WO2022036600A1 - Key update methods, apparatus and devices, and storage medium - Google Patents


Info

Publication number
WO2022036600A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
multicast service
group
terminal device
service
Application number
PCT/CN2020/110081
Other languages
French (fr)
Chinese (zh)
Inventor
许阳
曹进
熊丽晖
孙韵清
李晖
Original Assignee
Oppo广东移动通信有限公司
Application filed by Oppo广东移动通信有限公司
Priority to CN202080101919.3A (published as CN115918119A)
Priority to PCT/CN2020/110081 (published as WO2022036600A1)
Publication of WO2022036600A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04: Key management, e.g. using generic bootstrapping architecture [GBA]

Definitions

  • The embodiments of the present application relate to the field of communication technologies, and in particular to a key update method, apparatus, device, and storage medium.
  • Some multimedia services require multiple UEs (User Equipment) to receive the same data at the same time, for example video-on-demand, TV broadcasting, online education, and in-vehicle communication. Compared with ordinary data, these multimedia services involve a large amount of data and a long duration. To use mobile network resources effectively and provide better services to UEs, multicast services were introduced.
  • In one type of multicast service, a UE sends the same information content point-to-multipoint to the UEs in the multicast service group; in another type, MBMS (Multimedia Broadcast/Multicast Service), the wireless network sends the same information content point-to-multipoint to the UEs in the multicast service group.
  • Multicast services enable network resource sharing, improve the utilization of network resources (especially air interface resources), and efficiently provide users with high-speed and stable multimedia services.
  • Embodiments of the present application provide a key update method, apparatus, device, and storage medium.
  • The technical solution is as follows:
  • An embodiment of the present application provides a key update method applied to a terminal device. The method includes: receiving a key update message from a network device, and updating, according to the key update message, the security key used by the first terminal device in the first multicast service group, where the first multicast service group is used to perform the first multicast service.
  • An embodiment of the present application provides a key update method applied to a core network device. The method includes: when the first multicast service group is updated, sending a key update message to the first terminal device, where the key update message is used to update the security key used by the first terminal device in the first multicast service group, and the first multicast service group is used to perform the first multicast service.
  • An embodiment of the present application provides a key update apparatus set in a terminal device. The apparatus includes: a message receiving module configured to receive a key update message from a network device; and a key update module configured to update, according to the key update message, the security key used by the first terminal device in the first multicast service group, where the first multicast service group is used to perform the first multicast service.
  • An embodiment of the present application provides a key update apparatus set in a core network device. The apparatus includes: a message sending module configured to send a key update message to the first terminal device when the first multicast service group is updated, where the key update message is used to update the security key used by the first terminal device in the first multicast service group, and the first multicast service group is used to perform the first multicast service.
  • An embodiment of the present application provides a terminal device including a processor and a transceiver connected to the processor, wherein the transceiver is configured to receive a key update message from a network device, and the processor is configured to update, according to the key update message, the security key used by the first terminal device in the first multicast service group, where the first multicast service group is used to perform the first multicast service.
  • An embodiment of the present application provides a core network device including a processor and a transceiver connected to the processor, wherein the transceiver is configured to send a key update message to the first terminal device when the first multicast service group is updated, where the key update message is used to update the security key used by the first terminal device in the first multicast service group, and the first multicast service group is used to perform the first multicast service.
  • An embodiment of the present application provides a computer-readable storage medium storing a computer program, which is executed by a processor of a terminal device to implement the above terminal-device-side key update method.
  • An embodiment of the present application provides a computer-readable storage medium storing a computer program, which is executed by a processor of a core network device to implement the above core-network-device-side key update method.
  • An embodiment of the present application provides a chip including a programmable logic circuit and/or program instructions, which, when the chip runs on a terminal device, implements the above terminal-device-side key update method.
  • An embodiment of the present application provides a chip including a programmable logic circuit and/or program instructions, which, when the chip runs on a core network device, implements the above core-network-device-side key update method.
  • An embodiment of the present application provides a computer program product which, when run on a terminal device, causes the computer to execute the above terminal-device-side key update method.
  • An embodiment of the present application provides a computer program product which, when run on a core network device, causes the computer to execute the above core-network-device-side key update method.
  • When a multicast service group managed by the core network device is updated, a key update message is sent to the terminal devices included in the updated multicast service group, responding in time to the update of the group, which enriches the functions corresponding to multicast services.
  • The terminal devices included in the updated multicast service group update the security key used in that group in time, which ensures the security of the multicast service carried out with the security key in the updated group and improves the security guarantee mechanism of multicast services.
  • Because the core network device sends the key update message only to the terminal devices included in the updated multicast service group, a terminal device that used the security key provided by the group before the update but is no longer included in the updated group does not receive the key update message and therefore cannot learn the updated security key. This provides a good security guarantee for the remaining terminal devices in the group to carry out the multicast service.
  • FIG. 1 is a schematic diagram of a system architecture provided by an embodiment of the present application.
  • FIG. 2 is a schematic diagram of a multicast communication system architecture provided by an embodiment of the present application.
  • FIG. 3 is a schematic diagram of a multicast communication process provided by an embodiment of the present application.
  • FIG. 4 is a schematic diagram of a multicast communication process provided by another embodiment of the present application.
  • FIG. 5 is a schematic diagram of a key system provided by an embodiment of the present application.
  • FIG. 6 is a schematic diagram of a key system provided by another embodiment of the present application.
  • FIG. 7 is a flowchart of a key update method provided by an embodiment of the present application.
  • FIG. 8 is a schematic diagram of a method for updating a multicast service group provided by an embodiment of the present application.
  • FIG. 9 is a flowchart of a key update method provided by another embodiment of the present application.
  • FIG. 10 is a block diagram of a key update device provided by an embodiment of the present application.
  • FIG. 11 is a block diagram of a key update device provided by another embodiment of the present application.
  • FIG. 12 is a block diagram of a key update device provided by another embodiment of the present application.
  • FIG. 13 is a block diagram of a terminal device provided by an embodiment of the present application.
  • FIG. 14 is a block diagram of a core network device provided by an embodiment of the present application.
  • The network architecture and service scenarios described in the embodiments of the present application are intended to illustrate the technical solutions of the embodiments more clearly, and do not constitute a limitation on them.
  • With the evolution of service scenarios and the emergence of new service scenarios, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
  • FIG. 1 shows a schematic diagram of a system architecture provided by an embodiment of the present application.
  • The system architecture 100 may include: a terminal device 10, an access network device 20, and a core network device 30.
  • Terminal device 10 may refer to a UE, access terminal, subscriber unit, subscriber station, mobile station, remote station, remote terminal, mobile device, wireless communication device, user agent, or user equipment.
  • The terminal device may also be a cellular phone, a cordless phone, a SIP (Session Initiation Protocol) phone, a WLL (Wireless Local Loop) station, a PDA (Personal Digital Assistant), a handheld device with wireless communication functions, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in 5G (5th-Generation mobile communication technology), or a terminal device in a future evolved PLMN (Public Land Mobile Network), and the like, which are not limited in this embodiment of the present application.
  • For convenience of description, the devices mentioned above are collectively referred to as terminal devices.
  • the number of terminal devices 10 is usually multiple, and one
  • The access network device 20 is a device deployed in the access network to provide the terminal device 10 with a wireless communication function.
  • The access network device 20 may include various forms of macro base stations, micro base stations, relay stations, access points, and the like.
  • The names of devices with access network device functions may differ; for example, in a 5G NR (New Radio) system, such a device is called gNodeB or gNB.
  • As communication technology evolves, the name "access network device" may change.
  • For convenience of description, in the embodiments of the present application, the above-mentioned apparatuses for providing a wireless communication function for the terminal device 10 are collectively referred to as access network devices.
  • The access network device 20 may be an EUTRAN (Evolved Universal Terrestrial Radio Access Network) or one or more eNodeBs (evolved Node B) in the EUTRAN; in a 5G NR system, the access network device 20 may be a RAN (Radio Access Network) or one or more gNBs in the RAN.
  • The functions of the core network device 30 are mainly to provide user connection, manage users, carry out services, and serve as the interface through which the bearer network reaches external networks.
  • The core network device 30 in the 5G NR system may include an AMF (Access and Mobility Management Function) entity, a UPF (User Plane Function) entity, an SMF (Session Management Function) entity, and other equipment.
  • The access network device 20 and the core network device 30 communicate with each other through an interface technology, such as the NG interface in the 5G NR system.
  • The access network device 20 and the terminal device 10 communicate with each other through an air interface technology, such as the Uu interface.
  • Multicast service types include: a UE sending the same information content point-to-multipoint to the UEs in a multicast service group (such as the multicast service in V2X and the multicast service in ProSe), and a wireless network (application server) sending the same information content point-to-multipoint to the UEs in the multicast service group (such as MBMS).
  • FIG. 2 shows a schematic diagram of the architecture of a multicast communication system provided by an embodiment of the present application.
  • The architecture of the multicast communication system includes: an application server 210 and a terminal device 220.
  • The application server 210 refers to the server corresponding to the multicast service.
  • The application server 210 can be a BM-SC; in the 5G system, the application server 210 can be an MBSF (Multimedia Broadcast Service Function) and an MBSU (Multimedia Broadcast Service User plane).
  • The application server may be located outside the mobile network, that is, the application server is independent of the core network device.
  • The interaction between the application server and the terminal device may then be implemented through an application layer protocol, such as HTTP (Hyper Text Transfer Protocol).
  • The application server may also be located within the mobile network, that is, the function of the application server is implemented by core network equipment (network elements) and/or access network equipment (such as base stations); for example, the function of the MBSF is implemented by the core network device SMF, and the function of the MBSU is implemented by the core network device UPF or by the access network device (e.g., a base station).
  • The interaction between the application server and the terminal device may then be performed through the control plane and/or the user plane, where control plane interaction may use NAS (Non-Access-Stratum) messages, and user plane interaction can be implemented through the radio bearer of the air interface and/or the GTP (GPRS Tunneling Protocol) of the core network.
  • The above interaction may include messages related to group establishment, service request or service revocation between the terminal device and the application server, such as the identity authentication request, key acquisition request or service revocation request in the following embodiments.
  • The multicast communication system includes at least one multicast service group.
  • Each multicast service group may correspond to a different application server 210, that is, the number of application servers 210 in the multicast communication system equals the number of multicast service groups; or, the multicast communication system includes one application server 210 configured to provide multicast services for the different multicast service groups.
  • Each multicast service group includes at least two terminal devices 220, and the device types of the terminal devices 220 in a multicast service group may be the same (for example, all handheld devices) or different (for example, some handheld devices and some in-vehicle devices).
  • The multicast service types of the multicast services in the same multicast communication system are the same, for example, one UE sends the same information content point-to-multipoint to the other UEs in the multicast service group.
  • The transmitted information may be encrypted.
  • The keys used in the information encryption process differ between multicast service groups. The following describes the keys used in the information encryption process of several typical multicast communication systems.
  • V2X multicast communication system: the terminal device applies to the application server (V2X Application Server) in V2X to join the multicast service group and obtains authorization for the group service; at this time, the terminal device obtains the GID (Group Identifier). After the terminal device obtains the GID, the KMF (Key Management Function) in V2X securely distributes the group key to the terminal device. Then, in the multicast service group the terminal device has joined, each terminal device builds a secure connection with the help of the group key, some other keys, the ID (Identity), and so on, so as to realize secure and accurate multicast communication.
  • ProSe multicast communication system: as shown in Figure 3, the terminal device completes group service authorization with the ProSe Function and the ProSe KMF, and sends a key acquisition request to the ProSe KMF, which includes the GID and security information of the terminal device. After checking the key acquisition request, the ProSe KMF uses the MIKEY (Multimedia Internet KEYing) protocol to encrypt and issue the group key (PGK), the ID of the group key and the expiration time of the group key (or issues the group member ID, the master key (PMK), the master key ID, and other information). The terminal device then uses the information sent by the ProSe KMF to achieve a secure and accurate multicast service with the other terminal devices in the multicast service group.
  • The terminal device calculates the encryption key (PEK), the integrity protection key (PIK) and other keys based on the information sent by the ProSe KMF, and uses them to protect the information transmitted in the multicast service.
  • The multicast communication process of the V2X multicast communication system may refer to that of the ProSe multicast communication system.
  • MBMS multicast communication system: the MBMS server authenticates the terminal device, and the terminal device can send an identity authentication request to the MBSF.
  • The MBSF stores the device information of the terminal device.
  • The terminal device may initiate a key acquisition request to the MBSF, which is used to request the service key (MSK).
  • The key acquisition request includes the Key Domain ID and MSK ID.
  • The server authenticates the key acquisition request and, after authentication passes, distributes the service key (MSK) and the traffic key (MTK) in sequence.
  • The service key (MSK) is encrypted and delivered in a MIKEY message protected by the user key (MUK) and is identified by the Key Domain ID and MSK ID; the traffic key (MTK) is encrypted and delivered in a MIKEY message protected by the service key (MSK) and is identified by the Key Domain ID, MSK ID and MTK ID.
  • The terminal device can send the identity authentication request and the key acquisition request to the MBSF at the same time, that is, both requests can be carried in the same message, as shown in Figure 4.
  • The identity authentication request and the key acquisition request are NAS messages.
  • Each terminal device in the multicast service group that the terminal device joins can establish a secure connection through the service key and the traffic key, so as to protect the transmitted multicast information.
  • MBMS may also be called MBS (Multicast Broadcast Service) in the 5G system, and those skilled in the art should understand its meaning.
  • The MIKEY protocol is used by the application server to deliver keys to the terminal device, that is, the message carrying a key delivered by the application server to the terminal device may be called a MIKEY message.
  • The MIKEY message protects the confidentiality and integrity of the key.
  • The encryption algorithm used by MIKEY is AES (Advanced Encryption Standard)-CM-128 or AES-KW-128, and the message authentication code is HMAC (Hash-based Message Authentication Code)-SHA (Secure Hash Algorithm)-1-160.
  • The application server distributes the service key (MSK) and the traffic key (MTK) in sequence.
  • Table 1 shows the logical structure of the MIKEY message carrying the MSK protected by the MUK, provided by an embodiment of the present application. In it:
  • EXT: contains the MSK ID, the MSK type, and the ID of the key domain where the MSK is located;
  • IDi: ID of the application server (BM-SC);
  • IDr: ID of the terminal device;
  • MIKEY RAND: used to generate the encryption key and authentication key that protect the traffic key (MTK);
  • {SP}: used in the multicast service data service; it can include information related to the security protocol (such as the algorithm used, the key length, the initial value of the algorithm, etc.);
  • KEMAC: includes the MSK ciphertext encrypted by the MUK and the MAC (message authentication code) of the MSK; the rest of the message is plaintext.
  • MIKEY RAND is not required in the message structure of the MTK. In that message:
  • EXT: includes the MTK ID and the ID, type and key domain ID of the MSK used to protect the MTK;
  • KEMAC: contains the MTK ciphertext and MAC, encrypted by the key derived from the MSK.
  • The key used for encryption and integrity protection of multicast service information is derived from the root key layer by layer according to the key system.
  • The following describes the generation of the keys for encrypting and integrity-protecting multicast service information based on the key system in the V2X multicast communication system.
  • FIG. 5 shows a schematic diagram of a key system in MBMS provided by an embodiment of the present application.
  • The key system consists of the following three layers: MUK (user key), MSK (service key), and MTK (traffic key).
  • The user key (MUK) is used to protect the delivery of the service key (MSK), and the service key (MSK) is used to protect the delivery of the traffic key (MTK).
  • The service key (MSK) may be derived from the user key (MUK), or it may be selected and issued by the application server; the traffic key (MTK) may be derived from the service key (MSK), or it may be selected and delivered by the application server.
  • The connection shown between the MUK and the MSK and between the MSK and the MTK only represents the protection relationship, not a derivation relationship.
  • FIG. 6 shows a schematic diagram of a key system in a V2X multicast communication system provided by an embodiment of the present application.
  • The key system consists of the following three layers: VGK (group key), PTK (traffic key), and PEK (encryption key) together with PIK (integrity protection key).
  • VGK, or root key, occupies 256 bits.
  • PTK, or service key, occupies 256 bits and is calculated by the terminal device after decrypting the MIKEY message sent by the application server.
  • PEK and PIK are used in the confidentiality algorithm and the integrity algorithm, respectively, to protect multicast service information.
  • PEK and PIK are calculated by the terminal device using the PTK.
  • The PTK can be updated by updating the VGK.
  • Table 4 shows the input parameters required for the derivation of PEK and PIK provided by an embodiment of the present application.
  • The PEK and PIK are updated by updating the PTK.
  • In this way, the security of the multicast service information and of the multicast communication system can be improved.
  • The above example only considers the security guarantee when a terminal device joins the multicast service group, but does not consider how to ensure the security of the multicast service information transmitted between the remaining terminal devices in the multicast service group after a terminal device exits the group.
  • The embodiments of the present application provide a key update method that can be used to ensure the security of the multicast service information transmitted between the other terminal devices when a terminal device exits a multicast service group, and thus reduce security risks.
  • The technical solutions of the present application are described below through several exemplary embodiments.
  • FIG. 7 shows a flowchart of a key update method provided by an embodiment of the present application.
  • The method can be applied to the system architectures shown in FIG. 1 and FIG. 2, and may include the following steps (710 to 720):
  • Step 710: when the first multicast service group is updated, the core network device sends a key update message to the first terminal device. The key update message is used to update the security key used by the first terminal device in the first multicast service group.
  • The first multicast service group is used to perform the first multicast service.
  • The core network device refers to a device that can provide the multicast service for the first terminal device.
  • The core network device is a server (i.e., an application server) of the multicast service.
  • The core network device may provide at least one multicast service, that is, the core network device manages at least one multicast service group.
  • The number of terminal devices in the first multicast service group is greater than or equal to two.
  • In some cases, the first multicast service group will also be updated.
  • This embodiment of the present application does not limit the situation in which the first multicast service group is updated.
  • In one case, the update of the first multicast service group means that a terminal device in the first multicast service group exits (or is cancelled); refer to the following embodiments, and details are not repeated here. In another case, the update of the first multicast service group is manifested as a change in the security requirements of the terminal devices in the first multicast service group for the multicast service.
  • When the security requirements of the service become more stringent, it is expected that strict protection of the information related to the multicast service can be achieved by continuously updating the security key.
  • When the core network device determines that the subscription of a terminal device to the first multicast service has expired, that terminal device is withdrawn from the first multicast service group; or, when the security policy of the first multicast service group is updated, the core network device actively cancels terminal devices in the first multicast service group.
  • When determining that the first multicast service group is updated, the core network device generates a key update message and delivers it to the first terminal device in the first multicast service group, in response to the update of the first multicast service group.
  • When the update of the first multicast service group indicates that a terminal device is withdrawn, the first terminal device is the remaining terminal devices in the first multicast service group other than the withdrawn terminal device.
  • The key update message is used to update the security key used by the first terminal device in the first multicast service group, where the security key is used to encrypt and integrity-protect information related to the first multicast service.
  • The key update message is a MIKEY message, that is, the key update message is delivered by the core network device to the first terminal device through the MIKEY protocol.
  • The key update message includes a random number required for deriving the security key, or a root key for deriving the security key.
  • Step 720: the first terminal device updates the security key according to the key update message.
  • After receiving the key update message, the first terminal device parses it to extract the update content it carries, and updates the security key according to the update content.
  • When the key update message is a MIKEY message, the first terminal device needs to use the encryption key of the key update message to parse it; for example, the key update message is encrypted by the user key (MUK). Since the key update message carries the content required for deriving the security key, after parsing the key update message to obtain the update content, the first terminal device can regenerate a new security key according to the update content.
  • in the technical solutions provided by the embodiments of the present application, when a multicast service group managed by the core network device is updated, a key update message is sent to the terminal equipment included in the updated multicast service group, responding to the update of the multicast service group in time and enriching the functions corresponding to the multicast service.
  • the terminal equipment included in the updated multicast service group updates the security key used in the multicast service group in time, which ensures the security of the keys used in the updated multicast service group and improves the security guarantee mechanism of the multicast service.
  • the core network device sends the key update message only to the terminal devices included in the updated multicast service group. That is, if a terminal device used the service provided by the multicast service group before the update but the updated multicast service group no longer includes it, the exiting terminal device does not receive the key update message and cannot learn the updated security key, which provides a good security guarantee for the remaining terminal devices in the multicast service group as they carry out the multicast service.
  • step 720 includes the following steps:
  • Step 722 The first terminal device updates the service key corresponding to the first multicast service according to the key update message.
  • the security key is not directly issued by the core network device to the terminal device, but is derived by the terminal device layer by layer according to the root key issued by the core network device.
  • after receiving the key update message from the core network device, the first terminal device first updates the service key corresponding to the first multicast service, and then further updates the security key according to the updated service key.
  • the name of the service key differs between multicast services: when the first multicast service is a multicast service in V2X or a multicast service in ProSe, it is called the service key; when the first multicast service includes MBMS, the corresponding key is also referred to as the service key. It should be understood that, as the communication protocol evolves, the service key may acquire new names that perform the same function, and these new names also fall within the protection scope of this application.
  • the parameters used include a group key (or called a root key) and a key calculation parameter.
  • the key calculation parameter includes a random number.
  • in the derivation input parameters, the original P0 is redesigned as a random number; that is, on the basis of the above Table 3, P0 (group member identifier) is changed to Nonce_1, as shown in Table 5 below.
  • the key update message includes at least one of the following: the updated key calculation parameter, the updated group key.
  • when the first multicast service group is updated, the core network device checks whether the group key corresponding to the first multicast service group has expired. Optionally, the core network device sets a usage time limit for the group key: when the group key is outside the usage time limit it has expired, and when it is within the usage time limit it has not expired. When the group key has expired, the core network device generates an updated group key and issues it to the first terminal device, that is, the key update message includes the updated group key; when the group key has not expired, the core network device generates an updated key calculation parameter and delivers it to the first terminal device, that is, the key update message includes the updated key calculation parameter.
  • Step 724: The first terminal device updates the security key according to the updated service key.
  • after deriving the updated service key according to the key update message, the first terminal device further updates the security key according to the updated service key, so as to remain compatible with the established key system.
  • for the manner in which the first terminal device updates the security key according to the updated service key, reference may be made to the foregoing Table 4; details are not repeated here.
  • the security key includes at least one of the following: an encryption key, an integrity protection key;
  • the security key may include a traffic key, or at least one of the following: an encryption key and an integrity protection key. It should be understood that, as the communication protocol evolves, these keys may acquire new names that perform the same function, and these new names also fall within the protection scope of this application.
  • the terminal equipment included in the updated multicast service group derives the updated service key from the key update message and further derives the updated security key from the updated service key, so that the updated security key remains compatible with the established key system of the multicast service.
  • the core network device adopts different key update methods depending on whether the group key corresponding to the multicast service has expired: when the group key has not expired, only the key calculation parameter is updated. Since updating the key calculation parameter requires fewer computing resources than updating the group key, the embodiment of the present application proposes a lightweight key update, which helps reduce the computation overhead of the core network device in generating the update content and the computation overhead of the terminal device in deriving the security key.
  • the update of the first multicast service group includes at least one of the following possibilities: a UE in the first multicast service group actively withdraws; the core network device cancels terminal equipment in the first multicast service group.
  • the above method further includes the following steps:
  • Step 801: The second terminal device sends a service cancellation request to the core network device.
  • the second terminal device refers to a terminal device that needs to cancel the multicast service in the first multicast service group before the update.
  • the second terminal device can send a service cancellation request to the core network device to request to quit the first multicast service group.
  • the service withdrawal request is a NAS message.
  • This embodiment of the present application does not limit the content of the service revocation request.
  • the service revocation request includes at least one of the following: a multicast service group identifier (GID) and an identifier of the first terminal device.
  • Step 803: The core network device cancels the second terminal device from the first multicast service group according to the service cancellation request.
  • after receiving the service cancellation request from the second terminal device, the core network device parses the request and can determine which terminal device requests to withdraw from the multicast service (the second terminal device) and which multicast service group that device belongs to (the first multicast service group). The core network device then withdraws the second terminal device from the first multicast service group in response to its service cancellation request.
  • the core network device revoking the second terminal device from the first multicast service group includes: deleting information related to the second terminal device, such as the identifier of the second terminal device, from the member list corresponding to the first multicast service group.
  • Step 805: The core network device sends a service cancellation response to the second terminal device; the service cancellation response is used to indicate to the second terminal device that its withdrawal from the first multicast service group is complete.
  • optionally, the core network device does not send a service cancellation response to the second terminal device, because after the subsequent update the remaining terminal devices in the first multicast service group have updated their security keys, and the second terminal device cannot continue the multicast service with the security key it holds.
  • the second terminal device, after sending the service cancellation request, assumes by default that it has withdrawn from the multicast service, that is, from the first multicast service group; or, if the second terminal device does not receive a response to the service cancellation request from the core network device within a period of time after sending it, it assumes by default that it has withdrawn from the multicast service. For example, the second terminal device starts a timer after sending the service cancellation request: if it receives a service cancellation response from the core network device while the timer is running, it determines that it has been cancelled from the first multicast service group; if the timer expires without a service cancellation response from the core network device, it assumes by default that it has been revoked from the first multicast service group.
  • alternatively, when the timer expires and the second terminal device has still not received a service cancellation response from the core network device, it may instead assume that it has not been withdrawn from the first multicast service group; in that case the terminal device may re-send the service cancellation request to the core network device.
  • the above method further includes the following steps:
  • Step 802: The core network device cancels the third terminal device from the first multicast service group when the subscription service of the third terminal device for the first multicast service expires.
  • the third terminal device refers to the terminal device in the first multicast service group before the update.
  • the core network equipment determines whether the subscription service of each terminal equipment for the first multicast service expires.
  • the core network device determines in real time whether the subscription service of each terminal device has expired; or, the core network device determines whether the subscription service of each terminal device has expired at preset intervals. When the core network device determines that the subscription service of the third terminal device in the first multicast service group has expired, the third terminal device is withdrawn from the first multicast service group.
  • a subscription duration or a subscription termination time is set for each terminal device subscribing to the first multicast service, so that the core network device can determine whether each terminal device may still obtain the first multicast service. For example, when each terminal device corresponds to a subscription duration, the core network device determines whether the duration for which the terminal device has obtained the first multicast service has reached the subscription duration, and if so, determines that the terminal device's subscription service for the first multicast service has expired. For another example, when each terminal device corresponds to a subscription termination time, the core network device determines whether the current time at which the terminal device obtains the first multicast service has reached the subscription termination time, and if so, determines that the terminal device's subscription service for the first multicast service has expired.
  • the same subscription duration or subscription termination time may be set for all terminal devices in the first multicast service group; or, different subscription durations or different subscription termination times may be set for different terminal devices in the first multicast service group. For example, a longer subscription duration is set for a terminal device that pays a higher fee.
  • Step 804: The core network device sends revocation prompt information to the third terminal device; the revocation prompt information is used to indicate to the third terminal device that its revocation from the first multicast service group is complete.
  • the core network device also sends a service cancellation reason to the third terminal device, which indicates why the core network device withdrew the third terminal device from the first multicast service group; for example, the service cancellation reason is that the subscription service of the third terminal device for the first multicast service has expired.
  • optionally, the service cancellation reason is carried in the revocation prompt information, which reduces the signaling exchange between the core network device and the terminal device and reduces the signaling overhead of the core network device.
  • the technical solutions provided by the embodiments of the present application enable a terminal device that needs to cancel the multicast service to send a service cancellation request to the core network device and so withdraw from the multicast service group it belongs to, which enriches the functions of the multicast service and allows flexible withdrawal from the multicast service.
  • the core network device sends a service cancellation response to the terminal device after revoking the terminal device that sent the service cancellation request from the multicast service group, so that the terminal device knows clearly whether it has successfully withdrawn from the multicast service.
  • the technical solutions provided by the embodiments of the present application have the core network device determine whether the subscription service of each terminal device in the multicast service group for the multicast service has expired, and cancel terminal devices whose subscription service has expired in time, which prevents those terminal devices from obtaining the multicast service for free and thus avoids unnecessary losses to the provider of the multicast service.
  • after revoking a terminal device whose subscription service has expired, the core network device further sends revocation prompt information to that terminal device, so that the terminal device learns in time that it can no longer obtain the multicast service and can act promptly, for example to restore the multicast service.
  • FIG. 9 only takes the V2X multicast communication system as an example, and does not constitute a limitation on the technical solution of the present application.
  • the technical solution of the present application is also applicable to other multicast communication systems, such as MBMS (also referred to as MBS), which likewise fall within the protection scope of the present application.
  • FIG. 9 shows a flowchart of a key update method provided by an embodiment of the present application.
  • the method can be applied to the system architecture shown in FIG. 1 and FIG. 2, and the method may include the following steps:
  • Step 910: The second terminal device sends a service cancellation request to the core network device.
  • the second terminal device refers to a terminal device in the first multicast service group that needs to cancel the multicast service.
  • the service withdrawal request is used to request to withdraw from the first multicast service group.
  • the service revocation request includes at least one of the following: a multicast service group identifier and an identifier of the first terminal device.
  • Step 920 The core network device cancels the second terminal device from the first multicast service group according to the service cancellation request.
  • the core network device revoking the second terminal device from the first multicast service group includes: deleting information related to the second terminal device, such as the identifier of the second terminal device, from the member list corresponding to the first multicast service group.
  • Step 930 The core network device sends a service cancellation response to the second terminal device.
  • the service revocation response is used to instruct the second terminal device to complete revocation from the first multicast service group.
  • optionally, the core network device directly cancels the second terminal device from the first multicast service group without sending a service cancellation response to the second terminal device (step 930 need not be executed).
  • Step 940: The core network device determines whether the group key corresponding to the first multicast service group has expired.
  • the core network device sets a usage time limit for the group key: when the group key is outside the usage time limit, the group key has expired; when the group key is within the usage time limit, the group key has not expired. It should be noted that this embodiment of the present application does not limit the execution order of step 940 and step 930; FIG. 9 shows step 940 executed after step 930 only for convenience of description.
  • Step 950 The core network device sends a key update message to the first terminal device.
  • the first terminal device refers to the terminal device included in the updated first multicast service group, that is, the terminal equipment remaining in the first multicast service group other than the revoked terminal device (the second terminal device).
  • the key update message is used to update the security key used by the first terminal device in the first multicast service group.
  • when the group key corresponding to the first multicast service group has expired, the key update message includes the updated group key; when the group key corresponding to the first multicast service group has not expired, the key update message includes the updated key calculation parameter.
  • the key calculation parameter includes a random number.
  • optionally, the core network device sends the key update message to the first terminal device directly when it determines that the first multicast service group has been updated (for example, on receiving a service cancellation request from the second terminal device). That is, the core network device need not determine whether the group key corresponding to the first multicast service group has expired (step 940 above need not be performed); in this case the key update message carries the updated group key by default, or alternatively carries the updated key calculation parameter by default. It should be noted that this embodiment of the present application does not limit the execution timing of step 950.
  • step 950 is executed after step 910; or, step 950 is executed after step 920; or, step 950 and step 920 are executed simultaneously.
  • Step 960: The first terminal device updates the service key (PTK) corresponding to the first multicast service according to the key update message, and updates the security keys (PEK and PIK) according to the updated service key (PTK).
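  • As an added example that is not part of the patent, the following Python models the lightweight update decision described above (refresh only the key calculation parameter Nonce_1 while the group key is within its usage time limit, otherwise issue a new group key) together with the terminal-side re-derivation of PTK and then PEK/PIK after a second terminal device withdraws (steps 910 to 960). The HMAC-SHA256 derivation, the key lifetime, the group identifier and the UE names are assumptions of this example; the page's real derivation inputs are in its Tables 3 to 5, which are not reproduced here.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 derivation over length-prefixed inputs (assumption of this
    example; the patent's own derivation function is given in its tables)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()


def derive_service_key(group_key: bytes, nonce: bytes, gid: bytes) -> bytes:
    """Service key (PTK) from the group/root key with Nonce_1 as input P0."""
    return kdf(group_key, b"PTK", nonce, gid)


def derive_security_keys(ptk: bytes):
    """Encryption key (PEK) and integrity key (PIK) from the service key."""
    return kdf(ptk, b"PEK"), kdf(ptk, b"PIK")


@dataclass
class KeyUpdateMessage:
    gid: bytes
    group_key: Optional[bytes] = None  # set only when the old group key expired
    nonce: Optional[bytes] = None      # set only when the group key is still valid


class CoreNetwork:
    """Core network side: member list, group key usage time limit, steps 920-950."""

    def __init__(self, gid: bytes, members, key_lifetime: int, now: int):
        self.gid = gid
        self.members = set(members)
        self.key_lifetime = key_lifetime
        self.group_key = os.urandom(32)
        self.group_key_expiry = now + key_lifetime
        self.nonce = os.urandom(16)

    def initial_material(self):
        return self.group_key, self.nonce

    def group_key_expired(self, now: int) -> bool:
        return now >= self.group_key_expiry  # outside the usage time limit

    def handle_service_cancellation(self, ue_id: str, now: int) -> Dict[str, KeyUpdateMessage]:
        """Step 920: drop the UE from the member list. Steps 940/950: build the key
        update message and deliver it only to the remaining members (in the
        patent a per-member MUK-protected MIKEY message; modelled as a dict)."""
        self.members.discard(ue_id)
        if self.group_key_expired(now):
            self.group_key = os.urandom(32)
            self.group_key_expiry = now + self.key_lifetime
            msg = KeyUpdateMessage(self.gid, group_key=self.group_key)
        else:
            self.nonce = os.urandom(16)  # lightweight update: new Nonce_1 only
            msg = KeyUpdateMessage(self.gid, nonce=self.nonce)
        return {ue: msg for ue in self.members}


class Terminal:
    """Terminal side: holds group key and nonce, re-derives PTK -> PEK/PIK (step 960)."""

    def __init__(self, ue_id: str, gid: bytes, group_key: bytes, nonce: bytes):
        self.ue_id, self.gid = ue_id, gid
        self.group_key, self.nonce = group_key, nonce
        self._refresh()

    def _refresh(self):
        self.ptk = derive_service_key(self.group_key, self.nonce, self.gid)
        self.pek, self.pik = derive_security_keys(self.ptk)

    def apply_update(self, msg: KeyUpdateMessage):
        if msg.gid != self.gid:
            raise ValueError("key update message for a different multicast service group")
        if msg.group_key is not None:
            self.group_key = msg.group_key
        if msg.nonce is not None:
            self.nonce = msg.nonce
        self._refresh()


def simulate_withdrawal(now_at_update: int, key_lifetime: int = 3600) -> dict:
    """ue3 (the second terminal device) withdraws at now_at_update; reports which
    message kind was sent and what the remaining and withdrawn UEs end up holding."""
    gid = b"group-1"  # constructed sample identifier
    core = CoreNetwork(gid, ["ue1", "ue2", "ue3"], key_lifetime, now=0)
    gk, nonce = core.initial_material()
    ues = {u: Terminal(u, gid, gk, nonce) for u in ["ue1", "ue2", "ue3"]}
    old_pek = ues["ue1"].pek
    updates = core.handle_service_cancellation("ue3", now_at_update)
    for ue_id, msg in updates.items():  # ue3 is not among the recipients
        ues[ue_id].apply_update(msg)
    return {
        "msg_kind": "group_key" if updates["ue1"].group_key else "nonce",
        "remaining_agree": ues["ue1"].pek == ues["ue2"].pek and ues["ue1"].pik == ues["ue2"].pik,
        "keys_rotated": ues["ue1"].pek != old_pek,
        "withdrawn_excluded": "ue3" not in updates and ues["ue3"].pek != ues["ue1"].pek,
    }
```

  • Note that in the nonce-only case the withdrawn device still holds the unchanged group key, so its exclusion rests entirely on the key update message being delivered (and MUK-protected) only to the remaining members, exactly as the patent requires.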
  • the key update method provided by the present application is described mainly from the perspective of interaction between the first terminal device, the second terminal device and the core network device.
  • the above-mentioned steps performed by the first terminal device can be implemented independently as a key update method on the first terminal device side; the above-mentioned steps performed by the core network device can be implemented independently as a key update method on the core network device side.
  • FIG. 10 shows a block diagram of a key update apparatus provided by an embodiment of the present application.
  • the apparatus has the function of implementing the above-mentioned first terminal device-side method example, and the function may be implemented by hardware or by executing corresponding software in hardware.
  • the apparatus may be the above-mentioned terminal equipment, or may be set in the terminal equipment.
  • the apparatus 1000 may include: a message receiving module 1010 and a key updating module 1020.
  • the message receiving module 1010 is configured to receive a key update message from a network device.
  • the key update module 1020 is configured to update, according to the key update message, the security key used by the first terminal device in the first multicast service group, where the first multicast service group is used to perform the first multicast service.
  • the key update module is configured to: update the service key corresponding to the first multicast service according to the key update message; and update the security key according to the updated service key.
  • the key update message includes at least one of the following: an updated key calculation parameter, and an updated group key.
  • the key calculation parameter includes a random number.
  • when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key; when the group key has not expired, the key update message includes the updated key calculation parameter.
  • the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, and MBMS.
  • the service key includes a service key; and the first multicast service includes MBMS.
  • the security key includes at least one of the following: an encryption key and an integrity protection key;
  • the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, and MBMS.
  • the security key includes a traffic key; and the first multicast service includes MBMS.
  • FIG. 11 shows a block diagram of a key update apparatus provided by an embodiment of the present application.
  • the apparatus has the function of implementing the above-mentioned method example on the device side of the core network, and the function may be implemented by hardware, or by executing corresponding software in the hardware.
  • the apparatus may be the core network equipment described above, or may be provided in the core network equipment.
  • the apparatus 1100 may include: a message sending module 1110.
  • the message sending module 1110 is configured to send a key update message to the first terminal device when the first multicast service group is updated, where the key update message is used to update the security key used by the first terminal device in the first multicast service group, and the first multicast service group is used to perform the first multicast service.
  • the key update message includes at least one of the following: an updated key calculation parameter, and an updated group key.
  • the key calculation parameter includes a random number.
  • when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key; when the group key has not expired, the key update message includes the updated key calculation parameter.
  • the security key includes at least one of the following: an encryption key and an integrity protection key;
  • the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, and MBMS.
  • the security key includes a traffic key; and the first multicast service includes MBMS.
  • the apparatus 1100 further includes: a request receiving module 1120, configured to receive a service cancellation request from the second terminal device; and a device cancellation module 1130, configured to withdraw the second terminal device from the first multicast service group according to the service cancellation request.
  • the service revocation request includes at least one of the following items: a multicast service group identifier, and an identifier of the first terminal device.
  • the apparatus 1100 further includes: a response sending module 1140, configured to send a service cancellation response to the second terminal device, where the service cancellation response is used to indicate to the second terminal device that its revocation from the first multicast service group is complete.
  • when the apparatus provided in the above embodiment implements its functions, the division into the above functional modules is merely an example; in practical applications, the above functions may be allocated to different functional modules as required, that is, the internal structure of the apparatus is divided into different functional modules to perform all or part of the functions described above.
  • FIG. 13 shows a schematic structural diagram of a terminal device 130 provided by an embodiment of the present application.
  • the terminal device can be used to execute the above-mentioned first terminal device side key update method.
  • the terminal device 130 may include: a processor 131, and a transceiver 132 connected to the processor 131; wherein:
  • the processor 131 includes one or more processing cores, and the processor 131 executes various functional applications and information processing by running software programs and modules.
  • Transceiver 132 includes a receiver and a transmitter.
  • transceiver 132 is a communication chip.
  • the terminal device 130 further includes: a memory and a bus.
  • the memory is connected to the processor through a bus.
  • the memory can be used to store a computer program, and the processor is used to execute the computer program, so as to implement each step performed by the first terminal device in the above method embodiment.
  • the memory may be implemented by any type or combination of volatile or non-volatile storage devices, including but not limited to: RAM (Random-Access Memory), ROM (Read-Only Memory), EPROM (Erasable Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other solid-state storage technology, CD-ROM (Compact Disc Read-Only Memory), DVD (Digital Video Disc) or other optical storage, tape cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Wherein:
  • the transceiver 132 is configured to receive a key update message from a network device.
  • the processor 131 is configured to update, according to the key update message, the security key used by the first terminal device in the first multicast service group, where the first multicast service group is used to perform the first multicast service.
  • the processor 131 is configured to: update the service key corresponding to the first multicast service according to the key update message; and update the security key according to the updated service key.
  • the key update message includes at least one of the following: an updated key calculation parameter, and an updated group key.
  • the key calculation parameter includes a random number.
  • when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key; when the group key has not expired, the key update message includes the updated key calculation parameter.
  • the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, and MBMS.
  • the service key includes a service key; and the first multicast service includes MBMS.
  • the security key includes at least one of the following: an encryption key and an integrity protection key;
  • the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, and MBMS.
  • the security key includes a traffic key; and the first multicast service includes MBMS.
  • FIG. 14 shows a schematic structural diagram of a core network device 1413 provided by an embodiment of the present application.
  • the core network device can be used to execute the above-mentioned core network device-side key update method.
  • the core network device 1413 may include: a processor 141, and a transceiver 142 connected to the processor 141; wherein:
  • the processor 141 includes one or more processing cores, and the processor 141 executes various functional applications and information processing by running software programs and modules.
  • Transceiver 142 includes a receiver and a transmitter.
  • transceiver 142 is a communication chip.
  • the core network device 1413 further includes: a memory and a bus.
  • the memory is connected to the processor through a bus.
  • the memory can be used to store a computer program, and the processor is used to execute the computer program, so as to implement various steps performed by the core network device in the above method embodiments.
  • the memory may be implemented by any type or combination of volatile or non-volatile storage devices including, but not limited to: RAM and ROM, EPROM, EEPROM, flash memory or other Solid-state storage technology, CD-ROM, DVD or other optical storage, tape cartridges, magnetic tape, magnetic disk storage or other magnetic storage devices. in:
  • the transceiver 142 is configured to send a key update message to the first terminal device when the first multicast service group is updated, where the key update message is used to update the security key used by the first terminal device in the first multicast service group, and the first multicast service group is used to perform the first multicast service.
  • the key update message includes at least one of the following: an updated key calculation parameter, and an updated group key.
  • the key calculation parameter includes a random number.
  • when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key; when the group key has not expired, the key update message includes the updated key calculation parameter.
  • the security key includes at least one of the following: an encryption key and an integrity protection key;
  • the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, and MBMS.
  • the security key includes a traffic key; and the first multicast service includes MBMS.
  • the transceiver 142 is configured to receive a service withdrawal request from the second terminal device; the processor 141 is configured to withdraw the second terminal device from the first multicast service group according to the service withdrawal request.
  • the service withdrawal request includes at least one of the following: a multicast service group identifier, and an identifier of the first terminal device.
  • the transceiver 142 is configured to send a service withdrawal response to the second terminal device, where the service withdrawal response is used to indicate to the second terminal device that its withdrawal from the first multicast service group is complete.
  • Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is to be executed by a processor of a terminal device to implement the above-mentioned first terminal-device-side key update method.
  • Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is to be executed by a processor of a core network device to implement the above-mentioned core-network-device-side key update method.
  • An embodiment of the present application further provides a chip, where the chip includes a programmable logic circuit and/or program instructions, and when the chip runs on a terminal device, it is used to implement the above-mentioned first terminal-device-side key update method.
  • An embodiment of the present application further provides a chip, where the chip includes a programmable logic circuit and/or program instructions, and when the chip runs on a core network device, it is used to implement the above-mentioned core-network-device-side key update method.
  • Embodiments of the present application further provide a computer program product which, when run on a terminal device, causes the computer to execute the above-mentioned first terminal-device-side key update method.
  • Embodiments of the present application further provide a computer program product which, when run on a core network device, causes the computer to execute the above-mentioned core-network-device-side key update method.
  • Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another.
  • a storage medium can be any available medium that can be accessed by a general-purpose or special-purpose computer.

Abstract

The present application relates to the technical field of communications and disclosed thereby are key update methods, apparatus and devices, and a storage medium. A method comprises: a core network device sends a key update message to a first terminal device when a first multicast service group is updated, the key update message being used to update a security key used by the first terminal device in the first multicast service group, and the first multicast service group being used to perform a first multicast service; and the first terminal device updates the security key according to the key update message. Embodiments of the present application enrich functions corresponding to a multicast service, ensure the security of a multicast service performed in an updated multicast service group, and improve the security guarantee mechanism of the multicast service.

Description

Key Update Methods, Apparatus and Devices, and Storage Medium
Technical Field
The embodiments of the present application relate to the field of communication technologies, and in particular to a key update method, apparatus, device, and storage medium.
Background
With the rapid development of network communication technology, demand for mobile communication is no longer satisfied by telephony and messaging services alone, and a large number of multimedia service requirements are continually emerging.
Some of these multimedia services require multiple UEs (User Equipment) to be able to receive the same data at the same time, such as video on demand, TV broadcasting, online education, and in-vehicle communication. Compared with ordinary data, these multimedia services involve large data volumes and long durations. To use mobile network resources effectively and serve UEs better, multicast services were introduced. For V2X (Vehicle to Everything) or ProSe (Proximity Service), a multicast service means that one UE sends the same information content point-to-multipoint to the UEs in a multicast service group; for MBMS (Multimedia Broadcast/Multicast Service), a multicast service means that the wireless network sends the same information content point-to-multipoint to the UEs in a multicast service group. Multicast services allow network resources to be shared and improve their utilization, especially of air interface resources, providing users with high-speed, stable multimedia services efficiently.
However, how to send information related to multicast services to users securely still requires further study.
Summary of the Invention
Embodiments of the present application provide a key update method, apparatus, device, and storage medium. The technical solution is as follows:
In one aspect, an embodiment of the present application provides a key update method applied to a terminal device, the method including:
receiving a key update message from a network device;
updating, according to the key update message, the security key used by the first terminal device in a first multicast service group, the first multicast service group being used to perform a first multicast service.
In another aspect, an embodiment of the present application provides a key update method applied to a core network device, the method including:
when a first multicast service group is updated, sending a key update message to a first terminal device, the key update message being used to update the security key used by the first terminal device in the first multicast service group, and the first multicast service group being used to perform a first multicast service.
In yet another aspect, an embodiment of the present application provides a key update apparatus arranged in a terminal device, the apparatus including:
a message receiving module, configured to receive a key update message from a network device;
a key update module, configured to update, according to the key update message, the security key used by the first terminal device in a first multicast service group, the first multicast service group being used to perform a first multicast service.
In yet another aspect, an embodiment of the present application provides a key update apparatus arranged in a core network device, the apparatus including:
a message sending module, configured to send a key update message to a first terminal device when a first multicast service group is updated, the key update message being used to update the security key used by the first terminal device in the first multicast service group, and the first multicast service group being used to perform a first multicast service.
In yet another aspect, an embodiment of the present application provides a terminal device, the terminal device including: a processor, and a transceiver connected to the processor; wherein:
the transceiver is configured to receive a key update message from a network device;
the processor is configured to update, according to the key update message, the security key used by the first terminal device in a first multicast service group, the first multicast service group being used to perform a first multicast service.
In yet another aspect, an embodiment of the present application provides a core network device, the core network device including: a processor, and a transceiver connected to the processor; wherein:
the transceiver is configured to send a key update message to a first terminal device when a first multicast service group is updated, the key update message being used to update the security key used by the first terminal device in the first multicast service group, and the first multicast service group being used to perform a first multicast service.
In yet another aspect, an embodiment of the present application provides a computer-readable storage medium storing a computer program, the computer program being executed by a processor of a terminal device to implement the above first terminal-device-side key update method.
In yet another aspect, an embodiment of the present application provides a computer-readable storage medium storing a computer program, the computer program being executed by a processor of a core network device to implement the above core-network-device-side key update method.
In yet another aspect, an embodiment of the present application provides a chip including a programmable logic circuit and/or program instructions which, when the chip runs on a terminal device, implement the above first terminal-device-side key update method.
In yet another aspect, an embodiment of the present application provides a chip including a programmable logic circuit and/or program instructions which, when the chip runs on a core network device, implement the above core-network-device-side key update method.
In yet another aspect, an embodiment of the present application provides a computer program product which, when run on a terminal device, causes the computer to execute the above first terminal-device-side key update method.
In yet another aspect, an embodiment of the present application provides a computer program product which, when run on a core network device, causes the computer to execute the above core-network-device-side key update method.
The technical solutions provided by the embodiments of the present application may have the following beneficial effects:
When a multicast service group managed by a core network device is updated, the core network device sends a key update message to the terminal devices included in the updated multicast service group, responding promptly to the update of that group and enriching the functions of the multicast service. Moreover, on receiving the key update message, the terminal devices included in the updated multicast service group promptly update the security key they use in that group, which protects the multicast service carried out in the updated group and improves the security guarantee mechanism of the multicast service. In addition, the core network device sends the key update message only to the terminal devices included in the updated multicast service group. That is, if a terminal device used the multicast service provided by the group before the update, but the update was caused by that terminal device withdrawing from the group, the updated group no longer includes it; the terminal devices in the updated group have updated their security key, while the withdrawn terminal device received no key update message and therefore cannot learn the updated security key, which provides good security for the multicast service carried out by the remaining terminal devices in the group.
Brief Description of the Drawings
To illustrate the technical solutions in the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a system architecture provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of a multicast communication system architecture provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of a multicast communication process provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of a multicast communication process provided by another embodiment of the present application;
FIG. 5 is a schematic diagram of a key hierarchy provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of a key hierarchy provided by another embodiment of the present application;
FIG. 7 is a flowchart of a key update method provided by an embodiment of the present application;
FIG. 8 is a schematic diagram of a multicast service group update method provided by an embodiment of the present application;
FIG. 9 is a flowchart of a key update method provided by another embodiment of the present application;
FIG. 10 is a block diagram of a key update apparatus provided by an embodiment of the present application;
FIG. 11 is a block diagram of a key update apparatus provided by another embodiment of the present application;
FIG. 12 is a block diagram of a key update apparatus provided by yet another embodiment of the present application;
FIG. 13 is a block diagram of a terminal device provided by an embodiment of the present application;
FIG. 14 is a block diagram of a core network device provided by an embodiment of the present application.
Detailed Description
To make the objectives, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
The network architecture and service scenarios described in the embodiments of the present application are intended to illustrate the technical solutions of the embodiments more clearly and do not limit them. Those of ordinary skill in the art will understand that, as network architectures evolve and new service scenarios emerge, the technical solutions provided in the embodiments of the present application are equally applicable to similar technical problems.
Please refer to FIG. 1, which shows a schematic diagram of a system architecture provided by an embodiment of the present application. The system architecture 100 may include: a terminal device 10, an access network device 20, and a core network device 30.
The terminal device 10 may refer to a UE, an access terminal, a subscriber unit, a subscriber station, a mobile station, a mobile terminal, a remote station, a remote terminal, a mobile device, a wireless communication device, a user agent, or a user apparatus. Optionally, the terminal device may also be a cellular phone, a cordless phone, a SIP (Session Initiation Protocol) phone, a WLL (Wireless Local Loop) station, a PDA (Personal Digital Assistant), a handheld device with a wireless communication function, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in 5G (5th Generation mobile communication technology), or a terminal device in a future evolved PLMN (Public Land Mobile Network), which is not limited in the embodiments of the present application. For convenience of description, the devices mentioned above are collectively referred to as terminal devices. There are usually multiple terminal devices 10, and one or more terminal devices 10 may be distributed in the cell managed by each access network device 20.
The access network device 20 is deployed in the access network to provide the terminal device 10 with a wireless communication function. The access network device 20 may include various forms of macro base stations, micro base stations, relay stations, access points, and the like. In systems using different radio access technologies, the name of the device providing the access network device function may differ; for example, in a 5G NR (New Radio) system it is called a gNodeB or gNB. As communication technology evolves, the name "access network device" may change. For convenience of description, in the embodiments of the present application, the above apparatuses providing a wireless communication function for the terminal device 10 are collectively referred to as access network devices. Optionally, a communication relationship can be established between the terminal device 10 and the core network device 30 through the access network device 20. Exemplarily, in an LTE (Long Term Evolution) system, the access network device 20 may be an EUTRAN (Evolved Universal Terrestrial Radio Access Network) or one or more eNodeBs (evolved Node Bs) in the EUTRAN; in a 5G NR system, the access network device 20 may be a RAN (Radio Access Network) or one or more gNBs in the RAN.
The core network device 30 mainly provides user connectivity, user management and service bearing, and serves as the bearer network's interface to external networks. For example, the core network device 30 in a 5G NR system may include an AMF (Access and Mobility Management Function) entity, a UPF (User Plane Function) entity, an SMF (Session Management Function) entity, and other devices.
In one example, the access network device 20 and the core network device 30 communicate with each other through a certain air technology, such as the NG interface in a 5G NR system. The access network device 20 and the terminal device 10 communicate with each other through a certain air technology, such as the Uu interface.
As can be seen from the above description, some multimedia services require multiple UEs to receive the same data at the same time, and compared with ordinary data these services involve large data volumes and long durations. To use mobile network resources effectively and serve UEs better, multicast services were introduced. Multicast service types include: one UE sending the same information content point-to-multipoint to the UEs in a multicast service group (such as the multicast service in V2X and the multicast service in ProSe), and the wireless network (application server) sending the same information content point-to-multipoint to the UEs in a multicast service group (such as MBMS).
Please refer to FIG. 2, which shows a schematic diagram of a multicast communication system architecture provided by an embodiment of the present application. The multicast communication system architecture includes an application server 210 and terminal devices 220.
The application server 210 is the server corresponding to the multicast service. Exemplarily, in an LTE system the application server 210 may be a BM-SC; in a 5G system the application server 210 may be an MBSF (Multimedia Broadcast Service Function) and an MBSU (Multimedia Broadcast Service User plane). Optionally, the application server may be located outside the mobile network, that is, independent of the core network devices. When the application server is located outside the mobile network, the interaction between the application server and the terminal device may optionally be implemented through an application layer protocol, such as HTTP (Hyper Text Transfer Protocol). Optionally, the application server may also be located within the mobile network, that is, its functions are implemented by core network devices (also called network elements) in the core network and/or by access network devices (such as base stations); for example, the function of the MBSF is implemented by the core network device SMF, and the function of the MBSU is implemented by the core network device UPF or by an access network device (such as a base station). When the application server is located within the mobile network, the interaction between the application server and the terminal device may optionally take place over the control plane and/or the user plane, where control plane interaction can use NAS (Non-Access-Stratum) messages, and user plane interaction can use the radio bearer of the air interface and/or the GTP (GPRS Tunneling Protocol) of the core network. Optionally, the above interaction may include messages between the terminal device and the application server related to group establishment, service requests or service withdrawal, such as the identity authentication request, key acquisition request or service withdrawal request in the following embodiments.
In one example, the multicast communication system includes at least one multicast service group. Optionally, each multicast service group corresponds to a different application server 210, that is, the number of application servers 210 in the multicast communication system equals the number of multicast service groups; alternatively, every multicast service group corresponds to the same application server 210, that is, the multicast communication system includes one application server 210 that provides multicast services for the different multicast service groups in the system. Optionally, each multicast service group includes at least two terminal devices 220, and the device types of the terminal devices 220 in a multicast service group may be the same (for example, all handheld devices) or different (for example, some handheld devices and some in-vehicle devices). Optionally, the multicast service type of the multicast services in the same multicast communication system is the same, for example, all of them involve one UE sending the same information content point-to-multipoint to the other UEs in the multicast service group.
Optionally, when information needs to be transmitted within a multicast service group, the transmitted information may be encrypted to ensure its security and accuracy. Optionally, to improve the security of the transmitted information, the keys used to encrypt information differ between multicast service groups. The keys used in the information encryption process are introduced below for several typical multicast communication systems.
V2X multicast communication system: a terminal device applies to the application server in V2X (V2X Application Server) to join a multicast service group and obtains group service authorization, at which point the terminal device obtains a GID (Group Identifier). After the terminal device obtains the GID, the KMF (Key Management Function) in V2X securely distributes the group key to the terminal device. Then, within the multicast service group that the terminal device applied to join, each terminal device establishes a secure connection with the help of the group key together with some other keys, IDs (identities) and so on, so that multicast communication is carried out securely and accurately.
ProSe multicast communication system: as shown in FIG. 3, the terminal device completes group service authorization with the ProSe Function and the ProSe KMF, then sends a key acquisition request to the ProSe KMF; the key acquisition request includes the GID and the security capabilities of the terminal device. After checking the key acquisition request, the ProSe KMF uses the MIKEY (multimedia network encryption) protocol to encrypt and deliver the group key (PGK), the ID of the group key and the expiry time of the group key (or delivers the group member ID, the master key (PMK), the master key ID and other information). Next, the terminal device uses the information delivered by the ProSe KMF to carry out a secure and accurate multicast service with the remaining terminal devices in the multicast service group: from the information delivered by the ProSe KMF, the terminal device computes keys such as the encryption key (PEK) and the integrity protection key (PIK), which protect the information transmitted in the multicast service. After receiving the transmitted information, the receiving terminal device inspects the layer-2 header of the information to obtain the LC (Logic Channel) ID, the group identifier and the group member identifier; it then identifies which group key the sending terminal device used, checks whether that group key is valid, and further computes the encryption key and the integrity protection key to process the received message. Optionally, the multicast communication process of the V2X multicast communication system may follow the multicast communication process of the ProSe multicast communication system.
MBMS multicast communication system: first, the MBMS server (MBSF) authenticates the terminal device; the terminal device may send an identity authentication request to the MBSF. After the terminal device is authenticated successfully, the MBSF stores the device information of the terminal device. Afterwards, the terminal device may initiate a key acquisition request to the MBSF, which is used to request the service key (MSK); optionally, the key acquisition request includes the Key Domain ID and the MSK ID. The server authenticates the key acquisition request and, after authentication passes, distributes the service key (MSK) and then the traffic key (MTK) in sequence. The service key (MSK) is encrypted and delivered in a MIKEY message protected by the user key (MUK), and is identified by the Key Domain ID and the MSK ID; the traffic key (MTK) is encrypted and delivered in a MIKEY message protected by the service key (MSK), and is identified by the Key Domain ID, the MSK ID and the MTK ID. It should be noted that, to reduce the signaling exchange between the terminal device and the MBSF, the terminal device may send the identity authentication request and the key acquisition request to the MBSF at the same time, that is, the identity authentication request and the key acquisition request may be carried in the same message, as shown in FIG. 4. Optionally, the identity authentication request and the key acquisition request are NAS messages. Afterwards, each terminal device in the multicast service group that the terminal device joined can establish a secure connection through the service key and the traffic key, in order to protect the transmitted multicast information. It should also be noted that in the 5G system MBMS may be called MBS (Multicast Broadcast Service); those skilled in the art will understand its meaning.
In one example, the application server always uses the MIKEY protocol to deliver keys to the terminal device; that is, the key-carrying message delivered by the application server to the terminal device may be called a MIKEY message. A MIKEY message protects the confidentiality and integrity of the key. Optionally, the encryption algorithm used by MIKEY is AES (Advanced Encryption Standard)-CM-128 or AES-KW-128, and the message authentication code is HMAC (Hash-based Message Authentication Code)-SHA (Secure Hash Algorithm)-1-160. The MIKEY message is described below using MBMS as an example.
From the description of the MBMS multicast communication system above, after the terminal device is authenticated successfully, the application server distributes the service key (MSK) and then the traffic key (MTK) in sequence.
Table 1: Service key (MSK) message structure
    Common HDR
    EXT (extension payload)
    TS
    MIKEY RAND (random number)
    IDi
    IDr
    {SP (Security Policy)}
    KEMAC
Table 1 above shows the logical structure of the MIKEY message carrying the MSK protected by the MUK, according to an embodiment of the present application, where:
EXT: contains the MSK ID and the MSK type, and the ID of the key domain the MSK belongs to;
IDi: ID of the application server (BM-SC);
IDr: ID of the terminal device;
MIKEY RAND: used to generate the encryption key and the authentication key with which the traffic key (MTK) to be protected is processed;
{SP}: used in the multicast data service; may include information related to the security protocol (such as the algorithm used, the key length, the initial values of the algorithm, etc.);
KEMAC: includes the MSK ciphertext encrypted with the MUK and the MAC (message authentication code) of the MSK; the remaining parts of the message are in plaintext.
Table 2: Traffic key (MTK) message structure
    Common HDR
    EXT (extension payload)
    TS
    KEMAC
Table 2 above shows the logical structure of the MIKEY message in which the application server delivers the MTK, according to an embodiment of the present application. Because the keys derived from the MIKEY RAND of the MIKEY message carrying the MSK are used to protect the MTK, no MIKEY RAND is needed in the MTK message structure, where:
EXT: includes the MTK, the ID and type of the MSK used to protect the MTK, and the ID of the key domain it belongs to;
KEMAC: includes the MTK ciphertext encrypted with the key derived from the MSK, and the MAC.
From the description above, the key that is ultimately used for encryption and integrity protection of multicast service information is derived layer by layer from the root key according to the key hierarchy. The generation of the keys that encrypt and integrity-protect multicast service information is described below using the key hierarchy of the V2X multicast communication system.
Please refer to FIG. 5, which shows a schematic diagram of the key hierarchy in MBMS according to an embodiment of the present application. As FIG. 5 shows, the MBMS key hierarchy consists of three layers: MUK (user key), MSK (service key) and MTK (traffic key). The user key (MUK) protects the delivery of the service key (MSK), and the service key (MSK) protects the delivery of the traffic key (MTK). The service key (MSK) may be derived from the user key (MUK) or may be selected and delivered by the application server; the traffic key (MTK) may be derived from the service key (MSK) or may be selected and delivered by the application server. It should be understood that in the key hierarchy of FIG. 5 the connection between MUK and MSK and the connection between MSK and MTK only represent the protection relationship and do not limit the derivation relationship.
Please refer to FIG. 6, which shows a schematic diagram of the key hierarchy in the V2X multicast communication system according to an embodiment of the present application. As FIG. 6 shows, the key hierarchy of the V2X multicast communication system consists of three layers: VGK (group key), PTK (traffic key), and PEK (encryption key) together with PIK (integrity protection key). It should be understood that in the V2X multicast communication system the traffic key, the encryption key and the integrity protection key keep the names used in the ProSe multicast communication system; as communication protocols evolve, other names may arise, for example the traffic key may be called VTK, the encryption key VEK and the integrity protection key VIK, and such evolved names also fall within the protection scope of the present application, where:
VGK: also called the root key; it occupies 256 bits.
PTK: also called the service key; it occupies 256 bits and is computed by the terminal device after decrypting the MIKEY message delivered by the application server.
PEK and PIK: used in the confidentiality algorithm and the integrity algorithm respectively, to protect multicast service information. PEK and PIK are computed by the terminal device using the PTK.
Table 3: PTK derivation input parameters
    KDF input parameter    Value
    FC                     0x4A
    P0                     Group Member Identity
    L0                     length of P0
    P1                     PTK Identity
    L1                     length of P1
    P2                     Group Identity
    L2                     length of P2
    Input Key              256-bit VGK
Table 3 above shows the input parameters needed to derive the PTK, according to an embodiment of the present application. In one example, the PTK can be updated by updating the VGK.
Table 4: PEK and PIK derivation input parameters
    [Table 4 appears in the original only as images PCTCN2020110081-appb-000001 and PCTCN2020110081-appb-000002; its contents are not available in this text.]
Table 4 above shows the input parameters needed to derive the PEK and PIK, according to an embodiment of the present application. In one example, the PEK and PIK are updated by updating the PTK.
Encrypting and integrity-protecting multicast service information in the manner described above improves the security of the multicast service information and of the multicast communication system. However, the examples above only consider the security guarantee when a terminal device joins a multicast service group; they do not consider how to secure the multicast service information transmitted among the remaining terminal devices when a terminal device exits the multicast service group. For this reason, the embodiments of the present application provide a key update method that can secure the multicast service information transmitted among the remaining terminal devices when a terminal device exits a multicast service group, reducing security risks. The technical solution of the present application is described below through several exemplary embodiments.
Please refer to FIG. 7, which shows a flowchart of a key update method according to an embodiment of the present application. The method may be applied to the system architectures shown in FIG. 1 and FIG. 2 and may include the following steps (710 to 720):
Step 710: when the first multicast service group is updated, the core network device sends a key update message to the first terminal device; the key update message is used to update the security key that the first terminal device uses in the first multicast service group, and the first multicast service group is used to carry out the first multicast service.
The core network device is a device that can provide the multicast service to the first terminal device; optionally, the core network device is the server of the multicast service (that is, the application server). For other descriptions of the application server, refer to the embodiments above; they are not repeated here. The first multicast service group is used to carry out the first multicast service. In the embodiments of the present application, the core network device may provide at least one multicast service, that is, it manages at least one multicast service group. Optionally, the number of terminal devices in the first multicast service group is greater than or equal to 2.
As the service requirements of terminal devices change, the first multicast service group is also updated. The embodiments of the present application do not limit the situations in which the first multicast service group is updated. Optionally, an update of the first multicast service group means that a terminal device in the first multicast service group exits (or is withdrawn); refer to the embodiments below, not repeated here. Alternatively, an update of the first multicast service group means that the security requirements of the terminal devices in the first multicast service group for the multicast service have changed, for example the terminal devices now have stricter security requirements for the multicast service and expect to strictly protect the information related to the multicast service by continually updating the security key. Alternatively, an update of the first multicast service group means that the core network device withdraws a terminal device from the first multicast service group; for example, when the core network device determines that a terminal device's subscription to the first multicast service has expired, it withdraws that terminal device from the first multicast service group, or the core network device proactively withdraws terminal devices from the first multicast service group when the security policy for the first multicast service group is updated.
When the core network device determines that the first multicast service group has been updated, it generates a key update message and delivers it to the first terminal device in the first multicast service group, so as to respond in time to the update of the first multicast service group. When the update of the first multicast service group consists of a terminal device being withdrawn, the first terminal device is any of the remaining terminal devices in the first multicast service group other than the withdrawn terminal device. The key update message is used to update the security key that the first terminal device uses in the first multicast service group; that security key is used to encrypt and integrity-protect information related to the first multicast service. Optionally, the key update message is a MIKEY message, that is, the core network device delivers the key update message to the first terminal device through the MIKEY protocol. The embodiments of the present application do not limit the specific content of the key update message; optionally, the key update message includes the random number needed to derive the security key, or the root key from which the security key is derived, and so on. For a description of the content of the key update message, refer to the embodiments below; not repeated here.
Step 720: the first terminal device updates the security key according to the key update message.
After receiving the key update message, the first terminal device parses it to extract the update content it carries, and updates the security key according to that update content. Optionally, when the key update message is a MIKEY message, the first terminal device needs the encryption key of the key update message in order to parse it; for example, in MBMS the key update message is encrypted with the user key (MUK). Because the key update message carries the content needed to derive the security key, the first terminal device, after parsing the key update message to obtain the update content, simply re-derives a new security key from that update content.
In summary, in the technical solution provided by the embodiments of the present application, when a multicast service group managed by the core network device is updated, the core network device sends a key update message to the terminal devices included in the updated multicast service group, responding in time to the update of that group and enriching the functions of the multicast service. Moreover, after receiving the key update message, the terminal devices in the updated multicast service group promptly update the security key used in that group, which secures the multicast service carried out in the updated group and improves the security guarantee mechanism of the multicast service. In addition, the core network device sends the key update message only to the terminal devices included in the updated multicast service group. That is, if a terminal device used the multicast service provided by the group before the update, but the update was caused by that terminal device exiting the group, then the updated group no longer includes it; because the terminal devices in the updated group have updated the security key while the exited terminal device did not receive the key update message, the exited terminal device cannot learn the updated security key, which provides good security for the remaining terminal devices in the multicast service group to carry out the multicast service.
The security key update process is described below.
In one example, step 720 above includes the following steps:
Step 722: the first terminal device updates the service key corresponding to the first multicast service according to the key update message.
From the description of the key hierarchy above, the security key is not delivered directly by the core network device to the terminal device; rather, the terminal device derives it layer by layer from the root key delivered by the core network device. To remain compatible with the established key hierarchy, in the embodiments of the present application the first terminal device, after receiving the key update message from the core network device, first updates the service key corresponding to the first multicast service and then further updates the security key from the service key.
The name of the service key differs between multicast service communication systems. For example, when the first multicast service is a multicast service in V2X or a multicast service in ProSe, the service key is simply called the service key; when the first multicast service is MBMS, the service key may be called the service key or, in the MBMS terminology above, the service key (MSK). It should be understood that as communication protocols evolve, the service key may acquire new names while performing the same function; such new names also fall within the protection scope of the present application.
Referring to Table 3 above, the parameters used in deriving the service key include the group key (also called the root key) and key calculation parameters. Optionally, the key calculation parameters include a random number. For example, for the service key (PTK) in the V2X multicast communication system, the embodiments of the present application redesign the original P0 among the derivation input parameters as a random number. That is, on the basis of Table 3 above, P0 (group member identity) is replaced with Nonce_1, as shown in Table 5 below.
Table 5: PTK derivation input parameters
    KDF input parameter    Value
    FC                     0x4A
    P0                     Nonce_1 (random number)
    L0                     length of P0
    P1                     PTK Identity
    L1                     length of P1
    P2                     Group Identity
    L2                     length of P2
    Input Key              256-bit VGK
Here P0 (Nonce_1) is a random number and L0 is the length of Nonce_1. As Table 5 shows, updating the service key requires updating the parameters used in the service key derivation. On this basis, in one example the key update message includes at least one of the following: the updated key calculation parameter, the updated group key.
Because updating the group key consumes more computing resources than updating the key calculation parameter, in order to reduce the computing resources the core network device spends on computing an updated group key and to avoid frequent group key updates, in one example the core network device, when the first multicast service group is updated, checks whether the group key corresponding to the first multicast service group has expired. Optionally, the core network device sets a usage time limit for the group key: when the group key is outside that usage time limit it is considered expired, and when it is within that limit it is considered not expired. If the group key corresponding to the first multicast service group has expired, the core network device generates an updated group key and delivers it to the first terminal device, that is, the key update message includes the updated group key; if the group key corresponding to the first multicast service has not expired, the core network device generates an updated key calculation parameter and delivers it to the first terminal device, that is, the key update message includes the updated key calculation parameter.
Step 724: the first terminal device updates the security key according to the updated service key.
After deriving the updated service key from the key update message, the first terminal device further updates the security key from the updated service key, so as to remain compatible with the established key hierarchy. For the way the first terminal device updates the security key from the updated service key, refer to Table 4 above; not repeated here.
The content and name of the security key differ between multicast service communication systems. For example, when the first multicast service is a multicast service in V2X or a multicast service in ProSe, the security key includes at least one of the following: an encryption key, an integrity protection key; when the first multicast service is MBMS, the security key may include the traffic key, or may include at least one of the following: an encryption key, an integrity protection key. It should be understood that as communication protocols evolve, the service key may acquire new names while performing the same function; such new names also fall within the protection scope of the present application.
In summary, in the technical solution provided by the embodiments of the present application, the terminal devices included in the updated multicast service group derive the updated service key from the key update message and further derive the updated security key from the updated service key, which is effectively compatible with the key hierarchy already established in the multicast service. Moreover, in the embodiments the core network device adopts different key update methods depending on whether the group key corresponding to the multicast service has expired: it updates the group key if the group key has expired, and updates the key calculation parameter if it has not. Because updating the key calculation parameter consumes fewer computing resources than updating the group key, the embodiments provide a lightweight key update method that helps reduce the computing overhead of the core network device in generating the update content and the computing overhead of the terminal device in deriving the security key.
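The derivation chain of Table 5 and the expiry-based choice between a new group key and a new Nonce_1 (steps 710 to 724), as an added example that is not part of the patent. It assumes the 3GPP generic KDF of TS 33.220 (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 || ...), which the page does not name; the PEK/PIK derivation constants, the group key lifetime, the `simulate` scenario and all identities are constructed placeholders, since Table 4 is not reproduced in the text.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Usage time limit of the group key in seconds; constructed sample value.
VGK_LIFETIME = 3600


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP generic KDF (TS 33.220 Annex B, assumed here): S = FC || P0 || L0 || P1 || L1 || ...,
    each Li the 2-byte big-endian length of Pi; output = HMAC-SHA-256(Key, S)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ptk(vgk: bytes, nonce_1: bytes, ptk_id: bytes, gid: bytes) -> bytes:
    """Table 5: FC=0x4A, P0=Nonce_1, P1=PTK Identity, P2=Group Identity, Input Key=256-bit VGK."""
    if len(vgk) != 32:
        raise ValueError("VGK must be 256 bits")
    return kdf(vgk, 0x4A, nonce_1, ptk_id, gid)


def derive_pek_pik(ptk: bytes) -> Tuple[bytes, bytes]:
    """PEK and PIK from PTK. FC values 0xE0/0xE1 and the 128-bit truncation are
    constructed placeholders: the page's Table 4 is an image, so its inputs are unknown."""
    return kdf(ptk, 0xE0)[:16], kdf(ptk, 0xE1)[:16]


@dataclass
class KeyUpdateMessage:
    """Step 710 payload: the updated group key and/or the updated key calculation parameter."""
    new_vgk: Optional[bytes] = None
    new_nonce_1: Optional[bytes] = None


@dataclass
class Terminal:
    """A terminal device's key state (steps 720 to 724)."""
    ue_id: str
    gid: bytes
    vgk: bytes
    nonce_1: bytes
    ptk_id: bytes = b"ptk-1"  # constructed PTK Identity

    def apply_update(self, msg: KeyUpdateMessage) -> None:
        if msg.new_vgk is not None:
            self.vgk = msg.new_vgk
        if msg.new_nonce_1 is not None:
            self.nonce_1 = msg.new_nonce_1

    def security_keys(self) -> Tuple[bytes, bytes]:
        # Step 722 (VGK -> PTK) followed by step 724 (PTK -> PEK, PIK).
        return derive_pek_pik(derive_ptk(self.vgk, self.nonce_1, self.ptk_id, self.gid))


@dataclass
class CoreNetwork:
    """Core network device managing one multicast service group."""
    gid: bytes
    vgk: bytes
    vgk_issued_at: int
    nonce_1: bytes
    members: Dict[str, Terminal] = field(default_factory=dict)

    def join(self, ue_id: str) -> Terminal:
        ue = Terminal(ue_id, self.gid, self.vgk, self.nonce_1)
        self.members[ue_id] = ue
        return ue

    def build_key_update(self, now: int) -> KeyUpdateMessage:
        """Lightweight update: a fresh VGK only if the group key has expired, else a fresh Nonce_1."""
        if now - self.vgk_issued_at > VGK_LIFETIME:
            self.vgk, self.vgk_issued_at = os.urandom(32), now
            return KeyUpdateMessage(new_vgk=self.vgk)
        self.nonce_1 = os.urandom(16)
        return KeyUpdateMessage(new_nonce_1=self.nonce_1)

    def withdraw(self, ue_id: str, now: int) -> KeyUpdateMessage:
        """Steps 801/803 then 710: remove the member, then re-key only the remaining members."""
        del self.members[ue_id]
        msg = self.build_key_update(now)
        for ue in self.members.values():
            ue.apply_update(msg)
        return msg


def simulate(now: int, group_key_age: int) -> dict:
    """Constructed scenario: three UEs join, UE-2 withdraws, the rest are re-keyed."""
    cn = CoreNetwork(b"gid-42", os.urandom(32), now - group_key_age, os.urandom(16))
    ues = [cn.join(f"UE-{i}") for i in (1, 2, 3)]
    leaver = ues[1]
    old_keys = leaver.security_keys()
    msg = cn.withdraw(leaver.ue_id, now)
    remaining = [ue.security_keys() for ue in cn.members.values()]
    return {
        "vgk_renewed": msg.new_vgk is not None,
        "remaining_agree": all(k == remaining[0] for k in remaining),
        "leaver_excluded": leaver.security_keys() == old_keys and old_keys not in remaining,
    }
```

`simulate` returns three checks: whether the message carried a new VGK or only a new Nonce_1 (decided purely by the group key's age), whether the remaining members all derive the same PEK/PIK, and whether the withdrawn device, which never receives the message, is left with keys the group no longer uses; that last property is the one the summary above relies on.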
The situations in which the first multicast service group is updated are described below. From the description of the embodiments above, an update of the first multicast service group includes at least one of the following possibilities: a UE in the first multicast service group actively exits, or the core network device withdraws a terminal device from the first multicast service group. These situations are described separately below.
In one example, as shown in FIG. 8, the method above further includes the following steps:
Step 801: the second terminal device sends a service withdrawal request to the core network device.
The second terminal device is a terminal device in the pre-update first multicast service group that needs to withdraw from the multicast service; it may send a service withdrawal request to the core network device to request to exit the first multicast service group. Optionally, the service withdrawal request is a NAS message. The embodiments of the present application do not limit the content of the service withdrawal request; optionally, the service withdrawal request includes at least one of the following: the multicast service group identifier (GID), the identifier of the first terminal device.
Step 803: the core network device withdraws the second terminal device from the first multicast service group according to the service withdrawal request.
After receiving the service withdrawal request from the second terminal device, the core network device parses it to determine the terminal device requesting to exit the multicast service, namely the second terminal device, and the multicast service group that terminal device belongs to, namely the first multicast service group. The core network device then withdraws the second terminal device from the first multicast service group in response to the service withdrawal request. Optionally, withdrawing the second terminal device from the first multicast service group includes deleting the information related to the second terminal device, such as its identifier, from the member list corresponding to the first multicast service group.
So that the second terminal device knows, after sending the service withdrawal request, whether it has successfully exited the multicast service, optionally step 805 follows step 803: the core network device sends a service withdrawal response to the second terminal device, indicating that the withdrawal of the second terminal device from the first multicast service group is complete. In the embodiments of the present application, to reduce the signaling exchanged between the core network device and the terminal device and lower the signaling overhead of the core network device, the core network device may also omit the service withdrawal response: since the remaining terminal devices in the subsequently updated multicast service group update their security keys, the second terminal device cannot continue the multicast service with the security keys it knows. Optionally, after sending the service withdrawal request, the second terminal device assumes by default that it has exited the multicast service, that is, that it has been withdrawn from the first multicast service group. Alternatively, if the second terminal device receives no response to the service withdrawal request from the core network device within a period of time after sending it, it assumes by default that it has exited the multicast service. For example, the second terminal device may start a timer when sending the service withdrawal request, or at some moment after sending it; if it receives a service withdrawal response from the core network device while the timer is running, it determines that it has been withdrawn from the first multicast service group, and if it has still not received a service withdrawal response when the timer expires, it assumes by default that it has been withdrawn from the first multicast service group. Optionally, if the second terminal device has not received a service withdrawal response when the timer expires, it may instead assume by default that it has not been withdrawn from the first multicast service group, in which case the second terminal device may resend the service withdrawal request to the core network device.
In another example, as shown in FIG. 8, the above method further includes the following steps:
Step 802: The core network device withdraws the third terminal device from the first multicast service group when the subscription service of the third terminal device for the first multicast service expires.
The third terminal device is a terminal device in the first multicast service group before the update. While providing the multicast service to the terminal devices in the first multicast service group, the core network device determines whether the subscription service of each terminal device for the first multicast service has expired. Optionally, the core network device determines in real time whether the subscription service of each terminal device has expired; or it makes that determination at preset intervals. When the core network device determines that the subscription service of the third terminal device in the first multicast service group has expired, it withdraws the third terminal device from the first multicast service group.
Optionally, the embodiments of the present application set a subscription duration, or a subscription end time, for each terminal device's subscription to the first multicast service, so that the core network device can determine whether each terminal device is entitled to obtain the first multicast service. For example, when each terminal device has a subscription duration, the core network device determines whether the time for which the terminal device has obtained the first multicast service has reached the subscription duration; if so, it determines that the subscription service of that terminal device for the first multicast service has expired. As another example, when each terminal device has a subscription end time, the core network device determines whether the current time at which the terminal device obtains the first multicast service has reached the subscription end time; if so, it determines that the subscription service of that terminal device for the first multicast service has expired. Optionally, the same subscription duration or subscription end time is set for all terminal devices in the first multicast service group; or different subscription durations or subscription end times are set for different terminal devices in the first multicast service group, for example a longer subscription duration for terminal devices that have paid more.
So that a terminal device whose subscription service has expired promptly learns that its subscription service for the first multicast service has expired, and can restore the first multicast service in time, optionally step 804 follows step 802: the core network device sends withdrawal notification information to the third terminal device, indicating that the withdrawal of the third terminal device from the first multicast service group is complete. So that the third terminal device further knows why it was withdrawn from the first multicast service group, optionally the core network device sends a service withdrawal reason to the third terminal device, indicating the reason for which the core network device withdrew the third terminal device from the first multicast service group, for example that the subscription service of the third terminal device for the first multicast service has expired. Optionally, the service withdrawal reason is carried in the withdrawal notification information, to reduce the signaling exchanged between the core network device and the terminal device and lower the signaling overhead of the core network device.
To sum up, in the technical solutions provided by the embodiments of the present application, a terminal device that needs to withdraw from a multicast service sends a service withdrawal request to the core network device in order to exit the multicast service group it belongs to, which enriches the functions of the multicast service and allows flexible exit from it. Moreover, in the embodiments of the present application, after withdrawing the terminal device that sent the service withdrawal request from the multicast service group, the core network device sends a service withdrawal response to that terminal device, so that it knows clearly whether it has successfully exited the multicast service.
In addition, in the technical solutions provided by the embodiments of the present application, the core network device determines whether the subscription service of each terminal device in the multicast service group for the multicast service has expired and promptly withdraws those whose subscription has expired, preventing them from obtaining the multicast service free of charge and thus avoiding unnecessary losses for the multicast service provider. Further, in the embodiments of the present application, after withdrawing a terminal device whose subscription service has expired, the core network device sends withdrawal notification information to that terminal device, notifying it in time so that it learns promptly that it can no longer obtain the multicast service and can act on that situation in time to restore the multicast service.
Below, the technical solution of the present application is described using a V2X multicast communication system as an example. It should be understood that FIG. 9 takes the V2X multicast communication system only as an example and does not limit the technical solution of the present application; having understood the technical solution shown in FIG. 9, a person skilled in the art will readily think of adapting it to other multicast communication systems, such as MBMS (also called MBS), all of which fall within the protection scope of the present application.
Please refer to FIG. 9, which shows a flowchart of a key update method provided by an embodiment of the present application. The method can be applied to the system architectures shown in FIG. 1 and FIG. 2 and may include the following steps:
Step 910: The second terminal device sends a service withdrawal request to the core network device. The second terminal device is a terminal device in the first multicast service group that needs to withdraw from the multicast service. The service withdrawal request is used to request exit from the first multicast service group. Optionally, the service withdrawal request includes at least one of the following: a multicast service group identifier and an identifier of the first terminal device.
Step 920: The core network device withdraws the second terminal device from the first multicast service group according to the service withdrawal request. Optionally, this includes deleting the information related to the second terminal device, such as its identifier, from the member list corresponding to the first multicast service group.
Step 930: The core network device sends a service withdrawal response to the second terminal device, indicating that the withdrawal of the second terminal device from the first multicast service group is complete. Optionally, the core network device withdraws the second terminal device from the first multicast service group directly, without sending a service withdrawal response to it (step 930 is then not performed).
Step 940: The core network device determines whether the group key corresponding to the first multicast service group has expired. Optionally, the core network device sets a usage time limit for the group key: when the group key is outside that limit it is considered expired, and when it is within that limit it is not. It should be noted that the embodiments of the present application do not limit the order in which step 940 and step 930 are performed; FIG. 9 shows step 940 after step 930 only for convenience of description.
Step 950: The core network device sends a key update message to the first terminal device. The first terminal device is a terminal device included in the updated first multicast service group, that is, a terminal device remaining in the first multicast service group other than the withdrawn terminal device (the second terminal device). The key update message is used to update the security key used by the first terminal device in the first multicast service group. When the group key corresponding to the first multicast service group has expired, the key update message includes the updated group key; when the group key corresponding to the first multicast service has not expired, the key update message includes the updated key calculation parameter. Optionally, the key calculation parameter includes a random number. Optionally, the core network device sends the key update message to the first terminal device directly upon determining that the first multicast service group has been updated (for example, upon receiving the service withdrawal request of the second terminal device); that is, the core network device need not determine whether the group key corresponding to the first multicast service group has expired (step 940 is then not performed), and the key update message then carries by default either the updated group key or the updated key calculation parameter. It should be noted that the embodiments of the present application do not limit when step 950 is performed: optionally, step 950 is performed after step 910, or after step 920, or simultaneously with step 920.
Step 960: The first terminal device updates the service key (PTK) corresponding to the first multicast service according to the key update message, and updates the security keys (PEK and PIK) according to the updated service key (PTK).
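The flow of steps 910 to 960, as an added simulation that is not part of the patent: the core network side removes the requesting device from the member list, decides between sending a new group key (expired) and a new key calculation parameter (not expired), and only the remaining devices derive a new PTK and then PEK/PIK, so the device that left keeps an unusable old PTK. The KDF (HMAC-SHA256), the key sizes, the message dictionaries and the device identifiers are assumptions for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def kdf(key: bytes, label: bytes, *context: bytes) -> bytes:
    """Derive a 32-byte key with HMAC-SHA256 (assumed KDF; the patent names none)."""
    mac = hmac.new(key, label, hashlib.sha256)
    for part in context:
        mac.update(part)
    return mac.digest()


@dataclass
class CoreNetwork:
    """Core network side: member list, group key with a usage time limit, re-keying."""
    gid: bytes
    group_key: bytes
    group_key_expires_at: float       # usage time limit of the group key (step 940)
    key_param: bytes                  # current key calculation parameter (random number)
    members: set = field(default_factory=set)

    def group_key_expired(self, now: float) -> bool:
        return now >= self.group_key_expires_at

    def handle_service_withdrawal(self, req: dict, now: float, key_lifetime: float = 3600.0):
        """Steps 920-950. req is a constructed withdrawal request {"gid", "ue_id"}.

        Returns (service withdrawal response, {remaining ue_id: key update message}).
        """
        if req["gid"] != self.gid or req["ue_id"] not in self.members:
            return {"gid": self.gid, "status": "rejected"}, {}
        self.members.discard(req["ue_id"])                    # step 920: drop from member list
        response = {"gid": self.gid, "status": "withdrawn"}   # step 930
        if self.group_key_expired(now):                       # step 940
            self.group_key = os.urandom(32)                   # expired: issue a new group key
            self.group_key_expires_at = now + key_lifetime
            payload = {"group_key": self.group_key}
        else:
            self.key_param = os.urandom(16)                   # not expired: new random parameter
            payload = {"key_param": self.key_param}
        # step 950: only the remaining members receive the key update message
        updates = {ue: dict(payload) for ue in self.members}
        return response, updates


@dataclass
class Terminal:
    """First terminal device side: derives PTK from the group key, then PEK/PIK."""
    ue_id: str
    gid: bytes
    group_key: bytes
    key_param: bytes
    ptk: bytes = b""
    pek: bytes = b""
    pik: bytes = b""

    def derive(self) -> None:
        # step 960: PTK from group key + parameter, PEK/PIK from PTK (derivation assumed)
        self.ptk = kdf(self.group_key, b"PTK", self.gid, self.key_param)
        self.pek = kdf(self.ptk, b"PEK")
        self.pik = kdf(self.ptk, b"PIK")

    def apply_key_update(self, msg: dict) -> None:
        if "group_key" in msg:
            self.group_key = msg["group_key"]
        if "key_param" in msg:
            self.key_param = msg["key_param"]
        self.derive()


def run_scenario(now: float = 1000.0, expired: bool = False) -> dict:
    """Constructed scenario: ue3 withdraws from a three-member group; returns what each side holds."""
    gid = b"GID-01"
    gk, param = os.urandom(32), os.urandom(16)
    core = CoreNetwork(gid, gk, now + (0.0 if expired else 600.0), param, {"ue1", "ue2", "ue3"})
    ues = {u: Terminal(u, gid, gk, param) for u in core.members}
    for t in ues.values():
        t.derive()
    old_ptk = ues["ue1"].ptk
    resp, updates = core.handle_service_withdrawal({"gid": gid, "ue_id": "ue3"}, now)
    for ue, msg in updates.items():
        ues[ue].apply_key_update(msg)       # ue3 never sees the message and keeps the old PTK
    return {"response": resp, "updates": updates, "old_ptk": old_ptk,
            "ptk": {u: t.ptk for u, t in ues.items()},
            "pek": {u: t.pek for u, t in ues.items()},
            "pik": {u: t.pik for u, t in ues.items()}}


if __name__ == "__main__":
    result = run_scenario()
    print("re-keyed:", sorted(result["updates"]), "ue3 still has old PTK:",
          result["ptk"]["ue3"] == result["old_ptk"])
```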
It should be noted that the above method embodiments describe the key update method provided by the present application mainly from the perspective of the interaction between the first terminal device, the second terminal device and the core network device. The steps performed by the first terminal device may be implemented separately as a first-terminal-device-side key update method, and the steps performed by the core network device may be implemented separately as a core-network-device-side key update method.
The following are apparatus embodiments of the present application, which can be used to perform the method embodiments of the present application. For details not disclosed in the apparatus embodiments, please refer to the method embodiments of the present application.
Please refer to FIG. 10, which shows a block diagram of a key update apparatus provided by an embodiment of the present application. The apparatus has the function of implementing the above first-terminal-device-side method example; the function may be implemented by hardware, or by hardware executing corresponding software. The apparatus may be the terminal device described above, or may be provided in the terminal device. As shown in FIG. 10, the apparatus 1000 may include a message receiving module 1010 and a key update module 1020.
The message receiving module 1010 is configured to receive a key update message from a network device.
The key update module 1020 is configured to update, according to the key update message, the security key used by the first terminal device in a first multicast service group, the first multicast service group being used to perform a first multicast service.
In one example, the key update module is configured to: update the service key corresponding to the first multicast service according to the key update message; and update the security key according to the updated service key.
In one example, the key update message includes at least one of the following: an updated key calculation parameter and an updated group key.
In one example, the key calculation parameter includes a random number.
In one example, when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key; when the group key corresponding to the first multicast service has not expired, the key update message includes the updated key calculation parameter.
In one example, the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, and MBMS.
In one example, the service key includes an MBMS service key; the first multicast service includes MBMS.
In one example, the security key includes at least one of the following: an encryption key and an integrity protection key; the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, and MBMS.
In one example, the security key includes a traffic key; the first multicast service includes MBMS.
To sum up, in the technical solutions provided by the embodiments of the present application, when a multicast service group managed by the core network device is updated, the core network device sends a key update message to the terminal devices included in the updated multicast service group, responding to the update of the multicast service group in time and enriching the functions of the multicast service. Moreover, after receiving the key update message, the terminal devices included in the updated multicast service group promptly update the security keys used in that group, which protects the multicast service performed in the updated group and improves the security mechanism of the multicast service. In addition, the core network device sends the key update message to the terminal devices included in the updated multicast service group; that is, if a terminal device used the multicast service provided by the group before the update, but the group was updated because that terminal device exited it, the updated group does not include that terminal device. Since the terminal devices in the updated group have updated their security keys and the exited terminal device did not receive the key update message, it cannot learn the updated security keys, which provides sound security for the multicast service carried out by the remaining terminal devices in the group.
Please refer to FIG. 11, which shows a block diagram of a key update apparatus provided by an embodiment of the present application. The apparatus has the function of implementing the above core-network-device-side method example; the function may be implemented by hardware, or by hardware executing corresponding software. The apparatus may be the core network device described above, or may be provided in the core network device. As shown in FIG. 11, the apparatus 1100 may include a message sending module 1110.
The message sending module 1110 is configured to send a key update message to a first terminal device when a first multicast service group is updated, the key update message being used to update the security key used by the first terminal device in the first multicast service group, and the first multicast service group being used to perform a first multicast service.
In one example, the key update message includes at least one of the following: an updated key calculation parameter and an updated group key.
In one example, the key calculation parameter includes a random number.
In one example, when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key; when the group key corresponding to the first multicast service has not expired, the key update message includes the updated key calculation parameter.
In one example, the security key includes at least one of the following: an encryption key and an integrity protection key; the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, and MBMS.
In one example, the security key includes a traffic key; the first multicast service includes MBMS.
In one example, as shown in FIG. 12, the apparatus 1100 further includes: a request receiving module 1120, configured to receive a service withdrawal request from a second terminal device; and a device withdrawal module 1130, configured to withdraw the second terminal device from the first multicast service group according to the service withdrawal request.
In one example, the service withdrawal request includes at least one of the following: a multicast service group identifier and an identifier of the first terminal device.
In one example, as shown in FIG. 12, the apparatus 1100 further includes a response sending module 1140, configured to send a service withdrawal response to the second terminal device, the service withdrawal response indicating that the withdrawal of the second terminal device from the first multicast service group is complete.
To sum up, in the technical solutions provided by the embodiments of the present application, when a multicast service group managed by the core network device is updated, the core network device sends a key update message to the terminal devices included in the updated multicast service group, responding to the update of the multicast service group in time and enriching the functions of the multicast service. Moreover, after receiving the key update message, the terminal devices included in the updated multicast service group promptly update the security keys used in that group, which protects the multicast service performed in the updated group and improves the security mechanism of the multicast service. In addition, the core network device sends the key update message to the terminal devices included in the updated multicast service group; that is, if a terminal device used the multicast service provided by the group before the update, but the group was updated because that terminal device exited it, the updated group does not include that terminal device. Since the terminal devices in the updated group have updated their security keys and the exited terminal device did not receive the key update message, it cannot learn the updated security keys, which provides sound security for the multicast service carried out by the remaining terminal devices in the group.
It should be noted that, when the apparatus provided in the above embodiments implements its functions, the division into the functional modules described above is only an example; in practical applications, the above functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above.
As for the apparatus in the above embodiments, the specific manner in which each module performs its operations has been described in detail in the method embodiments and will not be elaborated here.
请参考图13,其示出了本申请一个实施例提供的终端设备130的结构示意图,例如,该终端设备可以用于执行上述第一终端设备侧密钥更新方法。具体来讲,该终端设备130可以包括:处理器131,以及与所述处理器131相连的收发器132;其中:Please refer to FIG. 13 , which shows a schematic structural diagram of a terminal device 130 provided by an embodiment of the present application. For example, the terminal device can be used to execute the above-mentioned first terminal device side key update method. Specifically, the terminal device 130 may include: a processor 131, and a transceiver 132 connected to the processor 131; wherein:
处理器131包括一个或者一个以上处理核心,处理器131通过运行软件程序以及模块,从而执行各种功能应用以及信息处理。The processor 131 includes one or more processing cores, and the processor 131 executes various functional applications and information processing by running software programs and modules.
收发器132包括接收器和发射器。可选地,收发器132是一块通信芯片。 Transceiver 132 includes a receiver and a transmitter. Optionally, transceiver 132 is a communication chip.
在一个示例中,终端设备130还包括:存储器和总线。存储器通过总线与处理器相连。存储器可用于存储计算机程序,处理器用于执行该计算机程序,以实现上述方法实施例中的第一终端设备执行的各个步骤。In one example, the terminal device 130 further includes: a memory and a bus. The memory is connected to the processor through a bus. The memory can be used to store a computer program, and the processor is used to execute the computer program, so as to implement each step performed by the first terminal device in the above method embodiment.
In addition, the memory may be implemented by any type of volatile or non-volatile storage device, or a combination thereof, including but not limited to: RAM (Random-Access Memory), ROM (Read-Only Memory), EPROM (Erasable Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other solid-state storage technology, CD-ROM (Compact Disc Read-Only Memory), DVD (Digital Video Disc) or other optical storage, tape cassettes, magnetic tape, disk storage or other magnetic storage devices. Wherein:
The transceiver 132 is configured to receive a key update message from a network device.
The processor 131 is configured to update, according to the key update message, the security key used by the first terminal device in a first multicast service group, the first multicast service group being used to perform a first multicast service.
In one example, the processor 131 is configured to: update the service key corresponding to the first multicast service according to the key update message; and update the security key according to the updated service key.
In one example, the key update message includes at least one of the following: an updated key calculation parameter, an updated group key.
In one example, the key calculation parameter includes a random number.
In one example, when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key; when the group key corresponding to the first multicast service has not expired, the key update message includes the updated key calculation parameter.
In one example, the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, MBMS.
In one example, the service key includes an MBMS service key; the first multicast service includes MBMS.
In one example, the security key includes at least one of the following: an encryption key, an integrity protection key; the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, MBMS.
In one example, the security key includes a traffic key; the first multicast service includes MBMS.
Referring to FIG. 14, which shows a schematic structural diagram of a core network device 1413 provided by an embodiment of the present application. The core network device may, for example, be used to perform the core network device-side key update method described above. Specifically, the core network device 1413 may include a processor 141 and a transceiver 142 connected to the processor 141; wherein:
The processor 141 includes one or more processing cores, and performs various functional applications and information processing by running software programs and modules.
The transceiver 142 includes a receiver and a transmitter. Optionally, the transceiver 142 is a communication chip.
In one example, the core network device 1413 further includes a memory and a bus. The memory is connected to the processor through the bus. The memory may be used to store a computer program, and the processor is used to execute the computer program so as to implement the steps performed by the core network device in the above method embodiments.
In addition, the memory may be implemented by any type of volatile or non-volatile storage device, or a combination thereof, including but not limited to: RAM, ROM, EPROM, EEPROM, flash memory or other solid-state storage technology, CD-ROM, DVD or other optical storage, tape cassettes, magnetic tape, disk storage or other magnetic storage devices. Wherein:
The transceiver 142 is configured to send a key update message to a first terminal device when the first multicast service group is updated, the key update message being used to update the security key used by the first terminal device in the first multicast service group, and the first multicast service group being used to perform a first multicast service.
In one example, the key update message includes at least one of the following: an updated key calculation parameter, an updated group key.
In one example, the key calculation parameter includes a random number.
In one example, when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key; when the group key corresponding to the first multicast service has not expired, the key update message includes the updated key calculation parameter.
In one example, the security key includes at least one of the following: an encryption key, an integrity protection key; the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, MBMS.
In one example, the security key includes a traffic key; the first multicast service includes MBMS.
In one example, the transceiver 142 is configured to receive a service withdrawal request from a second terminal device; the processor 141 is configured to withdraw the second terminal device from the first multicast service group according to the service withdrawal request.
In one example, the service withdrawal request includes at least one of the following: a multicast service group identifier, an identifier of the first terminal device.
In one example, the transceiver 142 is configured to send a service withdrawal response to the second terminal device, the service withdrawal response being used to indicate to the second terminal device that its withdrawal from the first multicast service group is complete.
An embodiment of the present application further provides a computer-readable storage medium storing a computer program, the computer program being configured to be executed by a processor of a terminal device so as to implement the above first terminal device-side key update method.
An embodiment of the present application further provides a computer-readable storage medium storing a computer program, the computer program being configured to be executed by a processor of a core network device so as to implement the above core network device-side key update method.
An embodiment of the present application further provides a chip, the chip including a programmable logic circuit and/or program instructions and being configured, when run on a terminal device, to implement the above first terminal device-side key update method.
An embodiment of the present application further provides a chip, the chip including a programmable logic circuit and/or program instructions and being configured, when run on a core network device, to implement the above core network device-side key update method.
An embodiment of the present application further provides a computer program product which, when run on a terminal device, causes the computer to execute the above first terminal device-side key update method.
An embodiment of the present application further provides a computer program product which, when run on a core network device, causes the computer to execute the above core network device-side key update method.
Those skilled in the art will appreciate that, in one or more of the above examples, the functions described in the embodiments of the present application may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
The above are merely exemplary embodiments of the present application and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application shall fall within its scope of protection.

Claims (44)

  1. A key update method, applied to a first terminal device, the method comprising:
    receiving a key update message from a network device;
    updating, according to the key update message, the security key used by the first terminal device in a first multicast service group, the first multicast service group being used to perform a first multicast service.
  2. The method according to claim 1, wherein updating, according to the key update message, the security key used by the first terminal device in the first multicast service group comprises:
    updating the service key corresponding to the first multicast service according to the key update message;
    updating the security key according to the updated service key.
  3. The method according to claim 2, wherein the key update message includes at least one of the following: an updated key calculation parameter, an updated group key.
  4. The method according to claim 3, wherein the key calculation parameter includes a random number.
  5. The method according to claim 2, wherein:
    when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key;
    when the group key corresponding to the first multicast service has not expired, the key update message includes the updated key calculation parameter.
  6. The method according to any one of claims 2 to 5, wherein the first multicast service includes any one of the following: a multicast service in vehicle-to-everything (V2X) communication, a multicast service in proximity services (ProSe), a multimedia broadcast multicast service (MBMS).
  7. The method according to any one of claims 2 to 5, wherein the service key includes an MBMS service key; the first multicast service includes MBMS.
  8. The method according to any one of claims 1 to 5, wherein the security key includes at least one of the following: an encryption key, an integrity protection key; the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, MBMS.
  9. The method according to any one of claims 1 to 5, wherein the security key includes a traffic key; the first multicast service includes MBMS.
  10. A key update method, applied to a core network device, the method comprising:
    when a first multicast service group is updated, sending a key update message to a first terminal device, the key update message being used to update the security key used by the first terminal device in the first multicast service group, the first multicast service group being used to perform a first multicast service.
  11. The method according to claim 10, wherein the key update message includes at least one of the following: an updated key calculation parameter, an updated group key.
  12. The method according to claim 11, wherein the key calculation parameter includes a random number.
  13. The method according to claim 10, wherein:
    when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key;
    when the group key corresponding to the first multicast service has not expired, the key update message includes the updated key calculation parameter.
  14. The method according to any one of claims 10 to 13, wherein the security key includes at least one of the following: an encryption key, an integrity protection key; the first multicast service includes any one of the following: a multicast service in vehicle-to-everything (V2X) communication, a multicast service in proximity services (ProSe), a multimedia broadcast multicast service (MBMS).
  15. The method according to any one of claims 10 to 13, wherein the security key includes a traffic key; the first multicast service includes MBMS.
  16. The method according to any one of claims 10 to 15, further comprising:
    receiving a service withdrawal request from a second terminal device;
    withdrawing the second terminal device from the first multicast service group according to the service withdrawal request.
  17. The method according to claim 16, wherein the service withdrawal request includes at least one of the following: a multicast service group identifier, an identifier of the first terminal device.
  18. The method according to claim 10 or 17, further comprising:
    sending a service withdrawal response to the second terminal device, the service withdrawal response being used to indicate to the second terminal device that its withdrawal from the first multicast service group is complete.
  19. The method according to any one of claims 10 to 18, further comprising:
    when the subscription of a third terminal device to the first multicast service has expired, withdrawing the third terminal device from the first multicast service group.
  20. The method according to claim 19, wherein after withdrawing the third terminal device from the first multicast service group, the method further comprises:
    sending withdrawal notification information to the third terminal device, the withdrawal notification information being used to indicate to the third terminal device that its withdrawal from the first multicast service group is complete.
  21. A key update apparatus, provided in a first terminal device, the apparatus comprising:
    a message receiving module, configured to receive a key update message from a network device;
    a key update module, configured to update, according to the key update message, the security key used by the first terminal device in a first multicast service group, the first multicast service group being used to perform a first multicast service.
  22. The apparatus according to claim 21, wherein the key update module is configured to:
    update the service key corresponding to the first multicast service according to the key update message;
    update the security key according to the updated service key.
  23. The apparatus according to claim 22, wherein the key update message includes at least one of the following: an updated key calculation parameter, an updated group key.
  24. The apparatus according to claim 23, wherein the key calculation parameter includes a random number.
  25. The apparatus according to claim 22, wherein:
    when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key;
    when the group key corresponding to the first multicast service has not expired, the key update message includes the updated key calculation parameter.
  26. The apparatus according to any one of claims 22 to 25, wherein the first multicast service includes any one of the following: a multicast service in vehicle-to-everything (V2X) communication, a multicast service in proximity services (ProSe), a multimedia broadcast multicast service (MBMS).
  27. The apparatus according to any one of claims 22 to 25, wherein the service key includes an MBMS service key; the first multicast service includes MBMS.
  28. The apparatus according to any one of claims 21 to 25, wherein the security key includes at least one of the following: an encryption key, an integrity protection key; the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, MBMS.
  29. The apparatus according to any one of claims 21 to 25, wherein the security key includes a traffic key; the first multicast service includes MBMS.
  30. A key update apparatus, provided in a core network device, the apparatus comprising:
    a message sending module, configured to send a key update message to a first terminal device when a first multicast service group is updated, the key update message being used to update the security key used by the first terminal device in the first multicast service group, the first multicast service group being used to perform a first multicast service.
  31. The apparatus according to claim 30, wherein the key update message includes at least one of the following: an updated key calculation parameter, an updated group key.
  32. The apparatus according to claim 31, wherein the key calculation parameter includes a random number.
  33. The apparatus according to claim 30, wherein:
    when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key;
    when the group key corresponding to the first multicast service has not expired, the key update message includes the updated key calculation parameter.
  34. The apparatus according to any one of claims 30 to 33, wherein the security key includes at least one of the following: an encryption key, an integrity protection key; the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, MBMS.
  35. The apparatus according to any one of claims 30 to 33, wherein the security key includes a traffic key; or, the first multicast service includes MBMS.
  36. The apparatus according to any one of claims 30 to 35, further comprising:
    a request receiving module, configured to receive a service withdrawal request from a second terminal device;
    a first device withdrawal module, configured to withdraw the second terminal device from the first multicast service group according to the service withdrawal request.
  37. The apparatus according to claim 36, wherein the service withdrawal request includes at least one of the following: a multicast service group identifier, an identifier of the first terminal device.
  38. The apparatus according to claim 36 or 37, further comprising:
    a response sending module, configured to send a service withdrawal response to the second terminal device, the service withdrawal response being used to indicate to the second terminal device that its withdrawal from the first multicast service group is complete.
  39. The apparatus according to any one of claims 30 to 38, further comprising:
    a second device withdrawal module, configured to withdraw a third terminal device from the first multicast service group when the subscription of the third terminal device to the first multicast service has expired.
  40. The apparatus according to claim 39, further comprising:
    a notification sending module, configured to send withdrawal notification information to the third terminal device, the withdrawal notification information being used to indicate to the third terminal device that its withdrawal from the first multicast service group is complete.
  41. A terminal device, comprising: a processor, and a transceiver connected to the processor; wherein:
    the transceiver is configured to receive a key update message from a network device;
    the processor is configured to update, according to the key update message, the security key used by the first terminal device in a first multicast service group, the first multicast service group being used to perform a first multicast service.
  42. A core network device, comprising: a processor, and a transceiver connected to the processor; wherein:
    the transceiver is configured to send a key update message to a first terminal device when a first multicast service group is updated, the key update message being used to update the security key used by the first terminal device in the first multicast service group, the first multicast service group being used to perform a first multicast service.
  43. A computer-readable storage medium storing a computer program, the computer program being configured to be executed by a processor of a terminal device so as to implement the key update method according to any one of claims 1 to 9.
  44. A computer-readable storage medium storing a computer program, the computer program being configured to be executed by a processor of a core network device so as to implement the key update method according to any one of claims 10 to 20.
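Added example (not code from the patent or from the applicant): a Python model of the key update procedure described for the terminal device and the core network device above and claimed in claims 1 to 20. It shows the two forms of update message (a new group key once the old one has expired, a new random number otherwise), the order of derivation on the terminal side (service key first, then the encryption and integrity keys from it), and re-keying of the remaining members after a device withdraws. The HKDF-SHA256 derivation, the key lengths, the 3600-second group key lifetime, the message layout and the device identifiers are assumptions of the example; the patent specifies none of them.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

KEY_LEN = 32
GROUP_KEY_LIFETIME = 3600  # seconds; an assumed policy value, not from the patent


def hkdf_expand(key: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """HKDF-Expand (RFC 5869) over HMAC-SHA256; the KDF choice is an assumption."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_service_key(group_key: bytes, nonce: bytes) -> bytes:
    """Service key bound to the group key and the random number (key calculation parameter)."""
    return hkdf_expand(group_key, b"multicast-service-key" + nonce)


def derive_security_keys(service_key: bytes) -> Dict[str, bytes]:
    """Encryption and integrity keys hang off the service key, so a change to either input rolls both."""
    return {"enc": hkdf_expand(service_key, b"enc"), "int": hkdf_expand(service_key, b"int")}


@dataclass
class KeyUpdateMessage:
    group_id: str
    new_group_key: Optional[bytes] = None  # present when the group key has expired
    new_nonce: Optional[bytes] = None      # present while the group key is still valid


class CoreNetwork:
    def __init__(self, group_id: str, now: int) -> None:
        self.group_id = group_id
        self.group_key = secrets.token_bytes(KEY_LEN)
        self.group_key_expiry = now + GROUP_KEY_LIFETIME
        self.nonce = secrets.token_bytes(16)
        self.members: Set[str] = set()

    def build_key_update(self, now: int) -> KeyUpdateMessage:
        if now >= self.group_key_expiry:
            # Expired group key: issue a fresh one; members keep their current nonce.
            self.group_key = secrets.token_bytes(KEY_LEN)
            self.group_key_expiry = now + GROUP_KEY_LIFETIME
            return KeyUpdateMessage(self.group_id, new_group_key=self.group_key)
        # Group key still valid: a fresh random number is enough to re-key the group.
        self.nonce = secrets.token_bytes(16)
        return KeyUpdateMessage(self.group_id, new_nonce=self.nonce)

    def handle_withdrawal(self, group_id: str, ue_id: str,
                          now: int) -> Tuple[bool, Optional[KeyUpdateMessage]]:
        """Service withdrawal request (group id + device id): remove the device and
        re-key the remaining members so its old keys no longer follow the traffic."""
        if group_id != self.group_id or ue_id not in self.members:
            return False, None  # unknown device or group: nothing changes
        self.members.discard(ue_id)
        return True, self.build_key_update(now)


class Terminal:
    def __init__(self, group_id: str, group_key: bytes, nonce: bytes) -> None:
        self.group_id, self.group_key, self.nonce = group_id, group_key, nonce
        self._rederive()

    def _rederive(self) -> None:
        # Claim 2 ordering: service key first, then the security keys from it.
        self.service_key = derive_service_key(self.group_key, self.nonce)
        self.keys = derive_security_keys(self.service_key)

    def on_key_update(self, msg: KeyUpdateMessage) -> bool:
        """False (keys untouched) for another group's message or an empty update."""
        if msg.group_id != self.group_id or (
                msg.new_group_key is None and msg.new_nonce is None):
            return False
        if msg.new_group_key is not None:
            self.group_key = msg.new_group_key
        if msg.new_nonce is not None:
            self.nonce = msg.new_nonce
        self._rederive()
        return True


def run_scenario() -> Dict[str, bool]:
    """Constructed scenario: three members, one withdraws, then the group key expires."""
    cn = CoreNetwork("grp-1", now=0)
    cn.members.update(("ue-a", "ue-b", "ue-c"))
    ues = {u: Terminal("grp-1", cn.group_key, cn.nonce) for u in cn.members}
    accepted, msg = cn.handle_withdrawal("grp-1", "ue-c", now=10)
    for u in cn.members:  # only current members are handed the update
        ues[u].on_key_update(msg)
    out = {"withdrawal_accepted": accepted,
           "nonce_form_used": msg.new_group_key is None and msg.new_nonce is not None,
           "members_agree": ues["ue-a"].keys == ues["ue-b"].keys,
           "revoked_ue_stale": ues["ue-c"].keys != ues["ue-a"].keys}
    msg2 = cn.build_key_update(now=GROUP_KEY_LIFETIME)
    for u in cn.members:
        ues[u].on_key_update(msg2)
    out["group_key_form_used"] = msg2.new_group_key is not None
    out["members_agree_after_expiry"] = ues["ue-a"].keys == ues["ue-b"].keys
    out["foreign_group_ignored"] = not ues["ue-a"].on_key_update(KeyUpdateMessage("grp-2", new_nonce=b"x"))
    return out
```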
PCT/CN2020/110081 2020-08-19 2020-08-19 Key update methods, apparatus and devices, and storage medium WO2022036600A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202080101919.3A CN115918119A (en) 2020-08-19 2020-08-19 Key updating method, device, equipment and storage medium
PCT/CN2020/110081 WO2022036600A1 (en) 2020-08-19 2020-08-19 Key update methods, apparatus and devices, and storage medium

Publications (1)

Publication Number Publication Date
WO2022036600A1 true WO2022036600A1 (en) 2022-02-24

Country Status (2)

Country Link
CN (1) CN115918119A (en)
WO (1) WO2022036600A1 (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101141789A (en) * 2006-09-07 2008-03-12 华为技术有限公司 Method and system for determining cipher key updating time
CN102711104A (en) * 2006-09-07 2012-10-03 华为技术有限公司 Method for determining secret key updating time and secret key using entity
CN101102552A (en) * 2007-08-16 2008-01-09 中兴通讯股份有限公司 Update method and system for service secret key
CN101800943A (en) * 2010-03-31 2010-08-11 西安西电捷通无线网络通信股份有限公司 Multicasting key negotiation method and system suitable for group calling system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HUAWEI, HISILICON: "Discussion on Unified Group Key Management", 3GPP DRAFT; S3-201201, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG3, no. Online Meeting ;20200511 - 20200515, 1 May 2020 (2020-05-01), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051879839 *

Also Published As

Publication number Publication date
CN115918119A (en) 2023-04-04

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20949811; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20949811; Country of ref document: EP; Kind code of ref document: A1)