CN114339745B - Key distribution method, system and related equipment - Google Patents


Publication number: CN114339745B
Application number: CN202111623599.0A
Authority: CN (China)
Prior art keywords: key, AKMA, terminal, identifier, session
Legal status: Active (granted)
Other languages: Chinese (zh)
Other versions: CN114339745A (en)
Inventors: 李金慧, 于文良, 黄铖斌, 王聪丽, 薛伟佳
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd; priority to CN202111623599.0A; published as CN114339745A, granted as CN114339745B.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a key distribution method, a system and related equipment, and relates to the field of network security. The key distribution method comprises the following steps: the key management device, in response to an application for establishing a secure session sent by the terminal, acquires a session key from the AAnF network element; the key management device sends a secure session establishment response to the terminal; the key management device receives an application key acquisition request sent by the terminal, wherein the application key acquisition request comprises a user identifier and an application identifier of the terminal user; the key management device generates a device public key and a device private key corresponding to the user identifier and the application identifier; the key management device encrypts the device private key by using the session key; the key management device sends the encrypted device private key to the terminal so that the terminal decrypts the encrypted device private key with the session key to obtain the device private key; the key management device sends the device public key to the authentication and authorization device of the application server.

Description

Key distribution method, system and related equipment
Technical Field
The present invention relates to the field of network security, and in particular, to a method, a system, and related devices for distributing a key.
Background
At present, a simplified and lightweight application-layer authentication and key management scheme has been designed for Internet of Things scenarios, namely AKMA (Authentication and Key Management for Applications). AKMA is strongly bound to the operator: completion of primary authentication is treated as completion of service authentication, the application fully trusts the operator's authentication result, and a session key for secure communication can be derived directly from the network's primary authentication key.
Currently, many devices need to access multiple applications. For example, in a smart home scenario one device may host multiple sensors, access multiple applications and perform multiple authentications; the AKMA security mechanism by itself cannot meet this requirement.
Industrial internet scenarios place higher requirements on device security; generally, primary authentication at the network layer is performed first, followed by secondary authentication at the application layer. In the related art there are two ways to implement secondary authentication: the first presets an initial application key in the device; the second adds a cryptographic module to the device to generate a public-private key pair for application-layer authentication.
Disclosure of Invention
On analysis, the inventors found that the first method in the related art carries the risk of large-scale leakage of the initial keys; as for the second method, many industrial devices are relatively old, have low performance and limited computing capacity, so adding a cryptographic module to each device affects device performance and is costly.
One technical problem to be solved by the embodiments of the invention is therefore: how to improve the security of application-layer initial key acquisition while reducing the performance impact on the device.
According to a first aspect of some embodiments of the present invention, there is provided a key distribution method comprising: a key management device, in response to an application for establishing a secure session sent by a terminal, acquires a session key from an AAnF network element, wherein the session key is generated by the AAnF network element based on an AKMA root key and the terminal generates the same session key based on the AKMA root key; the key management device sends a secure session establishment response to the terminal; the key management device receives an application key acquisition request sent by the terminal, wherein the application key acquisition request comprises a user identifier and an application identifier of the terminal user; the key management device generates a device public key and a device private key corresponding to the user identifier and the application identifier; the key management device encrypts the device private key by using the session key; the key management device sends the encrypted device private key to the terminal so that the terminal decrypts the encrypted device private key with the session key to obtain the device private key; the key management device sends the device public key to the authentication device of the application server, so that the terminal and the authentication device use the device private key and the device public key respectively to execute the application-layer security protection process.
In some embodiments, the key management device acquiring the session key from the AAnF network element in response to an application for establishing a secure session sent by the terminal comprises: the key management device receives an application for establishing a secure session sent by the terminal, wherein the application comprises an AKMA root key identifier pre-generated by the terminal; the key management device sends a session key acquisition request to the AAnF network element, wherein the session key acquisition request comprises the AKMA root key identifier and the identifier of the key management device, so that the AAnF network element determines the previously acquired AKMA root key according to the AKMA root key identifier and derives the session key based on the AKMA root key; the key management device receives a session key acquisition response sent by the AAnF network element, wherein the session key acquisition response comprises the session key.
In some embodiments, the key distribution method further comprises: the key management device receives an application key update request sent by the terminal, wherein the application key update request comprises the user identifier and the application identifier of the terminal user; the key management device updates the device public key and the device private key corresponding to the user identifier and the application identifier; the key management device encrypts the updated device private key using the session key; the key management device sends the encrypted updated device private key to the terminal so that the terminal decrypts it with the session key to obtain the updated device private key; the key management device sends the updated device public key to the authentication device of the application server.
In some embodiments, the key distribution method further comprises: after the terminal and the authentication server function (AUSF) complete the primary authentication process, the terminal and the AUSF generate an AUSF base key; the AUSF generates an AKMA root key and an AKMA root key identifier based on the AUSF base key; the terminal generates the same AKMA root key and AKMA root key identifier as the AUSF based on the AUSF base key; the AUSF sends an AKMA registration request to an AAnF network element, wherein the AKMA registration request comprises a user identifier, the AKMA root key and the AKMA root key identifier; the AUSF receives an AKMA registration response sent by the AAnF network element.
In some embodiments, the key distribution method further comprises: during registration of the terminal in the network, the AUSF sends a primary authentication request to the unified data management (UDM), wherein the primary authentication request comprises the user identifier of the terminal; the AUSF receives a primary authentication response sent by the UDM, wherein the primary authentication response comprises an authentication vector and an AKMA identifier, the AKMA identifier indicating that the terminal subscribes to the AKMA service.
In some embodiments, the key management device is deployed within the 5G core network (5GC) or accesses the 5GC through a network exposure function (NEF).
According to a second aspect of some embodiments of the present invention, there is provided a key management apparatus comprising: a session key acquisition module configured to acquire a session key from an AAnF network element in response to an application for establishing a secure session sent by the terminal, wherein the session key is generated by the AAnF network element based on an AKMA root key and the terminal generates the same session key based on the AKMA root key; a response module configured to send a secure session establishment response to the terminal; a request acquisition module configured to receive an application key acquisition request sent by the terminal, wherein the application key acquisition request comprises a user identifier and an application identifier of the terminal user; a generation module configured to generate a device public key and a device private key corresponding to the user identifier and the application identifier; an encryption module configured to encrypt the device private key using the session key; and a sending module configured to send the encrypted device private key to the terminal so that the terminal decrypts it with the session key to obtain the device private key, and to send the device public key to the authentication device of the application server so that the terminal and the authentication device can execute the application-layer security protection process using the device private key and the device public key respectively.
In some embodiments, the session key acquisition module is further configured to: receiving an application for establishing a secure session sent by a terminal, wherein the application for establishing the secure session comprises an AKMA root key identifier pre-generated by the terminal; transmitting a session key acquisition request to an AAnF network element, wherein the session key acquisition request comprises an AKMA root key identifier and an identifier of a key management device, so that the AAnF network element determines an AKMA root key acquired in advance according to the AKMA root key identifier and derives the session key based on the AKMA root key; receiving a session key acquisition response sent by the AAnF network element, wherein the session key acquisition response comprises a session key; and sending a secure session establishment response to the terminal.
In some embodiments, the key management device further comprises a storage module configured to store the device public key and the device private key corresponding to the user identifier and the application identifier, and the AKMA root key identifier.
In some embodiments, the key management device further comprises an updating module configured to update the device public key and the device private key corresponding to the user identifier and the application identifier after the key management device receives an application key update request sent by the terminal, wherein the application key update request comprises the user identifier and the application identifier of the terminal user.
According to a third aspect of some embodiments of the present invention, there is provided a key management apparatus comprising: a memory; and a processor coupled to the memory, the processor configured to perform any of the foregoing key distribution methods based on instructions stored in the memory.
According to a fourth aspect of some embodiments of the present invention, there is provided a key distribution system comprising: any one of the foregoing key management devices; a terminal configured to generate an AKMA root key and an AKMA root key identifier based on the AUSF base key after completing the primary authentication process with the AUSF; and an AUSF configured to generate the same AKMA root key and AKMA root key identifier as the terminal based on the same AUSF base key as the terminal, to send an AKMA registration request to an AAnF network element, wherein the AKMA registration request comprises a user identifier, the AKMA root key and the AKMA root key identifier, and to receive an AKMA registration response sent by the AAnF network element.
In some embodiments, the terminal is further configured to initiate a primary authentication request to the AUSF through the AMF network element; the AUSF is further configured to send a primary authentication request to the UDM, wherein the primary authentication request comprises the user identifier of the terminal, and to receive a primary authentication response sent by the UDM, wherein the primary authentication response comprises an authentication vector and an AKMA identifier, the AKMA identifier indicating that the terminal subscribes to the AKMA service.
In some embodiments, the key distribution system further comprises an AAnF network element configured to determine the previously acquired AKMA root key according to the AKMA root key identifier after receiving the session key acquisition request sent by the key management device, and to derive the session key based on the AKMA root key.
According to a fifth aspect of some embodiments of the present invention, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements any of the foregoing key distribution methods.
Some embodiments of the invention have the following advantages. The embodiments decouple the device from the application within the AKMA security mechanism: one device can access multiple services and perform multiple authentications, allowing flexible configuration of devices and applications. The terminal device can securely obtain the application-layer initial key online, which improves the terminal's security protection capability; the terminal can then perform application-layer authentication, signature verification, key negotiation, data encryption and other security functions, while the security problem of key leakage that arises when the application layer generates and distributes initial keys at scale is avoided.
Other features of the present invention and its advantages will become apparent from the following detailed description of exemplary embodiments of the invention, which proceeds with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are only some embodiments of the invention, and that other drawings can be obtained according to these drawings without inventive faculty for a person skilled in the art.
Fig. 1 illustrates a flow diagram of a key distribution method according to some embodiments of the invention.
Fig. 2 shows a flow diagram of a key distribution method according to further embodiments of the invention.
Fig. 3 illustrates a flow diagram of a key distribution method according to some embodiments of the invention.
Fig. 4 illustrates a schematic diagram of a key management apparatus according to some embodiments of the present invention.
Fig. 5 illustrates a schematic diagram of a key distribution system according to some embodiments of the invention.
Fig. 6 illustrates a network architecture diagram according to some embodiments of the invention.
Fig. 7 illustrates a schematic view of a scenario in accordance with some embodiments of the invention.
Fig. 8 is a schematic diagram showing the structure of a key management apparatus according to other embodiments of the present invention.
Fig. 9 is a schematic diagram showing the structure of a key management apparatus according to still other embodiments of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. The following description of at least one exemplary embodiment is merely exemplary in nature and is in no way intended to limit the invention, its application, or uses. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The relative arrangement of the components and steps, numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless it is specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective parts shown in the drawings are not drawn in actual scale for convenience of description.
Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail, but should be considered part of the specification where appropriate.
In all examples shown and discussed herein, any specific values should be construed as merely illustrative, and not a limitation. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further discussion thereof is necessary in subsequent figures.
Fig. 1 illustrates a flow diagram of a key distribution method according to some embodiments of the invention. As shown in fig. 1, the key distribution method of this embodiment includes steps S102 to S124.
The terminal performs a main authentication process by interacting with the device on the network side. After the primary authentication is completed, the terminal and the AAnF (AKMA anchor function) network element acquire the same AKMA root key.
In step S102, the AAnF network element generates a session key based on the AKMA root key.
In step S104, the terminal generates the same session key as the AAnF network element based on the AKMA root key.
In step S106, the key management device receives an application (request) for establishing a secure session sent by the terminal.
In some embodiments, the key management device is deployed within the 5GC (5G core network) or accesses it through a network exposure function (NEF).
In step S108, the key management device acquires a session key from the AAnF network element.
In step S110, the key management device transmits a secure session establishment response to the terminal.
In step S112, the key management device receives an application key acquisition request sent by the terminal, where the application key acquisition request includes a user identifier and an application identifier of the terminal user.
In some embodiments, the user identifier of the end user is the SUPI (Subscription Permanent Identifier) or the SUCI (Subscription Concealed Identifier).
In some embodiments, in addition to the user identifier and the application identifier, the application key acquisition request may include a data network name (DNN) identifier, and one DNN may correspond to one or more application identifiers.
In step S114, the key management apparatus generates a device public key and a device private key corresponding to the user identification and the application identification.
In step S116, the key management apparatus encrypts the device private key using the session key.
In step S118, the key management apparatus transmits the encrypted device private key to the terminal.
In step S120, the terminal decrypts the encrypted device private key with the session key to obtain the device private key.
Therefore, the key management device distributes the private key through a secure session channel with the terminal, so that the terminal can use a public-private key mechanism to perform security functions such as signing, signature verification, non-repudiation, anti-replay and integrity protection with the authentication and authorization device of the application server, and the operator's key management capability is thereby exposed.
In step S122, the key management apparatus transmits the device public key to the authentication device of the application server.
In step S124, the terminal and the authentication device use the device private key and the device public key, respectively, to execute security protection processes such as application layer authentication, signature verification, key negotiation, and data encryption.
This embodiment decouples the device from the application within the AKMA security mechanism: one device can access multiple services and perform multiple authentications, allowing flexible configuration of devices and applications. The terminal device can securely obtain the application-layer initial key online, which improves the terminal's security protection capability; the terminal can then perform application-layer authentication, signature verification, key negotiation, data encryption and other security functions, while the security problem of key leakage that arises when the application layer generates and distributes initial keys at scale is avoided.
The above embodiments also enhance the operator's capability exposure: by opening key management capability to vertical industries, application costs for those industries are reduced.
In some embodiments, when the terminal loses the device private key, it may also request a key update. For example, the key management device receives an application key update request sent by the terminal, wherein the application key update request comprises the user identifier and the application identifier of the terminal user; the key management device updates the device public key and the device private key corresponding to the user identifier and the application identifier; the key management device encrypts the updated device private key using the session key; the key management device sends the encrypted updated device private key to the terminal so that the terminal decrypts it with the session key to obtain the updated device private key; the key management device sends the updated device public key to the authentication device of the application server.
Therefore, when the device private key is lost, it can be replaced promptly, which improves security.
The primary authentication procedure within the AKMA procedure of the invention is described below with reference to fig. 2.
Fig. 2 shows a flow diagram of a key distribution method according to further embodiments of the invention. As shown in fig. 2, the key distribution method of this embodiment includes the primary authentication steps S202 to S206 in addition to steps S102 to S124.
In step S202, the terminal sends a registration request carrying the user identifier to the AMF network element, so that the AMF network element initiates a primary authentication request carrying the user identifier to the AUSF (Authentication Server Function).
In step S204, the AUSF sends a primary authentication request to the UDM (Unified Data Management), wherein the primary authentication request includes the user identifier of the terminal.
In step S206, the AUSF receives a primary authentication response sent by the UDM, where the primary authentication response includes an authentication vector and an AKMA identifier, and the AKMA identifier indicates that the terminal subscribes to an AKMA service.
If the terminal has subscribed to the AKMA service, the AUSF derives the AKMA-related keys based on the AUSF base key.
After the primary authentication is completed, the terminal and the AUSF can generate the AKMA root key from the AUSF base key; see, for example, steps S208 to S214.
In step S208, the AUSF generates the same AKMA root key and AKMA root key identification as the terminal based on the AUSF base key.
The AUSF base key is generated by the terminal and the AUSF once they have completed the primary authentication process.
In step S210, the terminal generates an AKMA root key and an AKMA root key identity identical to the AUSF based on the same AUSF base key as the AUSF.
In step S212, the AUSF sends an AKMA registration request to the AAnF network element, wherein the AKMA registration request includes a user identity, an AKMA root key, and an AKMA root key identity.
In step S214, the AUSF receives an AKMA registration response sent by the AAnF network element.
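Steps S208 to S214 as an added Go example (not the patent's or China Telecom's code): the AUSF and the terminal each derive the AKMA root key and its identifier from the shared AUSF base key, and the AUSF registers the result with the AAnF. The page does not give the derivation, so the HMAC-SHA256 construction, the labels "AKMA" and "A-TID", the identifier format and the home network identifier example.hni are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// kdf is a constructed HMAC-SHA256 derivation. The 3GPP KDF and its input parameters are not on the page,
// so the labels used below are this example's assumptions, not the specification's values.
func kdf(key []byte, label, supi string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(label + "|" + supi))
	return mac.Sum(nil)
}

// DeriveAKMA is run identically by the AUSF (S208) and the terminal (S210) on the shared AUSF base key.
// The identifier is a truncated, hex-encoded derivation joined to a constructed home network identifier,
// so it can name the root key in signalling without revealing it.
func DeriveAKMA(kAUSF []byte, supi string) (kAKMA []byte, akid string) {
	kAKMA = kdf(kAUSF, "AKMA", supi)
	akid = hex.EncodeToString(kdf(kAUSF, "A-TID", supi)[:8]) + "@example.hni"
	return kAKMA, akid
}

type akmaRecord struct {
	SUPI  string
	KAKMA []byte
}

// AAnF stores what the AUSF registers (S212/S214), indexed by the AKMA root key identifier.
type AAnF struct{ records map[string]akmaRecord }

func NewAAnF() *AAnF { return &AAnF{records: map[string]akmaRecord{}} }

// Register is the AKMA registration request; the registration response is the returned error (nil on success).
// A fresh primary authentication for the same subscriber replaces the record; rebinding an identifier to
// another subscriber is refused.
func (a *AAnF) Register(supi, akid string, kAKMA []byte) error {
	if old, ok := a.records[akid]; ok && old.SUPI != supi {
		return errors.New("AKMA root key identifier already registered for a different subscriber")
	}
	a.records[akid] = akmaRecord{SUPI: supi, KAKMA: kAKMA}
	return nil
}

// RegisterAfterPrimaryAuth plays the AUSF side once primary authentication has produced kAUSF and
// returns the identifier the terminal will later present to the key management device.
func RegisterAfterPrimaryAuth(aanf *AAnF, kAUSF []byte, supi string) (string, error) {
	kAKMA, akid := DeriveAKMA(kAUSF, supi)
	return akid, aanf.Register(supi, akid, kAKMA)
}

// TerminalAgrees checks that the terminal, deriving independently from the same base key, holds the same
// root key and identifier that the AAnF now has on record.
func TerminalAgrees(aanf *AAnF, kAUSF []byte, supi string) bool {
	kAKMA, akid := DeriveAKMA(kAUSF, supi)
	rec, ok := aanf.records[akid]
	return ok && rec.SUPI == supi && hmac.Equal(rec.KAKMA, kAKMA)
}
```

TerminalAgrees is the check a practitioner wants after this exchange: the terminal never receives the root key over the air, so agreement with what the AAnF holds depends entirely on both sides running the same derivation on the same base key. Register refuses to rebind an identifier to a different subscriber, while re-registration for the same subscriber after a fresh primary authentication simply replaces the record.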
An embodiment in which the key management apparatus acquires a session key is described below with reference to fig. 3.
Fig. 3 illustrates a flow diagram of a key distribution method according to some embodiments of the invention. As shown in fig. 3, in this embodiment, step S106 is specifically step S1061, and step S108 specifically includes steps S1081 to S1083.
In step S1061, the key management device obtains an application for establishing a secure session sent by the terminal, where the application for establishing a secure session includes an AKMA root key identifier pre-generated by the terminal.
In step S1081, the key management device sends a session key acquisition request to the AAnF network element, where the session key acquisition request includes an AKMA root key identifier and an identifier of the key management device.
In step S1082, the AAnF network element determines the pre-acquired AKMA root key according to the AKMA root key identifier, and derives the session key based on the AKMA root key.
The AAnF network element stores the correspondence between the AKMA root key identifier and the AKMA root key in advance. Therefore, only the identifier needs to be transmitted in the signalling flow, not the key itself, which improves security.
In step S1083, the key management device receives a session key acquisition response sent by the AAnF network element, where the session key acquisition response includes the session key.
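The sequence of fig. 1 (steps S102 to S124) together with the refinement of fig. 3 (steps S1061 and S1081 to S1083), modelled as an added Go example; this is not code from the patent or from China Telecom. The patent fixes neither the key derivation function nor the ciphers, so the HMAC-SHA256 session key derivation, the AES-256-GCM wrapping of the device private key, the ECDSA P-256 device key pair and every identifier (supi-example-001, akid-example-001, km-example, app-example) are this example's assumptions. What it makes concrete: the AAnF keeps the root key and answers the key management device by identifier only; the device private key reaches the terminal only under the session key both sides derived from the shared AKMA root key; and the application's authentication device receives nothing but the public key. The key update request of the earlier embodiment follows the same path with a fresh key pair.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// deriveSessionKey stands in for S102/S104; the patent fixes no KDF, so HMAC-SHA256 over the AKMA root key
// with the key management device identifier bound in is this example's assumption, not the specification.
func deriveSessionKey(kAKMA []byte, kmID string) []byte {
	mac := hmac.New(sha256.New, kAKMA)
	mac.Write([]byte("akma-session|" + kmID))
	return mac.Sum(nil) // 32 bytes, used directly as the AES-256-GCM key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// AAnF maps AKMA root key identifier -> root key, so signalling carries only the identifier (S1081-S1083).
type AAnF map[string][]byte

func (a AAnF) SessionKeyFor(akid, kmID string) ([]byte, error) {
	k, ok := a[akid]
	if !ok { return nil, errors.New("unknown AKMA root key identifier") }
	return deriveSessionKey(k, kmID), nil
}

// AuthDevice is the application server's authentication equipment; it only ever holds public keys (S122).
type AuthDevice map[string]*ecdsa.PublicKey

// KeyManager is the key management device: one session key per terminal, key pairs generated per (user, app).
type KeyManager struct {
	ID       string
	sessions map[string][]byte // user identifier -> session key
}

// EstablishSession is S1061/S108: the terminal presents its A-KID, the AAnF returns the derived session key.
func (km *KeyManager) EstablishSession(aanf AAnF, userID, akid string) error {
	sk, err := aanf.SessionKeyFor(akid, km.ID)
	if err == nil { km.sessions[userID] = sk }
	return err
}

// IssueAppKey is S112-S118 plus S122: generate the key pair, seal the private key under the session key,
// hand the public key to the authentication device, return the sealed blob for the terminal.
func (km *KeyManager) IssueAppKey(userID, appID string, auth AuthDevice) ([]byte, error) {
	sk, ok := km.sessions[userID]
	if !ok { return nil, errors.New("no secure session with this terminal") }
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil { return nil, err }
	auth[userID+"|"+appID] = &priv.PublicKey
	gcm, err := newGCM(sk)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	// AAD binds the blob to (user, app); output layout is nonce || ciphertext || tag
	return gcm.Seal(nonce, nonce, der, []byte(userID+"|"+appID)), nil
}

// Terminal keeps its own copy of the AKMA root key (S104) and unwraps the private key with it (S120).
type Terminal struct {
	UserID string
	kAKMA  []byte
	priv   *ecdsa.PrivateKey
}

func (t *Terminal) UnwrapPrivateKey(kmID, appID string, sealed []byte) error {
	gcm, err := newGCM(deriveSessionKey(t.kAKMA, kmID))
	if err != nil { return err }
	n := gcm.NonceSize()
	if len(sealed) < n { return errors.New("sealed private key too short") }
	der, err := gcm.Open(nil, sealed[:n], sealed[n:], []byte(t.UserID+"|"+appID))
	if err != nil { return err } // wrong session key or tampering: the GCM tag check fails
	t.priv, err = x509.ParseECPrivateKey(der)
	return err
}

// RunFlow drives S102-S124 end to end with constructed identifiers and a random constructed root key and
// reports whether the authentication device accepts a signature made with the distributed private key (S124).
func RunFlow() (bool, error) {
	kAKMA := make([]byte, 32)
	if _, err := rand.Read(kAKMA); err != nil { return false, err }
	ue := &Terminal{UserID: "supi-example-001", kAKMA: kAKMA}
	aanf := AAnF{"akid-example-001": kAKMA} // outcome of primary authentication and AKMA registration (fig. 2)
	km, auth := &KeyManager{ID: "km-example", sessions: map[string][]byte{}}, AuthDevice{}
	if err := km.EstablishSession(aanf, ue.UserID, "akid-example-001"); err != nil { return false, err }
	sealed, err := km.IssueAppKey(ue.UserID, "app-example", auth)
	if err != nil { return false, err }
	if err := ue.UnwrapPrivateKey(km.ID, "app-example", sealed); err != nil { return false, err }
	digest := sha256.Sum256([]byte("application-layer authentication challenge"))
	sig, err := ecdsa.SignASN1(rand.Reader, ue.priv, digest[:]) // terminal signs with the device private key
	if err != nil { return false, err }
	return ecdsa.VerifyASN1(auth[ue.UserID+"|app-example"], digest[:], sig), nil
}
```

RunFlow returns true when the authentication device verifies a signature made with the unwrapped private key. A terminal holding a different AKMA root key derives a different session key, so gcm.Open fails on the tag check and never yields a private key; the additional data also ties the sealed blob to the user and application identifiers it was issued for, so a blob cannot be replayed against another application.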
An embodiment of the key management apparatus of the present invention is described below with reference to fig. 4.
Fig. 4 illustrates a schematic diagram of a key management apparatus according to some embodiments of the present invention. As shown in fig. 4, the key management apparatus 400 of this embodiment includes: a session key acquisition module 4100 configured to acquire a session key from an AAnF network element in response to an application for establishing a secure session sent by the terminal, wherein the session key is generated by the AAnF network element based on the AKMA root key and the terminal generates the same session key based on the AKMA root key; a response module 4200 configured to send a secure session establishment response to the terminal; a request acquisition module 4300 configured to receive an application key acquisition request sent by the terminal, wherein the application key acquisition request includes a user identifier and an application identifier of the terminal user; a generation module 4400 configured to generate a device public key and a device private key corresponding to the user identifier and the application identifier; an encryption module 4500 configured to encrypt the device private key using the session key; and a sending module 4600 configured to send the encrypted device private key to the terminal so that the terminal decrypts it with the session key to obtain the device private key, and to send the device public key to the authentication device of the application server so that the terminal and the authentication device can execute the application-layer security protection process using the device private key and the device public key respectively.
In some embodiments, the session key acquisition module 4100 is further configured to: receiving an application for establishing a secure session sent by a terminal, wherein the application for establishing the secure session comprises an AKMA root key identifier pre-generated by the terminal; transmitting a session key acquisition request to an AAnF network element, wherein the session key acquisition request comprises an AKMA root key identifier and an identifier of a key management device, so that the AAnF network element determines an AKMA root key acquired in advance according to the AKMA root key identifier and derives the session key based on the AKMA root key; receiving a session key acquisition response sent by the AAnF network element, wherein the session key acquisition response comprises a session key; and sending a secure session establishment response to the terminal.
In some embodiments, the key management device 400 further comprises: a storage module 4700 configured to store a device public key and a device private key corresponding to the user identification and the application identification, and an AKMA root key identification.
In some embodiments, the key management device further comprises an updating module 4800 configured to update the device public key and the device private key corresponding to the user identifier and the application identifier after the key management device receives an application key update request sent by the terminal, wherein the application key update request comprises the user identifier and the application identifier of the terminal user.
An embodiment of the key distribution system of the present invention is described below with reference to fig. 5.
Fig. 5 illustrates a schematic diagram of a key distribution system according to some embodiments of the invention. As shown in fig. 5, the key distribution system 50 of this embodiment includes: a key management device 510, whose specific implementation may refer to the key management device 400 of the foregoing embodiment; a terminal 520 configured to generate an AKMA root key and an AKMA root key identifier based on the AUSF base key after completing a primary authentication procedure with the AUSF; and an AUSF 530 configured to generate the same AKMA root key and AKMA root key identifier as the terminal based on the same AUSF base key as the terminal, to send an AKMA registration request to an AAnF network element, wherein the AKMA registration request comprises the user identifier, the AKMA root key and the AKMA root key identifier, and to receive an AKMA registration response sent by the AAnF network element.
In some embodiments, the terminal 520 is further configured to initiate a primary authentication request to the AUSF 530; the AUSF 530 is further configured to send a primary authentication request to the UDM, wherein the primary authentication request includes the user identifier of the terminal, and to receive a primary authentication response sent by the UDM, wherein the primary authentication response comprises an authentication vector and an AKMA identifier, and the AKMA identifier indicates that the terminal subscribes to the AKMA service.
In some embodiments, the key distribution system 50 further comprises: an AAnF network element 540 configured to determine the AKMA root key acquired in advance according to the AKMA root key identifier after receiving the session key acquisition request sent by the key management apparatus, and to derive the session key based on that AKMA root key.
Fig. 6 illustrates a network architecture diagram according to some embodiments of the invention. As shown in fig. 6, the network scenario to which some embodiments of the present invention relate may be divided into a user plane and a control plane. In the user plane, the terminal UE 61 accesses the network through the gNB 62 and reaches the application's authentication server DN-AAA 64 through the user plane function (UPF) 63; during connection establishment, a flexible security mechanism can further be implemented by means of the access and mobility management function (AMF) 66, the session management function (SMF) 67 and the key management device 60, as shown by the solid lines in fig. 6. In the control plane, UE 61 interacts with AUSF 68 through AMF 66 to perform the AKMA procedure, and UDM 65, AUSF 68, AAnF network element 69 and key management device 60 further interact with UE 61 to complete the AKMA-based private key distribution procedure, as shown by the dashed lines in fig. 6.
Fig. 7 illustrates a schematic view of a scenario in accordance with some embodiments of the invention. As shown in fig. 7, in this scenario an industrial device 710 includes UE 7101, UE 7102 and UE 7103; the key management device 720 includes a key generation function 7201, a key storage function 7202, a key distribution function 7203, a key update function 7204 and a secure API interface 7205; and the industry application server 730 includes applications 7301, 7302 and 7303. The industrial device 710 and the key management device 720 communicate through an AKMA secure session so that the key management device 720 can carry out private key distribution, and the key management device 720 interacts with each application in the industry application server 730 through a TLS secure interface so that the industry application server 730 can obtain the public keys.
The key management device 720 may further include an AApF function for performing two-way authentication with the AAnF, requesting the session key by means of the AKMA root key identifier, establishing the secure session between the device and the key management module, and issuing the device private key. The key generation function generates an SM2 public/private key pair for the device after the AKMA secure session has been established; the key storage function stores the device public/private key pairs, the AKMA-related identifiers and the application service public keys of the data network; the key distribution function distributes the device private key to the device over the AKMA secure session; the key update function provides a key update service to the terminal according to the key update policy; and the secure open API interface provides a secure API call function through which the various industry applications perform certificate authentication and authorization based on the Transport Layer Security (TLS) protocol.
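The modules of fig. 4 and the functions of fig. 7 together describe one procedure: terminal and AUSF derive the same AKMA root key, the AAnF registers it, the key management device obtains a session key bound to its own identifier, generates a per-user/per-application key pair, encrypts the private key under the session key for the terminal and hands the public key to the application server. The following Go program is an added example written for this page, not code from the patent or from China Telecom, and it fills in details the patent leaves open with labelled assumptions: an HMAC-SHA256 construction stands in for the 3GPP key derivation function and its labels, a P-256 ECDSA pair stands in for the SM2 pair, AES-256-GCM is the encryption applied to the private key (the patent does not name a cipher), and the names `DeriveAKMARoot`, `AAnF`, `IssueKeyPair`, `Open` and `RunDistribution` are hypothetical. The key update of module 4800 is the same `IssueKeyPair` call made again for the same user and application identifiers, which replaces the stored pair.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// kdf stands in for the 3GPP KDF (assumed construction): HMAC-SHA256 keyed with the
// parent key over a label and the identifiers that bind the derived key, NUL-separated.
func kdf(parent []byte, parts ...string) []byte {
	m := hmac.New(sha256.New, parent)
	for _, p := range parts {
		m.Write(append([]byte(p), 0))
	}
	return m.Sum(nil)
}

// DeriveAKMARoot: AKMA root key and identifier (A-KID) from the AUSF base key, computed
// independently by the terminal and the AUSF with the same result (labels are assumed).
func DeriveAKMARoot(kAUSF []byte, supi string) ([]byte, string) {
	return kdf(kAUSF, "AKMA", supi), fmt.Sprintf("%x", kdf(kAUSF, "A-TID", supi)[:8])
}

// AAnF maps A-KIDs registered by the AUSF to root keys and derives the session key
// bound to the identifier of the requesting key management device (KMD).
type AAnF map[string][]byte

func (a AAnF) SessionKey(aKID, kmdID string) ([]byte, error) {
	root, ok := a[aKID]
	if !ok {
		return nil, errors.New("AAnF: unknown AKMA root key identifier")
	}
	return kdf(root, "KMD-session", kmdID), nil
}

// KeyStore is the KMD storage function: one pair per (user identifier, application identifier).
type KeyStore = map[string]*ecdsa.PrivateKey

// gcm builds AES-256-GCM from the 32-byte session key; the authentication tag makes the
// terminal reject a private key sealed under a different key or altered in transit.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // a 32-byte KDF output is always a valid AES key
	g, _ := cipher.NewGCM(block)
	return g
}

// Open is the terminal side: recover the private key (nonce prefixed) or fail on tag mismatch.
func Open(session, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("sealed private key too short")
	}
	return gcm(session).Open(nil, sealed[:12], sealed[12:], nil)
}

// IssueKeyPair is the KMD generation, storage and distribution step: a fresh P-256 pair
// (stand-in for SM2); calling it again for the same identifiers is the key update.
func IssueKeyPair(store KeyStore, session []byte, userID, appID string) ([]byte, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	store[userID+"|"+appID] = priv
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand.Read always fills the slice (documented since Go 1.24)
	return gcm(session).Seal(nonce, nonce, der, nil), &priv.PublicKey, nil
}

// RunDistribution runs the flow end to end and reports whether the private key the
// terminal recovered pairs with the public key handed to the application server.
func RunDistribution(kAUSF []byte, supi, kmdID, appID string) (bool, error) {
	root, aKID := DeriveAKMARoot(kAUSF, supi)       // held by terminal and AUSF alike
	aanf := AAnF{aKID: root}                        // AUSF -> AAnF AKMA registration
	kmdSession, err := aanf.SessionKey(aKID, kmdID) // KMD: session key request/response
	if err != nil {
		return false, err
	}
	termSession := kdf(root, "KMD-session", kmdID) // terminal derives the same key locally
	sealed, pub, err := IssueKeyPair(KeyStore{}, kmdSession, supi, appID)
	if err != nil {
		return false, err
	}
	der, err := Open(termSession, sealed) // terminal decrypts with its own session key
	if err != nil {
		return false, err
	}
	priv, err := x509.ParseECPrivateKey(der)
	if err != nil {
		return false, err
	}
	return priv.PublicKey.Equal(pub), nil // pub is what the authentication device received
}

func main() {
	ok, err := RunDistribution([]byte("constructed K_AUSF, demo only !!!"), "supi-demo-0001", "kmd-720", "app-7301")
	fmt.Println("terminal private key pairs with the distributed public key:", ok, err)
}
```

The point worth checking in such an implementation is that the session key never crosses the terminal-to-KMD link: the AAnF derives it from the registered root key and the KMD identifier, and the terminal derives the same value from its own copy of the root key, so a private key sealed for one KMD cannot be opened by a party holding a session key derived for another identifier, and the GCM tag turns that into an explicit failure rather than a silently wrong key.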
Fig. 8 is a schematic diagram showing the structure of a key management apparatus according to other embodiments of the present invention. As shown in fig. 8, the key management device 80 of this embodiment includes: a memory 810 and a processor 820 coupled to the memory 810, the processor 820 being configured to perform the key distribution method of any of the previous embodiments based on instructions stored in the memory 810.
The memory 810 may include, for example, system memory, fixed nonvolatile storage media, and so forth. The system memory stores, for example, an operating system, application programs, boot Loader (Boot Loader), and other programs.
Fig. 9 is a schematic diagram showing the structure of a key management apparatus according to still other embodiments of the present invention. As shown in fig. 9, the key management device 90 of this embodiment includes a memory 910 and a processor 920, and may also include an input/output interface 930, a network interface 940, a storage interface 950, and so forth. These interfaces 930, 940, 950, the memory 910 and the processor 920 may be connected by a bus 960, for example. The input/output interface 930 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, a touch screen, and the like. The network interface 940 provides a connection interface for various networking devices. The storage interface 950 provides a connection interface for external storage devices such as SD cards, USB flash drives, and the like.
An embodiment of the present invention also provides a computer-readable storage medium having stored thereon a computer program, characterized in that the program, when executed by a processor, implements any one of the foregoing key distribution methods.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flowchart and/or block of the flowchart illustrations and/or block diagrams, and combinations of flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing description of the preferred embodiments of the invention is not intended to limit the invention to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the invention are intended to be included within the scope of the invention.

Claims (15)

1. A key distribution method, comprising:
a key management device, in response to a secure session establishment application sent by a terminal, acquires a session key from an Authentication and Key Management for Applications (AKMA) Anchor Function (AAnF) network element, wherein the session key is generated by the AAnF network element based on an AKMA root key, and the terminal generates the same session key based on the AKMA root key;
the key management device sends a secure session establishment response to the terminal;
the key management device receives an application key acquisition request sent by the terminal, wherein the application key acquisition request comprises a user identifier and an application identifier of the terminal user;
the key management device generates a device public key and a device private key corresponding to the user identifier and the application identifier;
the key management device encrypts the device private key using the session key;
the key management device sends the encrypted equipment private key to the terminal so that the terminal adopts the session key to decrypt the encrypted equipment private key to obtain the equipment private key;
the key management device sends the device public key to authentication equipment of an application server so that the terminal and the authentication equipment can execute an application layer security protection process by adopting the device private key and the device public key respectively.
2. The key distribution method according to claim 1, wherein the key management device, in response to the secure session establishment application sent by the terminal, acquiring the session key from the AAnF network element comprises:
the key management device receives an application for establishing a secure session sent by the terminal, wherein the application for establishing the secure session comprises an AKMA root key identifier which is generated in advance by the terminal;
the key management device sends a session key acquisition request to the AAnF network element, wherein the session key acquisition request comprises the AKMA root key identification and the identification of the key management device, so that the AAnF network element determines the AKMA root key acquired in advance according to the AKMA root key identification and derives a session key based on the AKMA root key;
the key management device receives a session key acquisition response sent by the AAnF network element, wherein the session key acquisition response comprises the session key.
3. The key distribution method according to claim 1, further comprising:
the key management device receives an application key update request sent by the terminal, wherein the application key update request comprises a user identifier and an application identifier of the terminal user;
the key management device updates a device public key and a device private key corresponding to the user identifier and the application identifier;
the key management device encrypts the updated device private key using the session key;
the key management device sends the encrypted updated device private key to the terminal so that the terminal adopts the session key to decrypt the encrypted updated device private key to obtain the updated device private key;
the key management device sends the updated device public key to an authentication and authorization device of an application server.
4. The key distribution method according to claim 1, further comprising:
after a terminal and an authentication server function (AUSF) complete a primary authentication procedure, the terminal and the AUSF generate an AUSF base key;
the AUSF generates an AKMA root key and an AKMA root key identifier based on the AUSF basic key;
the terminal generates an AKMA root key and an AKMA root key identifier which are the same as the AUSF based on the AUSF basic key;
the AUSF sends an AKMA registration request to an AAnF network element, wherein the AKMA registration request comprises the user identifier, the AKMA root key and the AKMA root key identifier;
and the AUSF receives an AKMA registration response sent by the AAnF network element.
5. The key distribution method according to claim 1, further comprising:
in the process of registering a terminal in the network, the AUSF sends a primary authentication request to a unified data management (UDM), wherein the primary authentication request comprises the user identifier of the terminal;
the AUSF receives a primary authentication response sent by the UDM, wherein the primary authentication response comprises an authentication vector and an AKMA identifier, and the AKMA identifier indicates that the terminal subscribes to the AKMA service.
6. The key distribution method according to claim 1, wherein the key management device is deployed within the 5G core network (5GC) or accesses the 5GC through a network exposure function (NEF).
7. A key management apparatus comprising:
a session key acquisition module configured to acquire a session key from an AAnF network element in response to a secure session establishment application sent by a terminal, wherein the session key is generated by the AAnF network element based on an AKMA root key, and the terminal generates the same session key based on the AKMA root key;
a response module configured to send a secure session establishment response to the terminal;
a request acquisition module configured to receive an application key acquisition request sent by the terminal, wherein the application key acquisition request comprises a user identifier and an application identifier of the terminal user;
a generation module configured to generate a device public key and a device private key corresponding to the user identifier and the application identifier;
an encryption module configured to encrypt the device private key using the session key;
a sending module configured to send the encrypted device private key to the terminal so that the terminal decrypts the encrypted device private key with the session key to obtain the device private key, and to send the device public key to the authentication device of an application server so that the terminal and the authentication device execute an application layer security protection procedure using the device private key and the device public key respectively.
8. The key management device of claim 7, wherein the session key acquisition module is further configured to: receive a secure session establishment application sent by the terminal, wherein the application comprises an AKMA root key identifier generated in advance by the terminal; send a session key acquisition request to the AAnF network element, wherein the session key acquisition request comprises the AKMA root key identifier and the identifier of the key management device, so that the AAnF network element determines the AKMA root key acquired in advance according to the AKMA root key identifier and derives the session key based on that AKMA root key; receive a session key acquisition response sent by the AAnF network element, wherein the session key acquisition response comprises the session key; and send a secure session establishment response to the terminal.
9. The key management apparatus of claim 8, further comprising:
a storage module configured to store the device public key and the device private key corresponding to the user identifier and the application identifier, together with the AKMA root key identifier.
10. The key management apparatus of claim 8, further comprising:
an updating module configured to update the device public key and the device private key corresponding to the user identifier and the application identifier after the key management device receives an application key update request sent by the terminal, wherein the application key update request comprises the user identifier and the application identifier of the terminal user.
11. A key management apparatus comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the key distribution method of any of claims 1-3 based on instructions stored in the memory.
12. A key distribution system, comprising:
the key management device of any one of claims 7 to 11;
a terminal configured to generate an AKMA root key and an AKMA root key identifier based on the AUSF base key after completing a primary authentication procedure with the AUSF;
an AUSF configured to generate the same AKMA root key and AKMA root key identifier as the terminal based on the same AUSF base key as the terminal, to send an AKMA registration request to an AAnF network element, wherein the AKMA registration request comprises the user identifier, the AKMA root key and the AKMA root key identifier, and to receive an AKMA registration response sent by the AAnF network element.
13. The key distribution system of claim 12 wherein,
the terminal is further configured to initiate a primary authentication request to the AUSF through the AMF network element;
the AUSF is further configured to send a primary authentication request to the UDM, wherein the primary authentication request includes the user identifier of the terminal, and to receive a primary authentication response sent by the UDM, wherein the primary authentication response comprises an authentication vector and an AKMA identifier, and the AKMA identifier indicates that the terminal subscribes to the AKMA service.
14. The key distribution system of claim 12, further comprising:
an AAnF network element configured to determine the AKMA root key acquired in advance according to the AKMA root key identifier after receiving the session key acquisition request sent by the key management device, and to derive the session key based on that AKMA root key.
15. A computer readable storage medium having stored thereon a computer program which when executed by a processor implements the key distribution method of any of claims 1-6.
CN202111623599.0A 2021-12-28 2021-12-28 Key distribution method, system and related equipment Active CN114339745B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111623599.0A CN114339745B (en) 2021-12-28 2021-12-28 Key distribution method, system and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111623599.0A CN114339745B (en) 2021-12-28 2021-12-28 Key distribution method, system and related equipment

Publications (2)

Publication Number Publication Date
CN114339745A CN114339745A (en) 2022-04-12
CN114339745B true CN114339745B (en) 2024-01-26

Family

ID=81015001

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111623599.0A Active CN114339745B (en) 2021-12-28 2021-12-28 Key distribution method, system and related equipment

Country Status (1)

Country Link
CN (1) CN114339745B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117062071A (en) * 2022-05-06 2023-11-14 华为技术有限公司 Authentication method, communication device, and computer-readable storage medium
CN114793184B (en) * 2022-06-22 2022-11-08 广州万协通信息技术有限公司 Security chip communication method and device based on third-party key management node
CN115766130B (en) * 2022-11-02 2024-04-19 中国联合网络通信集团有限公司 Conference encryption method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104283667A (en) * 2013-07-01 2015-01-14 中国移动通信集团黑龙江有限公司 Data transmission method, device and system thereof
CN106452764A (en) * 2016-12-02 2017-02-22 武汉理工大学 Method for automatically updating identification private key and password system
CN113163402A (en) * 2020-01-23 2021-07-23 华为技术有限公司 Communication method, device and system
WO2021147997A1 (en) * 2020-01-23 2021-07-29 中国移动通信有限公司研究院 Key generation method and device
CN113676901A (en) * 2020-04-30 2021-11-19 华为技术有限公司 Key management method, device and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100523357B1 (en) * 2003-07-09 2005-10-25 한국전자통신연구원 Key management device and method for providing security service in epon

Also Published As

Publication number Publication date
CN114339745A (en) 2022-04-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant