WO2005078992A1 - A Method for Implementing Multimedia Broadcast Multicast Service Key Distribution - Google Patents

A Method for Implementing Multimedia Broadcast Multicast Service Key Distribution Download PDF

Info

Publication number
WO2005078992A1
WO2005078992A1 PCT/CN2005/000096 CN2005000096W WO2005078992A1 WO 2005078992 A1 WO2005078992 A1 WO 2005078992A1 CN 2005000096 W CN2005000096 W CN 2005000096W WO 2005078992 A1 WO2005078992 A1 WO 2005078992A1
Authority
WO
WIPO (PCT)
Prior art keywords
time
user
broadcast
group
key
Prior art date
Application number
PCT/CN2005/000096
Other languages
French (fr)
Chinese (zh)
Inventor
Wenlin Zhang
Yingxin Huang
Hai Zhang
De Chen
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd. filed Critical Huawei Technologies Co., Ltd.
Publication of WO2005078992A1 publication Critical patent/WO2005078992A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04HBROADCAST COMMUNICATION
    • H04H60/00Arrangements for broadcast applications with a direct linking to broadcast information or broadcast space-time; Broadcast-related systems
    • H04H60/09Arrangements for device control with a direct linkage to broadcast information or to broadcast space-time; Arrangements for control of broadcast-related services
    • H04H60/14Arrangements for conditional access to broadcast information or to broadcast-related services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04HBROADCAST COMMUNICATION
    • H04H60/00Arrangements for broadcast applications with a direct linking to broadcast information or broadcast space-time; Broadcast-related systems
    • H04H60/09Arrangements for device control with a direct linkage to broadcast information or to broadcast space-time; Arrangements for control of broadcast-related services
    • H04H60/14Arrangements for conditional access to broadcast information or to broadcast-related services
    • H04H60/23Arrangements for conditional access to broadcast information or to broadcast-related services using cryptography, e.g. encryption, authentication, key distribution
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution
    • H04L2209/601Broadcast encryption

Definitions

  • the present invention relates to key processing technology, and particularly to a method for implementing key distribution of multimedia broadcast / multicast services. Background of the invention
  • the third-generation mobile communication can provide higher data rate services than the second-generation mobile communication, thereby supporting a variety of business forms, such as: video calls, image downloads, high-speed Internet browsing And other services.
  • one type of service is characterized in that it can send to all users who have customized the service in the wireless network at the same time, such as sending weather forecasts, news clips, sports competition highlights, and so on. Therefore, the third-generation mobile communication introduces the concept of broadcast / multicast.
  • the so-called broadcast / multicast service refers to: one-to-multipoint unidirectional bearer service. Data is sent from one source entity to multiple receiving entities, and the service is transmitted. The principle is shown in Figure 1. Node 1 is the source entity.
  • Node 1 sends the data to be sent to the receiving entity node 10.
  • node 10 can use the source entity to copy the data into two copies and distribute it to the receiving entity node. 11 and 12; after receiving the data, node 11 then copies the data into two copies as the source entity and distributes it to the receiving entity nodes 111 and 112, and so on.
  • FIG. 2 is a schematic diagram of a wireless network structure supporting broadcast / multicast services.
  • a wireless network structure supporting broadcast / multicast services is broadcast / group.
  • Broadcast service server (BM-SC) 201 BM-SC 201 is connected to the gateway GPRS support node (GGSN, Gateway GPRS Support Node) 202 through the Gmb interface or Gi interface, and one BM-SC 201 can be connected to multiple GGSN 202;
  • GGSN 202 is connected to a serving GPRS support node (SGSN, Serving GPRS Support Node) 203 through a Gn / Gp interface, and one GGSN 202 can be connected to multiple SGSN 203;
  • SGSN 203 can be connected through an Iu interface It is connected to the Universal Mobile Telecommunications System (UMTS) Land Radio Access Network (UTRAN) 204, and then the UTRAN 204 is connected to the user terminal (UE) 206 through the Uu
  • UMTS Universal Mobile Telecommunications System
  • the enhanced radio access network (GERAN) 205 is connected, and then the GERAN 205 is connected to the UE 207 through the Um interface.
  • the broadcast / multicast service server is hereinafter referred to as a broadcast / multicast server, and the broadcast / multicast server may be a new functional entity in an existing wireless communication network, or may be an existing wireless communication network. A functional entity, or a combination of several functional entities.
  • the broadcast / multicast server In a certain area, users who have subscribed to broadcast / multicast services can enjoy the services of broadcast / multicast services. Then, in the broadcast / multicast service, in order to prevent users who have not subscribed to the broadcast / multicast service or have not paid to enjoy the service of the broadcast / multicast service, it is necessary to set only the broadcast / multicast service in the broadcast / multicast service. Keys known to users in the group and broadcast / multicast server. In this case, the broadcast / multicast server not only has the function of providing broadcast / multicast business services, but also has the function of key generation management.
  • the key shared by the broadcast / multicast server and all users in the group can be called the group shared key of the broadcast / multicast service.
  • the broadcast / multicast server sends the shared key to the users in the group.
  • the sending process is performed by the broadcast / multicast server one-to-one with the users in each group, and the shared key is usually encrypted when sending.
  • the users in the group and the broadcast / multicast server perform mutual authentication through authentication and key agreement protocol (AKA). During the mutual authentication process, the users in the group and the broadcast / multicast server generate and possess encryption at the same time.
  • Key (KEK) which is used to encrypt the shared key.
  • the encryption key of each user in the group is unique, that is, the encryption keys owned by the users in the group are different.
  • the broadcast / multicast server uses the encryption key corresponding to the users in each group to encrypt the shared key, and then sends the encrypted shared key to the corresponding users in the group.
  • the corresponding encryption key decrypts the shared key, and finally realizes the key sharing between the broadcast / multicast server and the users in the group.
  • the broadcast / multicast server uses the shared key to encrypt the broadcast / multicast service information and sends it to each user in the group.
  • the users in the group use Use the shared key to decrypt the broadcast / multicast service information, obtain the broadcast / multicast service information, and enjoy the service of the broadcast / multicast service.
  • the update process of the shared key is also performed one-to-one between the broadcast / multicast server and the users in the group.
  • the broadcast / multicast server initiates a shared key update process according to a trigger condition. After the update process is triggered, the broadcast / multicast server sends an updated shared key to each user in the group at the same time.
  • the update process is shown in steps 301 to 303 in FIG. 3. After the broadcast / multicast server updates the shared key, it sends a new key valid message to the user terminal, which indicates that the new shared key is already valid.
  • the user terminal After receiving the new key valid message, it can send a request key message to the broadcast / multicast server to request a new shared key; after receiving the request key message, the broadcast / multicast server sends the corresponding new shared key Send to the user terminal that initiated the request; after the user terminal successfully receives the new shared key, save the shared key and use it later.
  • the step of the broadcast / multicast server sending a new key valid message is optional.
  • the user terminal may send a request key message after receiving the new key valid message, or may actively initiate an update process at any time to send a request key message to the broadcast / multicast server.
  • the premise of actively initiating the update process is: the current user terminal has joined the broadcast / multicast service but does not have a new shared key; or the current user terminal has received some protected content, and these contents are carried out using the new shared key protection.
  • the process shown in Figure 3 is also applicable to a group user who has just joined the broadcast / multicast service. This user does not have a shared key.
  • the shared key currently owned by the broadcast / multicast server is a new shared key for the user.
  • this application is mainly directed to the case where step 301 exists.
  • the update process of the shared key has two points in time: one is the point in time when the new shared key becomes valid, after which the user terminal can apply for a new shared key to the network; The other is the time when the new shared key is enabled by the network.
  • the network uses the new shared key to protect the data, and the user terminal receives the data using the new shared key. If there are a large number of users in the group who can enjoy the broadcast / multicast service, all user terminals will apply to the network for a shared key after receiving a message indicating that the new key is valid. Then, there will be a phenomenon that a large number of user terminals send information to the network at the same time.
  • the broadcast / multicast server will also A large number of users request new shared keys at the same time and cannot be processed in time. How to avoid all user terminals from requesting new shared keys at the same time and try to improve the processing speed of the broadcast / multicast server for user requests has not yet been proposed. Summary of the invention
  • the main object of the present invention is to provide a method for implementing multimedia broadcast / multicast service key distribution, which can enable different users to initiate requests at different times as much as possible, thereby solving a large number of user terminals applying for a shared key from the network at the same time. The resulting network congestion problem.
  • a method for implementing multimedia broadcast / multicast service key distribution includes the following steps:
  • the network side allocates a time T to each group of users, and notifies the corresponding user terminal of the allocated time T;
  • a new key validity message is sent to all users in the group described in step a.
  • Each user terminal that receives the new key validity message starts the timing corresponding to its assigned time T.
  • step b When the timer in step b expires, the user terminal corresponding to the timer sends a request key message to the broadcast / multicast server; after receiving the request key message, the broadcast / multicast server sends the request key message to the user who initiated the request The terminal sends a new shared secret.
  • the message of updating the shared key and issuing a new key valid message on the network side in step b is specifically: the broadcast / multicast server updates the shared key; after that, the broadcast / multicast server proceeds to step a All users in the group issue a new key valid message.
  • step a and step b further includes: each user terminal generates a random number as an additional delay time after receiving the time T allocated to itself; then in step b, the message of receiving a new key valid message The user terminal starts a timer with a length of time T plus an additional delay time.
  • the method further includes: the user terminal corresponding to the timer generates a random number as an additional delay time, and continues to delay the length of the additional delay time to the broadcast / multicast monthly server. Send a request key message.
  • the method further includes: generating a random number as the additional delay time; after the timer expires in step c, after the timer continues to delay, the user terminal sends a broadcast / group to the broadcast / group.
  • the broadcast server sends a message asking for the key.
  • the method further includes: generating a random number as an additional delay time; after the timer expires in step c, and continuing to delay the additional delay time, the user terminal sends a broadcast / multicast to the broadcast / multicast The server sends a request key message.
  • the network side allocates time T to the group user when the group user joins the multimedia broadcast / multicast service; or for the group after the group user joins the multimedia broadcast / multicast service
  • the user allocates time T; or when a shared key is sent to a group user, the group user is allocated time T.
  • the network side allocating time T for users in each group is specifically: the broadcast / multicast server allocates time T for each group user.
  • the value of the time T lies in the length of time from the time when the new shared key is valid to the time when the broadcast / multicast server expects the user group to complete the centralized request for the shared key to work, and from the time when the request is initiated to the time when the user finally gets a new share
  • the difference between the lengths of time required by the keys is uniformly distributed in probability.
  • the time T may be generated by a random function, and sample points of the random function obey a uniform distribution in probability; it may also be generated by a modulo method or a HASH function method.
  • the additional delay time is generated within a time interval T x between the current discrete point to which the user terminal currently initiates and the next discrete point, and obeys the average of [0, ⁇ ⁇ ) in probability. Evenly distributed.
  • the method for implementing multimedia broadcast / multicast service key distribution provided by the present invention is because a timer is assigned to each user in the group, and uniformly-distributed timer values are set according to certain rules.
  • the arrival time of the router further determines the request initiation time of the corresponding user terminal. In this way, after receiving the new shared key valid message, many users in the same group can send the request key message to the network at a uniform and discrete time, thereby avoiding This improves network communication congestion, improves the processing speed of the broadcast / multicast server for user requests, reduces the processing capability requirements of each network node server for sudden services, and saves network costs.
  • Figure 1 is a schematic diagram of the transmission principle of a multicast service
  • Figure 2 is a schematic diagram of a wireless network structure supporting broadcast / multicast services
  • Figure 3 is a schematic flowchart of a shared key update process between a broadcast / multicast server and a group user;
  • FIG. 4 is a flowchart of implementing the method of the present invention.
  • FIG. 5 is a schematic diagram of relationships between various time points involved in the present invention.
  • FIG. 6 is a schematic diagram of the relationship between the discrete time points generated in the method of the present invention
  • FIG. 7 is a schematic diagram of the relationship between the additional delay time and the discrete time point.
  • the core idea of the present invention is: allocate a time to each user in the same group uniformly, and the distribution time of all users is evenly and discretely distributed, and the request initiation time of each user in the group can be further determined according to the allocation time.
  • the users in each group After receiving the message that the new key is valid, the users in each group send a request key message to the broadcast / multicast server at the time of the request initiation. After receiving the request, the broadcast / multicast server sends the request to the corresponding user. Returns the new shared secret.
  • each group The user's assigned time can be counted by a timer or counted by a counter.
  • Step 401 The network allocates a time T to each group user through point-to-point interaction with the group users, and notifies the corresponding time User terminal.
  • the network may be a mobile communication network or a wired communication network.
  • the broadcast / multicast server is used to complete the overall control, the entity that allocates time to each group user in the network is generally the broadcast / multicast server.
  • the broadcast / multicast server completes the time allocation through the point-to-point interaction process with each group user.
  • the broadcast / multicast server can allocate time to the group users in three cases: 1 When a When a group user joins the multimedia broadcast / multicast service; 2 When a group user joins the multimedia broadcast / multicast service; 3 When a shared key is sent to a group user, a new allocation is given to the group user For a time. In the third case, if the group user already has an allocated time, it means that the broadcast / multicast server needs to allocate another time for the group user, in other words, the allocated time can be updated.
  • the selection range of time T allocated to each user in step 401 needs to follow the following guidelines: Assume that from the point in time when the new shared key is valid to the point in time when the broadcast / multicast server wants the user group to complete the centralized request for shared key work The length is TA; the length of time required for a user to initiate a request and finally obtain a new shared key is TB; then, the range of time T should be selected to ensure that T is less than TA minus TB, that is, to ensure that users in the group want to concentrate on the network Get the shared key within the time period for which the shared key was requested. Within this selection range, T should be selected to ensure that the user sends a new shared key request to the network evenly between the two time points, TA and TB.
  • the time T can be generated by the following method:
  • the broadcast / multicast server uses a uniformly distributed random function with a range of [0, TA-TB) to generate the time T, that is, the sample points of the random function are uniformly distributed with probability.
  • the value of T can be continuous or discrete. If it is discrete, the interval between discrete points is fixed. Fixed T x .
  • the broadcast / multicast server generates a specific time ⁇ through a fixed function method, and the time T satisfies a uniform distribution in probability, such as a well-known function such as a modulus method and a HASH function method.
  • Steps 402 to 403 After the broadcast / multicast server updates the shared key, the network sends a new key valid message to all user terminals; after each user terminal receives the new key valid message sent by the network, it starts to act as its own key. A timer corresponding to the allocated time T; when the timer expires, the user terminal sends a request key message to the broadcast / multicast server; the broadcast / multicast server receives the request key cancellation
  • All user terminals mentioned here refer to: all users in the current group, that is, all legal users recorded in the broadcast / multicast server,
  • a random number may also be randomly generated by the user terminal currently initiating the request as the additional delay time T add , then,
  • the user terminal needs to continue to delay T add before sending a request key message to the broadcast / multicast server.
  • T + T add is used as the request initiation time of the user terminal.
  • the starting point of the timing is still the time when the user terminal receives the new key valid message.
  • the T add is generated within a time interval T x from the present discrete point to the next discrete point to which the user terminal belongs, as shown in FIG. 7, that is, the additional delay time T add obeys [0, T x ) in probability. Is uniformly distributed and is generated within the time period to which the user terminal o belongs.
  • the generation time of the T add can have two cases:
  • T add is used as the request initiation time of the user terminal.
  • this situation is further divided into three sub-5 cases: a) When the timer is started, the user terminal generates a random number as an additional delay Time T add ; b) after the timer expires, the user terminal generates a random number as an additional delay time T add ; c) at any time during the timer counting process, the user terminal generates a random number as an additional delay time T add .
  • the user terminal uses T + T add as the user terminal's request initiation time, but due to the additional delay time T add , each time a new key valid message is received It is generated randomly afterwards, so the value of T add is different each time, that is, in this case, the additional delay time T add is variable.
  • FIG. 5 is a schematic diagram of relationships between various time points involved in the present invention.
  • Time point 51 in FIG. 5 is a time point when user i joins a broadcast / multicast service; time point 52 is a time when user j joins a broadcast / group.
  • Time point 53 is the time point when the broadcast / multicast server notifies the user that the new key is valid;
  • Time point 54 is the time point when the user uses the new key;
  • Time point 55 is the user group expected by the broadcast / multicast server The point in time when the group completes the centralized request for shared key work.
  • FIG. 6 is a schematic diagram showing the relationship between discrete time points generated in the method of the present invention.
  • Figure 7 is a schematic diagram of the relationship between the additional delay time and the point of departure.
  • the users refer to users in a group
  • the user terminal refers to a terminal device corresponding to a corresponding group of users.
  • the time T allocated for the user terminal is directly used as the request initiation time of the user terminal, that is, the timer arrives at time D, and the user terminal sends a request key message to the broadcast / multicast server.
  • the specific process of implementing key distribution in this embodiment includes:
  • Step 11 When a user joins the multimedia broadcast / multicast service, the broadcast / multicast server allocates a time T to the user, and notifies the user who has joined the multimedia broadcast / multicast service of the allocated time T, and the user sets the duration for himself Is the timer of T.
  • This time T has the following characteristics: It is assumed that the broadcast / multicast server notifies the user that the new shared key of the group is valid, that is, the user in the group is notified that a key request message can be sent to the broadcast / multicast server
  • the server expects the time interval for the user group to complete the centralized request for shared key work to be TA; the time interval required for user M to initiate a request and broadcast / multicast server to process until user M finally obtains a new shared key is TB; then
  • the selection range of T must be ⁇ ( ⁇ - ⁇ ).
  • the broadcast / multicast server Because the broadcast / multicast server expects that the time when the user group completes the centralized request for the shared key and the time when the user uses the new key may overlap, the above range of values can ensure that all users in the group get the new shared key. The network then uses the new shared secret.
  • user i and user j respectively join the broadcast / multicast service, and the broadcast / multicast server uses a uniform, distributed, random function in the range [0, ⁇ - ⁇ ).
  • the values of Ti and ⁇ can be continuous or discrete. If the time points are discrete, the interval between two adjacent discrete points is fixed as T x , as shown in FIG. 6.
  • Step 12 Continue taking user i and user j as an example.
  • the broadcast / multicast server sends a message that the new key is valid to all users.
  • user i and user j do not immediately send the message to the broadcast / multicast server.
  • a request key message is sent, but the timers corresponding to Ti and ⁇ are immediately triggered.
  • the length of the timer started by user i is ti
  • the length of the timer started by user j is tj.
  • Step 13 User i and user j respectively send a request key message to the broadcast / multicast server to request a new shared key after their respective timers expire; after receiving the request, the broadcast / multicast server respectively sends requests to different The requesting user returned a new shared secret.
  • user i For user i, after the corresponding timer Ti expires, user i sends a broadcast / multicast The server sends a request key message; after receiving the request key message, the broadcast / multicast server interacts with user i and sends the key to user i.
  • user j when the corresponding timer ⁇ expires, user j also sends a request key message to the broadcast / multicast server; after receiving the request key message, the broadcast / multicast server performs a request with user j Interact and send the key to user j.
  • the new Ti or ' ⁇ can be sent by the broadcast / multicast server to the corresponding user i or user j during the above interaction process.
  • the server controls the key request time of all users, and it can adjust the user request time according to the requirement of uniform distribution of users. For any user, because they send the request key message to the broadcast / multicast server at different times, network congestion caused by sending the request key message at the same time can be avoided.
  • Embodiment two Embodiment two:
  • the user terminal currently initiating the request randomly generates an additional delay time T add , and the additional delay time T add is generated after the timer reaches the time T.
  • T + T add is used as the request initiation time of the user terminal, that is, T add is delayed after the timer reaches the time T, and then the user terminal sends a request key message to the broadcast / multicast server.
  • the specific process of implementing key distribution in this embodiment includes:
  • Steps 21 to 22 All descriptions are the same as steps 11 to 12 in the first embodiment.
  • Step 23 After the respective timers expire, the user i and the user j generate a random number as an additional delay time T add , such as T add , i or T add , j, and continue to delay T add , ⁇ T add , j, and then send a request key message to the broadcast / multicast server to request a new shared key; after receiving the request, the broadcast / multicast server returns a new shared key to different requesting users, respectively.
  • T add , i represents the additional delay time of the user i
  • T add , j represents the additional delay time of the user j, as shown in FIG. 7.
  • T add can also be generated by the broadcast / multicast server and sent to the user who currently initiates the request.
  • the additional delay time T add of each user is generated between the present discrete point and the next discrete point. That is, for the user i, T add , i is randomly generated within the time range of Ti + T ⁇ ), and the values of T add , i obey a uniform distribution of 0 ⁇ Ti ⁇ T x in probability. Similarly, for user j, T add , j is randomly generated within the time range of [Tj, Tj + T x ), and the values of T add , j obey a uniform distribution of 0 ⁇ T ⁇ in probability.
  • Example three Example three:
  • the user terminal currently initiating the request randomly generates an additional delay time.
  • T + T add is used as the request initiation time of the user terminal.
  • the value of the timer can be directly set to T + T add .
  • the user terminal sends a request to the broadcast / multicast server. Key message.
  • the specific process of implementing key distribution in this embodiment includes:
  • Step 31 When the user joins the multimedia broadcast / multicast service, the broadcast / multicast server allocates a time T to the user, and notifies the user who joined the multimedia broadcast / multicast service of the allocated time T; the user receives the time After T, a random number is generated randomly as an additional delay time T add ; then, the user sets a timer with a duration of T + T add .
  • the characteristics and generation method of time T are exactly the same as the characteristics and generation method of time T described in step 11 of the first embodiment.
  • the characteristic of the additional delay time T add is exactly the same as that described in step 23 of the second embodiment.
  • Step 32 The broadcast / multicast server sends a message that the new key is valid to all users.
  • the user who received the message does not immediately send a request key message to the broadcast / multicast server, but immediately triggers the timing set by itself. Device.
  • the length of the timer started by the user is T + T add .
  • Step 33 After the timer expires, send a request key message to the broadcast / multicast server to request a new shared key. After receiving the request, the broadcast / multicast server returns a new shared secret to different requesting users. key.
  • the additional delay time is T add , i, then after delay Ti + T add , i, user i sends a request key message to the broadcast / multicast server;
  • the additional delay time is T add , j, after delaying Tj + T add , j, user j sends a request key message to the broadcast / multicast server.

Abstract

A Method for Implementing Multimedia Broadcast Multicast Service Key Distribution. The method comprises: the network side locates a time interval T for each group users, and informs to the corresponding user terminal; the network side distributes the new key valid message after updating the shared key, and the user terminals which have received the new key valid message initiates a timer corresponding to the time interval T; the user terminals send a request key message to the broadcast/multicast server when the timer reaches the point; the broadcast/multicast server distributes the new shared key to the user terminals which have sent request after receiving the request key message. The present method ena~es the different user to send a request at different time point, which solves the network communication blocking problem brought by a large number of user terminals appling the new shared key to the network at the same time.

Description

一种实现多媒体广播 /组播业务密钥分发的方法 技术领域  Method for implementing multimedia broadcast / multicast service key distribution
本发明涉及密钥处理技术,尤指一种实现多媒体广播 /组播业务密钥分 发的方法。 发明背景  The present invention relates to key processing technology, and particularly to a method for implementing key distribution of multimedia broadcast / multicast services. Background of the invention
随着第三代移动通信技术的发展, 第三代移动通信可以提供比第二代 移动通信更高数据速率的服务,从而支持多种业务形式, 比如: 视频电话、 图片下载、 高速浏览 Internet 网络等服务。 其中, 有一类业务的特点是: 能够同时给无线网络中定制了该业务的所有用户进行发送, 比如: 发送天 气预报、 新闻短片、 体育比赛集锦等等。 于是, 第三代移动通信引入了广 播 /组播的概念, 所谓广播 /组播业务是指: 一点到多点的单向承载业务, 数据由一个源实体发送至多个接收实体, 该业务的传输原理如图 1所示, 节点 1为源实体, 节点 1将所要发送的数据发送给接收实体 节点 10; 节 点 10 收到数据后, 可作为源实体将数据复制为两份, 分发给接收实体 节点 11和 12; 节点 11收到数据后, 再作为源实体将数据复制为两份, 分 发给接收实体 节点 111和 112, 以此类推。  With the development of the third-generation mobile communication technology, the third-generation mobile communication can provide higher data rate services than the second-generation mobile communication, thereby supporting a variety of business forms, such as: video calls, image downloads, high-speed Internet browsing And other services. Among them, one type of service is characterized in that it can send to all users who have customized the service in the wireless network at the same time, such as sending weather forecasts, news clips, sports competition highlights, and so on. Therefore, the third-generation mobile communication introduces the concept of broadcast / multicast. The so-called broadcast / multicast service refers to: one-to-multipoint unidirectional bearer service. Data is sent from one source entity to multiple receiving entities, and the service is transmitted. The principle is shown in Figure 1. Node 1 is the source entity. Node 1 sends the data to be sent to the receiving entity node 10. After receiving the data, node 10 can use the source entity to copy the data into two copies and distribute it to the receiving entity node. 11 and 12; after receiving the data, node 11 then copies the data into two copies as the source entity and distributes it to the receiving entity nodes 111 and 112, and so on.
图 2为支持广播 /组播业务的无线网络结构示意图, 如图 2所示, 在现 有第三代合作伙伴计划 (3GPP )框架下, 支持广播 /组播业务的无线网络 结构为广播 /组播业务服务器(BM-SC ) 201 , BM-SC 201通过 Gmb接口 或 Gi接口与关口 GPRS支持节点 ( GGSN, Gateway GPRS Support Node ) 202相连,一个 BM-SC 201可与多个 GGSN 202相连; GGSN 202通过Gn/Gp 接口与服务 GPRS支持节点 (SGSN, Serving GPRS Support Node ) 203相 连, 一个 GGSN 202可与多个 SGSN 203相连; SGSN 203可通过 Iu接口 与通用移动通信系统 (UMTS ) 陆地无线接入网 (UTRAN ) 204相连, 然 后 UTRAN 204通过 Uu接口与用户终端 (UE ) 206相连, SGSN 203也可 通过 Iu/Gb接口与全球移动通信系统(GSM )增强无线接入网 (GERAN ) 205相连, 然后 GERAN 205通过 Um接口与 UE 207相连。 这里, 所述广 播 /组播业务服务器以下简称为广播 /组播服务器, 该广播 /组播服务器可以 是在现有无线通信网络中新增的功能实体, 也可以是现有无线通信网络中 的某个功能实体、 或某几个功能实体的组合。 FIG. 2 is a schematic diagram of a wireless network structure supporting broadcast / multicast services. As shown in FIG. 2, under the existing 3rd Generation Partnership Project (3GPP) framework, a wireless network structure supporting broadcast / multicast services is broadcast / group. Broadcast service server (BM-SC) 201, BM-SC 201 is connected to the gateway GPRS support node (GGSN, Gateway GPRS Support Node) 202 through the Gmb interface or Gi interface, and one BM-SC 201 can be connected to multiple GGSN 202; GGSN 202 is connected to a serving GPRS support node (SGSN, Serving GPRS Support Node) 203 through a Gn / Gp interface, and one GGSN 202 can be connected to multiple SGSN 203; SGSN 203 can be connected through an Iu interface It is connected to the Universal Mobile Telecommunications System (UMTS) Land Radio Access Network (UTRAN) 204, and then the UTRAN 204 is connected to the user terminal (UE) 206 through the Uu interface. ) The enhanced radio access network (GERAN) 205 is connected, and then the GERAN 205 is connected to the UE 207 through the Um interface. Herein, the broadcast / multicast service server is hereinafter referred to as a broadcast / multicast server, and the broadcast / multicast server may be a new functional entity in an existing wireless communication network, or may be an existing wireless communication network. A functional entity, or a combination of several functional entities.
在一定区域内 , 已订阅广播 /组播业务的用户能够享受广播 /组播业务 的服务。 那么, 在广播 /组播业务中, 为防止没有订阅广播 /组播业务或未 付费的用户享受到广播 /组播业务的服务, 就需要在广播 /组播业务中设置 只有广播 /组播业务群组内用户和广播 /组播服务器知道的密钥。 这种情况 下, 广播 /组播服务器不仅具有提供广播 /组播业务服务的功能, 还同时具 有密钥生成管理的功能。  In a certain area, users who have subscribed to broadcast / multicast services can enjoy the services of broadcast / multicast services. Then, in the broadcast / multicast service, in order to prevent users who have not subscribed to the broadcast / multicast service or have not paid to enjoy the service of the broadcast / multicast service, it is necessary to set only the broadcast / multicast service in the broadcast / multicast service. Keys known to users in the group and broadcast / multicast server. In this case, the broadcast / multicast server not only has the function of providing broadcast / multicast business services, but also has the function of key generation management.
广播 /组播服务器和群组内所有用户共享设置的密钥, 可称之为广播 / 组播业务的群组共享密钥, 广播 /组播服务器向群组内用户发送该共享密 钥, 该发送过程是广播 /组播服务器与每个群组内用户一对一进行的, 且发 送时通常要对该無享密钥加密。群组内用户和广播 /组播服务器之间通过鉴 权和密钥协商协议(AKA )进行互鉴权, 在互鉴权过程中, 群组内用户和 广播 /组播服务器同时生成并拥有加密密钥 (KEK ), 该加密密钥用来对共 享密钥进行加密。 群组内每个用户的加密密钥是唯一的, 即: 群组内用户 拥有的加密密钥各不相同。广播 /组播服务器采用与每个群组内用户相对应 的加密密钥加密共享密钥, 再将经过加密的共享密钥发送给相应的群組内 用户,.该群组内用.户使用相应的加密密钥对共享密钥解密, 最终实现广播 /組播服务器与群组内用户之间的密钥共享。 之后, 广播 /组播服务器使用 共'享密钥加密广播 /组播业务信息, 发送给群组内每个用户, 群组内用户使 用共享密钥解密广播 /组播业务信息, 获取广播 /组播业务信息, 享受广播 / 组播业务的服务。 The key shared by the broadcast / multicast server and all users in the group can be called the group shared key of the broadcast / multicast service. The broadcast / multicast server sends the shared key to the users in the group. The sending process is performed by the broadcast / multicast server one-to-one with the users in each group, and the shared key is usually encrypted when sending. The users in the group and the broadcast / multicast server perform mutual authentication through authentication and key agreement protocol (AKA). During the mutual authentication process, the users in the group and the broadcast / multicast server generate and possess encryption at the same time. Key (KEK), which is used to encrypt the shared key. The encryption key of each user in the group is unique, that is, the encryption keys owned by the users in the group are different. The broadcast / multicast server uses the encryption key corresponding to the users in each group to encrypt the shared key, and then sends the encrypted shared key to the corresponding users in the group. The corresponding encryption key decrypts the shared key, and finally realizes the key sharing between the broadcast / multicast server and the users in the group. After that, the broadcast / multicast server uses the shared key to encrypt the broadcast / multicast service information and sends it to each user in the group. The users in the group use Use the shared key to decrypt the broadcast / multicast service information, obtain the broadcast / multicast service information, and enjoy the service of the broadcast / multicast service.
为防止群组外的用户享受广播 /组播业务, 共享密钥需要经常更新, 共 享密钥的更新过程也是广播 /组播服务器和群组内用户间一对一进行的。一 般, 广播 /组播服务器根据触发条件发起共享密钥的更新过程, 触发更新过 程后, 广播 /组播服务器向群组内每个用户同时发送更新后的共享密钥。 该 更新过程如图 3中的步骤 301〜303所示,当广播 /组播服务器更新共享密钥 后, 向用户终端发送新密钥有效消息,该消息表示新的共享密钥已经有效; 用户终端收到新密钥有效消息后,可以向广播 /组播服务器发送请求密钥消 息, 请求一个新的共享密钥; 广播 /组播服务器收到请求密钥消息后, 将相 应的新共享密钥发送给发起请求的用户终端; 所述用户终端成功收到新的 共享密钥后, 将该共享密钥进行保存并在以后使用。  To prevent users outside the group from enjoying the broadcast / multicast service, the shared key needs to be updated frequently. The update process of the shared key is also performed one-to-one between the broadcast / multicast server and the users in the group. Generally, the broadcast / multicast server initiates a shared key update process according to a trigger condition. After the update process is triggered, the broadcast / multicast server sends an updated shared key to each user in the group at the same time. The update process is shown in steps 301 to 303 in FIG. 3. After the broadcast / multicast server updates the shared key, it sends a new key valid message to the user terminal, which indicates that the new shared key is already valid. The user terminal After receiving the new key valid message, it can send a request key message to the broadcast / multicast server to request a new shared key; after receiving the request key message, the broadcast / multicast server sends the corresponding new shared key Send to the user terminal that initiated the request; after the user terminal successfully receives the new shared key, save the shared key and use it later.
在图 3所示过程中, 广播 /组播服务器发出新密钥有效消息的步骤, 即 步骤 301是可选的。 用户终端可以在收到新密钥有效消息后发送请求密钥 消息, 也可以随时主动发起更新流程, 向广播 /组播服务器发送请求密钥消 息。 主动发起更新流程的前提是: 当前用户终端已经加入该广播 /组播业务 但没有新的共享密钥; 或者是当前用户终端已收到一些受保护的内容, 这 些内容使用新共享密钥进行了保护。 图 3所示过程同样适用于刚加入广播 /组播业务的群组用户, 该用户没有共享密钥, 广播 /组播服务器当前所拥 有的共享密钥对该用户而言就是新共享密钥。 但本申请主要针对的是步骤 301存在的情况。  In the process shown in FIG. 3, the step of the broadcast / multicast server sending a new key valid message, that is, step 301 is optional. The user terminal may send a request key message after receiving the new key valid message, or may actively initiate an update process at any time to send a request key message to the broadcast / multicast server. The premise of actively initiating the update process is: the current user terminal has joined the broadcast / multicast service but does not have a new shared key; or the current user terminal has received some protected content, and these contents are carried out using the new shared key protection. The process shown in Figure 3 is also applicable to a group user who has just joined the broadcast / multicast service. This user does not have a shared key. The shared key currently owned by the broadcast / multicast server is a new shared key for the user. However, this application is mainly directed to the case where step 301 exists.
从上述过程可以看出, 共享密钥的更新过程有两个时间点: 一个是新 共享密钥变为有效的时间点, 在该时间点后, 用户终端可以向网络申请新 的共享密钥; 另一个是网络启用新共享密钥的时间点, 该时间点以后, 网 络使用新共享密钥对数据进行保护, 用户终端使用新共享密钥接收数据。 如果群组内存在大量可享受广播 /组播业务服务的用户,所有用户终端 在收到表示新密钥有效的消息后, 都会向网络申请共享密钥。 那么, 就会 出现大量用户终端同时向网络发送信息的现象, 如此会导致无线通信网络 中的信息量在瞬间激增, 使无线通信网络的通信受到阻塞; 同时, 广播 / 组播服务器也会因为有大量用户同时请求新共享密钥而导致不能及时处 理。 如何能尽量避免所有用户终端同时请求新共享密钥, 提高广播 /组播服 务器对用户请求的处理速度, 目前还未提出有效的解决方案。 发明内容 It can be seen from the above process that the update process of the shared key has two points in time: one is the point in time when the new shared key becomes valid, after which the user terminal can apply for a new shared key to the network; The other is the time when the new shared key is enabled by the network. After this point in time, the network uses the new shared key to protect the data, and the user terminal receives the data using the new shared key. If there are a large number of users in the group who can enjoy the broadcast / multicast service, all user terminals will apply to the network for a shared key after receiving a message indicating that the new key is valid. Then, there will be a phenomenon that a large number of user terminals send information to the network at the same time. This will cause the amount of information in the wireless communication network to increase rapidly and block the communication of the wireless communication network. At the same time, the broadcast / multicast server will also A large number of users request new shared keys at the same time and cannot be processed in time. How to avoid all user terminals from requesting new shared keys at the same time and try to improve the processing speed of the broadcast / multicast server for user requests has not yet been proposed. Summary of the invention
有鉴于此,本发明的主要目的在于提供一种实现多媒体广播 /组播业务 密钥分发的方法, 可使不同用户尽量在不同时刻发起请求, 从而解决了大 量用户终端同时向网络申请共享密钥而产生的网络通信拥塞问题。  In view of this, the main object of the present invention is to provide a method for implementing multimedia broadcast / multicast service key distribution, which can enable different users to initiate requests at different times as much as possible, thereby solving a large number of user terminals applying for a shared key from the network at the same time. The resulting network congestion problem.
为达到上述目的, 本发明的技术方案是这样实现的:  To achieve the above object, the technical solution of the present invention is implemented as follows:
一种实现多媒体广播 /组播业务密钥分发的方法, 该方法包括以下步 骤:  A method for implementing multimedia broadcast / multicast service key distribution. The method includes the following steps:
a. 网绛侧为每个群組用户分配一个时间 T, 并将所分配的时间 T通知 相应的用户终端; .  a. The network side allocates a time T to each group of users, and notifies the corresponding user terminal of the allocated time T;
b. 网络侧更新共享密钥后向步驟 a所述群组内所有用户下发新密钥有 效消息, 每个收到新密钥有效消息的用户终端, 启动为自身所分配时间 T 对应的定时器;  b. After the network side updates the shared key, a new key validity message is sent to all users in the group described in step a. Each user terminal that receives the new key validity message starts the timing corresponding to its assigned time T. Device
' c 当步骤 b所述定时器到时后,该定时器对应的用户终端向广播 /组播 服务器发送请求密钥消息; 广播 /组播服务器收到请求密钥消息后, 向发起 请求的用户终端发送新共享密钥。  'c When the timer in step b expires, the user terminal corresponding to the timer sends a request key message to the broadcast / multicast server; after receiving the request key message, the broadcast / multicast server sends the request key message to the user who initiated the request The terminal sends a new shared secret.
上述方案中, 步骤 b所述网络侧更新共享密钥及下发新密钥有效消息 具体为: 广播 /组播服务器更新共享密钥; 之后, 广播 /组播服务器向步骤 a 所述群组内所有用户下发新密钥有效消息。 In the above solution, the message of updating the shared key and issuing a new key valid message on the network side in step b is specifically: the broadcast / multicast server updates the shared key; after that, the broadcast / multicast server proceeds to step a All users in the group issue a new key valid message.
上述方案中, 步骤 a与步骤 b之间进一步包括: 每个用户终端收到分 配给自身的时间 T后, 产生一随机数作为附加延迟时间; 则步骤 b中, 收 到新密钥有效消息的用户终端, 启动时间长度为时间 T加附加延迟时间的 定时器。 或者, 步骤 c中定时器到时后, 进一步包括: 该定时器对应的用 户终端产生一随机数作为附加延迟时间, 并继续延迟附加延迟时间的时长 后, 再向广播 /组播月良务器发送请求密钥消息。 或者, 步驟 b用户终端启动 定时器的同时, 进一步包括: 产生一随机数作为附加延迟时间; 则步骤 c 中定时器到时后, 继续延迟附加延迟时间的时长后, 用户终端再向广播 / 组播服务器发送清求密钥消息。 或者, 步骤 b用户终端启动定时器后, 进 一步包括: 产生一随机数作为附加延迟时间; 则步骤 c中定时器到时后, 继续延迟附加延迟时间的时长后,用户终端再向广播 /组播服务器发送请求 密钥消息。  In the above solution, between step a and step b further includes: each user terminal generates a random number as an additional delay time after receiving the time T allocated to itself; then in step b, the message of receiving a new key valid message The user terminal starts a timer with a length of time T plus an additional delay time. Alternatively, after the timer expires in step c, the method further includes: the user terminal corresponding to the timer generates a random number as an additional delay time, and continues to delay the length of the additional delay time to the broadcast / multicast monthly server. Send a request key message. Alternatively, when the user terminal starts the timer in step b, the method further includes: generating a random number as the additional delay time; after the timer expires in step c, after the timer continues to delay, the user terminal sends a broadcast / group to the broadcast / group. The broadcast server sends a message asking for the key. Alternatively, after the user terminal starts the timer in step b, the method further includes: generating a random number as an additional delay time; after the timer expires in step c, and continuing to delay the additional delay time, the user terminal sends a broadcast / multicast to the broadcast / multicast The server sends a request key message.
上述几种方棄中,所述网络侧在群组用户加入多媒体广播 /组播业务时 为该群组用户分^时间 T; 或在群组用户加入多媒体广播 /组播业务后为该 群组用户分配时间 T; 或在向群组用户发送共享密钥时为该群组用户分配 时间 T。 其中, 所述网络侧为每个群组内用户分配时间 Τ具体为: 广播 / 组播服务器为每个群组用户分配时间 Τ。  Among the foregoing parties, the network side allocates time T to the group user when the group user joins the multimedia broadcast / multicast service; or for the group after the group user joins the multimedia broadcast / multicast service The user allocates time T; or when a shared key is sent to a group user, the group user is allocated time T. Wherein, the network side allocating time T for users in each group is specifically: the broadcast / multicast server allocates time T for each group user.
其中, 所述时间 Τ的值位于: 从新共享密钥有效时间点到广播 /组播服 务器期望用户群组完成集中请求共享密钥工作时间点的时间长度, 与用户 从发起请求到最终得到新共享密钥需要的时间长度差值之间, 且在概率上 满足均匀分布。 所述时间 Τ可以通过随机函数产生, 该随机函数的样本点 在概率上服从均匀分布; 也可以通过取模法、 或 HASH函数法产生。  Wherein, the value of the time T lies in the length of time from the time when the new shared key is valid to the time when the broadcast / multicast server expects the user group to complete the centralized request for the shared key to work, and from the time when the request is initiated to the time when the user finally gets a new share The difference between the lengths of time required by the keys is uniformly distributed in probability. The time T may be generated by a random function, and sample points of the random function obey a uniform distribution in probability; it may also be generated by a modulo method or a HASH function method.
上述方案中, 所述附加延迟时间在当前发起请求用户终端所属的当前 离散点与下一离散点的时间间隔 Tx内产生, 且在概率上服从 [0, Τχ ) 的均 匀分布。 In the above scheme, the additional delay time is generated within a time interval T x between the current discrete point to which the user terminal currently initiates and the next discrete point, and obeys the average of [0, Τ χ ) in probability. Evenly distributed.
本发明所提供的实现多媒体广播 /组播业务密钥分发的方法,由于为群 组内的每个用户都分配一个定时器, 并根据一定规则统一设置服从均匀分 布的定时器的值, 根据定时器到达时刻进一步确定对应用户终端的请求发 起时刻,如此,可使同一群组内的众多用户在收到新共享密钥有效消息后, 以均匀离散的时刻向网络发送请求密钥消息, 从而避免了网络通信的拥 塞, 提高了广播 /组播服务器对用户请求的处理速度, 降低了各个网络节点 服务器对突发性业务的处理能力要求, 节约了网络成本。 附图简要说明  The method for implementing multimedia broadcast / multicast service key distribution provided by the present invention is because a timer is assigned to each user in the group, and uniformly-distributed timer values are set according to certain rules. The arrival time of the router further determines the request initiation time of the corresponding user terminal. In this way, after receiving the new shared key valid message, many users in the same group can send the request key message to the network at a uniform and discrete time, thereby avoiding This improves network communication congestion, improves the processing speed of the broadcast / multicast server for user requests, reduces the processing capability requirements of each network node server for sudden services, and saves network costs. Brief description of the drawings
图 1为组播业务的传输原理示意图;  Figure 1 is a schematic diagram of the transmission principle of a multicast service;
图 2为支持广播 /组播业务的无线网络结构示意图;  Figure 2 is a schematic diagram of a wireless network structure supporting broadcast / multicast services;
图 3 为广播 /组播服务器与群组用户之间共享密钥更新过程的流程示 意图;  Figure 3 is a schematic flowchart of a shared key update process between a broadcast / multicast server and a group user;
图 4为本发明方法的实现流程图;  FIG. 4 is a flowchart of implementing the method of the present invention;
图 5·为本发明中所涉及的各种时间点之间的关系示意图;  FIG. 5 is a schematic diagram of relationships between various time points involved in the present invention;
图 6为本发明方法中所产生的离散时间点之间的关系示意图; 图 7为附加延迟时间与离散时间点之间的关系示意图。 实施本发明的方式  FIG. 6 is a schematic diagram of the relationship between the discrete time points generated in the method of the present invention; FIG. 7 is a schematic diagram of the relationship between the additional delay time and the discrete time point. Mode of Carrying Out the Invention
本发明的核心思想是: 统一为同一群组内的每个用户分配一个时间, 所有用户的分配时间均匀离散分布, 根据该分配时间可进一步确定群组内 每个用户的请求发起时间。 每个群组内用户收到新密钥有效的消息后, 分 别在属于自己的请求发起时间向广播 /组播服务器发送请求密钥消息,广播 /組播服务器收到请求后, 向相应的用户返回新共享密钥。 这里, 每个群组 用户的分配时间可由定时器计时, 也可以由计数器计数得到。 The core idea of the present invention is: allocate a time to each user in the same group uniformly, and the distribution time of all users is evenly and discretely distributed, and the request initiation time of each user in the group can be further determined according to the allocation time. After receiving the message that the new key is valid, the users in each group send a request key message to the broadcast / multicast server at the time of the request initiation. After receiving the request, the broadcast / multicast server sends the request to the corresponding user. Returns the new shared secret. Here, each group The user's assigned time can be counted by a timer or counted by a counter.
本发明实现密钥分发的方法, 如图 4所示, 具体包括以下步驟: 步骤 401: 网络通过与群组用户的点到点交互, 分别为每个群组用户 分配一个时间 T, 并通知相应的用户终端。 As shown in FIG. 4 , the method for implementing key distribution according to the present invention specifically includes the following steps: Step 401: The network allocates a time T to each group user through point-to-point interaction with the group users, and notifies the corresponding time User terminal.
这里, 所述网络可以是移动通信网络, 也可以是有线通信网。 由于广 播 /组播服务器是用来完成整体控制的, 因此, 网络中给每个群组用户分配 时间的实体一般就是广播 /组播服务器。 广播 /組播服务器通过与每个群组 用户的点到点交互过程完成时间的分配, 其中, 广播 /组播月良务器可以在三 种情况下给群组用户分配时间: ①当某个群组用户加入多媒体广播 /組播业 务时; ②当某个群組用户加入多媒体广播 /組播业务后; ③将共享密钥发送 给某个群组用户的同时,给该群组用户新分配一个时间。对于第三种情况, 如果该群组用户已拥有一个分配时间,就说明广播 /组播服务器要重新为该 群组用户分配一个时间, 换句话说, 分配时间是可以更新的。  Here, the network may be a mobile communication network or a wired communication network. Because the broadcast / multicast server is used to complete the overall control, the entity that allocates time to each group user in the network is generally the broadcast / multicast server. The broadcast / multicast server completes the time allocation through the point-to-point interaction process with each group user. The broadcast / multicast server can allocate time to the group users in three cases: ① When a When a group user joins the multimedia broadcast / multicast service; ② When a group user joins the multimedia broadcast / multicast service; ③ When a shared key is sent to a group user, a new allocation is given to the group user For a time. In the third case, if the group user already has an allocated time, it means that the broadcast / multicast server needs to allocate another time for the group user, in other words, the allocated time can be updated.
对于步骤 401 中给每个用户分配的时间 T选择范围需要遵循如下准 则: 假定从新共享密钥有效的时间点, 到广播 /组播服务器希望用户群组完 成集中请求共享密钥工作的时间点的长度为 TA; 用户从发起请求到最终 得到新共享密钥需要的时间长度为 TB;那么,时间 T的选择范围要保证 T 小于 TA减去 TB, 即: 保证群组中的用户在网络希望集中请求共享密钥的 时间段内获得共享密钥。 在此选择范围内, T的选择要保证用户在两个时 间点 TA和 TB间均匀的向网络发起新共享密钥请求。  The selection range of time T allocated to each user in step 401 needs to follow the following guidelines: Assume that from the point in time when the new shared key is valid to the point in time when the broadcast / multicast server wants the user group to complete the centralized request for shared key work The length is TA; the length of time required for a user to initiate a request and finally obtain a new shared key is TB; then, the range of time T should be selected to ensure that T is less than TA minus TB, that is, to ensure that users in the group want to concentrate on the network Get the shared key within the time period for which the shared key was requested. Within this selection range, T should be selected to ensure that the user sends a new shared key request to the network evenly between the two time points, TA and TB.
为保证群组内用户均匀的向网络发起新共享密钥请求消息, 可通过如 下方法产生时间 T:  To ensure that users in the group evenly initiate new shared key request messages to the network, the time T can be generated by the following method:
广播 /组播服务器使用服从均匀分布的、范围是 [0, TA-TB )的随机函数 产生时间 T, 也就是说, 随机函数的样本点在概率上服从均匀分布。 T的 取值可以是连续的, 也可以是离散的, 如果是离散的, 离散点的间隔是固 定的 Tx。 或者, 广播 /组播服务器通过固定函数的方法产生具体的时间 τ, 该时间 Τ满足在概率上分布均匀,比如取模法、 HASH函数法等公知函数。 举个例子, 取模法可表示为: T= ( N mod a ) * ( TA-TB ) /a, 其中, N为 当前用户终端加入多媒体广播 /组播业务的顺序号, a为将 TA减 TB之差 5 均匀划分的时间段总数。 The broadcast / multicast server uses a uniformly distributed random function with a range of [0, TA-TB) to generate the time T, that is, the sample points of the random function are uniformly distributed with probability. The value of T can be continuous or discrete. If it is discrete, the interval between discrete points is fixed. Fixed T x . Alternatively, the broadcast / multicast server generates a specific time τ through a fixed function method, and the time T satisfies a uniform distribution in probability, such as a well-known function such as a modulus method and a HASH function method. For example, the modulo method can be expressed as: T = (N mod a) * (TA-TB) / a, where N is the sequence number of the current user terminal to join the multimedia broadcast / multicast service, and a is the subtraction of TA TB difference 5 Total number of evenly divided time periods.
步骤 402~403: 当广播 /组播服务器更新共享密钥后, 网络向所有用户 终端下发新密钥有效消息; 每个用户终端收到网絡发送的新密钥有效消息 后, 启动为自身所分配时间 T对应的定时器; 当定时器到时后, 用户终端 向广播 /组播服务器发送请求密钥消息; 广播 /组播服务器收到请求密钥消 Steps 402 to 403: After the broadcast / multicast server updates the shared key, the network sends a new key valid message to all user terminals; after each user terminal receives the new key valid message sent by the network, it starts to act as its own key. A timer corresponding to the allocated time T; when the timer expires, the user terminal sends a request key message to the broadcast / multicast server; the broadcast / multicast server receives the request key cancellation
10 息后, 向发起请求的用户终端发送新共享密钥。 这里所述的所有用户终端 是指:当前群组中的所有用户,即广播 /组播服务器中记录的所有合法用户,After the message is sent, send a new shared key to the user terminal that initiated the request. All user terminals mentioned here refer to: all users in the current group, that is, all legal users recorded in the broadcast / multicast server,
:. 这些用户中不包括刚离开网络的用户等非法用户。 :. These users do not include illegal users such as users who have just left the network.
为了更好地保证每个群组用户请求发起时间的离散性, 还可以由当前 发起请求的用户终端随机产生一个随机数, 作为附加延迟时间 Tadd, 那么,In order to better ensure the discreteness of the request initiation time of each group of users, a random number may also be randomly generated by the user terminal currently initiating the request as the additional delay time T add , then,
15 用户终端需要继续延迟 Tadd后, 再向广播 /组播服务器发送请求密钥消息。 15 The user terminal needs to continue to delay T add before sending a request key message to the broadcast / multicast server.
实际上, 就是将 T+Tadd作为该用户终端的请求发起时刻, 当然, 计时的起 始点依然是 用户终端收到新密钥有效消息的时刻。 该 Tadd在该用户终端 所属的本离散点到下一离散点的时间间隔 Tx内产生,如图 7所示,也就是 说, 附加延迟时间 Tadd在概率上服从 [0, Tx )的均匀分布, 且在该用户终端 o 所属的时间段内产生。 该 Tadd的产生时间可以有两种情况: In fact, T + T add is used as the request initiation time of the user terminal. Of course, the starting point of the timing is still the time when the user terminal receives the new key valid message. The T add is generated within a time interval T x from the present discrete point to the next discrete point to which the user terminal belongs, as shown in FIG. 7, that is, the additional delay time T add obeys [0, T x ) in probability. Is uniformly distributed and is generated within the time period to which the user terminal o belongs. The generation time of the T add can have two cases:
1 )在网络给每个群组用户统一分配时间 T的同时, 即: 用户终端收 : 到给自身分配的时间 T后, 就产生一个固定的附加延迟时间 Tadd, 以后每 次都直接将 T+ Tadd作为该用户终端的请求发起时刻。 1) While the network uniformly allocates time T to each group of users, that is, the user terminal receives: After the time T allocated to itself, a fixed additional delay time T add is generated, and T + is directly added each time thereafter. T add is used as the request initiation time of the user terminal.
2 )在用户终端收到新密钥有效消息后, 该情况又进一步分为三种子 5 情况: a )在启动定时器的同时, 该用户终端产生一个随机数作为附加延迟 时间 Tadd; b )在定时器到时后, 该用户终端产生一个随机数作为附加延迟 时间 Tadd; c )在定时器计时过程中的任意时刻, 该用户终端产生一个随机 数作为附加延迟时间 Tadd。 对于 a、 b、 c三种子情况, 该用户终端在本次 都是以 T+Tadd作为该用户终端的请求发起时刻, 但由于附加延迟时间 Tadd 是在每次收到新密钥有效消息后随机产生的,所以每次 Tadd的值是不同的, 也就是说, 在这种情况下, 附加延迟时间 Tadd是可变的。 2) After the user terminal receives the new key valid message, this situation is further divided into three sub-5 cases: a) When the timer is started, the user terminal generates a random number as an additional delay Time T add ; b) after the timer expires, the user terminal generates a random number as an additional delay time T add ; c) at any time during the timer counting process, the user terminal generates a random number as an additional delay time T add . For the three sub-cases a, b, and c, the user terminal uses T + T add as the user terminal's request initiation time, but due to the additional delay time T add , each time a new key valid message is received It is generated randomly afterwards, so the value of T add is different each time, that is, in this case, the additional delay time T add is variable.
下面再参见图 5〜图 7,配合具体实施例对本发明作进一步详细的说明。 其中, 图 5为本发明中所涉及的各种时间点之间的关系示意图, 图 5中时 间点 51为用户 i加入广播 /组播业务的时间点; 时间点 52为用户 j加入广 播 /组播业务的时间点; 时间点 53为广播 /组播服务器通知用户新密钥有效 的时间点; 时间点 54为用户使用新密钥的时间点; 时间点 55为广播 /组播 服务器期望用户群组完成集中请求共享密钥工作的时间点。 图 6为本发明 方法中所产生的离散时间点之间的关系示意图。 图 7为附加延迟时间与离 散时间点之间的关系示意图。 以下实施例中, 所述的用户均是指群组内用 户, 所述用户终端指相应群组用户对应的终端设备。 实施例一:  5-7, the present invention will be further described in detail with reference to specific embodiments. Among them, FIG. 5 is a schematic diagram of relationships between various time points involved in the present invention. Time point 51 in FIG. 5 is a time point when user i joins a broadcast / multicast service; time point 52 is a time when user j joins a broadcast / group. Time point of the broadcast service; Time point 53 is the time point when the broadcast / multicast server notifies the user that the new key is valid; Time point 54 is the time point when the user uses the new key; Time point 55 is the user group expected by the broadcast / multicast server The point in time when the group completes the centralized request for shared key work. FIG. 6 is a schematic diagram showing the relationship between discrete time points generated in the method of the present invention. Figure 7 is a schematic diagram of the relationship between the additional delay time and the point of departure. In the following embodiments, the users refer to users in a group, and the user terminal refers to a terminal device corresponding to a corresponding group of users. Embodiment one:
本实施例中, 直接将为用户终端分配的时间 T作为该用户终端的请求 发起时刻, 即: 定时器到达时间丁, 该用户终端就向广播 /组播服务器发送 请求密钥消息。 那么, 本实施例实现密钥分发的具体过程包括:  In this embodiment, the time T allocated for the user terminal is directly used as the request initiation time of the user terminal, that is, the timer arrives at time D, and the user terminal sends a request key message to the broadcast / multicast server. Then, the specific process of implementing key distribution in this embodiment includes:
步骤 11 : 当用户加入多媒体广播 /组播业务时, 广播 /组播服务器给该 用户分配一个时间 T,并将所分配的时间 Τ通知加入多媒体广播 /組播业务 的用户, 用户在自身设置时长为 Τ的定时器。  Step 11: When a user joins the multimedia broadcast / multicast service, the broadcast / multicast server allocates a time T to the user, and notifies the user who has joined the multimedia broadcast / multicast service of the allocated time T, and the user sets the duration for himself Is the timer of T.
该时间 Τ具有以下特征:假定从广播 /组播服务器通知用户群组新共享 密钥已经有效, 即通知群组内用户可以发送请求密钥消息, 到广播 /组播服 务器希望用户群组完成集中请求共享密钥工作的时间间隔为 TA; 用户 M 从发起请求、 广播 /组播服务器进行处理, 到用户 M最终得到新共享密钥 需要的时间间隔为 TB; 那么, T的选择范围要保证 ^^ (^ -^)。 因为, 广 播 /组播服务器希望用户群組完成集中请求共享密钥工作的时间点与用户 使用新密钥时间点可能重合, 所以上述取值范围可以保证所有群组内用户 在得到新共享密钥后, 网络才使用新共享密钥。 This time T has the following characteristics: It is assumed that the broadcast / multicast server notifies the user that the new shared key of the group is valid, that is, the user in the group is notified that a key request message can be sent to the broadcast / multicast server The server expects the time interval for the user group to complete the centralized request for shared key work to be TA; the time interval required for user M to initiate a request and broadcast / multicast server to process until user M finally obtains a new shared key is TB; then The selection range of T must be ^^ (^-^). Because the broadcast / multicast server expects that the time when the user group completes the centralized request for the shared key and the time when the user uses the new key may overlap, the above range of values can ensure that all users in the group get the new shared key. The network then uses the new shared secret.
举个例子来说, 用户 i和用户 j分别加入广播 /组播业务, 广播 /组播服 务器使用服从均匀.分布, 范围是 [Ο, ΤΑ-ΤΒ ) 的随机函数给用户 i分配的时 间为 Ti, Ti = ti, 给用户 j分配的时间为 Tj, Tj = 。 Ti和 η的取值可以是 连续的, 也可以是离散的, 如果时间点是离散的, 则两个相邻离散点间的 间隔固定为 Tx, 如图 6所示。 For example, user i and user j respectively join the broadcast / multicast service, and the broadcast / multicast server uses a uniform, distributed, random function in the range [0, ΤΑ-ΤΒ). The time allocated to user i is Ti , Ti = ti, the time allocated to user j is Tj, Tj =. The values of Ti and η can be continuous or discrete. If the time points are discrete, the interval between two adjacent discrete points is fixed as T x , as shown in FIG. 6.
广播 /组播服务器也可以使用固定函数为用户 i和用户 j分配时间, 例 如采用取模的方法: 广播 /组播服务器把时间段 [0,TA-TB )均分为 100个时 间段, 即每个时间段 Tx的长度为 (ΤΑ-ΤΒ ) 7100。 那么, 如果用户 i是第 89个加入的用户、 用户 j是第 2392个加入的用户, 则 T ( 89 mod 100 ) * ( TA-TB ) /100= ( TA-TB ) *89/100;
Figure imgf000012_0001
( 2392 mod 100 ) * ( TA-TB ) /100= ( TA-TB ) *92/100。 The broadcast / multicast server can also use a fixed function to allocate time for user i and user j. For example, using a modulo method: The broadcast / multicast server divides the time period [0, TA-TB) into 100 time periods, that is, The length of each time period T x is (TA-TB) 7100. Then, if user i is the 89th joined user and user j is the 2392th joined user, then T (89 mod 100) * (TA-TB) / 100 = (TA-TB) * 89/100;
Figure imgf000012_0001
(2392 mod 100) * (TA-TB) / 100 = (TA-TB) * 92/100.
步骤 12: 继续以用户 i和用户 j为例, 广播 /组播服务器向所有用户下 发新密钥有效的消息, 用户 i和用户 j收到该消息后, 并不马上向广播 /组 播服务器发送请求密钥消息, 而是立即触发 Ti和 η对应的定时器。 这里, 用户 i启动的定时器的时间长度为 ti,用户 j启动的定时器的时间长度为 tj。  Step 12: Continue taking user i and user j as an example. The broadcast / multicast server sends a message that the new key is valid to all users. After receiving the message, user i and user j do not immediately send the message to the broadcast / multicast server. A request key message is sent, but the timers corresponding to Ti and η are immediately triggered. Here, the length of the timer started by user i is ti, and the length of the timer started by user j is tj.
步骤 13: 用户 i和用户 j分别在各自的定时器到时后, 向广播 /組播服 务器发送请求密钥消息,请求新的共享密钥;广播 /组播服务器收到请求后, 分别向不同的请求用户返回新的共享密钥。  Step 13: User i and user j respectively send a request key message to the broadcast / multicast server to request a new shared key after their respective timers expire; after receiving the request, the broadcast / multicast server respectively sends requests to different The requesting user returned a new shared secret.
对于用户 i而言, 所对应的定时器 Ti到时后, 用户 i会向广播 /组播月艮 务器发送请求密钥消息; 广播 /组播服务器收到该请求密钥消息后, 与用户 i进行交互, 将密钥发送给用户 i。 同样, 对于用户 j , 所对应的定时器 η 到时后, 用户 j也会向广播 /組播服务器发送请求密钥消息; 广播 /组播服务 器收到该请求密钥消息后, 与用户 j进行交互, 将密钥发送给用户 j。 For user i, after the corresponding timer Ti expires, user i sends a broadcast / multicast The server sends a request key message; after receiving the request key message, the broadcast / multicast server interacts with user i and sends the key to user i. Similarly, for user j, when the corresponding timer η expires, user j also sends a request key message to the broadcast / multicast server; after receiving the request key message, the broadcast / multicast server performs a request with user j Interact and send the key to user j.
如果需要更新 Ti或 Tj的话, 可以在上述交互过程中, 由广播 /组播服 务器将新的 Ti或' η发送给相应的用户 i或用户 j , 这是因为网络侧, 具体 说就是广播 /组播^务器控制所有用户的密钥请求时间,其可以根据用户分 布均匀的要求, 对用户的请求时间进行调整。 对于任意用户, 由于它们给 广播 /组播服务器发送请求密钥消息的时间不同, 因此可避免同时发送请求 密钥消息所导致的网絡通信拥塞。 实施例二:  If Ti or Tj needs to be updated, the new Ti or 'η can be sent by the broadcast / multicast server to the corresponding user i or user j during the above interaction process. This is because the network side, specifically the broadcast / group The server controls the key request time of all users, and it can adjust the user request time according to the requirement of uniform distribution of users. For any user, because they send the request key message to the broadcast / multicast server at different times, network congestion caused by sending the request key message at the same time can be avoided. Embodiment two:
本实施例中, 当前发起请求的用户终端随机产生一个附加延迟时间 Tadd, 且该附加延迟时间 Tadd在定时器到达时间 T后产生。 本实施例将 T+ Tadd作为该用户终端的请求发起时刻,即:定时器到达时间 T后再延迟 Tadd, 之后, 该用户终端再向广播 /组播服务器发送请求密钥消息。 那么, 本实施 例实现密钥分发的具体过程包括: In this embodiment, the user terminal currently initiating the request randomly generates an additional delay time T add , and the additional delay time T add is generated after the timer reaches the time T. In this embodiment, T + T add is used as the request initiation time of the user terminal, that is, T add is delayed after the timer reaches the time T, and then the user terminal sends a request key message to the broadcast / multicast server. Then, the specific process of implementing key distribution in this embodiment includes:
步骤 21~22: 与实施例一中步驟 11〜; 12的所有描述全部相同。  Steps 21 to 22: All descriptions are the same as steps 11 to 12 in the first embodiment.
步骤 23: 用户 i和用户 j在各自的定时器到时后, 分別随机产生一个 随机数, 作为附加延迟时间 Tadd, 比如 Tadd, i或 Tadd, j, 并且继续延迟 Tadd, ^ Tadd, j的时长, 然后才向广播 /组播服务器发送请求密钥消息,请求新的 共享密钥; 广播 /组播服务器收到请求后, 分别向不同的请求用户返回新的 共享密钥。 这里, Tadd, i表示用户 i的附加延迟时间, Tadd, j表示用户 j的附 加延迟时间, 如图 7所示。 这里, Tadd也可以由广播 /组播服务器产生并发 送给当前发起请求的用户。 那么, 对于用户. i而言, 就是延时 Ti+Tadd, i后, 用户 i向广播 /组播服 务器发送请求密钥消息; 对于用户 j 而言, 就是延时 Tj+Tadd, j后, 用户 j 向广播 /组播服务器发送请求密钥消息。 Step 23: After the respective timers expire, the user i and the user j generate a random number as an additional delay time T add , such as T add , i or T add , j, and continue to delay T add , ^ T add , j, and then send a request key message to the broadcast / multicast server to request a new shared key; after receiving the request, the broadcast / multicast server returns a new shared key to different requesting users, respectively. Here, T add , i represents the additional delay time of the user i, and T add , j represents the additional delay time of the user j, as shown in FIG. 7. Here, T add can also be generated by the broadcast / multicast server and sent to the user who currently initiates the request. Then, for user. I, after delaying Ti + T add , i, user i sends a request key message to the broadcast / multicast server; for user j, after delaying Tj + T add , j User j sends a request key message to the broadcast / multicast server.
本步骤中, 每个用户的附加延迟时间 Tadd在本离散点与下一离散点之 间产生。 也就是, 对于用户 i而言, Tadd, i在 Ti+Τχ ) 的时间范围内随 机产生, Tadd, i的取值在概率上服从 0≤Ti≤Tx的均匀分布。 同样, 对于用 户 j而言, Tadd, j在 [Tj, Tj+Tx )的时间范围内随机产生, Tadd, j的取值在概 率上服从 0< ≤Τχ的均匀分布。 实施例三: In this step, the additional delay time T add of each user is generated between the present discrete point and the next discrete point. That is, for the user i, T add , i is randomly generated within the time range of Ti + Tχ), and the values of T add , i obey a uniform distribution of 0 Ti ≦ T x in probability. Similarly, for user j, T add , j is randomly generated within the time range of [Tj, Tj + T x ), and the values of T add , j obey a uniform distribution of 0 <≦ Tχ in probability. Example three:
本实施例中, 当前发起请求的用户终端随机产生一个附加延迟时间 In this embodiment, the user terminal currently initiating the request randomly generates an additional delay time.
Tadd,且该附加延迟时间 Tadd在用户终端收到新密钥有效消息时产生。本实 施例是将 T+Tadd作为该用户终端的请求发起时刻, 可直接将定时器的值设 为 T+Tadd, 定时器到时后, 该用户终端就向广播 /组播服务器发送请求密钥 消息。 那么, 本实施例实现密钥分发的具体过程包括: T add , and the additional delay time T add is generated when the user terminal receives a new key valid message. In this embodiment, T + T add is used as the request initiation time of the user terminal. The value of the timer can be directly set to T + T add . After the timer expires, the user terminal sends a request to the broadcast / multicast server. Key message. Then, the specific process of implementing key distribution in this embodiment includes:
步骤 31: 当用户加入多媒体广播 /组播业务时, 广播 /组播服务器给该 用户分配一个时间 T,并将所分配的时间 T通知加入多媒体广播 /组播业务 的用户; 该用户收到时间 T后, 马上随机产生一个随机数, 作为附加延迟 时间 Tadd; 然后, 该用户在自身设置时长为 T+Tadd的定时器。 Step 31: When the user joins the multimedia broadcast / multicast service, the broadcast / multicast server allocates a time T to the user, and notifies the user who joined the multimedia broadcast / multicast service of the allocated time T; the user receives the time After T, a random number is generated randomly as an additional delay time T add ; then, the user sets a timer with a duration of T + T add .
这里, 时间 T所具有的特征以及产生方法, 与实施例一步骤 11 中所 述的时间 T的特征及产生方法完全相同。 附加延迟时间 Tadd的特点与实施 例二步骤 23中所述完全相同。 Here, the characteristics and generation method of time T are exactly the same as the characteristics and generation method of time T described in step 11 of the first embodiment. The characteristic of the additional delay time T add is exactly the same as that described in step 23 of the second embodiment.
步驟 32: 广播 /组播服务器向所有用户下发新密钥有效的消息, 收到 该消息的用户, 并不马上向广播 /组播服务器发送请求密钥消息, 而是立即 触发自身设置的定时器。 这里, 用户启动的定时器的时间长度为 T+Tadd。 步骤 33: 定时器到时后, 向广播 /组播服务器发送请求密钥消息, 请 求新的共享密钥; Γ播 /组播服务器收到请求后, 分别向不同的请求用户返 回新的共享密钥。 Step 32: The broadcast / multicast server sends a message that the new key is valid to all users. The user who received the message does not immediately send a request key message to the broadcast / multicast server, but immediately triggers the timing set by itself. Device. Here, the length of the timer started by the user is T + T add . Step 33: After the timer expires, send a request key message to the broadcast / multicast server to request a new shared key. After receiving the request, the broadcast / multicast server returns a new shared secret to different requesting users. key.
对于用户 i而言, 附加延迟时间为 Tadd, i, 则延时 Ti+Tadd, i后, 用户 i 向广播 /组播服务器发送请求密钥消息; 对于用户 j而言, 附加延迟时间为 Tadd, j, 则延时 Tj+Tadd, j后, 用户 j向广播 /组播服务器发送请求密钥消息。 For user i, the additional delay time is T add , i, then after delay Ti + T add , i, user i sends a request key message to the broadcast / multicast server; for user j, the additional delay time is T add , j, after delaying Tj + T add , j, user j sends a request key message to the broadcast / multicast server.
以上所述, 仅为本发明的较佳实施例而已, 并非用于限制本发明的保 护范围。  The above description is only the preferred embodiments of the present invention, and is not intended to limit the protection scope of the present invention.

Claims

权利要求书 Claim
1、 一种实现多媒体广播 /组播业务密钥分发的方法, 其特征在于, 该 方法包括以下步驟:  1. A method for implementing multimedia broadcast / multicast service key distribution, characterized in that the method includes the following steps:
a. 网络侧为每个群组用户分配一个时间 T, 并将所分配的时间 T通知 相应的用户终端;  a. The network side allocates a time T to each group of users, and notifies the corresponding user terminal of the allocated time T;
b. 网络侧更新共享密钥后向步骤 a所述群组内所有用户下发新密钥有 效消息, 每个收到新密钥有效消息的用户终端, 启动为自身所分配时间 T 对应的定时器;  b. After the network side updates the shared key, a new key validity message is sent to all users in the group described in step a. Each user terminal that receives the new key validity message starts the timing corresponding to its assigned time T. Device
c 当步骤 b所述定时器到时后,该定时器对应的用户终端向广播 /组播 服务器发送请求密钥消息; 广播 /组播服务器收到请求密钥消息后, 向发起 请求的用户终端发送新共享密钥。  c When the timer described in step b expires, the user terminal corresponding to the timer sends a request key message to the broadcast / multicast server; after receiving the request key message, the broadcast / multicast server sends the request key message to the user terminal that initiated the request Send a new shared secret.
2、根据权利要求 1所述的方法, 其特征在于, 步骤 a与步驟 b之间进 一步包括: 每个用户终端收到分配给自身的时间 T后, 产生一随机数作为 附加延迟时间;  2. The method according to claim 1, further comprising: step a and step b: each user terminal generates a random number as an additional delay time after receiving the time T allocated to itself;
则步骤 b中, 收到新密钥有效消息的用户终端, 启动时间长度为时间 Then, in step b, the user terminal that receives the new key valid message has a startup time length of time.
T加附加延迟时间的定时器。 T plus timer for additional delay time.
3、 根据权利要求 1所述的方法, 其特征在于, 在步骤 b用户终端启 动定时器的同时、 或用户终端启动定时器后、 或在步骤 c定时器到时后发 送请求密钥消息之前, 该方法进一步包括: 所述定时器对应的用户终端产 生一随机数作为附加延迟时间;  3. The method according to claim 1, characterized in that, when the user terminal starts the timer in step b, or after the user terminal starts the timer, or before the request key message is sent after the timer expires in step c, The method further includes: the user terminal corresponding to the timer generates a random number as an additional delay time;
则步骤 c中定时器到时后, 继续延迟附加延迟时间的时长后, 用户终 端再向广播 /组播服务器发送请求密钥消息。  Then, after the timer expires in step c, after continuing to delay the additional delay time, the user terminal sends a request key message to the broadcast / multicast server.
4、 根据权利要求 1、 2或 3所述的方法, 其特征在于, 所述网絡侧在 群组用户加入多媒体广播 /组播业务时为该群组用户分配时间 T; 或在群组 用户加入多媒体广播 /组播业务后为该群组用户分配时间 T; 或在向群组用 户发送共享密钥时为该群組用户分配时间 τ。 4. The method according to claim 1, 2 or 3, wherein the network side allocates time T to the group user when the group user joins the multimedia broadcast / multicast service; or in the group After the user joins the multimedia broadcast / multicast service, time T is allocated to the group user; or when the shared key is sent to the group user, time τ is allocated to the group user.
5、 根据权利要求 4 所述的方法, 其特征在于, 所述网络侧为每个群 组用户分配时间 Τ具体为: 广播 /组播服务器为每个群组用户分配时间 Τ。  5. The method according to claim 4, wherein the network side assigning time T to each group user is specifically: a broadcast / multicast server assigns time T to each group user.
6、 根据权利要求 1、 2或 3所述的方法, 其特征在于, 所述时间 Τ的 值位于:从新共享密钥有效时间点到广播 /组播服务器期望用户群组完成集 中请求共享密钥工作时间点的时间长度, 与用户从发起请求到最终得到新 共享密钥需要的时间长度差值之间, 且在概率上满足均匀分布。  6. The method according to claim 1, 2 or 3, wherein the value of the time T is located from the time when the new shared key is valid until the broadcast / multicast server expects the user group to complete the centralized request for the shared key. The time length of the working time point is different from the length of time required by the user from initiating the request to finally obtaining a new shared key, and it meets a uniform distribution in probability.
7、 根据权利要求 6所述的方法, 其特征在于, 所述时间 Τ通过随机 函数产生, 该随机函数的样本点在概率上服从均匀分布。  7. The method according to claim 6, wherein the time T is generated by a random function, and sample points of the random function obey a uniform distribution in probability.
8、 根据权利要求 6所述的方法, 其特征在于, 所述时间 Τ通过取模 法、 或 HASH函数法产生。  8. The method according to claim 6, wherein the time T is generated by a modulo method or a HASH function method.
9、 根据权利要求 6 所述的方法, 其特征在于, 所述网络侧在群组用 户加入多媒体广播 /组播业务时为该群组用户分配时间 T; 或在群组用户加 入多媒体广播 /组播业务后为该群组用户分配时间 T; 或在向群组用户发送 共享密钥时为该群组用户分配时间 T。  9. The method according to claim 6, wherein the network side allocates time T to the group user when the group user joins the multimedia broadcast / multicast service; or joins the group user to the multimedia broadcast / group Allocate time T to the group users after broadcasting the service; or allocate time T to the group users when sending the shared key to the group users.
10、 根据权利要求 2或 3所述的方法, 其特征在于, 所述附加延迟时 间在当前发起请求用户终端所属的当前离散点与下一离散点的时间间隔 Τχ内产生, 且在概率上服从 [0, ΤΧ]的均匀分布。 10. The method according to claim 2 or 3, wherein the additional delay time is generated within a time interval T χ between the current discrete point and the next discrete point to which the user terminal that is currently initiating the request belongs, and is probabilistic. subject [0, Τ Χ] uniform distribution.
11、根据权利要求 10所述的方法, 其特征在于, 所述网络侧在群组用 户加入多媒体广播 /组播业务时为该群组用户分配时间 Τ; 或在群组用户加 入多媒体广播 /组播业务后为该群组用户分配时间 Τ; 或在向群组用户发送 共享密钥.时为该群组用户分配时间 τ。  11. The method according to claim 10, wherein the network side allocates time T to the group user when the group user joins the multimedia broadcast / multicast service; or joins the group user to the multimedia broadcast / group Allocate time T for the group user after broadcasting the service; or allocate time τ for the group user when sending the shared key to the group user.
12、 根据权利要求 1、 2或 3所述的方法, 其特征在于, 步驟 b所述 网络侧更新共享密钥及下发新密钥有效消息具体为:广播 /组播服务器更新 共享密钥; 之后, 广播 /组播服务器向步驟 a所述群组内所有用户下发新密 钥有效消息.。 12. The method according to claim 1, 2, or 3, wherein the step of updating the shared key and issuing a new key valid message on the network side in step b is specifically: a broadcast / multicast server update Share the key; after that, the broadcast / multicast server sends a new key valid message to all users in the group in step a.
PCT/CN2005/000096 2004-02-09 2005-01-21 A Method for Implementing Multimedia Broadcast Multicast Service Key Distribution WO2005078992A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200410039255.5 2004-02-09
CNB2004100392555A CN1300974C (en) 2004-02-09 2004-02-09 Method for realizing multimedia broadcasting / multicasting service key dispensing

Publications (1)

Publication Number Publication Date
WO2005078992A1 true WO2005078992A1 (en) 2005-08-25

Family

ID=34845819

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2005/000096 WO2005078992A1 (en) 2004-02-09 2005-01-21 A Method for Implementing Multimedia Broadcast Multicast Service Key Distribution

Country Status (2)

Country Link
CN (1) CN1300974C (en)
WO (1) WO2005078992A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107592199A (en) * 2017-08-30 2018-01-16 北京奇艺世纪科技有限公司 A kind of method and system of data syn-chronization

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100450005C (en) * 2005-10-14 2009-01-07 中兴通讯股份有限公司 Method and apparatus for implementing cluster communication
CN100454320C (en) * 2005-11-28 2009-01-21 华为技术有限公司 Key management method and apparatus for digital copyright management
CN101030849B (en) * 2006-03-01 2010-10-27 华为技术有限公司 Method and system for realizing packet key synchronization between multiple base stations
CN1845599B (en) * 2006-05-17 2010-09-01 中国移动通信集团公司 Method for obtaining and updating service key in mobile television service
CN101102152B (en) * 2006-07-03 2011-05-11 华为技术有限公司 Method for guaranteeing data security in passive optical network
CN1878058B (en) * 2006-07-12 2010-05-26 中国移动通信集团公司 Subscriber terminal cipher key update method used in broadcast service
CN101267294B (en) * 2007-03-14 2012-05-09 中国移动通信集团公司 Secret key distribution method
CN100461974C (en) * 2007-05-09 2009-02-11 中兴通讯股份有限公司 Method and apparatus for triggering key updating
JP4969342B2 (en) * 2007-07-03 2012-07-04 パナソニック株式会社 Receiving terminal and receiving method
CN101488850B (en) * 2008-01-18 2011-03-16 中兴通讯股份有限公司 Method for ciphering content of multimedia broadcast
CN101262335B (en) * 2008-04-23 2011-10-26 中兴通讯股份有限公司 Method and system for secret key distribution in mobile phone TV service
CN101478725B (en) * 2009-01-24 2011-09-21 中兴通讯股份有限公司 Service cipher key synchronization method and system
CN101730067B (en) * 2009-06-25 2012-06-06 中兴通讯股份有限公司 Method and device for controlling user equipment to report network discovery
CN103874024B (en) * 2012-12-13 2017-06-20 中国移动通信集团公司 A kind of method for scheduling task, apparatus and system for broadcasting downloading service
CN107528678B (en) * 2016-06-22 2021-10-29 大唐移动通信设备有限公司 Method and equipment for updating system message
CN111836206B (en) * 2019-04-17 2022-08-30 中国移动通信有限公司研究院 Multicast processing method, terminal and network node
CN114466318B (en) * 2022-01-30 2023-04-07 西安电子科技大学 Method, system and equipment for realizing multicast service effective authentication and key distribution protocol

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5412722A (en) * 1993-08-31 1995-05-02 Motorola, Inc. Encryption key management
US6584566B1 (en) * 1998-08-27 2003-06-24 Nortel Networks Limited Distributed group key management for multicast security

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ATE362295T1 (en) * 1998-02-27 2007-06-15 Ericsson Telefon Ab L M METHOD AND DEVICE FOR AUTHENTICATION FOR SECURED TRANSMISSIONS BETWEEN A MOBILE ATM TERMINAL AND AN ATM ACCESS NODE IN A WIRELESS ATM RADIO COMMUNICATIONS NETWORK
JP4420571B2 (en) * 2001-02-22 2010-02-24 ソニー株式会社 Transmission device and method, reception device and method, information transmission / reception system and method, recording medium, and program

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5412722A (en) * 1993-08-31 1995-05-02 Motorola, Inc. Encryption key management
US6584566B1 (en) * 1998-08-27 2003-06-24 Nortel Networks Limited Distributed group key management for multicast security

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
QI YUEBIN ET AL: "Multicast key management method based on periodic rekeying.", COMPUTER APPLICATIONS., vol. 122, no. 3, March 2003 (2003-03-01), pages 26 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107592199A (en) * 2017-08-30 2018-01-16 北京奇艺世纪科技有限公司 A kind of method and system of data syn-chronization
CN107592199B (en) * 2017-08-30 2020-04-21 北京奇艺世纪科技有限公司 Data synchronization method and system

Also Published As

Publication number Publication date
CN1655497A (en) 2005-08-17
CN1300974C (en) 2007-02-14

Similar Documents

Publication Publication Date Title
WO2005078992A1 (en) A Method for Implementing Multimedia Broadcast Multicast Service Key Distribution
TWI308008B (en) Method and apparatus for selecting a packet data serving node for multi-cast/broadcast services
US20210051474A1 (en) Network architecture having multicast and broadcast multimedia subsystem capabilities
KR100956040B1 (en) Method and apparatus for data packet transport in a wireless communications system using an internet protocol
TW569579B (en) Method and apparatus for header compression in a wireless communication system
US8983065B2 (en) Method and apparatus for security in a data processing system
TWI280768B (en) Method and apparatus for security in a data processing system
TWI223532B (en) Method and apparatus for data packet transport in a wireless communication system using an Internet Protocol
WO2017016326A1 (en) Data transmission method for edge mbms service and relevant device
US20130108043A1 (en) Method and apparatus for providing broadcast service using encryption key in a communication system
JP2007516657A (en) Method and apparatus for broadcast application in a wireless communication system
EP1374477A1 (en) Method and apparatus for security in a data processing system
WO2008086702A1 (en) Method, device and system for policy control
JP4554618B2 (en) Method and apparatus for enhanced policy control in a wireless communication system
WO2007112650A1 (en) System, method and bm-sc for mbms service
US7239705B2 (en) Apparatus and method for broadcast services transmission and reception
WO2004107645A1 (en) A method of updating share key
Kang Efficient data origin authentication scheme for video streaming transmitted by multiple senders
JP2004032711A (en) Multicast service data distribution system and method, confidential key generating apparatus, and program
WO2022027696A1 (en) Method and apparatus for configuring security information
CN1902974A (en) Method of synchronizing broadcast parameters during autonomous soft handoff
KR20050009115A (en) Method for Accounting Broadcast Service in a Mobile Communication System
AU2002341978A1 (en) Method and apparatus for data packet transport in a wireless communications system using an internet protocol

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase