WO2014131356A1 - Method, system, and terminal for hierarchical management of group keys of broadband cluster system - Google Patents

Method, system, and terminal for hierarchical management of group keys of broadband cluster system Download PDF

Info

Publication number
WO2014131356A1
WO2014131356A1 PCT/CN2014/072593 CN2014072593W WO2014131356A1 WO 2014131356 A1 WO2014131356 A1 WO 2014131356A1 CN 2014072593 W CN2014072593 W CN 2014072593W WO 2014131356 A1 WO2014131356 A1 WO 2014131356A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
group
access layer
system side
terminal
Prior art date
Application number
PCT/CN2014/072593
Other languages
French (fr)
Chinese (zh)
Inventor
李宗政
张志辉
赵洪坤
翟来国
甘露
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2014131356A1 publication Critical patent/WO2014131356A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/06Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services
    • H04W4/08User group management

Definitions

  • the present invention relates to the field of mobile communication technologies, and in particular, to a group key layer management method, system and terminal for a broadband cluster system based on LTE (Long Term Evolution).
  • LTE Long Term Evolution
  • the cluster system is developed to meet the needs of industry users for command and dispatch, and is a dedicated wireless communication system for specific industry applications.
  • the cluster system is an efficient wireless communication system that supports a large number of wireless users for group communication by sharing a wireless channel with a small number of wireless channels.
  • the cluster system is mainly composed of an analog cluster system and a narrowband digital communication system, and can provide basic services in the voice and low-speed data services.
  • the cluster system With the rapid development of the mobile Internet and the large-scale construction of wireless cities around the world, broadband has become the trend of wireless communication development.
  • the cluster system also provides greater channel capacity, more service types, higher data bandwidth, etc.
  • the broadband cluster system evolved based on LTE technology.
  • LTE is a 3GPP (3rd Generation Partnership Project) long-term evolution project.
  • the LTE network adopts a flat architecture, and the eNB (evolved Node B) is deployed in a decentralized manner. Centralized control.
  • LTE has developed protocols for security management to effectively protect data security between signaling streams and media streams between network elements.
  • the broadband cluster system inherits the basic architecture of LTE. It can be deployed without the constraints of the LTE core network. Depending on the application scenario, only DSS (Dispatching Subsystem) or DSS and EPC (Evolved Packed Core) can be deployed. The evolved packet core network) is deployed. Therefore, the broadband cluster system needs to design a separate group key management method to ensure the security of the core network, eNB and terminal in the cluster system when using the broadband cluster network.
  • the security management of LTE as defined by the 3GPP protocol mainly focuses on: NAS (Non Access Stratum) signaling encryption protection, NAS signaling integrity protection, RRC (Radio Resource) Control, radio resource control M command encryption protection, RRC signaling integrity protection, UP (User Plane, user plane) data encryption protection and other aspects.
  • the key architecture of LTE is a layered design. The system uses the key K stored on the core network and the UE (User Equipment) to hierarchically derive the keys of each level, and combines the selected encryption algorithm and integrity protection algorithm. , to achieve the security management process of NAS and AS (Access Stratum, access layer).
  • the broadband trunking system provides the group call service
  • the downlink shared channel is encrypted and integrity protected, and the group key shared by all users in the group is captured.
  • the K values of the user terminals of the same group are confidential and different. Therefore, if the key K on the terminal is directly used, the group call service of the broadband cluster system cannot be managed securely.
  • the group key is pre-preset on the terminal to implement the group call service security management.
  • the scheme lacks flexibility in managing the group key, and since the group key is already preset on the terminal, In certain scenarios, for example, when group members change, there is some security.
  • the embodiment of the invention provides a method, a system and a terminal for group key management of a broadband cluster system, which implements hierarchical management of group keys for group call services, and makes the broadband cluster system more secure.
  • An embodiment of the present invention provides a group key layer management method for a broadband cluster system, including: the system side generates a group root key for the group, and sends the group root key to the terminal in the group.
  • the system side When the group call is established, the system side generates a group call security parameter, and generates a non-access stratum key and an access stratum key based on the group root key and the group call security parameter, and the group call is The security parameters are sent to the listening user terminals in the group;
  • the system side protects the group call sharing channel of the group call based on the non-access stratum key and the access stratum key.
  • the foregoing method may further have the following feature: before the system side sends the group root key to the terminal in the group, the method further includes:
  • the method may further include the following: the non-access stratum key includes: a non-access stratum encryption key and a non-access stratum integrity protection key; and, the access stratum key includes: radio resource control Encryption key, radio resource control integrity protection key, and user plane data encryption key.
  • the method may also have the following feature: the system side generates a non-access stratum key and an access stratum key based on the group root key and the group call security parameter, including:
  • the above method may also have the following features:
  • the system side generates different group root keys for different groups.
  • the above method may also have the following feature: the group call security parameter is a random number or a count value.
  • the method may further include the following features, the method further includes: when the update trigger condition is met, the system side updates the group root key of the group, and sends the updated group root key to the group The terminal in the group.
  • the above method may also have the following features, and the update triggering conditions include:
  • the method may also have the following features, the method further includes: when the system side generates a group root key for the group, the system further generates a key number; the system side sends the group root key to the When the terminal in the group is, the key number is also sent to the terminal in the group;
  • the system side When the group call is established, the system side sends the group call security parameter to the listening user terminal in the group, and sends the key number to the listening user terminal in the group. .
  • An embodiment of the present invention provides a group key layer management method for a broadband cluster system, including: Receiving, by the terminal, a group root key of the group to which the terminal belongs, sent by the system side;
  • the terminal When the group call is established, the terminal receives the group call security parameter sent by the system side; and the terminal generates a non-access stratum key and the access layer based on the group root key and the group call security parameter.
  • the key protects the group call shared channel of the group call based on the non-access stratum key and the access stratum key.
  • the foregoing method may further have the following feature: before receiving, by the terminal, the group root key of the group to which the terminal belongs, the terminal further includes: the terminal establishing a non-access layer and an access layer with the system side Safe passage; and
  • Receiving, by the terminal, the group root key of the group to which the terminal belongs, sent by the system, the terminal includes: receiving, by the security channel, the group root key of the group to which the terminal belongs by the system side.
  • the method may further include the following: the non-access stratum key includes: a non-access stratum encryption key and a non-access stratum integrity protection key; and, the access stratum key includes: radio resource control Encryption key, radio resource control integrity protection key, and user plane data encryption key.
  • the foregoing method may further have the following feature: the terminal generates a non-access stratum key and an access stratum key based on the group root key and the group call security parameter, including:
  • the KDF Determining, by the terminal, a non-access stratum key and an evolved base station key using a key derivation function KDF based on the group root key and the group call security parameter, and using a key derivation function based on the evolved base station key
  • the KDF generates the access layer key.
  • the above method may also have the following features, the method further comprising:
  • the terminal When the terminal receives the group root key of the group to which the terminal belongs, the terminal further obtains a key number that is sent together with the group root key, and saves the group root key and the a key number; when the group call is established, the terminal further receives a key number that is sent together with the group call security parameter;
  • the method further includes: determining a key number and a local number received when the group call is established Whether the saved key numbers are consistent. If they are consistent, the non-access stratum key and the access stratum key are generated based on the group root key and the group call security parameter; if not, the terminal is The system side initiates a group root key synchronization request, and obtains a new group root key and a key number from the system side, and is based on Generating a non-access stratum key and an access stratum key for the new group root key and the group call security parameter.
  • the embodiment of the present invention further provides a group key hierarchical management system for a broadband cluster system, including: a system side network element, where the system side network element is set to:
  • the inbound key protects the group call shared channel of the group call.
  • the system may also have the following features: the system side network element is further configured to: before the group root key is sent to the terminal in the group, establish a non-access layer with the terminal in the group. And a secure channel at the access layer;
  • the system side network element is configured to send the group root key to the terminal in the group by using the secure channel.
  • the non-access stratum key includes: a non-access stratum encryption key and a non-access stratum integrity protection key; and, the access stratum key includes: radio resource control Encryption key, radio resource control integrity protection key, and user plane data encryption key.
  • the system may also have the following features:
  • the system side network element includes: a core network and an evolved base station, where:
  • the core network is configured to generate the non-access stratum key and the evolved base station key using a key derivation function KDF based on the group root key and the group call security parameter; and, the evolved Sending, by the base station key, the evolved base station related to the group call,
  • the evolved base station is configured to generate the access layer key based on the evolved base station key using a key derivation function KDF.
  • the above system may also have the following features:
  • the system side network element generates different group root keys for different groups.
  • the above system may also have the following characteristics: the group call security parameter is a random number or a count value.
  • system side network element is further configured to: meet the update touch When the condition is sent, the group root key of the group is updated, and the updated group root key is sent to the terminal in the group.
  • the above system may also have the following features, and the update triggering conditions include:
  • the system may also have the following features: the system side network element is further configured to: generate a key number when generating a group root key for the group; and send the group root key to the group The terminal number is also sent to the terminal in the group; and, when the group call is established, the group call security parameter is sent to the listening user terminal in the group. And sending the key number to the listening user terminal in the group.
  • the embodiment of the invention further provides a terminal, where the terminal includes:
  • An interaction unit configured to receive a group root key of the group to which the terminal belongs by the system side; and, when the group call is established, receive the group call security parameter sent by the system side;
  • a key generation unit configured to generate a non-access stratum key and an access stratum key based on the set root key and the group call security parameter
  • a protection unit configured to protect the group call shared channel of the group call based on the non-access stratum key and the access stratum key.
  • the foregoing terminal may further have the following feature: the interaction unit is further configured to: before receiving the group root key of the group to which the terminal belongs, sent by the system side, establishing a non-access layer and an access layer with the system side Safe passage;
  • the interaction unit is configured to receive, by using the secure channel, a group root key of the group to which the terminal is delivered by the system side.
  • the terminal may also have the following features: the non-access stratum key includes: a non-access stratum encryption key and a non-access stratum integrity protection key; and the access stratum key includes: radio resource control Encryption key, radio resource control integrity protection key, and user plane data encryption key.
  • the foregoing terminal may further have the following feature: the key generation unit generates a non-access stratum key and an access stratum key based on the group root key and the group call security parameter by:
  • the key generation unit generates a non-access stratum key and an evolved base station key based on the group root key and the group call security parameter using a key derivation function KDF, based on the evolved base station key
  • the access layer key is generated using a key derivation function KDF.
  • the foregoing terminal may also have the following features, the interaction unit is further configured to: when receiving the group root key of the group to which the terminal belongs, which is sent by the system side, obtain the same as the group root key a key number, where the group root key and the key number are saved; and, when the group call is established, receiving a key number that is sent together with the group call security parameter;
  • the key generating unit is further configured to: before the generating the non-access stratum key and the access stratum key based on the group root key and the group call security parameter, determining the secret received when the group call is established Whether the key number is consistent with the locally saved key number. If they are consistent, the non-access stratum key and the access stratum key are generated based on the group root key and the group call security parameter; if they are inconsistent, Initiating a group root key synchronization request to the system side, acquiring a new group root key and a key number from the system side, and generating a non-connection based on the new group root key and the group call security parameter Incoming layer key and access layer key.
  • the embodiment of the present invention further provides a group key hierarchical management system for a broadband cluster system, including the system side network element and the terminal.
  • the group key layer management method provided by the embodiment of the invention is simple to implement, and the key structure is hierarchically set.
  • the security level is ensured, the LTE security protocol architecture in the related technology is changed little, and the terminal side changes.
  • Software interface changes that do not involve the SIM card are easy to be backward compatible.
  • FIG. 1 is a block diagram of a group key used in an embodiment of the present invention.
  • Figure 2 is a KDF derivative relationship diagram of the group call key
  • FIG. 3 is a schematic diagram of a process of deriving a key of each level in a broadband cluster system and a UE applying a group root key k g and a group call security parameter when implementing the layered management method according to an embodiment of the present invention
  • FIG. 4 is a schematic diagram of a group root key synchronization update according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of generating a group call encryption/decryption key according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of a group root key synchronization update process based on an LTE trunking communication system according to an embodiment of the present invention
  • FIG. 7 is a block diagram of a terminal in accordance with an embodiment of the present invention. Preferred embodiment of the invention
  • the embodiment of the present invention provides a group key layer management method for a broadband cluster system, including: the system side generates a group root key for the group, and sends the group root key to the terminal in the group; When the group call is established, the system side generates a group call security parameter, and generates a non-access stratum key and an access stratum key based on the group root key and the group call security parameter, and the group call security is performed. The parameter is sent to the listening user terminal in the group;
  • the system side protects the group call sharing channel of the group call based on the non-access stratum key and the access stratum key.
  • the method before the system side sends the group root key to the terminal in the group, the method further includes:
  • the system side establishes a non-access stratum and a secure channel of the access layer with the terminal in the group; the system side sends the group root key to the terminal in the group, where: The system side sends the group root key to the terminal in the group through the secure channel.
  • the non-access stratum key includes: a non-access stratum encryption key and a non-access stratum integrity protection key, where the access stratum key includes: Resource Control Encryption Key, Radio Resource Control Integrity Protection Key, and User Plane Data Encryption Key.
  • the non-access stratum key and the access stratum key can also include other types of keys as needed.
  • system side generates the non-access stratum key and the access stratum key based on the group root key and the group call security parameter, including:
  • the core network generates the non-access stratum key and the evolved base station key by using a key derivation function KDF based on the group root key and the group call security parameter;
  • the access layer key is generated by the evolved base station based on the evolved base station key using a key derivation function KDF.
  • system side generates different group root keys for different groups.
  • the group call security parameter is a random number or a count value.
  • the method further includes: when the update trigger condition is met, the system side updates the group root key of the group, and sends the updated group root key to the The terminal in the group.
  • the update triggering conditions include, but are not limited to, a member change or a security period in the group.
  • the method further includes: when the system side generates a group root key for the group, and further generates a key number; the system side sends the group root key When the terminal in the group is sent, the key number is also sent to the terminal in the group;
  • the system side When the group call is established, the system side sends the group call security parameter to the listening user terminal in the group, and sends the key number to the listening user terminal in the group. .
  • the method further includes: updating, by the system side, the group root key once every security period, simultaneously updating the key number, and adding the updated group root key The key and the updated key number are sent to the terminals in the group.
  • the embodiment of the present invention further provides a group key layer management method for a broadband cluster system, including: receiving, by a terminal, a group root key of a group to which the terminal belongs by the system side;
  • the terminal When the group call is established, the terminal receives the group call security parameter sent by the system side;
  • the terminal generates a non-access stratum key and an access stratum key based on the group root key and the group call security parameter, based on the non-access stratum key and the access stratum key pair
  • the group call sharing channel of the group call is protected.
  • the receiving, by the terminal, the group root key of the group to which the terminal belongs further includes: establishing, by the terminal, the non-access layer and the system side a secure channel of the access layer; the terminal receives the group root key of the group to which the terminal belongs by the system side through the secure channel.
  • the generating, by the terminal, the non-access stratum key and the access stratum key based on the group root key and the group call security parameter includes:
  • the method further includes:
  • the terminal When the terminal receives the group root key of the group to which the terminal belongs, the terminal further obtains a key number that is sent together with the group root key, and saves the group root key and the The key number is set; when the group call is established, the terminal further receives a key number that is sent together with the group call security parameter; the terminal generates a non-connection based on the group root key and the group call security parameter.
  • the method further includes: determining whether the key number received by the group call is consistent with the locally saved key number, and if they are consistent, based on the group root key and the The group call security parameter generates the non-access stratum key and the access stratum key; if not, the terminal initiates a group root key synchronization request to the system side, and acquires a new one from the system side Generating a root key and a key number, and generating a non-access stratum key and an access stratum key based on the new group root key and the group call security parameter.
  • Broadband trunking system provides a hierarchical group key management method according to the present invention includes: a step 101, during establishment of the group by generating a group of broadband core network cluster root key K g;
  • the K g of each group may not be mutually exclusive, so as to ensure the privacy and security of the group communication;
  • Step 102 the cluster terminal establishes a point-to-point secure connection with the broadband cluster system, and the terminal uses the terminal to be stored on the terminal.
  • Key K establish a secure channel for the NAS and AS with the system;
  • Step 103 The cluster system sends the root key K g of the group to which the terminal belongs to the cluster terminal through a secure channel.
  • the delivery process may be performed multiple times.
  • Step 104 During the group call establishment process, the group call calling party establishes a point-to-point connection with the broadband cluster system, and the group calls the security management process of the calling user, and still uses the key K stored on the core network and the terminal. Derived key of each level;
  • Step 105 When the group call is established, there are multiple listening users in the system, and the system is between the listening user and the listening user. The point-to-multipoint connection, the system applies the key structure of the group call for the security management of the shared channel.
  • a group call security parameter such as a random variable, a counter, etc.
  • KDF Key Derivation Function
  • the NAS encryption key used by the group call sharing channel by the K g and the group call security parameter
  • the NAS integrity protection key and the eNB key K geNB ;
  • Step 107 In the group call establishment process, the broadband cluster core network notifies the K geNB to the relevant eNB, and the eNB uses the K geNB to derive the RRC signaling encryption key used by the group call sharing channel, and the RRC signaling integrity protection key. And a UP data encryption key;
  • Step 108 In the group call establishment process, the system side notifies the group call security parameters to each listening user terminal in the group. Listen to the user terminal after receiving the call set security parameters, combined with the previously saved K g, using a KDF function can be layered to derive levels of this key group call. For the group call, since the terminal side and the system save the K g and the group call security parameters are exactly the same, the keys of the levels obtained on the terminal are exactly the same as the system side;
  • Step 109 After the core network derives the key of the NAS layer, sends the group call security parameter to the terminal, and successfully sends the KgeNB to the eNB, and starts NAS encryption protection and NAS integrity protection of the group call shared channel; the eNB succeeds. After receiving the KGeNB and deriving the key of the AS layer, the RRC encryption protection, the RRC integrity protection, and the UP data encryption protection of the group call shared channel are started. After receiving the group call security parameter, the group listening user terminal derives the NAS layer. And the keys of the AS layer, the NAS encryption protection of the group call shared channel, the NAS integrity protection, the RRC encryption protection, the RRC integrity protection and the UP data encryption protection.
  • the method also includes:
  • the group root key K g is usually kept unchanged.
  • the system may focus on A new Kg is newly generated and sent to the terminal by the cluster broadband system core network encryption, and the process repeats steps 101 to 103; each time the new group call is established, steps 104 to 108 are repeated.
  • the above method does not need to preset the group root key on the terminal, but sends the group root key K g to the terminal through the encrypted channel, so the flexibility and security of the group root key can be guaranteed;
  • the system side and the terminal use the group root key K g to combine the new group call security parameters.
  • the number is used to regenerate the encryption key and integrity protection key used by the group call to improve the security of the system.
  • An embodiment of the present invention provides a security management method for a broadband trunking service implemented on an LTE system:
  • a group user establishes a point-to-point connection with a broadband cluster system
  • the group calling party initiates a connection establishment request
  • the UE When the UE initially attaches to the broadband cluster system, the UE establishes a point-to-point single-call connection with the broadband cluster system.
  • the UE and the broadband cluster system use the single-call key architecture for security management, based on the core network and The key K value on the UE is used to derive the key of the level.
  • the architecture is specifically defined in the LTE security management protocol.
  • the embodiment of the present invention does not describe the key derivation process.
  • the key structure is a group key structure, as shown in Figure 1.
  • the functions of the keys in the middle level are as follows:
  • K g The group root key of the broadband cluster system, used for group security management, is the basis for the generation of keys at all levels in a point-to-multipoint connection;
  • GroupCallRand Group call security parameters. In order to enhance security, each time a new group call is established, the encryption key and integrity protection key used by the group are changed, and GroupCallRand is introduced as a derivative function input variable of the key.
  • K gNA sEnc group call NAS signaling encryption key
  • KgNAsmt group call NAS signaling integrity protection key
  • K g eNB eNB key, it should be noted that all eNBs corresponding to one group have the same KgeNB;
  • K gUPEnc is the encryption key of the group call user plane data, that is, the UP data encryption key
  • K gR RCEn C is the encryption key of the group call RRC signaling
  • KgRRcint is the integrity protection key of the group call RC signaling.
  • FIG. 2 is a schematic diagram of a KDF derivation relationship of each key in the embodiment of the present invention
  • the present schematic diagram is only an example, and the input parameters of the KDF derivative function in the embodiment of the present invention are not limited to the examples in the figure: in K gNASEnc, KgNASInt 'Kg eN B K g are used as the input key, the security parameter by the group call participation GroupCallRand input byte string constructor function KDF; K geNB derived from the K gUP E nc, the KgRR CEnc, KgRRCMo 2 SN id is Serving Network identity, Enc-Alg-ID is Encryption Algorithm Identity, NAS-enc-alg is NAS Encryption Algorithm, Int -Alg-ID is (Integrity Algorithm Identity), NAS-int-alg is NAS Integrity Algorithm (NAS Integrity Algorithm), RRC-enc
  • the process of group key management in the broadband cluster system in the embodiment of the present invention is as follows:
  • PHR the process of group key management in the broadband cluster system in the embodiment of the present invention
  • Step 301 The PHR generates a group root key Kg for each group.
  • the Kg construction method may be directly generated by using a random number generator, or may be generated by using a group identifier GID and a random number using a KDF function, or may be manually set. Ways to generate, but not limited to, these specific methods;
  • Step 302 The cluster terminal is initially attached to the broadband cluster system, and the cluster terminal establishes a point-to-point connection with the broadband cluster system, and applies a single-call key structure.
  • the point-to-point NAS and AS secure channels are successfully established between the UE and the broadband cluster system, and then the data transmitted between the broadband cluster and the UE can be encrypted and integrity protected.
  • the broadband cluster system encrypts and sends the root key K g and the encryption algorithm ID and the complete new protection algorithm ID of the group to which the UE belongs to the UE in the group information update message.
  • the process is based on signaling. The length is different and may have to be repeated multiple times.
  • UE saves received K g , the encryption algorithm ID and the integrity protection algorithm ID are used for the specific security management process when the subsequent group call is established.
  • Step 303 When a new group call is established, the broadband cluster core network generates a group call security parameter GroupCallRand, and uses the KDF function to derive K gNASEnc from K g and GroupCallRand .
  • Step 304 The PDS notifies the K geNB to all eNBs related to the sub-group call, and each eNB applies
  • the KDF function is derived from KgeNB by K gRRCEn(; , Kg Rcint and Kg j Enco
  • Step 305 The broadband cluster core network sends the GroupCallRand to all listening user UEs through the control channel, and the UE uses the KDF function to derive the key keys required for security management by Kg and GroupCallRand: KgNASEnc, KgNASInt, K ge B ' Kg RCEnc, Kg Rcint and K g u Enc.
  • the parameters of the KDF algorithm for generating each key on the UE are completely consistent with the broadband cluster system side, so the keys of the levels derived from the UE are also identical to the system side.
  • the security cycle is introduced on the basis of the above solution.
  • the group root key is updated once in each security cycle, and the group key of the system side and the terminal side are consistent by the key number.
  • Step 401 Before the cluster group call is established, the core network generates and saves a group root key for each group, and the group root key is used as a base key of the group call, and the root key can be derived by KDF based on the group key.
  • the key management center When the key management center generates a new group root key for the group after a security period is exceeded, a new key number is generated synchronously.
  • Step 402 Send a single-call page to the terminal in the group by the system side, and establish a start-to-point single-call call between the system and the terminal in the group, and the single-call call enables the standard security mechanism in the related technology to Establish a secure communication channel between the terminal and the system within the group.
  • Step 403 The system enables the standard single-call encryption key to encrypt the group root key and the key number, and then encrypts the encrypted group root key and the key number through a single-call secure channel established between the system and the terminal. Send to the terminal.
  • Step 404 After receiving the encrypted group root key and the key number message, the terminal enables the standard single-call decryption key to decrypt the packet, thereby obtaining the group root key and the key number, and obtaining the obtained The group root key and key number are stored in the terminal.
  • Step 405 The terminal feeds back the group root key update success information to the system side.
  • Step 406 Release a point-to-point single-call call between the system and the group member terminal.
  • Step 407 Repeat steps 402 to 406 to synchronize and update the group root key and the key number of other group members in the group.
  • Step 408 After all the members in the group successfully complete the synchronization update of the group root key, the process of synchronously updating the root key of the group is ended.
  • the above steps 401 to 408 refer to FIG. 4.
  • the group root key update synchronization is performed on all members in the group according to the steps shown in FIG. 4. .
  • Step 409 When the group call is established, the system side generates a set of call security parameters, such as a random number or a counter, for the group call, and generates the key number together with the group call by the group call page message or the broadcast message.
  • the group call security parameters are broadcast to all members of the group.
  • Step 410 The system side uses the group root key and the group call security parameter generated by the group call as input parameters, and derives multiple encryption keys and integrity protection keys through the KDF function, and derives the encryption key. And the integrity protection key encrypts and protects the signaling or user plane packets of the current group call.
  • Step 411 After receiving the group call paging message or the broadcast message sent by the system side, the member terminal in the group determines whether the received key number is consistent with the key number saved by the terminal, to determine the group root density saved by the terminal. Whether the key is consistent with the group root key used by the system in this group call.
  • Step 412 If the judgment result indicates that the group root key is consistent, the group root security key stored in the terminal and the group call security parameter received from the group call paging message or the broadcast message are used as parameters, and the KDF is derived more.
  • Step 413 If the judgment result indicates that the group root key is inconsistent, the member terminal initiates a root key synchronization request to the system side, and then performs step 402 to step 406 to complete the group root key synchronization update.
  • the LTE cluster system implementation includes the following steps to perform group root key update: Step 601: A key management center of the core network generates a group root key for a group, and simultaneously generates a key number. .
  • Step 602 The core network sends a single call page to the member terminals of the group by using the base station.
  • Step 603 Complete a single call setup between the terminal, the base station, and the core network, and enable a standard security mechanism to establish a secure communication channel.
  • the NAS content is decrypted by using the NAS decryption key generated during the single call, and information such as the group root key, the key number, and the group call encryption algorithm ID is obtained.
  • Step 605 After the decryption succeeds, the member terminal feeds back the success information to the core network through the base station.
  • Step 606 The terminal, the base station, and the core network complete the single call release.
  • the embodiment of the present invention further provides a group key hierarchical management system for a broadband cluster system, including: a system side network element, where the system side network element is set to:
  • the parameter generates a non-access stratum key and an access stratum key, and sends the group call security parameter to the listening user terminal in the group; and, based on the non-access stratum key and the access stratum
  • the key protects the group call shared channel of the group call.
  • system side network element is further configured to: before the group key is sent to the terminal in the group, and the terminal in the group Establishing a secure channel of the non-access stratum and the access stratum; the system-side network element is configured to send the group root key to the terminal in the group by using the secure channel.
  • the non-access stratum key includes: a non-access stratum encryption key and a non-access stratum integrity protection key, where the access stratum key includes: Resource Control Encryption Key, Radio Resource Control Integrity Protection Key, and User Plane Data Encryption Key.
  • system side network element includes: a core network and an evolved base station, where:
  • the core network is configured to generate the non-access stratum key and the evolved base station key using a key derivation function KDF based on the group root key and the group call security parameter; and, the evolved Sending, by the base station key, the evolved base station related to the group call,
  • the evolved base station is configured to generate the access stratum key using a KDF function based on the evolved base station key.
  • system side network element generates different group root keys for different groups.
  • the group call security parameter is a random number or a count value.
  • system side network element is further configured to: when the update trigger condition is met, update the group root key of the group, and send the updated group root key Give the terminal in the group.
  • the update triggering conditions include, but are not limited to: a member change or a security period in the group arrives.
  • system side network element is further configured to: generate a key number when generating a group root key for the group; and send the group root key to the When the terminal in the group is described, the key number is also sent to the terminal in the group; and, when the group call is established, When the group call security parameter is sent to the listening user terminal in the group, the key number is also sent to the listening user terminal in the group.
  • system side network element is further configured to: update the group root key once every security period, update the key number at the same time, and update the updated The group root key and the updated key number are sent to the terminals in the group.
  • the embodiment of the present invention further provides a terminal.
  • the terminal includes:
  • the interaction unit 701 is configured to receive the group root key of the group to which the terminal belongs, which is sent by the system side; and, when the group call is established, receive the group call security parameter sent by the system side;
  • a key generation unit 702 configured to generate a non-access stratum key and an access stratum key based on the group root key and the group call security parameter;
  • the protection unit 703 is configured to protect the group call sharing channel of the group call based on the non-access stratum key and the access stratum key.
  • the interaction unit 701 is further configured to: before receiving the group root key of the group to which the terminal belongs, sent by the system side, establishing a non-access layer with the system side And the security channel of the access layer; the interaction unit 701 is configured to receive, by using the secure channel, a group root key of the group to which the terminal is delivered by the system side.
  • the non-access stratum key includes: a non-access stratum encryption key and a non-access stratum integrity protection key; the access stratum key includes: Resource Control Encryption Key, Radio Resource Control Integrity Protection Key, and User Plane Data Encryption Key.
  • the generating of the non-access stratum key and the access stratum key by the key generating unit 702 based on the group root key and the group call security parameter includes:
  • the key generation unit 702 generates a non-access stratum key and an evolved base station key using a KDF function based on the group root key and the group call security parameter, and generates a KDF function based on the evolved base station key.
  • the access layer key is a KDF function based on the group root key and the group call security parameter.
  • the interaction unit 701 is further configured to: when receiving the group root key of the group to which the terminal belongs, sent by the system side, The key number delivered by the key together, the root key and the key number are saved; and when the group call is established, the key number sent together with the group call security parameter is also received;
  • the key generation unit 702 is further configured to: before the non-access stratum key and the access layer key are generated based on the group root key and the group call security parameter, determine that the group call is received Whether the key number is consistent with the locally saved key number, and if not, the non-access stratum key and the access stratum key are generated based on the group root key and the group call security parameter; Inconsistent, initiating a group root key synchronization request to the system side, acquiring a new group root key and a key number from the system side, and generating a security based on the new group root key and the group call security parameter Non-access stratum key and access stratum key.
  • the embodiment of the invention further provides a system including the system side network element and the terminal.
  • the group key hierarchical management method provided by the embodiments of the present invention is simple to implement, and the key architecture is hierarchically set.
  • the security level is ensured, the LTE security protocol architecture in the related technology is less changed.
  • the side changes do not involve changes to the software interface of the SIM card, making it easy to be backward compatible.

Landscapes

  • Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method, system, and terminal for hierarchical management of group keys of a broadband cluster system. The method comprises: a system side generates a group root key for a group and issues the group root key to terminals in the group; when establishing a group call, the system side generates a group call security parameter, generates a non-access stratum key and an access stratum key on the basis of the group root key and of the group call security parameter, and issues the group call security parameter to a listening user terminal in the group; and, the system side protects a group call shared channel of the group call on the basis of the non-access stratum key and of the access stratum key.

Description

一种宽带集群系统的组密钥分层管理方法、 系统和终端  Group key layer management method, system and terminal for broadband cluster system
技术领域 Technical field
本发明涉及移动通信技术领域,尤其涉及基于 LTE( Long Term Evolution, 长期演进) 实现的宽带集群系统的组密钥分层管理方法、 系统和终端。  The present invention relates to the field of mobile communication technologies, and in particular, to a group key layer management method, system and terminal for a broadband cluster system based on LTE (Long Term Evolution).
背景技术 Background technique
集群系统是为了满足行业用户指挥调度需求而开发的, 面向特定行业应 用的专用无线通信系统。 集群系统是一种高效的无线通信系统, 通过共享无 线信道, 以较少的无线信道数量支持大量的无线用户进行群组通信。 目前, 集群系统以模拟集群系统和窄带数字通信系统为主, 能够提供的基本业务集 中在语音和低速数据业务方面。  The cluster system is developed to meet the needs of industry users for command and dispatch, and is a dedicated wireless communication system for specific industry applications. The cluster system is an efficient wireless communication system that supports a large number of wireless users for group communication by sharing a wireless channel with a small number of wireless channels. At present, the cluster system is mainly composed of an analog cluster system and a narrowband digital communication system, and can provide basic services in the voice and low-speed data services.
随着移动互联网的飞速发展, 以及全球无线城市的大规模建设, 宽带化 成为整个无线通信发展的趋势, 集群系统也向提供更大的信道容量, 更多的 业务类型, 更高的数据带宽等方向发展。 宽带集群系统就是在这种背景下, 基于 LTE技术演进而来的。  With the rapid development of the mobile Internet and the large-scale construction of wireless cities around the world, broadband has become the trend of wireless communication development. The cluster system also provides greater channel capacity, more service types, higher data bandwidth, etc. Direction development. In this context, the broadband cluster system evolved based on LTE technology.
LTE是 3GPP ( 3rd Generation Partnership Project, 第三代合作伙伴计划) 长期演进项目, LTE网络釆取扁平化的架构, eNB ( evolved Node B, 演进的 基站)部署分散化, 运营商无法对其实行安全集中控制。 为了用户能安全地 使用网络, 以及网络向合法的用户提供服务, LTE中制订了安全管理的相关 协议, 以有效保护各网元间信令流和媒体流的数据安全。  LTE is a 3GPP (3rd Generation Partnership Project) long-term evolution project. The LTE network adopts a flat architecture, and the eNB (evolved Node B) is deployed in a decentralized manner. Centralized control. In order to enable users to use the network securely and provide services to legitimate users, LTE has developed protocols for security management to effectively protect data security between signaling streams and media streams between network elements.
宽带集群系统继承了 LTE的基本架构,部署时, 可以不受 LTE核心网的 约束, 根据不同的应用场景, 可以只部署 DSS (Dispatching Subsystem, 调度 子系统), 或者 DSS和 EPC ( Evolved Packed Core, 演进分组核心网 )都部署。 因此, 宽带集群系统需要设计一套单独的组密钥管理方法, 来保证集群系统 中核心网、 eNB以及终端在使用宽带集群网络时的安全性。  The broadband cluster system inherits the basic architecture of LTE. It can be deployed without the constraints of the LTE core network. Depending on the application scenario, only DSS (Dispatching Subsystem) or DSS and EPC (Evolved Packed Core) can be deployed. The evolved packet core network) is deployed. Therefore, the broadband cluster system needs to design a separate group key management method to ensure the security of the core network, eNB and terminal in the cluster system when using the broadband cluster network.
3GPP协议规定的 LTE的安全管理主要集中在: NAS( Non Access Stratum, 非接入层)信令加密保护, NAS 信令完整性保护, RRC ( Radio Resource Control,无线资源控制 M言令加密保护, RRC信令完整性保护, UP( User Plane, 用户面)数据加密保护等几个方面。 LTE的密钥架构为分层设计, 系统使用 在核心网和 UE(User Equipment, 用户设备)上保存的密钥 K来分层派生各级 密钥, 结合所选择的加密算法和完整性保护算法, 来实现 NAS和 AS ( Access Stratum, 接入层) 的安全管理过程。 The security management of LTE as defined by the 3GPP protocol mainly focuses on: NAS (Non Access Stratum) signaling encryption protection, NAS signaling integrity protection, RRC (Radio Resource) Control, radio resource control M command encryption protection, RRC signaling integrity protection, UP (User Plane, user plane) data encryption protection and other aspects. The key architecture of LTE is a layered design. The system uses the key K stored on the core network and the UE (User Equipment) to hierarchically derive the keys of each level, and combines the selected encryption algorithm and integrity protection algorithm. , to achieve the security management process of NAS and AS (Access Stratum, access layer).
宽带集群系统在提供组呼业务时, 由于多个听用户是釆取共享下行信道 的方式, 对下行共享信道进行加密和完整性保护, 要釆取组内所有用户共知 的组密钥。 而同一个组的听用户终端的 K值是保密的且各不相同, 因此如果 直接使用终端上的密钥 K, 无法对宽带集群系统的组呼业务进行安全管理。  When the broadband trunking system provides the group call service, because multiple listening users learn the shared downlink channel, the downlink shared channel is encrypted and integrity protected, and the group key shared by all users in the group is captured. The K values of the user terminals of the same group are confidential and different. Therefore, if the key K on the terminal is directly used, the group call service of the broadband cluster system cannot be managed securely.
在相关集群通信技术中, 也有预先在终端上预置组密钥来实现组呼业务 安全管理, 该方案对组密钥的管理缺少灵活性, 同时由于组密钥已经预置在 终端上, 在某些特定场景下, 例如, 群组成员发生变化时, 存在一定的安全 In the related trunking communication technology, the group key is pre-preset on the terminal to implement the group call service security management. The scheme lacks flexibility in managing the group key, and since the group key is already preset on the terminal, In certain scenarios, for example, when group members change, there is some security.
11^· 。 发明内容 11^·. Summary of the invention
本发明实施例提出一种宽带集群系统的组密钥分层管理方法、 系统和终 端, 实现对组呼业务的组密钥分层管理, 使宽带集群系统更加安全。  The embodiment of the invention provides a method, a system and a terminal for group key management of a broadband cluster system, which implements hierarchical management of group keys for group call services, and makes the broadband cluster system more secure.
本发明实施例提供了一种宽带集群系统的组密钥分层管理方法, 包括: 系统侧为群组生成组根密钥 ,将所述组根密钥下发给所述群组中的终端; 在组呼建立时, 所述系统侧生成组呼安全参数, 基于所述组根密钥和所 述组呼安全参数生成非接入层密钥和接入层密钥, 将所述组呼安全参数下发 给所述群组中的听用户终端; 以及  An embodiment of the present invention provides a group key layer management method for a broadband cluster system, including: the system side generates a group root key for the group, and sends the group root key to the terminal in the group. When the group call is established, the system side generates a group call security parameter, and generates a non-access stratum key and an access stratum key based on the group root key and the group call security parameter, and the group call is The security parameters are sent to the listening user terminals in the group;
所述系统侧基于所述非接入层密钥和接入层密钥对所述组呼的组呼共享 信道进行保护。  The system side protects the group call sharing channel of the group call based on the non-access stratum key and the access stratum key.
上述方法还可具有以下特点, 所述系统侧将所述组根密钥下发给所述群 组中的终端前, 还包括:  The foregoing method may further have the following feature: before the system side sends the group root key to the terminal in the group, the method further includes:
所述系统侧与所述群组中的终端建立非接入层和接入层的安全通道; 以 及 所述系统侧将所述组根密钥下发给所述群组中的终端, 包括: 所述系统 侧通过所述安全通道将所述组根密钥下发给所述群组中的终端。 Establishing, by the system side, a secure channel of the non-access stratum and the access stratum with the terminal in the group; Sending, by the system side, the group root key to the terminal in the group, the system side: sending, by the system side, the group root key to the terminal in the group by using the secure channel .
上述方法还可具有以下特点, 所述非接入层密钥包括: 非接入层加密密 钥和非接入层完整性保护密钥; 以及, 所述接入层密钥包括: 无线资源控制 加密密钥、 无线资源控制完整性保护密钥和用户面数据加密密钥。  The method may further include the following: the non-access stratum key includes: a non-access stratum encryption key and a non-access stratum integrity protection key; and, the access stratum key includes: radio resource control Encryption key, radio resource control integrity protection key, and user plane data encryption key.
上述方法还可具有以下特点, 所述系统侧基于所述组根密钥和所述组呼 安全参数生成非接入层密钥和接入层密钥, 包括:  The method may also have the following feature: the system side generates a non-access stratum key and an access stratum key based on the group root key and the group call security parameter, including:
核心网基于所述组根密钥和所述组呼安全参数使用密钥推导函数 KDF 生成所述非接入层密钥和演进的基站密钥; 以及  Generating, by the core network, the non-access stratum key and the evolved base station key using a key derivation function KDF based on the group root key and the group call security parameter;
所述核心网将所述演进的基站密钥下发给所述组呼相关的演进的基站, 由所述演进的基站基于所述演进的基站密钥使用密钥推导函数 KDF生成所 述接入层密钥。  Transmitting, by the core network, the evolved base station key to the group call related evolved base station, where the evolved base station generates the access by using a key derivation function KDF based on the evolved base station key Layer key.
上述方法还可具有以下特点, 所述系统侧为不同群组生成不同的组根密 钥。  The above method may also have the following features: The system side generates different group root keys for different groups.
上述方法还可具有以下特点, 所述组呼安全参数为一随机数, 或者为一 计数值。  The above method may also have the following feature: the group call security parameter is a random number or a count value.
上述方法还可具有以下特点, 所述方法还包括: 在满足更新触发条件时, 所述系统侧更新所述群组的组根密钥, 将更新后的组根密钥下发给所述群组 中的终端。  The method may further include the following features, the method further includes: when the update trigger condition is met, the system side updates the group root key of the group, and sends the updated group root key to the group The terminal in the group.
上述方法还可具有以下特点, 所述更新触发条件包括:  The above method may also have the following features, and the update triggering conditions include:
所述群组中的成员变动或者安全周期到达。  Member changes or security cycles in the group arrive.
上述方法还可具有以下特点, 所述方法还包括: 所述系统侧为所述群组 生成组根密钥时, 还生成密钥编号; 所述系统侧将所述组根密钥下发给所述 群组中的终端时, 还将所述密钥编号下发给所述群组中的终端; 以及  The method may also have the following features, the method further includes: when the system side generates a group root key for the group, the system further generates a key number; the system side sends the group root key to the When the terminal in the group is, the key number is also sent to the terminal in the group;
在组呼建立时, 所述系统侧将所述组呼安全参数下发给所述群组中的听 用户终端时, 还将所述密钥编号下发给所述群组中的听用户终端。  When the group call is established, the system side sends the group call security parameter to the listening user terminal in the group, and sends the key number to the listening user terminal in the group. .
本发明实施例提供一种宽带集群系统的组密钥分层管理方法, 包括: 终端接收系统侧下发的所述终端所属群组的组根密钥; An embodiment of the present invention provides a group key layer management method for a broadband cluster system, including: Receiving, by the terminal, a group root key of the group to which the terminal belongs, sent by the system side;
组呼建立时, 所述终端接收所述系统侧下发的组呼安全参数; 以及 所述终端基于所述组根密钥和所述组呼安全参数生成非接入层密钥和接 入层密钥, 基于所述非接入层密钥和所述接入层密钥对所述组呼的组呼共享 信道进行保护。  When the group call is established, the terminal receives the group call security parameter sent by the system side; and the terminal generates a non-access stratum key and the access layer based on the group root key and the group call security parameter. The key protects the group call shared channel of the group call based on the non-access stratum key and the access stratum key.
上述方法还可具有以下特点, 所述终端接收系统侧下发的所述终端所属 群组的组根密钥前, 还包括: 所述终端与所述系统侧建立非接入层和接入层 的安全通道; 以及  The foregoing method may further have the following feature: before receiving, by the terminal, the group root key of the group to which the terminal belongs, the terminal further includes: the terminal establishing a non-access layer and an access layer with the system side Safe passage; and
所述终端接收系统侧下发的所述终端所属群组的组根密钥, 包括: 所述 终端通过所述安全通道接收系统侧下发的所述终端所属群组的组根密钥。  Receiving, by the terminal, the group root key of the group to which the terminal belongs, sent by the system, the terminal includes: receiving, by the security channel, the group root key of the group to which the terminal belongs by the system side.
上述方法还可具有以下特点, 所述非接入层密钥包括: 非接入层加密密 钥和非接入层完整性保护密钥; 以及, 所述接入层密钥包括: 无线资源控制 加密密钥、 无线资源控制完整性保护密钥和用户面数据加密密钥。  The method may further include the following: the non-access stratum key includes: a non-access stratum encryption key and a non-access stratum integrity protection key; and, the access stratum key includes: radio resource control Encryption key, radio resource control integrity protection key, and user plane data encryption key.
上述方法还可具有以下特点, 所述终端基于所述组根密钥和所述组呼安 全参数生成非接入层密钥和接入层密钥, 包括:  The foregoing method may further have the following feature: the terminal generates a non-access stratum key and an access stratum key based on the group root key and the group call security parameter, including:
所述终端基于所述组根密钥和所述组呼安全参数使用密钥推导函数 KDF 生成非接入层密钥和演进的基站密钥, 基于所述演进的基站密钥使用密钥推 导函数 KDF生成所述接入层密钥。  Determining, by the terminal, a non-access stratum key and an evolved base station key using a key derivation function KDF based on the group root key and the group call security parameter, and using a key derivation function based on the evolved base station key The KDF generates the access layer key.
上述方法还可具有以下特点, 所述方法还包括:  The above method may also have the following features, the method further comprising:
所述终端接收所述系统侧下发的所述终端所属群组的组根密钥时, 还获 取与所述组根密钥一起下发的密钥编号,保存所述组根密钥和所述密钥编号; 组呼建立时 ,所述终端还接收与所述组呼安全参数一起下发的密钥编号; 以及  When the terminal receives the group root key of the group to which the terminal belongs, the terminal further obtains a key number that is sent together with the group root key, and saves the group root key and the a key number; when the group call is established, the terminal further receives a key number that is sent together with the group call security parameter;
所述终端基于所述组根密钥和所述组呼安全参数生成非接入层密钥和接 入层密钥前, 还包括: 判断所述组呼建立时接收到的密钥编号与本地保存的 密钥编号是否一致, 如果一致, 基于所述组根密钥和所述组呼安全参数生成 所述非接入层密钥和所述接入层密钥; 如果不一致, 所述终端向所述系统侧 发起组根密钥同步请求, 从所述系统侧获取新的组根密钥和密钥编号, 并基 于所述新的组根密钥和所述组呼安全参数生成非接入层密钥和接入层密钥。 本发明实施例还提供一种宽带集群系统的组密钥分层管理系统, 包括: 系统侧网元, 所述系统侧网元设置成: Before the terminal generates the non-access stratum key and the access stratum key based on the group root key and the group call security parameter, the method further includes: determining a key number and a local number received when the group call is established Whether the saved key numbers are consistent. If they are consistent, the non-access stratum key and the access stratum key are generated based on the group root key and the group call security parameter; if not, the terminal is The system side initiates a group root key synchronization request, and obtains a new group root key and a key number from the system side, and is based on Generating a non-access stratum key and an access stratum key for the new group root key and the group call security parameter. The embodiment of the present invention further provides a group key hierarchical management system for a broadband cluster system, including: a system side network element, where the system side network element is set to:
为群组生成组根密钥, 将所述组根密钥下发给所述群组中的终端; 在组呼建立时, 生成组呼安全参数, 基于所述组根密钥和所述组呼安全 参数生成非接入层密钥和接入层密钥, 将所述组呼安全参数下发给所述群组 中的听用户终端; 以及, 基于所述非接入层密钥和接入层密钥对所述组呼的 组呼共享信道进行保护。  Generating a group root key for the group, and sending the group root key to the terminal in the group; when the group call is established, generating a group call security parameter, based on the group root key and the group The security parameter generates a non-access stratum key and an access stratum key, and sends the group call security parameter to the listening user terminal in the group; and, based on the non-access stratum key and the connection The inbound key protects the group call shared channel of the group call.
上述系统还可具有以下特点, 所述系统侧网元还设置成, 将所述组根密 钥下发给所述群组中的终端前, 与所述群组中的终端建立非接入层和接入层 的安全通道; 以及  The system may also have the following features: the system side network element is further configured to: before the group root key is sent to the terminal in the group, establish a non-access layer with the terminal in the group. And a secure channel at the access layer;
所述系统侧网元是设置成通过所述安全通道将所述组根密钥下发给所述 群组中的终端。  The system side network element is configured to send the group root key to the terminal in the group by using the secure channel.
上述系统还可具有以下特点, 所述非接入层密钥包括: 非接入层加密密 钥和非接入层完整性保护密钥; 以及, 所述接入层密钥包括: 无线资源控制 加密密钥、 无线资源控制完整性保护密钥和用户面数据加密密钥。  The system may also have the following features: the non-access stratum key includes: a non-access stratum encryption key and a non-access stratum integrity protection key; and, the access stratum key includes: radio resource control Encryption key, radio resource control integrity protection key, and user plane data encryption key.
上述系统还可具有以下特点, 所述系统侧网元包括: 核心网和演进的基 站, 其中:  The system may also have the following features: The system side network element includes: a core network and an evolved base station, where:
所述核心网设置成, 基于所述组根密钥和所述组呼安全参数使用密钥推 导函数 KDF生成所述非接入层密钥和演进的基站密钥; 以及, 将所述演进的 基站密钥下发给所述组呼相关的所述演进的基站,  The core network is configured to generate the non-access stratum key and the evolved base station key using a key derivation function KDF based on the group root key and the group call security parameter; and, the evolved Sending, by the base station key, the evolved base station related to the group call,
所述演进的基站设置成, 基于所述演进的基站密钥使用密钥推导函数 KDF生成所述接入层密钥。  The evolved base station is configured to generate the access layer key based on the evolved base station key using a key derivation function KDF.
上述系统还可具有以下特点, 所述系统侧网元为不同群组生成不同的组 根密钥。  The above system may also have the following features: The system side network element generates different group root keys for different groups.
上述系统还可具有以下特点, 所述组呼安全参数为一随机数, 或者为一 计数值。  The above system may also have the following characteristics: the group call security parameter is a random number or a count value.
上述系统还可具有以下特点, 所述系统侧网元还设置成: 在满足更新触 发条件时, 更新所述群组的组根密钥, 将更新后的组根密钥下发给所述群组 中的终端。 The above system may also have the following features, the system side network element is further configured to: meet the update touch When the condition is sent, the group root key of the group is updated, and the updated group root key is sent to the terminal in the group.
上述系统还可具有以下特点, 所述更新触发条件包括:  The above system may also have the following features, and the update triggering conditions include:
所述群组中的成员变动或者安全周期到达。  Member changes or security cycles in the group arrive.
上述系统还可具有以下特点, 所述系统侧网元还设置成: 为所述群组生 成组根密钥时, 生成密钥编号; 将所述组根密钥下发给所述群组中的终端时, 还将所述密钥编号下发给所述群组中的终端; 以及, 在组呼建立时, 将所述 组呼安全参数下发给所述群组中的听用户终端时, 还将所述密钥编号下发给 所述群组中的听用户终端。  The system may also have the following features: the system side network element is further configured to: generate a key number when generating a group root key for the group; and send the group root key to the group The terminal number is also sent to the terminal in the group; and, when the group call is established, the group call security parameter is sent to the listening user terminal in the group. And sending the key number to the listening user terminal in the group.
本发明实施例还提供一种终端, 所述终端包括:  The embodiment of the invention further provides a terminal, where the terminal includes:
交互单元, 其设置成接收系统侧下发的所述终端所属群组的组根密钥; 以及, 组呼建立时, 接收所述系统侧下发的组呼安全参数;  An interaction unit, configured to receive a group root key of the group to which the terminal belongs by the system side; and, when the group call is established, receive the group call security parameter sent by the system side;
密钥生成单元, 其设置成基于所述组根密钥和所述组呼安全参数生成非 接入层密钥和接入层密钥; 以及  a key generation unit configured to generate a non-access stratum key and an access stratum key based on the set root key and the group call security parameter;
保护单元, 其设置成基于所述非接入层密钥和所述接入层密钥对所述组 呼的组呼共享信道进行保护。  And a protection unit configured to protect the group call shared channel of the group call based on the non-access stratum key and the access stratum key.
上述终端还可具有以下特点, 所述交互单元还设置成, 接收系统侧下发 的所述终端所属群组的组根密钥前, 与所述系统侧建立非接入层和接入层的 安全通道; 以及  The foregoing terminal may further have the following feature: the interaction unit is further configured to: before receiving the group root key of the group to which the terminal belongs, sent by the system side, establishing a non-access layer and an access layer with the system side Safe passage;
所述交互单元是设置成通过所述安全通道接收所述系统侧下发的所述终 端所属群组的组根密钥。  The interaction unit is configured to receive, by using the secure channel, a group root key of the group to which the terminal is delivered by the system side.
上述终端还可具有以下特点, 所述非接入层密钥包括: 非接入层加密密 钥和非接入层完整性保护密钥; 以及, 所述接入层密钥包括: 无线资源控制 加密密钥、 无线资源控制完整性保护密钥和用户面数据加密密钥。  The terminal may also have the following features: the non-access stratum key includes: a non-access stratum encryption key and a non-access stratum integrity protection key; and the access stratum key includes: radio resource control Encryption key, radio resource control integrity protection key, and user plane data encryption key.
上述终端还可具有以下特点, 所述密钥生成单元通过如下方式基于所述 组根密钥和所述组呼安全参数生成非接入层密钥和接入层密钥:  The foregoing terminal may further have the following feature: the key generation unit generates a non-access stratum key and an access stratum key based on the group root key and the group call security parameter by:
所述密钥生成单元基于所述组根密钥和所述组呼安全参数使用密钥推导 函数 KDF生成非接入层密钥和演进的基站密钥,基于所述演进的基站密钥使 用密钥推导函数 KDF生成所述接入层密钥。 The key generation unit generates a non-access stratum key and an evolved base station key based on the group root key and the group call security parameter using a key derivation function KDF, based on the evolved base station key The access layer key is generated using a key derivation function KDF.
上述终端还可具有以下特点, 所述交互单元还设置成: 接收所述系统侧 下发的所述终端所属群组的组根密钥时, 还获取与所述组根密钥一起下发的 密钥编号, 保存所述组根密钥和所述密钥编号; 以及, 组呼建立时, 还接收 与所述组呼安全参数一起下发的密钥编号; 以及  The foregoing terminal may also have the following features, the interaction unit is further configured to: when receiving the group root key of the group to which the terminal belongs, which is sent by the system side, obtain the same as the group root key a key number, where the group root key and the key number are saved; and, when the group call is established, receiving a key number that is sent together with the group call security parameter;
所述密钥生成单元还设置成, 基于所述组根密钥和所述组呼安全参数生 成非接入层密钥和接入层密钥前, 判断所述组呼建立时接收到的密钥编号与 本地保存的密钥编号是否一致, 如果一致, 基于所述组根密钥和所述组呼安 全参数生成所述非接入层密钥和所述接入层密钥; 如果不一致, 向所述系统 侧发起组根密钥同步请求, 从所述系统侧获取新的组根密钥和密钥编号, 并 基于所述新的组根密钥和所述组呼安全参数生成非接入层密钥和接入层密 钥。  The key generating unit is further configured to: before the generating the non-access stratum key and the access stratum key based on the group root key and the group call security parameter, determining the secret received when the group call is established Whether the key number is consistent with the locally saved key number. If they are consistent, the non-access stratum key and the access stratum key are generated based on the group root key and the group call security parameter; if they are inconsistent, Initiating a group root key synchronization request to the system side, acquiring a new group root key and a key number from the system side, and generating a non-connection based on the new group root key and the group call security parameter Incoming layer key and access layer key.
本发明实施例还提供一种宽带集群系统的组密钥分层管理系统, 包括上 述系统侧网元和终端。  The embodiment of the present invention further provides a group key hierarchical management system for a broadband cluster system, including the system side network element and the terminal.
本发明实施例提供的组密钥分层管理方法, 实现简单, 密钥架构分层设 置,在保证了安全程度的同时,对相关技术中的 LTE安全协议架构改动较小, 在终端侧的改动不涉及 SIM卡的软件接口变化, 容易做到后向兼容。 附图概述  The group key layer management method provided by the embodiment of the invention is simple to implement, and the key structure is hierarchically set. When the security level is ensured, the LTE security protocol architecture in the related technology is changed little, and the terminal side changes. Software interface changes that do not involve the SIM card are easy to be backward compatible. BRIEF abstract
图 1是本发明实施例中所釆用的组密钥架构图;  1 is a block diagram of a group key used in an embodiment of the present invention;
图 2是组呼密钥 KDF派生关系图;  Figure 2 is a KDF derivative relationship diagram of the group call key;
图 3是实现本发明实施例的分层管理方法时, 宽带集群系统和 UE应用 组根密钥 kg和组呼安全参数派生各级密钥的过程示意图; 3 is a schematic diagram of a process of deriving a key of each level in a broadband cluster system and a UE applying a group root key k g and a group call security parameter when implementing the layered management method according to an embodiment of the present invention;
图 4是本发明实施例组根密钥同步更新的示意图;  4 is a schematic diagram of a group root key synchronization update according to an embodiment of the present invention;
图 5是本发明实施例组呼加解密密钥产生的示意图;  FIG. 5 is a schematic diagram of generating a group call encryption/decryption key according to an embodiment of the present invention; FIG.
图 6 是本发明实施例基于 LTE 集群通信系统的组根密钥同步更新流程 图;  6 is a flowchart of a group root key synchronization update process based on an LTE trunking communication system according to an embodiment of the present invention;
图 7是本发明实施例终端框图。 本发明的较佳实施方式 Figure 7 is a block diagram of a terminal in accordance with an embodiment of the present invention. Preferred embodiment of the invention
下文中将结合附图对本发明的实施例进行详细说明。 需要说明的是, 在 不冲突的情况下, 本申请中的实施例及实施例中的特征可以相互任意组合。  Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that, in the case of no conflict, the features in the embodiments and the embodiments in the present application may be arbitrarily combined with each other.
另外, 虽然在流程图中示出了逻辑顺序, 但是在某些情况下, 可以以不 同于此处的顺序执行所示出或描述的步骤。  Additionally, although logical sequences are shown in the flowcharts, in some cases the steps shown or described may be performed in a different order than the ones described herein.
本发明实施例提供一种宽带集群系统的组密钥分层管理方法, 包括: 系统侧为群组生成组根密钥 ,将所述组根密钥下发给所述群组中的终端; 在组呼建立时, 所述系统侧生成组呼安全参数, 基于所述组根密钥和所 述组呼安全参数生成非接入层密钥和接入层密钥, 将所述组呼安全参数下发 给所述群组中的听用户终端;  The embodiment of the present invention provides a group key layer management method for a broadband cluster system, including: the system side generates a group root key for the group, and sends the group root key to the terminal in the group; When the group call is established, the system side generates a group call security parameter, and generates a non-access stratum key and an access stratum key based on the group root key and the group call security parameter, and the group call security is performed. The parameter is sent to the listening user terminal in the group;
所述系统侧基于所述非接入层密钥和接入层密钥对所述组呼的组呼共享 信道进行保护。  The system side protects the group call sharing channel of the group call based on the non-access stratum key and the access stratum key.
在本实施例的一种备选方案中, 所述系统侧将所述组根密钥下发给所述 群组中的终端前, 还包括:  In an alternative of the embodiment, before the system side sends the group root key to the terminal in the group, the method further includes:
所述系统侧与所述群组中的终端建立非接入层和接入层的安全通道; 所述系统侧将所述组根密钥下发给所述群组中的终端包括: 所述系统侧 通过所述安全通道将所述组根密钥下发给所述群组中的终端。  The system side establishes a non-access stratum and a secure channel of the access layer with the terminal in the group; the system side sends the group root key to the terminal in the group, where: The system side sends the group root key to the terminal in the group through the secure channel.
在本实施例的一种备选方案中, 所述非接入层密钥包括: 非接入层加密 密钥和非接入层完整性保护密钥, 所述接入层密钥包括: 无线资源控制加密 密钥、 无线资源控制完整性保护密钥和用户面数据加密密钥。 当然, 非接入 层密钥和接入层密钥也可根据需要包括其他类型的密钥。  In an alternative of the embodiment, the non-access stratum key includes: a non-access stratum encryption key and a non-access stratum integrity protection key, where the access stratum key includes: Resource Control Encryption Key, Radio Resource Control Integrity Protection Key, and User Plane Data Encryption Key. Of course, the non-access stratum key and the access stratum key can also include other types of keys as needed.
在本实施例的一种备选方案中, 所述系统侧基于所述组根密钥和所述组 呼安全参数生成非接入层密钥和接入层密钥包括:  In an alternative of the embodiment, the system side generates the non-access stratum key and the access stratum key based on the group root key and the group call security parameter, including:
核心网基于所述组根密钥和所述组呼安全参数使用密钥推导函数 KDF 生成所述非接入层密钥和演进的基站密钥;  The core network generates the non-access stratum key and the evolved base station key by using a key derivation function KDF based on the group root key and the group call security parameter;
所述核心网将所述演进的基站密钥下发给所述组呼相关的演进的基站, 由所述演进的基站基于所述演进的基站密钥使用密钥推导函数 KDF生成所 述接入层密钥。 Sending, by the core network, the evolved base station key to the evolved base station related to the group call, The access layer key is generated by the evolved base station based on the evolved base station key using a key derivation function KDF.
在本实施例的一种备选方案中, 所述系统侧为不同群组生成不同的组根 密钥。  In an alternative of this embodiment, the system side generates different group root keys for different groups.
在本实施例的一种备选方案中, 所述组呼安全参数为一随机数, 或者为 一计数值。  In an alternative of this embodiment, the group call security parameter is a random number or a count value.
在本实施例的一种备选方案中, 还包括: 在满足更新触发条件时, 所述 系统侧更新所述群组的组根密钥, 将更新后的组根密钥下发给所述群组中的 终端。 所述更新触发条件包括但不限于: 所述群组中的成员变动或者安全周 期到达。  In an alternative of the embodiment, the method further includes: when the update trigger condition is met, the system side updates the group root key of the group, and sends the updated group root key to the The terminal in the group. The update triggering conditions include, but are not limited to, a member change or a security period in the group.
在本实施例的一种备选方案中, 还包括: 所述系统侧为所述群组生成组 根密钥时, 还生成密钥编号; 所述系统侧将所述组根密钥下发给所述群组中 的终端时, 还将所述密钥编号下发给所述群组中的终端;  In an alternative of the embodiment, the method further includes: when the system side generates a group root key for the group, and further generates a key number; the system side sends the group root key When the terminal in the group is sent, the key number is also sent to the terminal in the group;
在组呼建立时, 所述系统侧将所述组呼安全参数下发给所述群组中的听 用户终端时, 还将所述密钥编号下发给所述群组中的听用户终端。  When the group call is established, the system side sends the group call security parameter to the listening user terminal in the group, and sends the key number to the listening user terminal in the group. .
在本实施例的一种备选方案中, 还包括: 所述系统侧每个安全周期更新 一次所述组根密钥, 同时更新所述密钥编号, 并将所述更新后的组根密钥和 更新后的密钥编号下发给所述群组中的终端。  In an alternative of the embodiment, the method further includes: updating, by the system side, the group root key once every security period, simultaneously updating the key number, and adding the updated group root key The key and the updated key number are sent to the terminals in the group.
本发明实施例还提供一种宽带集群系统的组密钥分层管理方法, 包括: 终端接收系统侧下发的所述终端所属群组的组根密钥;  The embodiment of the present invention further provides a group key layer management method for a broadband cluster system, including: receiving, by a terminal, a group root key of a group to which the terminal belongs by the system side;
组呼建立时, 所述终端接收所述系统侧下发的组呼安全参数;  When the group call is established, the terminal receives the group call security parameter sent by the system side;
所述终端基于所述组根密钥和所述组呼安全参数生成非接入层密钥和接 入层密钥, 基于所述非接入层密钥和所述接入层密钥对所述组呼的组呼共享 信道进行保护。  The terminal generates a non-access stratum key and an access stratum key based on the group root key and the group call security parameter, based on the non-access stratum key and the access stratum key pair The group call sharing channel of the group call is protected.
在本实施例的一种备选方案中, 所述终端接收系统侧下发的所述终端所 属群组的组根密钥前还包括: 所述终端与所述系统侧建立非接入层和接入层 的安全通道; 所述终端是通过所述安全通道接收系统侧下发的所述终端所属 群组的组根密钥。 在本实施例的一种备选方案中, 所述终端基于所述组根密钥和所述组呼 安全参数生成非接入层密钥和接入层密钥包括: In an alternative of the embodiment, the receiving, by the terminal, the group root key of the group to which the terminal belongs, further includes: establishing, by the terminal, the non-access layer and the system side a secure channel of the access layer; the terminal receives the group root key of the group to which the terminal belongs by the system side through the secure channel. In an alternative of the embodiment, the generating, by the terminal, the non-access stratum key and the access stratum key based on the group root key and the group call security parameter includes:
所述终端基于所述组根密钥和所述组呼安全参数使用 KDF 函数生成非 接入层密钥和演进的基站密钥,基于所述演进的基站密钥使用 KDF函数生成 所述接入层密钥。  Determining, by the terminal, a non-access stratum key and an evolved base station key using a KDF function based on the group root key and the group call security parameter, and generating the access by using a KDF function based on the evolved base station key Layer key.
在本实施例的一种备选方案中, 还包括:  In an alternative of this embodiment, the method further includes:
所述终端接收所述系统侧下发的所述终端所属群组的组根密钥时, 还获 取与所述组根密钥一起下发的密钥编号,保存所述组根密钥和所述密钥编号; 组呼建立时 ,所述终端还接收与所述组呼安全参数一起下发的密钥编号; 所述终端基于所述组根密钥和所述组呼安全参数生成非接入层密钥和接 入层密钥前还包括: 判断所述组呼建立时接收到的密钥编号与本地保存的密 钥编号是否一致, 如果一致, 才基于所述组根密钥和所述组呼安全参数生成 所述非接入层密钥和所述接入层密钥; 如果不一致, 所述终端向所述系统侧 发起组根密钥同步请求, 从所述系统侧获取新的组根密钥和密钥编号, 并基 于所述新的组根密钥和所述组呼安全参数生成非接入层密钥和接入层密钥。  When the terminal receives the group root key of the group to which the terminal belongs, the terminal further obtains a key number that is sent together with the group root key, and saves the group root key and the The key number is set; when the group call is established, the terminal further receives a key number that is sent together with the group call security parameter; the terminal generates a non-connection based on the group root key and the group call security parameter. Before the layer key and the access layer key, the method further includes: determining whether the key number received by the group call is consistent with the locally saved key number, and if they are consistent, based on the group root key and the The group call security parameter generates the non-access stratum key and the access stratum key; if not, the terminal initiates a group root key synchronization request to the system side, and acquires a new one from the system side Generating a root key and a key number, and generating a non-access stratum key and an access stratum key based on the new group root key and the group call security parameter.
本发明实施例提供一种宽带集群系统的组密钥分层管理方法, 包括: 步骤 101 , 在群组建立时, 由宽带集群核心网生成组根密钥 Kg; Broadband trunking system provides a hierarchical group key management method according to the present invention includes: a step 101, during establishment of the group by generating a group of broadband core network cluster root key K g;
其中,每个群组的 Kg可以互不重复,以保证群组通信的私密性和安全性; 步骤 102, 集群终端与宽带集群系统建立点到点的安全连接, 终端使用 保存在终端上的密钥 K, 与系统建立 NAS和 AS的安全通道; The K g of each group may not be mutually exclusive, so as to ensure the privacy and security of the group communication; Step 102, the cluster terminal establishes a point-to-point secure connection with the broadband cluster system, and the terminal uses the terminal to be stored on the terminal. Key K, establish a secure channel for the NAS and AS with the system;
步骤 103 , 集群系统通过安全通道将终端所属群组的根密钥 Kg下发给集 群终端。 当一个集群终端属于多个群组时, 该下发过程可能要进行多次。 Step 103: The cluster system sends the root key K g of the group to which the terminal belongs to the cluster terminal through a secure channel. When a cluster terminal belongs to multiple groups, the delivery process may be performed multiple times.
步骤 104, 组呼建立过程中, 组呼主叫用户与宽带集群系统之间建立点 到点的连接, 组呼主叫用户的安全管理过程, 仍使用存储在核心网和终端上 的密钥 K派生的各级密钥;  Step 104: During the group call establishment process, the group call calling party establishes a point-to-point connection with the broadband cluster system, and the group calls the security management process of the calling user, and still uses the key K stored on the core network and the terminal. Derived key of each level;
步骤 105 , 组呼建立时, 系统中存在多个听用户, 系统与听用户之间是 一点到多点的连接, 系统应用组呼的密钥架构进行共享信道的安全管理, 此 时先由宽带集群核心网生成一个组呼安全参数, 如随机变量, 计数器等; 步骤 106 , 宽带集群核心网使用 KDF(Key Derivation Function, 密钥推导 函数), 由 Kg和组呼安全参数派生组呼共享信道使用的 NAS加密密钥, NAS 完整性保护密钥以及 eNB密钥 KgeNB; Step 105: When the group call is established, there are multiple listening users in the system, and the system is between the listening user and the listening user. The point-to-multipoint connection, the system applies the key structure of the group call for the security management of the shared channel. At this time, a group call security parameter, such as a random variable, a counter, etc., is first generated by the broadband cluster core network; Step 106, the broadband cluster core The network uses KDF (Key Derivation Function), the NAS encryption key used by the group call sharing channel by the K g and the group call security parameter, the NAS integrity protection key and the eNB key K geNB ;
步骤 107 , 在组呼建立过程中, 宽带集群核心网将 KgeNB通知到相关的 eNB , eNB使用 KgeNB派生出组呼共享信道使用的 RRC信令加密密钥, RRC 信令完整性保护密钥以及 UP数据加密密钥; Step 107: In the group call establishment process, the broadband cluster core network notifies the K geNB to the relevant eNB, and the eNB uses the K geNB to derive the RRC signaling encryption key used by the group call sharing channel, and the RRC signaling integrity protection key. And a UP data encryption key;
步骤 108 , 在组呼建立过程中, 系统侧将组呼安全参数通知到组内的各 听用户终端。 听用户终端收到组呼安全参数后, 结合之前保存的 Kg, 使用 KDF函数可以分层派生出本次组呼的各级密钥。 对于该次组呼, 由于终端侧 与系统保存的 Kg和组呼安全参数完全相同, 因此在终端上派生得到的各级密 钥, 与系统侧也完全相同; Step 108: In the group call establishment process, the system side notifies the group call security parameters to each listening user terminal in the group. Listen to the user terminal after receiving the call set security parameters, combined with the previously saved K g, using a KDF function can be layered to derive levels of this key group call. For the group call, since the terminal side and the system save the K g and the group call security parameters are exactly the same, the keys of the levels obtained on the terminal are exactly the same as the system side;
步骤 109 ,核心网在派生出 NAS层的密钥,将组呼安全参数发送给终端, 并将 KgeNB成功发送给 eNB之后,启动组呼共享信道的 NAS加密保护和 NAS 完整性保护; eNB在成功收到 KgeNB并派生出 AS层的密钥后, 启动组呼共享 信道的 RRC加密保护, RRC完整性保护以及 UP数据加密保护; 组听用户终 端在收到组呼安全参数后, 派生出 NAS层和 AS层的各级密钥, 启动组呼共 享信道的 NAS加密保护, NAS完整性保护, RRC加密保护, RRC完整性保 护和 UP数据加密保护。  Step 109: After the core network derives the key of the NAS layer, sends the group call security parameter to the terminal, and successfully sends the KgeNB to the eNB, and starts NAS encryption protection and NAS integrity protection of the group call shared channel; the eNB succeeds. After receiving the KGeNB and deriving the key of the AS layer, the RRC encryption protection, the RRC integrity protection, and the UP data encryption protection of the group call shared channel are started. After receiving the group call security parameter, the group listening user terminal derives the NAS layer. And the keys of the AS layer, the NAS encryption protection of the group call shared channel, the NAS integrity protection, the RRC encryption protection, the RRC integrity protection and the UP data encryption protection.
该方法还包括:  The method also includes:
在群组建立之后, 通常情况下, 组根密钥 Kg—直保持不变, 在涉及到组 根密钥可能会泄漏导致安全隐患时, 例如, 当群组成员发生变化时, 可由系 统侧重新生成新的 Kg, 并由集群宽带系统核心网加密发送给终端, 此过程重 复步骤 101至步骤 103 ; 每次在新的组呼建立时, 重复步骤 104至步骤 108。 After the group is established, the group root key K g is usually kept unchanged. When the group root key may be leaked to cause a security risk, for example, when the group member changes, the system may focus on A new Kg is newly generated and sent to the terminal by the cluster broadband system core network encryption, and the process repeats steps 101 to 103; each time the new group call is established, steps 104 to 108 are repeated.
使用上述方法, 不需要在终端上预置组根密钥, 而是将组根密钥 Kg通过 加密通道下发给终端, 因此组根密钥的灵活性和安全性可以得到保证; 同时 在每次新的组呼建立时, 系统侧和终端使用组根密钥 Kg结合新的组呼安全参 数, 来重新生成该次组呼使用的加密密钥和完整性保护密钥, 使系统的安全 程度得到提高。 The above method does not need to preset the group root key on the terminal, but sends the group root key K g to the terminal through the encrypted channel, so the flexibility and security of the group root key can be guaranteed; Each time a new group call is established, the system side and the terminal use the group root key K g to combine the new group call security parameters. The number is used to regenerate the encryption key and integrity protection key used by the group call to improve the security of the system.
本发明实施例提供了一种在 LTE系统上实现的宽带集群业务的安全管理 方法: 当组用户与宽带集群系统建立点到点的连接时, 例如, 组呼主叫用户 发起连接建立请求, 或者, 当 UE初始附着到宽带集群系统时, UE与宽带集 群系统建立点对点的单呼连接, 此种场景下, UE与宽带集群系统使用单呼的 密钥架构进行安全管理, 基于保存在核心网和 UE上的密钥 K值来派生各级 密钥, 该架构在 LTE安全管理协议中有专门规定, 本发明实施例对于该密钥 派生过程不做重点描述。  An embodiment of the present invention provides a security management method for a broadband trunking service implemented on an LTE system: When a group user establishes a point-to-point connection with a broadband cluster system, for example, the group calling party initiates a connection establishment request, or When the UE initially attaches to the broadband cluster system, the UE establishes a point-to-point single-call connection with the broadband cluster system. In this scenario, the UE and the broadband cluster system use the single-call key architecture for security management, based on the core network and The key K value on the UE is used to derive the key of the level. The architecture is specifically defined in the LTE security management protocol. The embodiment of the present invention does not describe the key derivation process.
组呼业务中可能存在多个被叫用户, 此种场景下, 系统与多个听用户建 立一点到多点的连接, 釆取的密钥架构是组密钥架构, 如图 1所示, 图中各 级密钥的功能如下:  There may be multiple called users in the group call service. In this scenario, the system establishes a point-to-multipoint connection with multiple listening users. The key structure is a group key structure, as shown in Figure 1. The functions of the keys in the middle level are as follows:
Kg: 宽带集群系统的组根密钥, 用于组安全管理, 是一点对多点连接中 各级密钥产生的基础; K g : The group root key of the broadband cluster system, used for group security management, is the basis for the generation of keys at all levels in a point-to-multipoint connection;
GroupCallRand: 组呼安全参数。 为了加强安全, 每次新的组呼建立时, 群组使用的加密密钥和完整性保护密钥要进行变化, 引入 GroupCallRand作 为密钥的派生函数输入变量。  GroupCallRand: Group call security parameters. In order to enhance security, each time a new group call is established, the encryption key and integrity protection key used by the group are changed, and GroupCallRand is introduced as a derivative function input variable of the key.
KgNAsEnc: 组呼 NAS信令加密密钥; K gNA sEnc: group call NAS signaling encryption key;
KgNAsmt : 组呼 NAS信令完整性保护密钥;  KgNAsmt: group call NAS signaling integrity protection key;
KgeNB : eNB密钥, 需要说明的是, 一个群组对应的所有 eNB都具有相 同的 KgeNB; K g eNB : eNB key, it should be noted that all eNBs corresponding to one group have the same KgeNB;
KgUPEnc: 是组呼用户面数据的加密密钥, 即 UP数据加密密钥; K gUPEnc : is the encryption key of the group call user plane data, that is, the UP data encryption key;
KgRRCEnC: 是组呼 RRC信令的加密密钥; K gR RCEn C : is the encryption key of the group call RRC signaling;
KgRRcint: 是组呼 RC信令的完整性保护密钥。  KgRRcint: is the integrity protection key of the group call RC signaling.
图 1 中系统侧的 PHR(Push to Talk Home Register, 简称 PTT Home PHR (Push to Talk Home Register, PTT Home for short) on the system side in Figure 1.
Register, 一按即说归属寄存器 )/PDS(PTT Dispatch Server, PTT调度服务器) 使用 KDF函数,由 Kg和组呼安全参数 GroupCallRand派生组呼共享信道使用 的 NAS加密密钥 KgNASEne,NAS完整性保护密钥 KgNASint以及 eNB密钥 KgeNB。 的限定。 Register, click-to-talk home register) / PDS (PTT Dispatch Server, PTT scheduling server) Use KDF function, Kg and group call security parameter GroupCallRand Derived group call shared channel NAS encryption key K gNASEne , NAS integrity protection Key K gNAS in t and eNB key K geNB . Limited.
如图 2所示, 为本发明实施例中各密钥的 KDF派生关系示意图, 本示意 图仅是一个示例,本发明实施例的 KDF派生函数的各输入参数并不局限于图 中的示例: 图中 KgNASEnc, KgNASInt' KgeNB均使用 Kg作为输入密钥, 由组呼安 全参数 GroupCallRand参与构造 KDF函数的输入字节串;由 KgeNB派生 KgUPEnc , KgRRCEnc , KgRRCMo图 2中, SN id为 Serving Network identity (服务网络标识), Enc-Alg-ID为 Encryption Algorithm Identity (力口密算法标 i只) , NAS-enc-alg 为 NAS Encryption Algorithm( NAS力口密算法), Int-Alg-ID为 ( Integrity Algorithm Identity(完整性保护算法标识), NAS-int-alg为 NAS Integrity Algorithm ( NAS 完整性保护算法) , RRC-enc-alg为 RRC Encryption Algorithm ( RRC加密算 法), RRC-int-alg为 RRC Integrity Algorithm( RRC完整性保护算法), UP-enc-alg 为 UP Encryption Algorithm ( UP力口密算法) 。 As shown in FIG. 2, which is a schematic diagram of a KDF derivation relationship of each key in the embodiment of the present invention, the present schematic diagram is only an example, and the input parameters of the KDF derivative function in the embodiment of the present invention are not limited to the examples in the figure: in K gNASEnc, KgNASInt 'Kg eN B K g are used as the input key, the security parameter by the group call participation GroupCallRand input byte string constructor function KDF; K geNB derived from the K gUP E nc, the KgRR CEnc, KgRRCMo 2 SN id is Serving Network identity, Enc-Alg-ID is Encryption Algorithm Identity, NAS-enc-alg is NAS Encryption Algorithm, Int -Alg-ID is (Integrity Algorithm Identity), NAS-int-alg is NAS Integrity Algorithm (NAS Integrity Algorithm), RRC-enc-alg is RRC Encryption Algorithm (RRC Encryption Algorithm), RRC -int-alg is the RRC Integrity Algorithm, and UP-enc-alg is the UP Encryption Algorithm.
由图 2可以看出, 当组呼安全参数 GroupCallRand发生变化时, 派生密 钥都将发生变化, 这种实现方式使得每次组呼建立时, 只要使用新的组呼安 全参数 GroupCallRand, 就可以得到一组新的密钥进行组呼安全管理。  As shown in Figure 2, when the group call security parameter GroupCallRand changes, the derived key will change. This implementation enables each group call to be established by using the new group call security parameter GroupCallRand. A new set of keys for group call security management.
如图 3所示,本发明实施例中宽带集群系统进行组密钥管理的过程如下: 该实施例中 PHR  As shown in FIG. 3, the process of group key management in the broadband cluster system in the embodiment of the present invention is as follows: In this embodiment, PHR
步骤 301 , PHR为每个群组都生成一个组根密钥 Kg, Kg的构造方法可以 直接使用随机数发生器生成, 也可以使用组标识 GID与随机数使用 KDF函 数产生, 也可以通过人工设置的方式生成, 但不限于这些具体的方法;  Step 301: The PHR generates a group root key Kg for each group. The Kg construction method may be directly generated by using a random number generator, or may be generated by using a group identifier GID and a random number using a KDF function, or may be manually set. Ways to generate, but not limited to, these specific methods;
步骤 302, 集群终端初始附着到宽带集群系统, 集群终端与宽带集群系 统建立点到点的连接, 应用单呼密钥架构, 在 UE通过宽带集群系统的认证 鉴权, 并成功激活安全模式之后, UE与宽带集群系统之间成功建立了点到点 的 NAS和 AS安全通道, 之后在宽带集群和 UE之间传输的数据可以得到加 密和完整性保护。 宽带集群系统将该 UE所属的组的根密钥 Kg以及加密算法 ID和完整新保护算法 ID在组信息更新消息中加密发送给 UE, 当 UE属于多 个群组时, 此过程根据信令的长度不同, 可能要重复多次。 UE保存收到的 Kg, 加密算法 ID和完整性保护算法 ID, 用于后续组呼建立时的具体安全管 理过程。 Step 302: The cluster terminal is initially attached to the broadband cluster system, and the cluster terminal establishes a point-to-point connection with the broadband cluster system, and applies a single-call key structure. After the UE authenticates through the broadband cluster system and successfully activates the security mode, The point-to-point NAS and AS secure channels are successfully established between the UE and the broadband cluster system, and then the data transmitted between the broadband cluster and the UE can be encrypted and integrity protected. The broadband cluster system encrypts and sends the root key K g and the encryption algorithm ID and the complete new protection algorithm ID of the group to which the UE belongs to the UE in the group information update message. When the UE belongs to multiple groups, the process is based on signaling. The length is different and may have to be repeated multiple times. UE saves received K g , the encryption algorithm ID and the integrity protection algorithm ID, are used for the specific security management process when the subsequent group call is established.
步骤 303 , 当一次新的组呼建立时, 宽带集群核心网生成一个组呼安全 参数 GroupCallRand,并使用 KDF函数由 Kg和 GroupCallRand派生出 KgNASEnc ,Step 303: When a new group call is established, the broadband cluster core network generates a group call security parameter GroupCallRand, and uses the KDF function to derive K gNASEnc from K g and GroupCallRand .
KgNASInt和 Kge B。 KgNASInt and Kge B.
步骤 304, PDS将 KgeNB通知到该次组呼相关的所有 eNB, 各 eNB应用Step 304: The PDS notifies the K geNB to all eNBs related to the sub-group call, and each eNB applies
KDF函数由 KgeNB派生出 KgRRCEn(; , Kg Rcint和 Kg j Enco The KDF function is derived from KgeNB by K gRRCEn(; , Kg Rcint and Kg j Enco
步骤 305,宽带集群核心网将 GroupCallRand通过控制信道发送给所有的 听用户 UE, UE使用 KDF函数由 Kg和 GroupCallRand派生出安全管理所需 要用到的各级密钥: KgNASEnc, KgNASInt, Kge B ' Kg RCEnc , Kg Rcint和 Kgu Enc。 Step 305: The broadband cluster core network sends the GroupCallRand to all listening user UEs through the control channel, and the UE uses the KDF function to derive the key keys required for security management by Kg and GroupCallRand: KgNASEnc, KgNASInt, K ge B ' Kg RCEnc, Kg Rcint and K g u Enc.
UE上生成各密钥的 KDF算法的参数, 与宽带集群系统侧完全一致, 因此 UE 上派生出的各级密钥与系统侧也完全相同。  The parameters of the KDF algorithm for generating each key on the UE are completely consistent with the broadband cluster system side, so the keys of the levels derived from the UE are also identical to the system side.
为提高组根密钥的安全性, 在上述方案基础上, 引入安全周期, 每个安 全周期更新一次组根密钥, 并通过密钥编号保证系统侧和终端侧的组根密钥 的一致, 包括: To improve the security of the group root key, the security cycle is introduced on the basis of the above solution. The group root key is updated once in each security cycle, and the group key of the system side and the terminal side are consistent by the key number. Includes:
步骤 401 , 在集群组呼建立之前, 核心网为每个群组产生并保存一个组 根密钥, 此组根密钥作为组呼的基础密钥, 基于该组根密钥可以通过 KDF派 生出多个对信令或用户面报文进行加解密的密钥和完整性保护密钥; 同时还 为组根密钥产生一个密钥编号, 在一个安全周期内组根密钥不发生变化, 密 钥编号也不发生变化, 在超出一个安全周期之后密钥管理中心为群组产生一 个新的组根密钥时, 同步产生一个新的密钥编号。  Step 401: Before the cluster group call is established, the core network generates and saves a group root key for each group, and the group root key is used as a base key of the group call, and the root key can be derived by KDF based on the group key. A plurality of keys and integrity protection keys for encrypting and decrypting signaling or user plane messages; and generating a key number for the group root key, the group root key does not change during a security period, The key number does not change. When the key management center generates a new group root key for the group after a security period is exceeded, a new key number is generated synchronously.
步骤 402, 由系统侧向群组内的终端发送单呼寻呼, 并在系统与群组内 的终端间建立起点对点的单呼呼叫, 单呼呼叫启用相关技术中的标准的安全 机制, 以在群组内的终端与系统间建立起安全的通信通道。  Step 402: Send a single-call page to the terminal in the group by the system side, and establish a start-to-point single-call call between the system and the terminal in the group, and the single-call call enables the standard security mechanism in the related technology to Establish a secure communication channel between the terminal and the system within the group.
步骤 403 , 系统启用标准的单呼加密密钥对组根密钥和密钥编号进行加 密, 然后通过系统与终端间已建立起的单呼安全通道把加密后的组根密钥和 密钥编号发送给终端。 步骤 404 , 终端接收到已加密的组根密钥和密钥编号报文后, 启用标准 的单呼解密密钥对报文进行解密, 从而得到组根密钥和密钥编号, 并把得到 的组根密钥和密钥编号存储于终端中。 Step 403: The system enables the standard single-call encryption key to encrypt the group root key and the key number, and then encrypts the encrypted group root key and the key number through a single-call secure channel established between the system and the terminal. Send to the terminal. Step 404: After receiving the encrypted group root key and the key number message, the terminal enables the standard single-call decryption key to decrypt the packet, thereby obtaining the group root key and the key number, and obtaining the obtained The group root key and key number are stored in the terminal.
步骤 405 , 终端向系统侧反馈组根密钥更新成功信息。  Step 405: The terminal feeds back the group root key update success information to the system side.
步骤 406, 释放系统与组成员终端间点对点的单呼呼叫。  Step 406: Release a point-to-point single-call call between the system and the group member terminal.
步骤 407 , 重复步骤 402〜步骤 406, 以对群组中其他组成员进行组根密 钥和密钥编号的同步和更新。  Step 407: Repeat steps 402 to 406 to synchronize and update the group root key and the key number of other group members in the group.
步骤 408 , 当群组中所有成员都成功完成了组根密钥的同步更新后, 则 结束本次组根密钥的同步更新流程。  Step 408: After all the members in the group successfully complete the synchronization update of the group root key, the process of synchronously updating the root key of the group is ended.
上述步骤 401~408参见图 4, 当系统侧的密钥管理中心为一个群组产生 一个新的组根密钥时, 按图 4所示步骤对群组内所有成员进行组根密钥更新 同步。  The above steps 401 to 408 refer to FIG. 4. When the key management center on the system side generates a new group root key for a group, the group root key update synchronization is performed on all members in the group according to the steps shown in FIG. 4. .
步骤 409 , 组呼建立时, 由系统侧为本次组呼产生一组呼安全参数, 如 随机数或计数器等, 并通过组呼寻呼消息或广播消息把密钥编号连同本次组 呼产生的组呼安全参数广播给群组内的所有成员。  Step 409: When the group call is established, the system side generates a set of call security parameters, such as a random number or a counter, for the group call, and generates the key number together with the group call by the group call page message or the broadcast message. The group call security parameters are broadcast to all members of the group.
步骤 410 , 系统侧利用组根密钥以及本次组呼产生的组呼安全参数作入 参, 通过 KDF函数派生出多个加密密钥和完整性保护密钥, 并以派生出的加 密密钥和完整性保护密钥对本次组呼的信令或用户面报文进行加密和完整性 保护。  Step 410: The system side uses the group root key and the group call security parameter generated by the group call as input parameters, and derives multiple encryption keys and integrity protection keys through the KDF function, and derives the encryption key. And the integrity protection key encrypts and protects the signaling or user plane packets of the current group call.
该步骤中, 如何根据组根密钥和组呼安全参数进行派生可参考前述实施 例, 此处不再赘述。  For the derivation of the group root key and the group call security parameter, refer to the foregoing embodiment, and no further details are provided here.
步骤 411 , 群组内的成员终端接收到系统侧发送的组呼寻呼消息或广播 消息后, 判断接收到的密钥编号与终端保存的密钥编号是否一致, 以确定终 端保存的组根密钥与系统在本次组呼时使用的组根密钥是否一致。  Step 411: After receiving the group call paging message or the broadcast message sent by the system side, the member terminal in the group determines whether the received key number is consistent with the key number saved by the terminal, to determine the group root density saved by the terminal. Whether the key is consistent with the group root key used by the system in this group call.
步骤 412 , 若判断结果表明组根密钥一致, 则利用保存在终端中的组根 密钥以及从组呼寻呼消息或广播消息接收到的组呼安全参数作入参, 通过 KDF派生出多个本次组呼的解密密钥和完整性保护密钥, 并以派生出的解密 密钥和完整性保护密钥对本次组呼的信令或用户面报文进行完整性判断和解 密。 Step 412: If the judgment result indicates that the group root key is consistent, the group root security key stored in the terminal and the group call security parameter received from the group call paging message or the broadcast message are used as parameters, and the KDF is derived more. The decryption key and integrity protection key of the current group call, and the integrity judgment and solution of the signaling or user plane message of the group call by using the derived decryption key and integrity protection key Secret.
步骤 413 , 若判断结果表明组根密钥不一致, 成员终端则向系统侧发起 根密钥同步请求, 之后通过执行步骤 402 ~步骤 406 以完成组根密钥同步更 新。  Step 413: If the judgment result indicates that the group root key is inconsistent, the member terminal initiates a root key synchronization request to the system side, and then performs step 402 to step 406 to complete the group root key synchronization update.
上述步骤 409 ~ 413参见图 5, 组呼建立时, 按图 5所示步骤完成加解密 密钥生成, 对组成员终端与系统组根密钥不一致情况时, 也按图 5所示步骤 完成组根密钥的同步。  The above steps 409 ~ 413 are shown in Figure 5. When the group call is established, the encryption and decryption key generation is completed according to the steps shown in Figure 5. When the group member terminal and the system group root key are inconsistent, the group is also completed according to the steps shown in Figure 5. Synchronization of the root key.
下面结合附图对本发明实施例在 LTE 集群系统中的具体实施作详细说 明。 The specific implementation of the embodiment of the present invention in the LTE cluster system will be described in detail below with reference to the accompanying drawings.
如图 6所示, 在 LTE集群系统实施中包括以下步骤进行组根密钥更新: 步骤 601 , 核心网的密钥管理中心为一个群组产生一个组根密钥, 并同 时产生一个密钥编号。  As shown in FIG. 6, the LTE cluster system implementation includes the following steps to perform group root key update: Step 601: A key management center of the core network generates a group root key for a group, and simultaneously generates a key number. .
步骤 602 , 核心网通过基站向群组的成员终端发送单呼寻呼。  Step 602: The core network sends a single call page to the member terminals of the group by using the base station.
步骤 603 , 在终端、 基站、 核心网间完成单呼呼叫建立, 并启用标准的 安全机制建立起安全的通信通道。  Step 603: Complete a single call setup between the terminal, the base station, and the core network, and enable a standard security mechanism to establish a secure communication channel.
步骤 604 , 核心网利用单呼时产生的 NAS加密密钥对组^ =艮密钥、 密钥编 号、 组呼加密算法 ID等信息进行加密, 并使用 NAS直传消息通过基站发送 给终端, 终端利用单呼时产生的 NAS解密密钥对 NAS内容进行解密, 获取 到组根密钥、 密钥编号、 组呼加密算法 ID等信息。  Step 604: The core network encrypts information such as the group ^=艮 key, the key number, the group call encryption algorithm ID, and the like by using the NAS encryption key generated by the single call, and sends the information to the terminal through the base station by using the NAS direct transmission message. The NAS content is decrypted by using the NAS decryption key generated during the single call, and information such as the group root key, the key number, and the group call encryption algorithm ID is obtained.
步骤 605, 成员终端在解密成功后, 通过基站向核心网反馈成功信息。 步骤 606, 终端、 基站、 核心网完成单呼呼叫释放。  Step 605: After the decryption succeeds, the member terminal feeds back the success information to the core network through the base station. Step 606: The terminal, the base station, and the core network complete the single call release.
本发明实施例还提供一种宽带集群系统的组密钥分层管理系统, 包括: 系统侧网元, 所述系统侧网元设置成: The embodiment of the present invention further provides a group key hierarchical management system for a broadband cluster system, including: a system side network element, where the system side network element is set to:
为群组生成组根密钥, 将所述组根密钥下发给所述群组中的终端; 以及, 在组呼建立时, 生成组呼安全参数, 基于所述组根密钥和所述组呼安全 参数生成非接入层密钥和接入层密钥, 将所述组呼安全参数下发给所述群组 中的听用户终端; 以及, 基于所述非接入层密钥和接入层密钥对所述组呼的 组呼共享信道进行保护。 Generating a group root key for the group, and sending the group root key to the terminal in the group; and, when the group call is established, generating a group call security parameter, based on the group root key and the Group call security The parameter generates a non-access stratum key and an access stratum key, and sends the group call security parameter to the listening user terminal in the group; and, based on the non-access stratum key and the access stratum The key protects the group call shared channel of the group call.
在本实施例的一种备选方案中, 所述系统侧网元还设置成, 将所述组才艮 密钥下发给所述群组中的终端前, 与所述群组中的终端建立非接入层和接入 层的安全通道; 所述系统侧网元是用于通过所述安全通道将所述组根密钥下 发给所述群组中的终端。  In an alternative of the embodiment, the system side network element is further configured to: before the group key is sent to the terminal in the group, and the terminal in the group Establishing a secure channel of the non-access stratum and the access stratum; the system-side network element is configured to send the group root key to the terminal in the group by using the secure channel.
在本实施例的一种备选方案中, 所述非接入层密钥包括: 非接入层加密 密钥和非接入层完整性保护密钥, 所述接入层密钥包括: 无线资源控制加密 密钥、 无线资源控制完整性保护密钥和用户面数据加密密钥。  In an alternative of the embodiment, the non-access stratum key includes: a non-access stratum encryption key and a non-access stratum integrity protection key, where the access stratum key includes: Resource Control Encryption Key, Radio Resource Control Integrity Protection Key, and User Plane Data Encryption Key.
在本实施例的一种备选方案中, 所述系统侧网元包括: 核心网和演进的 基站, 其中:  In an alternative of the embodiment, the system side network element includes: a core network and an evolved base station, where:
所述核心网设置成, 基于所述组根密钥和所述组呼安全参数使用密钥推 导函数 KDF生成所述非接入层密钥和演进的基站密钥; 以及, 将所述演进的 基站密钥下发给所述组呼相关的所述演进的基站,  The core network is configured to generate the non-access stratum key and the evolved base station key using a key derivation function KDF based on the group root key and the group call security parameter; and, the evolved Sending, by the base station key, the evolved base station related to the group call,
所述演进的基站设置成,基于所述演进的基站密钥使用 KDF函数生成所 述接入层密钥。  The evolved base station is configured to generate the access stratum key using a KDF function based on the evolved base station key.
在本实施例的一种备选方案中, 所述系统侧网元为不同群组生成不同的 组根密钥。  In an alternative of this embodiment, the system side network element generates different group root keys for different groups.
在本实施例的一种备选方案中, 所述组呼安全参数为一随机数, 或者为 一计数值。  In an alternative of this embodiment, the group call security parameter is a random number or a count value.
在本实施例的一种备选方案中, 所述系统侧网元还设置成: 在满足更新 触发条件时, 更新所述群组的组根密钥, 将更新后的组根密钥下发给所述群 组中的终端。 所述更新触发条件包括但不限于: 所述群组中的成员变动或者 安全周期到达。  In an alternative of the embodiment, the system side network element is further configured to: when the update trigger condition is met, update the group root key of the group, and send the updated group root key Give the terminal in the group. The update triggering conditions include, but are not limited to: a member change or a security period in the group arrives.
在本实施例的一种备选方案中, 所述系统侧网元还设置成: 为所述群组 生成组根密钥时, 生成密钥编号; 将所述组根密钥下发给所述群组中的终端 时, 还将所述密钥编号下发给所述群组中的终端; 以及, 在组呼建立时, 将 所述组呼安全参数下发给所述群组中的听用户终端时, 还将所述密钥编号下 发给所述群组中的听用户终端。 In an alternative of the embodiment, the system side network element is further configured to: generate a key number when generating a group root key for the group; and send the group root key to the When the terminal in the group is described, the key number is also sent to the terminal in the group; and, when the group call is established, When the group call security parameter is sent to the listening user terminal in the group, the key number is also sent to the listening user terminal in the group.
在本实施例的一种备选方案中, 所述系统侧网元还设置成, 每个安全周 期更新一次所述组根密钥, 同时更新所述密钥编号, 并将所述更新后的组根 密钥和更新后的密钥编号下发给所述群组中的终端。  In an alternative of the embodiment, the system side network element is further configured to: update the group root key once every security period, update the key number at the same time, and update the updated The group root key and the updated key number are sent to the terminals in the group.
本发明实施例还提供一种终端, 如图 7所示, 所述终端包括:  The embodiment of the present invention further provides a terminal. As shown in FIG. 7, the terminal includes:
交互单元 701 , 其设置成接收系统侧下发的所述终端所属群组的组根密 钥; 以及, 组呼建立时, 接收所述系统侧下发的组呼安全参数;  The interaction unit 701 is configured to receive the group root key of the group to which the terminal belongs, which is sent by the system side; and, when the group call is established, receive the group call security parameter sent by the system side;
密钥生成单元 702 , 其设置成基于所述组根密钥和所述组呼安全参数生 成非接入层密钥和接入层密钥;  a key generation unit 702 configured to generate a non-access stratum key and an access stratum key based on the group root key and the group call security parameter;
保护单元 703 , 其设置成基于所述非接入层密钥和所述接入层密钥对所 述组呼的组呼共享信道进行保护。  The protection unit 703 is configured to protect the group call sharing channel of the group call based on the non-access stratum key and the access stratum key.
在本实施例的一种备选方案中, 所述交互单元 701还设置成, 接收系统 侧下发的所述终端所属群组的组根密钥前, 与所述系统侧建立非接入层和接 入层的安全通道; 所述交互单元 701是设置成通过所述安全通道接收所述系 统侧下发的所述终端所属群组的组根密钥。  In an alternative of the embodiment, the interaction unit 701 is further configured to: before receiving the group root key of the group to which the terminal belongs, sent by the system side, establishing a non-access layer with the system side And the security channel of the access layer; the interaction unit 701 is configured to receive, by using the secure channel, a group root key of the group to which the terminal is delivered by the system side.
在本实施例的一种备选方案中, 所述非接入层密钥包括: 非接入层加密 密钥和非接入层完整性保护密钥; 所述接入层密钥包括: 无线资源控制加密 密钥、 无线资源控制完整性保护密钥和用户面数据加密密钥。  In an alternative of the embodiment, the non-access stratum key includes: a non-access stratum encryption key and a non-access stratum integrity protection key; the access stratum key includes: Resource Control Encryption Key, Radio Resource Control Integrity Protection Key, and User Plane Data Encryption Key.
在本实施例的一种备选方案中, 所述密钥生成单元 702基于所述组根密 钥和所述组呼安全参数生成非接入层密钥和接入层密钥包括:  In an alternative of the embodiment, the generating of the non-access stratum key and the access stratum key by the key generating unit 702 based on the group root key and the group call security parameter includes:
所述密钥生成单元 702基于所述组根密钥和所述组呼安全参数使用 KDF 函数生成非接入层密钥和演进的基站密钥, 基于所述演进的基站密钥使用 KDF函数生成所述接入层密钥。  The key generation unit 702 generates a non-access stratum key and an evolved base station key using a KDF function based on the group root key and the group call security parameter, and generates a KDF function based on the evolved base station key. The access layer key.
在本实施例的一种备选方案中, 所述交互单元 701还设置成: 接收所述 系统侧下发的所述终端所属群组的组根密钥时, 还获取与所述组根密钥一起 下发的密钥编号, 保存所述组根密钥和所述密钥编号; 以及, 组呼建立时, 还接收与所述组呼安全参数一起下发的密钥编号; 所述密钥生成单元 702还设置成, 基于所述组根密钥和所述组呼安全参 数生成非接入层密钥和接入层密钥前, 判断所述组呼建立时接收到的密钥编 号与本地保存的密钥编号是否一致, 如果一致, 才基于所述组根密钥和所述 组呼安全参数生成所述非接入层密钥和所述接入层密钥; 如果不一致, 向所 述系统侧发起组根密钥同步请求, 从所述系统侧获取新的组根密钥和密钥编 号, 并基于所述新的组根密钥和所述组呼安全参数生成非接入层密钥和接入 层密钥。 In an alternative of the embodiment, the interaction unit 701 is further configured to: when receiving the group root key of the group to which the terminal belongs, sent by the system side, The key number delivered by the key together, the root key and the key number are saved; and when the group call is established, the key number sent together with the group call security parameter is also received; The key generation unit 702 is further configured to: before the non-access stratum key and the access layer key are generated based on the group root key and the group call security parameter, determine that the group call is received Whether the key number is consistent with the locally saved key number, and if not, the non-access stratum key and the access stratum key are generated based on the group root key and the group call security parameter; Inconsistent, initiating a group root key synchronization request to the system side, acquiring a new group root key and a key number from the system side, and generating a security based on the new group root key and the group call security parameter Non-access stratum key and access stratum key.
本发明实施例还提供一种包括上述系统侧网元和终端的系统。  The embodiment of the invention further provides a system including the system side network element and the terminal.
本领域普通技术人员可以理解上述方法中的全部或部分步骤可通过程序 来指令相关硬件完成, 所述程序可以存储于计算机可读存储介质中, 如只读 存储器、 磁盘或光盘等。 可选地, 上述实施例的全部或部分步骤也可以使用 一个或多个集成电路来实现。 相应地, 上述实施例中的各模块 /单元可以釆用 硬件的形式实现, 也可以釆用软件功能模块的形式实现。 本发明不限制于任 何特定形式的硬件和软件的结合。  One of ordinary skill in the art will appreciate that all or a portion of the above steps may be accomplished by a program instructing the associated hardware, such as a read-only memory, a magnetic disk, or an optical disk. Alternatively, all or part of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the above embodiment may be implemented in the form of hardware or in the form of a software function module. The invention is not limited to any specific form of combination of hardware and software.
工业实用性 本发明实施例提供的组密钥分层管理方法, 实现简单, 密钥架构分层设 置,在保证了安全程度的同时,对相关技术中的 LTE安全协议架构改动较小, 在终端侧的改动不涉及 SIM卡的软件接口变化, 容易做到后向兼容。 Industrial Applicability The group key hierarchical management method provided by the embodiments of the present invention is simple to implement, and the key architecture is hierarchically set. When the security level is ensured, the LTE security protocol architecture in the related technology is less changed. The side changes do not involve changes to the software interface of the SIM card, making it easy to be backward compatible.

Claims

权 利 要 求 书 claims
1、 一种宽带集群系统的组密钥分层管理方法, 包括: 1. A hierarchical group key management method for a broadband cluster system, including:
系统侧为群组生成组根密钥 ,将所述组根密钥下发给所述群组中的终端; 在组呼建立时, 所述系统侧生成组呼安全参数, 基于所述组根密钥和所 述组呼安全参数生成非接入层密钥和接入层密钥, 将所述组呼安全参数下发 给所述群组中的听用户终端; 以及 The system side generates a group root key for the group, and delivers the group root key to the terminals in the group; when the group call is established, the system side generates group call security parameters, based on the group root key The key and the group call security parameter generate a non-access layer key and an access layer key, and deliver the group call security parameter to the listening user terminals in the group; and
所述系统侧基于所述非接入层密钥和接入层密钥对所述组呼的组呼共享 信道进行保护。 The system side protects the group call shared channel of the group call based on the non-access layer key and the access layer key.
2、 如权利要求 1所述的方法, 其中, 所述系统侧将所述组根密钥下发给 所述群组中的终端前, 还包括: 2. The method of claim 1, wherein before the system side issues the group root key to the terminals in the group, it further includes:
所述系统侧与所述群组中的终端建立非接入层和接入层的安全通道; 以 及 The system side establishes secure channels of the non-access layer and the access layer with the terminals in the group; and
所述系统侧将所述组根密钥下发给所述群组中的终端, 包括: 所述系统 侧通过所述安全通道将所述组根密钥下发给所述群组中的终端。 The system side delivers the group root key to the terminals in the group, including: the system side delivers the group root key to the terminals in the group through the secure channel. .
3、 如权利要求 1所述的方法, 其中, 3. The method of claim 1, wherein,
所述非接入层密钥包括:非接入层加密密钥和非接入层完整性保护密钥; 以及 The non-access layer keys include: non-access layer encryption keys and non-access layer integrity protection keys; and
所述接入层密钥包括: 无线资源控制加密密钥、 无线资源控制完整性保 护密钥和用户面数据加密密钥。 The access layer keys include: radio resource control encryption key, radio resource control integrity protection key and user plane data encryption key.
4、 如权利要求 1或 3所述的方法, 其中, 所述系统侧基于所述组根密钥 和所述组呼安全参数生成非接入层密钥和接入层密钥, 包括: 4. The method according to claim 1 or 3, wherein the system side generates a non-access layer key and an access layer key based on the group root key and the group call security parameter, including:
核心网基于所述组根密钥和所述组呼安全参数使用密钥推导函数 KDF 生成所述非接入层密钥和演进的基站密钥; 以及 The core network uses a key derivation function KDF to generate the non-access layer key and the evolved base station key based on the group root key and the group call security parameter; and
所述核心网将所述演进的基站密钥下发给所述组呼相关的演进的基站, 由所述演进的基站基于所述演进的基站密钥使用密钥推导函数 KDF生成所 述接入层密钥。 The core network delivers the evolved base station key to the evolved base station related to the group call, and the evolved base station uses a key derivation function KDF to generate the access based on the evolved base station key. layer key.
5、 如权利要求 1所述的方法, 其中, 所述系统侧为不同群组生成不同的 组根密钥。 5. The method of claim 1, wherein the system side generates different messages for different groups. Group root key.
6、 如权利要求 1所述的方法, 其中, 所述组呼安全参数为一随机数, 或 者为一计数值。 6. The method according to claim 1, wherein the group call security parameter is a random number or a count value.
7、 如权利要求 1所述的方法, 还包括: 在满足更新触发条件时, 所述系 统侧更新所述群组的组根密钥, 将更新后的组根密钥下发给所述群组中的终 端。 7. The method of claim 1, further comprising: when the update trigger condition is met, the system side updates the group root key of the group, and issues the updated group root key to the group. Terminals in the group.
8、 如权利要求 7所述的方法, 其中, 所述更新触发条件包括: 8. The method of claim 7, wherein the update triggering condition includes:
所述群组中的成员变动或者安全周期到达。 The members in the group change or the security period arrives.
9、 如权利要求 1或 7所述的方法, 还包括: 9. The method of claim 1 or 7, further comprising:
所述系统侧为所述群组生成组根密钥时, 还生成密钥编号; When the system side generates a group root key for the group, it also generates a key number;
所述系统侧将所述组根密钥下发给所述群组中的终端时, 还将所述密钥 编号下发给所述群组中的终端; 以及 When the system side issues the group root key to the terminals in the group, it also issues the key number to the terminals in the group; and
在组呼建立时, 所述系统侧将所述组呼安全参数下发给所述群组中的听 用户终端时, 还将所述密钥编号下发给所述群组中的听用户终端。 When a group call is established, when the system side delivers the group call security parameters to the listening user terminals in the group, it also delivers the key number to the listening user terminals in the group. .
10、 一种宽带集群系统的组密钥分层管理方法, 包括: 10. A hierarchical group key management method for a broadband cluster system, including:
终端接收系统侧下发的所述终端所属群组的组根密钥; The terminal receives the group root key of the group to which the terminal belongs issued by the system side;
组呼建立时, 所述终端接收所述系统侧下发的组呼安全参数; 以及 所述终端基于所述组根密钥和所述组呼安全参数生成非接入层密钥和接 入层密钥, 基于所述非接入层密钥和所述接入层密钥对所述组呼的组呼共享 信道进行保护。 When a group call is established, the terminal receives the group call security parameters issued by the system side; and the terminal generates a non-access layer key and an access layer key based on the group root key and the group call security parameters. The key is used to protect the group call shared channel of the group call based on the non-access layer key and the access layer key.
11、 如权利要求 10所述的方法, 其中, 所述终端接收系统侧下发的所述 终端所属群组的组根密钥前, 还包括: 11. The method of claim 10, wherein before the terminal receives the group root key of the group to which the terminal belongs issued by the system side, it further includes:
所述终端与所述系统侧建立非接入层和接入层的安全通道; 以及 所述终端接收系统侧下发的所述终端所属群组的组根密钥, 包括: 所述 终端通过所述安全通道接收系统侧下发的所述终端所属群组的组根密钥。 The terminal establishes a secure channel for the non-access layer and the access layer with the system side; and the terminal receives the group root key of the group to which the terminal belongs issued by the system side, including: the terminal passes the The secure channel receives the group root key of the group to which the terminal belongs issued by the system side.
12、 如权利要求 10所述的方法, 其中, 12. The method of claim 10, wherein,
所述非接入层密钥包括:非接入层加密密钥和非接入层完整性保护密钥; 以及 The non-access layer keys include: non-access layer encryption keys and non-access layer integrity protection keys; as well as
所述接入层密钥包括: 无线资源控制加密密钥、 无线资源控制完整性保 护密钥和用户面数据加密密钥。 The access layer keys include: radio resource control encryption key, radio resource control integrity protection key and user plane data encryption key.
13、 如权利要求 10至 12任一所述的方法, 其中, 所述终端基于所述组 根密钥和所述组呼安全参数生成非接入层密钥和接入层密钥, 包括: 13. The method according to any one of claims 10 to 12, wherein the terminal generates a non-access layer key and an access layer key based on the group root key and the group call security parameter, including:
所述终端基于所述组根密钥和所述组呼安全参数使用密钥推导函数 KDF 生成非接入层密钥和演进的基站密钥, 基于所述演进的基站密钥使用密钥推 导函数 KDF生成所述接入层密钥。 The terminal uses a key derivation function KDF based on the group root key and the group call security parameter to generate a non-access layer key and an evolved base station key, and uses a key derivation function based on the evolved base station key. KDF generates the access layer key.
14、 如权利要求 10至 12任一所述的方法, 还包括: 14. The method according to any one of claims 10 to 12, further comprising:
所述终端接收所述系统侧下发的所述终端所属群组的组根密钥时, 还获 取与所述组根密钥一起下发的密钥编号,保存所述组根密钥和所述密钥编号; 组呼建立时 ,所述终端还接收与所述组呼安全参数一起下发的密钥编号; 以及 When the terminal receives the group root key of the group to which the terminal belongs issued by the system side, it also obtains the key number issued together with the group root key, and saves the group root key and the group root key. The key number; When the group call is established, the terminal also receives the key number issued together with the group call security parameters; and
所述终端基于所述组根密钥和所述组呼安全参数生成非接入层密钥和接 入层密钥前, 还包括: Before the terminal generates the non-access layer key and the access layer key based on the group root key and the group call security parameter, it also includes:
判断所述组呼建立时接收到的密钥编号与本地保存的密钥编号是否一 致, 如果一致, 基于所述组根密钥和所述组呼安全参数生成所述非接入层密 钥和所述接入层密钥; 如果不一致, 所述终端向所述系统侧发起组根密钥同 步请求, 从所述系统侧获取新的组根密钥和密钥编号, 并基于所述新的组根 密钥和所述组呼安全参数生成非接入层密钥和接入层密钥。 Determine whether the key number received when the group call is established is consistent with the locally stored key number. If they are consistent, generate the non-access layer key and the key number based on the group root key and the group call security parameter. The access layer key; if inconsistent, the terminal initiates a group root key synchronization request to the system side, obtains a new group root key and key number from the system side, and based on the new The group root key and the group call security parameters generate a non-access layer key and an access layer key.
15、 一种宽带集群系统的组密钥分层管理系统, 包括: 系统侧网元, 所 述系统侧网元设置成: 15. A group key hierarchical management system for a broadband cluster system, including: system side network element, the system side network element is set to:
为群组生成组根密钥, 将所述组根密钥下发给所述群组中的终端; 在组呼建立时, 生成组呼安全参数, 基于所述组根密钥和所述组呼安全 参数生成非接入层密钥和接入层密钥, 将所述组呼安全参数下发给所述群组 中的听用户终端; 以及 Generate a group root key for the group, and deliver the group root key to the terminals in the group; When the group call is established, generate group call security parameters based on the group root key and the group The call security parameters generate a non-access layer key and an access layer key, and deliver the group call security parameters to the listening user terminals in the group; and
基于所述非接入层密钥和接入层密钥对所述组呼的组呼共享信道进行保 护。 The group call shared channel of the group call is protected based on the non-access layer key and the access layer key.
16、 如权利要求 15所述的系统, 其中, 16. The system of claim 15, wherein,
所述系统侧网元还设置成,将所述组根密钥下发给所述群组中的终端前, 与所述群组中的终端建立非接入层和接入层的安全通道; 以及 The system-side network element is further configured to establish non-access layer and access layer secure channels with the terminals in the group before issuing the group root key to the terminals in the group; as well as
所述系统侧网元是设置成通过所述安全通道将所述组根密钥下发给所述 群组中的终端。 The system-side network element is configured to deliver the group root key to the terminals in the group through the secure channel.
17、 如权利要求 15所述的系统, 其中, 17. The system of claim 15, wherein,
所述非接入层密钥包括:非接入层加密密钥和非接入层完整性保护密钥; 以及 The non-access layer keys include: non-access layer encryption keys and non-access layer integrity protection keys; and
所述接入层密钥包括: 无线资源控制加密密钥、 无线资源控制完整性保 护密钥和用户面数据加密密钥。 The access layer keys include: radio resource control encryption key, radio resource control integrity protection key and user plane data encryption key.
18、 如权利要求 15至 17任一所述的系统, 其中, 所述系统侧网元包括: 核心网和演进的基站, 其中: 18. The system according to any one of claims 15 to 17, wherein the system side network element includes: a core network and an evolved base station, wherein:
所述核心网设置成, 基于所述组根密钥和所述组呼安全参数使用密钥推 导函数 KDF生成所述非接入层密钥和演进的基站密钥; 以及 The core network is configured to use a key derivation function KDF to generate the non-access layer key and the evolved base station key based on the group root key and the group call security parameter; and
将所述演进的基站密钥下发给所述组呼相关的所述演进的基站; 所述演进的基站设置成, 基于所述演进的基站密钥使用密钥推导函数 KDF生成所述接入层密钥。 The evolved base station key is delivered to the evolved base station related to the group call; the evolved base station is configured to use a key derivation function KDF to generate the access based on the evolved base station key. layer key.
19、 如权利要求 15所述的系统, 其中, 所述系统侧网元为不同群组生成 不同的组根密钥。 19. The system of claim 15, wherein the system side network element generates different group root keys for different groups.
20、 如权利要求 15所述的系统, 其中, 所述组呼安全参数为一随机数, 或者为一计数值。 20. The system of claim 15, wherein the group call security parameter is a random number or a count value.
21、 如权利要求 15所述的系统, 其中, 所述系统侧网元还设置成: 在满 足更新触发条件时, 更新所述群组的组根密钥, 将更新后的组根密钥下发给 所述群组中的终端。 21. The system of claim 15, wherein the system side network element is further configured to: when the update trigger condition is met, update the group root key of the group, and download the updated group root key. Sent to terminals in the group.
22、 如权利要求 21所述的系统, 其中, 所述更新触发条件包括: 所述群组中的成员变动或者安全周期到达。 22. The system of claim 21, wherein the update triggering condition includes: a member change in the group or the arrival of a safety period.
23、 如权利要求 15或 21所述的系统, 其中, 所述系统侧网元还设置成: 为所述群组生成组根密钥时, 生成密钥编号; 将所述组根密钥下发给所述群组中的终端时, 还将所述密钥编号下发给 所述群组中的终端; 以及 23. The system of claim 15 or 21, wherein, The system side network element is also configured to: when generating a group root key for the group, generate a key number; when issuing the group root key to the terminals in the group, also generate the The key number is issued to the terminals in the group; and
在组呼建立时 ,将所述组呼安全参数下发给所述群组中的听用户终端时 , 还将所述密钥编号下发给所述群组中的听用户终端。 When a group call is established, when the group call security parameters are delivered to the listening user terminals in the group, the key number is also delivered to the listening user terminals in the group.
24、 一种终端, 包括: 24. A terminal, including:
交互单元, 其设置成接收系统侧下发的所述终端所属群组的组根密钥; 以及, 组呼建立时, 接收所述系统侧下发的组呼安全参数; The interaction unit is configured to receive the group root key of the group to which the terminal belongs issued by the system side; and, when a group call is established, receive the group call security parameters issued by the system side;
密钥生成单元, 其设置成基于所述组根密钥和所述组呼安全参数生成非 接入层密钥和接入层密钥; 以及 A key generation unit configured to generate a non-access layer key and an access layer key based on the group root key and the group call security parameter; and
保护单元, 其设置成基于所述非接入层密钥和所述接入层密钥对所述组 呼的组呼共享信道进行保护。 A protection unit configured to protect the group call shared channel of the group call based on the non-access layer key and the access layer key.
25、 如权利要求 24所述的终端, 其中, 所述交互单元还设置成, 接收系 统侧下发的所述终端所属群组的组根密钥前, 与所述系统侧建立非接入层和 接入层的安全通道; 以及 25. The terminal according to claim 24, wherein the interaction unit is further configured to establish a non-access layer with the system side before receiving the group root key of the group to which the terminal belongs issued by the system side. and secure channels at the access layer; and
所述交互单元是设置成通过所述安全通道接收所述系统侧下发的所述终 端所属群组的组根密钥。 The interaction unit is configured to receive the group root key of the group to which the terminal belongs issued by the system side through the secure channel.
26、 如权利要求 24所述的终端, 其中, 26. The terminal according to claim 24, wherein,
所述非接入层密钥包括:非接入层加密密钥和非接入层完整性保护密钥; 以及 The non-access layer keys include: non-access layer encryption keys and non-access layer integrity protection keys; and
所述接入层密钥包括: 无线资源控制加密密钥、 无线资源控制完整性保 护密钥和用户面数据加密密钥。 The access layer keys include: radio resource control encryption key, radio resource control integrity protection key and user plane data encryption key.
27、 如权利要求 24至 26任一所述的终端, 其中, 所述密钥生成单元通 过如下方式基于所述组根密钥和所述组呼安全参数生成非接入层密钥和接入 层密钥: 27. The terminal according to any one of claims 24 to 26, wherein the key generation unit generates a non-access layer key and an access layer key based on the group root key and the group call security parameter in the following manner: Layer key:
所述密钥生成单元基于所述组根密钥和所述组呼安全参数使用密钥推导 函数 KDF生成非接入层密钥和演进的基站密钥,基于所述演进的基站密钥使 用密钥推导函数 KDF生成所述接入层密钥。 The key generation unit uses a key derivation function KDF to generate a non-access layer key and an evolved base station key based on the group root key and the group call security parameter, and generates a non-access layer key based on the evolved base station key. The access layer key is generated using a key derivation function KDF.
28、 如权利要求 24至 26任一所述的终端, 其中, 28. The terminal according to any one of claims 24 to 26, wherein,
所述交互单元还设置成: 接收所述系统侧下发的所述终端所属群组的组 根密钥时, 还获取与所述组根密钥一起下发的密钥编号, 保存所述组根密钥 和所述密钥编号; 组呼建立时, 还接收与所述组呼安全参数一起下发的密钥 编号; 以及 The interaction unit is further configured to: when receiving the group root key of the group to which the terminal belongs issued by the system side, also obtain the key number issued together with the group root key, and save the group The root key and the key number; when the group call is established, the key number issued together with the group call security parameters is also received; and
所述密钥生成单元还设置成, 基于所述组根密钥和所述组呼安全参数生 成非接入层密钥和接入层密钥前, 判断所述组呼建立时接收到的密钥编号与 本地保存的密钥编号是否一致, 如果一致, 基于所述组根密钥和所述组呼安 全参数生成所述非接入层密钥和所述接入层密钥; 如果不一致, 向所述系统 侧发起组根密钥同步请求, 从所述系统侧获取新的组根密钥和密钥编号, 并 基于所述新的组根密钥和所述组呼安全参数生成非接入层密钥和接入层密 钥。 The key generation unit is further configured to, before generating the non-access layer key and the access layer key based on the group root key and the group call security parameter, determine the password received when the group call is established. Whether the key number is consistent with the locally saved key number. If they are consistent, generate the non-access layer key and the access layer key based on the group root key and the group call security parameter; if they are inconsistent, Initiate a group root key synchronization request to the system side, obtain a new group root key and key number from the system side, and generate a contactless call based on the new group root key and the group call security parameters. Ingress key and access layer key.
29、 一种宽带集群系统的组密钥分层管理系统, 包括: 如权利要求 23所 述的系统侧网元和权利要求 28所述的终端。 29. A group key hierarchical management system for a broadband cluster system, including: the system side network element as claimed in claim 23 and the terminal as claimed in claim 28.
PCT/CN2014/072593 2013-02-27 2014-02-27 Method, system, and terminal for hierarchical management of group keys of broadband cluster system WO2014131356A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310061843.8 2013-02-27
CN201310061843.8A CN104010276B (en) 2013-02-27 2013-02-27 A kind of group key tiered management approach, system and the terminal of broadband cluster system

Publications (1)

Publication Number Publication Date
WO2014131356A1 true WO2014131356A1 (en) 2014-09-04

Family

ID=51370737

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/072593 WO2014131356A1 (en) 2013-02-27 2014-02-27 Method, system, and terminal for hierarchical management of group keys of broadband cluster system

Country Status (2)

Country Link
CN (1) CN104010276B (en)
WO (1) WO2014131356A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105578456B (en) * 2014-10-14 2019-01-25 成都鼎桥通信技术有限公司 End to End Encryption method, equipment and the system of TD-LTE trunked communication system
CN106162626A (en) * 2015-04-20 2016-11-23 北京信威通信技术股份有限公司 Group communication is eated dishes without rice or wine the methods, devices and systems of security control
CN106358159A (en) * 2015-07-17 2017-01-25 中兴通讯股份有限公司 Shared channel management method and system of broadband cluster system, terminals and base station
CN106998537B (en) * 2016-01-25 2019-09-10 展讯通信(上海)有限公司 The information transferring method and device of group-calling service
CN107770769B (en) * 2016-08-15 2020-05-12 大唐移动通信设备有限公司 Encryption method, network side equipment and terminal
CN106211091B (en) * 2016-09-08 2020-04-24 宇龙计算机通信科技(深圳)有限公司 Method and system for establishing cluster communication
CN106535178B (en) * 2016-11-16 2019-07-12 中国人民解放军信息工程大学 Access layer and Non-Access Stratum key safety insulating device and its method
CN107196920B (en) * 2017-04-28 2019-07-30 中国人民解放军信息工程大学 A kind of key generation distribution method towards wireless communication system
CN109729522A (en) * 2017-10-27 2019-05-07 普天信息技术有限公司 Eat dishes without rice or wine encryption method and device under fail soft mode
CN117295138A (en) * 2023-10-17 2023-12-26 泸州卓远液压有限公司 Control method and device for hydraulic equipment cluster

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101237444A (en) * 2007-01-31 2008-08-06 华为技术有限公司 Secret key processing method, system and device
CN101835152A (en) * 2010-04-16 2010-09-15 中兴通讯股份有限公司 Method and system for establishing reinforced secret key when terminal moves to reinforced UTRAN (Universal Terrestrial Radio Access Network)
CN102291680A (en) * 2010-06-18 2011-12-21 普天信息技术研究院有限公司 Encrypted group calling method based on long term evolution (TD-LTE) trunking communication system
EP2418884A1 (en) * 2009-06-12 2012-02-15 ZTE Corporation Method and system for generating cipher key during switching

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101094065B (en) * 2006-06-23 2011-09-28 华为技术有限公司 Method and system for distributing cipher key in wireless communication network
CN101159556B (en) * 2007-11-09 2011-01-26 清华大学 Group key server based key management method in sharing encryption file system
CN101257723A (en) * 2008-04-08 2008-09-03 中兴通讯股份有限公司 Method, apparatus and system for generating cipher key
US8914849B2 (en) * 2011-06-08 2014-12-16 Tracfone Wireless, Inc. Broadcast replenishment of account parameters for groups of wireless devices
KR101860440B1 (en) * 2011-07-01 2018-05-24 삼성전자주식회사 Apparatus, method and system for creating and maintaining multiast data encryption key in machine to machine communication system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101237444A (en) * 2007-01-31 2008-08-06 华为技术有限公司 Secret key processing method, system and device
EP2418884A1 (en) * 2009-06-12 2012-02-15 ZTE Corporation Method and system for generating cipher key during switching
CN101835152A (en) * 2010-04-16 2010-09-15 中兴通讯股份有限公司 Method and system for establishing reinforced secret key when terminal moves to reinforced UTRAN (Universal Terrestrial Radio Access Network)
CN102291680A (en) * 2010-06-18 2011-12-21 普天信息技术研究院有限公司 Encrypted group calling method based on long term evolution (TD-LTE) trunking communication system

Also Published As

Publication number Publication date
CN104010276B (en) 2019-02-15
CN104010276A (en) 2014-08-27

Similar Documents

Publication Publication Date Title
US10903987B2 (en) Key configuration method, key management center, and network element
WO2014131356A1 (en) Method, system, and terminal for hierarchical management of group keys of broadband cluster system
US20190068591A1 (en) Key Distribution And Authentication Method And System, And Apparatus
US10397775B2 (en) Key exchange method and apparatus
EP3422629B1 (en) Method, apparatus and system for encryption key distribution and authentication
CN102291680B (en) Encrypted group calling method based on long term evolution (TD-LTE) trunking communication system
KR101877733B1 (en) Method and system of securing group communication in a machine-to-machine communication environment
JP5288210B2 (en) Unicast key management method and multicast key management method in network
KR100836028B1 (en) Method for multicast broadcast service
WO2013185735A2 (en) Encryption realization method and system
CN102170636B (en) Methods and devices for computing shared encryption key
CN101583083B (en) Implementation method of real-time data service and real-time data service system
WO2020052414A1 (en) Data protection method, device and system
KR20200003108A (en) Key generation methods, user equipment, devices, computer readable storage media, and communication systems
WO2013064089A1 (en) Method and related device for generating group key
WO2011091751A1 (en) Authentication method for machine type communication device, machine type communication gateway and related devices
JP6614304B2 (en) Mobile communication system, group gateway, UE and communication method
CN101166177B (en) A method and system for initialization signaling transmission at non access layer
WO2022027476A1 (en) Key management method and communication apparatus
EP4238273A1 (en) Method and device for distributing a multicast encryption key
WO2015139370A1 (en) Method of establishing small data secure transmission connection for mtc device group, and hss and system
WO2014180390A2 (en) Trunking group communication public security implementation method and device
WO2017012425A1 (en) Method for managing shared channel of broadband cluster system, system, terminal and base station
CN106162515B (en) Method, device and system for machine type communication safety communication
JP6511542B2 (en) Communication network and method for establishing non-access layer connection in communication network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14757701

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14757701

Country of ref document: EP

Kind code of ref document: A1