WO2017143685A1 - Key updating method, device, and system - Google Patents

Key updating method, device, and system

Info

Publication number
WO2017143685A1
Authority
WO
WIPO (PCT)
Prior art keywords
iot device
server
random number
session key
iot
Prior art date
Application number
PCT/CN2016/083676
Other languages
French (fr)
Chinese (zh)
Inventor
余万涛
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2017143685A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/041 Key generation or derivation
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W 12/0433 Key management protocols

Definitions

  • the present application relates to, but is not limited to, the field of communications, and in particular, to a key update method, apparatus, and system.
  • AKA: Authentication and Key Agreement protocol
  • IoT: Internet of Things
  • the number of IoT devices is huge, and IoT devices may send data continuously or intermittently.
  • in the related art the system must perform authentication and key agreement (AKA) with the IoT device every time the device accesses the network to send data, so the CIoT system spends a large amount of system resources processing AKA for IoT devices.
  • for the problem in the related art that network resources are wasted because the IoT device must be authenticated every time it transmits data to the network, no effective solution has yet been proposed.
  • the present invention provides a key update method, apparatus and system to at least solve the problem in the related art of network resources being wasted by the authentication of IoT devices.
  • An embodiment of the present invention provides a key update method, including: a server receives user identity information of an Internet of Things (IoT) device and determines whether the time point at which the user identity information was received is within an effective duration, where the effective duration is a duration set by the server each time the IoT device completes access authentication; if the determination result is yes, the server sends the IoT device the specified information for generating the session key of the IoT device.
  • the method further includes: when the determination result is no, the server terminates the timing of the effective duration, triggers access authentication of the IoT device, and triggers the timing of the effective duration to be restarted.
  • the effective duration is determined by either of the following: the server takes the time point at which the IoT device completes access authentication as the start of the effective duration and sets the same effective duration for all IoT devices in the cellular Internet of Things (CIoT) system; or the server takes the time point at which each IoT device in the CIoT system completes access authentication as the respective start of that device's effective duration and sets a separate effective duration for each IoT device.
  • the specifying information includes: a random number used to generate the IOT device session key.
  • the server receiving the user identity information of the IoT device includes: the server receiving the user identity information of the IoT device as forwarded by a network side node; and the server sending the IoT device the specified information for generating its session key includes: the server sending the specified information to the IoT device through the network side node.
  • the method further includes: the server receives the user secret key sent by the IoT device; the server generates the session key using the random number and the user secret key, and sends the session key to the network side node.
  • the server includes any one of the following: a home location register (HLR) and a home subscriber server (HSS).
  • the embodiment of the present invention further provides a key update method, including: the IoT device sends user identity information to the server; the IoT device determines whether it has received the specified information for generating the session key sent by the server, where the specified information is sent to the IoT device when the server determines that the time point at which it received the user identity information is within a preset effective duration, and the effective duration is the duration set by the server each time the IoT device completes access authentication; if the determination result is yes, the IoT device generates the session key according to the specified information.
  • the method further includes: when the determining result is no, the IOT device re-initiates an access authentication operation.
  • the specifying information includes: a random number used to generate the IOT device session key.
  • the IoT device generating the session key according to the specified information includes: the IoT device receiving the random number forwarded by the server through a network side node; and the IoT device generating the session key using the user secret key and the random number.
  • alternatively, the IoT device generating the session key according to the specified information includes: the IoT device receiving the random number forwarded by the server through a network side node, together with a random number that has been encrypted by the network side node; the IoT device generating the session key using the user secret key and the random number, and decrypting the encrypted random number with the session key to obtain a decrypted random number; the IoT device determining whether the decrypted random number is the same as the random number forwarded by the server through the network side node; if yes, the IoT device sends its pending data to the network side node; if no, the IoT device sends a request message to the server, where the request message requests that the server resend the random number.
  • the embodiment of the invention further provides a computer readable storage medium storing computer executable instructions which, when executed, implement the above method.
  • the embodiment of the present invention further provides a key update apparatus applied to a server, including: a first processing module, configured to receive user identity information of an IoT device and determine whether the time point at which the user identity information was received is within an effective duration, where the effective duration is the duration set by the server each time the IoT device completes access authentication; and a first sending module, configured to send the IoT device the specified information for generating its session key if the determination result is yes.
  • the apparatus further includes: a second processing module, configured to terminate the timing of the effective duration, trigger access authentication of the IoT device, and restart the timing of the effective duration if the determination result is no.
  • the first processing module is further configured to determine the effective duration by taking the time point at which the IoT device completes access authentication as the start of the effective duration and setting the same effective duration for all IoT devices in the cellular IoT (CIoT) system; or by taking the time point at which each IoT device in the CIoT system completes access authentication as the respective start of its effective duration and setting a separate effective duration for each IoT device.
  • the specifying information includes: a random number used to generate the IOT device session key.
  • the first processing module includes a first processing unit configured to receive the user identity information of the IoT device as forwarded by the network side node; and the first sending module includes a first sending unit configured to send the specified information for generating the session key of the IoT device to the IoT device through the network side node.
  • the apparatus further includes: a receiving module, configured to receive the user secret key sent by the IoT device before the server sends the IoT device the specified information for generating its session key; and a third processing module, configured to generate the session key using the random number and the user secret key and send the session key to the network side node before the server sends the specified information to the IoT device.
  • the server includes any one of the following: a home location register (HLR) and a home subscriber server (HSS).
  • the embodiment of the present invention further provides a key update apparatus applied to an IoT device, including: a second sending module, configured to send user identity information to a server; a determining module, configured to determine whether the specified information for generating a session key sent by the server has been received, where the specified information is sent to the IoT device when the server determines that the time point at which it received the user identity information is within a preset effective duration, and the effective duration is the duration set by the server each time the IoT device completes access authentication; and an obtaining module, configured to generate the session key according to the specified information when the determination result is yes.
  • the device further includes: a fourth processing module, configured to re-initiate the access authentication operation if the determination result is negative.
  • the specified information includes: a random number used to generate the session key of the IoT device.
  • the obtaining module includes: a first receiving unit, configured to receive the random number forwarded by the server through a network side node; and an obtaining unit, configured to generate the session key using the user secret key and the random number.
  • alternatively, the obtaining module includes: a second receiving unit, configured to receive the random number forwarded by the server through the network side node together with a random number encrypted by the network side node; a second processing unit, configured to generate the session key using the user secret key and the random number and to decrypt the encrypted random number with the session key to obtain a decrypted random number; a determining unit, configured to determine whether the decrypted random number is the same as the random number forwarded by the server through the network side node; a second sending unit, configured to send the pending data to the network side node if the determination result is yes; and a third sending unit, configured to send a request message to the server if the determination result is no, where the request message requests that the server resend the random number.
  • the embodiment of the present invention further provides a key update system, including: an IoT device, configured to send user identity information to a network side node; the network side node, configured to send the user identity information to a server and to send the IoT device the specified information for generating its session key; and the server, configured to determine, after receiving the user identity information, whether the time point at which the user identity information was received is within the effective duration, and if so to send the specified information to the network side node.
  • in summary, the server receives the user identity information of the IoT device and determines whether the time point at which the user identity information was received is within the effective duration, where the effective duration is the duration set by the server each time the IoT device completes access authentication; if the determination result is yes, the server sends the IoT device the specified information for generating its session key. That is, after the IoT device completes access authentication, the server sets the effective duration of that access authentication, and if the user identity information sent by the IoT device is received within the effective duration, only a session key needs to be generated and access authentication of the IoT device does not need to be performed again.
  • this solves the problem in the related art that network resources are wasted because the IoT device must be authenticated every time it transmits data, thereby saving network resources and further improving the efficiency of key update.
  • FIG. 1 is a flow chart of a first method of key update according to an embodiment of the present invention
  • FIG. 2 is a flowchart of an IoT device authentication method according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of an IoT device re-authentication method according to an embodiment of the present invention.
  • FIG. 4 is a flowchart of a second method of key update according to an embodiment of the present invention.
  • FIG. 5 is a structural block diagram of a first type of key update apparatus according to an embodiment of the present invention.
  • FIG. 6 is a structural block diagram of a second type of key update apparatus according to an embodiment of the present invention.
  • FIG. 7 is a structural block diagram of a third type of key updating apparatus according to an embodiment of the present invention.
  • FIG. 8 is a structural block diagram of a fourth type of key update apparatus according to an embodiment of the present invention.
  • FIG. 9 is a structural block diagram of an IOT device authentication management apparatus according to an embodiment of the present invention.
  • FIG. 10 is a structural block diagram of an IOT device session key checking apparatus according to an embodiment of the present invention.
  • FIG. 11 is a flowchart of a third method of key update according to an embodiment of the present invention.
  • FIG. 12 is a flowchart of a fourth key update method according to an embodiment of the present invention.
  • FIG. 13 is a structural block diagram of a fifth type of key updating apparatus according to an embodiment of the present invention.
  • FIG. 14 is a structural block diagram of a sixth type of key updating apparatus according to an embodiment of the present invention.
  • FIG. 15 is a block diagram showing the structure of a seventh type of key updating apparatus according to an embodiment of the present invention.
  • FIG. 16 is a block diagram showing the structure of a key update system according to an embodiment of the present invention.
  • FIG. 1 is a flowchart of a first key update method according to an embodiment of the present invention. As shown in FIG. 1, the method includes the following steps:
  • Step S102: the server receives the user identity information of the IoT device and determines whether the time point at which the user identity information was received is within an effective duration, where the effective duration is the duration set by the server each time the IoT device completes access authentication;
  • Step S104: if the determination result is yes, the server sends the IoT device the specified information for generating its session key.
  • the application scenario of the foregoing key update method may include, but is not limited to, a cellular Internet of Things (CIoT) system in which a large number of IoT devices may be deployed.
  • the server may receive the user identity information of the IoT device and determine whether the time point at which the user identity information was received is within an effective duration, where the effective duration may be the length of time set by the server each time the IoT device completes access authentication; if the determination result is yes, the server may send the IoT device the specified information for generating its session key.
  • the server sets the effective duration of the IoT device's access authentication, and if the user identity information sent by the IoT device is received within the effective duration, only a session key needs to be generated and access authentication of the IoT device need not be performed again.
  • the present embodiment provides a key update method applicable to a cellular Internet of Things (CIoT) communication system including IoT devices, in which the server is described by taking a Home Location Register/Home Subscriber Server (HLR/HSS) as an example.
  • the IoT device may include a Subscriber Identity Module (SIM)/Universal Subscriber Identity Module (USIM) card. The method may include the following content:
  • the HLR/HSS decides when to re-authenticate an IoT device according to an authentication effective duration defined by the HLR/HSS for each authentication.
  • the HLR/HSS can define a uniform authentication effective duration for all IoT devices, or a separate authentication effective duration for different IoT devices.
  • the HLR/HSS can start authentication timing for an IoT device. When the timing exceeds the authentication effective duration, the HLR/HSS terminates the authentication timing for that IoT device; any IoT device whose authentication has lapsed in this way must be authenticated again subsequently. For example, the HLR/HSS can define the effective duration of an IoT device as follows:
  • the HLR/HSS sets a counter for the IoT device. When the counter reaches the authentication effective duration, the HLR/HSS clears the counter and stops counting for the IoT device. On subsequently receiving user identity information sent by that IoT device, the HLR/HSS initiates the authentication process.
  • the HLR/HSS may initiate the authentication process for the IoT device after receiving the identity information sent by the IoT device;
  • the HLR/HSS then performs authentication timing for the IoT device.
  • the IoT device may send its user identity information to a network side node, such as a Serving GPRS Support Node (SGSN);
  • the network side node, such as the SGSN, may forward the identity information to the HLR/HSS after receiving it from the IoT device;
  • after receiving the user identity information, the HLR/HSS checks, against the defined validity period, whether the authentication timing for the IoT device has reached the end of the effective duration. If it has been reached or exceeded, the HLR/HSS initiates an authentication process for the IoT device. If it has not been reached, the HLR/HSS generates a new random number for the IoT device, generates a new session key using the new random number and the IoT device's user secret key, and sends the new session key and the new random number to the network side node, such as the SGSN;
  • after receiving the new session key and the new random number, the SGSN sends the new random number to the IoT device;
  • alternatively, the SGSN may encrypt the new random number with the new session key and send the new random number together with the encrypted new random number to the IoT device;
  • the IoT device generates the session key from the user secret key saved on the SIM/USIM and the received new random number;
  • where the encrypted new random number was also sent, the IoT device uses the generated session key to decrypt it and checks whether the decrypted new random number is the same as the new random number received in the clear. If they differ, the IoT device requests retransmission from the network side node, such as the SGSN; if they are the same, the IoT device can communicate securely with the network side node, such as the SGSN.
  • when the determination result is no, the method may further include the following step:
  • Step S11: the server terminates the timing of the effective duration, triggers access authentication of the IoT device, and restarts the timing of the effective duration.
  • by terminating the timing and triggering access authentication of the IoT device, secure communication between the IoT device and the network side node is maintained, so that communication security is not reduced even when the time point at which the user identity information sent by the IoT device is received falls outside the effective duration.
  • an IoT device authentication method wherein the effective duration can be implemented by a timer counter, and the server is described by taking an HLR/HSS as an example. As shown in Figure 2, the following steps are included:
  • Step S201 the IoT device accesses the network and completes AKA authentication
  • Step S202 the HLR/HSS starts a timing counter for the IoT device
  • Step S203: when the counter reaches the authentication effective duration of the IoT device set by the HLR/HSS, the HLR/HSS clears the counter and stops counting for the IoT device.
  • an IoT device re-authentication method is also provided.
  • the server uses the HLR/HSS as an example. As shown in Figure 3, the following steps are included:
  • Step S301 when the IoT device needs to send data, send the IoT device user identity information to the network side node SGSN;
  • Step S302 after receiving the user identity information sent by the IoT device, the network side node SGSN forwards the IoT device user identity information to the HLR/HSS;
  • Step S303 after receiving the IoT device user identity information, the HLR/HSS checks whether there is a timing counter of the IoT device. If not, the HLR/HSS determines that the IoT device needs to be re-authenticated.
  • Step S304: an AKA authentication process is performed between the HLR/HSS and the IoT device.
  • Step S305: after the authentication between the HLR/HSS and the IoT device ends, the HLR/HSS starts a new timing counter for the IoT device.
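The timer logic of FIG. 2 and FIG. 3, as an added example that is not part of the patent: a small Python model of the HLR/HSS keeping one authentication timer per IMSI and deciding, on each identity message, between a plain key update (timer still running) and a full re-authentication (no timer). The subscriber table and the IMSIs and keys in it, the class and function names, the HMAC-based challenge-response that stands in for AKA, and the `now` timestamps are all constructed for the example; the page specifies none of them. The long-term key K is assumed to be provisioned on both the SIM/USIM and the HLR/HSS in advance, as in AKA, so it never appears on the wire.

```python
import hmac
import hashlib
import secrets
from typing import Dict, List

# Constructed sample subscriber database: IMSI -> long-term user secret key K.
# K is held on the SIM/USIM and mirrored in the HLR/HSS; the values are made up.
SUBSCRIBERS: Dict[str, bytes] = {
    "460001234567890": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "460009876543210": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


def aka_response(k: bytes, rand: bytes) -> bytes:
    """Simplified challenge-response: RES = HMAC-SHA256(K, RAND)[:8].
    Stands in for the AKA response function; not the 3GPP MILENAGE algorithm."""
    return hmac.new(k, rand, hashlib.sha256).digest()[:8]


class IoTDevice:
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k = imsi, k            # K lives on the SIM/USIM

    def answer_challenge(self, rand: bytes) -> bytes:
        return aka_response(self.k, rand)


class HlrHss:
    """Server side of FIG. 2 / FIG. 3: one authentication timer per IoT device."""

    def __init__(self, default_duration: float):
        self.default_duration = default_duration   # uniform duration (Step S21)
        self.per_device: Dict[str, float] = {}      # per-device overrides (Step S22)
        self.timer_start: Dict[str, float] = {}     # IMSI -> time AKA completed

    def duration_for(self, imsi: str) -> float:
        return self.per_device.get(imsi, self.default_duration)

    def expire_timers(self, now: float) -> None:
        """Step S203: clear every counter that has reached its effective duration."""
        for imsi in list(self.timer_start):
            if now - self.timer_start[imsi] >= self.duration_for(imsi):
                del self.timer_start[imsi]

    def timer_active(self, imsi: str, now: float) -> bool:
        self.expire_timers(now)
        return imsi in self.timer_start

    def run_aka(self, imsi: str, device: IoTDevice, now: float) -> bool:
        """Step S304/S305: challenge the device; on success start a fresh timer."""
        k = SUBSCRIBERS.get(imsi)
        if k is None:
            return False
        rand = secrets.token_bytes(16)
        xres = aka_response(k, rand)                # expected response, computed by HSS
        res = device.answer_challenge(rand)         # response computed on the SIM/USIM
        if not hmac.compare_digest(xres, res):
            self.timer_start.pop(imsi, None)        # failed AKA leaves no timer behind
            return False
        self.timer_start[imsi] = now                # Step S202 / S305
        return True

    def on_identity(self, imsi: str, device: IoTDevice, now: float) -> str:
        """Step S303: a running timer means key update only; otherwise re-authenticate."""
        if self.timer_active(imsi, now):
            return "key-update"
        return "authenticated" if self.run_aka(imsi, device, now) else "rejected"


def demo() -> List[str]:
    """Walk one device through the states the flowcharts describe."""
    imsi = "460001234567890"
    dev = IoTDevice(imsi, SUBSCRIBERS[imsi])
    hss = HlrHss(default_duration=3600.0)
    hss.per_device["460009876543210"] = 600.0       # a shorter window for one device
    out = []
    out.append(hss.on_identity(imsi, dev, now=0.0))      # no timer yet: AKA runs
    out.append(hss.on_identity(imsi, dev, now=1800.0))   # inside the window: key update only
    out.append(hss.on_identity(imsi, dev, now=3600.0))   # window elapsed: AKA runs again
    rogue = IoTDevice(imsi, b"\x00" * 16)                # wrong K: AKA must fail
    out.append(hss.on_identity(imsi, rogue, now=7300.0)) # timer expired, AKA fails: rejected
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that the window is a property of the HLR/HSS state, not of anything the device presents: a device outside the window, or one that never authenticated, gets a fresh AKA challenge and must prove possession of K before any session key is issued.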
  • the effective duration can be determined by the following steps:
  • Step S21: the server takes the time point at which the IoT device completes access authentication as the start of the effective duration and sets the same effective duration for all IoT devices in the cellular IoT (CIoT) system; or
  • Step S22: the server takes the time point at which each IoT device in the CIoT system completes access authentication as the respective start of its effective duration, and sets a separate effective duration for each IoT device.
  • the effective duration is thus preset for all IoT devices in the CIoT system by a predetermined rule, and dynamic setting of the effective duration is realized.
  • the foregoing specifying information may include: a random number used to generate the IOT device session key.
  • after receiving the random number, the IoT device may use it to generate the session key.
  • the server receiving the user identity information of the Internet of Things IOT device may include the following steps:
  • Step S31 the server receives user identity information forwarded by the Internet of Things IOT device through the network side node;
  • the server sends the specified information for generating the session key of the IOT device to the IOT device, which may include the following steps:
  • Step S32 The server sends the specified information for generating the session key of the IOT device to the IOT device through the network side node.
  • the network side node acts as an intermediate node for receiving the user identity information and transmitting the specified information, which solves the problem in the related art that network resources are wasted because the IoT device must perform authentication every time it sends data to the network, thereby saving network resources and further improving the efficiency of key update.
  • the method may further include the following steps:
  • Step S41: the server receives the user secret key sent by the IoT device;
  • Step S42: the server generates the session key using the random number and the user secret key, and sends the session key to the network side node.
  • the user secret key may be saved on the SIM/USIM.
  • the server generates the session key using the user secret key and the random number and sends the session key to the network side node, thereby further achieving secure communication between the IoT device and the network side node.
  • an IoT device key update method is provided.
  • the server is described by taking the HLR/HSS as an example. As shown in FIG. 4, the method includes the following steps:
  • Step S401 when the IoT device needs to send data, send the IoT device user identity information to the network side node SGSN;
  • Step S402 after receiving the user identity information sent by the IoT device, the network side node SGSN forwards the IoT device user identity information to the HLR/HSS;
  • Step S403 after receiving the IoT device user identity information, the HLR/HSS checks whether a timing counter exists for the IoT device, and if so, the HLR/HSS generates a new random number for the IoT device and generates a new session key using the new random number and the IoT device user private key.
  • Step S404 the HLR/HSS sends the new session key and the new random number to the network side node, such as the SGSN;
  • Step S405 after receiving the new session key and the new random number, the SGSN sends the new random number to the IoT device.
  • Step S406 After receiving the new random number, the IoT device generates a session key according to the user secret key saved on the SIM/USIM and the received new random number.
  • step S407 the IoT device performs secure communication with the network side node, such as the SGSN.
  • the server may include any one of the following: a home location register HLR, a home subscriber server HSS.
  • the method according to the above embodiments can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware.
  • the technical solution of the embodiments of the present invention may be embodied in essence in the form of a software product stored in a storage medium (such as a ROM/RAM, magnetic disk, or optical disc), which includes a plurality of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to perform the method described in the embodiments of the present invention.
  • a key update device is also provided, which is configured to implement the foregoing embodiments and optional implementations, and details are not described herein.
  • the term "module" may refer to a combination of software and/or hardware that implements a predetermined function.
  • the devices described in the following embodiments may be implemented in software, in hardware, or in a combination of software and hardware; any of these is possible and contemplated.
  • FIG. 5 is a structural block diagram of a first type of key update apparatus according to an embodiment of the present invention. As shown in FIG. 5, the apparatus includes:
  • the first processing module 52 is configured to: receive user identity information of the Internet of Things IOT device, and determine whether the time point of receiving the user identity information is within a valid duration, wherein the valid duration is the length of time set by the server each time the IOT device completes access authentication;
  • the first sending module 54 is configured to: when the determination result is YES, send designation information for generating a session key of the IOT device to the IOT device.
  • the application scenario of the foregoing key update method may include, but is not limited to, a Cellular Internet of Things (CIoT) system, where a large number of Internet of Things (IoT) devices are installed in the system.
  • the server may receive the user identity information of the IoT IOT device and determine whether the time point of receiving the user identity information is within a valid duration, where the valid duration may be the length of time set by the server each time the IOT device completes access authentication; if the judgment result is yes, the server may send the specified information for generating the session key of the IOT device to the IOT device.
  • the server may set the valid duration of the IOT device access authentication, and if the user identity information sent by the IOT device is received within the valid duration, the server simply generates a session key and does not need to perform IOT device access authentication.
  • this solves the problem of wasted network resources caused by the need to authenticate the Internet of Things IoT device during each access to the network, thereby achieving the effect of saving network resources and further improving the efficiency of key update.
  • the present embodiment provides a key update method, which can be applied to a cellular IoT CIoT communication system including an IoT device, wherein the server is described by taking an HLR/HSS as an example, and the IoT device can include a SIM/USIM card. The method can include the following steps:
  • the HLR/HSS determines when the IoT device is re-authenticated, for example, the HLR/HSS can define the effective duration of each authentication.
  • HLR/HSS can define a uniform authentication effective duration for all IoT devices, and can also define a separate authentication effective duration for different IoT devices.
  • the HLR/HSS can initiate the authentication timing of the IoT device. When the authentication timing exceeds the validity period of the authentication, the HLR/HSS may terminate the authentication timing of the IoT device. IoT devices whose timing has been terminated will need to be authenticated again subsequently. For example, HLR/HSS can define the valid duration of an IoT device as follows.
  • the HLR/HSS can set a counter for the IoT device. When the counter reaches the authentication valid period, the HLR/HSS can clear the counter and cancel the counting for the IoT device. Upon subsequent receipt of the user identity information sent by the IoT device, the HLR/HSS will initiate the authentication process.
  • the HLR/HSS may initiate the authentication process for the IoT device after receiving the identity information sent by the IoT device;
  • the HLR/HSS can perform authentication timing for the IoT device.
  • when the IoT device needs to send data, it can send the IoT device user identity information to the network side node, such as the SGSN.
  • the network side node, such as the SGSN, may forward the information to the HLR/HSS after receiving the identity information sent by the IoT device;
  • the HLR/HSS can check, according to the defined validity period, whether the authentication timing of the IoT device has reached the validity time of the authentication. If the validity period has been reached or exceeded, the HLR/HSS can initiate an authentication process for the IoT device. If the validity period has not been reached, the HLR/HSS can generate a new random number for the IoT device, generate a new session key using the new random number and the IoT device user secret key, and then send the new session key and the new random number to the network side node, such as the SGSN;
  • after receiving the new session key and the new random number, the SGSN can send the new random number to the IoT device;
  • the SGSN may encrypt the new random number with the new session key, and then send the new random number together with the encrypted new random number to the IoT device;
  • the IoT device may generate a session key according to the user secret key saved on the SIM/USIM and the new random number received;
  • the IoT device may generate a session key according to the user secret key saved on the SIM/USIM and the received new random number, use the session key to decrypt the encrypted new random number, and check whether the decrypted new random number is the same as the received new random number. If they differ, the IoT device can request retransmission from the network side node, such as the SGSN; if they are the same, the IoT device can communicate securely with the network side node, such as the SGSN.
  • FIG. 6 is a structural block diagram of a second type of key update apparatus according to an embodiment of the present invention. As shown in FIG. 6, the apparatus includes, in addition to all the modules shown in FIG., the following:
  • the second processing module 62 is configured to: if the determination result is negative, terminate the timing operation of the valid duration, trigger an operation of performing access authentication on the IOT device, and trigger a re-timing operation of the valid duration.
  • the server may terminate the timing operation of the valid duration and trigger an operation of performing access authentication on the IOT device, thereby implementing secure communication between the IOT device and the network side node and avoiding the reduction in communication security that would result from skipping the access authentication operation when the time point of receiving the user identity information sent by the IOT device is not within the valid duration.
  • the first processing module may be further configured to: determine the valid duration by using the time point at which the IOT device completes access authentication as the starting point of the valid duration, and set the same duration as the valid duration for all the IOT devices under the cellular IoT CIoT system; or, use the time points at which the IOT devices under the cellular IoT CIoT system respectively complete access authentication as the starting points of their valid durations, and set a respective valid duration for each IOT device.
  • the effective duration can be preset for all IOT devices under the cellular Internet of Things CIoT system through predetermined rules, and the dynamic setting of the effective duration is realized.
  • the specifying information may include: a random number used to generate the IOT device session key.
  • after receiving the random number, the IOT device may use it to generate the session key.
  • FIG. 7 is a structural block diagram of a third type of key updating apparatus according to an embodiment of the present invention.
  • the first processing module 52 includes:
  • the first processing unit 72 is configured to: receive user identity information of the Internet of Things IOT device, where the server receives user identity information forwarded by the Internet of Things IOT device through the network side node;
  • the first sending module 54 includes:
  • the first sending unit 74 is configured to: send the designation information for generating the session key of the IOT device to the IOT device through the network side node.
  • using the network side node as an intermediate node that receives the user identity information and forwards the designated information solves the problem in the related art that the IoT device must perform authentication every time it sends data to the network, with the resulting waste of network resources, thereby achieving the effect of saving network resources and further improving the efficiency of key update.
  • FIG. 8 is a structural block diagram of a fourth key updating apparatus according to an embodiment of the present invention. As shown in FIG. 8, the apparatus includes, in addition to all the modules shown in FIG., the following:
  • the receiving module 82 is configured to: receive the user secret key sent by the IOT device before the server sends the specified information for generating the session key of the IOT device to the IOT device;
  • the third processing module 84 is configured to: before the server sends the designation information for generating the session key of the IOT device to the IOT device, generate the session key by using the random number and the user secret key, and send the session key to the network side node.
  • the user secret key may be saved on the SIM/USIM.
  • the server may generate a session key by using the user secret key and the random number sent by the IOT device, and send the session key to the network side node, thereby further achieving the effect of secure communication between the IOT device and the network side node.
  • the foregoing server may include any one of the following: a home location register HLR, and a home subscriber server HSS.
  • an IOT device authentication management device is further provided in this embodiment.
  • the device includes:
  • the authentication timing module 92 is configured to: perform authentication timing for the IoT device after the AKA process ends;
  • the management module 94 is configured to: manage the authentication timing module on behalf of the HLR/HSS, and check whether the timing counter of the authentication timing module for an IoT device has reached the authentication valid duration; when it has, the counter is cleared and the timing for the IoT device is cancelled.
  • the checking module 96 is configured to: check whether the IoT device needs to be authenticated according to the IoT device user identity information, or update the session key;
  • a session key checking apparatus is further provided, as shown in FIG. 10, including:
  • the session key check management module 1002 is configured to: update the IoT device session key, and check whether the update session key needs to be renegotiated.
  • FIG. 11 is a flowchart of a third key update method according to an embodiment of the present invention. As shown in FIG. 11, the method includes the following steps:
  • Step S1102 The Internet of Things IOT device sends user identity information to the server.
  • Step S1104 The IOT device determines whether the specified information for generating the session key sent by the server is received, where the specified information is the information sent to the IOT device when the time point at which the server receives the user identity information is within a preset valid duration, the valid duration being the length of time set by the server after the IOT device completes access authentication;
  • step S1106 if the determination result is yes, the IOT device generates the session key according to the specified information.
  • the application scenario of the foregoing key update method may include, but is not limited to, a Cellular Internet of Things (CIoT) system, where a large number of Internet of Things (IoT) devices are installed in the system.
  • the IoT IOT device may send the user identity information to the server; the IOT device may determine whether the specified information sent by the server for generating the session key is received, wherein the specified information may be the information sent to the IOT device when the server determines that the time point of receiving the user identity information is within a preset valid duration, and the valid duration may be the duration set by the server each time the IOT device completes access authentication; if the determination result is yes, the IOT device may generate the session key according to the specified information. That is, after the IOT device sends the user identity information to the server, if the specified information for generating the session key sent by the server is received within the valid duration of the IOT device authentication, access authentication is not required, and the session key can be generated directly from the specified information. This solves the problem in the related art of wasted network resources caused by authenticating the IoT device on every access, thereby achieving the effect of saving network resources and further improving the efficiency of key update.
  • the method may include the following steps:
  • step S51 the IOT device re-initiates the access authentication operation.
  • the IOT device re-initiates the access authentication operation when it determines that the specified information for generating the session key sent by the server has not been received, thereby avoiding the problem in the related art of wasted network resources caused by the need to authenticate on every access, achieving the effect of saving network resources and further improving the efficiency of key update.
  • the foregoing specifying information may include: a random number used to generate the session key of the IOT device.
  • after receiving the random number, the IOT device may use it to generate the session key.
  • the generating, by the IOT device, the session key according to the specified information may include the following steps:
  • Step S61 the IOT device receives the random number forwarded by the server through the network side node;
  • Step S62 the IOT device generates the session key by using the user secret key and the random number.
  • the user secret key may be saved on the SIM/USIM.
  • the IOT device may receive a random number sent by the server, and generate the session key according to the user private key and the random number to further implement secure communication.
  • the generating, by the IOT device, the session key according to the specified information may include the following steps:
  • Step S71 The IOT device receives the random number forwarded by the server through the network side node, together with the random number encrypted by the network side node.
  • Step S72 The IOT device generates a session key by using the user secret key and the random number, and decrypts the encrypted random number according to the session key to obtain the decrypted random number.
  • Step S73 the IOT device determines whether the decrypted random number is the same as the random number forwarded by the server through the network side node;
  • Step S74 in the case that the determination result is yes, the IOT device sends the data to be sent to the network side node;
  • Step S75 If the determination result is no, the IOT device sends a request message to the server, where the request message is used to request the server to resend the random number.
  • the IOT device can compare the random number received from the server with the decrypted random number and perform the corresponding operation according to the comparison result. This solves the problem of wasted network resources caused by the need to authenticate the Internet of Things IoT device on every access to the network, achieves the effect of saving network resources, and at the same time further guarantees the secure communication of the IOT device.
  • an IoT device key update method is provided, where the server takes the HLR/HSS as an example. As shown in Figure 12, the following steps are included:
  • Step S1201 When the IoT device needs to send data, send the IoT device user identity information to the network side node SGSN.
  • Step S1202 After receiving the user identity information sent by the IoT device, the network side node SGSN forwards the IoT device user identity information to the HLR/HSS.
  • Step S1203 After receiving the IoT device user identity information, the HLR/HSS checks whether a counter exists for the IoT device, and if so, the HLR/HSS generates a new random number for the IoT device and generates a new session key using the new random number and the IoT device user private key.
  • Step S1204 the HLR/HSS sends the new session key and the new random number to the network side node, such as the SGSN;
  • Step S1205 the SGSN encrypts the new random number with the new session key, and then sends the new random number together with the encrypted new random number to the IoT device;
  • Step S1206 After receiving the new random number and the encrypted new random number, the IoT device generates a session key according to the user secret key saved on the SIM/USIM and the received new random number, decrypts the encrypted new random number with the session key, and checks whether the decrypted new random number is the same as the received new random number. If they are the same, step S1207 is performed. If they differ, the IoT device requests retransmission from the network side node, such as the SGSN.
  • step S1207 the IoT device performs secure communication with the network side node, such as the SGSN.
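The exchange in Steps S1201 to S1207 above (and the same timer-gated key update in Steps S401 to S407 and the HLR/HSS embodiment before it), as an added Python simulation that is not part of the patent: the HLR/HSS keeps a per-device authentication timer and only runs a full access authentication when it has expired, the SGSN forwards RAND together with RAND encrypted under the new session key, and the device confirms the key it derived from its SIM/USIM secret by decrypting and comparing, requesting retransmission on mismatch. The key derivation function, the cipher and the message formats are not specified in the text; HMAC-SHA256 and a hash-derived XOR keystream are assumed stand-ins, and the IMSI, key and clock values are constructed.

```python
import hashlib
import hmac
import secrets

def derive_session_key(user_key: bytes, rand: bytes) -> bytes:
    """Assumed KDF (unspecified in the text): HMAC-SHA256 keyed with K over a label and RAND."""
    return hmac.new(user_key, b"ciot-session-key" + rand, hashlib.sha256).digest()

def xor_encrypt(session_key: bytes, data: bytes) -> bytes:
    """Stand-in for the unspecified cipher: XOR with a keystream derived from the
    session key. Each fresh session key yields a fresh keystream, so it is used
    once; the same call decrypts."""
    stream = hashlib.sha256(b"rand-confirm" + session_key).digest()
    assert len(data) <= len(stream)
    return bytes(a ^ b for a, b in zip(data, stream))

class HlrHss:
    """Server: user secret keys plus a per-device authentication validity timer."""

    def __init__(self, user_keys, validity, now):
        self.user_keys = user_keys      # imsi -> K (shared with the SIM/USIM)
        self.validity = validity        # seconds for all devices, or {imsi: seconds}
        self.now = now                  # clock callable, injected so tests can drive it
        self.auth_completed = {}        # imsi -> time the last access authentication completed
        self.authentications = 0        # how many full authentications were needed

    def validity_for(self, imsi):
        return self.validity[imsi] if isinstance(self.validity, dict) else self.validity

    def handle_identity(self, imsi):
        """S1203: while the timer runs, return ('update', (CK, RAND)); otherwise
        clear the timer, run access authentication (AKA itself is not modelled),
        restart the timer and return ('reauth', None)."""
        started = self.auth_completed.get(imsi)
        if started is None or self.now() - started >= self.validity_for(imsi):
            self.authentications += 1
            self.auth_completed[imsi] = self.now()   # re-timing starts now
            return "reauth", None
        rand = secrets.token_bytes(16)
        return "update", (derive_session_key(self.user_keys[imsi], rand), rand)

class Sgsn:
    """Network side node: forwards identity, keeps CK, sends RAND || E_CK(RAND)."""

    def __init__(self, server):
        self.server = server
        self.session_keys = {}

    def forward_identity(self, imsi):
        outcome, payload = self.server.handle_identity(imsi)   # S1202 / S1204
        if outcome != "update":
            return None
        session_key, rand = payload
        self.session_keys[imsi] = session_key
        return rand, xor_encrypt(session_key, rand)            # S1205

class IotDevice:
    def __init__(self, imsi, user_key):
        self.imsi = imsi
        self.user_key = user_key        # K as stored on the SIM/USIM
        self.session_key = None

    def process_update(self, rand, enc_rand):
        """S1206: derive CK from K and RAND, decrypt E_CK(RAND) and compare."""
        candidate = derive_session_key(self.user_key, rand)
        if xor_encrypt(candidate, enc_rand) != rand:
            return "retransmit"          # mismatch: ask the SGSN to resend
        self.session_key = candidate
        return "ok"                      # S1207: ready for secure communication

    def send_data(self, sgsn):
        """S1201 onward; returns 'ok', 'retransmit' or 'reauth'."""
        reply = sgsn.forward_identity(self.imsi)
        if reply is None:
            return "reauth"              # timer had expired: a full authentication ran
        return self.process_update(*reply)

def simulate(validity=600, request_times=(0, 100, 599, 600, 700)):
    """Drive one device through several data sends against a fake clock."""
    clock = [0]
    k = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed test key
    server = HlrHss({"imsi-1": k}, validity, now=lambda: clock[0])
    sgsn = Sgsn(server)
    device = IotDevice("imsi-1", k)
    results = []
    for t in request_times:
        clock[0] = t
        results.append(device.send_data(sgsn))
    return {"results": results,
            "authentications": server.authentications,
            "keys_match": sgsn.session_keys.get("imsi-1") == device.session_key}
```

With the default clock values, five data sends cost two full authentications (at t=0 and at t=600 when the 600 s validity expires) instead of the five the related art would need.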
  • the method according to the above embodiments can be implemented by means of software plus a necessary general hardware platform, and of course, by hardware.
  • the technical solution of the embodiments of the present invention may be embodied in essence in the form of a software product stored in a storage medium (such as a ROM/RAM, magnetic disk, or optical disc), which includes a plurality of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to perform the method described in the embodiments of the present invention.
  • a key update device is further provided, which is configured to implement the above embodiments and optional implementations; details that have already been described are not repeated here.
  • the term "module" may refer to a combination of software and/or hardware that implements a predetermined function.
  • the devices described in the following embodiments may be implemented in software, in hardware, or in a combination of software and hardware; any of these is possible and contemplated.
  • FIG. 13 is a structural block diagram of a fifth type of key update apparatus according to an embodiment of the present invention. As shown in FIG. 13, the apparatus includes:
  • the second sending module 1302 is configured to: send user identity information to the server;
  • the determining module 1304 is configured to: determine whether the specified information for generating the session key sent by the server is received, where the specified information is the information sent to the IOT device when the server determines that the time point of receiving the user identity information is within a preset valid duration, the valid duration being the duration set by the server each time the IOT device completes access authentication;
  • the obtaining module 1306 is configured to: when the determination result is YES, generate the session key according to the specified information.
  • the application scenario of the foregoing key update method may include, but is not limited to, a Cellular Internet of Things (CIoT) system, where a large number of Internet of Things (IoT) devices may be installed in the system.
  • the IoT IOT device may send the user identity information to the server; the IOT device may determine whether the specified information sent by the server for generating the session key is received, wherein the specified information may be the information sent to the IOT device when the server determines that the time point of receiving the user identity information is within a preset valid duration, and the valid duration may be the duration set by the server each time the IOT device completes access authentication; if the determination result is yes, the IOT device may generate the session key according to the specified information. That is, after the IOT device sends the user identity information to the server, if the specified information for generating the session key sent by the server is received within the valid duration of the IOT device authentication, access authentication is not required, and the session key can be generated directly from the specified information. This solves the problem in the related art of wasted network resources caused by authenticating the IoT device on every access, thereby achieving the effect of saving network resources and further improving the efficiency of key update.
  • FIG. 14 is a structural block diagram of a sixth key updating apparatus according to an embodiment of the present invention. As shown in FIG. 14, the apparatus includes all the modules shown in FIG. and also includes:
  • the fourth processing module 1402 is configured to: re-initiate the access authentication operation if the determination result is no.
  • the IOT device re-initiates the access authentication operation when it determines that the specified information for generating the session key sent by the server has not been received, thereby avoiding the problem in the related art of wasted network resources caused by the need to authenticate on every access, achieving the effect of saving network resources and further improving the efficiency of key update.
  • the specifying information may include: a random number used to generate the IOT device session key.
  • after receiving the random number, the IOT device may use it to generate the session key.
  • FIG. 15 is a structural block diagram of a seventh key updating apparatus according to an embodiment of the present invention.
  • the obtaining module 1306 includes:
  • the first receiving unit 1502 is configured to: receive the random number forwarded by the server by the network side node;
  • the obtaining unit 1504 is configured to generate the session key using the user private key and the random number.
  • the units included in the obtaining module 1306 may also be replaced by the following equivalent units:
  • 1) the second receiving unit is configured to: receive the random number forwarded by the server through the network side node, together with the random number encrypted by the network side node;
  • 2) the second processing unit is configured to: generate a session key by using the user private key and the random number, and decrypt the encrypted random number according to the session key to obtain the decrypted random number;
  • 3) the determining unit is configured to: determine whether the decrypted random number is the same as the random number forwarded by the server through the network side node;
  • 4) the second sending unit is configured to: if the determination result is yes, send the data to be sent to the network side node;
  • 5) the third sending unit is configured to: if the determination result is no, send a request message to the server, where the request message is used to request the server to resend a random number.
  • a key update system is also provided in this embodiment. As shown in FIG. 16, the system includes:
  • the Internet of Things IOT device 1602 is configured to: send user identity information to the network side node;
  • the network side node 1604 is configured to: send the user identity information to the server, and send the designated information for generating the session key of the IOT device to the IOT device;
  • the server 1606 is configured to: after receiving the identity information of the user, determine whether the time point of receiving the identity information of the user is within a valid duration; if yes, send the specified information to the network side node.
  • the server 1606 may include: a home location register HLR, a home subscriber server HSS.
  • modules may be implemented by software or hardware.
  • the foregoing may be implemented by, but is not limited to, the following: the foregoing modules are all located in the same processor; or, the modules are respectively located in multiple processors.
  • the embodiment of the invention further provides a storage medium.
  • the foregoing storage medium may be configured to store program code for performing the following steps:
  • the server receives the user identity information of the IoT IOT device, and determines whether the time point of receiving the user identity information is within a valid duration, where the valid duration is the length of time set by the server each time the IOT device completes access authentication;
  • the server sends the designation information for generating the session key of the IOT device to the IOT device.
  • the storage medium may also be arranged to store program code for performing the following steps:
  • the Internet of Things IOT device sends user identity information to the server;
  • the IOT device determines whether the specified information for generating the session key sent by the server is received, where the specified information is the information sent to the IOT device when the server determines that the time point of receiving the user identity information is within a preset valid duration, the valid duration being the duration set by the server each time the IOT device completes access authentication;
  • if the determination result is yes, the IOT device generates the session key according to the specified information.
  • the foregoing storage medium may include, but is not limited to, a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a mobile hard disk, a magnetic disk, an optical disc, or other media that can store program code.
  • the processor may perform the foregoing steps S1, S2 according to the stored program code in the storage medium.
  • the processor may perform the foregoing steps S3, S4, and S5 according to the stored program code in the storage medium.
  • the embodiment of the invention further provides a computer readable storage medium storing computer executable instructions which, when executed, implement the foregoing method.
  • all or part of the steps of the above embodiments may also be implemented by using an integrated circuit. These steps may be separately fabricated into individual integrated circuit modules, or multiple modules or steps may be fabricated into a single integrated circuit module.
  • the devices/function modules/functional units in the above embodiments may be implemented by a general-purpose computing device, which may be centralized on a single computing device or distributed over a network of multiple computing devices.
  • when the device/function module/functional unit in the above embodiment is implemented in the form of a software function module and sold or used as a stand-alone product, it can be stored in a computer readable storage medium.
  • the above mentioned computer readable storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
  • the server receives the user identity information of the Internet of Things IOT device, and determines whether the time point of receiving the user identity information is within a valid duration, where the valid duration is the length of time set by the server each time the IOT device completes access authentication; if the judgment result is yes, the server sends the specified information for generating the session key of the IOT device to the IOT device. That is, in the embodiment of the present invention, after the IOT device completes access authentication, the server sets the valid duration of the IOT device access authentication, and if the user identity information sent by the IOT device is received within the valid duration, only a session key needs to be generated and IOT device access authentication does not need to be performed.
  • this solves the problem of wasted network resources caused by the need to authenticate the Internet of Things IoT device every time it accesses the network to send data, thereby achieving the effect of saving network resources and further improving the efficiency of key update.


Abstract

A key updating method comprises: a server receives user identification information of an Internet of Things (IOT) device, and determines whether the user identification information is received during a valid duration, wherein the valid duration is a duration set by the server each time after the IOT device completes an access authentication process; and if so, the server transmits to the IOT device designated information of a session key.

Description

Key update method, device and system
Technical field
This application relates to, but is not limited to, the field of communications, and in particular to a key update method, apparatus and system.
Background
In Enhanced Data Rate for GSM Evolution (EGPRS) technology, authentication and key agreement are completed within a single Authentication and Key Agreement (AKA) procedure. An Internet of Things (IoT) device does not need to send data continuously, so it does not need to stay online all the time; it only needs to attach to the network when it has data to send. Every time it attaches, the IoT device must be authenticated and a key must be agreed with it to keep the communication secure, and both are done in one AKA procedure.
However, in a Cellular Internet of Things (CIoT) system the number of IoT devices is huge, and an IoT device may send data persistently but intermittently. The system has to authenticate the IoT device and agree a key with it every time it attaches to send data, so the CIoT system spends a large amount of system resources processing AKA procedures for IoT devices.
In the related art, no effective solution has been proposed for the network resources wasted by authenticating an IoT device every time it attaches to the network to send data.
Summary of the invention
The following is an overview of the subject matter described in detail herein. This overview is not intended to limit the scope of the claims.
This document provides a key update method, apparatus and system, so as to at least solve the related-art problem of network resources being wasted because an IoT device must be authenticated every time it attaches to the network to send data.
An embodiment of the present invention provides a key update method, comprising: a server receives user identity information of an IoT device and determines whether the time at which the user identity information is received falls within a valid duration, where the valid duration is a duration set by the server each time the IoT device completes access authentication; and if so, the server sends to the IoT device designated information for generating the session key of the IoT device.
Optionally, the method further comprises: if not, the server stops timing the valid duration, triggers access authentication of the IoT device, and restarts timing of the valid duration.
Optionally, the valid duration is determined in one of the following ways: the server takes the time at which the IoT device was access-authenticated as the start of the valid duration and sets the same valid duration for all IoT devices in the CIoT system; or the server takes the time at which each IoT device in the CIoT system completed its own access authentication as the start of that device's valid duration and sets a separate valid duration for each IoT device.
Optionally, the designated information comprises a random number used to generate the session key of the IoT device.
Optionally, the server receiving the user identity information of the IoT device comprises the server receiving user identity information of the IoT device forwarded by a network-side node; and the server sending the designated information for generating the session key to the IoT device comprises the server sending that designated information to the IoT device through the network-side node.
Optionally, before the server sends the designated information for generating the session key to the IoT device, the method further comprises: the server receives the user secret key sent by the IoT device; the server generates a session key using the random number and the user secret key, and sends the session key to the network-side node.
Optionally, the server is one of: a Home Location Register (HLR), a Home Subscriber Server (HSS).
An embodiment of the present invention further provides a key update method, comprising: an IoT device sends user identity information to a server; the IoT device determines whether it has received designated information for generating a session key sent by the server, where the designated information is the information sent to the IoT device when it is determined that the time at which the server received the user identity information falls within a preset valid duration, and the valid duration is a duration set by the server each time the IoT device completes access authentication; and if so, the IoT device generates the session key according to the designated information.
Optionally, the method further comprises: if not, the IoT device re-initiates access authentication.
Optionally, the designated information comprises a random number used to generate the session key of the IoT device.
Optionally, the IoT device generating the session key according to the designated information comprises: the IoT device receives the random number forwarded by the server through a network-side node; the IoT device generates the session key using its user secret key and the random number.
Optionally, the IoT device generating the session key according to the designated information comprises: the IoT device receives the random number forwarded by the server through the network-side node together with that random number encrypted by the network-side node; the IoT device generates a session key using its user secret key and the random number, and decrypts the encrypted random number with the session key to obtain a decrypted random number; the IoT device determines whether the decrypted random number equals the random number forwarded by the server through the network-side node; if so, the IoT device sends the data it has to send to the network-side node; if not, the IoT device sends a request message to the server requesting that the server resend a random number.
An embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the key update method described above.
An embodiment of the present invention further provides a key update apparatus applied to a server, comprising: a first processing module configured to receive user identity information of an IoT device and determine whether the time at which the user identity information is received falls within a valid duration, where the valid duration is a duration set by the server each time the IoT device completes access authentication; and a first sending module configured to, if so, send designated information for generating the session key of the IoT device to the IoT device.
Optionally, the apparatus further comprises a second processing module configured to, if not, stop timing the valid duration, trigger access authentication of the IoT device, and restart timing of the valid duration.
Optionally, the first processing module is further configured to determine the valid duration in one of the following ways: take the time at which the IoT device was access-authenticated as the start of the valid duration and set the same valid duration for all IoT devices in the CIoT system; or take the time at which each IoT device in the CIoT system completed its own access authentication as the start of that device's valid duration and set a separate valid duration for each IoT device.
Optionally, the designated information comprises a random number used to generate the session key of the IoT device.
Optionally, the first processing module comprises a first processing unit configured to receive user identity information of the IoT device forwarded by a network-side node; and the first sending module comprises a first sending unit configured to send the designated information for generating the session key of the IoT device to the IoT device through the network-side node.
Optionally, the apparatus further comprises: a receiving module configured to receive the user secret key sent by the IoT device before the server sends the designated information for generating the session key to the IoT device; and a third processing module configured to generate a session key using the random number and the user secret key before the server sends that designated information to the IoT device, and to send the session key to the network-side node.
Optionally, the server is one of: a Home Location Register (HLR), a Home Subscriber Server (HSS).
An embodiment of the present invention further provides a key update apparatus applied to an IoT device, comprising: a second sending module configured to send user identity information to a server; a determining module configured to determine whether designated information for generating a session key sent by the server has been received, where the designated information is the information sent to the IoT device when it is determined that the time at which the server received the user identity information falls within a preset valid duration, and the valid duration is a duration set by the server each time the IoT device completes access authentication; and an obtaining module configured to, if so, generate the session key according to the designated information.
Optionally, the apparatus further comprises a fourth processing module configured to, if not, re-initiate access authentication.
Optionally, the designated information comprises a random number used to generate the session key of the IoT device.
Optionally, the obtaining module comprises: a first receiving unit configured to receive the random number forwarded by the server through a network-side node; and an obtaining unit configured to generate the session key using the user secret key and the random number.
Optionally, the obtaining module comprises: a second receiving unit configured to receive the random number forwarded by the server through the network-side node together with that random number encrypted by the network-side node; a second processing unit configured to generate a session key using the user secret key and the random number, and to decrypt the encrypted random number with the session key to obtain a decrypted random number; a determining unit configured to determine whether the decrypted random number equals the random number forwarded by the server through the network-side node; a second sending unit configured to, if so, send the data to be sent to the network-side node; and a third sending unit configured to, if not, send a request message to the server requesting that the server resend a random number.
An embodiment of the present invention further provides a key update system, comprising: an IoT device configured to send user identity information to a network-side node; the network-side node, configured to send the user identity information to a server and to send designated information for generating the session key of the IoT device to the IoT device; and the server, configured to determine, after receiving the user identity information, whether the time at which the user identity information was received falls within a valid duration, and if so, to send the designated information to the network-side node.
In the embodiments of the present invention, a server receives user identity information of an IoT device and determines whether the time at which the user identity information is received falls within a valid duration, where the valid duration is a duration set by the server each time the IoT device completes access authentication; if so, the server sends designated information for generating the session key of the IoT device to the IoT device. In other words, each time the IoT device completes access authentication the server sets a valid duration for that authentication, and if user identity information from the IoT device arrives within the valid duration only a session key needs to be generated; access authentication of the IoT device does not have to be performed again. This solves the related-art problem of network resources being wasted because an IoT device must be authenticated every time it attaches to the network to send data, saves network resources, and makes key updates more efficient.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Brief description of the drawings
Fig. 1 is a flowchart of a first key update method according to an embodiment of the present invention;
Fig. 2 is a flowchart of an IoT device authentication method according to an embodiment of the present invention;
Fig. 3 is a flowchart of an IoT device re-authentication method according to an embodiment of the present invention;
Fig. 4 is a flowchart of a second key update method according to an embodiment of the present invention;
Fig. 5 is a structural block diagram of a first key update apparatus according to an embodiment of the present invention;
Fig. 6 is a structural block diagram of a second key update apparatus according to an embodiment of the present invention;
Fig. 7 is a structural block diagram of a third key update apparatus according to an embodiment of the present invention;
Fig. 8 is a structural block diagram of a fourth key update apparatus according to an embodiment of the present invention;
Fig. 9 is a structural block diagram of an IoT device authentication management apparatus according to an embodiment of the present invention;
Fig. 10 is a structural block diagram of an IoT device session key checking apparatus according to an embodiment of the present invention;
Fig. 11 is a flowchart of a third key update method according to an embodiment of the present invention;
Fig. 12 is a flowchart of a fourth key update method according to an embodiment of the present invention;
Fig. 13 is a structural block diagram of a fifth key update apparatus according to an embodiment of the present invention;
Fig. 14 is a structural block diagram of a sixth key update apparatus according to an embodiment of the present invention;
Fig. 15 is a structural block diagram of a seventh key update apparatus according to an embodiment of the present invention;
Fig. 16 is a structural block diagram of a key update system according to an embodiment of the present invention.
Preferred embodiments of the invention
Embodiments of the present invention are described below with reference to the accompanying drawings. It should be noted that, where there is no conflict, the embodiments in this application and the various ways of carrying them out may be combined with one another.
It should be noted that the terms "first", "second" and so on are used herein to distinguish similar objects and do not necessarily describe a particular order or sequence.
This embodiment provides a key update method. Fig. 1 is a flowchart of a first key update method according to an embodiment of the present invention; as shown in Fig. 1, the method comprises the following steps:
Step S102: a server receives user identity information of an IoT device and determines whether the time at which the user identity information is received falls within a valid duration, where the valid duration is a duration set by the server each time the IoT device completes access authentication;
Step S104: if so, the server sends designated information for generating the session key of the IoT device to the IoT device.
Optionally, in this embodiment the key update method may be applied in, but is not limited to, a Cellular Internet of Things (CIoT) system, in which a large number of IoT devices may be deployed. In that scenario the server receives user identity information of an IoT device and determines whether the time of receipt falls within a valid duration, the valid duration being a duration set by the server each time the IoT device completes access authentication; if so, the server sends designated information for generating the session key of the IoT device to the IoT device. In other words, each time the IoT device completes access authentication the server sets a valid duration for that authentication, and if user identity information from the IoT device arrives within the valid duration only a session key needs to be generated; access authentication does not have to be performed again. This solves the related-art problem of network resources being wasted because an IoT device must be authenticated every time it attaches to the network to send data, saves network resources, and makes key updates more efficient.
This embodiment is illustrated below with a specific example.
This embodiment provides a key update method applicable to a CIoT communication system containing IoT devices. The server is described taking a Home Location Register/Home Subscriber Server (HLR/HSS) as an example, and the IoT device may contain a Subscriber Identity Module/Universal Subscriber Identity Module (SIM/USIM) card. The method may include the following:
After an IoT device completes access authentication, the HLR/HSS determines when the IoT device must be re-authenticated; for example, the HLR/HSS defines a validity duration for each authentication. The HLR/HSS may define one uniform authentication validity duration for all IoT devices, or a separate one for each IoT device. Each time an IoT device's access authentication completes, the HLR/HSS starts an authentication timer for that device; once the timer exceeds the validity duration, the HLR/HSS stops it. Any IoT device without a running authentication timer must be authenticated the next time it attaches. For example, the HLR/HSS defines the authentication validity duration of an IoT device and keeps a counter for it; when the counter reaches the validity duration, the HLR/HSS clears the counter and stops counting for that device, and the next time it receives user identity information from that IoT device it starts the authentication procedure.
Alternatively, the HLR/HSS may force an authentication procedure for the IoT device whenever it receives user identity information from that device.
After an IoT device's access authentication completes, the HLR/HSS starts authentication timing for that device.
When an IoT device needs to send data, it sends its user identity information to a network-side node such as a Serving GPRS Support Node (SGSN).
The network-side node, such as the SGSN, forwards the received user identity information to the HLR/HSS.
On receiving the user identity information, the HLR/HSS checks, against the defined validity duration, whether the IoT device's authentication timer has reached the validity duration. If it has, the HLR/HSS starts the authentication procedure for the IoT device. If it has not, the HLR/HSS generates a new random number for the IoT device, generates a new session key from the new random number and the IoT device's user secret key, and sends the new session key and the new random number to the network-side node such as the SGSN.
On receiving the new session key and the new random number, the SGSN sends the new random number to the IoT device.
Optionally, for security, the SGSN may encrypt the new random number with the new session key and send the encrypted random number together with the plain new random number to the IoT device.
On receiving the new random number, the IoT device generates the session key from the user secret key stored on the SIM/USIM and the new random number.
Optionally, on receiving the new random number and its encrypted copy, the IoT device generates the session key from the user secret key stored on the SIM/USIM and the new random number, decrypts the encrypted copy with that session key, and checks whether the decrypted value equals the new random number it received. If they differ, the IoT device asks the network-side node, such as the SGSN, to resend; if they match, the IoT device communicates securely with the network-side node, such as the SGSN.
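The exchange described above, with the HLR/HSS, the SGSN and the IoT device as separate parties, the optional check of the encrypted random number and the resend request on mismatch, as an added example that is not part of the patent and not ZTE's code. It assumes: HMAC-SHA256 as the key derivation function in place of the operator's algorithm; an HMAC tag over RAND keyed with the new session key in place of "the random number encrypted with the new session key" (a MAC is the standard way to express key confirmation, and the Python standard library has no block cipher); that the HLR/HSS already holds the subscriber secret, as a real HLR/HSS does, rather than receiving it from the device as the summary above states, because a long-term secret must never cross the network; and that the validity-window decision is injected as a callable, so the key handling does not depend on how the timer is kept. The identity, subscriber key, message shapes and class names are invented for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

RAND_LEN = 16  # 128-bit RAND, the size used by 3GPP AKA (assumed for this example)


def derive_session_key(user_secret_key: bytes, rand: bytes) -> bytes:
    """Session key from the subscriber's long-term secret and the fresh RAND.
    HMAC-SHA256 stands in for the operator's key derivation function (assumption)."""
    return hmac.new(user_secret_key, b"session-key|" + rand, hashlib.sha256).digest()


def confirmation_tag(session_key: bytes, rand: bytes) -> bytes:
    """Stand-in for 'RAND encrypted under the new session key' (assumption): a MAC over
    RAND keyed with the session key, which the device can reproduce only if it derived
    the same key from the same RAND and the same subscriber secret."""
    return hmac.new(session_key, b"confirm|" + rand, hashlib.sha256).digest()


class HomeServer:
    """HLR/HSS: holds subscriber secrets and decides whether AKA must be re-run."""

    def __init__(self, subscribers: Dict[str, bytes], within_window: Callable[[str], bool]):
        self.subscribers = subscribers          # identity -> Ki, provisioned, never sent
        self.within_window = within_window      # validity-window check supplied by caller
        self.aka_runs = 0

    def on_identity(self, identity: str) -> Optional[Tuple[bytes, bytes]]:
        """(RAND, session key) for a key update, or None when AKA had to be re-run."""
        if identity not in self.subscribers:
            raise KeyError(f"unknown subscriber {identity}")
        if not self.within_window(identity):
            self.aka_runs += 1                  # full access authentication, out of scope
            return None
        rand = secrets.token_bytes(RAND_LEN)    # fresh per key update, never reused
        return rand, derive_session_key(self.subscribers[identity], rand)


class ServingNode:
    """SGSN: forwards the identity, keeps the session key, relays RAND and the tag."""

    def __init__(self, home: HomeServer):
        self.home = home
        self.session_keys: Dict[str, bytes] = {}

    def on_identity(self, identity: str) -> Optional[Tuple[bytes, bytes]]:
        result = self.home.on_identity(identity)
        if result is None:
            return None
        rand, session_key = result
        self.session_keys[identity] = session_key
        return rand, confirmation_tag(session_key, rand)


def check_key_update(user_secret_key: bytes, rand: bytes, tag: bytes) -> Optional[bytes]:
    """Device side: derive the key from the SIM/USIM secret and verify the tag.
    None means the tag did not match, so the device should ask for a resend."""
    session_key = derive_session_key(user_secret_key, rand)
    if hmac.compare_digest(confirmation_tag(session_key, rand), tag):
        return session_key
    return None


@dataclass
class IotDevice:
    identity: str
    user_secret_key: bytes                  # the secret stored on the SIM/USIM
    sgsn: ServingNode
    session_key: Optional[bytes] = None
    max_resends: int = 2

    def send_data(self) -> str:
        """Identity message, then either a key update or a re-authentication."""
        for _ in range(self.max_resends + 1):
            reply = self.sgsn.on_identity(self.identity)
            if reply is None:
                return "re-authenticated"       # AKA ran; its keys apply instead
            rand, tag = reply
            key = check_key_update(self.user_secret_key, rand, tag)
            if key is not None:
                self.session_key = key
                return "key-updated"            # payload would now go out under key
            # mismatch: request a fresh RAND (modelled as another identity message)
        return "gave-up"


if __name__ == "__main__":
    ki = secrets.token_bytes(16)                # constructed test subscriber key
    home = HomeServer({"imsi-001": ki}, within_window=lambda _identity: True)
    sgsn = ServingNode(home)
    device = IotDevice("imsi-001", ki, sgsn)
    print(device.send_data(), device.session_key == sgsn.session_keys["imsi-001"])
```

The device never learns the session key from the network; it only learns RAND and a value it can check, so a forged or corrupted RAND shows up as a tag mismatch and a resend request rather than as two parties holding different keys. A bounded number of resends keeps a broken path from turning into an endless loop.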
In an optional implementation, when it is determined that the time at which the user identity information is received does not fall within the valid duration, the method may comprise the following step:
Step S11: the server stops timing the valid duration, triggers access authentication of the IoT device, and restarts timing of the valid duration.
In this optional implementation, when the user identity information arrives outside the valid duration the server stops the timer and triggers access authentication of the IoT device. This keeps communication between the IoT device and the network-side node secure and avoids the loss of communication security that would result from skipping access authentication even when the user identity information from the IoT device arrives outside the valid duration.
This embodiment is illustrated below with a specific example.
This embodiment provides an IoT device authentication method in which the valid duration is implemented with a timing counter, and the server is described taking the HLR/HSS as an example. As shown in Fig. 2, it comprises the following steps:
Step S201: the IoT device attaches to the network and completes AKA authentication;
Step S202: the HLR/HSS starts a timing counter for that IoT device;
Step S203: when the counter reaches the authentication validity duration set by the HLR/HSS for the IoT device, the HLR/HSS clears the counter and stops counting for that IoT device.
This embodiment also provides an IoT device re-authentication method. The server is described taking the HLR/HSS as an example; as shown in Fig. 3, it comprises the following steps:
Step S301: when the IoT device needs to send data, it sends its user identity information to the network-side node SGSN;
Step S302: on receiving the user identity information sent by the IoT device, the network-side node SGSN forwards it to the HLR/HSS;
Step S303: on receiving the IoT device's user identity information, the HLR/HSS checks whether a timing counter exists for that IoT device; if there is none, the HLR/HSS determines that the IoT device must be re-authenticated;
Step S304: the HLR/HSS and the IoT device perform the AKA authentication procedure;
Step S305: once authentication between the HLR/HSS and the IoT device has completed, the HLR/HSS starts a new timing counter for that IoT device.
In an optional implementation, the validity duration can be determined by the following steps:
Step S21: the server takes the time point of the IoT device's access authentication as the start of timing and sets the same validity duration for all IoT devices in the Cellular Internet of Things (CIoT) system; or,
Step S22: the server takes the time point at which each IoT device in the CIoT system completes its own access authentication as the start of timing, and sets a separate validity duration for each IoT device.
With this optional implementation, the validity duration is preset for all IoT devices in the CIoT system according to a predetermined rule, so that the validity duration can be set dynamically.
In an optional implementation, the designated information described above may include a random number used to generate the session key of the IoT device.
It should be noted that in this optional implementation, after the IoT device receives the random number, it may use that random number to generate a security key.
In an optional implementation, the server receiving the user identity information of the IoT device may include the following step:
Step S31: the server receives the user identity information of the IoT device as forwarded by the network-side node;
and the server sending the designated information used to generate the session key of the IoT device to that device may include the following step:
Step S32: the server sends the designated information used to generate the session key of the IoT device to the IoT device through the network-side node.
In this optional implementation, using the network-side node as the intermediate node that receives the user identity information and sends the designated information solves the related-art problem of wasted network resources caused by the IoT device having to authenticate every time it accesses the network to send data, thereby saving network resources and further improving the efficiency of key updating.
In an optional implementation, before the server sends the designated information used to generate the session key of the IoT device to that device, the method may further include the following steps:
Step S41: the server receives the user secret key sent by the IoT device;
Step S42: the server generates the session key using the random number and the user secret key, and sends the session key to the network-side node.
Optionally, in this optional implementation, the user secret key may be stored on the SIM/USIM.
In this optional implementation, the server generates the session key from the user secret key sent by the IoT device and the random number, and sends the session key to the network-side node, which further achieves secure communication between the IoT device and the network-side node.
This embodiment is illustrated below with specific examples.
This embodiment provides an IoT device key update method, with an HLR/HSS as the example server. As shown in Figure 4, it includes the following steps:
Step S401: when the IoT device needs to send data, it sends the IoT device user identity information to the network-side node SGSN;
Step S402: after receiving the user identity information sent by the IoT device, the network-side node SGSN forwards it to the HLR/HSS;
Step S403: after receiving the IoT device user identity information, the HLR/HSS checks whether a timing counter exists for the IoT device; if so, the HLR/HSS generates a new random number for the IoT device and generates a new session key using the new random number and the IoT device's user secret key.
Step S404: the HLR/HSS sends the new session key and the new random number to the network-side node, for example the SGSN;
Step S405: after receiving the new session key and the new random number, the SGSN sends the new random number to the IoT device.
Step S406: after receiving the new random number, the IoT device generates the session key from the user secret key stored on the SIM/USIM and the received new random number.
Step S407: the IoT device and the network-side node, for example the SGSN, communicate securely.
In an optional implementation, the server may be either of the following: a home location register (HLR) or a home subscriber server (HSS).
From the description of the above embodiments, those skilled in the art will clearly understand that the method according to the above embodiments can be implemented by software together with the necessary general-purpose hardware platform, and of course also by hardware. On this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes over the related art, can be embodied as a software product stored on a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to execute the method described in the embodiments of the present invention.
This embodiment also provides a key update apparatus configured to implement the above embodiments and optional implementations; what has already been described is not repeated here. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments may be implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Figure 5 is a structural block diagram of a first key update apparatus according to an embodiment of the present invention. As shown in Figure 5, the apparatus includes:
1) a first processing module 52, configured to receive the user identity information of the IoT device and determine whether the time point at which the user identity information is received falls within a validity duration, where the validity duration is a duration set by the server each time the IoT device completes access authentication;
2) a first sending module 54, configured to send the designated information used to generate the session key of the IoT device to the IoT device when the determination result is yes.
Optionally, in this embodiment, application scenarios of the above key update method may include, but are not limited to, a Cellular Internet of Things (CIoT) system in which a large number of Internet of Things (IoT) devices are deployed. In this scenario, a server may receive the user identity information of an IoT device and determine whether the time point at which the user identity information is received falls within a validity duration, where the validity duration may be a duration set by the server each time the IoT device completes access authentication; when the determination result is yes, the server may send the designated information used to generate the session key of the IoT device to the IoT device. In other words, in the embodiments of the present invention, each time the IoT device completes access authentication, the server may set a validity duration for that access authentication; if user identity information from the IoT device is received within that validity duration, only the session key needs to be generated, and the IoT device access authentication need not be performed again. The embodiments of the present invention thereby solve the related-art problem of wasted network resources caused by the IoT device having to authenticate every time it accesses the network to send data, save network resources, and further improve the efficiency of key updating.
This embodiment is illustrated below with specific examples.
This embodiment provides a key update method applicable to a CIoT communication system containing IoT devices, where the server is an HLR/HSS by way of example and the IoT device may contain a SIM/USIM card. The method may include the following steps:
After the IoT device's access authentication is completed, the HLR/HSS determines when the IoT device is to be re-authenticated, for example by defining a validity duration for each authentication. The HLR/HSS may define a uniform authentication validity duration for all IoT devices, or separate authentication validity durations for different IoT devices. Each time an IoT access authentication is completed, the HLR/HSS may start authentication timing for that IoT device. Once the authentication timing exceeds the authentication validity duration, the HLR/HSS may stop the authentication timing for that IoT device. Any IoT device without a running authentication timer must subsequently be authenticated. For example, the HLR/HSS may define an authentication validity duration for the IoT device and set a counter for it; when the counter reaches the authentication validity duration, the HLR/HSS may clear the counter and cancel counting for that IoT device. When user identity information is subsequently received from that IoT device, the HLR/HSS starts the authentication process.
Alternatively, the HLR/HSS may force the authentication process for the IoT device to start after receiving the user identity information sent by the IoT device;
After the IoT device's access authentication is completed, the HLR/HSS may start authentication timing for that IoT device.
When the IoT device needs to send data, it may send the IoT device user identity information to the network-side node, for example the SGSN;
After receiving the user identity information sent by the IoT device, the network-side node, for example the SGSN, may forward it to the HLR/HSS;
After receiving the user identity information sent by the IoT device, the HLR/HSS may check, against the defined authentication validity duration, whether the IoT device's authentication timing has reached that duration. If it has reached or exceeded the authentication validity duration, the HLR/HSS may start the authentication process for the IoT device. If it has not, the HLR/HSS may generate a new random number for the IoT device, generate a new session key using the new random number and the IoT device's user secret key, and then send the new session key and the new random number to the network-side node, for example the SGSN;
After receiving the new session key and the new random number, the SGSN may send the new random number to the IoT device;
Optionally, for security, the SGSN may encrypt the new random number with the new session key and then send the new random number together with its encrypted form to the IoT device;
After receiving the new random number, the IoT device may generate the session key from the user secret key stored on the SIM/USIM and the received new random number;
Optionally, after receiving the new random number and its encrypted form, the IoT device may generate the session key from the user secret key stored on the SIM/USIM and the received new random number, decrypt the encrypted random number with that session key, and check whether the decrypted random number matches the received one. If they differ, the IoT device may request retransmission from the network-side node, for example the SGSN; if they match, the IoT device may communicate securely with the network-side node, for example the SGSN.
Figure 6 is a structural block diagram of a second key update apparatus according to an embodiment of the present invention. As shown in Figure 6, in addition to all the modules shown in Figure 5, the apparatus includes:
1) a second processing module 62, configured to, when the determination result is no, terminate the timing of the validity duration, trigger access authentication of the IoT device, and trigger restarting the timing of the validity duration.
With this optional implementation, when the time point at which the user identity information is received is determined not to fall within the validity duration, the server may terminate the timing of the validity duration and trigger access authentication of the IoT device. This achieves secure communication between the IoT device and the network-side node, and avoids the reduced communication security that would result if access authentication were skipped even though the user identity information was sent outside the validity duration.
In an optional implementation, the first processing module may further be configured to determine the validity duration in one of the following ways: taking the time point of the IoT device's access authentication as the start of timing and setting the same validity duration for all IoT devices in the CIoT system; or taking the time point at which each IoT device in the CIoT system completes its own access authentication as the start of timing and setting a separate validity duration for each IoT device.
With this optional implementation, the validity duration can be preset for all IoT devices in the CIoT system according to a predetermined rule, so that the validity duration can be set dynamically.
In an optional implementation, the designated information may include a random number used to generate the session key of the IoT device.
It should be noted that in this optional implementation, after the IoT device receives the random number, it may use that random number to generate a security key.
In an optional implementation, Figure 7 is a structural block diagram of a third key update apparatus according to an embodiment of the present invention. As shown in Figure 7, the first processing module 52 includes:
1) a first processing unit 72, configured such that receiving the user identity information of the IoT device includes the server receiving the user identity information of the IoT device as forwarded by the network-side node;
and the first sending module 54 includes:
2) a first sending unit 74, configured to send the designated information used to generate the session key of the IoT device to the IoT device through the network-side node.
In this optional implementation, using the network-side node as the intermediate node that receives the user identity information and sends the designated information solves the related-art problem of wasted network resources caused by the IoT device having to authenticate every time it accesses the network to send data, thereby saving network resources and further improving the efficiency of key updating.
In an optional implementation, Figure 8 is a structural block diagram of a fourth key update apparatus according to an embodiment of the present invention. As shown in Figure 8, in addition to all the modules shown in Figure 5, the apparatus includes:
1) a receiving module 82, configured to receive the user secret key sent by the IoT device before the server sends the designated information used to generate the session key of the IoT device to that device;
2) a third processing module 84, configured to, before the server sends the designated information used to generate the session key of the IoT device to that device, generate the session key using the random number and the user secret key and send the session key to the network-side node.
Optionally, in this optional implementation, the user secret key may be stored on the SIM/USIM.
In this optional implementation, the server may generate the session key from the user secret key sent by the IoT device and the random number, and send the session key to the network-side node, which further achieves secure communication between the IoT device and the network-side node.
In an optional implementation, the server described above may be either of the following: a home location register (HLR) or a home subscriber server (HSS).
Optionally, this embodiment also provides an IoT device authentication management apparatus, which, as shown in Figure 9, includes:
1) an authentication timing module 92, configured to perform authentication timing for the IoT device after the AKA process ends;
2) a management module 94, used by the HLR/HSS to manage the authentication timing module: it checks whether the timing counter for an IoT device's timing module has reached the authentication validity duration and, when it has, clears the counter and cancels timing for that IoT device.
3) a checking module 96, configured to check, according to the IoT device user identity information, whether the IoT device needs to be authenticated or whether its session key needs to be updated;
Another optional implementation also provides a session key checking apparatus, which, as shown in Figure 10, includes:
1) a session key check management module 1002, configured to, on IoT device session key update, check whether the updated session key needs to be renegotiated.
This embodiment also provides a key update method. Figure 11 is a flowchart of a third key update method according to an embodiment of the present invention. As shown in Figure 11, the method includes the following steps:
Step S1102: the IoT device sends user identity information to the server;
Step S1104: the IoT device determines whether it has received designated information for generating a session key sent by the server, where the designated information is sent to the IoT device when the time point at which the server received the user identity information is determined to fall within a preset validity duration, and the validity duration is a duration set by the server each time the IoT device completes access authentication;
Step S1106: when the determination result is yes, the IoT device generates the session key from the designated information.
Optionally, in this embodiment, application scenarios of the above key update method may include, but are not limited to, a CIoT system in which a large number of IoT devices are deployed. In this scenario, the IoT device may send user identity information to the server; the IoT device may determine whether it has received designated information for generating a session key sent by the server, where the designated information may be information sent to the IoT device when the time point at which the server received the user identity information falls within a preset validity duration, and the validity duration may be a duration set by the server each time the IoT device completes access authentication; when the determination result is yes, the IoT device may generate the session key from the designated information. In other words, after the IoT device sends user identity information to the server, if it receives the designated information for generating a session key from the server within the validity duration of its authentication, it need not perform access authentication and can instead generate the session key directly from the designated information. This solves the related-art problem of wasted network resources caused by the IoT device having to authenticate every time it accesses the network to send data, saves network resources, and further improves the efficiency of key updating.
In an optional implementation, when the IoT device determines that it has not received the designated information for generating a session key sent by the server, the method may include the following step:
Step S51: the IoT device re-initiates the access authentication operation.
Optionally, in this optional implementation, the access authentication operation is re-initiated specifically when the IoT device determines that it has not received the designated information for generating a session key sent by the server, which avoids the related-art problem of wasted network resources caused by having to authenticate every time the network is accessed to send data, thereby saving network resources and further improving the efficiency of key updating.
In an optional implementation, the designated information described above may include a random number used to generate the session key of the IoT device.
It should be noted that in this optional implementation, after the IoT device receives the random number, it may use that random number to generate a security key.
In an optional implementation, the IoT device generating the session key from the designated information may include the following steps:
Step S61: the IoT device receives the random number forwarded by the server through the network-side node;
Step S62: the IoT device generates the session key using the user secret key and the random number.
Optionally, in this optional implementation, the user secret key may be stored on the SIM/USIM.
In this optional implementation, the IoT device may receive the random number sent by the server and generate the session key from the user secret key and the random number, further achieving secure communication.
In an optional implementation, the IoT device generating the session key from the designated information may include the following steps:
Step S71: the IoT device receives the random number forwarded by the server through the network-side node together with the random number encrypted by the network-side node;
Step S72: the IoT device generates the session key using the user secret key and the random number, and decrypts the encrypted random number with the session key to obtain the decrypted random number;
Step S73: the IoT device determines whether the decrypted random number is the same as the random number forwarded by the server through the network-side node;
Step S74: when the determination result is yes, the IoT device sends the data to be sent to the network-side node;
Step S75: when the determination result is no, the IoT device sends a request message to the server, where the request message requests the server to resend the random number.
In this optional implementation, the IoT device compares the random number received from the server with the decrypted random number and acts on the comparison result. This solves the problem of wasted network resources caused by the IoT device having to authenticate every time it accesses the network to send data, saves network resources, and further ensures the secure communication of the IoT device.
This embodiment is illustrated below with specific examples.
在本可选实施例中,提供了一种IoT设备密钥更新方法,其中,服务器以HLR/HSS为例。如图12所示,包括以下步骤:In this alternative embodiment, an IoT device key update method is provided, where the server takes the HLR/HSS as an example. As shown in Figure 12, the following steps are included:
步骤S1201,当IoT设备需要发送数据时,向网络侧节点SGSN发送IoT设备用户身份信息;Step S1201: When the IoT device needs to send data, send the IoT device user identity information to the network side node SGSN.
步骤S1202,网络侧节点SGSN收到IoT设备发送的用户身份信息后,将IoT设备用户身份信息转发给HLR/HSS;Step S1202: After receiving the user identity information sent by the IoT device, the network side node SGSN forwards the IoT device user identity information to the HLR/HSS.
步骤S1203,HLR/HSS收到IoT设备用户身份信息后,检查是否有该IoT设备的计数器,如果有,则HLR/HSS针对该IoT设备生成一个新的随机数,并使用新的随机数和IoT设备用户私密密钥生成新的会话密钥。Step S1203: After receiving the IoT device user identity information, the HLR/HSS checks whether there is a counter of the IoT device, and if so, the HLR/HSS generates a new random number for the IoT device, and uses the new random number and IoT. The device user private key generates a new session key.
步骤S1204,HLR/HSS将新的会话密钥和新的随机数发送给网络侧节点,如SGSN;Step S1204, the HLR/HSS sends the new session key and the new random number to the network side node, such as the SGSN;
步骤S1205,SGSN用新的会话对新的随机数进行加密,然后把新的随机数和加密后的新的随机数一起发送给IoT设备;Step S1205, the SGSN encrypts the new random number with the new session, and then sends the new random number together with the encrypted new random number to the IoT device;
步骤S1206,IoT设备收到新的随机数和加密后的新的随机数后,根据SIM/USIM上保存的用户私密密钥和收到的新的随机数生成会话密钥,并用会话密钥解密加密后的新的随机数,检查解密后的新随机数是否与收到的新随机数相同。如果相同,则执行步骤407,如果不同,则IoT设备向网络侧节点,如SGSN,请求重新发送;Step S1206: After receiving the new random number and the encrypted new random number, the IoT device generates a session key according to the user secret key saved on the SIM/USIM and the received new random number, and decrypts the session key. The encrypted new random number checks whether the decrypted new random number is the same as the received new random number. If they are the same, step 407 is performed. If different, the IoT device requests retransmission from the network side node, such as the SGSN.
步骤S1207,IoT设备与网络侧节点,如SGSN,之间进行安全通信。In step S1207, the IoT device performs secure communication with the network side node, such as the SGSN.
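The exchange of steps S1201 to S1207, with the device-side check of steps S71 to S75, as an added simulation that is not part of the patent or of any ZTE implementation; the HMAC-SHA256 key derivation, the XOR keystream standing in for the SGSN's encryption of the random number, the 300 s validity window of claims 1 to 3 (the counter check of step S1203 is not modelled) and all identity and key values are assumptions of the example.

```python
import hashlib
import hmac
import os

RAND_LEN = 16  # length of RAND in bytes; assumed, the patent states no length


def derive_session_key(user_secret_key: bytes, rand: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 of RAND under the SIM/USIM user secret key."""
    return hmac.new(user_secret_key, b"session-key|" + rand, hashlib.sha256).digest()


def encrypt_rand(session_key: bytes, rand: bytes) -> bytes:
    """Stand-in for the SGSN encrypting RAND with the session key (S1205): a
    keystream derived from the session key is XORed with RAND, so the same call
    decrypts again (S72, S1206). The patent names no cipher; this is assumed."""
    keystream = hmac.new(session_key, b"confirm|", hashlib.sha256).digest()[:len(rand)]
    return bytes(a ^ b for a, b in zip(rand, keystream))


class HlrHss:
    """Server role: keeps the per-device validity window of claims 1 to 3."""

    def __init__(self, validity_seconds: float, clock, secret_keys: dict):
        self.validity = validity_seconds
        self.clock = clock                # injectable so a scenario can age the window
        self.secret_keys = secret_keys    # identity -> user secret key shared with the SIM/USIM
        self.auth_completed_at = {}       # identity -> timing start of the validity window

    def complete_access_authentication(self, identity: str) -> None:
        # The authentication exchange itself is out of scope; its completion
        # (re)starts the validity window for this device (claim 2).
        self.auth_completed_at[identity] = self.clock()

    def on_identity(self, identity: str):
        """Steps S1203/S1204: inside the window return (RAND, session key), else None."""
        started = self.auth_completed_at.get(identity)
        if started is None or self.clock() - started > self.validity:
            self.auth_completed_at.pop(identity, None)   # stop the timer; re-authentication needed
            return None
        rand = os.urandom(RAND_LEN)
        return rand, derive_session_key(self.secret_keys[identity], rand)


class Sgsn:
    """Network side node role: forwards the identity, returns RAND and E(RAND)."""

    def __init__(self, server: HlrHss):
        self.server = server
        self.session_keys = {}            # identity -> session key received from the HLR/HSS

    def on_identity(self, identity: str):
        result = self.server.on_identity(identity)
        if result is None:
            return None
        rand, session_key = result
        self.session_keys[identity] = session_key
        return rand, encrypt_rand(session_key, rand)


class IotDevice:
    """IoT device role: steps S71 to S75 (S1206)."""

    def __init__(self, identity: str, user_secret_key: bytes, node: Sgsn):
        self.identity, self.user_secret_key, self.node = identity, user_secret_key, node
        self.session_key = None

    def confirm(self, rand: bytes, encrypted_rand: bytes) -> bool:
        """Steps S72/S73: derive the key and check that E(RAND) decrypts to RAND."""
        candidate = derive_session_key(self.user_secret_key, rand)
        if encrypt_rand(candidate, encrypted_rand) != rand:
            return False
        self.session_key = candidate
        return True

    def send_data(self) -> str:
        reply = self.node.on_identity(self.identity)
        if reply is None:
            return "reauth"   # nothing received: re-initiate access authentication (claim 9)
        if not self.confirm(*reply):
            return "resend"   # step S75: request a fresh random number
        return "sent"         # step S74: key confirmed, the data may now be sent


def run_scenario():
    """Constructed run: refresh inside the window, expired window, corrupted E(RAND)."""
    now = [0.0]
    k = bytes(range(16))                  # constructed SIM secret, not a real key
    server = HlrHss(300.0, lambda: now[0], {"imsi-demo": k})
    node = Sgsn(server)
    device = IotDevice("imsi-demo", k, node)
    server.complete_access_authentication("imsi-demo")
    now[0] += 120.0                       # still inside the 300 s window
    in_window = device.send_data()
    keys_match = device.session_key == node.session_keys["imsi-demo"]

    now[0] += 600.0                       # window has expired
    expired = device.send_data()

    server.complete_access_authentication("imsi-demo")
    rand, encrypted_rand = node.on_identity("imsi-demo")
    corrupted = bytes(b ^ 0xFF for b in encrypted_rand)   # constructed corruption in transit
    mismatch = device.confirm(rand, corrupted)
    return in_window, keys_match, expired, mismatch
```

Running `run_scenario()` returns `("sent", True, "reauth", False)`: the in-window refresh yields the same session key on both sides, the expired window forces re-authentication, and a corrupted encrypted random number fails the step S73 comparison.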
From the description of the above embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the technical solution of the embodiments of the present invention, in essence or in the part that contributes to the related art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to perform the method described in the embodiments of the present invention.
This embodiment further provides a key update apparatus configured to implement the above embodiments and optional implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments may be implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 13 is a structural block diagram of a fifth key update apparatus according to an embodiment of the present invention. As shown in FIG. 13, the apparatus includes:
1) a second sending module 1302, configured to send user identity information to a server;
2) a determining module 1304, configured to determine whether specified information for generating a session key, sent by the server, has been received, where the specified information is the information sent to the IoT device when it is determined that the time point at which the server received the user identity information falls within a preset validity duration, the validity duration being the duration set by the server each time the IoT device completes access authentication;
3) an obtaining module 1306, configured to generate the session key according to the specified information if the determination result is yes.
Optionally, in this embodiment, the application scenarios of the above key update method may include, but are not limited to, a Cellular Internet of Things (CIoT) system in which a large number of Internet of Things (IoT) devices may be deployed. In this scenario, the IoT device may send user identity information to the server; the IoT device may determine whether specified information for generating a session key, sent by the server, has been received, where the specified information may be the information sent to the IoT device when it is determined that the time point at which the server received the user identity information falls within a preset validity duration, and the validity duration may be the duration set by the server each time the IoT device completes access authentication; if the determination result is yes, the IoT device may generate the session key according to the specified information. That is, after the IoT device sends the user identity information to the server, if it receives the specified information for generating the session key from the server within the validity duration of its authentication, no access authentication is needed; the session key is generated directly from the specified information. This solves the problem in the related art of wasted network resources caused by the IoT device having to be authenticated each time it accesses the network to send data, achieving the effect of saving network resources and further improving the efficiency of key update.
In an optional implementation, FIG. 14 is a structural block diagram of a sixth key update apparatus according to an embodiment of the present invention. As shown in FIG. 14, in addition to all the modules shown in FIG. 13, the apparatus further includes:
1) a fourth processing module 1402, configured to re-initiate the access authentication operation if the determination result is no.
Optionally, in this optional implementation, it is specifically when the IoT device determines that it has not received the specified information for generating the session key from the server that it re-initiates the access authentication operation. This avoids the problem in the related art of wasted network resources caused by authentication being required each time the network is accessed to send data, achieving the effect of saving network resources and further improving the efficiency of key update.
In an optional implementation, the specified information may include a random number used to generate the session key of the IoT device.
It should be noted that in this optional implementation the random number may be used by the IoT device, after receiving it, to generate a security key from that random number.
In an optional implementation, FIG. 15 is a structural block diagram of a seventh key update apparatus according to an embodiment of the present invention. As shown in FIG. 15, the obtaining module 1306 includes:
1) a first receiving unit 1502, configured to receive the random number forwarded by the server via the network side node;
2) an obtaining unit 1504, configured to generate the session key using the user secret key and the random number.
In an optional implementation, the units included in the above obtaining module 106 may also be equivalently replaced by the following units:
1) a second receiving unit, configured to receive the random number forwarded by the server via the network side node, together with that random number as encrypted by the network side node;
2) a second processing unit, configured to generate a session key using the user secret key and the random number, and to decrypt the encrypted random number with the session key to obtain a decrypted random number;
3) a determining unit, configured to determine whether the decrypted random number is the same as the random number forwarded by the server via the network side node;
4) a second sending unit, configured to send the data to be sent to the network side node if the determination result is yes;
5) a third sending unit, configured to send a request message to the server if the determination result is no, where the request message requests that the server resend the random number.
This embodiment further provides a key update system. As shown in FIG. 16, the system includes:
1) an IoT device 1602, configured to send user identity information to a network side node;
2) a network side node 1604, configured to send the user identity information to a server, and to send specified information for generating a session key of the IoT device to the IoT device;
3) a server 1606, configured to, after receiving the user identity information, determine whether the time point of receiving the user identity information falls within a validity duration, and if so, send the specified information to the network side node.
Optionally, the server 1606 may include a home location register (HLR) or a home subscriber server (HSS).
It should be noted that the above modules may be implemented by software or by hardware; for the latter, this may be achieved by, but is not limited to, the following: the above modules are all located in the same processor, or the above modules are located in multiple processors respectively.
An embodiment of the present invention further provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program code for performing the following steps:
S1: A server receives user identity information of an IoT device and determines whether the time point of receiving the user identity information falls within a validity duration, where the validity duration is the duration set by the server each time the IoT device completes access authentication;
S2: If the determination result is yes, the server sends specified information for generating a session key of the IoT device to the IoT device.
Optionally, the storage medium may also be configured to store program code for performing the following steps:
S3: An IoT device sends user identity information to a server;
S4: The IoT device determines whether specified information for generating a session key, sent by the server, has been received, where the specified information is the information sent to the IoT device when it is determined that the time point at which the server received the user identity information falls within a preset validity duration, the validity duration being the duration set by the server each time the IoT device completes access authentication;
S5: If the determination result is yes, the IoT device generates the session key according to the specified information.
Optionally, in this embodiment, the storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium capable of storing program code.
Optionally, in this embodiment, a processor may perform the above steps S1 and S2 according to the program code stored in the storage medium.
Optionally, in this embodiment, a processor may perform the above steps S3, S4 and S5 according to the program code stored in the storage medium.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the above embodiments and optional implementations, which are not repeated here.
An embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the above key update method.
Those of ordinary skill in the art will understand that all or some of the steps of the above embodiments may be implemented as a computer program flow; the computer program may be stored in a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, device, apparatus, component, processor or the like), and when executed includes one of the steps of the method embodiments or a combination thereof.
Optionally, all or some of the steps of the above embodiments may also be implemented using integrated circuits; these steps may each be fabricated as an individual integrated circuit module, or several of the modules or steps may be fabricated as a single integrated circuit module.
The devices/functional modules/functional units in the above embodiments may be implemented by general-purpose computing devices; they may be centralized on a single computing device or distributed over a network formed by multiple computing devices.
When the devices/functional modules/functional units in the above embodiments are implemented in the form of software functional modules and sold or used as independent products, they may be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
Those of ordinary skill in the art will understand that the technical solutions of the present application may be modified or equivalently replaced without departing from the spirit and scope of the technical solutions of the present application. The scope of protection of the present application is defined by the claims.
Industrial Applicability
In the embodiments of the present invention, a server receives user identity information of an IoT device and determines whether the time point of receiving the user identity information falls within a validity duration, where the validity duration is the duration set by the server each time the IoT device completes access authentication; if the determination result is yes, the server sends specified information for generating a session key of the IoT device to the IoT device. That is, in the embodiments of the present invention, each time the IoT device completes access authentication the server sets a validity duration for that access authentication; if user identity information sent by the IoT device is received within that validity duration, only a session key needs to be generated and the IoT device access authentication operation need not be performed again. The embodiments of the present invention thus solve the problem in the related art of wasted network resources caused by the IoT device having to be authenticated each time it accesses the network to send data, achieving the effect of saving network resources and further improving the efficiency of key update.

Claims (25)

  1. A key update method, comprising:
    receiving, by a server, user identity information of an Internet of Things (IoT) device, and determining whether the time point of receiving the user identity information falls within a validity duration, wherein the validity duration is the duration set by the server each time the IoT device completes access authentication;
    if the determination result is yes, sending, by the server, specified information for generating a session key of the IoT device to the IoT device.
  2. The method according to claim 1, further comprising:
    if the determination result is no, terminating, by the server, the timing of the validity duration, triggering an operation of access authentication for the IoT device, and triggering re-timing of the validity duration.
  3. The method according to claim 1, wherein the validity duration is determined in one of the following ways:
    the server takes the time point of access authentication of the IoT device as the timing start of the validity duration, and sets the same duration as the validity duration for all IoT devices in a Cellular Internet of Things (CIoT) system; or
    the server takes the time point at which each IoT device in the CIoT system completes its own access authentication as the timing start of the validity duration, and sets a separate validity duration for each IoT device.
  4. The method according to claim 1, wherein the specified information comprises a random number for generating the session key of the IoT device.
  5. The method according to claim 1, wherein
    the receiving, by the server, of user identity information of the IoT device comprises: receiving, by the server, user identity information of the IoT device forwarded by a network side node;
    the sending, by the server, of specified information for generating a session key of the IoT device to the IoT device comprises: sending, by the server, the specified information for generating the session key of the IoT device to the IoT device via the network side node.
  6. The method according to claim 4, further comprising, before the server sends the specified information for generating the session key of the IoT device to the IoT device:
    receiving, by the server, a user secret key sent by the IoT device;
    generating, by the server, a session key using the random number and the user secret key, and sending the session key to a network side node.
  7. The method according to any one of claims 1 to 6, wherein the server comprises either of the following: a home location register (HLR) or a home subscriber server (HSS).
  8. A key update method, comprising:
    sending, by an Internet of Things (IoT) device, user identity information to a server;
    determining, by the IoT device, whether specified information for generating a session key, sent by the server, has been received, wherein the specified information is information sent to the IoT device when it is determined that the time point at which the server received the user identity information falls within a preset validity duration, the validity duration being the duration set by the server each time the IoT device completes access authentication;
    if the determination result is yes, generating, by the IoT device, the session key according to the specified information.
  9. The method according to claim 8, further comprising:
    if the determination result is no, re-initiating, by the IoT device, an access authentication operation.
  10. The method according to claim 8, wherein the specified information comprises a random number for generating the session key of the IoT device.
  11. The method according to claim 10, wherein the generating, by the IoT device, of the session key according to the specified information comprises:
    receiving, by the IoT device, the random number forwarded by the server via a network side node;
    generating, by the IoT device, the session key using a user secret key and the random number.
  12. The method according to claim 8, wherein the generating, by the IoT device, of the session key according to the specified information comprises:
    receiving, by the IoT device, a random number forwarded by the server via a network side node, together with that random number as encrypted by the network side node;
    generating, by the IoT device, a session key using a user secret key and the random number, and decrypting the encrypted random number with the session key to obtain a decrypted random number;
    determining, by the IoT device, whether the decrypted random number is the same as the random number forwarded by the server via the network side node;
    if the determination result is yes, sending, by the IoT device, data to be sent to the network side node;
    if the determination result is no, sending, by the IoT device, a request message to the server, wherein the request message requests that the server resend a random number.
  13. A key update apparatus, applied to a server, comprising:
    a first processing module, configured to receive user identity information of an Internet of Things (IoT) device and determine whether the time point of receiving the user identity information falls within a validity duration, wherein the validity duration is the duration set by the server each time the IoT device completes access authentication;
    a first sending module, configured to, if the determination result is yes, send specified information for generating a session key of the IoT device to the IoT device.
  14. The apparatus according to claim 13, further comprising:
    a second processing module, configured to, if the determination result is no, terminate the timing of the validity duration, trigger an operation of access authentication for the IoT device, and trigger re-timing of the validity duration.
  15. The apparatus according to claim 13, wherein the first processing module is further configured to determine the validity duration in one of the following ways:
    taking the time point of access authentication of the IoT device as the timing start of the validity duration, and setting the same duration as the validity duration for all IoT devices in a Cellular Internet of Things (CIoT) system; or
    taking the time point at which each IoT device in the CIoT system completes its own access authentication as the timing start of the validity duration, and setting a separate validity duration for each IoT device.
  16. The apparatus according to claim 13, wherein the specified information comprises a random number for generating the session key of the IoT device.
  17. The apparatus according to claim 13, wherein
    the first processing module comprises a first processing unit, configured to receive user identity information of the IoT device forwarded by a network side node;
    the first sending module comprises a first sending unit, configured to send the specified information for generating the session key of the IoT device to the IoT device via the network side node.
  18. The apparatus according to claim 16, further comprising:
    a receiving module, configured to receive a user secret key sent by the IoT device before the server sends the specified information for generating the session key of the IoT device to the IoT device;
    a third processing module, configured to, before the server sends the specified information for generating the session key of the IoT device to the IoT device, generate a session key using the random number and the user secret key, and send the session key to a network side node.
  19. The apparatus according to any one of claims 13 to 18, wherein the server comprises either of the following: a home location register (HLR) or a home subscriber server (HSS).
  20. 一种密钥更新装置,应用于物联网IOT设备,包括:A key update device for an Internet of Things IOT device, comprising:
    第二发送模块,设置为:向服务器发送用户身份信息;a second sending module, configured to: send user identity information to the server;
    判断模块,设置为:判断是否接收到所述服务器发送的用于生成会话密钥的指定信息,其中,所述指定信息是在判定所述服务器接收到所述用户身份信息的时间点处于预先设置的有效时长内时,发送至所述IOT设备的信息,所述有效时长为在每次所述IOT设备完成接入认证后,所述服务器设置的时长;The determining module is configured to: determine whether the specified information for generating the session key sent by the server is received, wherein the specified information is preset in determining that the server receives the user identity information The information sent to the IOT device during the effective duration is the duration set by the server after each time the IOT device completes the access authentication;
    获取模块,在判断结果为是的情况下,根据所述指定信息生成所述会话密钥。The acquisition module generates the session key based on the specified information if the determination result is YES.
  21. 根据权利要求20所述的装置,所述装置还包括:The apparatus of claim 20, the apparatus further comprising:
    a fourth processing module, configured to re-initiate the access authentication operation if the determination result is no.
  22. The apparatus according to claim 20, wherein the specified information comprises a random number used to generate the session key of the IoT device.
  23. The apparatus according to claim 22, wherein the obtaining module comprises:
    a first receiving unit, configured to receive the random number forwarded by the server via the network-side node;
    an obtaining unit, configured to generate the session key from the user secret key and the random number.
  24. The apparatus according to claim 20, wherein the obtaining module comprises:
    a second receiving unit, configured to receive the random number forwarded by the server via the network-side node together with that random number after encryption by the network-side node;
    a second processing unit, configured to generate a session key from the user secret key and the random number, and to decrypt the encrypted random number with that session key to obtain a decrypted random number;
    a determining unit, configured to determine whether the decrypted random number is identical to the random number forwarded by the server via the network-side node;
    a second sending unit, configured to send the data to be sent to the network-side node if the determination result is yes;
    a third sending unit, configured to send a request message to the server if the determination result is no, the request message requesting that the server resend a random number.
  25. A key updating system, comprising:
    an Internet of Things (IoT) device, configured to send user identity information to a network-side node;
    the network-side node, configured to send the user identity information to a server, and to send specified information for generating a session key of the IoT device to the IoT device;
    the server, configured to, after receiving the user identity information, determine whether the time point at which the user identity information was received falls within a valid duration and, if so, send the specified information to the network-side node.
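The exchange of claims 22 to 25, played out between the three parties as an added worked example; this is editorial code, not the patent's own implementation. The claims do not fix the key derivation function, the cipher, the length of the random number, the length of the valid duration, or how the network-side node obtains the session key it encrypts with, so the example assumes HMAC-SHA256 for derivation, a 16-byte random number, a 30-second window measured from the last access authentication, an HMAC-based XOR stream as a stand-in cipher, and a server that hands the node its copy of the session key. All identities, secrets and timestamps are constructed.

```python
"""Key-update exchange of claims 22-25 between IoT device, network-side node
and server, with the server's validity-window check and the device-side
decrypt-and-compare check on the random number before any data is sent."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumptions (the claims leave these open): HMAC-SHA256 combines the user
# secret key with the random number, the random number is 16 bytes, and the
# valid duration is 30 s counted from the last access authentication.
NONCE_LEN = 16
VALID_DURATION = 30.0


def derive_session_key(user_secret: bytes, random_number: bytes) -> bytes:
    """Session key = f(user secret key, random number); f assumed HMAC-SHA256."""
    return hmac.new(user_secret, b"session-key" + random_number, hashlib.sha256).digest()


def encrypt_with_session_key(session_key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with one HMAC-SHA256 keystream block.
    Symmetric, so the same call decrypts. Only suitable for one short value
    per key; a deployment would use an AEAD such as AES-GCM."""
    stream = hmac.new(session_key, b"keystream", hashlib.sha256).digest()
    return bytes(p ^ s for p, s in zip(data, stream))


@dataclass
class Server:
    user_secrets: Dict[str, bytes]                       # shared with each device
    last_auth: Dict[str, float] = field(default_factory=dict)

    def access_authenticate(self, user_id: str, now: float) -> None:
        """Stand-in for the initial access authentication; opens the window."""
        self.last_auth[user_id] = now

    def handle_identity(self, user_id: str, now: float) -> Optional[Tuple[bytes, bytes]]:
        """Claim 25: issue the random number only inside the valid duration.
        Also returns the server-side session key for the node (assumption)."""
        secret, auth_at = self.user_secrets.get(user_id), self.last_auth.get(user_id)
        if secret is None or auth_at is None or not 0.0 <= now - auth_at <= VALID_DURATION:
            return None
        random_number = os.urandom(NONCE_LEN)
        return random_number, derive_session_key(secret, random_number)


@dataclass
class NetworkNode:
    server: Server
    session_keys: Dict[str, bytes] = field(default_factory=dict)

    def relay_identity(self, user_id: str, now: float) -> Optional[Tuple[bytes, bytes]]:
        """Forward the identity; on success pass the device the random number
        plus the same number encrypted under the session key (claim 24)."""
        issued = self.server.handle_identity(user_id, now)
        if issued is None:
            return None
        random_number, key = issued
        self.session_keys[user_id] = key
        return random_number, encrypt_with_session_key(key, random_number)


class KeyMismatchNode(NetworkNode):
    """Node holding the wrong key (e.g. a stale one from an earlier update)."""
    def relay_identity(self, user_id: str, now: float):
        reply = super().relay_identity(user_id, now)
        if reply is None:
            return None
        random_number, _ = reply
        return random_number, encrypt_with_session_key(b"\x00" * 32, random_number)


@dataclass
class IoTDevice:
    user_id: str
    user_secret: bytes
    session_key: Optional[bytes] = None

    def key_update(self, node: NetworkNode, now: float) -> str:
        reply = node.relay_identity(self.user_id, now)
        if reply is None:
            return "reauthenticate"      # claim 21: re-initiate access authentication
        random_number, encrypted = reply
        key = derive_session_key(self.user_secret, random_number)
        # Claim 24: decrypt and compare. A mismatch means the node does not hold
        # the same key, so ask for a fresh random number rather than send data.
        if not hmac.compare_digest(encrypt_with_session_key(key, encrypted), random_number):
            return "request-resend"
        self.session_key = key
        return "ready"                   # safe to send data to the node


def demo() -> Dict[str, str]:
    """Constructed run: a fresh update, a node with the wrong key, and an
    identity message arriving after the valid duration has elapsed."""
    secret = hashlib.sha256(b"constructed user secret key").digest()
    server = Server(user_secrets={"dev-001": secret})
    server.access_authenticate("dev-001", now=100.0)
    device = IoTDevice("dev-001", secret)
    return {
        "fresh": device.key_update(NetworkNode(server), now=110.0),
        "wrong_key_node": device.key_update(KeyMismatchNode(server), now=120.0),
        "stale_identity": device.key_update(NetworkNode(server), now=200.0),
    }
```

Two points worth noticing when reading the run: the random number crosses the network in the clear, so the only secret input to the session key is the user secret key, and the decrypt-and-compare step in claim 24 is a key-confirmation check (the device learns that whoever encrypted the random number holds the same derived key) rather than confidentiality for the random number itself. The validity window in claim 25 is what bounds replay of an old identity message; outside it the device falls back to full access authentication.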
PCT/CN2016/083676 2016-02-23 2016-05-27 Key updating method, device, and system WO2017143685A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610101539.5A CN107104932A (en) 2016-02-23 2016-02-23 Key updating method, apparatus and system
CN201610101539.5 2016-02-23

Publications (1)

Publication Number Publication Date
WO2017143685A1 true WO2017143685A1 (en) 2017-08-31

Family

ID=59658460

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/083676 WO2017143685A1 (en) 2016-02-23 2016-05-27 Key updating method, device, and system

Country Status (2)

Country Link
CN (1) CN107104932A (en)
WO (1) WO2017143685A1 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108449756B (en) * 2018-06-29 2020-06-05 北京邮电大学 System, method and device for updating network key
JP7185978B2 (en) 2018-07-03 2022-12-08 株式会社ソラコム Apparatus and method for mediating setting of authentication information
CN110519052B (en) * 2019-08-23 2022-07-05 青岛海尔科技有限公司 Data interaction method and device based on Internet of things operating system
CN111988143B (en) * 2020-08-28 2024-03-01 百度时代网络技术(北京)有限公司 Key updating method, device, equipment and storage medium
CN112671532B (en) * 2020-12-07 2023-03-28 华帝股份有限公司 Method for generating communication key and related equipment
CN112784250B (en) * 2021-01-27 2024-04-23 深圳融安网络科技有限公司 Identity authentication method, client, server and storage medium
CN112953923A (en) * 2021-02-03 2021-06-11 广州技象科技有限公司 Safe network access method and device based on secret key updating
CN116415227A (en) * 2021-12-31 2023-07-11 中兴通讯股份有限公司 Key updating method, server, client and storage medium
CN115767522B (en) * 2023-01-09 2023-05-05 中国电子科技集团公司第三十研究所 Internet of things application security enhancement system and method for communication security integrated design

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102547680A (en) * 2010-12-17 2012-07-04 北京创毅视讯科技有限公司 System of internet of things and safety management method for system of internet of things
CN103686717A (en) * 2013-12-23 2014-03-26 江苏物联网研究发展中心 Key management method of Internet of Things (IOT) sensor system
US20140192976A1 (en) * 2012-10-31 2014-07-10 Snu R&Db Foundation Method and system for id-based encryption and decryption
CN104853354A (en) * 2015-05-18 2015-08-19 深圳门萨通信科技有限公司 Bluetooth authentication method and system thereof
CN105117657A (en) * 2015-07-22 2015-12-02 南京邮电大学 Smart service based open authorization access design method and system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102420799B (en) * 2010-09-27 2015-03-11 中国移动通信集团公司 User authentication method, device and system
CN103117983B (en) * 2011-11-16 2015-11-04 中国移动通信集团公司 The method for designing of data service request answer method and data, services protocol stack
CN103532713B (en) * 2012-07-04 2018-03-23 中国移动通信集团公司 Sensor authentication and shared key production method and system and sensor

Also Published As

Publication number Publication date
CN107104932A (en) 2017-08-29

Legal Events

Code   Title                                                                              Description
NENP   Non-entry into the national phase                                                  Ref country code: DE
121    Ep: the epo has been informed by wipo that ep was designated in this application   Ref document number: 16891139; Country of ref document: EP; Kind code of ref document: A1
122    Ep: pct application non-entry in european phase                                    Ref document number: 16891139; Country of ref document: EP; Kind code of ref document: A1