CN106162631A - Method, device and system for secure communication - Google Patents


Info

Publication number
CN106162631A
Authority
CN
China
Legal status
Pending
Application number
CN201510176166.3A
Other languages
Chinese (zh)
Inventor
余万涛
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method for secure communication, applied to a network-side node. The method comprises: after receiving a request message sent by a sender device that needs to perform device-to-device (D2D) communication with a receiver device, obtaining first information from the request message and sending a request message carrying the first information to the receiver device; after receiving a response message indicating agreement returned by the receiver device, obtaining second information from the response message; generating a shared key for the D2D communication according to the first information and the second information; and sending the shared key to the sender device and the receiver device respectively, and sending the second information to the sender device. The invention can establish a security association and a trust relationship through dynamic mutual authentication, so as to guarantee a high level of security for D2D communication. The invention also discloses a device and a system for secure communication.

Description

Method, device and system for secure communication
Technical field
The present invention relates to the field of communication technology, and in particular to a method, device and system for secure communication.
Background art
In a legacy infrastructure-based cellular mobile communication network, the base station (BS, NB or eNB) acts as the central control node and is the sole access point through which a mobile device obtains network services. Every mobile device in the network communicates with one specific base station of the cellular system over that base station's uplink or downlink channels.
In the current 3GPP (3rd Generation Partnership Project) LTE (Long Term Evolution) and LTE-A (LTE Advanced, the evolution of LTE) wireless communication networks, D2D (Device-to-Device) direct communication lets user equipment carry out P2P (Peer to Peer) communication directly, by sharing or reusing the wireless link resources (uplink or downlink) of the cellular network. When several mobile devices are close to each other, supporting direct communication between them brings many benefits to traditional cellular communication, including longer device battery life, more efficient use of radio resources, larger signal coverage and a lower level of system interference. In a cellular network enhanced with D2D technology, direct communication between mobile devices can, on the one hand, benefit from the centralized control structure of the cellular network; on the other hand, using a high-quality D2D link (the direct link from device to device) can greatly improve the transmission efficiency of the conventional cellular network.
In the common network-coverage scenario, a mobile terminal device must perform mutual authentication with the network to ensure that its access and its communication are secure. Mobile terminal devices in close proximity must likewise ensure that the communication between them is secure when they perform D2D communication. In the scenario where mobile terminal devices in a proximity area communicate directly, mutual authentication between the mobile terminal devices is also required, but mutual authentication in this scenario has not yet been standardized.
At present, the related art proposes to perform D2D communication using a pre-shared secret scheme. This approach offers relatively high security, but D2D communication is typically temporary: it is generally hard to predict when D2D communication between any two mobile terminal devices will take place, so a pre-shared secret scheme cannot provide dynamic authentication.
Therefore, how to establish a security association and a trust relationship through dynamic mutual authentication, so as to guarantee a high level of security for D2D communication, is a technical problem that secure communication between current mobile terminal devices needs to address.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method, device and system for secure communication that can establish a security association and a trust relationship through dynamic mutual authentication, so as to guarantee a high level of security for D2D communication.
To solve the above technical problem, the invention provides a method for secure communication, applied to a network-side node, the method comprising:
After receiving a request message sent by a sender device that needs to perform device-to-device (D2D) communication with a receiver device, obtaining first information from the request message and sending a request message carrying the first information to the receiver device;
After receiving a response message indicating agreement returned by the receiver device, obtaining second information from the response message;
Generating a shared key for the D2D communication according to the first information and the second information;
Sending the shared key to the sender device and the receiver device respectively, and sending the second information to the sender device.
Further, the method also has the following feature:
The first information comprises identity information of the sender device and the second information comprises identity information of the receiver device; or the first information comprises identity information of the sender device and a first dynamic parameter, and the second information comprises identity information of the receiver device and a second dynamic parameter.
Further, the method also has the following feature:
Generating the shared key for the D2D communication according to the first information and the second information comprises:
Using a root key as the seed key and the identity information of the sender device and the receiver device as the diversification parameters of the key generation algorithm in use, and generating the shared key for the D2D communication with that key generation algorithm; or
Using a root key as the seed key and the identity information of the sender device and the receiver device, together with the first dynamic parameter and the second dynamic parameter that guarantee key freshness, as the diversification parameters of the key generation algorithm in use, and generating the shared key for the D2D communication with that key generation algorithm.
Further, the method also has the following feature:
The key generation algorithm comprises a first key generation algorithm and the shared key comprises a shared encryption/decryption key, and generating the shared key for the D2D communication with the key generation algorithm comprises: generating the shared encryption/decryption key for the D2D communication with the first key generation algorithm; or
The key generation algorithm comprises a first key generation algorithm and a second key generation algorithm and the shared key comprises a shared encryption/decryption key and a shared integrity protection key, and generating the shared key for the D2D communication with the key generation algorithm comprises: generating the shared encryption/decryption key for the D2D communication with the first key generation algorithm, and generating the shared integrity protection key for the D2D communication with the second key generation algorithm.
Further, the method also has the following feature:
The first dynamic parameter comprises a first random number and the second dynamic parameter comprises a second random number; or the first dynamic parameter comprises a first time parameter related to the time of the D2D communication and the second dynamic parameter comprises a second time parameter related to the time of the D2D communication.
Further, the method also has the following feature:
The network-side node comprises: a base station, a home subscriber server (HSS), a D2D function node (ProSe Function) or a serving GPRS support node (SGSN).
Further, the method also has the following feature:
The identity information of a device comprises at least one of the following: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI) of the device, and the identity information of the application that needs to perform the D2D communication.
Further, the method also has the following feature:
After sending the request message carrying the first information to the receiver device, the method also comprises: after receiving a response message indicating refusal returned by the receiver device, terminating the D2D communication process.
To solve the above technical problem, the invention provides a method for secure communication, applied to a sender device in device-to-device communication, the method comprising:
When device-to-device (D2D) communication with a receiver device is needed, sending a request message carrying first information to a network-side node;
After receiving a shared key and second information sent by the network-side node, performing mutual authentication with the receiver device based on the shared key, the first information and the second information;
Wherein the second information is sent by the receiver device to the network-side node, which then sends it to the sender device.
Further, the method also has the following feature:
The first information comprises identity information of the sender device and the second information comprises identity information of the receiver device; or the first information comprises identity information of the sender device and a first dynamic parameter, and the second information comprises identity information of the receiver device and a second dynamic parameter.
Further, the method also has the following feature:
When the shared key comprises a shared encryption/decryption key, the first information comprises the identity information of the sender device and the second information comprises the identity information of the receiver device, performing mutual authentication with the receiver device based on the shared key, the first information and the second information comprises:
Encrypting the identity information of the sender device with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
After receiving second encrypted information for authentication sent by the receiver device, decrypting the second encrypted information with the shared encryption/decryption key, comparing the information obtained by decryption with the locally stored identity information of the receiver device, and, if the two are consistent, confirming that the receiver device has passed authentication;
Wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device with the shared encryption/decryption key.
Further, the method also has the following feature:
When the shared key comprises a shared encryption/decryption key, the first information comprises the identity information of the sender device and the first dynamic parameter, and the second information comprises the identity information of the receiver device and the second dynamic parameter, performing mutual authentication with the receiver device based on the shared key, the first information and the second information comprises:
Encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
After receiving second encrypted information for authentication sent by the receiver device, decrypting the second encrypted information with the shared encryption/decryption key, comparing the information obtained by decryption with the locally stored identity information of the receiver device and the first dynamic parameter, and, if the two are consistent, confirming that the receiver device has passed authentication;
Wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key.
Further, the method also has the following feature:
When the shared key comprises a shared encryption/decryption key and a shared integrity protection key, the first information comprises the identity information of the sender device and the second information comprises the identity information of the receiver device, performing mutual authentication with the receiver device based on the shared key, the first information and the second information comprises:
Processing the identity information of the sender device with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information; and sending the first encrypted information to the receiver device as authentication information;
After receiving second encrypted information for authentication sent by the receiver device, decrypting the second encrypted information with the shared encryption/decryption key; processing the locally stored identity information of the receiver device with the shared integrity protection key to generate the integrity protection information of the receiver device; comparing the information obtained by decryption with the locally stored identity information of the receiver device and the integrity protection information of the receiver device generated by this terminal; and, if the two are consistent, confirming that the receiver device has passed authentication;
Wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device with the shared integrity protection key.
Further, the method also has the following feature:
When the shared key comprises a shared encryption/decryption key and a shared integrity protection key, the first information comprises the identity information of the sender device and the first dynamic parameter, and the second information comprises the identity information of the receiver device and the second dynamic parameter, performing mutual authentication with the receiver device based on the shared key, the first information and the second information comprises:
Processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device, the second dynamic parameter and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information; and sending the first encrypted information to the receiver device as authentication information;
After receiving second encrypted information for authentication sent by the receiver device, decrypting the second encrypted information with the shared encryption/decryption key; processing the locally stored identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate the integrity protection information of the receiver device; comparing the information obtained by decryption with the locally stored identity information of the receiver device, the first dynamic parameter and the integrity protection information of the receiver device generated by this terminal; and, if the two are consistent, confirming that the receiver device has passed authentication;
Wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device, the first dynamic parameter and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key.
Further, the method also has the following feature:
The first dynamic parameter comprises a first random number and the second dynamic parameter comprises a second random number; or the first dynamic parameter comprises a first time parameter related to the time of the D2D communication and the second dynamic parameter comprises a second time parameter related to the time of the D2D communication.
Further, the method also has the following feature:
The identity information of a device comprises at least one of the following: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI) of the device, and the identity information of the application that needs to perform the D2D communication.
To solve the above technical problem, the invention provides a method for secure communication, applied to a receiver device in device-to-device communication, the method comprising:
After receiving a request message carrying first information sent by a network-side node, returning a response message to the network-side node; wherein the response message carries second information when it indicates agreement;
After receiving a shared key sent by the network-side node, performing mutual authentication with the sender device based on the shared key, the first information and the second information;
Wherein the first information is sent by the sender device to the network-side node, which then sends it to the receiver device.
Further, the method also has the following feature:
The first information comprises identity information of the sender device and the second information comprises identity information of the receiver device; or the first information comprises identity information of the sender device and a first dynamic parameter, and the second information comprises identity information of the receiver device and a second dynamic parameter.
Further, the method also has the following feature:
When the shared key comprises a shared encryption/decryption key, the first information comprises the identity information of the sender device and the second information comprises the identity information of the receiver device, performing mutual authentication with the sender device based on the shared key, the first information and the second information comprises:
After receiving first encrypted information for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key, comparing the information obtained by decryption with the locally stored identity information of the sender device, and, if the two are consistent, confirming that the sender device has passed authentication; encrypting the identity information of the receiver device with the shared encryption/decryption key to generate second encrypted information; and sending the second encrypted information to the sender device as authentication information;
Wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device with the shared encryption/decryption key.
Further, the method also has the following feature:
When the shared key comprises a shared encryption/decryption key, the first information comprises the identity information of the sender device and the first dynamic parameter, and the second information comprises the identity information of the receiver device and the second dynamic parameter, performing mutual authentication with the sender device based on the shared key, the first information and the second information comprises:
After receiving first encrypted information for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key, comparing the information obtained by decryption with the locally stored identity information of the sender device and the second dynamic parameter, and, if the two are consistent, confirming that the sender device has passed authentication; encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key to generate second encrypted information; and sending the second encrypted information to the sender device as authentication information;
Wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key.
Further, the method also has the following feature:
When the shared key comprises a shared encryption/decryption key and a shared integrity protection key, the first information comprises the identity information of the sender device and the second information comprises the identity information of the receiver device, performing mutual authentication with the sender device based on the shared key, the first information and the second information comprises:
After receiving first encrypted information for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key; processing the locally stored identity information of the sender device with the shared integrity protection key to generate the integrity protection information of the sender device; comparing the information obtained by decryption with the locally stored identity information of the sender device and the integrity protection information of the sender device generated by this terminal; and, if the two are consistent, confirming that the sender device has passed authentication; processing the identity information of the receiver device with the shared integrity protection key to generate second integrity protection information; encrypting the identity information of the receiver device and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information; and sending the second encrypted information to the sender device as authentication information;
Wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device with the shared integrity protection key.
Further, the method also has the following feature:
When the shared key comprises a shared encryption/decryption key and a shared integrity protection key, the first information comprises the identity information of the sender device and the first dynamic parameter, and the second information comprises the identity information of the receiver device and the second dynamic parameter, performing mutual authentication with the sender device based on the shared key, the first information and the second information comprises:
After receiving first encrypted information for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key; processing the locally stored identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate the integrity protection information of the sender device; comparing the information obtained by decryption with the locally stored identity information of the sender device, the second dynamic parameter and the integrity protection information of the sender device generated by this terminal; and, if the two are consistent, confirming that the sender device has passed authentication; processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate second integrity protection information; encrypting the identity information of the receiver device, the first dynamic parameter and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information; and sending the second encrypted information to the sender device as authentication information;
Wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device, the second dynamic parameter and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key.
Further, the method also has the following feature:
The first dynamic parameter comprises a first random number and the second dynamic parameter comprises a second random number; or the first dynamic parameter comprises a first time parameter related to the time of the D2D communication and the second dynamic parameter comprises a second time parameter related to the time of the D2D communication.
Further, the method also has the following feature:
The identity information of a device comprises at least one of the following: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI) of the device, and the identity information of the application that needs to perform the D2D communication.
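The network-side key derivation and the two-message mutual authentication of the last variant above (identity, dynamic parameter and integrity protection information, encrypted under the shared encryption/decryption key), as an added Python example that is not part of the patent. The patent names no algorithms, so HMAC-SHA256 is assumed as the key generation algorithm and as the integrity function, an HMAC-based counter-mode keystream stands in for the unspecified cipher, and the root key and the IMSI-style identities are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample root key held by the network-side node (not a value from the patent).
ROOT_KEY = bytes.fromhex("9f3a1c7e5b2d4860a7c1e9f3b5d7a9c1e3f5a7b9c1d3e5f7a9b1c3d5e7f9a1b3")

def pack(*fields: bytes) -> bytes:
    """Length-prefix each field so the peer can split the decrypted plaintext unambiguously."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def unpack(data: bytes) -> list:
    """Inverse of pack(); raises ValueError on a truncated or corrupted buffer."""
    fields, i = [], 0
    while i < len(data):
        n = int.from_bytes(data[i:i + 2], "big")
        i += 2
        if i + n > len(data):
            raise ValueError("truncated field")
        fields.append(data[i:i + n])
        i += n
    return fields

def kdf(seed_key: bytes, label: bytes, *diversifiers: bytes) -> bytes:
    """Key generation algorithm (assumed: HMAC-SHA256). The root key is the seed;
    the device identities and dynamic parameters are the diversification parameters."""
    return hmac.new(seed_key, label + pack(*diversifiers), hashlib.sha256).digest()

def network_node_generate_keys(first_info, second_info):
    """Network-side node: first_info = (id_a, nonce_a) taken from the sender's request,
    second_info = (id_b, nonce_b) taken from the receiver's agreement response.
    Two labels play the role of the first and second key generation algorithms."""
    (id_a, nonce_a), (id_b, nonce_b) = first_info, second_info
    k_enc = kdf(ROOT_KEY, b"D2D-ENC", id_a, id_b, nonce_a, nonce_b)  # shared encryption key
    k_int = kdf(ROOT_KEY, b"D2D-INT", id_a, id_b, nonce_a, nonce_b)  # shared integrity key
    return k_enc, k_int

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the cipher the patent leaves unspecified: HMAC-SHA256 keystream in
    counter mode under a fresh random 16-byte IV (assumption, standard library only)."""
    iv = os.urandom(16)
    return iv + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, iv, len(plaintext))))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body))))

def integrity_tag(k_int: bytes, identity: bytes, nonce: bytes) -> bytes:
    """Integrity protection information: MAC over own identity and the peer's dynamic parameter."""
    return hmac.new(k_int, pack(identity, nonce), hashlib.sha256).digest()

def sender_build_auth(k_enc, k_int, id_a, nonce_b) -> bytes:
    """First encrypted information: E(k_enc, id_a || nonce_b || MAC(k_int, id_a || nonce_b))."""
    return encrypt(k_enc, pack(id_a, nonce_b, integrity_tag(k_int, id_a, nonce_b)))

def _check(k_enc, k_int, ciphertext, exp_id, exp_nonce) -> bool:
    """Decrypt, then compare identity, dynamic parameter and a locally recomputed MAC."""
    try:
        got_id, got_nonce, got_tag = unpack(decrypt(k_enc, ciphertext))
    except ValueError:
        return False
    return (hmac.compare_digest(got_id, exp_id)
            and hmac.compare_digest(got_nonce, exp_nonce)
            and hmac.compare_digest(got_tag, integrity_tag(k_int, exp_id, exp_nonce)))

def receiver_verify_and_respond(k_enc, k_int, id_a, nonce_b, id_b, nonce_a, msg1):
    """Receiver: authenticate the sender; on success return the second encrypted information."""
    if not _check(k_enc, k_int, msg1, id_a, nonce_b):
        return False, None
    return True, encrypt(k_enc, pack(id_b, nonce_a, integrity_tag(k_int, id_b, nonce_a)))

def sender_verify(k_enc, k_int, id_b, nonce_a, msg2) -> bool:
    """Sender: authenticate the receiver from the second encrypted information."""
    return _check(k_enc, k_int, msg2, id_b, nonce_a)

def run_protocol(id_a: bytes, id_b: bytes, tamper: bool = False):
    """Whole flow; returns (receiver authenticated sender, sender authenticated receiver)."""
    nonce_a = os.urandom(16)  # first dynamic parameter, carried in the sender's request
    nonce_b = os.urandom(16)  # second dynamic parameter, carried in the receiver's agreement
    k_enc, k_int = network_node_generate_keys((id_a, nonce_a), (id_b, nonce_b))
    msg1 = sender_build_auth(k_enc, k_int, id_a, nonce_b)
    if tamper:  # flip one bit of the encrypted identity field while it crosses the D2D link
        msg1 = msg1[:18] + bytes([msg1[18] ^ 0x01]) + msg1[19:]
    ok_b, msg2 = receiver_verify_and_respond(k_enc, k_int, id_a, nonce_b, id_b, nonce_a, msg1)
    ok_a = sender_verify(k_enc, k_int, id_b, nonce_a, msg2) if ok_b else False
    return ok_b, ok_a
```

Because the nonces enter the derivation, a device that did not receive the freshly derived key pair from the network-side node cannot produce or verify either encrypted message, which is the point of deriving per-session keys rather than relying on a pre-shared secret.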
In order to solve the above technical problem, the present invention provides a secure communication device applied to a network side node, including:
a communication module, configured to: after receiving a request message sent by a sender device that needs to carry out device-to-device (D2D) communication with a receiver device, obtain first information from the request message and send a request message carrying the first information to the receiver device; and after receiving a response message indicating agreement returned by the receiver device, obtain second information from the response message;
a key management module, configured to generate a shared key for the D2D communication according to the first information and the second information, send the shared key to the sender device and the receiver device respectively, and send the second information to the sender device.
Further, the device also includes the following feature:
The first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
Further, the device also includes the following feature:
The key management module generating the shared key for the D2D communication according to the first information and the second information includes:
using a root key as the seed key and the identity information of the sender device and the receiver device as the diversification parameters of the configured key generation algorithm, and generating the shared key for the D2D communication with that key generation algorithm; or
using a root key as the seed key and the identity information of the sender device and the receiver device together with the first dynamic parameter and the second dynamic parameter, which ensure key freshness, as the diversification parameters of the configured key generation algorithm, and generating the shared key for the D2D communication with that key generation algorithm.
Further, the device also includes the following feature:
When the key generation algorithm includes a first key generation algorithm and the shared key includes a shared encryption/decryption key, the key management module generating the shared key for the D2D communication with the key generation algorithm includes: generating the shared encryption/decryption key for the D2D communication with the first key generation algorithm. Or, when the key generation algorithm includes a first key generation algorithm and a second key generation algorithm and the shared key includes a shared encryption/decryption key and a shared integrity protection key, generating the shared key for the D2D communication with the key generation algorithm includes: generating the shared encryption/decryption key for the D2D communication with the first key generation algorithm, and generating the shared integrity protection key for the D2D communication with the second key generation algorithm.
Further, the device also includes the following feature:
The first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication, and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
Further, the device also includes the following feature:
The network side node includes: a base station, a Home Subscriber Server (HSS), a D2D functional node (ProSE Function) or a Serving GPRS Support Node (SGSN).
Further, the device also includes the following feature:
The identity information of a device includes at least one of the following: the International Mobile Equipment Identity (IMEI) information of the device, the International Mobile Subscriber Identity (IMSI) information of the device, and the identity information of the application that needs to carry out the D2D communication.
Further, the device also includes the following feature:
After sending the request message carrying the first information to the receiver device, the communication module is further configured to: terminate the D2D communication process after receiving a response message indicating refusal returned by the receiver device.
In order to solve the above technical problem, the present invention provides a secure communication device applied to the sender device of device-to-device communication, including:
a key management module, configured to: when the device needs to carry out device-to-device (D2D) communication with a receiver device, send a request message carrying first information to a network side node; and after receiving the shared key and second information sent by the network side node, notify an authentication module;
an authentication module, configured to perform mutual authentication with the receiver device based on the shared key, the first information and the second information;
wherein the second information is sent by the receiver device to the network side node and then sent by the network side node to the sender device.
Further, the device also includes the following feature:
The first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performing mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
encrypting the identity information of the sender device with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information that the receiver device sends upon passing authentication, decrypting the second encrypted information with the shared encryption/decryption key, and comparing the information obtained by decryption with the locally stored identity information of the receiver device; if the two are consistent, confirming that the receiver device has passed authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device with the shared encryption/decryption key.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, the authentication module performing mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information that the receiver device sends upon passing authentication, decrypting the second encrypted information with the shared encryption/decryption key, and comparing the information obtained by decryption with the locally stored identity information of the receiver device and the first dynamic parameter; if the two are consistent, confirming that the receiver device has passed authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performing mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
processing the identity information of the sender device with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information that the receiver device sends upon passing authentication, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device with the shared integrity protection key to generate the integrity protection information of the receiver device, and comparing the information obtained by decryption with the locally stored identity information of the receiver device and the locally generated integrity protection information of the receiver device; if the two are consistent, confirming that the receiver device has passed authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device with the shared integrity protection key.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, the authentication module performing mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device, the second dynamic parameter and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information that the receiver device sends upon passing authentication, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate the integrity protection information of the receiver device, and comparing the information obtained by decryption with the locally stored identity information of the receiver device, the first dynamic parameter and the locally generated integrity protection information of the receiver device; if the two are consistent, confirming that the receiver device has passed authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device, the first dynamic parameter and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key.
Further, the device also includes the following feature:
The first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication, and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
Further, the device also includes the following feature:
The identity information of a device includes at least one of the following: the International Mobile Equipment Identity (IMEI) information of the device, the International Mobile Subscriber Identity (IMSI) information of the device, and the identity information of the application that needs to carry out the D2D communication.
In order to solve the above technical problem, the present invention provides a secure communication device applied to the receiver device of device-to-device communication, including:
a key management module, configured to: after receiving a request message carrying first information sent by a network side node, return a response message to the network side node, wherein the response message carries second information when it indicates agreement; and after receiving the shared key sent by the network side node, notify an authentication module;
an authentication module, configured to perform mutual authentication with the sender device based on the shared key, the first information and the second information;
wherein the first information is sent by the sender device to the network side node and then sent by the network side node to the receiver device.
Further, the device also includes the following feature:
The first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performing mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving the first encrypted information that the sender device sends for authentication, decrypting the first encrypted information with the shared encryption/decryption key, and comparing the information obtained by decryption with the locally stored identity information of the sender device; if the two are consistent, confirming that the sender device has passed authentication, encrypting the identity information of the receiver device with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device with the shared encryption/decryption key.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, the authentication module performing mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving the first encrypted information that the sender device sends for authentication, decrypting the first encrypted information with the shared encryption/decryption key, and comparing the information obtained by decryption with the locally stored identity information of the sender device and the second dynamic parameter; if the two are consistent, confirming that the sender device has passed authentication, encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performing mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving the first encrypted information that the sender device sends for authentication, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device with the shared integrity protection key to generate the integrity protection information of the sender device, and comparing the information obtained by decryption with the locally stored identity information of the sender device and the locally generated integrity protection information of the sender device; if the two are consistent, confirming that the sender device has passed authentication, processing the identity information of the receiver device with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device with the shared integrity protection key.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, the authentication module performing mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving the first encrypted information that the sender device sends for authentication, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate the integrity protection information of the sender device, and comparing the information obtained by decryption with the locally stored identity information of the sender device, the second dynamic parameter and the locally generated integrity protection information of the sender device; if the two are consistent, confirming that the sender device has passed authentication, processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device, the first dynamic parameter and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device, the second dynamic parameter and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key.
Further, the device also includes the following feature:
The first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication, and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
Further, the device also includes the following feature:
The identity information of a device includes at least one of the following: the International Mobile Equipment Identity (IMEI) information of the device, the International Mobile Subscriber Identity (IMSI) information of the device, and the identity information of the application that needs to carry out the D2D communication.
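The mutual authentication described for the sender device and the receiver device above (the variant with a shared encryption/decryption key, a shared integrity protection key and both dynamic parameters) as an added, runnable example; this is illustration code written for this page, not code from the patent or from ZTE. The patent names neither the cipher nor the "processing" with the integrity key, so HMAC-SHA256 stands in for both: the integrity protection information is an HMAC tag, and encryption is an HMAC-SHA256 counter-mode keystream chosen only so the example runs with the standard library (a deployed system would use the agreed cipher, such as AES). Identities, random numbers and the two shared keys are constructed sample values standing in for what the network side node would have distributed; 16-byte dynamic parameters and the `Device` class are assumptions of this example.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16   # per-message nonce for the stand-in cipher
PARAM_LEN = 16   # assumed size of a dynamic parameter (random number)
TAG_LEN = 32     # HMAC-SHA256 integrity protection information


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for the agreed cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(enc_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt with the shared encryption/decryption key; a fresh nonce per message."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(enc_key, nonce, plaintext)


def decrypt(enc_key: bytes, ciphertext: bytes) -> bytes:
    return _keystream_xor(enc_key, ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:])


def integrity_info(int_key: bytes, identity: bytes, param: bytes) -> bytes:
    """'Processing' identity and dynamic parameter with the shared integrity protection key."""
    return hmac.new(int_key, identity + param, hashlib.sha256).digest()


def build_auth_message(enc_key: bytes, int_key: bytes, own_identity: bytes, peer_param: bytes) -> bytes:
    """Encrypted information = Enc(own identity || peer's dynamic parameter || integrity info)."""
    tag = integrity_info(int_key, own_identity, peer_param)
    return encrypt(enc_key, own_identity + peer_param + tag)


def verify_auth_message(enc_key: bytes, int_key: bytes, ciphertext: bytes,
                        expected_identity: bytes, expected_param: bytes) -> bool:
    """Decrypt, then compare identity, echoed dynamic parameter and locally recomputed integrity info."""
    plain = decrypt(enc_key, ciphertext)
    if len(plain) <= PARAM_LEN + TAG_LEN:
        return False
    identity = plain[:-(PARAM_LEN + TAG_LEN)]
    param = plain[-(PARAM_LEN + TAG_LEN):-TAG_LEN]
    tag = plain[-TAG_LEN:]
    expected_tag = integrity_info(int_key, expected_identity, expected_param)
    return (hmac.compare_digest(identity, expected_identity)
            and hmac.compare_digest(param, expected_param)
            and hmac.compare_digest(tag, expected_tag))


class Device:
    """What a device knows once the network side node has distributed the shared key."""

    def __init__(self, identity, own_param, peer_identity, peer_param, enc_key, int_key):
        self.identity = identity
        self.own_param = own_param          # dynamic parameter this device generated
        self.peer_identity = peer_identity  # from the first/second information
        self.peer_param = peer_param        # peer's dynamic parameter, relayed by the node
        self.enc_key = enc_key
        self.int_key = int_key


def mutual_authentication(sender: Device, receiver: Device):
    """Returns (sender authenticated by receiver, receiver authenticated by sender)."""
    # Sender -> receiver: first encrypted information over the sender identity and R2.
    first_encrypted = build_auth_message(sender.enc_key, sender.int_key, sender.identity, sender.peer_param)
    sender_ok = verify_auth_message(receiver.enc_key, receiver.int_key, first_encrypted,
                                    receiver.peer_identity, receiver.own_param)
    if not sender_ok:
        return False, False  # receiver answers nothing; no security association is set up
    # Receiver -> sender: second encrypted information over the receiver identity and R1.
    second_encrypted = build_auth_message(receiver.enc_key, receiver.int_key, receiver.identity, receiver.peer_param)
    receiver_ok = verify_auth_message(sender.enc_key, sender.int_key, second_encrypted,
                                      sender.peer_identity, sender.own_param)
    return sender_ok, receiver_ok


# Constructed sample values (not from the patent).
ID_A = b"IMSI-000000000000001"   # sender identity
ID_B = b"IMSI-000000000000002"   # receiver identity
R1 = bytes(range(16))            # first dynamic parameter (sender's)
R2 = bytes(range(16, 32))        # second dynamic parameter (receiver's)
ENC_KEY = bytes(range(32))       # shared encryption/decryption key
INT_KEY = bytes(range(32, 64))   # shared integrity protection key


def demo(receiver_enc_key: bytes = ENC_KEY):
    sender = Device(ID_A, R1, ID_B, R2, ENC_KEY, INT_KEY)
    receiver = Device(ID_B, R2, ID_A, R1, receiver_enc_key, INT_KEY)
    return mutual_authentication(sender, receiver)


if __name__ == "__main__":
    print(demo())                            # (True, True)
    print(demo(receiver_enc_key=bytes(32)))  # (False, False): key mismatch, sender rejected
```

Each side echoes the dynamic parameter the other side generated, so a recorded message cannot be replayed against a later session, and the integrity tag inside the ciphertext lets the verifier detect modification of the decrypted fields; both checks use constant-time comparison.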
Compared with the prior art, in the secure communication method, device and system provided by the present invention, when devices need to carry out device-to-device (D2D) communication, the network side node obtains the identity information of both communicating parties, generates a shared key for the D2D communication according to the identity information of the two devices, or according to the identity information of the two devices together with dynamic parameters that ensure key freshness, and sends the shared key to the devices of both parties; the devices of both parties then perform mutual authentication for the D2D communication based on the shared key, establishing a security association and a trust relationship so as to ensure the high security of the D2D communication.
Description of the drawings
Fig. 1 is a flow chart of a secure communication method (network side node) according to an embodiment of the present invention.
Fig. 2 is a flow chart of a secure communication method (sender device) according to an embodiment of the present invention.
Fig. 3 is a flow chart of a secure communication method (receiver device) according to an embodiment of the present invention.
Fig. 4 is a structural diagram of a secure communication device (network side node) according to an embodiment of the present invention.
Fig. 5 is a structural diagram of a secure communication device (sender device) according to an embodiment of the present invention.
Fig. 6 is a structural diagram of a secure communication device (receiver device) according to an embodiment of the present invention.
Fig. 7 is a structural diagram of a secure communication system according to an embodiment of the present invention.
Fig. 8 is an information interaction diagram of a secure communication method according to an application example of the present invention.
Fig. 9 is an information interaction diagram of another secure communication method according to an application example of the present invention.
Detailed description of the invention
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that, provided they do not conflict, the embodiments in this application and the features in the embodiments may be combined with each other arbitrarily.
As shown in Fig. 1, an embodiment of the present invention provides a secure communication method applied to a network side node, the method including:
S10: after receiving a request message sent by a sender device that needs to carry out device-to-device (D2D) communication with a receiver device, obtaining first information from the request message and sending a request message carrying the first information to the receiver device;
S20: after receiving a response message indicating agreement returned by the receiver device, obtaining second information from the response message;
S30: generating a shared key for the D2D communication according to the first information and the second information;
S40: sending the shared key to the sender device and the receiver device respectively, and sending the second information to the sender device.
The method may also include the following features:
Wherein, the network side node includes: a base station, an HSS (Home Subscriber Server), a D2D functional node ProSE Function, or an SGSN (Serving GPRS Support Node);
Wherein, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter;
Wherein, the identity information of a device includes at least one of the following: the IMEI (International Mobile Equipment Identity) information of the device, the IMSI (International Mobile Subscriber Identification Number) information of the device, and the identity information of the application that needs to carry out the D2D communication;
Wherein, generating the shared key for the D2D communication according to the first information and the second information includes:
using a root key as the seed key and the identity information of the sender device and the receiver device as the diversification parameters of the configured key generation algorithm, and generating the shared key for the D2D communication with that key generation algorithm; or
using a root key as the seed key and the identity information of the sender device and the receiver device together with the first dynamic parameter and the second dynamic parameter, which ensure key freshness, as the diversification parameters of the configured key generation algorithm, and generating the shared key for the D2D communication with that key generation algorithm.
Wherein, when the key generation algorithm includes a first key generation algorithm, generating the shared key for the D2D communication with the key generation algorithm includes: generating the shared encryption/decryption key for the D2D communication with the first key generation algorithm; or
when the key generation algorithm includes a first key generation algorithm and a second key generation algorithm, and the shared key includes a shared encryption/decryption key and a shared integrity protection key, generating the shared key for the D2D communication with the key generation algorithm includes: generating the shared encryption/decryption key for the D2D communication with the first key generation algorithm, and generating the shared integrity protection key for the D2D communication with the second key generation algorithm;
Wherein, the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication, and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
Wherein, after sending the request message carrying the first information to the receiver device, the method also includes: after receiving a response message indicating refusal returned by the receiver device, terminating the D2D communication process.
Wherein, the root key is managed and maintained by the network side node;
Wherein, the sender device and the receiver device are devices that have passed network AKA (Authentication and Key Agreement) authentication.
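Steps S10 to S40 of the network side node, together with the key generation described above (root key as seed, device identities and dynamic parameters as diversification parameters, and separate first and second key generation algorithms for the encryption/decryption key and the integrity protection key; the same scheme is stated for the key management module of the network side device earlier on this page), as an added, runnable example. This is illustration code written for this page, not code from the patent or from ZTE. The patent does not name the key generation algorithm; HMAC-SHA256 keyed with the root key stands in for it, and the two algorithm labels, the length-prefixed encoding of the diversification parameters, the message dictionaries and the `receiver_respond` callback that models the receiver device are all assumptions of this example. The root key, identities and random numbers are constructed sample values.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Labels selecting the "first" and "second" key generation algorithm (constructed for this example).
ALG_ENC = b"D2D-enc-key"
ALG_INT = b"D2D-int-key"


def _length_prefixed(*fields: bytes) -> bytes:
    """Unambiguous concatenation: identities have variable length, so prefix each field with its size."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def derive_shared_key(root_key: bytes, algorithm: bytes, sender_id: bytes, receiver_id: bytes,
                      first_param: bytes = b"", second_param: bytes = b"") -> bytes:
    """Root key as seed; identities (plus optional dynamic parameters) as diversification inputs.

    HMAC-SHA256 stands in for the configured key generation algorithm. Without the
    dynamic parameters the result is fixed for a device pair; with them it is fresh per session.
    """
    diversification = algorithm + _length_prefixed(sender_id, receiver_id, first_param, second_param)
    return hmac.new(root_key, diversification, hashlib.sha256).digest()


class NetworkSideNode:
    def __init__(self, root_key: bytes):
        self._root_key = root_key  # managed and maintained on the network side only; never sent out

    def handle_request(self, request: dict, receiver_respond: Callable[[dict], dict]) -> Optional[dict]:
        """S10-S40: forward the first information, collect the second, derive and distribute keys.

        `receiver_respond` models the receiver device: it receives the forwarded request and
        returns {"agree": bool, ...}; on agreement the response carries the second information.
        Returns what is sent to each device, or None when the receiver refuses (process terminated).
        """
        first_info = request["first_information"]                      # S10: from the request
        response = receiver_respond({"first_information": first_info})  # S10: forwarded request
        if not response.get("agree"):
            return None                                                 # refusal: terminate D2D setup
        second_info = response["second_information"]                    # S20
        args = (first_info["identity"], second_info["identity"],
                first_info["dynamic_parameter"], second_info["dynamic_parameter"])
        enc_key = derive_shared_key(self._root_key, ALG_ENC, *args)     # S30: first algorithm
        int_key = derive_shared_key(self._root_key, ALG_INT, *args)     # S30: second algorithm
        return {                                                        # S40
            "to_sender": {"shared_key": (enc_key, int_key), "second_information": second_info},
            "to_receiver": {"shared_key": (enc_key, int_key)},
        }


# Constructed sample values (not from the patent).
ROOT_KEY = bytes(range(32))
SENDER_REQUEST = {"first_information": {"identity": b"IMSI-000000000000001",
                                        "dynamic_parameter": bytes(range(16))}}
RECEIVER_IDENTITY = b"IMSI-000000000000002"
RECEIVER_PARAM = bytes(range(16, 32))


def agreeing_receiver(forwarded: dict) -> dict:
    """Receiver device that agrees and supplies its identity and second dynamic parameter."""
    return {"agree": True,
            "second_information": {"identity": RECEIVER_IDENTITY, "dynamic_parameter": RECEIVER_PARAM}}


def refusing_receiver(forwarded: dict) -> dict:
    return {"agree": False}


def run_example(respond: Callable[[dict], dict] = agreeing_receiver, request: dict = SENDER_REQUEST):
    return NetworkSideNode(ROOT_KEY).handle_request(request, respond)


if __name__ == "__main__":
    out = run_example()
    print(out["to_sender"]["shared_key"][0].hex())   # shared encryption/decryption key
    print(run_example(refusing_receiver))             # None: communication process terminated
```

Because the two algorithms differ only in their label, the encryption/decryption key and the integrity protection key are independent outputs of the same root key, and a new random number from either device changes both keys.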
As shown in Figure 2, an embodiment of the present invention provides a method of secure communication, applied to the sender device of device-to-device communication, the method including:
S10, when device-to-device (D2D) communication with a receiver device is required, sending a request message carrying the first information to a network-side node;
S20, after receiving the shared key and the second information sent by the network-side node, performing mutual authentication with the receiver device based on the shared key, the first information and the second information;
Wherein, the second information is sent by the receiver device to the network-side node and then forwarded by the network-side node to the sender device;
The method may further include the following features:
Wherein, the network-side node includes: a base station, a Home Subscriber Server (HSS), a D2D function node (ProSE Function) or a Serving GPRS Support Node (SGSN);
Wherein, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter;
Wherein, the identity information of a device includes at least one of the following: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI) of the device, and the identity information of the application that needs to perform the D2D communication;
Wherein, when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, performing mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
using the shared encryption/decryption key to encrypt the identity information of the sender device to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information for authentication sent by the receiver device, using the shared encryption/decryption key to decrypt the second encrypted information, and comparing the information obtained by decryption with the locally stored identity information of the receiver device; if the two are consistent, confirming that the receiver device has passed authentication;
Wherein, the second encrypted information is generated by the receiver device encrypting the identity information of the receiver device with the shared encryption/decryption key.
Wherein, when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the first dynamic parameter, and the second information includes the identity information of the receiver device and the second dynamic parameter, performing mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
using the shared encryption/decryption key to encrypt the identity information of the sender device and the second dynamic parameter to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information for authentication sent by the receiver device, using the shared encryption/decryption key to decrypt the second encrypted information, and comparing the information obtained by decryption with the locally stored identity information of the receiver device and the first dynamic parameter; if the two are consistent, confirming that the receiver device has passed authentication;
Wherein, the second encrypted information is generated by the receiver device encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key.
Wherein, when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, performing mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
using the shared integrity protection key to process the identity information of the sender device to generate first integrity protection information; using the shared encryption/decryption key to encrypt the identity information of the sender device and the first integrity protection information to generate first encrypted information; and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information for authentication sent by the receiver device, using the shared encryption/decryption key to decrypt the second encrypted information, using the shared integrity protection key to process the locally stored identity information of the receiver device to generate integrity protection information of the receiver device, and comparing the information obtained by decryption with the locally stored identity information of the receiver device and the integrity protection information of the receiver device generated at the local end; if the two are consistent, confirming that the receiver device has passed authentication;
Wherein, the second encrypted information is generated by the receiver device encrypting the identity information of the receiver device and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device processing the identity information of the receiver device with the shared integrity protection key;
Wherein, when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the first dynamic parameter, and the second information includes the identity information of the receiver device and the second dynamic parameter, performing mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
using the shared integrity protection key to process the identity information of the sender device and the second dynamic parameter to generate first integrity protection information; using the shared encryption/decryption key to encrypt the identity information of the sender device, the second dynamic parameter and the first integrity protection information to generate first encrypted information; and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information for authentication sent by the receiver device, using the shared encryption/decryption key to decrypt the second encrypted information, using the shared integrity protection key to process the locally stored identity information of the receiver device and the first dynamic parameter to generate integrity protection information of the receiver device, and comparing the information obtained by decryption with the locally stored identity information of the receiver device, the first dynamic parameter and the integrity protection information of the receiver device generated at the local end; if the two are consistent, confirming that the receiver device has passed authentication;
Wherein, the second encrypted information is generated by the receiver device encrypting the identity information of the receiver device, the first dynamic parameter and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key;
Wherein, the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
As shown in Figure 3, an embodiment of the present invention provides a method of secure communication, applied to the receiver device of device-to-device communication, the method including:
S10, after receiving the request message carrying the first information sent by a network-side node, returning a response message to the network-side node; wherein, when the response indicates agreement, the response message carries the second information;
S20, after receiving the shared key sent by the network-side node, performing mutual authentication with the sender device based on the shared key, the first information and the second information;
Wherein, the first information is sent by the sender device to the network-side node and then forwarded by the network-side node to the receiver device;
The method may further include the following features:
Wherein, the network-side node includes: a base station, a Home Subscriber Server (HSS), a D2D function node (ProSE Function) or a Serving GPRS Support Node (SGSN);
Wherein, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter;
Wherein, the identity information of a device includes at least one of the following: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI) of the device, and the identity information of the application that needs to perform the D2D communication;
Wherein, when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, performing mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving the first encrypted information for authentication sent by the sender device, using the shared encryption/decryption key to decrypt the first encrypted information, and comparing the information obtained by decryption with the locally stored identity information of the sender device; if the two are consistent, confirming that the sender device has passed authentication, using the shared encryption/decryption key to encrypt the identity information of the receiver device to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
Wherein, the first encrypted information is generated by the sender device encrypting the identity information of the sender device with the shared encryption/decryption key.
Wherein, when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the first dynamic parameter, and the second information includes the identity information of the receiver device and the second dynamic parameter, performing mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving the first encrypted information for authentication sent by the sender device, using the shared encryption/decryption key to decrypt the first encrypted information, and comparing the information obtained by decryption with the locally stored identity information of the sender device and the second dynamic parameter; if the two are consistent, confirming that the sender device has passed authentication, using the shared encryption/decryption key to encrypt the identity information of the receiver device and the first dynamic parameter to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
Wherein, the first encrypted information is generated by the sender device encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key.
Wherein, when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, performing mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving the first encrypted information for authentication sent by the sender device, using the shared encryption/decryption key to decrypt the first encrypted information, using the shared integrity protection key to process the locally stored identity information of the sender device to generate integrity protection information of the sender device, and comparing the information obtained by decryption with the locally stored identity information of the sender device and the integrity protection information of the sender device generated at the local end; if the two are consistent, confirming that the sender device has passed authentication, using the shared integrity protection key to process the identity information of the receiver device to generate second integrity protection information, using the shared encryption/decryption key to encrypt the identity information of the receiver device and the second integrity protection information to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
Wherein, the first encrypted information is generated by the sender device encrypting the identity information of the sender device and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device processing the identity information of the sender device with the shared integrity protection key.
Wherein, when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the first dynamic parameter, and the second information includes the identity information of the receiver device and the second dynamic parameter, performing mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving the first encrypted information for authentication sent by the sender device, using the shared encryption/decryption key to decrypt the first encrypted information, using the shared integrity protection key to process the locally stored identity information of the sender device and the second dynamic parameter to generate integrity protection information of the sender device, and comparing the information obtained by decryption with the locally stored identity information of the sender device, the second dynamic parameter and the integrity protection information of the sender device generated at the local end; if the two are consistent, confirming that the sender device has passed authentication, using the shared integrity protection key to process the identity information of the receiver device and the first dynamic parameter to generate second integrity protection information, using the shared encryption/decryption key to encrypt the identity information of the receiver device, the first dynamic parameter and the second integrity protection information to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
Wherein, the first encrypted information is generated by the sender device encrypting the identity information of the sender device, the second dynamic parameter and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key;
Wherein, the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
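The following is an added worked example, not code from the patent or from ZTE, of the last variant of the sender-side (Figure 2) and receiver-side (Figure 3) mutual authentication above, in which the shared key consists of an encryption/decryption key and an integrity protection key and both devices contribute a dynamic parameter. It assumes the two keys have already been delivered by the network-side node, that each dynamic parameter is a 16-byte random number, that "processing with the shared integrity protection key" is HMAC-SHA256 and that the encryption is AES-256 in CTR mode; none of these choices, nor the names SharedKeys, BuildAuthMessage, VerifyAuthMessage and MutualAuthenticate, are fixed by the patent. The sender encrypts its own identity, the receiver's dynamic parameter and the integrity information over both; the receiver checks all three against its locally held values and answers in mirror image with the sender's dynamic parameter.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const nonceLen = 16 // assumed size of the first/second dynamic parameter (a random number)

// SharedKeys are the two keys the network-side node delivers to both devices (derivation assumed done).
type SharedKeys struct {
	Enc []byte // shared encryption/decryption key (32 bytes, AES-256)
	Int []byte // shared integrity protection key
}

// integrityInfo is the "integrity protection information": HMAC-SHA256 over identity || nonce
// under the shared integrity protection key (an assumption; the patent does not name the algorithm).
func integrityInfo(intKey []byte, id string, nonce []byte) []byte {
	m := hmac.New(sha256.New, intKey)
	m.Write([]byte(id))
	m.Write(nonce)
	return m.Sum(nil)
}

// ctrXOR is AES-CTR in either direction. CTR gives confidentiality only; the
// integrity information inside the plaintext is what detects tampering.
func ctrXOR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length fails here, which is a caller bug
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// BuildAuthMessage makes the first (sender) or second (receiver) encrypted information:
// IV || Enc(ownID || peerNonce || integrityInfo(ownID, peerNonce)). Echoing the peer's
// dynamic parameter is what makes the message unreplayable.
func BuildAuthMessage(k SharedKeys, ownID string, peerNonce []byte) ([]byte, error) {
	pt := append([]byte(ownID), peerNonce...)
	pt = append(pt, integrityInfo(k.Int, ownID, peerNonce)...)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return append(iv, ctrXOR(k.Enc, iv, pt)...), nil
}

// VerifyAuthMessage decrypts the peer's message and compares the recovered identity, echoed
// nonce and integrity information with the locally held values, in constant time.
func VerifyAuthMessage(k SharedKeys, msg []byte, expectedPeerID string, ownNonce []byte) error {
	if len(msg) < aes.BlockSize+nonceLen+sha256.Size {
		return errors.New("authentication message too short")
	}
	pt := ctrXOR(k.Enc, msg[:aes.BlockSize], msg[aes.BlockSize:])
	idEnd := len(pt) - nonceLen - sha256.Size
	gotID, gotNonce, gotTag := pt[:idEnd], pt[idEnd:idEnd+nonceLen], pt[idEnd+nonceLen:]
	wantTag := integrityInfo(k.Int, expectedPeerID, ownNonce)
	if !hmac.Equal(gotID, []byte(expectedPeerID)) || !hmac.Equal(gotNonce, ownNonce) || !hmac.Equal(gotTag, wantTag) {
		return errors.New("peer authentication failed")
	}
	return nil
}

// MutualAuthenticate runs the exchange in-process: sender -> receiver (first encrypted
// information), then receiver -> sender (second). nonce1 is the sender's, nonce2 the receiver's.
func MutualAuthenticate(k SharedKeys, senderID, receiverID string, nonce1, nonce2 []byte) error {
	first, err := BuildAuthMessage(k, senderID, nonce2)
	if err != nil {
		return err
	}
	if err = VerifyAuthMessage(k, first, senderID, nonce2); err != nil {
		return fmt.Errorf("receiver rejects sender: %w", err)
	}
	second, err := BuildAuthMessage(k, receiverID, nonce1)
	if err != nil {
		return err
	}
	if err = VerifyAuthMessage(k, second, receiverID, nonce1); err != nil {
		return fmt.Errorf("sender rejects receiver: %w", err)
	}
	return nil
}

func main() {
	k := SharedKeys{Enc: make([]byte, 32), Int: make([]byte, 32)}
	n1, n2 := make([]byte, nonceLen), make([]byte, nonceLen)
	for _, b := range [][]byte{k.Enc, k.Int, n1, n2} {
		rand.Read(b) // constructed sample keys and nonces for the demo
	}
	fmt.Println("mutual authentication error:", MutualAuthenticate(k, "imsi-A", "imsi-B", n1, n2))
}
```

Each side echoes the other side's dynamic parameter, so a message recorded in one session fails the nonce comparison in the next; in the variants without dynamic parameters the encrypted identity is the same in every session under a given key and a captured copy would pass the comparison, which is the freshness the dynamic parameters are there to provide. The comparisons go through hmac.Equal so that a rejection does not reveal through timing which of the three fields mismatched.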
As shown in Figure 4, an embodiment of the present invention provides a device for secure communication, applied to a network-side node, including:
a communication module, configured to: after receiving the request message sent by a sender device that needs to perform device-to-device (D2D) communication with a receiver device, obtain the first information from the request message and send a request message carrying the first information to the receiver device; and after receiving a response message indicating agreement returned by the receiver device, obtain the second information from the response message;
a key management module, configured to generate the shared key for the D2D communication according to the first information and the second information, send the shared key to the sender device and the receiver device respectively, and send the second information to the sender device.
The device may further include the following features:
Wherein, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
Wherein, the key management module generating the shared key for the D2D communication according to the first information and the second information includes:
using a root key as the seed key, using the identity information of the sender device and the receiver device as the diversification parameters of a configured key generation algorithm, and using the key generation algorithm to generate the shared key for the D2D communication; or
using a root key as the seed key, using the identity information of the sender device and the receiver device together with the first dynamic parameter and the second dynamic parameter, which ensure key freshness, as the diversification parameters of a configured key generation algorithm, and using the key generation algorithm to generate the shared key for the D2D communication.
Wherein, the key management module, when the key generation algorithm includes a first key generation algorithm and the shared key includes a shared encryption/decryption key, uses the key generation algorithm to generate the shared key for the D2D communication by: using the first key generation algorithm to generate the shared encryption/decryption key for the D2D communication; or, when the key generation algorithm includes a first key generation algorithm and a second key generation algorithm and the shared key includes a shared encryption/decryption key and a shared integrity protection key, uses the key generation algorithm to generate the shared key for the D2D communication by: using the first key generation algorithm to generate the shared encryption/decryption key for the D2D communication, and using the second key generation algorithm to generate the shared integrity protection key for the D2D communication.
Wherein, the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
Wherein, the network-side node includes: a base station, a Home Subscriber Server (HSS), a D2D function node (ProSE Function) or a Serving GPRS Support Node (SGSN).
Wherein, the identity information of a device includes at least one of the following: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI) of the device, and the identity information of the application that needs to perform the D2D communication.
Wherein, the communication module is further configured to: after sending the request message carrying the first information to the receiver device, terminate the D2D communication process upon receiving a response message indicating refusal returned by the receiver device.
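The key generation step of the key management module above (root key as seed key, identity information and dynamic parameters as diversification parameters, a first and a second key generation algorithm for the two shared keys), which the network-side method describes in the same terms, is worked through below as an added example; it is not code from the patent or from ZTE. It assumes HMAC-SHA256 keyed with the root key as the key generation algorithm, with a per-purpose label standing in for the choice between the "first" and "second" algorithm, and length-prefixed fields so that the boundary between identities and dynamic parameters is unambiguous. The root key value, the identities, the labels and the SessionParams struct with its field names are this example's own assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// SessionParams carries the first and second information collected by the
// network-side node. The field names are this example's own; the patent names
// only the concepts (identity information, first/second dynamic parameter).
type SessionParams struct {
	SenderID   string // IMEI, IMSI or application identity of the sender device
	ReceiverID string // the same for the receiver device
	Nonce1     []byte // first dynamic parameter; nil in the variant without freshness
	Nonce2     []byte // second dynamic parameter
}

// deriveKey is one "key generation algorithm": HMAC-SHA256 keyed with the root
// key (the seed key), with the label and each diversification parameter fed in
// length-prefixed so that ("AB","C") and ("A","BC") cannot produce the same key.
func deriveKey(rootKey []byte, label string, p SessionParams) []byte {
	mac := hmac.New(sha256.New, rootKey)
	writeField := func(b []byte) {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(b)))
		mac.Write(n[:])
		mac.Write(b)
	}
	writeField([]byte(label))
	writeField([]byte(p.SenderID))
	writeField([]byte(p.ReceiverID))
	writeField(p.Nonce1)
	writeField(p.Nonce2)
	return mac.Sum(nil)
}

// DeriveSharedKeys applies the first algorithm (label "D2D-enc") to obtain the
// shared encryption/decryption key and the second (label "D2D-int") to obtain the
// shared integrity protection key. The distinct labels keep the two keys
// independent although both come from the same root key and parameters.
func DeriveSharedKeys(rootKey []byte, p SessionParams) (encKey, intKey []byte) {
	return deriveKey(rootKey, "D2D-enc", p), deriveKey(rootKey, "D2D-int", p)
}

func main() {
	root := []byte("root key held only by the network-side node") // constructed sample
	p := SessionParams{SenderID: "imsi-460001234567890", ReceiverID: "imsi-460009876543210"}
	e1, _ := DeriveSharedKeys(root, p)
	e2, _ := DeriveSharedKeys(root, p)
	fmt.Println("without dynamic parameters the same keys recur:", hex.EncodeToString(e1) == hex.EncodeToString(e2))
	p.Nonce1, p.Nonce2 = []byte("rand-from-sender"), []byte("rand-from-recver")
	e3, i3 := DeriveSharedKeys(root, p)
	fmt.Println("enc key:", hex.EncodeToString(e3))
	fmt.Println("int key:", hex.EncodeToString(i3))
}
```

Without the dynamic parameters the same pair of identities always yields the same keys, so every session between the two devices reuses them; with the dynamic parameters each session gets fresh keys, which is the key freshness the text attributes to them. The root key never leaves the node: both devices receive only the derived keys, consistent with the root key being managed and maintained by the network-side node.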
As it is shown in figure 5, embodiments provide the device of a kind of secure communication, it is applied to equipment pair Sender's equipment of equipment communication, including:
Key management module, for needs carry out with receiver equipment equipment equipment D2D is communicated time, The request message carrying the first information is sent to network side node;Send receiving described network side node Shared key and the second information after, notify authentication module;
Authentication module, for based on described shared key, the first information and the second information and described recipient Equipment is mutually authenticated;
Wherein, described second information is sent to described network side node by described receiver equipment, then by institute State network side node and be sent to described sender's equipment.
Described device can also include following feature:
Wherein, the described first information includes the identity information of sender's equipment, and described second information includes The identity information of receiver equipment;Or the described first information includes the identity information and of sender's equipment One dynamic parameter, and described second information includes identity information and second dynamic parameter of receiver equipment.
Wherein, authentication module, for described shared key include share encryption and decryption key, described first Information includes that the identity information of sender's equipment and described second information include the identity information of receiver equipment Time, recognize each other mutually with described receiver equipment based on described shared key, the first information and the second information Card, including:
The identity information using described shared encryption and decryption double secret key sender's equipment is encrypted generation first and adds Confidential information, adds confidential information using described first and is sent to described receiver equipment as authentication information;
Receive that described receiver equipment sends after the second of certification adds confidential information, use described Share described in encryption and decryption double secret key second to add confidential information and be decrypted, the information that will obtain after deciphering and this locality The identity information of the receiver equipment preserved compares, and as the two is consistent, then confirms that described recipient sets For passing through certification;
Wherein, described second add confidential information be described receiver equipment use described shared encryption and decryption double secret key The identity information of receiver equipment generates after being encrypted.
Wherein, authentication module, for described shared key include share encryption and decryption key, described first Information includes that the identity information of sender's equipment and the first dynamic parameter and described second information include recipient When the identity information of equipment and the second dynamic parameter, based on described shared key, the first information and the second letter Breath is mutually authenticated with described receiver equipment, including:
The identity information and the second dynamic parameter that use described shared encryption and decryption double secret key sender's equipment are carried out Encryption generates first and adds confidential information, adds confidential information using described first and is sent to described reception as authentication information Method, apparatus;
Receive that described receiver equipment sends after the second of certification adds confidential information, use described Share described in encryption and decryption double secret key second to add confidential information and be decrypted, the information that will obtain after deciphering and this locality Identity information and first dynamic parameter of the receiver equipment preserved compare, as the two is consistent, the most really Recognize described receiver equipment and pass through certification;
Wherein, described second add confidential information be described receiver equipment use described shared encryption and decryption double secret key The identity information of receiver equipment and the first dynamic parameter generate after being encrypted.
Wherein, authentication module, for including sharing encryption and decryption key and sharing complete in described shared key Property protection key, the described first information include that the identity information of sender's equipment and described second information include During the identity information of receiver equipment, based on described shared key, the first information and the second information with described Receiver equipment is mutually authenticated, including:
Described shared tegrity protection key is used to carry out the identity information of sender's equipment processing generation the One integrity protection information;Use identity information and the institute of described shared encryption and decryption double secret key sender's equipment State the first integrity protection information to be encrypted generation and first add confidential information, add confidential information by described first and make It is sent to described receiver equipment for authentication information;
Receive that described receiver equipment sends after the second of certification adds confidential information, use described Share described in encryption and decryption double secret key second to add confidential information and be decrypted, with described shared tegrity protection key The identity information of the receiver equipment that this locality preserves is processed, generates the complete of described receiver equipment Property protection information, will the identity information and originally of the information that obtain and the local receiver equipment preserved after deciphering The integrity protection information of the receiver equipment that terminal generates compares, and as the two is consistent, then confirms institute State receiver equipment and pass through certification;
Wherein, described second add confidential information be described receiver equipment use described shared encryption and decryption double secret key The identity information of receiver equipment and the second integrity protection information generate after being encrypted, and described second Integrity protection information is that described receiver equipment uses described shared tegrity protection key to set recipient Standby identity information carries out processing generation.
When the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, the authentication module performs mutual authentication with the receiver device based on the shared key, the first information and the second information as follows:
Process the identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate first integrity protection information; encrypt the identity information of the sender device, the second dynamic parameter and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information; send the first encrypted information to the receiver device as authentication information;
After receiving the second encrypted information for authentication sent by the receiver device, decrypt the second encrypted information with the shared encryption/decryption key; process the locally stored identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate the integrity protection information of the receiver device; compare the information obtained by decryption with the locally stored identity information of the receiver device, the first dynamic parameter and the integrity protection information generated by this terminal; if the two are consistent, confirm that the receiver device has passed authentication;
The second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device, the first dynamic parameter and the second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key.
The first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
The identity information of a device includes at least one of the following: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI) of the device, and the identity information of the application that needs to perform D2D communication.
As shown in Figure 6, an embodiment of the present invention provides a secure communication device, applied to the receiver device of device-to-device communication, including:
A key management module, configured to return a response message to the network-side node after receiving the request message carrying the first information sent by the network-side node, where the response message carries the second information when it indicates agreement, and to notify the authentication module after receiving the shared key sent by the network-side node;
An authentication module, configured to perform mutual authentication with the sender device based on the shared key, the first information and the second information;
The first information is sent by the sender device to the network-side node, which then sends it to the receiver device.
The device may also include the following features:
The first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
When the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performs mutual authentication with the sender device based on the shared key, the first information and the second information as follows:
After receiving the first encrypted information for authentication sent by the sender device, decrypt the first encrypted information with the shared encryption/decryption key and compare the information obtained by decryption with the locally stored identity information of the sender device; if the two are consistent, confirm that the sender device has passed authentication; encrypt the identity information of the receiver device with the shared encryption/decryption key to generate second encrypted information, and send the second encrypted information to the sender device as authentication information;
The first encrypted information is generated by the sender device by encrypting the identity information of the sender device with the shared encryption/decryption key.
When the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, the authentication module performs mutual authentication with the sender device based on the shared key, the first information and the second information as follows:
After receiving the first encrypted information for authentication sent by the sender device, decrypt the first encrypted information with the shared encryption/decryption key and compare the information obtained by decryption with the locally stored identity information of the sender device and the second dynamic parameter; if the two are consistent, confirm that the sender device has passed authentication; encrypt the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key to generate second encrypted information, and send the second encrypted information to the sender device as authentication information;
The first encrypted information is generated by the sender device by encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key.
When the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performs mutual authentication with the sender device based on the shared key, the first information and the second information as follows:
After receiving the first encrypted information for authentication sent by the sender device, decrypt the first encrypted information with the shared encryption/decryption key; process the locally stored identity information of the sender device with the shared integrity protection key to generate the integrity protection information of the sender device; compare the information obtained by decryption with the locally stored identity information of the sender device and the integrity protection information generated by this terminal; if the two are consistent, confirm that the sender device has passed authentication; process the identity information of the receiver device with the shared integrity protection key to generate second integrity protection information; encrypt the identity information of the receiver device and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information; send the second encrypted information to the sender device as authentication information;
The first encrypted information is generated by the sender device by encrypting the identity information of the sender device and the first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device with the shared integrity protection key.
When the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, the authentication module performs mutual authentication with the sender device based on the shared key, the first information and the second information as follows:
After receiving the first encrypted information for authentication sent by the sender device, decrypt the first encrypted information with the shared encryption/decryption key; process the locally stored identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate the integrity protection information of the sender device; compare the information obtained by decryption with the locally stored identity information of the sender device, the second dynamic parameter and the integrity protection information generated by this terminal; if the two are consistent, confirm that the sender device has passed authentication; process the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate second integrity protection information; encrypt the identity information of the receiver device, the first dynamic parameter and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information; send the second encrypted information to the sender device as authentication information;
The first encrypted information is generated by the sender device by encrypting the identity information of the sender device, the second dynamic parameter and the first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key.
The first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
The identity information of a device includes at least one of the following: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI) of the device, and the identity information of the application that needs to perform D2D communication.
As shown in Figure 7, an embodiment of the present invention provides a secure communication system, applied to a device-to-device communication network, including a network-side node, a sender device and a receiver device.
Application example
As shown in Figure 8, the method for establishing a secure communication process between mobile devices may include the following steps:
Step S101: The sender mobile terminal device sends request information to the network-side node, and the request information includes the first information;
The first information includes the identity information of the sender, or the identity information of the sender and a random number (the first random number);
The identity information of the sender mobile terminal device may be the device identity IMEI, the subscriber identity IMSI, or the identity information of the application that needs to perform D2D communication, etc.;
Step S102: After receiving the request information, the network-side node obtains the first information and sends request information carrying the first information to the receiver mobile terminal device.
Step S103: After receiving the request information, the receiver mobile terminal device sends a response message to the network-side node.
When the response message indicates agreement, it carries the second information;
When the response message indicates refusal, the network-side node terminates the D2D communication process after receiving the response message from the receiver mobile terminal device;
The second information includes the identity information of the receiver, or the identity information of the receiver and a random number (the second random number);
The identity information of the receiver mobile terminal device may be the device identity IMEI, the subscriber identity IMSI, or the identity information of the application that needs to perform D2D communication, etc.;
Step S104: After receiving the response message, the network-side node generates, on the network node, the shared encryption/decryption key for the D2D communication.
When the first information includes the identity information of the sender and the second information includes the identity information of the receiver, the network-side node uses the root key as the seed key, uses the identity information of the sender device and the receiver device as the diversification parameters of the deployed key generation algorithm, and uses that key generation algorithm to generate the shared encryption/decryption key for the D2D communication; or
When the first information includes the identity information of the sender and the first random number, and the second information includes the identity information of the receiver and the second random number, the network-side node uses the root key as the seed key, uses the identity information of the sender device and the receiver device together with the first random number and the second random number (which ensure key freshness) as the diversification parameters of the deployed key generation algorithm, and uses that key generation algorithm to generate the shared encryption/decryption key for the D2D communication;
Step S105: The network-side node sends the generated shared encryption/decryption key, together with the response message of the receiver mobile terminal device, to the sender mobile terminal device.
The sender mobile terminal device obtains the second information from the response message;
Step S106: The shared encryption/decryption key generated by the network node is sent to the receiver mobile terminal device.
Step S107: The sender mobile terminal device generates authentication information using the shared encryption/decryption key and sends it to the receiver mobile terminal device;
When the first information includes the identity information of the sender device, the sender mobile terminal device encrypts the identity information of the sender mobile terminal device with the shared encryption/decryption key to generate first encrypted information, and sends the first encrypted information directly to the receiver mobile terminal device over the D2D communication link as authentication information;
When the first information includes the identity information of the sender device and the first random number, and the second information includes the identity information of the receiver device and the second random number, the sender mobile terminal device encrypts the identity information of the sender mobile terminal device and the second random number with the shared encryption/decryption key to generate first encrypted information, and sends the first encrypted information directly to the receiver mobile terminal device over the D2D communication link as authentication information;
Step S108: After receiving the authentication information from the sender mobile terminal device, the receiver mobile terminal device authenticates the sender mobile terminal device using the shared encryption/decryption key; after determining that the sender mobile terminal device has passed authentication, it generates authentication information using the shared encryption/decryption key and sends it to the sender mobile terminal device;
When the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, after receiving the first encrypted information for authentication sent by the sender device, the receiver mobile terminal device decrypts the first encrypted information with the shared encryption/decryption key and compares the information obtained by decryption with the locally stored identity information of the sender device; if the two are consistent, it confirms that the sender mobile terminal device has passed authentication, encrypts the identity information of the receiver device with the shared encryption/decryption key to generate second encrypted information, and sends the second encrypted information directly to the sender mobile terminal device over the D2D communication link as authentication information;
When the first information includes the identity information of the sender device and the first random number, and the second information includes the identity information of the receiver device and the second random number, after receiving the first encrypted information for authentication sent by the sender device, the receiver mobile terminal device decrypts the first encrypted information with the shared encryption/decryption key and compares the information obtained by decryption with the locally stored identity information of the sender device and the second random number; if the two are consistent, it confirms that the sender mobile terminal device has passed authentication, encrypts the identity information of the receiver mobile terminal device and the first random number with the shared encryption/decryption key to generate second encrypted information, and sends the second encrypted information directly to the sender mobile terminal device over the D2D communication link as authentication information;
Step S109: After receiving the authentication information from the receiver mobile terminal device, the sender mobile terminal device performs authentication using the shared encryption/decryption key; after determining that the receiver mobile terminal device has passed authentication, the two parties establish a secure communication connection;
When the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, after receiving the second encrypted information for authentication sent by the receiver mobile terminal device, the sender decrypts the second encrypted information with the shared encryption/decryption key and compares the information obtained by decryption with the locally stored identity information of the receiver mobile terminal device; if the two are consistent, it confirms that the receiver mobile terminal device has passed authentication;
When the first information includes the identity information of the sender mobile terminal device and the first random number, and the second information includes the identity information of the receiver device and the second random number, after receiving the second encrypted information for authentication sent by the receiver mobile terminal device, the sender decrypts the second encrypted information with the shared encryption/decryption key and compares the information obtained by decryption with the locally stored identity information of the receiver mobile terminal device and the first random number; if the two are consistent, it confirms that the receiver mobile terminal device has passed authentication.
As shown in Figure 9, the method for establishing a secure communication process between mobile devices may also include the following steps:
Step S201: The sender mobile terminal device sends request information to the network-side node, and the request information includes the first information;
The first information includes the identity information of the sender, or the identity information of the sender and a random number (the first random number);
The identity information of the sender mobile terminal device may be the device identity IMEI, the subscriber identity IMSI, or the identity information of the application that needs to perform D2D communication, etc.;
Step S202: After receiving the request information, the network-side node obtains the first information and sends request information carrying the first information to the receiver mobile terminal device.
Step S203: After receiving the request information, the receiver mobile terminal device sends a response message to the network-side node.
When the response message indicates agreement, it carries the second information;
When the response message indicates refusal, the network-side node terminates the D2D communication process after receiving the response message from the receiver mobile terminal device;
The second information includes the identity information of the receiver, or the identity information of the receiver and a random number (the second random number);
The identity information of the receiver mobile terminal device may be the device identity IMEI, the subscriber identity IMSI, or the identity information of the application that needs to perform D2D communication, etc.;
Step S204: After receiving the response message, the network-side node generates, on the network node, the shared encryption/decryption key and the shared integrity protection key for the D2D communication.
When the first information includes the identity information of the sender and the second information includes the identity information of the receiver, the network-side node uses the root key as the seed key and the identity information of the sender device and the receiver device as the diversification parameters of the deployed first key generation algorithm, and uses the first key generation algorithm to generate the shared encryption/decryption key for the D2D communication; the network-side node likewise uses the root key as the seed key and the identity information of the sender device and the receiver device as the diversification parameters of the deployed second key generation algorithm, and uses the second key generation algorithm to generate the shared integrity protection key for the D2D communication;
When the first information includes the identity information of the sender and the first random number, and the second information includes the identity information of the receiver and the second random number, the network-side node uses the root key as the seed key and the identity information of the sender device and the receiver device, the first random number and the second random number as the diversification parameters of the deployed first key generation algorithm, and uses the first key generation algorithm to generate the shared encryption/decryption key for the D2D communication; the network-side node likewise uses the root key as the seed key and the identity information of the sender device and the receiver device, the first random number and the second random number as the diversification parameters of the deployed second key generation algorithm, and uses the second key generation algorithm to generate the shared integrity protection key for the D2D communication;
Step S205: The network-side node sends the generated shared encryption/decryption key and shared integrity protection key, together with the response message of the receiver mobile terminal device, to the sender mobile terminal device.
The sender mobile terminal device obtains the second information from the response message;
Step S206: The shared encryption/decryption key and the shared integrity protection key generated by the network node are sent to the receiver mobile terminal device.
Step S207: The sender mobile terminal device generates authentication information using the shared encryption/decryption key and the shared integrity protection key, and sends it to the receiver mobile terminal device;
When the first information includes the identity information of the sender device, the sender processes the identity information of the sender device with the shared integrity protection key to generate first integrity protection information, encrypts the identity information of the sender device and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sends the first encrypted information directly to the receiver mobile terminal device over the D2D communication link as authentication information;
When the first information includes the identity information of the sender device and the first random number, and the second information includes the identity information of the receiver device and the second random number, the sender processes the identity information of the sender device and the second random number with the shared integrity protection key to generate first integrity protection information; encrypts the identity information of the sender device, the second random number and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information; and sends the first encrypted information directly to the receiver mobile terminal device over the D2D communication link as authentication information;
Step S208: After receiving the authentication information from the sender mobile terminal device, the receiver mobile terminal device authenticates the sender mobile terminal device using the shared encryption/decryption key and the shared integrity protection key; after determining that the sender mobile terminal device has passed authentication, it generates authentication information using the shared encryption/decryption key and the shared integrity protection key and sends it to the sender mobile terminal device;
When the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, after receiving the first encrypted information for authentication sent by the sender device, the receiver mobile terminal device decrypts the first encrypted information with the shared encryption/decryption key, processes the locally stored identity information of the sender device with the shared integrity protection key to generate the integrity protection information of the sender device, and compares the information obtained by decryption with the locally stored identity information of the sender device and the integrity protection information generated by this terminal; if the two are consistent, it confirms that the sender mobile terminal device has passed authentication, processes the identity information of the receiver device with the shared integrity protection key to generate second integrity protection information, encrypts the identity information of the receiver device and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sends the second encrypted information directly to the sender mobile terminal device over the D2D communication link as authentication information;
When the first information includes the identity information of the sender device and the first random number, and the second information includes the identity information of the receiver device and the second random number, after receiving the first encrypted information for authentication sent by the sender device, the receiver mobile terminal device decrypts the first encrypted information with the shared encryption/decryption key, processes the locally stored identity information of the sender device and the second random number with the shared integrity protection key to generate the integrity protection information of the sender device, and compares the information obtained by decryption with the locally stored identity information of the sender device, the second random number and the integrity protection information generated by this terminal; if the two are consistent, it confirms that the sender mobile terminal device has passed authentication, processes the identity information of the receiver device and the first random number with the shared integrity protection key to generate second integrity protection information, encrypts the identity information of the receiver device, the first random number and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sends the second encrypted information directly to the sender mobile terminal device over the D2D communication link as authentication information;
Step S209, the certification that sender mobile terminal equipment receives from recipient's mobile terminal device is believed After breath, utilize shared encryption and decryption key and shared tegrity protection key to be authenticated, determining recipient After mobile terminal device is by certification, both sides set up secure communication and connect;
Wherein, include that the identity information of sender's equipment and described second information include at the described first information During the identity information of receiver equipment, receive that described recipient's mobile terminal device sends for recognizing After the second of card adds confidential information, use described in described shared encryption and decryption double secret key second to add confidential information and solve Close, at the described shared tegrity protection key identity information to the receiver equipment that this locality preserves Reason, generates the integrity protection information of described receiver equipment, the information obtained is protected with local after deciphering The integrity protection information of the receiver equipment that the identity information of the receiver equipment deposited and this terminal generate enters Row compares, and as the two is consistent, then confirms that described recipient's mobile terminal device passes through certification;
Wherein, the identity information of sender mobile terminal equipment and first random is included at the described first information When several and described second information includes identity information and second random number of receiver equipment, receiving State recipient's mobile terminal device send after the second of certification adds confidential information, use described share add Decruption key adds confidential information to described second and is decrypted, with described shared tegrity protection key to this locality Identity information and first random number of the receiver equipment preserved process, and generate described receiver equipment Integrity protection information, the identity of the information that obtain and the local receiver equipment preserved will believe after deciphering The integrity protection information of the receiver equipment that breath, the first random number and this terminal generate compares, as The two is consistent, then confirm that described recipient's mobile terminal device passes through certification.
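The exchange described above, with random numbers and a shared integrity protection key, worked through in Go as an added example; it is not code from the patent or from ZTE. It also covers the network-side key generation of the claims (root key as seed key, both identities and both random numbers as dispersion parameters, one derivation per shared key). The patent names neither the key generation algorithm nor the cipher, so the following are assumptions of this example: HMAC-SHA256 as the key generation and integrity algorithm, AES-256-CTR as the encryption/decryption algorithm, a one-byte length prefix per field for unambiguous encoding, and constructed identities and random numbers (`IMEI-A-constructed`, `nonce-from-A`, and so on) as sample input. The function names (`deriveSharedKeys`, `buildAuthMessage`, `verifyAuthMessage`, `mutualAuth`) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SharedKeys holds what the network side node distributes to both devices:
// the shared encryption/decryption key and the shared integrity protection key.
type SharedKeys struct{ Enc, Int []byte }

// encodeFields joins fields (each shorter than 256 bytes) with a one-byte
// length prefix, so an identity and a random number cannot run into each other.
func encodeFields(fields ...[]byte) []byte {
	var out []byte
	for _, f := range fields {
		out = append(append(out, byte(len(f))), f...)
	}
	return out
}

// prf is the assumed key generation and integrity algorithm: HMAC-SHA256.
func prf(key []byte, data ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(encodeFields(data...))
	return m.Sum(nil) // 32 bytes
}

// deriveSharedKeys is the network-side step: root key as seed key, both
// identities and both random numbers (the freshness parameters) as dispersion
// parameters, and a separately labelled derivation for each of the two keys.
func deriveSharedKeys(rootKey, idA, idB, r1, r2 []byte) SharedKeys {
	return SharedKeys{
		Enc: prf(rootKey, []byte("enc"), idA, idB, r1, r2),
		Int: prf(rootKey, []byte("int"), idA, idB, r1, r2),
	}
}

// ctrXOR encrypts or decrypts under the shared encryption/decryption key
// (AES-256-CTR assumed). Integrity comes from the tag inside the plaintext,
// not from the cipher mode. Keys from prf are always 32 bytes, so the cipher
// constructor cannot fail for them.
func ctrXOR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// buildAuthMessage produces the first (sender) or second (receiver) encrypted
// information: own identity, the peer's random number and the integrity
// protection information over both, encrypted and prefixed with a fresh IV.
func buildAuthMessage(keys SharedKeys, ownID, peerNonce []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	tag := prf(keys.Int, ownID, peerNonce)
	return append(iv, ctrXOR(keys.Enc, iv, encodeFields(ownID, peerNonce, tag))...)
}

// verifyAuthMessage is the verifying side: decrypt, rebuild what the peer
// should have sent from the locally stored peer identity, own random number
// and a locally generated tag, and accept only if the whole plaintext matches.
func verifyAuthMessage(keys SharedKeys, msg, expectedID, ownNonce []byte) bool {
	if len(msg) < aes.BlockSize {
		return false
	}
	got := ctrXOR(keys.Enc, msg[:aes.BlockSize], msg[aes.BlockSize:])
	want := encodeFields(expectedID, ownNonce, prf(keys.Int, expectedID, ownNonce))
	return hmac.Equal(got, want) // constant-time comparison
}

// mutualAuth runs the exchange after key distribution. The receiver answers
// only if the sender's proof checks out; each side's decision is reported.
func mutualAuth(keys SharedKeys, idA, idB, r1, r2 []byte) (receiverOK, senderOK bool) {
	first := buildAuthMessage(keys, idA, r2) // sender -> receiver
	if !verifyAuthMessage(keys, first, idA, r2) {
		return false, false
	}
	second := buildAuthMessage(keys, idB, r1) // receiver -> sender
	return true, verifyAuthMessage(keys, second, idB, r1)
}

func main() { // constructed sample values, not taken from the patent
	idA, idB := []byte("IMEI-A-constructed"), []byte("IMEI-B-constructed")
	r1, r2 := []byte("nonce-from-A"), []byte("nonce-from-B")
	keys := deriveSharedKeys(bytes.Repeat([]byte{0x42}, 32), idA, idB, r1, r2)
	fmt.Println(mutualAuth(keys, idA, idB, r1, r2)) // true true
}
```

Two design points follow directly from the text. Each side's tag covers the peer's random number, so a message recorded in one run does not verify against a fresh random number in the next, and the keys themselves change with the random numbers, which is what "key freshness" buys. The verifier also compares identity, random number and tag together rather than checking the identity first and the tag afterwards, so a message built under the right key but for the wrong party, or altered in transit, is rejected in one step.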
In the method, device and system for secure communication provided by the above embodiments, when devices need to carry out device-to-device (D2D) communication, the network side node obtains the identity information of both communicating parties and generates a shared key for the D2D communication from the identity information of the two devices, or from their identity information together with a dynamic parameter that ensures key freshness, and sends it to both devices. The two devices then authenticate each other for the D2D communication on the basis of the shared key, establishing a security association and a trust relationship that ensures a high level of security for the D2D communication.
Those of ordinary skill in the art will appreciate that all or some of the steps of the above method may be implemented by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Alternatively, all or some of the steps of the above embodiments may be implemented with one or more integrated circuits; correspondingly, each module or unit in the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The present invention is not limited to any particular combination of hardware and software.
It should be noted that the present invention may also have various other embodiments. Without departing from the spirit and essence of the present invention, those of ordinary skill in the art can make various corresponding changes and modifications in accordance with it, and all such changes and modifications fall within the scope of protection of the appended claims of the present invention.

Claims (48)

1. A method for secure communication, applied to a network side node, the method comprising:
after receiving a request message sent by a sender device that needs to carry out device-to-device (D2D) communication with a receiver device, obtaining first information from the request message and sending a request message carrying the first information to the receiver device;
after receiving a response message indicating agreement returned by the receiver device, obtaining second information from the response message;
generating a shared key for the D2D communication according to the first information and the second information;
sending the shared key to the sender device and to the receiver device respectively, and sending the second information to the sender device.
2. The method of claim 1, characterized in that:
the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
3. The method of claim 2, characterized in that:
generating the shared key for the D2D communication according to the first information and the second information comprises:
using a root key as the seed key and the identity information of the sender device and the receiver device as the dispersion parameters of a configured key generation algorithm, and generating the shared key for the D2D communication with the key generation algorithm; or
using a root key as the seed key and the identity information of the sender device and the receiver device together with the first dynamic parameter and the second dynamic parameter, which ensure key freshness, as the dispersion parameters of a configured key generation algorithm, and generating the shared key for the D2D communication with the key generation algorithm.
4. The method of claim 3, characterized in that:
the key generation algorithm includes a first key generation algorithm, the shared key includes a shared encryption/decryption key, and generating the shared key for the D2D communication with the key generation algorithm comprises: generating the shared encryption/decryption key for the D2D communication with the first key generation algorithm; or
the key generation algorithm includes a first key generation algorithm and a second key generation algorithm, the shared key includes a shared encryption/decryption key and a shared integrity protection key, and generating the shared key for the D2D communication with the key generation algorithm comprises: generating the shared encryption/decryption key for the D2D communication with the first key generation algorithm, and generating the shared integrity protection key for the D2D communication with the second key generation algorithm.
5. The method of claim 2, 3 or 4, characterized in that:
the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
6. The method of claim 1, 2, 3 or 4, characterized in that:
the network side node includes: a base station, a Home Subscriber Server (HSS), a D2D functional node (ProSe Function) or a Serving GPRS Support Node (SGSN).
7. The method of claim 1, 2, 3 or 4, characterized in that:
the identity information of a device includes at least one of: the International Mobile Equipment Identity (IMEI) information of the device, the International Mobile Subscriber Identity (IMSI) information, and the identity information of the application on the device that needs to carry out the D2D communication.
8. The method of claim 1, characterized in that:
after sending the request message carrying the first information to the receiver device, the method further comprises: after receiving a response message indicating refusal returned by the receiver device, terminating the D2D communication procedure.
9. A method for secure communication, applied to a sender device in device-to-device (D2D) communication, the method comprising:
when D2D communication with a receiver device is needed, sending a request message carrying first information to a network side node;
after receiving a shared key and second information sent by the network side node, performing mutual authentication with the receiver device on the basis of the shared key, the first information and the second information;
wherein the second information is sent by the receiver device to the network side node and then sent by the network side node to the sender device.
10. The method of claim 9, characterized in that:
the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
11. The method of claim 10, characterized in that:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, performing mutual authentication with the receiver device on the basis of the shared key, the first information and the second information comprises:
encrypting the identity information of the sender device with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information for authentication sent by the receiver device, decrypting the second encrypted information with the shared encryption/decryption key and comparing the information obtained by decryption with the locally stored identity information of the receiver device; if they match, confirming that the receiver device has passed authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device with the shared encryption/decryption key.
12. The method of claim 10, characterized in that:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the first dynamic parameter, and the second information includes the identity information of the receiver device and the second dynamic parameter, performing mutual authentication with the receiver device on the basis of the shared key, the first information and the second information comprises:
encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information for authentication sent by the receiver device, decrypting the second encrypted information with the shared encryption/decryption key and comparing the information obtained by decryption with the locally stored identity information of the receiver device and the first dynamic parameter; if they match, confirming that the receiver device has passed authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key.
13. The method of claim 10, characterized in that:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, performing mutual authentication with the receiver device on the basis of the shared key, the first information and the second information comprises:
processing the identity information of the sender device with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information for authentication sent by the receiver device, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device with the shared integrity protection key to generate integrity protection information of the receiver device, and comparing the information obtained by decryption with the locally stored identity information of the receiver device and the integrity protection information of the receiver device generated by this terminal; if they match, confirming that the receiver device has passed authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device with the shared integrity protection key.
14. The method of claim 10, characterized in that:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the first dynamic parameter, and the second information includes the identity information of the receiver device and the second dynamic parameter, performing mutual authentication with the receiver device on the basis of the shared key, the first information and the second information comprises:
processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device, the second dynamic parameter and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information for authentication sent by the receiver device, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate integrity protection information of the receiver device, and comparing the information obtained by decryption with the locally stored identity information of the receiver device, the first dynamic parameter and the integrity protection information of the receiver device generated by this terminal; if they match, confirming that the receiver device has passed authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device, the first dynamic parameter and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key.
15. The method of any one of claims 9 to 14, characterized in that:
the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
16. The method of any one of claims 9 to 14, characterized in that:
the identity information of a device includes at least one of: the International Mobile Equipment Identity (IMEI) information of the device, the International Mobile Subscriber Identity (IMSI) information, and the identity information of the application on the device that needs to carry out the D2D communication.
17. A method for secure communication, applied to a receiver device in device-to-device (D2D) communication, the method comprising:
after receiving a request message carrying first information sent by a network side node, returning a response message to the network side node, wherein the response message carries second information when it indicates agreement;
after receiving a shared key sent by the network side node, performing mutual authentication with the sender device on the basis of the shared key, the first information and the second information;
wherein the first information is sent by the sender device to the network side node and then sent by the network side node to the receiver device.
18. The method of claim 17, characterized in that:
the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
19. The method of claim 18, characterized in that:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, performing mutual authentication with the sender device on the basis of the shared key, the first information and the second information comprises:
after receiving first encrypted information for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key and comparing the information obtained by decryption with the locally stored identity information of the sender device; if they match, confirming that the sender device has passed authentication, encrypting the identity information of the receiver device with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device with the shared encryption/decryption key.
20. The method of claim 18, characterized in that:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the first dynamic parameter, and the second information includes the identity information of the receiver device and the second dynamic parameter, performing mutual authentication with the sender device on the basis of the shared key, the first information and the second information comprises:
after receiving first encrypted information for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key and comparing the information obtained by decryption with the locally stored identity information of the sender device and the second dynamic parameter; if they match, confirming that the sender device has passed authentication, encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key.
21. The method of claim 18, characterized in that:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, performing mutual authentication with the sender device on the basis of the shared key, the first information and the second information comprises:
after receiving first encrypted information for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device with the shared integrity protection key to generate integrity protection information of the sender device, and comparing the information obtained by decryption with the locally stored identity information of the sender device and the integrity protection information of the sender device generated by this terminal; if they match, confirming that the sender device has passed authentication, processing the identity information of the receiver device with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device with the shared integrity protection key.
22. The method of claim 18, characterized in that:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the first dynamic parameter, and the second information includes the identity information of the receiver device and the second dynamic parameter, performing mutual authentication with the sender device on the basis of the shared key, the first information and the second information comprises:
after receiving first encrypted information for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate integrity protection information of the sender device, and comparing the information obtained by decryption with the locally stored identity information of the sender device, the second dynamic parameter and the integrity protection information of the sender device generated by this terminal; if they match, confirming that the sender device has passed authentication, processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device, the first dynamic parameter and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device, the second dynamic parameter and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key.
23. The method of any one of claims 17 to 22, characterized in that:
the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
24. The method of any one of claims 17 to 22, characterized in that:
the identity information of a device includes at least one of: the International Mobile Equipment Identity (IMEI) information of the device, the International Mobile Subscriber Identity (IMSI) information, and the identity information of the application on the device that needs to carry out the D2D communication.
The device of 25. 1 kinds of secure communications, is applied to network side node, including:
Communication module, for after receiving the request message needing to carry out sender's equipment transmission that equipment D2D is communicated by equipment with receiver equipment, from described request message, obtain the first information, send the request message carrying the described first information to described receiver equipment;After the response message receiving the instruction agreement that described receiver equipment returns, from described response message, obtain the second information;
Key management module, for generating the shared key for described D2D communication according to the described first information and the second information;Described shared key is sent respectively to described sender's equipment and receiver equipment, and described second information is sent to described sender's equipment.
26. devices as claimed in claim 25, it is characterised in that:
The described first information includes the identity information of sender's equipment, and described second information includes the identity information of receiver equipment;Or the described first information includes identity information and first dynamic parameter of sender's equipment, and described second information includes identity information and second dynamic parameter of receiver equipment.
27. devices as claimed in claim 26, it is characterised in that:
Key management module, for generating the shared key for described D2D communication according to the described first information and the second information, including:
Using root key as seed key, using the identity information of described sender's equipment and receiver equipment as the scattering parameter of the key schedule disposed, described key schedule is used to generate the shared key communicated for described D2D;Or
Using root key as seed key, using described sender's equipment and the identity information of receiver equipment and be used for the scattering parameter ensureing the first dynamic parameter of key novelty and the second dynamic parameter as the key schedule disposed, described key schedule is used to generate the shared key communicated for described D2D.
28. devices as claimed in claim 27, it is characterised in that:
Key management module, for including the first key schedule at described key schedule, and described shared key is when including sharing encryption and decryption key, described key schedule is used to generate the shared key communicated for described D2D, including: use described first key schedule to generate the shared encryption and decryption key communicated for described D2D;Or include the first key schedule and the second key schedule at described key schedule; and described shared key is when including sharing encryption and decryption key and shared tegrity protection key; described key schedule is used to generate the shared key communicated for described D2D; including: use described first key schedule to generate the shared encryption and decryption key communicated for described D2D, use described second key schedule to generate the shared tegrity protection key communicated for described D2D.
29. The device of claim 26, 27 or 28, wherein:
the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
30. The device of claim 25, 26, 27 or 28, wherein:
the network side node includes a base station, a Home Subscriber Server (HSS), a D2D function node (ProSe Function) or a Serving GPRS Support Node (SGSN).
31. The device of claim 25, 26, 27 or 28, wherein:
the identity information of a device includes at least one of the following: the International Mobile Equipment Identity (IMEI) information of the device, the International Mobile Subscriber Identity (IMSI) information of the device, and the identity information of the application on the device that needs to perform D2D communication.
32. The device of claim 25, wherein:
after sending the request message carrying the first information to the receiver device, the communication module further terminates the D2D communication process upon receiving a response message from the receiver device that indicates refusal.
33. A secure communication device, applied to a sender device in device-to-device (D2D) communication, comprising:
a key management module, configured to send a request message carrying first information to a network side node when D2D communication with a receiver device is needed, and to notify the authentication module after receiving the shared key and the second information sent by the network side node;
an authentication module, configured to perform mutual authentication with the receiver device based on the shared key, the first information and the second information;
wherein the second information is sent by the receiver device to the network side node and then forwarded by the network side node to the sender device.
34. The device of claim 33, wherein:
the first information includes the identity information of the sender device, and the second information includes the identity information of the receiver device; or the first information includes the identity information and a first dynamic parameter of the sender device, and the second information includes the identity information and a second dynamic parameter of the receiver device.
35. The device of claim 34, wherein:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performs mutual authentication with the receiver device based on the shared key, the first information and the second information by:
encrypting the identity information of the sender device with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information sent by the receiver device for authentication, decrypting the second encrypted information with the shared encryption/decryption key, comparing the decrypted information with the locally stored identity information of the receiver device, and confirming that the receiver device has passed authentication if the two are consistent;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device with the shared encryption/decryption key.
36. The device of claim 34, wherein:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information and the first dynamic parameter of the sender device and the second information includes the identity information and the second dynamic parameter of the receiver device, the authentication module performs mutual authentication with the receiver device based on the shared key, the first information and the second information by:
encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information sent by the receiver device for authentication, decrypting the second encrypted information with the shared encryption/decryption key, comparing the decrypted information with the locally stored identity information of the receiver device and the first dynamic parameter, and confirming that the receiver device has passed authentication if the two are consistent;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key.
37. The device of claim 34, wherein:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performs mutual authentication with the receiver device based on the shared key, the first information and the second information by:
processing the identity information of the sender device with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information sent by the receiver device for authentication, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device with the shared integrity protection key to generate the integrity protection information of the receiver device, comparing the decrypted information with the locally stored identity information of the receiver device and the locally generated integrity protection information of the receiver device, and confirming that the receiver device has passed authentication if the two are consistent;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device with the shared integrity protection key.
38. The device of claim 34, wherein:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information and the first dynamic parameter of the sender device and the second information includes the identity information and the second dynamic parameter of the receiver device, the authentication module performs mutual authentication with the receiver device based on the shared key, the first information and the second information by:
processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device, the second dynamic parameter and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information sent by the receiver device for authentication, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate the integrity protection information of the receiver device, comparing the decrypted information with the locally stored identity information of the receiver device, the first dynamic parameter and the locally generated integrity protection information of the receiver device, and confirming that the receiver device has passed authentication if the two are consistent;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device, the first dynamic parameter and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key.
39. The device of any one of claims 33-38, wherein:
the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
40. The device of any one of claims 33-38, wherein:
the identity information of a device includes at least one of the following: the International Mobile Equipment Identity (IMEI) information of the device, the International Mobile Subscriber Identity (IMSI) information of the device, and the identity information of the application on the device that needs to perform D2D communication.
41. A secure communication device, applied to a receiver device in device-to-device (D2D) communication, comprising:
a key management module, configured to return a response message to a network side node after receiving a request message carrying first information sent by the network side node, wherein the response message carries second information when it indicates agreement, and to notify the authentication module after receiving the shared key sent by the network side node;
an authentication module, configured to perform mutual authentication with the sender device based on the shared key, the first information and the second information;
wherein the first information is sent by the sender device to the network side node and then forwarded by the network side node to the receiver device.
42. The device of claim 41, wherein:
the first information includes the identity information of the sender device, and the second information includes the identity information of the receiver device; or the first information includes the identity information and a first dynamic parameter of the sender device, and the second information includes the identity information and a second dynamic parameter of the receiver device.
43. The device of claim 42, wherein:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performs mutual authentication with the sender device based on the shared key, the first information and the second information by:
after receiving the first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, comparing the decrypted information with the locally stored identity information of the sender device, and confirming that the sender device has passed authentication if the two are consistent; then encrypting the identity information of the receiver device with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device with the shared encryption/decryption key.
44. The device of claim 42, wherein:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information and the first dynamic parameter of the sender device and the second information includes the identity information and the second dynamic parameter of the receiver device, the authentication module performs mutual authentication with the sender device based on the shared key, the first information and the second information by:
after receiving the first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, comparing the decrypted information with the locally stored identity information of the sender device and the second dynamic parameter, and confirming that the sender device has passed authentication if the two are consistent; then encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key.
45. The device of claim 42, wherein:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performs mutual authentication with the sender device based on the shared key, the first information and the second information by:
after receiving the first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device with the shared integrity protection key to generate the integrity protection information of the sender device, comparing the decrypted information with the locally stored identity information of the sender device and the locally generated integrity protection information of the sender device, and confirming that the sender device has passed authentication if the two are consistent; then processing the identity information of the receiver device with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device with the shared integrity protection key.
46. The device of claim 42, wherein:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information and the first dynamic parameter of the sender device and the second information includes the identity information and the second dynamic parameter of the receiver device, the authentication module performs mutual authentication with the sender device based on the shared key, the first information and the second information by:
after receiving the first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate the integrity protection information of the sender device, comparing the decrypted information with the locally stored identity information of the sender device, the second dynamic parameter and the locally generated integrity protection information of the sender device, and confirming that the sender device has passed authentication if the two are consistent; then processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device, the first dynamic parameter and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device, the second dynamic parameter and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key.
47. The device of any one of claims 41-46, wherein:
the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
48. The device of any one of claims 41-46, wherein:
the identity information of a device includes at least one of the following: the International Mobile Equipment Identity (IMEI) information of the device, the International Mobile Subscriber Identity (IMSI) information of the device, and the identity information of the application on the device that needs to perform D2D communication.
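The key derivation of claims 27-28 and the mutual authentication with integrity protection of claims 38 and 46, carried through end to end as an added example that is not the patent's own code. The claims leave the key generation algorithm and the cipher open, so HMAC-SHA256 is assumed for the key generation algorithm and an HMAC-based keystream stands in for the cipher; the labels D2D-enc/D2D-int, the 16-byte dynamic parameter and the placeholder identities are likewise assumptions.

```python
import hashlib
import hmac
import os
import struct
from typing import NamedTuple

# Added example, not code from the patent. The claims leave the concrete key
# generation algorithm and cipher open: here HMAC-SHA256 is the key generation
# algorithm and the "cipher" is a CTR-style HMAC-SHA256 keystream, a
# stdlib-only stand-in for a real block cipher.

NONCE_LEN = 16  # assumed size of the first/second dynamic parameter (random number)


class SharedKeys(NamedTuple):
    enc: bytes    # shared encryption/decryption key (first key generation algorithm)
    integ: bytes  # shared integrity protection key (second key generation algorithm)


def _kdf(root_key: bytes, label: bytes, *params: bytes) -> bytes:
    """Root key as seed; identities and dynamic parameters as diversification parameters."""
    h = hmac.new(root_key, label, hashlib.sha256)
    for p in params:  # length-prefix each parameter so (A, BC) != (AB, C)
        h.update(struct.pack(">H", len(p)) + p)
    return h.digest()


def derive_shared_keys(root_key, id_sender, id_receiver, nonce1, nonce2) -> SharedKeys:
    """Network-side node step (claims 27-28): two algorithms = two KDF labels."""
    diversifiers = (id_sender, id_receiver, nonce1, nonce2)
    return SharedKeys(enc=_kdf(root_key, b"D2D-enc", *diversifiers),
                      integ=_kdf(root_key, b"D2D-int", *diversifiers))


def _keystream_xor(k_enc, iv, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(k_enc, iv + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(k_enc, plaintext):
    iv = os.urandom(16)  # fresh IV: equal plaintexts differ on the wire
    return iv + _keystream_xor(k_enc, iv, plaintext)


def decrypt(k_enc, ciphertext):
    return _keystream_xor(k_enc, ciphertext[:16], ciphertext[16:])


def _integrity_info(k_int, identity, nonce):
    """'Processing' identity + dynamic parameter with the integrity key (claims 38/46)."""
    return hmac.new(k_int, struct.pack(">H", len(identity)) + identity + nonce,
                    hashlib.sha256).digest()


def build_auth_message(keys, own_identity, peer_nonce):
    """Encrypt own identity, the peer's dynamic parameter and the tag over both."""
    tag = _integrity_info(keys.integ, own_identity, peer_nonce)
    body = struct.pack(">H", len(own_identity)) + own_identity + peer_nonce + tag
    return encrypt(keys.enc, body)


def verify_auth_message(keys, message, expected_identity, own_nonce):
    """Decrypt, then compare identity, own nonce and a locally recomputed tag.

    A wrong key, a stale nonce (replay from an earlier session) or a modified
    ciphertext all yield False; the comparisons are constant-time."""
    pt = decrypt(keys.enc, message)
    if len(pt) < 2:
        return False
    (n,) = struct.unpack(">H", pt[:2])
    identity = pt[2:2 + n]
    nonce = pt[2 + n:2 + n + NONCE_LEN]
    tag = pt[2 + n + NONCE_LEN:]
    expected_tag = _integrity_info(keys.integ, expected_identity, own_nonce)
    return (hmac.compare_digest(identity, expected_identity)
            and hmac.compare_digest(nonce, own_nonce)
            and hmac.compare_digest(tag, expected_tag))


def mutual_authentication(root_key, id_sender, id_receiver, nonce1, nonce2):
    """Whole exchange: node derives keys; sender sends first encrypted information;
    receiver verifies and answers with second encrypted information; sender verifies."""
    keys = derive_shared_keys(root_key, id_sender, id_receiver, nonce1, nonce2)
    first = build_auth_message(keys, id_sender, nonce2)  # sender -> receiver
    if not verify_auth_message(keys, first, id_sender, nonce2):
        return False, False
    second = build_auth_message(keys, id_receiver, nonce1)  # receiver -> sender
    return True, verify_auth_message(keys, second, id_receiver, nonce1)


if __name__ == "__main__":
    # constructed sample values; the identities are placeholders, not real IMEIs
    print(mutual_authentication(os.urandom(32), b"IMEI:placeholder-A", b"IMEI:placeholder-B",
                                os.urandom(NONCE_LEN), os.urandom(NONCE_LEN)))
```

Because the dynamic parameters enter the key derivation, a first encrypted information captured in one session does not verify under the keys of a later session, which is the freshness property claim 29 relies on; the integrity protection information additionally rejects any modified ciphertext.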
Application CN201510176166.3A, priority date 2015-04-14, filing date 2015-04-14: A kind of methods, devices and systems of secure communication (status: Pending), published as CN106162631A (en).

Publications (1)

Publication Number Publication Date
CN106162631A (en) 2016-11-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20161123