CN106162631A - A kind of methods, devices and systems of secure communication - Google Patents
- Publication number: CN106162631A
- Application number: CN201510176166.3A
- Authority: CN (China)
- Prior art keywords: information, equipment, key, sender, shared
- Legal status: Pending (the status shown is an assumption, not a legal conclusion)
- Landscapes: Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a method of secure communication applied to a network-side node. The method includes: after receiving a request message sent by a sender device that needs to carry out device-to-device (D2D) communication with a receiver device, obtaining first information from the request message and sending a request message carrying the first information to the receiver device; after receiving a response message indicating agreement returned by the receiver device, obtaining second information from the response message; generating a shared key for the D2D communication according to the first information and the second information; and sending the shared key to the sender device and the receiver device respectively, and sending the second information to the sender device. The invention establishes a security association and a trust relationship through dynamic mutual authentication, so as to ensure the high security of D2D communication. The invention also discloses a device and a system of secure communication.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a method, device and system of secure communication.
Background technology
In a legacy infrastructure-based cellular mobile communication network, the base station (BS, NB or eNB), as the central control node, is the sole access point through which a mobile device obtains network service. Every mobile device in the network communicates over the uplink or downlink channel with one specific base station of the cellular system.
In current 3GPP (The 3rd Generation Partnership Project) LTE (Long Term Evolution) and LTE-A (LTE Advanced, the evolution of LTE) wireless communication networks, user equipment engaged in D2D (Device-to-Device) direct communication can carry out P2P (Peer to Peer) communication directly by sharing or reusing wireless link resources (uplink or downlink) of the wireless communication network. When several mobile devices are close to each other, supporting direct communication between them brings many benefits over traditional cellular communication, including longer device battery life, more efficient use of radio resources, larger signal coverage and a lower level of system interference. In a cellular network enhanced with D2D technology, on the one hand, direct communication between mobile devices can benefit from the centralized control structure of the cellular network; on the other hand, by using high-quality D2D links (direct device-to-device links), the transmission efficiency of the conventional cellular network can be greatly improved.
In common network-coverage application scenarios, a mobile terminal device must perform mutual authentication with the network to ensure the security of its access and its communication. For mobile terminal devices in close proximity, the security of the communication between them must likewise be assured when they carry out D2D communication. In the scenario where mobile terminal devices in close proximity communicate directly, mutual authentication must also be carried out between the devices, but mutual authentication in this scenario has not yet been standardized.
At present, the related art proposes carrying out D2D communication by means of a pre-shared secret scheme. This mode offers higher security; however, because D2D communication is typically provisional, that is, it is generally difficult to predict when any two mobile terminal devices will carry out D2D communication, a pre-shared secret scheme cannot realize dynamic authentication.
Therefore, how to establish a security association and a trust relationship through dynamic mutual authentication, so as to ensure the high security of D2D communication, is a technical problem of secure communication between mobile terminal devices that currently needs to be addressed.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method, device and system of secure communication that can establish a security association and a trust relationship through dynamic mutual authentication, so as to ensure the high security of D2D communication.
In order to solve the above technical problem, the invention provides a method of secure communication applied to a network-side node. The method includes:
after receiving a request message sent by a sender device that needs to carry out device-to-device (D2D) communication with a receiver device, obtaining first information from the request message and sending a request message carrying the first information to the receiver device;
after receiving a response message indicating agreement returned by the receiver device, obtaining second information from the response message;
generating a shared key for the D2D communication according to the first information and the second information;
sending the shared key to the sender device and the receiver device respectively, and sending the second information to the sender device.
Further, the method also includes the following feature:
the first information includes identity information of the sender device, and the second information includes identity information of the receiver device; or the first information includes identity information of the sender device and a first dynamic parameter, and the second information includes identity information of the receiver device and a second dynamic parameter.
Further, the method also includes the following feature:
generating the shared key for the D2D communication according to the first information and the second information includes:
using a root key as the seed key and the identity information of the sender device and the receiver device as the diversification parameters of the deployed key generation algorithm, and using the key generation algorithm to generate the shared key for the D2D communication; or
using a root key as the seed key and the identity information of the sender device and the receiver device, together with the first dynamic parameter and the second dynamic parameter that ensure key freshness, as the diversification parameters of the deployed key generation algorithm, and using the key generation algorithm to generate the shared key for the D2D communication.
Further, the method also includes the following feature:
the key generation algorithm includes a first key generation algorithm and the shared key includes a shared encryption/decryption key, and using the key generation algorithm to generate the shared key for the D2D communication includes: using the first key generation algorithm to generate the shared encryption/decryption key for the D2D communication; or
the key generation algorithm includes a first key generation algorithm and a second key generation algorithm and the shared key includes a shared encryption/decryption key and a shared integrity protection key, and using the key generation algorithm to generate the shared key for the D2D communication includes: using the first key generation algorithm to generate the shared encryption/decryption key for the D2D communication, and using the second key generation algorithm to generate the shared integrity protection key for the D2D communication.
Further, the method also includes the following feature:
the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication, and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
Further, the method also includes the following feature:
the network-side node includes: a base station, a Home Subscriber Server (HSS), a D2D functional node (ProSe Function) or a Serving GPRS Support Node (SGSN).
Further, the method also includes the following feature:
the identity information of a device includes at least one of the following: International Mobile Equipment Identity (IMEI) information of the device, International Mobile Subscriber Identity (IMSI) information of the device, and identity information of the application that needs to carry out the D2D communication.
Further, the method also includes the following feature:
after sending the request message carrying the first information to the receiver device, the method further includes: after receiving a response message indicating refusal returned by the receiver device, terminating the D2D communication process.
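The network-side procedure above (take the first information from the sender's request, forward it, take the second information from the agreement response, derive the shared encryption/decryption key and the shared integrity protection key from the root key with the identities and dynamic parameters as diversification parameters, distribute them, and terminate on refusal) as an added Python example. This is illustration written for this page, not code from the patent. The patent does not name its key generation algorithm, so HMAC-SHA256 stands in for it; the root key is a constructed value, the random numbers are the first and second dynamic parameters, and the names NetworkSideNode, derive_key and run_flow are assumptions.

```python
# Added example for this page: not the patent's code.  HMAC-SHA256 stands in
# for the unspecified key generation algorithm; ROOT_KEY is constructed.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed for the example: the root key held only by the network-side
# node.  The page says only that a root key is the seed key; its length and
# provisioning are assumptions here.
ROOT_KEY = hashlib.sha256(b"example root key, constructed").digest()


def derive_key(root_key: bytes, label: bytes, diversifiers: list[bytes]) -> bytes:
    """Key generation: root key as seed, identities and dynamic parameters as
    diversification parameters.  Each diversifier is length-prefixed so that
    (b"ab", b"c") and (b"a", b"bc") cannot collide; the label separates the
    first (encryption) and second (integrity) key generation algorithms."""
    msg = label
    for d in diversifiers:
        msg += len(d).to_bytes(2, "big") + d
    return hmac.new(root_key, msg, hashlib.sha256).digest()


@dataclass
class NetworkSideNode:
    """Network-side node (HSS, ProSe Function, base station or SGSN in the
    page's terms) that brokers the request/response and distributes keys."""
    root_key: bytes
    pending: dict = field(default_factory=dict)

    def on_request(self, sender_id: bytes, nonce_s: bytes, receiver_id: bytes) -> dict:
        """Obtain the first information (sender identity and first dynamic
        parameter) from the sender's request and forward it to the receiver."""
        self.pending[(sender_id, receiver_id)] = nonce_s
        return {"type": "D2D_REQUEST", "first_info": (sender_id, nonce_s)}

    def on_response(self, sender_id: bytes, receiver_id: bytes,
                    agreed: bool, nonce_r: bytes | None) -> dict | None:
        """On agreement, generate the shared keys from the first and second
        information and return what each device receives; on refusal,
        terminate the D2D communication process (None)."""
        nonce_s = self.pending.pop((sender_id, receiver_id))
        if not agreed:
            return None
        divs = [sender_id, receiver_id, nonce_s, nonce_r]
        k_enc = derive_key(self.root_key, b"D2D-ENC", divs)  # first key generation algorithm
        k_int = derive_key(self.root_key, b"D2D-INT", divs)  # second key generation algorithm
        return {
            "to_sender": {"k_enc": k_enc, "k_int": k_int,
                          "second_info": (receiver_id, nonce_r)},
            "to_receiver": {"k_enc": k_enc, "k_int": k_int},
        }


def run_flow(sender_id: bytes, receiver_id: bytes, agreed: bool = True,
             nonce_s: bytes | None = None, nonce_r: bytes | None = None) -> dict | None:
    """Drive one request/response round through a fresh node.  The random
    numbers are the page's dynamic parameters; fixing them reproduces a result."""
    nonce_s = nonce_s or secrets.token_bytes(16)
    nonce_r = nonce_r or secrets.token_bytes(16)
    node = NetworkSideNode(ROOT_KEY)
    node.on_request(sender_id, nonce_s, receiver_id)
    return node.on_response(sender_id, receiver_id, agreed, nonce_r)


if __name__ == "__main__":
    result = run_flow(b"IMSI-sender", b"IMSI-receiver")
    print("k_enc:", result["to_sender"]["k_enc"].hex())
    print("k_int:", result["to_sender"]["k_int"].hex())
    print("refused ->", run_flow(b"IMSI-sender", b"IMSI-receiver", agreed=False))
```

Because the random numbers enter the derivation, two sessions between the same pair of devices get different keys even though the root key and identities are unchanged, which is the freshness property the page attributes to the dynamic parameters; the labels keep the encryption key and the integrity key independent even though both come from the same diversifiers.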
In order to solve the above technical problem, the invention provides a method of secure communication applied to the sender device of device-to-device communication. The method includes:
when the sender device needs to carry out device-to-device (D2D) communication with a receiver device, sending a request message carrying first information to a network-side node;
after receiving the shared key and the second information sent by the network-side node, carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information;
wherein the second information is sent by the receiver device to the network-side node and then sent by the network-side node to the sender device.
Further, the method also includes the following feature:
the first information includes identity information of the sender device, and the second information includes identity information of the receiver device; or the first information includes identity information of the sender device and a first dynamic parameter, and the second information includes identity information of the receiver device and a second dynamic parameter.
Further, the method also includes the following feature:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
encrypting the identity information of the sender device with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information sent by the receiver device after authentication passes, decrypting the second encrypted information with the shared encryption/decryption key, comparing the information obtained after decryption with the locally stored identity information of the receiver device, and, if the two are consistent, confirming that the receiver device passes authentication;
wherein the second encrypted information is generated by the receiver device encrypting the identity information of the receiver device with the shared encryption/decryption key.
Further, the method also includes the following feature:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the first dynamic parameter, and the second information includes the identity information of the receiver device and the second dynamic parameter, carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information sent by the receiver device after authentication passes, decrypting the second encrypted information with the shared encryption/decryption key, comparing the information obtained after decryption with the locally stored identity information of the receiver device and the first dynamic parameter, and, if the two are consistent, confirming that the receiver device passes authentication;
wherein the second encrypted information is generated by the receiver device encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key.
Further, the method also includes the following feature:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
processing the identity information of the sender device with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information sent by the receiver device after authentication passes, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device with the shared integrity protection key to generate integrity protection information of the receiver device, comparing the information obtained after decryption with the locally stored identity information of the receiver device and the integrity protection information of the receiver device generated by this terminal, and, if the two are consistent, confirming that the receiver device passes authentication;
wherein the second encrypted information is generated by the receiver device encrypting the identity information of the receiver device and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device processing the identity information of the receiver device with the shared integrity protection key.
Further, the method also includes the following feature:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the first dynamic parameter, and the second information includes the identity information of the receiver device and the second dynamic parameter, carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device, the second dynamic parameter and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information sent by the receiver device after authentication passes, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate integrity protection information of the receiver device, comparing the information obtained after decryption with the locally stored identity information of the receiver device, the first dynamic parameter and the integrity protection information of the receiver device generated by this terminal, and, if the two are consistent, confirming that the receiver device passes authentication;
wherein the second encrypted information is generated by the receiver device encrypting the identity information of the receiver device, the first dynamic parameter and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key.
Further, the method also includes the following feature:
the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication, and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
Further, the method also includes the following feature:
the identity information of a device includes at least one of the following: International Mobile Equipment Identity (IMEI) information of the device, International Mobile Subscriber Identity (IMSI) information of the device, and identity information of the application that needs to carry out the D2D communication.
In order to solve the above technical problem, the invention provides a method of secure communication applied to the receiver device of device-to-device communication. The method includes:
after receiving a request message carrying first information sent by a network-side node, returning a response message to the network-side node, wherein the response message carries second information when it indicates agreement;
after receiving the shared key sent by the network-side node, carrying out mutual authentication with the sender device based on the shared key, the first information and the second information;
wherein the first information is sent by the sender device to the network-side node and then sent by the network-side node to the receiver device.
Further, the method also includes the following feature:
the first information includes identity information of the sender device, and the second information includes identity information of the receiver device; or the first information includes identity information of the sender device and a first dynamic parameter, and the second information includes identity information of the receiver device and a second dynamic parameter.
Further, the method also includes the following feature:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, carrying out mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, comparing the information obtained after decryption with the locally stored identity information of the sender device, and, if the two are consistent, confirming that the sender device passes authentication, encrypting the identity information of the receiver device with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device encrypting the identity information of the sender device with the shared encryption/decryption key.
Further, the method also includes the following feature:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the first dynamic parameter, and the second information includes the identity information of the receiver device and the second dynamic parameter, carrying out mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, comparing the information obtained after decryption with the locally stored identity information of the sender device and the second dynamic parameter, and, if the two are consistent, confirming that the sender device passes authentication, encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key.
Further, the method also includes the following feature:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, carrying out mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device with the shared integrity protection key to generate integrity protection information of the sender device, comparing the information obtained after decryption with the locally stored identity information of the sender device and the integrity protection information of the sender device generated by this terminal, and, if the two are consistent, confirming that the sender device passes authentication; processing the identity information of the receiver device with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device encrypting the identity information of the sender device and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device processing the identity information of the sender device with the shared integrity protection key.
Further, the method also includes the following feature:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the first dynamic parameter, and the second information includes the identity information of the receiver device and the second dynamic parameter, carrying out mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate integrity protection information of the sender device, comparing the information obtained after decryption with the locally stored identity information of the sender device, the second dynamic parameter and the integrity protection information of the sender device generated by this terminal, and, if the two are consistent, confirming that the sender device passes authentication; processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device, the first dynamic parameter and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device encrypting the identity information of the sender device, the second dynamic parameter and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key.
Further, the method also includes the following feature:
the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication, and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
Further, the method also includes the following feature:
the identity information of a device includes at least one of the following: International Mobile Equipment Identity (IMEI) information of the device, International Mobile Subscriber Identity (IMSI) information of the device, and identity information of the application that needs to carry out the D2D communication.
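The mutual authentication described in the sender-side and receiver-side features above, in the variant with both a shared encryption/decryption key and a shared integrity protection key and with random numbers as the dynamic parameters, as an added Python example that is not part of the patent. The patent does not specify the cipher or the integrity processing, so HMAC-SHA256 is used for the integrity protection information and an HMAC-SHA256 counter-mode keystream stands in for the encryption; the keys are constructed rather than received from a network-side node, and the names Peer, make_pair and mutual_auth are assumptions. Beyond the page's own steps, the example also shows the two cases a verifier is expected to reject: a ciphertext altered in transit and a message built with a dynamic parameter from another session.

```python
# Added example for this page: not the patent's code.  HMAC-SHA256 stands in
# for the integrity processing and (in counter mode) for the cipher.
import hashlib
import hmac
import secrets

# Constructed shared keys, standing in for what the network-side node
# would have distributed to both devices.
DEMO_K_ENC = hashlib.sha256(b"constructed shared encryption/decryption key").digest()
DEMO_K_INT = hashlib.sha256(b"constructed shared integrity protection key").digest()


def pack(*fields: bytes) -> bytes:
    """Length-prefix each field so identity, dynamic parameter and integrity
    information can be separated again unambiguously after decryption."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def unpack(blob: bytes, count: int) -> list:
    fields, pos = [], 0
    for _ in range(count):
        if pos + 2 > len(blob):
            raise ValueError("truncated message")
        n = int.from_bytes(blob[pos:pos + 2], "big")
        pos += 2
        if pos + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + n])
        pos += n
    if pos != len(blob):
        raise ValueError("trailing bytes")
    return fields


def integrity_info(k_int: bytes, *fields: bytes) -> bytes:
    """Integrity protection information under the shared integrity key."""
    return hmac.new(k_int, pack(*fields), hashlib.sha256).digest()


def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Constructed stand-in for the shared encryption/decryption algorithm:
    # HMAC-SHA256 in counter mode as a keystream (XOR is its own inverse).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, iv + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(k_enc: bytes, plaintext: bytes) -> bytes:
    iv = secrets.token_bytes(16)  # fresh per message, sent in the clear
    return iv + _keystream_xor(k_enc, iv, plaintext)


def decrypt(k_enc: bytes, ciphertext: bytes) -> bytes:
    return _keystream_xor(k_enc, ciphertext[:16], ciphertext[16:])


class Peer:
    """One D2D endpoint.  For the sender, my_nonce is the first dynamic
    parameter and peer_nonce the second; for the receiver it is the reverse."""

    def __init__(self, my_id, my_nonce, peer_id, peer_nonce, k_enc, k_int):
        self.my_id, self.my_nonce = my_id, my_nonce
        self.peer_id, self.peer_nonce = peer_id, peer_nonce
        self.k_enc, self.k_int = k_enc, k_int

    def auth_message(self) -> bytes:
        """Encrypt (own identity, peer's dynamic parameter, integrity
        information over both) under the shared encryption/decryption key."""
        tag = integrity_info(self.k_int, self.my_id, self.peer_nonce)
        return encrypt(self.k_enc, pack(self.my_id, self.peer_nonce, tag))

    def verify(self, ciphertext: bytes) -> bool:
        """Decrypt, then compare with the locally held peer identity, own
        dynamic parameter and locally recomputed integrity information."""
        try:
            got_id, got_nonce, got_tag = unpack(decrypt(self.k_enc, ciphertext), 3)
        except ValueError:
            return False
        expected = integrity_info(self.k_int, self.peer_id, self.my_nonce)
        return (hmac.compare_digest(got_id, self.peer_id)
                and hmac.compare_digest(got_nonce, self.my_nonce)
                and hmac.compare_digest(got_tag, expected))


def make_pair(n1: bytes, n2: bytes, k_enc: bytes, k_int: bytes) -> tuple:
    """Sender and receiver as the network-side node leaves them: same keys,
    each holding the other's identity and the other's dynamic parameter."""
    sender = Peer(b"IMEI-sender", n1, b"IMEI-receiver", n2, k_enc, k_int)
    receiver = Peer(b"IMEI-receiver", n2, b"IMEI-sender", n1, k_enc, k_int)
    return sender, receiver


def mutual_auth(sender: Peer, receiver: Peer) -> tuple:
    """Run the exchange; the receiver answers only after the sender passes.
    Returns (sender passed at receiver, receiver passed at sender)."""
    if not receiver.verify(sender.auth_message()):
        return (False, False)
    return (True, sender.verify(receiver.auth_message()))
```

Each side encrypts its own identity together with the other side's random number, which is why a message recorded from an earlier session cannot be replayed: the verifier compares the decrypted number against the one it generated for this session. The page places the integrity protection information inside the encrypted payload; a deployment would normally use an authenticated encryption mode instead, so that the ciphertext is rejected before any decrypted field is inspected.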
In order to solve the above technical problem, the invention provides a device of secure communication applied to a network-side node, including:
a communication module, configured to: after receiving a request message sent by a sender device that needs to carry out device-to-device (D2D) communication with a receiver device, obtain first information from the request message and send a request message carrying the first information to the receiver device; and after receiving a response message indicating agreement returned by the receiver device, obtain second information from the response message;
a key management module, configured to generate a shared key for the D2D communication according to the first information and the second information, send the shared key to the sender device and the receiver device respectively, and send the second information to the sender device.
Further, the device also includes the following feature:
the first information includes identity information of the sender device, and the second information includes identity information of the receiver device; or the first information includes identity information of the sender device and a first dynamic parameter, and the second information includes identity information of the receiver device and a second dynamic parameter.
Further, the device also includes the following feature:
the key management module, configured to generate the shared key for the D2D communication according to the first information and the second information, is configured to:
use a root key as the seed key and the identity information of the sender device and the receiver device as the diversification parameters of the deployed key generation algorithm, and use the key generation algorithm to generate the shared key for the D2D communication; or
use a root key as the seed key and the identity information of the sender device and the receiver device, together with the first dynamic parameter and the second dynamic parameter that ensure key freshness, as the diversification parameters of the deployed key generation algorithm, and use the key generation algorithm to generate the shared key for the D2D communication.
Further, the device also includes the following feature:
The key management module using the key generation algorithm to generate the shared key for the D2D communication includes: when the key generation algorithm includes a first key generation algorithm and the shared key includes a shared encryption/decryption key, using the first key generation algorithm to generate the shared encryption/decryption key for the D2D communication; or, when the key generation algorithm includes a first key generation algorithm and a second key generation algorithm and the shared key includes a shared encryption/decryption key and a shared integrity protection key, using the first key generation algorithm to generate the shared encryption/decryption key for the D2D communication and using the second key generation algorithm to generate the shared integrity protection key for the D2D communication.
Further, the device also includes the following feature:
The first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
Further, the device also includes the following feature:
The network side node includes: a base station, a Home Subscriber Server (HSS), a D2D functional node (ProSE Function) or a Serving GPRS Support Node (SGSN).
Further, the device also includes the following feature:
The identity information of the device includes at least one of the following: the International Mobile Equipment Identity (IMEI) information of the device, the International Mobile Subscriber Identity (IMSI) information of the device, and the identity information of the application that needs to carry out D2D communication.
Further, the device also includes the following feature:
The communication module, after sending the request message carrying the first information to the receiver device, is further for: after receiving a response message indicating refusal returned by the receiver device, terminating the D2D communication process.
In order to solve the above technical problem, the invention provides a device for secure communication, applied to the sender device of device-to-device communication, including:
a key management module, for, when the sender device needs to carry out device-to-device (D2D) communication with a receiver device, sending a request message carrying first information to a network side node, and, after receiving a shared key and second information sent by the network side node, notifying an authentication module;
an authentication module, for carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information;
wherein the second information is sent by the receiver device to the network side node and then sent by the network side node to the sender device.
Further, the device also includes the following feature:
The first information includes the identity information of the sender device, and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
encrypting the identity information of the sender device with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information used for authentication sent by the receiver device, decrypting the second encrypted information with the shared encryption/decryption key, comparing the information obtained after decryption with the locally stored identity information of the receiver device, and, if the two are consistent, confirming that the receiver device has passed authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device with the shared encryption/decryption key.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, the authentication module carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information used for authentication sent by the receiver device, decrypting the second encrypted information with the shared encryption/decryption key, comparing the information obtained after decryption with the locally stored identity information of the receiver device and the first dynamic parameter, and, if the two are consistent, confirming that the receiver device has passed authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
processing the identity information of the sender device with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information; and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information used for authentication sent by the receiver device, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device with the shared integrity protection key to generate the integrity protection information of the receiver device, comparing the information obtained after decryption with the locally stored identity information of the receiver device and the integrity protection information of the receiver device generated at this end, and, if the two are consistent, confirming that the receiver device has passed authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device with the shared integrity protection key.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, the authentication module carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device, the second dynamic parameter and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information; and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information used for authentication sent by the receiver device, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate the integrity protection information of the receiver device, comparing the information obtained after decryption with the locally stored identity information of the receiver device, the first dynamic parameter and the integrity protection information of the receiver device generated at this end, and, if the two are consistent, confirming that the receiver device has passed authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device, the first dynamic parameter and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key.
Further, the device also includes the following feature:
The first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
Further, the device also includes the following feature:
The identity information of the device includes at least one of the following: the International Mobile Equipment Identity (IMEI) information of the device, the International Mobile Subscriber Identity (IMSI) information of the device, and the identity information of the application that needs to carry out D2D communication.
In order to solve the above technical problem, the invention provides a device for secure communication, applied to the receiver device of device-to-device communication, including:
a key management module, for, after receiving a request message carrying first information sent by a network side node, returning a response message to the network side node, wherein the response message carries second information when it indicates agreement; and, after receiving a shared key sent by the network side node, notifying an authentication module;
an authentication module, for carrying out mutual authentication with the sender device based on the shared key, the first information and the second information;
wherein the first information is sent by the sender device to the network side node and then sent by the network side node to the receiver device.
Further, the device also includes the following feature:
The first information includes the identity information of the sender device, and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module carrying out mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving first encrypted information used for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key, comparing the information obtained after decryption with the locally stored identity information of the sender device, and, if the two are consistent, confirming that the sender device has passed authentication; then encrypting the identity information of the receiver device with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device with the shared encryption/decryption key.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, the authentication module carrying out mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving first encrypted information used for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key, comparing the information obtained after decryption with the locally stored identity information of the sender device and the second dynamic parameter, and, if the two are consistent, confirming that the sender device has passed authentication; then encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module carrying out mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving first encrypted information used for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device with the shared integrity protection key to generate the integrity protection information of the sender device, comparing the information obtained after decryption with the locally stored identity information of the sender device and the integrity protection information of the sender device generated at this end, and, if the two are consistent, confirming that the sender device has passed authentication; then processing the identity information of the receiver device with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device with the shared integrity protection key.
Further, the device also includes the following feature:
When the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, the authentication module carrying out mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving first encrypted information used for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate the integrity protection information of the sender device, comparing the information obtained after decryption with the locally stored identity information of the sender device, the second dynamic parameter and the integrity protection information of the sender device generated at this end, and, if the two are consistent, confirming that the sender device has passed authentication; then processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device, the first dynamic parameter and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device, the second dynamic parameter and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key.
Further, the device also includes the following feature:
The first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
Further, the device also includes the following feature:
The identity information of the device includes at least one of the following: the International Mobile Equipment Identity (IMEI) information of the device, the International Mobile Subscriber Identity (IMSI) information of the device, and the identity information of the application that needs to carry out D2D communication.
Compared with the prior art, in the method, device and system for secure communication provided by the present invention, when devices need to carry out device-to-device (D2D) communication, the network side node obtains the identity information of both communicating parties, generates a shared key for the D2D communication according to the identity information of both devices, or according to the identity information of both devices together with dynamic parameters that ensure key freshness, and sends the shared key to both communicating devices; the two devices carry out mutual authentication for the D2D communication based on the shared key, establishing a security association and a trust relationship to ensure the high security of the D2D communication.
Brief description of the drawings
Fig. 1 is a flow chart of a method for secure communication according to an embodiment of the present invention (network side node).
Fig. 2 is a flow chart of a method for secure communication according to an embodiment of the present invention (sender device).
Fig. 3 is a flow chart of a method for secure communication according to an embodiment of the present invention (receiver device).
Fig. 4 is a schematic structural diagram of a device for secure communication according to an embodiment of the present invention (network side node).
Fig. 5 is a schematic structural diagram of a device for secure communication according to an embodiment of the present invention (sender device).
Fig. 6 is a schematic structural diagram of a device for secure communication according to an embodiment of the present invention (receiver device).
Fig. 7 is a schematic structural diagram of a system for secure communication according to an embodiment of the present invention.
Fig. 8 is an information interaction diagram of a method for secure communication according to an application example of the present invention.
Fig. 9 is an information interaction diagram of another method for secure communication according to an application example of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be noted that, provided they do not conflict, the embodiments in this application and the features in the embodiments may be combined with each other arbitrarily.
As shown in Fig. 1, an embodiment of the present invention provides a method for secure communication, applied to a network side node, the method including:
S10, after receiving a request message sent by a sender device that needs to carry out device-to-device (D2D) communication with a receiver device, obtaining first information from the request message and sending a request message carrying the first information to the receiver device;
S20, after receiving a response message indicating agreement returned by the receiver device, obtaining second information from the response message;
S30, generating a shared key for the D2D communication according to the first information and the second information;
S40, sending the shared key to the sender device and the receiver device respectively, and sending the second information to the sender device.
The method may also include the following features:
wherein the network side node includes: a base station, an HSS (Home Subscriber Server), a D2D functional node ProSE Function or an SGSN (Serving GPRS Support Node);
wherein the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter;
wherein the identity information of the device includes at least one of the following: the IMEI (International Mobile Equipment Identity) information of the device, the IMSI (International Mobile Subscriber Identification Number) information of the device, and the identity information of the application that needs to carry out D2D communication;
wherein generating a shared key for the D2D communication according to the first information and the second information includes:
using a root key as the seed key and the identity information of the sender device and the receiver device as the diversification parameters of the deployed key generation algorithm, and using the key generation algorithm to generate the shared key for the D2D communication; or
using a root key as the seed key and the identity information of the sender device and the receiver device together with the first dynamic parameter and the second dynamic parameter, which ensure key freshness, as the diversification parameters of the deployed key generation algorithm, and using the key generation algorithm to generate the shared key for the D2D communication;
wherein the key generation algorithm includes a first key generation algorithm, and using the key generation algorithm to generate the shared key for the D2D communication includes: using the first key generation algorithm to generate a shared encryption/decryption key for the D2D communication; or
the key generation algorithm includes a first key generation algorithm and a second key generation algorithm, the shared key includes a shared encryption/decryption key and a shared integrity protection key, and using the key generation algorithm to generate the shared key for the D2D communication includes: using the first key generation algorithm to generate the shared encryption/decryption key for the D2D communication, and using the second key generation algorithm to generate the shared integrity protection key for the D2D communication;
wherein the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication;
wherein, after sending the request message carrying the first information to the receiver device, the method further includes: after receiving a response message indicating refusal returned by the receiver device, terminating the D2D communication process;
wherein the root key is managed and maintained by the network side node;
wherein the sender device and the receiver device are devices that have passed network AKA (Authentication and Key Agreement) authentication.
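As an added worked model (not code from the patent), the following Python sketches the key-derivation step claimed for the network side node and the mutual-authentication exchange claimed for the sender and receiver devices: two shared keys are derived from a root key diversified by both identities and both dynamic parameters, and each device then sends its own identity, the peer's dynamic parameter and integrity protection information encrypted under the shared encryption/decryption key, which the peer decrypts and compares with its locally held values. The concrete key generation algorithm (HMAC-SHA256 with distinct labels), the encryption (an HMAC-SHA256 keystream under a fresh nonce, a stand-in for the cipher the page leaves unspecified), and the IMEI-style sample identities are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN = 16


def kdf(root_key: bytes, label: bytes, *params: bytes) -> bytes:
    """Assumed key generation algorithm: the root key is the seed key and the
    identities / dynamic parameters are the diversification parameters. The
    label separates the first (encryption) and second (integrity) algorithm."""
    h = hmac.new(root_key, label, hashlib.sha256)
    for p in params:
        h.update(len(p).to_bytes(2, "big") + p)  # length-prefix each field
    return h.digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(k_enc: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the unspecified encryption: fresh nonce + XOR keystream."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(k_enc, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(k_enc: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(k_enc, nonce, len(body))))


def integrity_info(k_int: bytes, identity: bytes, dyn: bytes) -> bytes:
    """'Integrity protection information' over an identity and a dynamic parameter."""
    return hmac.new(k_int, identity + dyn, hashlib.sha256).digest()


@dataclass
class Device:
    identity: bytes                      # constructed IMEI-style identity
    dyn: bytes = field(default_factory=lambda: os.urandom(16))  # own random number
    k_enc: bytes = b""
    k_int: bytes = b""
    peer_identity: bytes = b""
    peer_dyn: bytes = b""


def network_node_keys(root_key: bytes, first_info, second_info):
    """Network side node (S30): two key generation algorithms give two shared
    keys, both bound to the identities and to the freshness parameters R1, R2."""
    id_a, r1 = first_info
    id_b, r2 = second_info
    return (kdf(root_key, b"d2d-enc", id_a, id_b, r1, r2),
            kdf(root_key, b"d2d-int", id_a, id_b, r1, r2))


def build_auth_message(me: Device) -> bytes:
    """Encrypt (own identity, peer's dynamic parameter, integrity info): proves
    possession of both shared keys and knowledge of the peer's fresh value."""
    mac = integrity_info(me.k_int, me.identity, me.peer_dyn)
    return encrypt(me.k_enc, me.identity + me.peer_dyn + mac)


def verify_auth_message(me: Device, msg: bytes) -> bool:
    """Decrypt, recompute the expected fields locally, compare in constant time."""
    pt = decrypt(me.k_enc, msg)
    expected = me.peer_identity + me.dyn + integrity_info(me.k_int, me.peer_identity, me.dyn)
    return hmac.compare_digest(pt, expected)


def run_protocol(root_key: bytes, sender: Device, receiver: Device, accept: bool = True):
    """Whole flow; returns (status, sender_authenticated, receiver_authenticated)."""
    first_info = (sender.identity, sender.dyn)        # S10: request to the network node
    if not accept:                                     # refusal: network terminates D2D
        return "terminated", False, False
    second_info = (receiver.identity, receiver.dyn)    # S20: agreement response
    k_enc, k_int = network_node_keys(root_key, first_info, second_info)
    for dev, peer in ((sender, second_info), (receiver, first_info)):   # S40
        dev.k_enc, dev.k_int = k_enc, k_int
        dev.peer_identity, dev.peer_dyn = peer
    sender_ok = verify_auth_message(receiver, build_auth_message(sender))
    receiver_ok = sender_ok and verify_auth_message(sender, build_auth_message(receiver))
    return "ok", sender_ok, receiver_ok


if __name__ == "__main__":
    root = bytes(range(32))                            # constructed root key
    a, b = Device(b"IMEI-35000000000001"), Device(b"IMEI-35000000000002")
    print(run_protocol(root, a, b))                    # ('ok', True, True)
```

Because the dynamic parameters enter both the key derivation and the authentication messages, a message captured from one session neither decrypts nor verifies in a later session with the same identities.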
As shown in Fig. 2, an embodiment of the present invention provides a method for secure communication, applied to the sender device of device-to-device communication, the method including:
S10, when the sender device needs to carry out device-to-device (D2D) communication with a receiver device, sending a request message carrying first information to a network side node;
S20, after receiving a shared key and second information sent by the network side node, carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information;
wherein the second information is sent by the receiver device to the network side node and then sent by the network side node to the sender device.
Described method can also include following feature:
Wherein, described network side node includes: base station, home signature user server HSS, D2D merit
Can node ProSE Function or Serving GPRS Support Node SGSN;
Wherein, the described first information includes the identity information of sender's equipment, and described second information includes
The identity information of receiver equipment;Or the described first information includes the identity information and of sender's equipment
One dynamic parameter, and described second information includes identity information and second dynamic parameter of receiver equipment;
Wherein, the identity information of described equipment include following at least one: the international mobile device mark of equipment
Know IMEI information, the international mobile subscriber identity IMSI information of equipment carries out D2D with needs and communicates
The identity information of application;
Wherein, when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, performing mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
encrypting the identity information of the sender device with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information sent by the receiver device for authentication, decrypting the second encrypted information with the shared encryption/decryption key, comparing the decrypted information with the locally stored identity information of the receiver device, and, if the two are consistent, confirming that the receiver device has passed authentication;
Wherein, the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device with the shared encryption/decryption key.
Wherein, when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, performing mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information sent by the receiver device for authentication, decrypting the second encrypted information with the shared encryption/decryption key, comparing the decrypted information with the locally stored identity information of the receiver device and the first dynamic parameter, and, if the two are consistent, confirming that the receiver device has passed authentication;
Wherein, the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key.
Wherein, when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, performing mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
processing the identity information of the sender device with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information sent by the receiver device for authentication, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device with the shared integrity protection key to generate the integrity protection information of the receiver device, comparing the decrypted information with the locally stored identity information of the receiver device and the locally generated integrity protection information of the receiver device, and, if the two are consistent, confirming that the receiver device has passed authentication;
Wherein, the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device with the shared integrity protection key;
Wherein, when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, performing mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device, the second dynamic parameter and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information sent by the receiver device for authentication, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate the integrity protection information of the receiver device, comparing the decrypted information with the locally stored identity information of the receiver device, the first dynamic parameter and the locally generated integrity protection information of the receiver device, and, if the two are consistent, confirming that the receiver device has passed authentication;
Wherein, the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device, the first dynamic parameter and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key;
Wherein, the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication, and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
As shown in Figure 3, an embodiment of the present invention provides a method of secure communication, applied to the receiver device of a device-to-device communication. The method includes:
S10, after receiving a request message carrying first information sent by a network-side node, returning a response message to the network-side node; wherein, when the response message indicates agreement, it carries second information;
S20, after receiving the shared key sent by the network-side node, performing mutual authentication with the sender device based on the shared key, the first information and the second information;
Wherein, the first information is sent by the sender device to the network-side node and then sent by the network-side node to the receiver device;
The method may further include the following features:
Wherein, the network-side node includes: a base station, a Home Subscriber Server (HSS), a D2D function node (ProSe Function) or a Serving GPRS Support Node (SGSN);
Wherein, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter;
Wherein, the identity information of a device includes at least one of the following: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI) of the device, and the identity information of the application that needs to perform D2D communication;
Wherein, when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, performing mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving the first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, comparing the decrypted information with the locally stored identity information of the sender device, and, if the two are consistent, confirming that the sender device has passed authentication; then encrypting the identity information of the receiver device with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
Wherein, the first encrypted information is generated by the sender device by encrypting the identity information of the sender device with the shared encryption/decryption key.
Wherein, when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, performing mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving the first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, comparing the decrypted information with the locally stored identity information of the sender device and the second dynamic parameter, and, if the two are consistent, confirming that the sender device has passed authentication; then encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
Wherein, the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key.
Wherein, when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, performing mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving the first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device with the shared integrity protection key to generate the integrity protection information of the sender device, comparing the decrypted information with the locally stored identity information of the sender device and the locally generated integrity protection information of the sender device, and, if the two are consistent, confirming that the sender device has passed authentication; then processing the identity information of the receiver device with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
Wherein, the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device with the shared integrity protection key.
Wherein, when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, performing mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving the first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate the integrity protection information of the sender device, comparing the decrypted information with the locally stored identity information of the sender device, the second dynamic parameter and the locally generated integrity protection information of the sender device, and, if the two are consistent, confirming that the sender device has passed authentication; then processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device, the first dynamic parameter and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
Wherein, the first encrypted information is generated by the sender device by encrypting the identity information of the sender device, the second dynamic parameter and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key.
Wherein, the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication, and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
As shown in Figure 4, an embodiment of the present invention provides a device for secure communication, applied to a network-side node, including:
a communication module, configured to: after receiving a request message sent by a sender device that needs to perform device-to-device (D2D) communication with a receiver device, obtain first information from the request message and send a request message carrying the first information to the receiver device; and after receiving a response message returned by the receiver device that indicates agreement, obtain second information from the response message;
a key management module, configured to generate a shared key for the D2D communication according to the first information and the second information, send the shared key to the sender device and the receiver device respectively, and send the second information to the sender device.
The device may further include the following features:
Wherein, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
Wherein, the key management module being configured to generate the shared key for the D2D communication according to the first information and the second information includes:
using a root key as the seed key and the identity information of the sender device and the receiver device as the diversification parameters of a configured key generation algorithm, and using that key generation algorithm to generate the shared key for the D2D communication; or
using a root key as the seed key, and the identity information of the sender device and the receiver device together with the first dynamic parameter and the second dynamic parameter, which ensure key freshness, as the diversification parameters of a configured key generation algorithm, and using that key generation algorithm to generate the shared key for the D2D communication.
Wherein, the key management module being configured to use the key generation algorithm to generate the shared key for the D2D communication includes: when the key generation algorithm includes a first key generation algorithm and the shared key includes a shared encryption/decryption key, using the first key generation algorithm to generate the shared encryption/decryption key for the D2D communication; or when the key generation algorithm includes a first key generation algorithm and a second key generation algorithm, and the shared key includes a shared encryption/decryption key and a shared integrity protection key, using the first key generation algorithm to generate the shared encryption/decryption key for the D2D communication and using the second key generation algorithm to generate the shared integrity protection key for the D2D communication.
Wherein, the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication, and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
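As an added illustration of the key generation described for the network-side method above and for the key management module of Figure 4, the following Go program is example code written for this page; it is not the patent's or any operator's implementation. The patent does not name the key generation algorithm, so here each of the "first" and "second" algorithms is modelled as HMAC-SHA256 keyed with the root key, with a constructed label per algorithm, and the identity information and dynamic parameters are fed in as length-prefixed diversification parameters. The type and function names (SharedKeys, DeriveSharedKeys, deriveKey), the labels and the sample identities and nonces are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Labels that separate the text's "first" and "second" key generation
// algorithm; constructed for this example, not taken from the patent.
const (
	labelEnc = "D2D-ENC"
	labelInt = "D2D-INT"
)

// SharedKeys is what the network-side node sends to both devices.
type SharedKeys struct {
	Enc []byte // shared encryption/decryption key
	Int []byte // shared integrity protection key
}

// deriveKey models one key generation algorithm as HMAC-SHA256 keyed with the
// root key (seed key) over a label and the length-prefixed diversification
// parameters. The prefixes keep (ID="ab", nonce="c") and (ID="a", nonce="bc")
// from deriving the same key.
func deriveKey(rootKey []byte, label string, params ...[]byte) []byte {
	m := hmac.New(sha256.New, rootKey)
	m.Write([]byte(label))
	for _, p := range params {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(p)))
		m.Write(l[:])
		m.Write(p)
	}
	return m.Sum(nil)
}

// DeriveSharedKeys is the network-side node's step. idA and idB are the
// identity information of sender and receiver; nonceA and nonceB are the
// first and second dynamic parameter. Passing nil for both gives the
// identity-only variant, which yields the same keys for every session.
func DeriveSharedKeys(rootKey, idA, idB, nonceA, nonceB []byte) SharedKeys {
	return SharedKeys{
		Enc: deriveKey(rootKey, labelEnc, idA, idB, nonceA, nonceB),
		Int: deriveKey(rootKey, labelInt, idA, idB, nonceA, nonceB),
	}
}

func main() {
	// Constructed values: the root key never leaves the network-side node.
	root := sha256.Sum256([]byte("constructed root key"))
	idA, idB := []byte("IMEI-sender-0001"), []byte("IMEI-receiver-0002")
	s1 := DeriveSharedKeys(root[:], idA, idB, []byte("nonceA-1"), []byte("nonceB-1"))
	s2 := DeriveSharedKeys(root[:], idA, idB, []byte("nonceA-2"), []byte("nonceB-2"))
	fmt.Println("Kenc session 1:", hex.EncodeToString(s1.Enc))
	fmt.Println("Kenc session 2:", hex.EncodeToString(s2.Enc))
	fmt.Println("fresh nonces give fresh keys:", !bytes.Equal(s1.Enc, s2.Enc)) // true
}
```

The two sessions in main differ only in their nonces and obtain unrelated keys, which is the key freshness the text attributes to the first and second dynamic parameters. The identity-only variant (nil nonces) reproduces the same keys for every session between the same pair of devices, so in that variant the security of the D2D link rests entirely on the root key remaining under the node's control.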
Wherein, the network-side node includes: a base station, a Home Subscriber Server (HSS), a D2D function node (ProSe Function) or a Serving GPRS Support Node (SGSN).
Wherein, the identity information of a device includes at least one of the following: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI) of the device, and the identity information of the application that needs to perform D2D communication.
Wherein, the communication module is further configured to: after sending the request message carrying the first information to the receiver device, terminate the D2D communication process upon receiving a response message returned by the receiver device that indicates refusal.
As shown in Figure 5, an embodiment of the present invention provides a device for secure communication, applied to the sender device of a device-to-device communication, including:
a key management module, configured to: when device-to-device (D2D) communication with a receiver device is needed, send a request message carrying first information to a network-side node; and after receiving the shared key and second information sent by the network-side node, notify the authentication module;
an authentication module, configured to perform mutual authentication with the receiver device based on the shared key, the first information and the second information;
Wherein, the second information is sent by the receiver device to the network-side node and then sent by the network-side node to the sender device.
The device may further include the following features:
Wherein, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
Wherein, when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performing mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
encrypting the identity information of the sender device with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information sent by the receiver device for authentication, decrypting the second encrypted information with the shared encryption/decryption key, comparing the decrypted information with the locally stored identity information of the receiver device, and, if the two are consistent, confirming that the receiver device has passed authentication;
Wherein, the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device with the shared encryption/decryption key.
Wherein, when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, the authentication module performing mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information sent by the receiver device for authentication, decrypting the second encrypted information with the shared encryption/decryption key, comparing the decrypted information with the locally stored identity information of the receiver device and the first dynamic parameter, and, if the two are consistent, confirming that the receiver device has passed authentication;
Wherein, the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key.
Wherein, when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performing mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
processing the identity information of the sender device with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information sent by the receiver device for authentication, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device with the shared integrity protection key to generate the integrity protection information of the receiver device, comparing the decrypted information with the locally stored identity information of the receiver device and the locally generated integrity protection information of the receiver device, and, if the two are consistent, confirming that the receiver device has passed authentication;
Wherein, the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device with the shared integrity protection key.
The authentication module, in the case where the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, performs mutual authentication with the receiver device based on the shared key, the first information and the second information as follows:
processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device, the second dynamic parameter and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information for authentication sent by the receiver device, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate the integrity protection information of the receiver device, comparing the information obtained by decryption with the locally stored identity information of the receiver device, the first dynamic parameter and the integrity protection information of the receiver device generated by this terminal, and, if they are consistent, confirming that the receiver device passes authentication.
Here the second encrypted information is generated by the receiver device by encrypting, with the shared encryption/decryption key, the identity information of the receiver device, the first dynamic parameter and the second integrity protection information, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key.
The first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
The identity information of a device includes at least one of the following: the International Mobile Equipment Identity (IMEI) information of the device, the International Mobile Subscriber Identity (IMSI) information of the device, and the identity information of the application that needs to carry out D2D communication.
As shown in Figure 6, an embodiment of the invention provides a device for secure communication, applied to the receiver device of device-to-device (D2D) communication, including:
a key management module, configured to return a response message to the network side node after receiving the request message carrying the first information sent by the network side node, where the response message carries the second information when it indicates agreement, and to notify the authentication module after receiving the shared key sent by the network side node;
an authentication module, configured to perform mutual authentication with the sender device based on the shared key, the first information and the second information;
where the first information is sent by the sender device to the network side node and then forwarded by the network side node to the receiver device.
The device may further include the following features:
The first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
The authentication module, in the case where the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, performs mutual authentication with the sender device based on the shared key, the first information and the second information as follows:
after receiving the first encrypted information for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key, comparing the information obtained by decryption with the locally stored identity information of the sender device and, if they are consistent, confirming that the sender device passes authentication; encrypting the identity information of the receiver device with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information.
Here the first encrypted information is generated by the sender device by encrypting the identity information of the sender device with the shared encryption/decryption key.
The authentication module, in the case where the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the first dynamic parameter, and the second information includes the identity information of the receiver device and the second dynamic parameter, performs mutual authentication with the sender device based on the shared key, the first information and the second information as follows:
after receiving the first encrypted information for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key, comparing the information obtained by decryption with the locally stored identity information of the sender device and the second dynamic parameter and, if they are consistent, confirming that the sender device passes authentication; encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information.
Here the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key.
The authentication module, in the case where the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, performs mutual authentication with the sender device based on the shared key, the first information and the second information as follows:
after receiving the first encrypted information for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device with the shared integrity protection key to generate the integrity protection information of the sender device, comparing the information obtained by decryption with the locally stored identity information of the sender device and the integrity protection information of the sender device generated by this terminal and, if they are consistent, confirming that the sender device passes authentication; processing the identity information of the receiver device with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information.
Here the first encrypted information is generated by the sender device by encrypting, with the shared encryption/decryption key, the identity information of the sender device and the first integrity protection information, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device with the shared integrity protection key.
The authentication module, in the case where the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the first dynamic parameter, and the second information includes the identity information of the receiver device and the second dynamic parameter, performs mutual authentication with the sender device based on the shared key, the first information and the second information as follows:
after receiving the first encrypted information for authentication sent by the sender device, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate the integrity protection information of the sender device, comparing the information obtained by decryption with the locally stored identity information of the sender device, the second dynamic parameter and the integrity protection information of the sender device generated by this terminal and, if they are consistent, confirming that the sender device passes authentication; processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device, the first dynamic parameter and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information.
Here the first encrypted information is generated by the sender device by encrypting, with the shared encryption/decryption key, the identity information of the sender device, the second dynamic parameter and the first integrity protection information, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key.
The first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
The identity information of a device includes at least one of the following: the International Mobile Equipment Identity (IMEI) information of the device, the International Mobile Subscriber Identity (IMSI) information of the device, and the identity information of the application that needs to carry out D2D communication.
As shown in Figure 7, an embodiment of the invention provides a system for secure communication, applied to a device-to-device communication network and including a network side node, a sender device and a receiver device.
Application example
As shown in Figure 8, the method of establishing a secure communication process between mobile devices may include the following steps:
Step S101, the sender mobile terminal device sends a request message to the network side node, the request message including the first information.
The first information includes the identity information of the sender, or the identity information of the sender and a random number (the first random number).
The identity information of the sender mobile terminal device may be the device identity information IMEI, the subscriber identity information IMSI, or the identity information of the application that needs to carry out D2D communication.
Step S102, after receiving the request message, the network side node obtains the first information and sends a request message carrying the first information to the receiver mobile terminal device.
Step S103, after receiving the request message, the receiver mobile terminal device sends a response message to the network side node.
When the response message indicates agreement, it carries the second information. When the response message indicates refusal, the network side node terminates the D2D communication process after receiving the response message from the receiver mobile terminal device.
The second information includes the identity information of the receiver, or the identity information of the receiver and a random number (the second random number).
The identity information of the receiver mobile terminal device may be the device identity information IMEI, the subscriber identity information IMSI, or the identity information of the application that needs to carry out D2D communication.
Step S104, after receiving the response message, the network side node generates, on the network node, the shared encryption/decryption key for the D2D communication.
Where the first information includes the identity information of the sender and the second information includes the identity information of the receiver, the network side node uses the root key as the seed key, uses the identity information of the sender device and the receiver device as the diversification parameters of the deployed key generation algorithm, and generates the shared encryption/decryption key for the D2D communication with that key generation algorithm.
Where the first information includes the identity information of the sender and the first random number and the second information includes the identity information of the receiver and the second random number, the network side node uses the root key as the seed key, uses the identity information of the sender device and the receiver device together with the first random number and the second random number (which ensure key freshness) as the diversification parameters of the deployed key generation algorithm, and generates the shared encryption/decryption key for the D2D communication with that key generation algorithm.
Step S105, the network side node sends the generated shared encryption/decryption key and the response message of the receiver mobile terminal device to the sender mobile terminal device.
The sender mobile terminal device obtains the second information from the response message.
Step S106, the shared encryption/decryption key generated by the network node is sent to the receiver mobile terminal device.
Step S107, the sender mobile terminal device generates authentication information using the shared encryption/decryption key and sends it to the receiver mobile terminal device.
Where the first information includes the identity information of the sender device, the sender mobile terminal device encrypts the identity information of the sender mobile terminal device with the shared encryption/decryption key to generate first encrypted information, and sends the first encrypted information directly to the receiver mobile terminal device over the D2D communication link as authentication information.
Where the first information includes the identity information of the sender device and the first random number and the second information includes the identity information of the receiver device and the second random number, the sender mobile terminal device encrypts the identity information of the sender mobile terminal device and the second random number with the shared encryption/decryption key to generate first encrypted information, and sends the first encrypted information directly to the receiver mobile terminal device over the D2D communication link as authentication information.
Step S108, after receiving the authentication information from the sender mobile terminal device, the receiver mobile terminal device authenticates the sender mobile terminal device using the shared encryption/decryption key; after determining that the sender mobile terminal device passes authentication, it generates authentication information using the shared encryption/decryption key and sends it to the sender mobile terminal device.
Where the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the receiver mobile terminal device, after receiving the first encrypted information for authentication sent by the sender device, decrypts the first encrypted information with the shared encryption/decryption key, compares the information obtained by decryption with the locally stored identity information of the sender device and, if they are consistent, confirms that the sender mobile terminal device passes authentication; it then encrypts the identity information of the receiver device with the shared encryption/decryption key to generate second encrypted information, and sends the second encrypted information directly to the sender mobile terminal device over the D2D communication link as authentication information.
Where the first information includes the identity information of the sender device and the first random number and the second information includes the identity information of the receiver device and the second random number, the receiver mobile terminal device, after receiving the first encrypted information for authentication sent by the sender device, decrypts the first encrypted information with the shared encryption/decryption key, compares the information obtained by decryption with the locally stored identity information of the sender device and the second random number and, if they are consistent, confirms that the sender mobile terminal device passes authentication; it then encrypts the identity information of the receiver mobile terminal device and the first random number with the shared encryption/decryption key to generate second encrypted information, and sends the second encrypted information directly to the sender mobile terminal device over the D2D communication link as authentication information.
Step S109, after receiving the authentication information from the receiver mobile terminal device, the sender mobile terminal device performs authentication using the shared encryption/decryption key; after determining that the receiver mobile terminal device passes authentication, the two sides establish a secure communication connection.
Where the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the sender, after receiving the second encrypted information for authentication sent by the receiver mobile terminal device, decrypts the second encrypted information with the shared encryption/decryption key, compares the information obtained by decryption with the locally stored identity information of the receiver mobile terminal device and, if they are consistent, confirms that the receiver mobile terminal device passes authentication.
Where the first information includes the identity information of the sender mobile terminal device and the first random number and the second information includes the identity information of the receiver device and the second random number, the sender, after receiving the second encrypted information for authentication sent by the receiver mobile terminal device, decrypts the second encrypted information with the shared encryption/decryption key, compares the information obtained by decryption with the locally stored identity information of the receiver mobile terminal device and the first random number and, if they are consistent, confirms that the receiver mobile terminal device passes authentication.
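The key derivation of step S104 and the two-round mutual authentication of steps S107 to S109, carried through with the random-number variant and with the shared integrity protection key of the second embodiment (steps S204 to S209), as an added Python example that is not part of the patent. The patent leaves the key generation algorithm, the encryption algorithm and the integrity processing unspecified; the example assumes HMAC-SHA256 keyed with the root key over the identity and random-number diversification parameters as the key generation algorithm, an HMAC-SHA256 keystream with a random IV as a stand-in cipher, and HMAC-SHA256 as the integrity protection function, with constructed identities and root key.

```python
import hashlib
import hmac
import os
import struct


def encode(fields):
    """Length-prefix and concatenate byte fields so they can be split after decryption."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def decode(blob):
    """Inverse of encode(); raises ValueError on a malformed (e.g. tampered) blob."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        if pos + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def derive_shared_keys(root_key, id_sender, id_receiver, r1, r2):
    """Network side node, step S204 (assumed KDF): root key as seed, identities and
    both random numbers as diversification parameters; distinct labels give the
    shared encryption/decryption key and the shared integrity protection key."""
    params = encode([id_sender, id_receiver, r1, r2])
    enc_key = hmac.new(root_key, b"D2D-enc" + params, hashlib.sha256).digest()
    int_key = hmac.new(root_key, b"D2D-int" + params, hashlib.sha256).digest()
    return enc_key, int_key


def _keystream_xor(key, iv, data):
    """Stand-in cipher: XOR with an HMAC-SHA256 keystream in counter mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, iv + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key, plaintext):
    iv = os.urandom(16)
    return iv + _keystream_xor(key, iv, plaintext)


def decrypt(key, ciphertext):
    return _keystream_xor(key, ciphertext[:16], ciphertext[16:])


def integrity_info(int_key, identity, nonce):
    """Integrity protection information over an identity and a random number."""
    return hmac.new(int_key, encode([identity, nonce]), hashlib.sha256).digest()


def build_auth_message(enc_key, int_key, own_identity, peer_nonce):
    """Step S207 (sender) / second half of S208 (receiver): encrypt own identity,
    the peer's random number and the integrity protection information over both."""
    tag = integrity_info(int_key, own_identity, peer_nonce)
    return encrypt(enc_key, encode([own_identity, peer_nonce, tag]))


def verify_auth_message(enc_key, int_key, message, expected_identity, expected_nonce):
    """Steps S208 / S209: decrypt, then compare the decrypted identity, random number
    and integrity protection information against the locally stored values.
    The peer echoing *our* random number is what defeats replay of an old message."""
    try:
        fields = decode(decrypt(enc_key, message))
    except ValueError:
        return False
    if len(fields) != 3:
        return False
    identity, nonce, tag = fields
    expected_tag = integrity_info(int_key, expected_identity, expected_nonce)
    return (hmac.compare_digest(identity, expected_identity)
            and hmac.compare_digest(nonce, expected_nonce)
            and hmac.compare_digest(tag, expected_tag))


def run_handshake(root_key=b"constructed-root-key", id_a=b"IMEI-A", id_b=b"IMEI-B"):
    """Full exchange with constructed identities; returns (sender_ok, receiver_ok)."""
    r1, r2 = os.urandom(16), os.urandom(16)                               # S201 / S203
    enc_key, int_key = derive_shared_keys(root_key, id_a, id_b, r1, r2)   # S204
    # S205 / S206: both devices now hold enc_key and int_key.
    first = build_auth_message(enc_key, int_key, id_a, r2)                # S207
    sender_ok = verify_auth_message(enc_key, int_key, first, id_a, r2)    # S208
    second = build_auth_message(enc_key, int_key, id_b, r1)               # S208
    receiver_ok = verify_auth_message(enc_key, int_key, second, id_b, r1)  # S209
    return sender_ok, receiver_ok
```

The first embodiment (no integrity key, steps S107 to S109) corresponds to dropping the `tag` field; the random number echoed by the peer is still what binds each message to the current session.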
As shown in Figure 9, the method of establishing a secure communication process between mobile devices may also include the following steps:
Step S201, the sender mobile terminal device sends a request message to the network side node, the request message including the first information.
The first information includes the identity information of the sender, or the identity information of the sender and a random number (the first random number).
The identity information of the sender mobile terminal device may be the device identity information IMEI, the subscriber identity information IMSI, or the identity information of the application that needs to carry out D2D communication.
Step S202, after receiving the request message, the network side node obtains the first information and sends a request message carrying the first information to the receiver mobile terminal device.
Step S203, after receiving the request message, the receiver mobile terminal device sends a response message to the network side node.
When the response message indicates agreement, it carries the second information. When the response message indicates refusal, the network side node terminates the D2D communication process after receiving the response message from the receiver mobile terminal device.
The second information includes the identity information of the receiver, or the identity information of the receiver and a random number (the second random number).
The identity information of the receiver mobile terminal device may be the device identity information IMEI, the subscriber identity information IMSI, or the identity information of the application that needs to carry out D2D communication.
Step S204, after receiving the response message, the network side node generates, on the network node, the shared encryption/decryption key and the shared integrity protection key for the D2D communication.
Where the first information includes the identity information of the sender and the second information includes the identity information of the receiver, the network side node uses the root key as the seed key, uses the identity information of the sender device and the receiver device as the diversification parameters of the deployed first key generation algorithm, and generates the shared encryption/decryption key for the D2D communication with the first key generation algorithm; the network side node likewise uses the root key as the seed key, uses the identity information of the sender device and the receiver device as the diversification parameters of the deployed second key generation algorithm, and generates the shared integrity protection key for the D2D communication with the second key generation algorithm.
Where the first information includes the identity information of the sender and the first random number and the second information includes the identity information of the receiver and the second random number, the network side node uses the root key as the seed key, uses the identity information of the sender device and the receiver device, the first random number and the second random number as the diversification parameters of the deployed first key generation algorithm, and generates the shared encryption/decryption key for the D2D communication with the first key generation algorithm; the network side node likewise uses the root key as the seed key, uses the identity information of the sender device and the receiver device, the first random number and the second random number as the diversification parameters of the deployed second key generation algorithm, and generates the shared integrity protection key for the D2D communication with the second key generation algorithm.
Step S205, the network side node sends the generated shared encryption/decryption key and shared integrity protection key, together with the response message of the receiver mobile terminal device, to the sender mobile terminal device.
The sender mobile terminal device obtains the second information from the response message.
Step S206, the shared encryption/decryption key and shared integrity protection key generated by the network node are sent to the receiver mobile terminal device.
Step S207, the sender mobile terminal device generates authentication information using the shared encryption/decryption key and the shared integrity protection key and sends it to the receiver mobile terminal device.
Where the first information includes the identity information of the sender device, the sender processes the identity information of the sender device with the shared integrity protection key to generate first integrity protection information, encrypts the identity information of the sender device and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sends the first encrypted information directly to the receiver mobile terminal device over the D2D communication link as authentication information.
Where the first information includes the identity information of the sender device and the first random number and the second information includes the identity information of the receiver device and the second random number, the sender processes the identity information of the sender device and the second random number with the shared integrity protection key to generate first integrity protection information, encrypts the identity information of the sender device, the second random number and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sends the first encrypted information directly to the receiver mobile terminal device over the D2D communication link as authentication information.
Step S208, after receiving the authentication information from the sender mobile terminal device, the receiver mobile terminal device authenticates the sender mobile terminal device using the shared encryption/decryption key and the shared integrity protection key; after determining that the sender mobile terminal device passes authentication, it generates authentication information using the shared encryption/decryption key and the shared integrity protection key and sends it to the sender mobile terminal device.
Where the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the receiver mobile terminal device, after receiving the first encrypted information for authentication sent by the sender device, decrypts the first encrypted information with the shared encryption/decryption key, processes the locally stored identity information of the sender device with the shared integrity protection key to generate the integrity protection information of the sender device, compares the information obtained by decryption with the locally stored identity information of the sender device and the integrity protection information of the sender device generated by this terminal and, if they are consistent, confirms that the sender mobile terminal device passes authentication; it then processes the identity information of the receiver device with the shared integrity protection key to generate second integrity protection information, encrypts the identity information of the receiver device and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sends the second encrypted information directly to the sender mobile terminal device over the D2D communication link as authentication information.
Where the first information includes the identity information of the sender device and the first random number and the second information includes the identity information of the receiver device and the second random number, the receiver mobile terminal device, after receiving the first encrypted information for authentication sent by the sender device, decrypts the first encrypted information with the shared encryption/decryption key, processes the locally stored identity information of the sender device and the second random number with the shared integrity protection key to generate the integrity protection information of the sender device, compares the information obtained by decryption with the locally stored identity information of the sender device, the second random number and the integrity protection information of the sender device generated by this terminal and, if they are consistent, confirms that the sender mobile terminal device passes authentication; it then processes the identity information of the receiver device and the first random number with the shared integrity protection key to generate second integrity protection information, encrypts the identity information of the receiver device, the first random number and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sends the second encrypted information directly to the sender mobile terminal device over the D2D communication link as authentication information.
Step S209, the certification that sender mobile terminal equipment receives from recipient's mobile terminal device is believed
After breath, utilize shared encryption and decryption key and shared tegrity protection key to be authenticated, determining recipient
After mobile terminal device is by certification, both sides set up secure communication and connect;
Wherein, include that the identity information of sender's equipment and described second information include at the described first information
During the identity information of receiver equipment, receive that described recipient's mobile terminal device sends for recognizing
After the second of card adds confidential information, use described in described shared encryption and decryption double secret key second to add confidential information and solve
Close, at the described shared tegrity protection key identity information to the receiver equipment that this locality preserves
Reason, generates the integrity protection information of described receiver equipment, the information obtained is protected with local after deciphering
The integrity protection information of the receiver equipment that the identity information of the receiver equipment deposited and this terminal generate enters
Row compares, and as the two is consistent, then confirms that described recipient's mobile terminal device passes through certification;
Wherein, the identity information of sender mobile terminal equipment and first random is included at the described first information
When several and described second information includes identity information and second random number of receiver equipment, receiving
State recipient's mobile terminal device send after the second of certification adds confidential information, use described share add
Decruption key adds confidential information to described second and is decrypted, with described shared tegrity protection key to this locality
Identity information and first random number of the receiver equipment preserved process, and generate described receiver equipment
Integrity protection information, the identity of the information that obtain and the local receiver equipment preserved will believe after deciphering
The integrity protection information of the receiver equipment that breath, the first random number and this terminal generate compares, as
The two is consistent, then confirm that described recipient's mobile terminal device passes through certification.
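The exchange of steps S208 and S209, carried through as an added example that is not part of the patent and not the applicant's code. It implements the variant in which the first and second information carry an identity and a random number and the shared key consists of a shared encryption/decryption key and a shared integrity protection key (the variant also recited in claims 14 and 22 below); the identity-only variants simply drop the random-number field. The patent specifies neither the cipher nor the integrity algorithm, so HMAC-SHA256 is assumed here as the integrity function and an HMAC-SHA256 counter-mode keystream as a stand-in cipher; the length-prefixed field encoding, the function names and the sample identities are likewise assumptions made for this example.

```python
# Added example (not the patent's own code): D2D mutual authentication using the
# network-issued shared encryption/decryption key and shared integrity protection
# key, in the variant where first/second information carry an identity and a
# random number. ASSUMPTIONS: HMAC-SHA256 stands in for the integrity function,
# and an HMAC-SHA256 counter-mode keystream stands in for the cipher; a real
# deployment would use the radio layer's ciphering and integrity algorithms.
import hashlib
import hmac
import secrets

IV_LEN = 16


def _encode(fields):
    """Length-prefix each field so identity, random number and tag can be split again."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def _decode(data):
    """Inverse of _encode; raises ValueError on truncated or malformed input."""
    fields, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated length prefix")
        n = int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
        if pos + n > len(data):
            raise ValueError("truncated field")
        fields.append(data[pos:pos + n])
        pos += n
    return fields


def integrity_info(int_key, *fields):
    """'Integrity protection information': a MAC over the fields (assumed HMAC-SHA256)."""
    return hmac.new(int_key, _encode(fields), hashlib.sha256).digest()


def _keystream(enc_key, iv, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(enc_key, plaintext):
    """Stand-in cipher: fresh random IV, XOR with a PRF keystream (assumption)."""
    iv = secrets.token_bytes(IV_LEN)
    return iv + bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))


def decrypt(enc_key, blob):
    iv, ct = blob[:IV_LEN], blob[IV_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, iv, len(ct))))


def build_auth_info(enc_key, int_key, own_identity, peer_random):
    """Step S208 sender side: encrypt (own identity, peer's random number, MAC over both)."""
    tag = integrity_info(int_key, own_identity, peer_random)
    return encrypt(enc_key, _encode([own_identity, peer_random, tag]))


def verify_auth_info(enc_key, int_key, blob, stored_identity, stored_random):
    """Verifier side of S208/S209: decrypt, recompute the MAC from the locally stored
    identity and random number, and compare all three fields with the decrypted ones."""
    try:
        fields = _decode(decrypt(enc_key, blob))
    except ValueError:
        return False
    if len(fields) != 3:
        return False
    identity, random_number, tag = fields
    expected_tag = integrity_info(int_key, stored_identity, stored_random)
    return (hmac.compare_digest(identity, stored_identity)
            and hmac.compare_digest(random_number, stored_random)
            and hmac.compare_digest(tag, expected_tag))


def run_mutual_authentication(enc_key, int_key, sender_id, rand1, receiver_id, rand2):
    """Both sides of the exchange; True only if each side authenticates the other."""
    # Step S208: sender proves knowledge of the keys and of the receiver's random number.
    first_encrypted = build_auth_info(enc_key, int_key, sender_id, rand2)
    if not verify_auth_info(enc_key, int_key, first_encrypted, sender_id, rand2):
        return False  # receiver rejects and sends no reply
    # Receiver answers with its own identity and the sender's random number.
    second_encrypted = build_auth_info(enc_key, int_key, receiver_id, rand1)
    # Step S209: sender verifies; on success both sides set up the secure connection.
    return verify_auth_info(enc_key, int_key, second_encrypted, receiver_id, rand1)


if __name__ == "__main__":
    # Constructed sample keys and identities (not real subscriber identifiers).
    enc_key, int_key = secrets.token_bytes(32), secrets.token_bytes(32)
    ok = run_mutual_authentication(enc_key, int_key, b"IMSI-sender-0001", secrets.token_bytes(16),
                                   b"IMSI-receiver-0002", secrets.token_bytes(16))
    print("mutual authentication:", "passed" if ok else "failed")
```

Each verifier compares the decrypted identity, random number and tag against the values it holds locally, as the steps above describe. The peer's random number is what ties a message to the current session: in the identity-only variant the shared key and the encrypted identity are the same in every session, so a captured first or second encrypted information could be presented again later, whereas here a stale random number fails the comparison. Note also that the scheme as described places the integrity protection information inside the encrypted payload, so the verifier necessarily decrypts before it can check integrity; the example rejects on any mismatch without reporting which field differed.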
With the method, device and system of secure communication provided by the above embodiment, when devices need to carry out device-to-device (D2D) communication, the network side node obtains the identity information of both communicating parties, generates a shared key for the D2D communication from the identity information of the two devices, or from that identity information together with dynamic parameters that ensure key freshness, and sends it to both devices; the two devices then carry out mutual authentication for the D2D communication based on the shared key and establish a security association and trust relationship, which ensures the high security of the D2D communication.
One of ordinary skill in the art will appreciate that all or some of the steps of the above method can be carried out by a program instructing the related hardware, and that the program can be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Alternatively, all or some of the steps of the above embodiment can be implemented with one or more integrated circuits, and correspondingly each module/unit in the above embodiment can be implemented in hardware or as a software functional module. The present invention is not limited to any particular combination of hardware and software.
It should be noted that the present invention may have various other embodiments. Without departing from the spirit and essence of the invention, those of ordinary skill in the art can make various corresponding changes and modifications according to the invention, and all such changes and modifications fall within the scope of protection of the appended claims.
Claims (48)
1. A method of secure communication, applied to a network side node, the method comprising:
after receiving a request message sent by a sender device that needs to carry out device-to-device (D2D) communication with a receiver device, obtaining first information from the request message, and sending a request message carrying the first information to the receiver device;
after receiving a response message indicating agreement returned by the receiver device, obtaining second information from the response message;
generating a shared key for the D2D communication according to the first information and the second information;
sending the shared key to the sender device and to the receiver device respectively, and sending the second information to the sender device.
2. The method of claim 1, wherein:
the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
3. The method of claim 2, wherein generating the shared key for the D2D communication according to the first information and the second information includes:
using a root key as the seed key and the identity information of the sender device and of the receiver device as the diversification parameters of the deployed key derivation algorithm, and generating the shared key for the D2D communication with the key derivation algorithm; or
using a root key as the seed key and the identity information of the sender device and of the receiver device together with the first dynamic parameter and the second dynamic parameter, which ensure key freshness, as the diversification parameters of the deployed key derivation algorithm, and generating the shared key for the D2D communication with the key derivation algorithm.
4. The method of claim 3, wherein:
the key derivation algorithm includes a first key derivation algorithm and the shared key includes a shared encryption/decryption key, and generating the shared key for the D2D communication with the key derivation algorithm includes: generating the shared encryption/decryption key for the D2D communication with the first key derivation algorithm; or
the key derivation algorithm includes a first key derivation algorithm and a second key derivation algorithm, and the shared key includes a shared encryption/decryption key and a shared integrity protection key, and generating the shared key for the D2D communication with the key derivation algorithm includes: generating the shared encryption/decryption key for the D2D communication with the first key derivation algorithm, and generating the shared integrity protection key for the D2D communication with the second key derivation algorithm.
5. The method of claim 2, 3 or 4, wherein:
the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
6. The method of any one of claims 1 to 4, wherein:
the network side node includes: a base station, a Home Subscriber Server (HSS), a D2D function node (ProSe Function) or a Serving GPRS Support Node (SGSN).
7. The method of any one of claims 1 to 4, wherein:
the identity information of a device includes at least one of: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI), and the identity information of the application on the device that needs to carry out the D2D communication.
8. The method of claim 1, wherein after sending the request message carrying the first information to the receiver device, the method further includes:
after receiving a response message indicating refusal returned by the receiver device, terminating the D2D communication procedure.
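The network-side procedure of claims 1 to 8, carried through as an added example that is not part of the patent and not the applicant's code. The claims name no specific key derivation algorithm and no source for the root key; this example assumes HMAC-SHA256 keyed with the root key as the key derivation algorithm, with the two identities (and, in the freshness variant, the two dynamic parameters) as length-prefixed diversification parameters, and the labels "D2D-ENC" and "D2D-INT" are invented here to keep the first and second key derivation algorithm apart. The dictionary layout of the request and the `ask_receiver` callback, which stands in for the request and response messages exchanged with the receiver device, are likewise assumptions.

```python
# Added example (not the patent's own code): network-side shared-key generation
# and distribution as recited in claims 1 to 8. ASSUMPTIONS: HMAC-SHA256 keyed
# with the root key is the key derivation algorithm; the labels below separate
# the first (encryption) and second (integrity) algorithm; the message formats
# are invented for this example.
import hashlib
import hmac
import secrets


def _encode(params):
    # Length-prefix each diversification parameter so that (b"AB", b"C") and
    # (b"A", b"BC") cannot derive the same key.
    return b"".join(len(p).to_bytes(2, "big") + p for p in params)


def key_derivation(root_key, label, params):
    """One key derivation algorithm: root key as seed, identities and dynamic
    parameters as diversification input (claim 3)."""
    return hmac.new(root_key, label + _encode(params), hashlib.sha256).digest()


def generate_shared_key(root_key, first_info, second_info, with_integrity=True):
    """Claims 3 and 4. first_info/second_info are dicts with 'identity' and, in the
    freshness variant, 'dynamic' (random number or time parameter). Returns the
    shared encryption/decryption key and, if requested, the shared integrity key."""
    params = [first_info["identity"], second_info["identity"]]
    has_first, has_second = "dynamic" in first_info, "dynamic" in second_info
    if has_first != has_second:
        raise ValueError("both sides must supply a dynamic parameter, or neither")
    if has_first:
        params += [first_info["dynamic"], second_info["dynamic"]]
    enc_key = key_derivation(root_key, b"D2D-ENC", params)  # first algorithm
    if not with_integrity:
        return enc_key, None
    int_key = key_derivation(root_key, b"D2D-INT", params)  # second algorithm
    return enc_key, int_key


class NetworkSideNode:
    """Claims 1 and 8: forward the first information, collect the second information,
    derive the shared key and hand it to both devices, or stop on refusal."""

    def __init__(self, root_key):
        self._root_key = root_key

    def handle_request(self, request, ask_receiver):
        """request: {'sender': id, 'receiver': id, 'first_info': {...}} (assumed layout).
        ask_receiver(receiver_id, first_info) models the request message carrying the
        first information and returns ('agree', second_info) or ('refuse', None)."""
        first_info = request["first_info"]
        decision, second_info = ask_receiver(request["receiver"], first_info)
        if decision != "agree":
            return None  # claim 8: terminate the D2D procedure on refusal
        enc_key, int_key = generate_shared_key(self._root_key, first_info, second_info)
        return {
            # sender gets the shared key and the receiver's second information
            "to_sender": {"shared_key": (enc_key, int_key), "second_info": second_info},
            # receiver already knows the first information; it only needs the key
            "to_receiver": {"shared_key": (enc_key, int_key)},
        }


if __name__ == "__main__":
    # Constructed sample identities and random numbers (not real IMSI/IMEI values).
    node = NetworkSideNode(root_key=secrets.token_bytes(32))

    def receiver_agrees(receiver_id, first_info):
        return "agree", {"identity": receiver_id, "dynamic": secrets.token_bytes(16)}

    result = node.handle_request(
        {"sender": b"IMSI-A", "receiver": b"IMSI-B",
         "first_info": {"identity": b"IMSI-A", "dynamic": secrets.token_bytes(16)}},
        receiver_agrees)
    print("shared encryption key:", result["to_sender"]["shared_key"][0].hex())
```

Because the dynamic parameters enter the derivation, two sessions between the same pair of devices yield different keys, which is the freshness the claims describe; with identities alone the same pair always derives the same key. The check that both sides supply a dynamic parameter or neither does is an addition of this example, so that a one-sided value cannot silently degrade to the identity-only derivation.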
9. A method of secure communication, applied to a sender device of device-to-device communication, the method comprising:
when device-to-device (D2D) communication with a receiver device is needed, sending a request message carrying first information to a network side node;
after receiving the shared key and the second information sent by the network side node, carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information;
wherein the second information is sent by the receiver device to the network side node and then forwarded by the network side node to the sender device.
10. The method of claim 9, wherein:
the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
11. The method of claim 10, wherein when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
encrypting the identity information of the sender device with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information sent by the receiver device for authentication, decrypting the second encrypted information with the shared encryption/decryption key and comparing the decrypted information with the locally stored identity information of the receiver device; if the two match, confirming that the receiver device passes authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device with the shared encryption/decryption key.
12. The method of claim 10, wherein when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information sent by the receiver device for authentication, decrypting the second encrypted information with the shared encryption/decryption key and comparing the decrypted information with the locally stored identity information of the receiver device and the first dynamic parameter; if the two match, confirming that the receiver device passes authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key.
13. The method of claim 10, wherein when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
processing the identity information of the sender device with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information sent by the receiver device for authentication, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device with the shared integrity protection key to generate the integrity protection information of the receiver device, and comparing the decrypted information with the locally stored identity information of the receiver device and the integrity protection information of the receiver device generated by this terminal; if the two match, confirming that the receiver device passes authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device with the shared integrity protection key.
14. The method of claim 10, wherein when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, carrying out mutual authentication with the receiver device based on the shared key, the first information and the second information includes:
processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device, the second dynamic parameter and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving second encrypted information sent by the receiver device for authentication, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate the integrity protection information of the receiver device, and comparing the decrypted information with the locally stored identity information of the receiver device, the first dynamic parameter and the integrity protection information of the receiver device generated by this terminal; if the two match, confirming that the receiver device passes authentication;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device, the first dynamic parameter and second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key.
15. The method of any one of claims 9 to 14, wherein:
the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
16. The method of any one of claims 9 to 14, wherein:
the identity information of a device includes at least one of: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI), and the identity information of the application on the device that needs to carry out the D2D communication.
17. A method of secure communication, applied to a receiver device of device-to-device communication, the method comprising:
after receiving a request message carrying first information sent by a network side node, returning a response message to the network side node, wherein the response message carries second information when it indicates agreement;
after receiving the shared key sent by the network side node, carrying out mutual authentication with the sender device based on the shared key, the first information and the second information;
wherein the first information is sent by the sender device to the network side node and then forwarded by the network side node to the receiver device.
18. The method of claim 17, wherein:
the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter.
19. The method of claim 18, wherein when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, carrying out mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key and comparing the decrypted information with the locally stored identity information of the sender device; if the two match, confirming that the sender device passes authentication, encrypting the identity information of the receiver device with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device with the shared encryption/decryption key.
20. The method of claim 18, wherein when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, carrying out mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key and comparing the decrypted information with the locally stored identity information of the sender device and the second dynamic parameter; if the two match, confirming that the sender device passes authentication, encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key.
21. The method of claim 18, wherein when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, carrying out mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device with the shared integrity protection key to generate the integrity protection information of the sender device, and comparing the decrypted information with the locally stored identity information of the sender device and the integrity protection information of the sender device generated by this terminal; if the two match, confirming that the sender device passes authentication, processing the identity information of the receiver device with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device with the shared integrity protection key.
22. The method of claim 18, wherein when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and a first dynamic parameter, and the second information includes the identity information of the receiver device and a second dynamic parameter, carrying out mutual authentication with the sender device based on the shared key, the first information and the second information includes:
after receiving first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate the integrity protection information of the sender device, and comparing the decrypted information with the locally stored identity information of the sender device, the second dynamic parameter and the integrity protection information of the sender device generated by this terminal; if the two match, confirming that the sender device passes authentication, processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device, the first dynamic parameter and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device, the second dynamic parameter and first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key.
23. The method of any one of claims 17 to 22, wherein:
the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
24. The method of any one of claims 17 to 22, wherein:
the identity information of a device includes at least one of: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI), and the identity information of the application on the device that needs to carry out the D2D communication.
The device of 25. 1 kinds of secure communications, is applied to network side node, including:
Communication module, for after receiving the request message needing to carry out sender's equipment transmission that equipment D2D is communicated by equipment with receiver equipment, from described request message, obtain the first information, send the request message carrying the described first information to described receiver equipment;After the response message receiving the instruction agreement that described receiver equipment returns, from described response message, obtain the second information;
Key management module, for generating the shared key for described D2D communication according to the described first information and the second information;Described shared key is sent respectively to described sender's equipment and receiver equipment, and described second information is sent to described sender's equipment.
26. devices as claimed in claim 25, it is characterised in that:
The described first information includes the identity information of sender's equipment, and described second information includes the identity information of receiver equipment;Or the described first information includes identity information and first dynamic parameter of sender's equipment, and described second information includes identity information and second dynamic parameter of receiver equipment.
27. devices as claimed in claim 26, it is characterised in that:
Key management module, for generating the shared key for described D2D communication according to the described first information and the second information, including:
Using root key as seed key, using the identity information of described sender's equipment and receiver equipment as the scattering parameter of the key schedule disposed, described key schedule is used to generate the shared key communicated for described D2D;Or
Using root key as seed key, using described sender's equipment and the identity information of receiver equipment and be used for the scattering parameter ensureing the first dynamic parameter of key novelty and the second dynamic parameter as the key schedule disposed, described key schedule is used to generate the shared key communicated for described D2D.
28. devices as claimed in claim 27, it is characterised in that:
Key management module, for including the first key schedule at described key schedule, and described shared key is when including sharing encryption and decryption key, described key schedule is used to generate the shared key communicated for described D2D, including: use described first key schedule to generate the shared encryption and decryption key communicated for described D2D;Or include the first key schedule and the second key schedule at described key schedule; and described shared key is when including sharing encryption and decryption key and shared tegrity protection key; described key schedule is used to generate the shared key communicated for described D2D; including: use described first key schedule to generate the shared encryption and decryption key communicated for described D2D, use described second key schedule to generate the shared tegrity protection key communicated for described D2D.
29. The device as claimed in claim 26, 27 or 28, characterised in that:
the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
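The derivation in claims 27 to 29, shown as an added example rather than code from the patent. It assumes HMAC-SHA256 as the deployed key derivation algorithm, the labels "D2D-ENC" and "D2D-INT" to separate the first and second key schedules, and constructed sample values for the root key, identities and dynamic parameters. It also adds the check a practitioner would want before deploying either variant: the static variant (identities only) yields the same key in every session, the dynamic variant does not, and diversification parameters have to be length-prefixed before concatenation or two different identity pairs can derive the same key.

```python
"""Network-side shared-key derivation for D2D (claims 27 to 29). Added example,
not the patent's own code. Assumes HMAC-SHA256 as the key derivation algorithm
and the labels "D2D-ENC" / "D2D-INT" for the first and second key schedules."""
import hashlib
import hmac
import os
from typing import Optional, Tuple


def _canonical(params: list) -> bytes:
    """Length-prefix each diversification parameter before concatenation, so the
    identity pair (b"ab", b"c") and the pair (b"a", b"bc") derive different keys."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in params)


def derive_shared_keys(root_key: bytes, sender_id: bytes, receiver_id: bytes,
                       dyn_sender: Optional[bytes] = None,
                       dyn_receiver: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (shared encryption/decryption key, shared integrity protection key).

    Without dynamic parameters this is the static variant of claim 27: the keys
    depend only on the root key and the two identities. With a first and second
    dynamic parameter (random numbers or time parameters, claim 29) the keys are
    fresh for every D2D session."""
    params = [sender_id, receiver_id]
    if dyn_sender is not None or dyn_receiver is not None:
        if dyn_sender is None or dyn_receiver is None:
            raise ValueError("both dynamic parameters are required for the fresh-key variant")
        params += [dyn_sender, dyn_receiver]
    material = _canonical(params)
    # First key schedule -> encryption/decryption key; second -> integrity key.
    k_enc = hmac.new(root_key, b"D2D-ENC" + material, hashlib.sha256).digest()
    k_int = hmac.new(root_key, b"D2D-INT" + material, hashlib.sha256).digest()
    return k_enc, k_int


def freshness_check(root_key: bytes, sender_id: bytes, receiver_id: bytes) -> dict:
    """Compare the two variants over two sessions of the same device pair."""
    static_a = derive_shared_keys(root_key, sender_id, receiver_id)
    static_b = derive_shared_keys(root_key, sender_id, receiver_id)
    fresh_a = derive_shared_keys(root_key, sender_id, receiver_id, os.urandom(16), os.urandom(16))
    fresh_b = derive_shared_keys(root_key, sender_id, receiver_id, os.urandom(16), os.urandom(16))
    return {
        "static_repeats": static_a == static_b,     # same key every session
        "fresh_differs": fresh_a != fresh_b,        # new key per session
        "enc_int_separate": fresh_a[0] != fresh_a[1],
    }


def concatenation_is_ambiguous() -> bool:
    """Naive concatenation of identities collides; the length-prefixed form does not."""
    naive = (b"ab" + b"c") == (b"a" + b"bc")
    prefixed = _canonical([b"ab", b"c"]) == _canonical([b"a", b"bc"])
    return naive and not prefixed


if __name__ == "__main__":
    ROOT_KEY = os.urandom(32)               # constructed stand-in for the operator root key
    SENDER_ID = b"IMSI:460001234567890"     # constructed sample identities
    RECEIVER_ID = b"IMSI:460009876543210"
    print(freshness_check(ROOT_KEY, SENDER_ID, RECEIVER_ID))
    print("naive concatenation ambiguous:", concatenation_is_ambiguous())
```

With the static variant a node that reuses the same root key and identities hands out the same pair of keys session after session, so any compromise of one session's keys is a compromise of all of them; the dynamic parameters are what make the shared key unique per session.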
30. The device as claimed in claim 25, 26, 27 or 28, characterised in that:
the network side node is a base station, a Home Subscriber Server (HSS), a D2D function node (ProSe Function), or a Serving GPRS Support Node (SGSN).
31. The device as claimed in claim 25, 26, 27 or 28, characterised in that:
the identity information of a device includes at least one of: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI), and the identity information of the application on the device that needs to perform the D2D communication.
32. The device as claimed in claim 25, characterised in that:
after sending the request message carrying the first information to the receiver device, the communication module further terminates the D2D communication process when it receives a response message indicating refusal returned by the receiver device.
33. A secure communication device, applied to a sender device in device-to-device communication, comprising:
a key management module, configured to send a request message carrying the first information to a network side node when device-to-device (D2D) communication with a receiver device is required, and, after receiving the shared key and the second information sent by the network side node, to notify the authentication module;
an authentication module, configured to perform mutual authentication with the receiver device based on the shared key, the first information and the second information;
wherein the second information is sent by the receiver device to the network side node and then forwarded by the network side node to the sender device.
34. The device as claimed in claim 33, characterised in that:
the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information and a first dynamic parameter of the sender device and the second information includes the identity information and a second dynamic parameter of the receiver device.
35. The device as claimed in claim 34, characterised in that:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performs mutual authentication with the receiver device based on the shared key, the first information and the second information by:
encrypting the identity information of the sender device with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information sent by the receiver device once it has passed authentication, decrypting the second encrypted information with the shared encryption/decryption key, comparing the decrypted information with the locally stored identity information of the receiver device, and confirming that the receiver device has passed authentication if the two are consistent;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device with the shared encryption/decryption key.
36. The device as claimed in claim 34, characterised in that:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information and the first dynamic parameter of the sender device and the second information includes the identity information and the second dynamic parameter of the receiver device, the authentication module performs mutual authentication with the receiver device based on the shared key, the first information and the second information by:
encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information sent by the receiver device once it has passed authentication, decrypting the second encrypted information with the shared encryption/decryption key, comparing the decrypted information with the locally stored identity information of the receiver device and the first dynamic parameter, and confirming that the receiver device has passed authentication if the two are consistent;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key.
37. The device as claimed in claim 34, characterised in that:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performs mutual authentication with the receiver device based on the shared key, the first information and the second information by:
processing the identity information of the sender device with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information sent by the receiver device once it has passed authentication, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device with the shared integrity protection key to generate the integrity protection information of the receiver device, comparing the decrypted information with the locally stored identity information of the receiver device and the integrity protection information generated by this terminal, and confirming that the receiver device has passed authentication if the two are consistent;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device and the second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device with the shared integrity protection key.
38. The device as claimed in claim 34, characterised in that:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information and the first dynamic parameter of the sender device and the second information includes the identity information and the second dynamic parameter of the receiver device, the authentication module performs mutual authentication with the receiver device based on the shared key, the first information and the second information by:
processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate first integrity protection information; encrypting the identity information of the sender device, the second dynamic parameter and the first integrity protection information with the shared encryption/decryption key to generate first encrypted information, and sending the first encrypted information to the receiver device as authentication information;
after receiving the second encrypted information sent by the receiver device once it has passed authentication, decrypting the second encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate the integrity protection information of the receiver device, comparing the decrypted information with the locally stored identity information of the receiver device, the first dynamic parameter and the integrity protection information generated by this terminal, and confirming that the receiver device has passed authentication if the two are consistent;
wherein the second encrypted information is generated by the receiver device by encrypting the identity information of the receiver device, the first dynamic parameter and the second integrity protection information with the shared encryption/decryption key, and the second integrity protection information is generated by the receiver device by processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key.
39. The device as claimed in any one of claims 33 to 38, characterised in that:
the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
40. The device as claimed in any one of claims 33 to 38, characterised in that:
the identity information of a device includes at least one of: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI), and the identity information of the application on the device that needs to perform the D2D communication.
41. A secure communication device, applied to a receiver device in device-to-device communication, comprising:
a key management module, configured to return a response message to a network side node after receiving a request message carrying the first information sent by the network side node, the response message carrying the second information when it indicates agreement, and, after receiving the shared key sent by the network side node, to notify the authentication module;
an authentication module, configured to perform mutual authentication with the sender device based on the shared key, the first information and the second information;
wherein the first information is sent by the sender device to the network side node and then forwarded by the network side node to the receiver device.
42. The device as claimed in claim 41, characterised in that:
the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device; or the first information includes the identity information and a first dynamic parameter of the sender device and the second information includes the identity information and a second dynamic parameter of the receiver device.
43. The device as claimed in claim 42, characterised in that:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performs mutual authentication with the sender device based on the shared key, the first information and the second information by:
after receiving the first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, comparing the decrypted information with the locally stored identity information of the sender device, and, if the two are consistent, confirming that the sender device has passed authentication, encrypting the identity information of the receiver device with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device with the shared encryption/decryption key.
44. The device as claimed in claim 42, characterised in that:
when the shared key includes a shared encryption/decryption key, the first information includes the identity information and the first dynamic parameter of the sender device and the second information includes the identity information and the second dynamic parameter of the receiver device, the authentication module performs mutual authentication with the sender device based on the shared key, the first information and the second information by:
after receiving the first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, comparing the decrypted information with the locally stored identity information of the sender device and the second dynamic parameter, and, if the two are consistent, confirming that the sender device has passed authentication, encrypting the identity information of the receiver device and the first dynamic parameter with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and the second dynamic parameter with the shared encryption/decryption key.
45. The device as claimed in claim 42, characterised in that:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information of the sender device and the second information includes the identity information of the receiver device, the authentication module performs mutual authentication with the sender device based on the shared key, the first information and the second information by:
after receiving the first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device with the shared integrity protection key to generate the integrity protection information of the sender device, comparing the decrypted information with the locally stored identity information of the sender device and the integrity protection information generated by this terminal, and, if the two are consistent, confirming that the sender device has passed authentication, processing the identity information of the receiver device with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device and the first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device with the shared integrity protection key.
46. The device as claimed in claim 42, characterised in that:
when the shared key includes a shared encryption/decryption key and a shared integrity protection key, the first information includes the identity information and the first dynamic parameter of the sender device and the second information includes the identity information and the second dynamic parameter of the receiver device, the authentication module performs mutual authentication with the sender device based on the shared key, the first information and the second information by:
after receiving the first encrypted information sent by the sender device for authentication, decrypting the first encrypted information with the shared encryption/decryption key, processing the locally stored identity information of the sender device and the second dynamic parameter with the shared integrity protection key to generate the integrity protection information of the sender device, comparing the decrypted information with the locally stored identity information of the sender device, the second dynamic parameter and the integrity protection information generated by this terminal, and, if the two are consistent, confirming that the sender device has passed authentication, processing the identity information of the receiver device and the first dynamic parameter with the shared integrity protection key to generate second integrity protection information, encrypting the identity information of the receiver device, the first dynamic parameter and the second integrity protection information with the shared encryption/decryption key to generate second encrypted information, and sending the second encrypted information to the sender device as authentication information;
wherein the first encrypted information is generated by the sender device by encrypting the identity information of the sender device, the second dynamic parameter and the first integrity protection information with the shared encryption/decryption key, and the first integrity protection information is generated by the sender device by processing the identity information of the sender device and the second dynamic parameter with the shared integrity protection key.
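The two-message exchange of claims 35 to 38 (sender side) and 43 to 46 (receiver side), carried through as an added example for the fullest variant (claims 38 and 46: both dynamic parameters and both keys); the other variants are the same exchange with fewer fields. This is not code from the patent. It assumes the shared keys are derived with HMAC-SHA256 from a root key as in the earlier derivation example; the encryption/decryption key drives an HMAC-SHA256 keystream in counter mode with a random 16-byte IV in place of a block cipher, so the block runs on the standard library alone; and the identities, root key and dynamic parameters are constructed sample values. Each side encrypts its own identity together with the other side's dynamic parameter and an integrity tag over both, exactly as the claims lay out, and the peer rebuilds the expected plaintext from what it stored locally rather than trusting fields it decrypts.

```python
"""Mutual D2D authentication with a shared encryption/decryption key K_enc and a
shared integrity protection key K_int (claims 38 / 46). Added example, not the
patent's code. Stand-ins: HMAC-SHA256 keystream instead of a block cipher;
constructed identities, root key and nonces."""
import hashlib
import hmac
import os
from typing import Tuple


def _lp(*parts: bytes) -> bytes:
    """Length-prefix and join fields so identity and dynamic parameter cannot be re-split."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def derive_keys(root_key: bytes, sender_id: bytes, receiver_id: bytes,
                n_s: bytes, n_r: bytes) -> Tuple[bytes, bytes]:
    """Network-side derivation: first schedule -> K_enc, second schedule -> K_int."""
    material = _lp(sender_id, receiver_id, n_s, n_r)
    k_enc = hmac.new(root_key, b"D2D-ENC" + material, hashlib.sha256).digest()
    k_int = hmac.new(root_key, b"D2D-INT" + material, hashlib.sha256).digest()
    return k_enc, k_int


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(k_enc: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(16)
    return iv + bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, iv, len(plaintext))))


def decrypt(k_enc: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:16], ciphertext[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(k_enc, iv, len(body))))


def make_auth_message(k_enc: bytes, k_int: bytes, own_id: bytes, peer_nonce: bytes) -> bytes:
    """Encrypted information = Enc(K_enc, own_id || peer_nonce || MAC(K_int, own_id || peer_nonce)).
    The sender includes the second dynamic parameter, the receiver the first one."""
    body = _lp(own_id, peer_nonce)
    tag = hmac.new(k_int, body, hashlib.sha256).digest()
    return encrypt(k_enc, body + tag)


def verify_auth_message(k_enc: bytes, k_int: bytes, message: bytes,
                        expected_peer_id: bytes, own_nonce: bytes) -> bool:
    """Decrypt, rebuild identity || nonce || MAC from locally stored values, compare in constant time."""
    expected_body = _lp(expected_peer_id, own_nonce)
    expected_tag = hmac.new(k_int, expected_body, hashlib.sha256).digest()
    return hmac.compare_digest(decrypt(k_enc, message), expected_body + expected_tag)


def run_session(root_key: bytes, sender_id: bytes, receiver_id: bytes,
                tamper: bool = False) -> Tuple[bool, bool]:
    """One D2D session: (receiver accepted sender, sender accepted receiver)."""
    n_s, n_r = os.urandom(16), os.urandom(16)      # first / second dynamic parameter
    k_enc, k_int = derive_keys(root_key, sender_id, receiver_id, n_s, n_r)
    # Sender -> receiver: first encrypted information (sender id, second dynamic parameter).
    first = make_auth_message(k_enc, k_int, sender_id, n_r)
    if tamper:                                     # one flipped ciphertext bit in transit
        first = first[:-1] + bytes([first[-1] ^ 0x01])
    if not verify_auth_message(k_enc, k_int, first, sender_id, n_r):
        return False, False                        # receiver rejects; no second message sent
    # Receiver -> sender: second encrypted information (receiver id, first dynamic parameter).
    second = make_auth_message(k_enc, k_int, receiver_id, n_s)
    return True, verify_auth_message(k_enc, k_int, second, receiver_id, n_s)


def replay_rejected(root_key: bytes, sender_id: bytes, receiver_id: bytes) -> bool:
    """A first encrypted information captured in one session fails in the next one:
    both the keys and the nonce the receiver expects have changed."""
    n_s1, n_r1 = os.urandom(16), os.urandom(16)
    k1 = derive_keys(root_key, sender_id, receiver_id, n_s1, n_r1)
    captured = make_auth_message(k1[0], k1[1], sender_id, n_r1)
    n_s2, n_r2 = os.urandom(16), os.urandom(16)
    k2 = derive_keys(root_key, sender_id, receiver_id, n_s2, n_r2)
    return not verify_auth_message(k2[0], k2[1], captured, sender_id, n_r2)


if __name__ == "__main__":
    ROOT = os.urandom(32)                                       # constructed root key
    S, R = b"IMEI:356938035643809", b"IMEI:490154203237518"     # constructed sample identities
    print("honest session:", run_session(ROOT, S, R))           # (True, True)
    print("tampered first message:", run_session(ROOT, S, R, tamper=True))   # (False, False)
    print("replay rejected:", replay_rejected(ROOT, S, R))      # True
```

The comparison deliberately runs against the locally stored identity and locally generated dynamic parameter, as the claims specify, which is what stops a peer from simply asserting an identity inside the ciphertext; with a keystream cipher every flipped ciphertext bit lands in the plaintext or the tag and surfaces as a mismatch.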
47. The device as claimed in any one of claims 41 to 46, characterised in that:
the first dynamic parameter includes a first random number and the second dynamic parameter includes a second random number; or the first dynamic parameter includes a first time parameter related to the time of the D2D communication and the second dynamic parameter includes a second time parameter related to the time of the D2D communication.
48. The device as claimed in any one of claims 41 to 46, characterised in that:
the identity information of a device includes at least one of: the International Mobile Equipment Identity (IMEI) of the device, the International Mobile Subscriber Identity (IMSI), and the identity information of the application on the device that needs to perform the D2D communication.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510176166.3A CN106162631A (en) | 2015-04-14 | 2015-04-14 | A kind of methods, devices and systems of secure communication |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106162631A true CN106162631A (en) | 2016-11-23 |
Family
ID=57337034
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510176166.3A Pending CN106162631A (en) | 2015-04-14 | 2015-04-14 | A kind of methods, devices and systems of secure communication |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106162631A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100169669A1 (en) * | 2008-12-31 | 2010-07-01 | Ned Smith | Method and apparatus for enforcing use of danbury key management services for software applied full volume encryption |
CN103415010A (en) * | 2013-07-18 | 2013-11-27 | 中国联合网络通信集团有限公司 | D2D network authentication method and system |
WO2014037277A1 (en) * | 2012-09-06 | 2014-03-13 | Koninklijke Kpn N.V. | Establishing a device-to-device communication session |
WO2014059657A1 (en) * | 2012-10-19 | 2014-04-24 | Nokia Corporation | Method and device of generating a key for device-to-device communication between a first user equipment and a second user equipment |
CN103813309A (en) * | 2012-11-15 | 2014-05-21 | 中兴通讯股份有限公司 | SIP (session initiate protocol)-based inter-MIC (Multimedia Telephone Communication) device secure communication method, device and system |
Application events
- 2015-04-14: CN201510176166.3A filed in CN (publication CN106162631A), status Pending
Non-Patent Citations (1)
Title |
---|
DAJIANG ZHANG, MIRKO CANO SIVERI: "TS 33.401: System Architecture Evolution (SAE); Security architecture", 3GPP |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018072152A1 (en) * | 2016-10-19 | 2018-04-26 | 中兴通讯股份有限公司 | Secure communication method, apparatus, and system |
CN108521641A (en) * | 2018-03-29 | 2018-09-11 | 维沃移动通信有限公司 | A kind of D2D communications generate the methods, devices and systems of key |
CN111404667A (en) * | 2019-01-02 | 2020-07-10 | 中国移动通信有限公司研究院 | Key generation method, terminal equipment and network equipment |
CN111404667B (en) * | 2019-01-02 | 2023-05-09 | 中国移动通信有限公司研究院 | Key generation method, terminal equipment and network equipment |
CN112449323A (en) * | 2019-08-14 | 2021-03-05 | 华为技术有限公司 | Communication method, device and system |
CN112449323B (en) * | 2019-08-14 | 2022-04-05 | 华为技术有限公司 | Communication method, device and system |
CN112040486A (en) * | 2020-08-19 | 2020-12-04 | 广东以诺通讯有限公司 | Safe direct connection communication method and terminal based on 5GD2D service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | |
Application publication date: 2016-11-23