CN1878169A - Ub interface information interaction method in general guiding frame - Google Patents


Info

Publication number: CN1878169A
Authority: CN (China)
Prior art keywords: security, bsf, message, function entity, server function
Legal status: Pending
Application number: CN 200510136337
Other languages: Chinese (zh)
Inventor: 何承东
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd

Abstract

The invention discloses a Ub interface information interaction method in the Generic Bootstrapping Architecture, characterized in that security protection of the B-TID is realized on the Ub interface while forward and backward version compatibility is supported: a Security Association is established between the UE and the BSF through security capability negotiation, and the B-TID is transmitted through that Security Association, whose negotiation information is carried in a designated parameter or header field of the existing AKA negotiation messages.

Description

Ub interface information interaction method in the Generic Bootstrapping Architecture
Technical field
The present invention relates to communication technology, and in particular to a Ub interface information interaction method in the Generic Bootstrapping Architecture.
Background technology
With the rapid development of mobile communication services, mobile data and multimedia communication will be applied more and more widely and, in the near future, may even overtake traditional voice as the main service carried by mobile communication. The traditional second-generation Global System for Mobile Communication (GSM) network cannot adapt to this new trend, so GSM will gradually transition to third-generation (3G) mobile communication systems. Among these, the Wideband Code Division Multiple Access (WCDMA)/Universal Mobile Telecommunications System (UMTS) standardized by the 3rd Generation Partnership Project (3GPP), with its continuously improving and maturing technical standard, flexible network architecture, smooth evolution path and efficient investment, has gradually become the main 3G technology and has been accepted by more and more mobile operators and equipment suppliers.
The Generic Bootstrapping Architecture (GBA) defined in 3GPP is shown in Figure 1. It consists of the IP Multimedia Subsystem (IMS) User Equipment (UE), the Bootstrapping Server Function (BSF), the Home Subscriber Server (HSS), the Subscription Locator Function (SLF) and the Network Application Function (NAF). The UE is connected to the BSF over the Ub interface and to the NAF over the Ua interface; the BSF is connected to the HSS over the Zh interface, to the NAF over the Zn interface and to the SLF over the Dz interface.
The BSF performs mutual authentication with the UE and, during that authentication, generates the key Ks shared between the BSF and the UE. The HSS is a subscriber database that stores the UE's subscription data and configuration information and also generates authentication information. The SLF helps the BSF locate the correct HSS when there are several HSSs. The NAF provides network services to the UE.
When the UE needs to use a service, it must first perform mutual authentication with the BSF before contacting the NAF corresponding to that service. If the UE knows that the service requires mutual authentication, it sends an authentication request directly to the BSF. If the UE does not know that mutual authentication with the BSF is required and contacts the NAF for the service first, then the NAF, if it uses GBA and finds that the UE has not yet performed mutual authentication with the BSF, notifies the UE to perform mutual authentication with the BSF to verify its identity.
The flow of mutual authentication between the UE and the BSF is shown in Figure 2.
In step 210, the UE sends a GBA request message to the BSF carrying its private user identity and requesting authentication.
In step 220, the BSF interacts with the HSS to obtain the authentication vector for this UE, which comprises the authentication token (AUTN), a random number (RAND), the integrity key (IK), the cipher key (CK) and the expected result (XRES).
In step 230, the BSF returns a response message to the UE containing RAND and AUTN.
In step 240, the UE runs the AKA (Authentication and Key Agreement) algorithm, verifies the validity of AUTN to authenticate the network, derives IK and CK, and generates the result (RES).
In step 250, the UE sends a GBA request message to the BSF again, this time carrying RES.
In step 260, the BSF authenticates the UE by checking whether the RES in the GBA request message matches XRES.
In step 270, the BSF derives the root key (Ks) from IK and CK and defines a lifetime for Ks so that Ks is updated regularly.
In step 280, the BSF allocates a Bootstrapping Transaction Identifier (B-TID) that identifies this authentication transaction between the BSF and the UE. The allocated B-TID must be associated with Ks and with the UE's private user identity so that the BSF can later find the corresponding Ks from the B-TID. The BSF then sends the B-TID and the lifetime of Ks to the UE in clear text.
In step 290, the UE stores the B-TID and the lifetime of Ks and generates the same shared Ks as the BSF side.
When the UE communicates with a NAF, the Ks shared between the UE and the BSF is used to derive the key Ks_NAF shared between the UE and the NAF, which establishes a Security Association for communication between them.
At present, sending the B-TID in clear text in step 280 causes a series of problems:
An attacker can easily discover the correspondence between the private user identity and the B-TID, track the UE, and wait for an opportunity to attack a particular UE's services when it communicates with the NAF;
The privacy of the B-TID used as a temporary user identity when the UE interacts with the NAF cannot be guaranteed;
When the visited network operator and the home network operator are not the same, the B-TID may leak to the visited network operator, creating a potential security risk; and so on.
To address this problem, one scheme has the UE establish a Transport Layer Security (TLS) tunnel with the BSF before performing mutual authentication, so that the whole mutual authentication process between the UE and the BSF runs inside the TLS tunnel; the UE and the BSF authenticate each other at the two ends of the TLS tunnel by means of authentication credentials, which ensures that the B-TID is not leaked in transit.
However, this scheme means that another security authentication mechanism must be introduced into the bootstrapping process in which the UE and the BSF mutually authenticate, which increases network load; moreover, because TLS is relatively inefficient, it also reduces the efficiency of the UE's bootstrapping process to some extent. In addition, because the UE cannot know the version of the peer when communicating with the BSF, interworking between new and old versions cannot be achieved.
Another scheme that addresses the problems caused by sending the B-TID in clear text is shown in Figure 3.
Step 310 corresponds to step 210. Steps 320 to 330 correspond to step 220. Step 340 corresponds to steps 230 to 260. In step 350, the BSF allocates a B-TID identifying this authentication transaction between the BSF and the UE; the allocated B-TID must be associated with Ks and the UE's private user identity so that the BSF can later find the corresponding Ks from the B-TID. In step 360, the BSF encrypts the B-TID and sends it to the UE. In step 370, the UE decrypts the B-TID and stores it. In step 380, the UE uses the B-TID as a temporary user identity for service communication with the BSF.
However, because the interaction between the UE and the BSF in this scheme does not take place in a secure tunnel, the encrypted B-TID may still be subject to a man-in-the-middle attack on its way from the BSF to the UE, and after receiving the B-TID the UE cannot tell whether it has been forged or tampered with by an attacker. In addition, the B-TID encryption and decryption method and key must be pre-configured in the UE and the BSF, and because the UE cannot know the version of the peer (and therefore its encryption and decryption method) when communicating with the BSF, interworking between new and old versions likewise cannot be achieved.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a Ub interface information interaction method in the Generic Bootstrapping Architecture that solves the problem of protecting the B-TID on the Ub interface while supporting forward and backward version compatibility.
To achieve the above object, the invention provides a Ub interface information interaction method in the Generic Bootstrapping Architecture comprising the following steps:
A. The user equipment and the bootstrapping server function entity establish a Security Association by exchanging security capability information;
B. The bootstrapping server function entity uses the Security Association to send a message to the user equipment, the message containing the bootstrapping transaction identifier.
The Security Association is deleted after the interaction between the user equipment and the bootstrapping server function entity is complete.
In the method, in step A the security capability information is transmitted in the form of a security mechanism list that includes security protocols, security algorithms and their corresponding priorities.
In the method, the security mechanism list is transmitted in a designated parameter or header field of the authentication messages of the Generic Bootstrapping Architecture.
In the method, step A further comprises the following sub-steps:
A1. The user equipment sends a Generic Bootstrapping Architecture request message to the bootstrapping server function entity carrying the security mechanism list supported by the user equipment;
A2. The bootstrapping server function entity responds with a challenge response message to the user equipment carrying the security mechanism list supported by the bootstrapping server function entity;
A3. The user equipment computes the corresponding integrity key and cipher key from the challenge response message; the user equipment and the bootstrapping server function entity select the security protocol and security algorithm that both sides support and that has the highest priority, and establish a Security Association;
A4. The user equipment sends a Generic Bootstrapping Architecture request message to the bootstrapping server function entity carrying the negotiated security mechanism list;
A5. The bootstrapping server function entity checks the validity of the parameters in the negotiated security mechanism list it receives.
In the method, the following step is further included between steps A1 and A2:
A bootstrapping server function entity that supports the security capability information negotiation judges whether the user equipment also supports the negotiation according to whether the Generic Bootstrapping Architecture request message from the user equipment contains the security mechanism list parameter. If so, steps A2 to A5 are performed; otherwise the ordinary Generic Bootstrapping Architecture authentication flow is performed.
In the method, the following step is further included between steps A2 and A3:
A user equipment that supports the security capability information negotiation judges from a failure response message from the bootstrapping server function entity whether the bootstrapping server function entity also supports the negotiation. If so, steps A3 to A5 are performed; otherwise the ordinary Generic Bootstrapping Architecture authentication flow is performed.
In the method, the following step is further included between steps A2 and A3:
A user equipment that supports the security capability information negotiation judges whether the bootstrapping server function entity also supports the negotiation according to whether the challenge response message from the bootstrapping server function entity carries the security mechanism list parameter. If so, steps A3 to A5 are performed; otherwise the ordinary Generic Bootstrapping Architecture authentication flow is performed.
In the method, the message in step B is the success response message sent by the bootstrapping server function entity to the user equipment; it carries the bootstrapping transaction identifier and the shared key lifetime as parameters and is encrypted with the security protocol, security algorithm and corresponding key negotiated in the Security Association;
The user equipment obtains the bootstrapping transaction identifier and the shared key lifetime by decrypting with the Security Association and stores them.
In the method, when the message is encrypted with the security protocol and security algorithm negotiated in the Security Association, the key is the integrity key, the cipher key, a combination of the integrity key and the cipher key, or the root key computed from the integrity key and the cipher key.
By comparison, the main difference between the technical solution of the present invention and the prior art is that a Security Association is established between the UE and the BSF through security capability negotiation, and information such as the B-TID is transmitted using that Security Association.
The negotiation information for the Security Association is carried in a designated parameter or header field of the existing AKA negotiation messages.
This difference brings a significant beneficial effect: because information such as the B-TID is transmitted through the Security Association, and the encryption method of the Security Association is obtained by dynamic negotiation, the chance that such information is forged or tampered with is greatly reduced compared with the static encryption or no encryption of the prior art.
Because the negotiation information of the Security Association is carried by the existing AKA negotiation messages, no new messages are added to the interaction flow between the UE and the BSF, and almost no additional burden is placed on the network.
Because the negotiation information of the Security Association is transmitted in a designated parameter or header field of the AKA negotiation messages, a UE or BSF that supports the above security capability negotiation mechanism can easily tell, at the start of AKA negotiation, whether the peer supports the mechanism simply by checking whether the security mechanism list parameter or header field is present; it can therefore fall back easily to the legacy interaction mode when the peer does not support the mechanism, protecting the existing investment of users and operators.
Brief description of the drawings
Fig. 1 is a schematic diagram of the Generic Bootstrapping Architecture defined by 3GPP in the prior art;
Fig. 2 is a flow chart of the UE performing the authentication process in the prior art;
Fig. 3 is a flow chart of the prior-art scheme in which the B-TID is encrypted during the UE's bootstrapping process;
Fig. 4 is the normal flow chart of Ub interface information interaction in the Generic Bootstrapping Architecture according to the first embodiment of the present invention;
Fig. 5 is the flow chart of new/old version interworking of Ub interface information interaction in the Generic Bootstrapping Architecture according to the second embodiment of the present invention;
Fig. 6 is the flow chart of new/old version interworking of Ub interface information interaction in the Generic Bootstrapping Architecture according to the third embodiment of the present invention.
Embodiments
To make the purpose, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings.
The core of the present invention is that the UE makes its security capability information known to the BSF by carrying the security mechanism list it supports in the GBA request message it sends to the BSF, and the BSF makes its security capability information known to the UE by carrying the security mechanism list it supports in the challenge response message it sends to the UE. Once each side knows the other's security capabilities, the UE and the BSF establish a Security Association; the BSF encrypts the message containing the B-TID and the Ks lifetime with the security protocol, security algorithm and corresponding key negotiated in the Security Association and sends it to the UE. On receiving this message, the UE decrypts it with the negotiated security protocol, security algorithm and key and stores the decrypted B-TID and Ks lifetime.
So as not to affect the performance of the BSF when it establishes Security Associations with many UEs at the same time, the UE side may delete the Security Association with the BSF after storing the B-TID and the Ks lifetime.
For a UE and a BSF that support the above security capability negotiation mechanism, the security mechanism list parameter is carried in the GBA request message or the challenge response message. Therefore a BSF that supports the mechanism can tell whether the peer supports it from whether the GBA request message carries the security mechanism list parameter, and a UE that supports the mechanism can tell from whether the challenge response message carries the parameter or from a failure response message; each can then use the protocol of the corresponding version, achieving interworking between new and old versions.
The Ub interface information interaction method in the Generic Bootstrapping Architecture according to the first embodiment of the present invention is shown in Figure 4. In this embodiment, both the UE and the BSF support the above security capability negotiation mechanism.
In step 401, the UE sends a GBA request message to the BSF carrying the private user identity and the UE's security mechanism list. Specifically, to establish a Security Association with the BSF, the UE must pass its own security capability information to the BSF so that the BSF knows which security protocols the UE supports, which algorithms within those protocols, and their corresponding priorities. Carrying the security mechanism list containing the security capability information in a designated parameter or header field of the GBA request message reduces the burden added to the network. For example, the UE's security capability information can be passed to the BSF by carrying the security mechanism list in header fields similar to the Require, Proxy-Require or Security-Client header fields of the Session Initiation Protocol (SIP).
Then, in step 402, the BSF obtains the authentication vector from the HSS. This step is the same as in the prior art: the BSF interacts with the HSS to obtain the UE's authentication vector information, such as AUTN, RAND, IK, CK and XRES.
Then, in step 403, the BSF returns a challenge response message to the UE containing AUTN, RAND and the BSF's security mechanism list. Specifically, after receiving the UE's authentication vector, the BSF places the AUTN and RAND from the vector, together with its own security mechanism list, in the challenge response message and returns it to the UE. AUTN is used to verify the BSF's identity; RAND lets the UE derive the same IK and CK as the BSF side; and the BSF's security mechanism list tells the UE the BSF's security capabilities, including the security protocols the BSF supports, the algorithms within those protocols and their corresponding priorities. The BSF's security mechanism list can be carried in a designated parameter or header field of the challenge response message, for example a header field similar to the SIP Security-Server header field.
Then, in step 404, the UE runs the AKA algorithm, verifies the validity of AUTN to authenticate the network, derives IK and CK, and generates RES. Specifically, after receiving the challenge response message returned by the BSF, the UE verifies the identity of the peer BSF by checking the validity of AUTN, computes the same IK and CK as the BSF side from RAND, and generates RES.
Then, in step 405, the UE and the BSF establish a Security Association. Because each side knows the other's security capabilities, they can select the security protocol and security algorithm that both sides support and that has the highest priority, and establish the Security Association. For example, from the security mechanism list carried by the UE in the GBA request message the BSF learns that the UE supports security protocols and algorithms A, B and C, with A having higher priority than B and B higher than C; from the security mechanism list carried by the BSF in the challenge response message the UE learns that the BSF supports A, B and D, with A having higher priority than B and B higher than D. Through negotiation, the UE and the BSF therefore select A, which both sides support and which has the highest priority, and establish the Security Association using as the encryption key the integrity key, the cipher key, a combination of the integrity key and the cipher key, or the root key computed from the integrity key and the cipher key.
Then, in step 406, the UE sends a GBA request message to the BSF again carrying RES and the negotiated security mechanism list; the negotiated list can be carried in a designated parameter or header field of the GBA request message, for example header fields similar to the SIP Security-Client and Security-Verify header fields.
RES is used to verify the identity of the UE; the negotiated security mechanism list is used to judge whether the security mechanism lists of the UE and the BSF were subjected to a man-in-the-middle attack during transmission.
Then, in step 407, the BSF checks the validity of the negotiated security mechanism list parameter.
Then, in step 408, the BSF checks the validity of RES to authenticate the UE. This step is the same as in the prior art: the BSF authenticates the UE by judging whether the RES in the GBA request message matches the XRES obtained from the HSS.
Then, in step 409, the BSF generates Ks from the IK and CK obtained from the HSS.
Then, in step 410, the BSF sends the B-TID and the Ks lifetime to the UE in a success response message. Specifically, the BSF allocates a B-TID to identify this authentication transaction with the UE, associates it with Ks and the UE's private user identity so that it can later find the corresponding Ks from the B-TID, and defines a lifetime for Ks so that Ks is updated regularly. The BSF places the B-TID and the Ks lifetime in the success response message, encrypts the message with the security protocol, security algorithm and corresponding encryption key negotiated in the Security Association, and sends the encrypted message to the UE. The encryption key is the integrity key, the cipher key, a combination of the integrity key and the cipher key, or the root key computed from the integrity key and the cipher key.
Then, in step 411, after receiving the success response message, the UE performs the corresponding decryption with the security protocol, security algorithm and encryption key negotiated in the Security Association, obtains the B-TID and the Ks lifetime, and stores them on the UE side.
Then, in step 412, the Security Association between the UE and the BSF is deleted. If the BSF establishes Security Associations with many UEs at the same time, its performance may be affected to some degree; therefore, once the UE side has stored the B-TID, the Ks lifetime and other information, it immediately deletes the Security Association previously established with the BSF.
In this embodiment, because information such as the B-TID is passed to the UE through the Security Association, and the encryption method of the Security Association is obtained by dynamic negotiation, the chance that such information is forged or tampered with is greatly reduced compared with the static encryption or no encryption of the prior art. In addition, because the security capability information of the UE and the BSF is passed to the other side in the form of security mechanism lists carried in the existing AKA negotiation messages, no new messages are added to the interaction flow between the UE and the BSF, and almost no additional burden is placed on the network.
It should be noted that, because the UE and the BSF can complete the negotiation of the mutual security protocol and security algorithm and establish the Security Association as soon as they know each other's security capability information, the Security Association between them can be established immediately after the UE receives the BSF's challenge response message, or at any moment between the UE receiving the challenge response message and the BSF sending the success response message, without affecting the essence of the present invention.
The Ub interface information interaction method in the Generic Bootstrapping Architecture according to the second embodiment of the present invention is shown in Figure 5. In this embodiment, the UE is a new-version UE that supports the above security capability negotiation mechanism, and the BSF is a legacy BSF that does not support it.
In step 501, the UE sends a GBA request message to the BSF carrying the private user identity and the UE's security mechanism list. This step is identical to step 401 and is not repeated here.
In step 502, the BSF obtains the authentication vector from the HSS. This step is identical to step 402.
In step 503, the BSF returns a challenge response message to the UE. Because the BSF in this embodiment is a legacy BSF that does not support the negotiation mechanism, the challenge response message contains only AUTN and RAND and not the BSF's security mechanism list.
In step 504, on receiving the challenge response message the UE finds that it does not contain the BSF's security mechanism list, learns from this that the BSF is a legacy BSF that does not support the negotiation mechanism, and therefore performs the ordinary GBA authentication flow. That is, steps 504 to 509 are identical to the prior art and correspond to steps 240 to 290.
This shows that the UE can learn whether the peer supports the above negotiation mechanism from the challenge response message returned by the BSF, and when the peer does not support it, the UE can fall back to the prior-art authentication flow, achieving interworking between new and old versions.
The Ub interface information interaction method in the Generic Bootstrapping Architecture according to the third embodiment of the present invention is shown in Figure 6. In this embodiment, the UE is a new-version UE that supports the above security capability negotiation mechanism, and the BSF is a legacy BSF that does not support it.
In step 601, the UE sends a GBA request message to the BSF carrying the private user identity and the UE's security mechanism list. This step is identical to step 401.
In step 602, the BSF returns a failure message to the UE. Because the BSF is a legacy BSF that does not support the negotiation mechanism, it returns an "operation not supported" or other failure response to notify the UE that the network-side BSF does not support security mechanism negotiation.
After learning that the network-side BSF does not support security capability negotiation, the UE falls back to the prior-art authentication flow: it re-sends a request message without the "security mechanism list supported by the UE" parameter to the BSF and performs the ordinary GBA authentication steps, i.e. steps 603 to 611, which correspond to steps 210 to 290.
This shows that the UE can also learn from the failure message returned by the BSF that the peer does not support the negotiation mechanism, fall back to the prior-art authentication flow and re-initiate the authentication request, achieving interworking between new and old versions.
It should be noted that when the UE is a legacy UE that does not support the above negotiation mechanism and the BSF is a new-version BSF that does, the GBA request message the UE sends to the BSF contains only the private user identity; the BSF can therefore learn from the parameters carried in the GBA request message that the UE does not support the negotiation mechanism and use the prior-art flow in the subsequent steps. That is, when the UE is a legacy UE and the BSF is a new-version BSF, the authentication flow between them is identical to the prior-art flow, achieving interworking between new and old versions.
Though pass through with reference to some of the preferred embodiment of the invention, the present invention is illustrated and describes, but those of ordinary skill in the art should be understood that and can do various changes to it in the form and details, and without departing from the spirit and scope of the present invention.

Claims (10)

1. A Ub interface information interaction method in a general bootstrapping architecture, characterized by comprising the following steps:
A. the user equipment and the bootstrap server function entity establish a security association through security capability information negotiation;
B. the bootstrap server function entity uses the security association to send a message to the user equipment, the message containing the bootstrapping transaction identifier.
2. The Ub interface information interaction method in a general bootstrapping architecture according to claim 1, characterized in that after the interaction between the user equipment and the bootstrap server function entity is completed, the security association is deleted.
3. The Ub interface information interaction method in a general bootstrapping architecture according to claim 1, characterized in that in step A the security capability information is transmitted in the form of a security mechanism list, which contains security protocols, security algorithms and their corresponding priorities.
4. The Ub interface information interaction method in a general bootstrapping architecture according to claim 3, characterized in that the security mechanism list is transmitted in a designated parameter or header field of an authentication message of the general bootstrapping architecture.
5. The Ub interface information interaction method in a general bootstrapping architecture according to claim 4, characterized in that step A further comprises the following sub-steps:
A1. the user equipment sends a general bootstrapping architecture request message to the bootstrap server function entity, carrying the security mechanism list supported by this user equipment;
A2. the bootstrap server function entity responds with a challenge response message to the user equipment, carrying the security mechanism list supported by this bootstrap server function entity;
A3. the user equipment calculates the corresponding integrity key and encryption key according to the challenge response message; the user equipment and the bootstrap server function entity select the security protocol and security algorithm that both support and that have the highest priority, and establish a security association;
A4. the user equipment sends a general bootstrapping architecture request message to the bootstrap server function entity, carrying the negotiated security mechanism list;
A5. the bootstrap server function entity checks the validity of the parameters in the received negotiated security mechanism list.
6. The Ub interface information interaction method in a general bootstrapping architecture according to claim 5, characterized in that the following step is further included between steps A1 and A2:
the bootstrap server function entity supporting the security capability information negotiation judges, according to whether the general bootstrapping architecture request message from the user equipment contains the security mechanism list parameter, whether the user equipment also supports the security capability information negotiation; if so, steps A2 to A5 are carried out, otherwise the authentication procedure of the ordinary general bootstrapping architecture is carried out.
7. The Ub interface information interaction method in a general bootstrapping architecture according to claim 5, characterized in that the following step is further included between steps A2 and A3:
the user equipment supporting the security capability information negotiation judges, according to a failure response message from the bootstrap server function entity, whether the bootstrap server function entity also supports the security capability information negotiation; if so, steps A3 to A5 are carried out, otherwise the authentication procedure of the ordinary general bootstrapping architecture is carried out.
8. The Ub interface information interaction method in a general bootstrapping architecture according to claim 5, characterized in that the following step is further included between steps A2 and A3:
the user equipment supporting the security capability information negotiation judges, according to whether the challenge response message from the bootstrap server function entity carries the security mechanism list parameter, whether the bootstrap server function entity also supports the security capability information negotiation; if so, steps A3 to A5 are carried out, otherwise the authentication procedure of the ordinary general bootstrapping architecture is carried out.
9. The Ub interface information interaction method in a general bootstrapping architecture according to any one of claims 1 to 8, characterized in that the message in step B is a success response message sent by the bootstrap server function entity to the user equipment, the message containing the bootstrapping transaction identifier and the shared key lifetime as parameters, and the message being encrypted using the security protocol, security algorithm and corresponding key negotiated in the security association;
the user equipment obtains the bootstrapping transaction identifier and the shared key lifetime by decrypting with the security association, and stores this bootstrapping transaction identifier and shared key lifetime.
10. The Ub interface information interaction method in a general bootstrapping architecture according to claim 9, characterized in that when the message is encrypted using the security protocol and security algorithm negotiated in the security association, the key is the integrity key, or the encryption key, or a combination of the integrity key and the encryption key, or a root key calculated from the integrity key and the encryption key.
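The negotiation in sub-steps A1 to A5 and the three fallback cases of the embodiments (challenge without a BSF list, failure response, request without a UE list) as an added simulation; this is illustrative code written for this page, not code from the patent or from any 3GPP implementation, and the mechanism names, priorities, RAND/AUTN values and the IMPI are constructed placeholders:

```python
from dataclasses import dataclass, field

# Security mechanism list entries as in claim 3: (protocol, algorithm, priority),
# higher priority preferred. Mechanism names are constructed placeholders.
UE_LIST = [("TLS", "AES-128", 3), ("TLS", "3DES", 1), ("IPsec", "AES-128", 2)]
BSF_LIST = [("IPsec", "AES-128", 2), ("TLS", "3DES", 1)]

def select_common(ue_list, bsf_list):
    """Step A3: the highest-priority (protocol, algorithm) both sides support."""
    bsf_pairs = {(p, a) for p, a, _ in bsf_list}
    common = [m for m in ue_list if (m[0], m[1]) in bsf_pairs]
    return max(common, key=lambda m: m[2]) if common else None

@dataclass
class BSF:
    legacy: bool                       # legacy BSF: no negotiation support
    rejects_unknown: bool = False      # legacy variant that answers with a failure
    mechanisms: list = field(default_factory=list)

    def challenge(self, request):
        """Step A2 (claim 6): answer a GBA request with an AKA challenge."""
        if self.legacy and self.rejects_unknown and "mechanisms" in request:
            return {"error": "operation not supported"}   # third embodiment
        resp = {"RAND": "rand", "AUTN": "autn"}           # constructed values
        if not self.legacy and "mechanisms" in request:
            resp["mechanisms"] = self.mechanisms          # both sides are new
        return resp

    def check_negotiated(self, ue_list, negotiated):
        """Step A5: the UE's reported choice must equal the BSF's own selection,
        so a downgraded choice inserted on the path is rejected."""
        return select_common(ue_list, self.mechanisms) == negotiated

def ue_bootstrap(ue_list, bsf):
    """UE side (claims 7 and 8): returns the negotiated mechanism,
    'legacy' when the peer cannot negotiate, or 'failed' on a mismatch."""
    request = {"IMPI": "user@example.com", "mechanisms": ue_list}
    resp = bsf.challenge(request)
    if "error" in resp:                       # failure response: retry the old way
        resp = bsf.challenge({"IMPI": request["IMPI"]})
    if "mechanisms" not in resp:              # no BSF list: peer is a legacy BSF
        return "legacy"
    chosen = select_common(ue_list, resp["mechanisms"])
    if chosen is None or not bsf.check_negotiated(ue_list, chosen):
        return "failed"
    return chosen                             # steps A4/A5 passed: SA established
```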

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200510136337 CN1878169A (en) 2005-12-31 2005-12-31 Ub interface information interaction method in general guiding frame


Publications (1)

Publication Number Publication Date
CN1878169A true CN1878169A (en) 2006-12-13

Family

ID=37510461

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200510136337 Pending CN1878169A (en) 2005-12-31 2005-12-31 Ub interface information interaction method in general guiding frame

Country Status (1)

Country Link
CN (1) CN1878169A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010003335A1 (en) * 2008-07-11 2010-01-14 成都市华为赛门铁克科技有限公司 Method, system and device for negotiating security association (sa) in ipv6 network
US8418242B2 (en) 2008-07-11 2013-04-09 Chengdu Huawei Symantec Technologies Co., Ltd. Method, system, and device for negotiating SA on IPv6 network
CN101626374B (en) * 2008-07-11 2013-08-28 成都市华为赛门铁克科技有限公司 Method, system and equipment for negotiating security association (SA) in internet protocol version 6 (IPv6) network
WO2014183535A1 (en) * 2013-11-25 2014-11-20 中兴通讯股份有限公司 Method and system for secure transmission of small data of mtc device group
US9686683B2 (en) 2013-11-25 2017-06-20 Zte Corporation Method and system for secure transmission of small data of MTC device group
WO2016041374A1 (en) * 2014-09-18 2016-03-24 中兴通讯股份有限公司 Method and device for acquiring sip signaling decryption parameters
US10419482B2 (en) 2014-09-18 2019-09-17 Zte Corporation Method and apparatus for acquiring SIP signaling decryption parameters
CN106789076B (en) * 2016-12-28 2020-01-14 Tcl集团股份有限公司 Interaction method and device for server and intelligent equipment
WO2022027673A1 (en) * 2020-08-07 2022-02-10 华为技术有限公司 Algorithm negotiation method in generic bootstrapping architecture and related apparatus

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20061213