wherein, described access response message comprises described equipment association key.
Further, described processor 2401 specifically for, derive from equipment association key by two kinds, following (1)-(2) mode, below these two kinds of modes be described respectively:
(1) according to root key, the device identifier of described random value and described subscriber equipment derives described equipment association key, such as, and equipment association key Kdev=KDF (K, DeviceID, nonce).
(2) according to root key, described random value, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive described equipment association key, such as, and equipment association key Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID).
As from the foregoing, the embodiment of the present invention provides another kind of location server 240, receive the access request that object router sends, wherein, the user identifier of subscriber equipment is comprised in described access request, the device identifier of subscriber equipment and the identifier of described object router, authentication request is sent to described object router, wherein, the identifier in territory residing for random value and described location server is comprised in described authentication request, described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key; Receive the authentication response message that described object router sends, according to root key, one or more in described random value and following parameter derive described equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router.So, derive session key step by step, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between subscriber equipment and router, the defect of integrality.
Embodiment 21
The another kind of subscriber equipment 250 that Figure 25 provides for the embodiment of the present invention, as shown in figure 25, this equipment comprises: processor 2501, memory 2502, communication unit 2503, at least one communication bus 2504, for realizing connection between these devices and intercoming mutually;
Processor 2501 may be a central processing unit (English: central processingunit, referred to as CPU);
Memory 2502 can be that (English: volatile memory), such as (English: random-access memory, abridges: RAM) random access memory volatile memory; Or nonvolatile memory is (English: non-volatile memory), such as read-only memory is (English: read-only memory, abbreviation: ROM), flash memory is (English: flash memory), hard disk is (English: hard disk DRive, abbreviation: HDD) or solid state hard disc (English: solid-state DRive, abbreviation: SSD); Or the combination of the memory of mentioned kind, and provide instruction and data to processor 1001;
Described communication unit 2503, for receiving the authentication request message that object router sends, wherein, comprises described random value in described authentication request message, the identifier in territory residing for described location server and the identifier of described object router.
Described processor 2501, for when described communication unit 2503 receives authentication request message, according to root key, one or more in described random value and following parameter derive equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router, derive session key according to described equipment association key.
Further, described processor 2501 specifically for: derive temporary key according to described equipment association key, derive session key according to described temporary key.
Exemplary, described processor 2501 derives session key by six kinds, following (1)-(6) mode, is described respectively below to these six kinds of modes:
(1) according to random value, root key and device identifier derive equipment association key, such as, Kdev=KDF (K, DeviceID, nonce);
Temporary key is derived according to described equipment association key and count value, such as, Kdev '=KDF (Kdev, counter);
According to described temporary key, the identifier in territory residing for described location server and the identifier of described object router derive session key, such as, Ksession=KDF (Kdev ', Domain ID, DR ID);
(2) according to random value, root key, and device identifier derive equipment association key, such as, Kdev=KDF (K, DeviceID, nonce);
According to described equipment association key, count value, the identifier in territory residing for described location server and the identifier of described object router derive temporary key, such as, Kdev '=KDF (Kdev, counter, DomainID, DR ID);
Session key is derived according to described temporary key, such as, Ksession=KDF (Kdev ');
(3) according to random value, root key, and device identifier derive equipment association key, such as, Kdev=KDF (K, DeviceID, nonce);
According to described equipment association key, the identifier in territory residing for described location server and the identifier of described object router derive temporary key, such as, and Kdev '=KDF (Kdev, Domain ID, DR ID);
Session key is derived according to described temporary key and count value, such as, Ksession=KDF (Kdev ', counter);
(4) according to random value, root key, and device identifier derive equipment association key, such as, Kdev=KDF (K, DeviceID, nonce);
Temporary key is derived according to described equipment association key, such as, Kdev '=KDF (Kdev);
According to described temporary key, count value, the identifier in territory residing for described location server and the identifier of described object router derive session key, such as, Ksession=KDF (Kdev ', counter, Domain ID, DR ID);
(5) according to random value, root key, device identifier, the identifier in territory residing for described location server and the identifier of described object router derive equipment association key, such as, Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID);
Temporary key is derived according to described equipment association key and count value, such as, Kdev '=KDF (Kdev, counter);
Session key is derived according to described temporary key, such as, Ksession=KDF (Kdev ');
(6) according to random value, root key, device identifier, the identifier in territory residing for described location server and the identifier of described object router derive equipment association key, such as, Kdev=KDF (K, Device ID, nonce, Domain ID, DR ID);
Temporary key is derived according to described equipment association key, such as, Kdev '=KDF (Kdev);
Session key is derived according to described temporary key and count value, such as, Ksession=KDF (Kdev ', counter).
As from the foregoing, the embodiment of the present invention provides another kind of subscriber equipment 250, receives the authentication request message that object router sends, wherein, described random value is comprised, the identifier in territory residing for described location server and the identifier of described object router in described authentication request message; According to root key, one or more in described random value and following parameter derive equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router, derive temporary key according to described equipment association key, derive session key according to described temporary key.So, derive session key step by step, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between subscriber equipment and router, the defect of integrality.
Embodiment 22
A kind of key generation system 26 that Figure 26 provides for the embodiment of the present invention, as shown in figure 26, comprising: subscriber equipment 261, source router 262, object router two 63 and location server 264.
Wherein, source router 262 and object router two 63 have identical function, subscriber equipment 261, and the function of object router two 63 and location server 264 is as subscriber equipment 250 above, described in object router two 30 and location server 240, do not repeat them here.
As from the foregoing, the embodiment of the present invention provides a kind of key generation system 26, and object router receives the handover request message that source router sends, and wherein, described handoff request message contains the user identifier of subscriber equipment, the device identifier of described subscriber equipment; Described object router sends access request message to location server, wherein, comprises the user identifier of described subscriber equipment in described access request, the device identifier of described subscriber equipment and the identifier of described object router; Described object router receives the access response message that described location server sends, wherein, described access response message comprises equipment association key, described in described equipment association key, location server is according to random value, one or more in root key and following parameter derive from: the device identifier of described subscriber equipment, the domain identifier in territory residing for described location server, the identifier of described object router; Described object router derives session key according to the equipment association key in described access response message.So, derive session key step by step, for the transfer of data in UIP network between subscriber equipment and router provides confidentiality, integrality; Avoid existing UIP network and can not provide confidentiality for the transfer of data between subscriber equipment and router, the defect of integrality.
Those skilled in the art can be well understood to, and for convenience and simplicity of description, the unit of foregoing description and the specific works process of system, with reference to the corresponding process in preceding method embodiment, can not repeat them here.
In several embodiments that the application provides, should be understood that, disclosed system, equipment and method, can realize by another way.Such as, apparatus embodiments described above is only schematic, such as, the division of described unit, be only a kind of logic function to divide, actual can have other dividing mode when realizing, such as multiple unit or assembly can in conjunction with or another system can be integrated into, or some features can be ignored, or do not perform.Another point, shown or discussed coupling each other or direct-coupling or communication connection can be by some interfaces, and the indirect coupling of device or unit or communication connection can be electrical, machinery or other form.
The described unit illustrated as separating component or can may not be and physically separates, and the parts as unit display can be or may not be physical location, namely can be positioned at a place, or also can be distributed in multiple network element.Some or all of unit wherein can be selected according to the actual needs to realize the object of the present embodiment scheme.
In addition, each functional unit in each embodiment of the present invention can be integrated in a processing unit, also can be that the independent physics of unit comprises, also can two or more unit in a unit integrated.Above-mentioned integrated unit both can adopt the form of hardware to realize, and the form that hardware also can be adopted to add SFU software functional unit realizes.
The above-mentioned integrated unit realized with the form of SFU software functional unit, can be stored in a computer read/write memory medium.Above-mentioned SFU software functional unit is stored in a storage medium, comprises the part steps of some instructions in order to make a computer equipment (can be personal computer, server, or the network equipment etc.) perform method described in each embodiment of the present invention.And aforesaid storage medium comprises: USB flash disk, portable hard drive, read-only memory (Read-OnlyMemory, be called for short ROM), random access memory (Random Access Memory, be called for short RAM), magnetic disc or CD etc. various can be program code stored medium.
One of ordinary skill in the art will appreciate that all or part of step in the various methods of above-described embodiment is that the hardware (such as processor) that can carry out instruction relevant by program has come, this program can be stored in a computer-readable recording medium, and storage medium can comprise: read-only memory, random asccess memory, disk or CD etc.
Last it is noted that above embodiment is only in order to illustrate technical scheme of the present invention, be not intended to limit; Although with reference to previous embodiment to invention has been detailed description, those of ordinary skill in the art is to be understood that: it still can be modified to the technical scheme described in foregoing embodiments, or carries out equivalent replacement to wherein portion of techniques feature; And these amendments or replacement, do not make the essence of appropriate technical solution depart from the spirit and scope of various embodiments of the present invention technical scheme.

Claims (19)

1. a method for secret generating, is characterized in that, comprising:
Object router receives the handover request message that source router sends, and wherein, described handoff request message contains the user identifier of subscriber equipment, the device identifier of described subscriber equipment;
Described object router sends access request message to location server, and wherein, described access request message comprises the user identifier of described subscriber equipment, the device identifier of described subscriber equipment and the identifier of described object router;
Described object router receives the access response message that described location server sends, wherein, described access response message comprises equipment association key, described equipment association key by described location server according to random value, one or more in root key and following parameter derive from: the device identifier of described subscriber equipment, the identifier in territory residing for described location server, the identifier of described object router; Described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key; Described root key is obtained according to described user identifier by location server;
Described object router derives session key according to the equipment association key in described access response message.
2. method according to claim 1, is characterized in that, described object router derives session key according to the equipment association key in described access response message, comprising:
Described object router derives temporary key according to the equipment association key in described access response message;
Described object router derives session key according to described temporary key.
3. method according to claim 1 and 2, is characterized in that, described equipment association key is by described location server according to random value, and the device identifier of root key and described subscriber equipment derives from;
Described object router derives session key according to the equipment association key in described access response message and comprises:
Described object router derives temporary key according to described equipment association key and count value; Wherein, described count value has described object router to obtain;
According to described temporary key, the identifier in territory residing for described location server and the identifier of described object router derive session key;
Or,
Described object router according to described equipment association key, count value, the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Session key is derived according to described temporary key;
Or,
Described object router is according to described equipment association key, and the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Session key is derived according to described temporary key and count value;
Or,
Described object router derives temporary key according to described equipment association key;
According to described temporary key, count value, the identifier in territory residing for described location server and the identifier of described object router derive session key.
4. method according to claim 1 and 2, it is characterized in that, described equipment association key by described location server according to random value, root key, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive from;
Described object router derives session key according to the equipment association key in described access response message and comprises:
Described object router derives temporary key according to described equipment association key and count value;
Session key is derived according to described temporary key;
Or,
Described object router derives temporary key according to described equipment association key;
Session key is derived according to described temporary key and count value.
5. the method according to any one of claim 1-4, is characterized in that, described method also comprises:
Described object router receives the authentication request message that described location server sends; Wherein, described authentication request message comprises the identifier in territory residing for described random value and described location server;
Described object router sends authentication request message to described subscriber equipment, wherein, described authentication request message comprises the identifier in territory residing for described random value, described location server and the identifier of described object router, to make described subscriber equipment return authentication response message and to generate equipment association key and session key.
6. a method for secret generating, is characterized in that, comprising:
Location server receives the access request message that object router sends, and wherein, described access request message comprises the user identifier of subscriber equipment, the device identifier of subscriber equipment and the identifier of described object router;
Described location server sends authentication request message to described object router, and wherein, described authentication request message comprises the identifier in territory residing for random value and described location server; Described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key;
Described location server receives the authentication response message that described object router sends, according to root key, one or more in described random value and following parameter derive described equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router; Described root key is obtained according to described user identifier by location server;
Described location server sends access response message to described object router, and wherein, described access response message comprises described equipment association key.
7. method according to claim 6, it is characterized in that, described location server is according to root key, one or more in described random value and following parameter derive described equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router, comprising:
Described location server is according to root key, and the device identifier of described random value and described subscriber equipment derives described equipment association key;
Or,
Described location server is according to root key, and described random value, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive described equipment association key.
8. a method for secret generating, is characterized in that, comprising:
Subscriber equipment receives the authentication request message that object router sends, and wherein, described authentication request message comprises described random value, the identifier in territory residing for described location server and the identifier of described object router;
Described subscriber equipment is according to root key, one or more in described random value and following parameter derive equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router, derive session key according to described equipment association key.
9. method according to claim 8, it is characterized in that, described subscriber equipment is according to root key, one or more in described random value and following parameter derive equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router, derive session key according to described equipment association key, comprising:
Described subscriber equipment is according to root key, and the device identifier of described random value and described subscriber equipment derives equipment association key;
Described subscriber equipment derives temporary key according to described equipment association key and count value;
Described subscriber equipment is according to described temporary key, and the identifier in territory residing for described location server and the identifier of described object router derive session key;
Or,
Described subscriber equipment is according to root key, and the device identifier of described random value and described subscriber equipment derives equipment association key;
Described subscriber equipment according to described equipment association key, count value, the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Described subscriber equipment derives session key according to described temporary key;
Or,
Described subscriber equipment is according to root key, and the device identifier of described random value and described subscriber equipment derives equipment association key;
Described subscriber equipment is according to described equipment association key, and the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Described subscriber equipment derives session key according to described temporary key and count value;
Or,
Described subscriber equipment is according to root key, and the device identifier of described random value and described subscriber equipment derives equipment association key;
Described subscriber equipment derives temporary key according to described equipment association key;
Described subscriber equipment according to described temporary key, count value, the identifier in territory residing for described location server and the identifier of described object router derive session key;
Or,
Described subscriber equipment according to root key, described random value, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive equipment association key;
Described subscriber equipment derives temporary key according to described equipment association key and count value;
Described subscriber equipment derives session key according to described temporary key;
Or,
Described subscriber equipment according to root key, described random value, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive equipment association key;
Described subscriber equipment derives temporary key according to described equipment association key;
Described subscriber equipment derives session key according to described temporary key and count value.
10. an object router, is characterized in that, comprising:
Receiver module, for receiving the handover request message that source router sends, wherein, described handoff request message contains the user identifier of subscriber equipment, the device identifier of described subscriber equipment;
Sending module, for when described receiver module receives handover request message, send access request message to location server, wherein, described access request message comprises the user identifier of described subscriber equipment, the device identifier of described subscriber equipment and the identifier of described object router;
Described receiver module, also for receiving the access response message that described location server sends, wherein, described access response message comprises equipment association key, described equipment association key by described location server according to random value, one or more in root key and following parameter derive from: the device identifier of described subscriber equipment, the identifier in territory residing for described location server, the identifier of described object router; Described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key; Described root key is obtained according to described user identifier by location server;
Generation module: during for receiving access response message at described receiver module, derive session key according to described equipment association key.
11. object routers according to claim 10, is characterized in that, described generation module specifically for:
Temporary key is derived according to described equipment association key;
Session key is derived according to described temporary key.
12. object routers according to claim 10 or 11, is characterized in that, described equipment association key is by described location server according to random value, and the device identifier of root key and described subscriber equipment derives from;
Accordingly, described generation module specifically for:
Temporary key is derived according to described equipment association key and count value; Wherein, described count value has described object router to obtain;
According to described temporary key, the identifier in territory residing for described location server and the identifier of described object router derive session key;
Or,
According to described equipment association key, count value, the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Session key is derived according to described temporary key;
Or,
According to described equipment association key, the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Session key is derived according to described temporary key and count value;
Or,
Temporary key is derived according to described equipment association key;
According to described temporary key, count value, the identifier in territory residing for described location server and the identifier of described object router derive session key.
13. object routers according to claim 10 or 11, it is characterized in that, described equipment association key by described location server according to random value, root key, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive from
Accordingly, described generation module specifically for:
Temporary key is derived according to described equipment association key and count value;
Session key is derived according to described temporary key;
Or,
Temporary key is derived according to described equipment association key;
Session key is derived according to described temporary key and count value.
14. object routers according to any one of claim 10-13, is characterized in that,
Described receiver module also for: receive described location server send authentication request message; Wherein, described authentication request message comprises the identifier in territory residing for described random value and described location server;
Described sending module also for: when described receiver module receives authentication request message, authentication request message is sent to described subscriber equipment, wherein, described authentication request message comprises the identifier in territory residing for described random value, described location server and the identifier of described object router, to make described subscriber equipment return authentication response message and to generate equipment association key and session key.
15. 1 kinds of location servers, is characterized in that, comprising:
Receiver module, for receiving the access request message that object router sends, wherein, described access request message comprises the user identifier of subscriber equipment, the device identifier of subscriber equipment and the identifier of described object router;
Sending module, for when described receiver module receives access request message, send authentication request message to described object router, wherein, described authentication request message comprises the identifier in territory residing for random value and described location server; Described random value is generated by described location server, for subscriber equipment described in certification and the equipment of generation association key;
Described receiver module, also for receiving the authentication response message that described object router sends;
Generation module, for when described receiver module receives authentication response message, according to root key, one or more in described random value and following parameter derive described equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router; Described root key is obtained according to described user identifier by location server;
Described sending module, also for when described generation module generates equipment association key, send access response message to described object router, wherein, described access response message comprises described equipment association key.
16. location servers according to claim 15, is characterized in that,
Described generation module specifically for:
According to root key, the device identifier of described random value and described subscriber equipment derives described equipment association key;
Or,
According to root key, described random value, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive described equipment association key.
17. 1 kinds of subscriber equipmenies, is characterized in that, comprising:
Receiver module: for receiving the authentication request message that object router sends, wherein, described authentication request message comprises described random value, the identifier in territory residing for described location server and the identifier of described object router;
Generation module: for when described receiver module receives authentication request message, according to root key, one or more in described random value and following parameter derive equipment association key: the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router, derive session key according to described equipment association key.
18. subscriber equipmenies according to claim 17, is characterized in that,
Described generation module specifically for:
According to root key, the device identifier of described random value and described subscriber equipment derives equipment association key;
Temporary key is derived according to described equipment association key and count value;
According to described temporary key, the identifier in territory residing for described location server and the identifier of described object router derive session key;
Or,
According to root key, described random value, and the device identifier of described subscriber equipment derives equipment association key;
According to described equipment association key, count value, the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Session key is derived according to described temporary key;
Or,
According to root key, the device identifier of described random value and described subscriber equipment derives equipment association key;
According to described equipment association key, the identifier in territory residing for described location server and the identifier of described object router derive temporary key;
Session key is derived according to described temporary key and count value;
Or,
According to root key, the device identifier of described random value and described subscriber equipment derives equipment association key;
Temporary key is derived according to described equipment association key;
According to described temporary key, count value, the identifier in territory residing for described location server and the identifier of described object router derive session key;
Or,
According to root key, described random value, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive equipment association key;
Temporary key is derived according to described equipment association key and count value;
Session key is derived according to described temporary key;
Or,
According to root key, described random value, the device identifier of described subscriber equipment, the identifier in territory residing for described location server and the identifier of described object router derive equipment association key;
Temporary key is derived according to described equipment association key;
Session key is derived according to described temporary key and count value.
19. 1 kinds of key generation system, it is characterized in that, comprise: source router, the object router as described in any one of claim 10-14, the location server as described in any one of claim 15-16 and the subscriber equipment as described in any one of claim 17-18.
CN201410057184.5A 2014-02-19 2014-02-19 A kind of method, equipment and system that key generates Active CN104852891B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410057184.5A CN104852891B (en) 2014-02-19 2014-02-19 A kind of method, equipment and system that key generates
PCT/CN2014/080987 WO2015123953A1 (en) 2014-02-19 2014-06-27 Key generation method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410057184.5A CN104852891B (en) 2014-02-19 2014-02-19 A kind of method, equipment and system that key generates

Publications (2)

Publication Number Publication Date
CN104852891A true CN104852891A (en) 2015-08-19
CN104852891B CN104852891B (en) 2018-07-20

Family

ID=53852251

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410057184.5A Active CN104852891B (en) 2014-02-19 2014-02-19 A kind of method, equipment and system that key generates

Country Status (2)

Country Link
CN (1) CN104852891B (en)
WO (1) WO2015123953A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104917605A (en) * 2014-03-14 2015-09-16 华为技术有限公司 Key negotiation method and device during terminal device switching
CN105426772A (en) * 2015-10-29 2016-03-23 厦门雅迅网络股份有限公司 Method for securely storing root key required by encryption and authentication in FLASH
CN107950001A (en) * 2015-09-29 2018-04-20 华为技术有限公司 Send the server and method of geographical encryption message
CN108418679A (en) * 2017-02-10 2018-08-17 阿里巴巴集团控股有限公司 The method, apparatus and electronic equipment of key are handled under a kind of multiple data centers
CN111008390A (en) * 2019-12-13 2020-04-14 江苏芯盛智能科技有限公司 Root key generation protection method and device, solid state disk and storage medium
CN111093193A (en) * 2019-12-31 2020-05-01 中科芯集成电路有限公司 MAC layer communication security mechanism suitable for Lora network
CN111460455A (en) * 2020-03-20 2020-07-28 北京智芯微电子科技有限公司 Key negotiation method, safety guiding method and system for self-encryption solid state disk
CN113766497A (en) * 2020-06-01 2021-12-07 中国电信股份有限公司 Key distribution method, device, computer readable storage medium and base station

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101499959A (en) * 2008-01-31 2009-08-05 华为技术有限公司 Method, apparatus and system for configuring cipher key
CN101552983A (en) * 2008-04-01 2009-10-07 华为技术有限公司 Key generating method, key generating device, mobile management entity and user equipment
CN102036220A (en) * 2009-09-25 2011-04-27 华为技术有限公司 Mobile management method and device
WO2013060224A1 (en) * 2011-10-26 2013-05-02 中兴通讯股份有限公司 Secure connection method, system and network element
WO2014006295A1 (en) * 2012-07-02 2014-01-09 Orange Implementing a security association during the attachment of an a terminal to an access network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1268093C (en) * 2002-03-08 2006-08-02 华为技术有限公司 Distribution method of wireless local area network encrypted keys
US8774411B2 (en) * 2009-05-29 2014-07-08 Alcatel Lucent Session key generation and distribution with multiple security associations per protocol instance
CN102833747B (en) * 2012-09-17 2015-02-25 北京交通大学 Method for distributing secret keys realizing authentication for access in separation mechanism mobility management system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101499959A (en) * 2008-01-31 2009-08-05 华为技术有限公司 Method, apparatus and system for configuring cipher key
CN101552983A (en) * 2008-04-01 2009-10-07 华为技术有限公司 Key generating method, key generating device, mobile management entity and user equipment
CN102036220A (en) * 2009-09-25 2011-04-27 华为技术有限公司 Mobile management method and device
WO2013060224A1 (en) * 2011-10-26 2013-05-02 中兴通讯股份有限公司 Secure connection method, system and network element
WO2014006295A1 (en) * 2012-07-02 2014-01-09 Orange Implementing a security association during the attachment of an a terminal to an access network

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104917605A (en) * 2014-03-14 2015-09-16 华为技术有限公司 Key negotiation method and device during terminal device switching
CN104917605B (en) * 2014-03-14 2018-06-19 华为技术有限公司 The method and apparatus of key agreement during a kind of terminal device switching
CN107950001A (en) * 2015-09-29 2018-04-20 华为技术有限公司 Send the server and method of geographical encryption message
CN107950001B (en) * 2015-09-29 2021-02-12 华为技术有限公司 Server and method for sending geographic encryption message
CN105426772A (en) * 2015-10-29 2016-03-23 厦门雅迅网络股份有限公司 Method for securely storing root key required by encryption and authentication in FLASH
CN105426772B (en) * 2015-10-29 2019-07-02 厦门雅迅网络股份有限公司 A method of root key needed for being authenticated in the encryption of FLASH secure storage
CN108418679A (en) * 2017-02-10 2018-08-17 阿里巴巴集团控股有限公司 The method, apparatus and electronic equipment of key are handled under a kind of multiple data centers
CN111008390A (en) * 2019-12-13 2020-04-14 江苏芯盛智能科技有限公司 Root key generation protection method and device, solid state disk and storage medium
CN111093193A (en) * 2019-12-31 2020-05-01 中科芯集成电路有限公司 MAC layer communication security mechanism suitable for Lora network
CN111460455A (en) * 2020-03-20 2020-07-28 北京智芯微电子科技有限公司 Key negotiation method, safety guiding method and system for self-encryption solid state disk
CN113766497A (en) * 2020-06-01 2021-12-07 中国电信股份有限公司 Key distribution method, device, computer readable storage medium and base station
CN113766497B (en) * 2020-06-01 2023-03-21 中国电信股份有限公司 Key distribution method, device, computer readable storage medium and base station

Also Published As

Publication number Publication date
WO2015123953A1 (en) 2015-08-27
CN104852891B (en) 2018-07-20

Similar Documents

Publication Publication Date Title
CN104852891A (en) Secret key generation method, equipment and system
JP6928143B2 (en) Network architecture and security with encrypted client device context
JP7048694B2 (en) Subscription concealment identifier
US10903987B2 (en) Key configuration method, key management center, and network element
KR102447299B1 (en) Network security architecture for cellular internet of things
CN105706390B (en) Method and apparatus for performing device-to-device communication in a wireless communication network
CN113490205B (en) Method and apparatus for network architecture and security with simplified mobility procedures
CN109964453B (en) Unified security architecture
KR20100021385A (en) Security protected non -access stratum protocol operation supporting method in mobile telecommunication system
CN114846764A (en) Method, apparatus and system for updating anchor keys in a communication network for encrypted communication with service applications
CN107683616B (en) Security improvements in cellular networks
US10285054B2 (en) Method and system for storing and accessing client device information in a distributed set of nodes
CN102348206B (en) Secret key insulating method and device
CN110099427A (en) A kind of method and system to distribution net equipment access network hotspot equipment
CN111147421A (en) Authentication method based on General Bootstrapping Architecture (GBA) and related equipment
CN104917605A (en) Key negotiation method and device during terminal device switching
US9306921B2 (en) Method and system for storing and accessing client device information in a distributed set of nodes
CN104883339A (en) User privacy protecting method, equipment and system thereof
CN102771150A (en) Method for interworking among wireless technologies
CN110881020B (en) Authentication method for user subscription data and data management network element
CN108494764B (en) Identity authentication method and device
EP4187954A1 (en) Safe communication method and apparatus
CN104954125A (en) Key agreement method, user equipment, router and location server
CN114946153A (en) Method, device and system for application key generation and management in a communication network in encrypted communication with a service application
EP3146742B1 (en) Exception handling in cellular authentication

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant