CN116321140A - Key updating method, information transmission method, device, medium and satellite network - Google Patents

Key updating method, information transmission method, device, medium and satellite network Download PDF

Info

Publication number
CN116321140A
CN116321140A CN202310270834.3A CN202310270834A CN116321140A CN 116321140 A CN116321140 A CN 116321140A CN 202310270834 A CN202310270834 A CN 202310270834A CN 116321140 A CN116321140 A CN 116321140A
Authority
CN
China
Prior art keywords
key
gateway
network element
receiving
updated
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310270834.3A
Other languages
Chinese (zh)
Inventor
刘浩
王炜
董吉昌
张小翠
徐钧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Space Engineering Network Technology Development Hangzhou Co ltd
Original Assignee
Space Engineering Network Technology Development Hangzhou Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Space Engineering Network Technology Development Hangzhou Co ltd filed Critical Space Engineering Network Technology Development Hangzhou Co ltd
Priority to CN202310270834.3A priority Critical patent/CN116321140A/en
Publication of CN116321140A publication Critical patent/CN116321140A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433Key management protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • H04W12/037Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • H04W12/106Packet or message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/61Time-dependent
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W84/00Network topologies
    • H04W84/02Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/04Large scale networks; Deep hierarchical networks
    • H04W84/06Airborne or Satellite Networks

Abstract

The invention provides a key updating method, an information transmission device, a medium and a satellite network. The key updating method is applied to a satellite network, and the network comprises a server and a plurality of network elements interacted with the server; the method comprises the following steps: the server broadcasts an update signaling, wherein the update signaling comprises the key version numbers of the current update and the next update and random numbers thereof; the network element receives and responds to the update signaling, and updates the sending key of the network element based on the currently updated key version number and the random number in preset time, so as to keep the receiving key unchanged; after a preset time, the network element updates its received key based on the update signaling. The method realizes the dynamic update of the sending key and the receiving key of the network element by updating the sending key according to the update signaling containing two groups of key version numbers and random numbers thereof and updating the receiving key after the preset time, and ensures that the dynamic update of the sending key and the receiving key of the network element is not influenced by the state of the network element.

Description

Key updating method, information transmission method, device, medium and satellite network
Technical Field
The invention relates to the technical field of key updating of satellite networks, and particularly provides a key updating method, an information transmission device, a medium and a satellite network.
Background
The DVB-RCS2 is a satellite network standard, and is widely applied to satellite communication systems, wherein the DVB-RCS2 shares encrypted passwords between a user terminal and a network control center.
In the current satellite network system, in data transmission, when a user terminal is registered, a network control center generates an encrypted session key of the data transmission, and then the session key is sent to the user terminal after being encrypted by a password by the network control center;
in the prior art, the key updating mode is that the user terminal needs to register again, and then the network control center issues the newly generated session key to the user terminal; however, the key updating mode needs to trigger updating when the terminal is in an idle state, so that the user terminal cannot update the key in real time, and the flexibility of data transmission between the network control center and the user terminal is low.
Accordingly, there is a need in the art for a new key update scheme to address the above-described problems.
Disclosure of Invention
The present invention has been made to overcome the above-mentioned drawbacks, and provides a key updating method, an information transmission method, an apparatus, a medium, and a satellite network, which solve or at least partially solve the technical problem that a key cannot be updated in real time due to the limitation of the state of a terminal in key updating.
In a first aspect, the present invention provides a key updating method, the method being applied to a satellite network, the satellite network comprising a user home server and at least one network element in information interaction with the user home server, the network element using a receive key when data is received, the receive key comprising a first receive key and a second receive key, the network element using a transmit key when data is transmitted; the method comprises the following steps: the user attribution server broadcasts an update signaling, wherein the update signaling comprises two updated key version numbers and random numbers respectively corresponding to the two updated key version numbers, and the two updated key version numbers comprise a key version number which is required to be updated currently and a key version number which is required to be updated next time; the network element receives and responds to the update signaling, updates the sending key based on the key version number and the random number which are required to be updated currently in the update signaling in preset time, and maintains the receiving key unchanged, at the moment, the first receiving key is identical to the running key before updating, and the key version number and the random number in the second receiving key are respectively identical to the key version number and the random number which are required to be updated currently; after the preset time, the network element updates the receiving key based on two updated key version numbers in the received update signaling and random numbers corresponding to the two updated key version numbers respectively, at this time, the key version number and the random number in the first receiving key are the same as the key version number and the random number which are required to be updated currently, and the key version number and the random number in the second receiving key are the same as the key version number and the random number which are required to be updated next time.
In one technical scheme of the key updating method, the at least one network element comprises a network side network element and a terminal side network element, the network side network element at least comprises an authentication center, the terminal side network element comprises at least one user terminal authenticated by the authentication center, a root key is stored in the user terminal, and the root key is correspondingly stored in the authentication center.
In one technical solution of the above method for updating a key, the network element at the network side further includes a gateway, and the method further includes: the authentication center carries out key deduction based on the root key, the sending key or the receiving key of the authentication center, obtains the session key of the authentication center and sends the session key to the user attribution server; the user attribution server takes the received session key of the authentication center as the root key of the user attribution server, and the user attribution server performs key deduction based on the root key, the sending key or the receiving key of the user attribution server to obtain the session key of the user attribution server and sends the session key to a gateway; the gateway takes the received session key of the user home server as the root key of the gateway, and the gateway performs key deduction based on the root key, the sending key or the receiving key of the gateway to obtain the session key of the gateway.
In one technical solution of the above-mentioned key updating method, the gateway includes an IP gateway, a forward link gateway MCS and a reverse link gateway RCM, and the IP (internet protocol) gateway uses a received session key of the user home server as a root key of the IP gateway; the gateway performs key deduction based on the root key, the sending key or the receiving key of the gateway, and the obtaining the session key of the gateway includes: the IP gateway performs key deduction based on the root key, the sending key or the receiving key of the IP gateway, obtains the session key of the IP gateway and selectively sends the session key to the forward link gateway and the reverse link gateway respectively, wherein the session key of the IP gateway comprises: NAS (Non-Access-stratum) layer signaling ciphering keys, NAS layer signaling integrity protection keys, E-PDCP (extended packet data convergence protocol) ciphering keys, and forward link root keys sent to the forward link gateway and reverse link root keys sent to the reverse link gateway; the forward link gateway takes the received forward link root key as the root key of the forward link gateway, and performs key deduction based on the root key, the sending key or the receiving key of the forward link gateway to obtain a session key of the forward link gateway, wherein the session key of the forward link gateway comprises: AS (Access-stratum) layer signaling forward encryption keys, AS layer signaling forward integrity protection keys, and link layer forward data encryption keys; the reverse link gateway uses the received reverse link root key as the root key of the reverse link gateway, and performs key deduction based on the root key, the sending key or the receiving key of the reverse link gateway to obtain a session key of the reverse link gateway, wherein the session key of the reverse link gateway includes: an AS layer signaling reverse encryption key, an AS layer signaling reverse integrity protection key, and a link layer reverse data encryption key.
In one technical scheme of the above key updating method, the user home server broadcast update signaling includes periodic broadcast update signaling of the user home server, and a broadcast frequency of the user home server to the terminal side network element is far higher than a broadcast frequency of the user home server to the network side network element.
In one technical scheme of the above key updating method, the method further includes: presetting a plurality of rotated key version numbers and random numbers corresponding to the key version numbers; and generating update signaling based on the preset key version numbers of the multiple rotations and random number rotations corresponding to the key version numbers.
In a second aspect, the present invention provides an information transmission method, where the method is applied to a satellite network, where the network at least includes an IP gateway, a forward link gateway, a reverse link gateway, and a user terminal, where the user terminal corresponding keys include an E-PDCP ciphering key, a NAS layer signaling ciphering key, and a NAS layer signaling integrity protection key, the forward link gateway corresponding keys include an AS layer signaling forward ciphering key, an AS layer signaling forward integrity protection key, and a link layer forward data ciphering key, and the reverse link gateway corresponding keys include an AS layer signaling reverse ciphering key, an AS layer signaling reverse integrity protection key, and a link layer reverse data ciphering key; the method comprises the following steps: the forward link gateway performs information data transmission with the IP gateway based on the E-PDCP encrypted data, and performs AS layer signaling encryption and link layer BBframe (baseband frame) encrypted data based on the E-PDCP encrypted data, and performs information data transmission with the user terminal; the reverse link gateway performs information data transmission with the IP gateway based on the E-PDCP encrypted data, and performs information data transmission with the user terminal based on AS layer signaling encryption and link layer MAC (media Access control) encrypted data; wherein at least one key of the IP gateway, the forward link gateway, the reverse link gateway, and the user terminal corresponding key is updated based on the method of any one of the above.
In a third aspect, a control device is provided, the control device comprising a processor and a memory, the memory being adapted to store a plurality of program codes, the program codes being adapted to be loaded and run by the processor to perform the key updating method according to any one of the above-mentioned key updating methods.
In a fourth aspect, a computer readable storage medium is provided, in which a plurality of program codes are stored, the program codes being adapted to be loaded and run by a processor to perform the key updating method according to any one of the above-mentioned key updating methods.
In a fifth aspect, there is provided a satellite network comprising a user home server, at least one network element and the control device described above, the at least one network element comprising: the network side network element at least comprises an authentication center and a gateway, and the terminal side network element comprises at least one user terminal authenticated by the authentication center, wherein the user home server is used for broadcasting update signaling to the at least one network element respectively; the gateway is used for mutually transmitting data between the authentication center and at least one user terminal; the control device is used for executing the key updating method of any one of the above, and the control device interacts with the network side network element and/or the terminal side network element information respectively, so that the network side network element and/or the terminal side network element realize key updating based on the control device.
The technical scheme provided by the invention has at least one or more of the following beneficial effects: the network element updates the sending key of the network element according to the update signaling received from the user attribution server, and updates the receiving key after the preset time, so that the dynamic update of the sending key and the receiving key of the network element is realized, the dynamic update of the sending key and the receiving key of the network element is not influenced by the state of the network element, the stability of data transmission among the network elements in the satellite network is further ensured, the update mode in the prior art is avoided, the update can be triggered only when the terminal is in an idle state, the user terminal cannot update the key in real time, and the flexibility of data transmission between the network control center and the user terminal is further lower.
In the technical scheme of implementing the invention, the network element uses the sending key or the receiving key to deduce according to the root key of the network element to obtain the session key used by the data transmission of the network element, so that the session key is not involved in the data transmission of the satellite network, the security of the data transmission in the satellite network is improved, and the situation of data leakage caused by directly carrying out the data transmission on the session key in the prior art is avoided.
In the technical scheme of implementing the invention, by setting the preset time, when the key version numbers of the received network element and the data of the sent network element are different, the received network element can still decrypt the received data through the first receiving key or the second receiving key in the receiving keys, so that the flexibility of encryption or decryption in data transmission among the network elements is improved.
In the technical scheme of implementing the invention, the update signaling is periodically broadcast by the user attribution server, and the update signaling is a plurality of alternate key version numbers and random numbers corresponding to the key version numbers, so that the alternate of the update signaling can be regularly switched, the stable operation of the key deduction of each network element is ensured, the stability of data transmission of the satellite network is further improved, the time required by the key deduction during the dynamic update of the keys by each gateway is reduced, and the efficiency of the dynamic update of the keys is improved.
Drawings
The present disclosure will become more readily understood with reference to the accompanying drawings. As will be readily appreciated by those skilled in the art: the drawings are for illustrative purposes only and are not intended to limit the scope of the present invention. Moreover, like numerals in the figures are used to designate like parts, wherein:
FIG. 1 is a schematic diagram of an architecture of a prior art satellite network system;
FIG. 2 is a schematic diagram of a spatial network security architecture of the present invention;
FIG. 3 is a flow chart of the main steps of a key update method according to one embodiment of the invention;
fig. 4 is a flow chart of key derivation in a preset time period when a user terminal receives and responds to update signaling according to the present invention;
fig. 5 is a flow chart of key derivation after a preset time has elapsed after a user terminal receives and responds to update signaling according to the present invention;
fig. 6 is a schematic flow chart of key derivation in a preset time when a network element at the network side receives and responds to update signaling according to the present invention;
fig. 7 is a schematic flow chart of key derivation after a preset time elapses after a network element on the network side receives and responds to update signaling according to the present invention;
fig. 8 is a schematic diagram of a key hierarchy of key deduction performed by a network element at a network side or a network element at a terminal side according to the present invention;
FIG. 9 is a flow chart of a key update according to the present invention;
FIG. 10 is a schematic diagram of steps for updating a key according to the present invention;
fig. 11 is a schematic diagram of a user home server according to the present invention broadcasting update signaling to network side network elements and terminal side network elements, respectively;
Fig. 12 is a schematic diagram of data transmission with a terminal-side network element when the network-side network element first receives an update signaling according to the present invention;
fig. 13 is a schematic diagram of data transmission with a network element at a network side when the network element at a terminal side first receives an update signaling according to the present invention;
fig. 14 is a flow chart illustrating main steps of an information transmission method according to an embodiment of the present invention;
FIG. 15 is a schematic diagram of a spatial network layered encryption architecture in accordance with the present invention;
fig. 16 is a main structural diagram of a control device according to an embodiment of the present invention;
fig. 17 is a main structural block diagram of a satellite network according to an embodiment of the present invention.
List of reference numerals:
700: a control device; 701: a processor; 702: a memory; 703: program code; 800: a satellite network; 801: an authentication center; 802: a user attribution server; 803: a gateway; 804: and a user terminal.
Detailed Description
Some embodiments of the invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are merely for explaining the technical principles of the present invention, and are not intended to limit the scope of the present invention.
In the description of the present invention, a "module," "processor" may include hardware, software, or a combination of both. A module may comprise hardware circuitry, various suitable sensors, communication ports, memory, or software components, such as program code, or a combination of software and hardware. The processor may be a central processor, a microprocessor, an image processor, a digital signal processor, or any other suitable processor. The processor has data and/or signal processing functions. The processor may be implemented in software, hardware, or a combination of both. Non-transitory computer readable storage media include any suitable medium that can store program code, such as magnetic disks, hard disks, optical disks, flash memory, read-only memory, random access memory, and the like. The term "a and/or B" means all possible combinations of a and B, such as a alone, B alone or a and B. The term "at least one A or B" or "at least one of A and B" has a meaning similar to "A and/or B" and may include A alone, B alone or A and B. The singular forms "a", "an" and "the" include plural referents.
A schematic architecture of a conventional satellite network system is shown in fig. 1. The existing satellite network system consists of a ground section, a space section and a user section, wherein a gateway system of the ground section comprises an IP gateway, a forward link gateway and a reverse link gateway; the space segment comprises transparent satellites or low-orbit satellite constellations with regeneration functions; the user segment comprises a user terminal and a connected terminal network.
A schematic diagram of the spatial network security architecture of the present invention is shown in FIG. 2. The spatial network security architecture consists of four fields: the access domain security, the transmission domain security, the non-access layer attribution service domain security and the application domain security, and the access domain security ensures the access authentication and the security transmission between the user terminal and the transparent forwarding satellite gateway or the access satellite with the inter-satellite link; the transmission domain security ensures the point-to-point security of the inter-satellite links, the point-to-point security of the feeder links and the point-to-point transmission security between the ground gateways; the security of the network layer between the user terminal and the core network access anchor point IP gateway is ensured by the non-access layer home service domain security, including the bidirectional authentication and the encrypted transmission between the terminal and the IP gateway; application domain security is achieved by means of a mature transport layer protocol. In particular, the invention is mainly focused on two fields of access domain security and non-access layer home service domain security of a satellite network, and is mainly used for encryption and integrity protection in an access layer and a non-access layer.
Those skilled in the art will appreciate that the overall architecture shown in fig. 2 does not constitute a limitation of a satellite network, and in actual practice, the satellite network may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.
The invention provides a key updating method which is applied to a satellite network, wherein the satellite network comprises a user home server and at least one network element which is in information interaction with the user home server, the network element uses a receiving key when receiving data, the receiving key comprises a first receiving key and a second receiving key, and the network element uses a sending key when transmitting data.
Referring to fig. 3, fig. 3 is a schematic flow chart of main steps of a key updating method according to an embodiment of the present invention. As shown in fig. 3, the key updating method in the embodiment of the present invention mainly includes the following steps S301 to S303.
Step S301: the user attribution server broadcasts an update signaling, wherein the update signaling comprises two updated key version numbers and random numbers respectively corresponding to the two updated key version numbers, and the two updated key version numbers comprise a key version number which is required to be updated currently and a key version number which is required to be updated next time;
Specifically, in some embodiments, the update signaling broadcast by the user home server includes periodic update signaling broadcast by the user home server, and the broadcast frequency of the user home server to the network element at the terminal side is far higher than the broadcast frequency of the user home server to the network element at the network side, so that when a new user terminal registers, the user home server can timely broadcast the current update signaling to the network element at the terminal side, so that the new user terminal can timely perform data transmission.
In the above embodiment, the update signaling is periodically broadcast by the user home server, and the update signaling is a plurality of rotated key version numbers and random numbers corresponding to the key version numbers, so that the rotation of the update signaling can be regularly switched, the stable operation of the key deduction of each network element is ensured, the stability of data transmission of the satellite network is further improved, the time required by the key deduction during the dynamic update of the key by each gateway is reduced, and the efficiency of the dynamic update of the key is improved.
Step S302: the network element receives and responds to the update signaling, updates the sending key based on the key version number and the random number which are required to be updated currently in the update signaling in preset time, and maintains the receiving key unchanged, at the moment, the first receiving key is identical to the running key before updating, and the key version number and the random number in the second receiving key are respectively identical to the key version number and the random number which are required to be updated currently;
Step S303: after the preset time, the network element updates the receiving key based on two updated key version numbers in the received update signaling and random numbers corresponding to the two updated key version numbers respectively, at this time, the key version number and the random number in the first receiving key are the same as the key version number and the random number which are required to be updated currently, and the key version number and the random number in the second receiving key are the same as the key version number and the random number which are required to be updated next time.
Specifically, in some embodiments, when the network element receives and responds to the update signaling, and the preset time elapses, the receiving key is updated, and the updated sending key is maintained unchanged.
In the above embodiment, by setting the preset time, when the key version numbers of the received network element and the data of the transmitted network element are different, the received network element can still decrypt the received data by using the first receiving key or the second receiving key in the receiving keys, so that the flexibility of encryption or decryption in data transmission between the network elements is improved.
Further, in some embodiments, the period of the user home server broadcast update signaling is higher than the preset time to facilitate stability of updates to the transmit key and the receive key.
Specifically, in some embodiments, the preset time is set to 10 minutes, or may be 1 minute, where the setting of the preset time is only illustrative, and in actual testing, a person skilled in the art may set the preset time according to actual needs, which is not described herein.
In the above embodiment, the network element updates the sending key of the network element according to the update signaling received from the user attribution server, and updates the receiving key after the preset time, so as to realize the dynamic update of the sending key and the receiving key of the network element, and make the dynamic update of the sending key and the receiving key of the network element not affected by the state of the network element, further ensure the stability of data transmission between the network elements in the satellite network, and avoid that the update mode in the prior art needs to trigger the update when the terminal is in an idle state, so that the user terminal cannot update the key in real time, and further make the flexibility of data transmission between the network control center and the user terminal lower.
Further, in some embodiments, the at least one network element includes a network-side network element and a terminal-side network element, where the network-side network element includes at least an authentication center, the terminal-side network element includes at least one user terminal authenticated by the authentication center, a root key is stored in the user terminal, and a root key of the user terminal is correspondingly stored in the authentication center.
Specifically, an embedded security module is arranged in the user terminal, a root key and an electronic serial number of the user terminal are arranged in the embedded security module, and the root key and the electronic serial number of the user terminal are correspondingly stored in the authentication center.
Referring to fig. 4, fig. 4 is a schematic flow chart of key derivation in a preset time when a user terminal receives and responds to update signaling according to the present invention. Specifically, the user terminal receives and responds to the update signaling, and the key deduction process in the preset time is similar to the key deduction process after the preset time.
As shown in fig. 4, in the key updating method in the embodiment of the present invention, the key deduction in the preset time after the user terminal receives and responds to the update signaling includes:
The user terminal carries out key deduction based on the root key of the user terminal and the updated sending key to obtain a first root key; the user terminal carries out key deduction based on the first root key and the updated sending key to obtain a second root key; the user terminal carries out key deduction based on the second root key and the updated sending key to obtain a third root key, a fourth root key and a first group of three session keys; the user terminal carries out key deduction based on the third root key and the updated sending key to obtain a second group of three session keys; and the user terminal performs key deduction based on the fourth key and the updated transmission key to obtain a third group of three session keys so as to realize that the user terminal performs deduction through the updated transmission key and the root key thereof and obtain 9 session keys for encrypting data when the user terminal transmits the data.
Further, referring to fig. 5, fig. 5 is a schematic flow chart of key derivation after a preset time elapses after the user terminal receives and responds to the update signaling according to the present invention. As shown in fig. 5, in the key updating method in the embodiment of the present invention, in the key deduction after the preset time and after receiving and responding to the update signaling, the difference between the key deduction after the preset time and the key deduction after receiving and responding to the update signaling by the user terminal is that: in the multi-round key deduction based on the root key, the user terminal uses the updated second receiving key of the receiving key to obtain 9 session keys for decrypting the data when the user terminal receives the data, wherein the specific deduction process is the same as the key deduction process, so that the description is omitted here.
Referring to fig. 6, fig. 6 is a schematic flow chart of key derivation in a preset time after a network element at the network side receives and responds to update signaling according to the present invention. Specifically, the network element at the network side receives and responds to the update signaling, and the key deduction process in the preset time is similar to the key deduction process after the preset time.
As shown in fig. 6, the network element at the network side further includes a gateway, and in the key updating method in the embodiment of the present invention, the key deduction performed by the network element at the network side in receiving and responding to the update signaling and within a preset time includes:
the authentication center carries out key deduction based on the root key of the authentication center and the updated sending key, a session key of the authentication center is obtained and sent to the user attribution server, wherein the session key of the authentication center is identical to the first root key; the user attribution server takes the received session key of the authentication center as a root key of the user attribution server, and the user attribution server carries out key deduction based on the root key of the user attribution server and the updated sending key to obtain the session key of the user attribution server and sends the session key to a gateway, wherein the session key of the user attribution server is identical with the second root key; the gateway takes the received session key of the user home server as the root key of the gateway, and the gateway carries out key deduction based on the root key of the gateway and the updated sending key to obtain the session key of the gateway.
Specifically, in some embodiments, the gateway includes an IP gateway, a forward link gateway, and a reverse link gateway, the IP gateway having the received session key of the user home server as a root key of the IP gateway; the gateway performs key deduction based on the root key of the gateway and the updated sending key, and the obtaining of the session key of the gateway includes: the IP gateway performs key deduction based on the root key of the IP gateway and the updated sending key, obtains a session key of the IP gateway and selectively sends the session key to the forward link gateway and the reverse link gateway respectively, wherein the session key of the IP gateway comprises: the method comprises the steps of enabling a NAS layer signaling ciphering key, a NAS layer signaling integrity protection key, an E-PDCP ciphering key, a forward link root key sent to a forward link gateway and a reverse link root key sent to a reverse link gateway, wherein the session key of the IP gateway is identical to a first group of three session keys, a third root key and a fourth root key respectively, the forward link root key is identical to the third root key, and the reverse link root key is identical to the fourth root key; the forward link gateway takes the received forward link root key as the root key of the forward link gateway, and performs key deduction based on the root key of the forward link gateway and the updated sending key to obtain a session key of the forward link gateway, wherein the session key of the forward link gateway comprises: the AS layer signaling forward encryption key, the AS layer signaling forward integrity protection key and the link layer forward data encryption key, specifically, the session keys of the forward link gateway are respectively the same AS the three session keys of the second group; the reverse link gateway takes the received reverse link root key as the root key of the reverse link gateway, and performs key deduction based on the root key of the reverse link gateway and the updated sending key to obtain a session key of the reverse link gateway, wherein the session key of the reverse link gateway comprises: the AS layer signaling reverse encryption key, the AS layer signaling reverse integrity protection key and the link layer reverse data encryption key are respectively the same AS the session keys of the third group, so that the network side network element can complete deduction through the updated sending key and the root key thereof, and 9 session keys for encrypting data when the network side network element sends the data are obtained.
Further, referring to fig. 7, fig. 7 is a schematic flow chart of key derivation after a preset time passes after receiving and responding to the update signaling by the network element at the network side according to the present invention. As shown in fig. 7, in the key updating method in the embodiment of the present invention, in the key deduction after the preset time when the network side network element receives and responds to the update signaling, the difference between the key deduction after the preset time when the network side network element receives and responds to the update signaling is that: in the multi-round key deduction based on the root key, the network element at the network side uses the second receiving key of the updated receiving key to obtain 9 session keys for decrypting the data when the network element at the network side receives the data.
Referring to fig. 8, fig. 8 is a schematic diagram of a key system for performing key deduction by a network element at a network side or a network element at a terminal side according to the present invention. As shown in fig. 8, the key deduction process of the network element at the network side is as follows:
the authentication center derives based on the root key Keyroot and the sending key or the receiving key, and obtains a session key of the authentication center: CK and IK are sent to the user home server;
the user attribution server deduces based on CK and IK and the sending key or the receiving key, and a session key of the user attribution server is obtained: the KeyASME sends the KeyASME to the IP gateway;
The IP gateway derives based on the KeyASME and the sending key or the receiving key, and obtains a session key of the IP gateway: NAS layer signaling encryption key: keynas_enc, NAS layer signaling integrity protection key: keynas_int, E-PDCP ciphering key: keyup_enc, forward link root key: keyMCS, reverse link root key: keyRCM, wherein KeyMCS is sent to the forward link gateway and KeyRCM is sent to the reverse link gateway;
the forward link gateway derives based on the KeyMCS and the sending key or the receiving key, and obtains an AS layer signaling forward encryption key: keyASF_enc, AS layer signaling forward integrity protection key: keyasf_int, link layer forward data encryption key: keyfl_enc;
the reverse link gateway derives based on the KeyRCM and the sending key or the receiving key, and obtains an AS layer signaling reverse encryption key: keyasr_enc, AS layer signaling reverse integrity protection key: keyasr_int, link layer reverse data encryption key: keyrl_enc.
The key deduction process of the terminal side network element is as follows:
the user terminal derives a first root key based on the root key Keyroot and the sending key or the receiving key: CK and IK;
the user terminal derives a second root key based on CK and IK and the sending key or the receiving key: keyASME;
The user terminal derives based on KeyASME and the sending key or the receiving key to obtain
The user terminal derives based on the KeyASME and the sending key or the receiving key, and obtains three session keys of the first group: keynas_enc, keynas_int, keyup_enc, third root key: keyMCS and fourth root key: keyRCM;
the user terminal derives based on the KeyMCS and the sending or receiving key, and obtains the three session keys of the second group: keyasf_enc, keyasf_int, keyfl_enc;
the user terminal derives based on the KeyRCM and the sending key or the receiving key, and obtains three session keys of the third group: keyasr_enc, keyasr_int, keyrl_enc.
Referring to fig. 9, fig. 9 is a schematic flow chart of a key update according to the present invention. As shown in fig. 9, in the present embodiment, a plurality of rotated key version numbers use a and B, and the key update steps are as follows:
the user attribution server broadcasts an update signaling A-B;
the user attribution server obtains Key Asme-A based on A deduction and sends the Key Asme-A to the IP gateway;
theIPgatewayderivesKeyNASme-AandupdatedsecretkeystoobtainKeyNAS_enc,KeyNAS_int,KeyUP_enc,twoencryptionversionnumbersKeyMCS-AandKeyRCM-A,andcorrespondinglyforwardstheencryptionversionnumberstotheforwardlinkgatewayandthereverselinkgateway;
The user terminal and the IP gateway are associated and registered;
and when the user terminal receives the new updating signaling, carrying out key deduction based on the new key version number to obtain a new three-layer key KeyNAS_enc, keyNAS_int, keyUP_enc and a forward and reverse link encryption key: keyasf_enc, keyasf_int, keyfl_enc and keyasr_enc, keyasr_int, keyrl_enc;
the forward link gateway derives KeyASF_enc, keyASF_int and KeyF_enc based on KeyMCS-A and the updated key;
thereverselinkgatewayderivesKeyASR_enc,KeyASR_intandKeyRL_encbasedonKeyRCM-Aandtheupdatedkey;
the user attribution server broadcasts an update signaling B-A;
the user attribution server obtains Key Asme-B based on B deduction and sends the Key Asme-B to the IP gateway;
the IP gateway derives new KeyNAS_enc, keyNAS_int, keyUP_enc, two encryption version numbers KeyMCS-B and KeyRCM-B based on KeyAsme-B and the updated secret key, and forwards the encryption version numbers to the forward link gateway and the reverse link gateway correspondingly;
the forward link gateway derives new KeyASF_enc, keyASF_int and KeyFL_enc based on KeyMCS-B and the updated key;
the reverse link gateway derives new keyasr_enc, keyasr_int, keyrl_enc based on KeyRCM-B and the updated key.
In the above embodiment, the network element uses the sending key or the receiving key to derive according to the root key of the network element, so as to obtain the session key used by the data transmission of the network element, so that the session key is not involved in the data transmission of the satellite network, the security of the data transmission in the satellite network is improved, and the situation of data leakage caused by directly transmitting the session key in the prior art is avoided.
Further, in some embodiments, the method further comprises: presetting a plurality of rotated key version numbers and random numbers corresponding to the key version numbers; and generating update signaling based on the preset key version numbers of the multiple rotations and random number rotations corresponding to the key version numbers.
Specifically, in some embodiments, the number of the preset key version numbers of the plurality of rotations may be 2, or may be 3 or 4, where the setting of the number of the preset key version numbers of the plurality of rotations is only illustrative, and in actual testing, a person skilled in the art may set the number according to actual needs, which is not repeated herein.
The following is a further explanation of the solution according to the invention in connection with application examples.
Referring to fig. 10, fig. 10 is a schematic diagram of the steps of a key update according to the present invention. As shown in fig. 10, in this embodiment, a plurality of rotated Key version numbers are denoted by numerals 0 to 7, a preset time is set to DeltaT, a sending Key is a sending Key, a receiving Key is a receiving Key, and the specific steps of Key update of the present invention are as follows:
when a first updating signaling is received, updating a sending key to 0, wherein the receiving key is 0, after DeltaT, the sending key is 0, and the receiving key is updated to 0 and 1, so that the first updating of the sending key and the receiving key is realized;
when receiving the new update signaling, updating the sending key to 1, sending the key update while maintaining the receiving key unchanged: 0 and 1, after DeltaT, the transmit key remains unchanged: 1, updating a receiving key to 1 and 2, and realizing the second updating of a sending key and a receiving key;
when new update signaling is received, the transmission key is updated to 2, the transmission key is updated and the reception key is maintained unchanged: 1 and 2, after DeltaT, the transmission key remains unchanged: 2, updating the receiving key to 2 and 3, and realizing the third updating of the sending key and the receiving key;
When receiving the new update signaling, updating the sending key to 3, sending the key update while maintaining the receiving key unchanged: 2 and 3, after DeltaT, the transmission key remains unchanged: 3, updating the receiving key to 3 and 4, and realizing fourth updating of the sending key and the receiving key;
similarly, the key update of the sending key and the receiving key is realized.
Referring to fig. 11, fig. 11 is a schematic diagram of a user home server according to the present invention broadcasting update signaling to a network element at a network side and a network element at a terminal side respectively. As shown in fig. 11, in this embodiment, the key version numbers of the multiple rotations use a and B, and the problem of asynchronization caused by different time between two network elements of the receiving end and the transmitting end in key switching is overcome by AB rotations, so as to realize seamless key switching. Specifically, in some embodiments, the signaling broadcast density of the user home server to the terminal side network element is far greater than the signaling broadcast density of the user home server to the network side network element, because the user terminal can be frequently on-line and off-line, and the gateway can remain unchanged in the power-on service state.
Referring to fig. 12, fig. 12 is a schematic diagram of data transmission with a terminal side network element when the network side network element first receives an update signaling according to the present invention. As shown in fig. 12, in this embodiment, the key version numbers of the multiple rotations use A0-B1-A2-B3, and the preset time is set as the following steps of data transmission with the network element at the terminal side when the network element at the DeltaT network side first receives the update signaling:
The network side network element needs to send data to the terminal side network element, at the moment, the sending key is A0, the receiving keys are A0 and B1, and the A0 is used for encrypting the sending data to reverse the sending data of the terminal side network element;
the terminal side network element receives the data encrypted by the A0, at the moment, the sending key is A0, the receiving keys are A0 and B1, the A0 in the receiving key is used for decrypting the data, and the A0 is used for encrypting the sending data to the network element at the reverse network side for sending the data;
the network side network element receives the update signaling, in the DeltaT time, the sending key is updated to B1, the receiving keys are A0 and B1, the network side network element receives the data encrypted by the A0, then the A0 in the receiving key is used for decrypting the data, and the B1 is used for encrypting the sending data to the network element at the reverse terminal side for sending the data;
the network element at the terminal side receives the update signaling, the sending key is updated to B1 in DeltaT time, the receiving keys are A0 and B1, the network element at the terminal side receives the data encrypted by the B1, then the B1 in the receiving key is used for decrypting the data, and the B1 is used for encrypting the sending data to the network element at the reverse network side for sending the data;
after the DeltaT time, the network side network element updates the sending key to B1, receives the keys B1 and A2, receives the data encrypted by the B1, decrypts the data by using the B1 in the receiving key, and encrypts the sending data by using the B1 to reverse the sending data by the network side network element;
After DeltaT time, the sending key of the terminal side network element is updated to B1, the receiving keys are B1 and A2, the terminal side network element receives data encrypted by the B1, decrypts the data by using the B1 in the receiving key, encrypts the sending data by using the B1 to reverse the sending data of the network element, and the like, so that seamless transmission between the terminal side network element and the network side network element is realized.
Referring to fig. 13, fig. 13 is a schematic diagram of data transmission with a network element at a network side when the network element at a terminal side first receives update signaling according to the present invention. As shown in fig. 13, in this embodiment, the key version numbers of the multiple rotations use A0-B1-A2-B3, and the preset time is set as the following steps of data transmission with the network element at the network side when the network element at the DeltaT terminal side first receives the update signaling:
the terminal side network element needs to send data to the network side network element, at the moment, the sending key is A0, the receiving key is A0 and B1, and the A0 is used for encrypting the sending data to the network side network element to send the data;
the network side network element receives the data encrypted by using the A0, at the moment, the sending key is A0, the receiving keys are A0 and B1, the A0 in the receiving key is used for decrypting the data, and the A0 is used for encrypting the sending data to the terminal side network element for sending the data;
The network element at the terminal side receives the update signaling, the sending key is updated to B1 in DeltaT time, the receiving keys are A0 and B1, the network element at the terminal side receives the data encrypted by the A0, then the data are decrypted by the A0 in the receiving key, and the sending data are encrypted by the B1 to send the data to the network element at the reverse network side;
the network side network element receives the update signaling, in the DeltaT time, the sending key is updated to B1, the receiving keys are A0 and B1, the network side network element receives the data encrypted by using the B1, then the B1 in the receiving key is used for decrypting the data, and the B1 is used for encrypting the sending data to the network element at the reverse terminal side for sending the data;
after DeltaT time, the terminal side network element updates the sending key to B1, receives the keys B1 and A2, receives the data encrypted by the B1, decrypts the data by using the B1 in the receiving key, and encrypts the sending data by using the B1 to reverse the sending data of the terminal side network element;
after DeltaT time, the network side network element updates the sending key to B1, receives the keys B1 and A2, receives the data encrypted by the B1, decrypts the data by using the B1 in the receiving key, encrypts the sending data by using the B1, and transmits the data to the terminal side network element, and the like, so that seamless transmission between the network side network element and the terminal side network element is realized.
The invention further provides an information transmission method, which is applied to a satellite network, wherein the network at least comprises an IP gateway, a forward link gateway, a reverse link gateway and a user terminal, the user terminal corresponding keys comprise an E-PDCP encryption key, a NAS layer signaling encryption key and a NAS layer signaling integrity protection key, the forward link gateway corresponding keys comprise an AS layer signaling forward encryption key, an AS layer signaling forward integrity protection key and a link layer forward data encryption key, and the reverse link gateway corresponding keys comprise an AS layer signaling reverse encryption key, an AS layer signaling reverse integrity protection key and a link layer reverse data encryption key.
Referring to fig. 14, fig. 14 is a flowchart illustrating main steps of an information transmission method according to an embodiment of the present invention. As shown in fig. 14, the information transmission method in the embodiment of the present invention mainly includes the following steps S601 to S602.
Step S601: the forward link gateway performs information data transmission with the IP gateway based on the E-PDCP encrypted data, and performs information data transmission with the user terminal based on AS layer signaling encryption and link layer BBframe encryption on the E-PDCP encrypted data;
Step S602: and the reverse link gateway performs information data transmission based on the E-PDCP encrypted data and the IP gateway, and performs information data transmission based on AS layer signaling encryption and link layer MAC encrypted data of the E-PDCP encrypted data and the user terminal, wherein at least one key of the corresponding keys of the IP gateway, the forward link gateway, the reverse link gateway and the user terminal is updated based on any one of the methods.
Referring to fig. 15, fig. 15 is a schematic diagram of a hierarchical encryption architecture of a spatial network according to the present invention. AS shown in fig. 15, the access layer implements link layer encryption and access layer AS signaling encryption and integrity protection, wherein in the link layer encryption, forward link layer encryption adopts link layer BBFrame encryption, and reverse link layer encryption adopts link layer MAC encryption; the non-access layer introduces an E-PDCP sublayer, wherein end-to-end data between the IP gateway and the terminal are encrypted by adopting E-PDCP and NAS signaling of the non-access layer, so that the functions of protecting the integrity of NAS signaling of the non-access layer, compressing a data message header and the like are realized, and the end-to-end data is encrypted by a link gateway in two layers on a transmission path through E-PDCP encryption and NAS signaling, namely, the end-to-end data is encrypted by an access layer MAC between the terminal and the access link gateway, thereby ensuring the safety of data transmission.
It should be noted that, although the foregoing embodiments describe the steps in a specific order, it will be understood by those skilled in the art that, in order to achieve the effects of the present invention, the steps are not necessarily performed in such an order, and may be performed simultaneously (in parallel) or in other orders, and these variations are within the scope of the present invention.
It will be appreciated by those skilled in the art that the present invention may implement all or part of the above-described methods according to the above-described embodiments, or may be implemented by means of a computer program for instructing relevant hardware, where the computer program may be stored in a computer readable storage medium, and where the computer program may implement the steps of the above-described embodiments of the method when executed by a processor. Wherein the computer program comprises computer program code which may be in source code form, object code form, executable file or some intermediate form etc. The computer readable storage medium may include: any entity or device, medium, usb disk, removable hard disk, magnetic disk, optical disk, computer memory, read-only memory, random access memory, electrical carrier wave signals, telecommunications signals, software distribution media, and the like capable of carrying the computer program code. It should be noted that the computer readable storage medium may include content that is subject to appropriate increases and decreases as required by jurisdictions and by jurisdictions in which such computer readable storage medium does not include electrical carrier signals and telecommunications signals.
Further, the invention also provides a control device 700.
Referring to fig. 16, fig. 16 is a schematic view of the main structure of a control device according to an embodiment of the present invention. As shown in fig. 16, in one embodiment of a control device 700 according to the present invention, the control device 700 includes a processor 701 and a memory 702, the memory 702 may be configured to store program code 703 for performing the key updating method of the above-described method embodiment, and the processor 701 may be configured to execute the program code 703 in the memory 702, the program code 703 including, but not limited to, the program code 703 for performing the key updating method of the above-described method embodiment. For convenience of explanation, only those portions of the embodiments of the present invention that are relevant to the embodiments of the present invention are shown, and specific technical details are not disclosed, please refer to the method portions of the embodiments of the present invention. The control device 700 may be a control device 700 formed of various electronic devices.
Further, the invention also provides a computer readable storage medium. In one computer readable storage medium embodiment according to the present invention, the computer readable storage medium may be configured to store program code 703 for performing the key update method of the above-described method embodiment, which program code 703 may be loaded and executed by the processor 701 to implement the above-described key update method. For convenience of explanation, only those portions of the embodiments of the present invention that are relevant to the embodiments of the present invention are shown, and specific technical details are not disclosed, please refer to the method portions of the embodiments of the present invention. The computer readable storage medium may be a memory 702 device formed by various electronic devices, and optionally the computer readable storage medium in embodiments of the present invention is a non-transitory computer readable storage medium.
Further, the invention also provides a satellite network 800.
Referring to fig. 17, fig. 17 is a main block diagram of a satellite network according to an embodiment of the present invention. As shown in fig. 17, the satellite network 800 in the embodiment of the present invention mainly includes a user home server 802, at least one network element, and the control device 700 described above, where the at least one network element includes: the network-side network element comprises at least an authentication center 801 and a gateway 803, and the terminal-side network element comprises at least one user terminal 804 authenticated by the authentication center 801, wherein the user home server 802 is configured to broadcast update signaling to the at least one network element respectively; the gateway 803 is used for mutual transmission of data between the authentication center 801 and at least one user terminal 804; the control device 700 is configured to perform any one of the above-mentioned key updating methods, and the control device 700 interacts with the network-side network element and/or the terminal-side network element information respectively, so that the network-side network element and/or the terminal-side network element implement key updating based on the control device 700. In one embodiment, the description of the specific implementation functions may be described with reference to step S301 to step S303.
The technical principles of the foregoing satellite network for implementing the key updating method and the embodiment shown in fig. 3, the technical problems to be solved and the technical effects to be produced are similar, and those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the satellite network and the related description may refer to the description of the embodiment of the key updating method, which is not repeated herein.
Further, it should be understood that, since the respective modules are merely set to illustrate the functional units of the apparatus of the present invention, the physical devices corresponding to the modules may be the processor itself, or a part of software in the processor, a part of hardware, or a part of a combination of software and hardware. Accordingly, the number of individual modules in the figures is merely illustrative.
Those skilled in the art will appreciate that the various modules in the apparatus may be adaptively split or combined. Such splitting or combining of specific modules does not cause the technical solution to deviate from the principle of the present invention, and therefore, the technical solution after splitting or combining falls within the protection scope of the present invention.
Thus far, the technical solution of the present invention has been described in connection with the preferred embodiments shown in the drawings, but it is easily understood by those skilled in the art that the scope of protection of the present invention is not limited to these specific embodiments. Equivalent modifications and substitutions for related technical features may be made by those skilled in the art without departing from the principles of the present invention, and such modifications and substitutions will fall within the scope of the present invention.

Claims (10)

1. A method for updating a key, characterized in that the method is applied to a satellite network, the satellite network comprises a user home server and at least one network element which interacts with the user home server information, the network element uses a receiving key when receiving data, the receiving key comprises a first receiving key and a second receiving key, and the network element uses a sending key when transmitting data;
the method comprises the following steps:
the user attribution server broadcasts an update signaling, wherein the update signaling comprises two updated key version numbers and random numbers respectively corresponding to the two updated key version numbers, and the two updated key version numbers comprise a key version number which is required to be updated currently and a key version number which is required to be updated next time;
the network element receives and responds to the update signaling, updates the sending key based on the key version number and the random number which are required to be updated currently in the update signaling in preset time, and maintains the receiving key unchanged, at the moment, the first receiving key is identical to the running key before updating, and the key version number and the random number in the second receiving key are respectively identical to the key version number and the random number which are required to be updated currently;
After the preset time, the network element updates the receiving key based on two updated key version numbers in the received update signaling and random numbers corresponding to the two updated key version numbers respectively, at this time, the key version number and the random number in the first receiving key are the same as the key version number and the random number which are required to be updated currently, and the key version number and the random number in the second receiving key are the same as the key version number and the random number which are required to be updated next time.
2. The key updating method according to claim 1, wherein the at least one network element includes a network-side network element and a terminal-side network element, the network-side network element includes at least an authentication center, the terminal-side network element includes at least one user terminal that has been authenticated by the authentication center, a root key is stored in the user terminal, and the root key of the user terminal is correspondingly stored in the authentication center.
3. The key updating method according to claim 2, wherein the network-side network element further comprises a gateway, the method further comprising:
the authentication center carries out key deduction based on the root key of the authentication center, the updated sending key or the receiving key, obtains a session key of the authentication center and sends the session key to the user attribution server;
The user attribution server takes the received session key of the authentication center as the root key of the user attribution server, and the user attribution server performs key deduction based on the root key of the user attribution server, the updated sending key or the receiving key to obtain the session key of the user attribution server and sends the session key to a gateway;
the gateway takes the received session key of the user home server as the root key of the gateway, and the gateway derives the session key of the gateway based on the root key of the gateway, the updated sending key or the receiving key.
4. A method of updating a key according to claim 3, wherein the gateway comprises an IP gateway, a forward link gateway and a reverse link gateway, the IP gateway having the received session key of the user home server as a root key of the IP gateway;
the gateway performs key deduction based on the root key of the gateway, the updated sending key or the receiving key, and the obtaining the session key of the gateway includes:
the IP gateway performs key deduction based on the root key of the IP gateway, the updated sending key or the receiving key, obtains the session key of the IP gateway and selectively sends the session key to the forward link gateway and the reverse link gateway respectively, wherein the session key of the IP gateway comprises: NAS layer signaling ciphering key, NAS layer signaling integrity protection key, E-PDCP ciphering key, forward link root key sent to forward link gateway, and reverse link root key sent to reverse link gateway;
The forward link gateway takes the received forward link root key as the root key of the forward link gateway, and performs key deduction based on the root key of the forward link gateway, the updated sending key or the receiving key to obtain a session key of the forward link gateway, wherein the session key of the forward link gateway comprises: an AS layer signaling forward encryption key, an AS layer signaling forward integrity protection key, and a link layer forward data encryption key;
the reverse link gateway takes the received reverse link root key as the root key of the reverse link gateway, and performs key deduction based on the root key of the reverse link gateway, the updated sending key or the receiving key to obtain a session key of the reverse link gateway, wherein the session key of the reverse link gateway comprises: an AS layer signaling reverse encryption key, an AS layer signaling reverse integrity protection key, and a link layer reverse data encryption key.
5. A key updating method according to claim 3, wherein the user home server broadcast update signalling comprises periodic broadcast update signalling by the user home server, and wherein the broadcast frequency by the user home server to the terminal side network element is substantially higher than the broadcast frequency by the user home server to the network side network element.
6. The method of updating a key according to claim 1, wherein the method further comprises:
presetting a plurality of rotated key version numbers and random numbers corresponding to the key version numbers;
and generating update signaling based on the preset key version numbers of the multiple rotations and random number rotations corresponding to the key version numbers.
7. The information transmission method is characterized in that the method is applied to a satellite network, the network at least comprises an IP gateway, a forward link gateway, a reverse link gateway and a user terminal, the user terminal corresponding keys comprise an E-PDCP encryption key, a NAS layer signaling encryption key and a NAS layer signaling integrity protection key, the forward link gateway corresponding keys comprise an AS layer signaling forward encryption key, an AS layer signaling forward integrity protection key and a link layer forward data encryption key, and the reverse link gateway corresponding keys comprise an AS layer signaling reverse encryption key, an AS layer signaling reverse integrity protection key and a link layer reverse data encryption key; the method comprises the following steps:
the forward link gateway performs information data transmission based on the E-PDCP encrypted data and the IP gateway, and performs AS layer signaling encryption and link layer BBFrame encrypted data and the user terminal based on the E-PDCP encrypted data, so AS to realize encryption of the information data transmission between the forward link gateway and the IP gateway and two-layer encryption of the information data transmission between the user terminal and the forward link gateway;
The reverse link gateway performs information data transmission based on the E-PDCP encrypted data and the IP gateway, and performs AS layer signaling encryption and link layer MAC encrypted data and the user terminal based on the E-PDCP encrypted data, so AS to realize encryption of information data transmission between the reverse link gateway and the IP gateway and two layers of encryption of information data transmission between the user terminal and the reverse link gateway;
wherein at least one key of the IP gateway, the forward link gateway, the reverse link gateway and the user terminal corresponding key is updated based on the method of any of claims 1-6.
8. A control device comprising a processor and a memory, the memory being adapted to store a plurality of program codes, characterized in that the program codes are adapted to be loaded and executed by the processor to perform the key updating method of any one of claims 1 to 6.
9. A computer readable storage medium, in which a plurality of program codes are stored, characterized in that the program codes are adapted to be loaded and executed by a processor to perform the key updating method of any one of claims 1 to 6.
10. A satellite network comprising a subscriber home server, at least one network element and the control apparatus of claim 8, the at least one network element comprising: the network side network element at least comprises an authentication center and a gateway, and the terminal side network element comprises at least one user terminal authenticated by the authentication center, wherein the user home server is used for broadcasting update signaling to the at least one network element respectively; the gateway is used for mutually transmitting data between the authentication center and at least one user terminal; the control device is configured to perform the key updating method according to any one of claims 1 to 6, and the control device interacts with the network-side network element and/or the terminal-side network element information respectively, so that the network-side network element and/or the terminal-side network element implement key updating based on the control device.
CN202310270834.3A 2023-03-20 2023-03-20 Key updating method, information transmission method, device, medium and satellite network Pending CN116321140A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310270834.3A CN116321140A (en) 2023-03-20 2023-03-20 Key updating method, information transmission method, device, medium and satellite network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310270834.3A CN116321140A (en) 2023-03-20 2023-03-20 Key updating method, information transmission method, device, medium and satellite network

Publications (1)

Publication Number Publication Date
CN116321140A true CN116321140A (en) 2023-06-23

Family

ID=86786661

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310270834.3A Pending CN116321140A (en) 2023-03-20 2023-03-20 Key updating method, information transmission method, device, medium and satellite network

Country Status (1)

Country Link
CN (1) CN116321140A (en)

Similar Documents

Publication Publication Date Title
US11316677B2 (en) Quantum key distribution node apparatus and method for quantum key distribution thereof
US8935529B2 (en) Methods and systems for end-to-end secure SIP payloads
US8687544B2 (en) Apparatus for distributing data traffic in heterogeneous wireless networks
KR101299837B1 (en) Trust establishment from forward link only to non-forward link only devices
US5748736A (en) System and method for secure group communications via multicast or broadcast
US9800420B2 (en) eMBMS over LAN
CN108111305B (en) Multi-type quantum terminal compatible converged network access system and method
Mink et al. Quantum key distribution (QKD) and commodity security protocols: Introduction and integration
JPH11331310A (en) Data transmission control method and data transmission system
CN102088441B (en) Data encryption transmission method and system for message-oriented middleware
JP2008533910A (en) How to integrate QKD with IPSec
US11689360B2 (en) Quantum key distribution method, device, and system
CN110808834B (en) Quantum key distribution method and quantum key distribution system
JP2022516352A (en) One-time pad encryption hub
Liyanage et al. Securing virtual private LAN service by efficient key management
Cruickshank et al. Securing multicast in DVB-RCS satellite systems
CN102905199A (en) Implement method and device of multicast service and device thereof
US8254580B2 (en) Key distribution in a hierarchy of nodes
US8311217B2 (en) Data transmission method and terminal
CN116321140A (en) Key updating method, information transmission method, device, medium and satellite network
WO2023158459A2 (en) System and method for implementing quantum-secure wireless networks
KR100888075B1 (en) An encryption and decryption system for multicast using a personal symmetric key
CN101087188B (en) MBS authentication secret key management method and system in wireless network
JP2008066882A (en) Encryption key distribution apparatus, and encryption key distribution method
JP5162931B2 (en) Content distribution method, relay node, data communication program, and recording medium recording the program

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination