WO2022036600A1 - Key update methods, apparatus and devices, and storage medium - Google Patents


Info

Publication number
WO2022036600A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
multicast service
group
terminal device
service
Prior art date
Application number
PCT/CN2020/110081
Other languages
English (en)
Chinese (zh)
Inventor
许阳
曹进
熊丽晖
孙韵清
李晖
Original Assignee
Oppo广东移动通信有限公司
Application filed by Oppo广东移动通信有限公司
Priority to PCT/CN2020/110081 (WO2022036600A1)
Priority to CN202080101919.3A (CN115918119A)
Publication of WO2022036600A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]

Definitions

  • the embodiments of the present application relate to the field of communication technologies, and in particular, to a key update method, apparatus, device, and storage medium.
  • Some of these multimedia services require multiple UEs (User Equipment) to receive the same data at the same time, such as video-on-demand, TV broadcasting, online education, in-vehicle communication, and so on. Compared with ordinary data, these multimedia services involve large amounts of data and long durations. In order to use mobile network resources effectively and provide better services for UEs, multicast services were introduced.
  • In one type, the multicast service refers to one UE sending the same information content point-to-multipoint to the UEs in the multicast service group;
  • in the other type, MBMS (Multimedia Broadcast/Multicast Service), the multicast service refers to the wireless network sending the same information content point-to-multipoint to the UEs in the multicast service group.
  • Multicast services can realize network resource sharing, improve the utilization rate of network resources, especially air interface resources, and efficiently provide users with high-speed and stable multimedia services.
  • Embodiments of the present application provide a key update method, apparatus, device, and storage medium.
  • the technical solution is as follows:
  • an embodiment of the present application provides a method for updating a key, which is applied to a terminal device, and the method includes:
  • receiving a key update message from a network device, and updating the security key used by the first terminal device in the first multicast service group according to the key update message, where the first multicast service group is used for performing the first multicast service.
  • an embodiment of the present application provides a method for updating a key, which is applied to a core network device, and the method includes:
  • when the first multicast service group is updated, sending a key update message to the first terminal device, where the key update message is used to update the security key used by the first terminal device in the first multicast service group, and the first multicast service group is used to perform the first multicast service.
  • an embodiment of the present application provides a key update apparatus, which is set in a terminal device, and the apparatus includes:
  • a message receiving module, configured to receive a key update message from a network device;
  • a key update module, configured to update the security key used by the first terminal device in the first multicast service group according to the key update message, where the first multicast service group is used to perform the first multicast service.
  • an embodiment of the present application provides a key update apparatus, which is set in a core network device, and the apparatus includes:
  • a message sending module, configured to send a key update message to the first terminal device when the first multicast service group is updated, where the key update message is used to update the security key used by the first terminal device in the first multicast service group, and the first multicast service group is used to perform the first multicast service.
  • an embodiment of the present application provides a terminal device, where the terminal device includes: a processor, and a transceiver connected to the processor; wherein:
  • the transceiver is configured to receive a key update message from a network device;
  • the processor is configured to update the security key used by the first terminal device in the first multicast service group according to the key update message, where the first multicast service group is used to perform the first multicast service.
  • an embodiment of the present application provides a core network device, where the core network device includes: a processor, and a transceiver connected to the processor; wherein:
  • the transceiver is configured to send a key update message to the first terminal device when the first multicast service group is updated, where the key update message is used to update the security key used by the first terminal device in the first multicast service group, and the first multicast service group is used to perform the first multicast service.
  • An embodiment of the present application provides a computer-readable storage medium storing a computer program, which is executed by a processor of a terminal device to implement the above key update method on the first terminal device side.
  • An embodiment of the present application provides a computer-readable storage medium storing a computer program, which is executed by a processor of a core network device to implement the above key update method on the core network device side.
  • An embodiment of the present application provides a chip including a programmable logic circuit and/or program instructions, which, when the chip runs on a terminal device, implements the above key update method on the first terminal device side.
  • An embodiment of the present application provides a chip including a programmable logic circuit and/or program instructions, which, when the chip runs on a core network device, implements the above key update method on the core network device side.
  • An embodiment of the present application provides a computer program product which, when run on a terminal device, causes the computer to execute the above key update method on the first terminal device side.
  • An embodiment of the present application provides a computer program product which, when run on a core network device, causes the computer to execute the above key update method on the core network device side.
  • In the technical solutions provided by the embodiments of the present application, when a multicast service group managed by the core network device is updated, a key update message is sent to the terminal devices included in the updated multicast service group, responding in time to the update of the multicast service group and enriching the functions corresponding to multicast services.
  • The terminal devices included in the updated multicast service group update the security key used in the multicast service group in time, which ensures the security of the multicast service carried out in the updated multicast service group and improves the security guarantee mechanism of multicast services.
  • Moreover, the core network device sends the key update message only to the terminal devices included in the updated multicast service group. If a terminal device used the group key provided by the multicast service group before the update, but the updated group does not include it because it has exited, the exiting terminal device does not receive the key update message and so cannot learn the updated security key, which provides a good security guarantee for the remaining terminal devices in the multicast service group to carry out multicast services.
  • FIG. 1 is a schematic diagram of a system architecture provided by an embodiment of the present application.
  • FIG. 2 is a schematic diagram of a multicast communication system architecture provided by an embodiment of the present application.
  • FIG. 3 is a schematic diagram of a multicast communication process provided by an embodiment of the present application.
  • FIG. 4 is a schematic diagram of a multicast communication process provided by another embodiment of the present application.
  • FIG. 5 is a schematic diagram of a key system provided by an embodiment of the present application.
  • FIG. 6 is a schematic diagram of a key system provided by another embodiment of the present application.
  • FIG. 7 is a flowchart of a key update method provided by an embodiment of the present application.
  • FIG. 8 is a schematic diagram of a method for updating a multicast service group provided by an embodiment of the present application.
  • FIG. 9 is a flowchart of a key update method provided by another embodiment of the present application.
  • FIG. 10 is a block diagram of a key update device provided by an embodiment of the present application.
  • FIG. 11 is a block diagram of a key update device provided by another embodiment of the present application.
  • FIG. 12 is a block diagram of a key update device provided by another embodiment of the present application.
  • FIG. 13 is a block diagram of a terminal device provided by an embodiment of the present application.
  • FIG. 14 is a block diagram of a core network device provided by an embodiment of the present application.
  • the network architecture and service scenarios described in the embodiments of the present application are for the purpose of illustrating the technical solutions of the embodiments of the present application more clearly, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application.
  • With the evolution of network architectures and the emergence of new service scenarios, the technical solutions provided in the embodiments of the present application are also applicable to similar technical problems.
  • FIG. 1 shows a schematic diagram of a system architecture provided by an embodiment of the present application.
  • the system architecture 100 may include: a terminal device 10 , an access network device 20 , and a core network device 30 .
  • Terminal device 10 may refer to a UE, an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote station, a remote terminal, a mobile device, a wireless communication device, a user agent, or user equipment.
  • The terminal device may also be a cellular phone, a cordless phone, a SIP (Session Initiation Protocol) phone, a WLL (Wireless Local Loop) station, a PDA (Personal Digital Assistant), a handheld device with wireless communication functions, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal device in 5G (5th-Generation mobile communication technology), a terminal device in a future evolved PLMN (Public Land Mobile Network), and the like, which are not limited in this embodiment of the present application.
  • the devices mentioned above are collectively referred to as terminal devices.
  • the number of terminal devices 10 is usually multiple, and one
  • the access network device 20 is a device deployed in the access network to provide the terminal device 10 with a wireless communication function.
  • the access network device 20 may include various forms of macro base stations, micro base stations, relay stations, access points, and the like.
  • In different systems, the names of devices with access network functions may differ; for example, in a 5G NR (New Radio) system, such a device is called gNodeB or gNB.
  • As communication technology evolves, the name "access network equipment" may change.
  • For convenience of description, in the embodiments of the present application, the above apparatuses providing a wireless communication function for the terminal device 10 are collectively referred to as access network devices.
  • The access network device 20 may be an EUTRAN (Evolved Universal Terrestrial Radio Access Network) or one or more eNodeBs (evolved Node Bs) in the EUTRAN; in a 5G NR system, the access network device 20 may be a RAN (Radio Access Network) or one or more gNBs in the RAN.
  • the functions of the core network device 30 are mainly to provide user connection, manage users, and carry out services, and serve as an interface for the bearer network to provide an external network.
  • The core network device 30 in the 5G NR system may include an AMF (Access and Mobility Management Function) entity, a UPF (User Plane Function) entity, an SMF (Session Management Function) entity, and other equipment.
  • the access network device 20 and the core network device 30 communicate with each other through some air technology, such as the NG interface in the 5G NR system.
  • the access network device 20 and the terminal device 10 communicate with each other through some air technology, such as a Uu interface.
  • Multicast service types include: one UE sends the same information content point-to-multipoint to the UEs in a multicast service group (such as the multicast service in V2X and the multicast service in ProSe); or the wireless network (application server) sends the same information content point-to-multipoint to the UEs in the multicast service group (such as MBMS).
  • FIG. 2 shows a schematic diagram of the architecture of a multicast communication system provided by an embodiment of the present application.
  • the architecture of the multicast communication system includes: an application server 210 and a terminal device 220 .
  • the application server 210 refers to the server corresponding to the multicast service.
  • The application server 210 can be a BM-SC; in the 5G system, the application server 210 can be an MBSF (Multimedia Broadcast Service Function) and an MBSU (Multimedia Broadcast Service User plane).
  • the application server may be located outside the mobile network, that is, the application server is independent of the core network device.
  • the interaction between the application server and the terminal device may be implemented through an application layer protocol, such as HTTP (Hyper Text Transfer Protocol, hypertext transfer protocol) protocol.
  • The application server may also be located within the mobile network, that is, the function of the application server is implemented by core network equipment (also referred to as network elements) and/or access network equipment (such as base stations); for example, the function of the MBSF is implemented by the core network device SMF, and the function of the MBSU is implemented by the core network device UPF or by the access network device (e.g., a base station).
  • the interaction between the application server and the terminal device may be performed through the control plane and/or the user plane, wherein the control plane interaction may use NAS (Non-Access-Stratum, non-access stratum) messages; user plane interaction can be implemented through the radio bearer of the air interface and/or the GTP (GPRS Tunneling Protocol, GPRS Tunneling Protocol) of the core network.
  • the above interaction may include messages related to group establishment, service request or service revocation between the terminal device and the application server, such as identity authentication request, key acquisition request or service revocation request in the following embodiments.
  • the multicast communication system includes at least one multicast service group.
  • Each multicast service group may correspond to a different application server 210, that is, the number of application servers 210 in the multicast communication system equals the number of multicast service groups;
  • or, the multicast communication system includes a single application server 210, which is configured to provide multicast services for the different multicast service groups in the multicast communication system.
  • Each multicast service group includes at least two terminal devices 220, and the device types of the terminal devices 220 in a multicast service group may be the same (for example, all handheld devices) or different (for example, some handheld devices and some in-vehicle devices).
  • the multicast service types of the multicast services in the same multicast communication system are the same, for example, one UE sends the same information content to other UEs in the multicast service group point-to-multipoint.
  • the transmitted information may be encrypted.
  • the keys used in the information encryption process in different multicast service groups are different. The following describes the keys used in the information encryption process for several typical multicast communication systems.
  • V2X multicast communication system: the terminal device applies to the application server (V2X Application Server) in V2X to join the multicast service group and obtains authorization for the group service; at this time the terminal device obtains the GID (Group Identifier). After the terminal device obtains the GID, the KMF (Key Management Function) in V2X securely distributes the group key to the terminal device. Furthermore, within the multicast service group that the terminal device applied to join, each terminal device builds a secure connection with the help of the group key, some other keys, IDs (identities) and so on, so as to realize secure and accurate multicast communication.
  • ProSe multicast communication system: as shown in FIG. 3, the terminal device completes group service authorization with the ProSe Function and the ProSe KMF, and then sends a key acquisition request to the ProSe KMF, which includes the GID and the security information of the terminal device. After checking the key acquisition request, the ProSe KMF uses the MIKEY (Multimedia Internet KEYing) protocol to encrypt and issue the group key (PGK), the ID of the group key and the expiration time of the group key (or issues the group member ID, the master key (PMK), the master key ID and other information). The terminal device then uses the information sent by the ProSe KMF to carry out a secure and accurate multicast service with the other terminal devices in the multicast service group.
  • Specifically, the terminal device calculates the encryption key (PEK), the integrity protection key (PIK) and other keys from the information sent by the ProSe KMF, and uses them to protect the information transmitted in the multicast service.
  • the multicast communication process of the V2X multicast communication system may refer to the multicast communication process of the ProSe multicast communication system.
  • MBMS multicast communication system: the MBMS server authenticates the terminal device; for this, the terminal device can send an identity authentication request to the MBSF.
  • the MBSF stores the device information of the terminal device.
  • the terminal device may initiate a key acquisition request to the MBSF, and the key acquisition request is used to request to acquire a service key (MSK).
  • the key acquisition request includes the Key Domain ID and MSK ID.
  • The server verifies the key acquisition request and, after verification passes, distributes the service key (MSK) and the traffic key (MTK) in sequence.
  • The service key (MSK) is encrypted and delivered in a MIKEY message protected by the user key (MUK), and is identified by the Key Domain ID and MSK ID; the traffic key (MTK) is encrypted and delivered in a MIKEY message protected by the service key (MSK), and is identified by the Key Domain ID, MSK ID and MTK ID.
  • the terminal device can send an identity authentication request and a key acquisition request to the MBSF at the same time, that is, the identity authentication request and the key authentication request can be carried in the same message, as shown in Figure 4.
  • the identity authentication request and the key authentication request are NAS messages.
  • each terminal device in the multicast service group that the terminal device joins can establish a secure connection through the service key and the traffic key, so as to protect the transmitted multicast information.
  • MBMS may also be called MBS (Multicast Broadcast Service, multicast broadcast service) in the 5G system, and those skilled in the art should understand its meaning.
  • the MIKEY protocol is used to deliver the key to the terminal device by the application server, that is, the message carrying the key delivered by the application server to the terminal device may be called a MIKEY message.
  • the MIKEY message can protect the confidentiality and integrity of the key.
  • The encryption algorithm used by MIKEY is AES (Advanced Encryption Standard)-CM-128 or AES-KW-128, and the message authentication code is HMAC-SHA-1-160 (Hash-based Message Authentication Code using the Secure Hash Algorithm SHA-1).
  • the application server executes the distribution of the service key (MSK) and the traffic key (MTK) in sequence.
  • Table 1 shows the logical structure of the MIKEY message carrying the MSK protected by the MUK, as provided by an embodiment of the present application, wherein:
  • EXT: contains the MSK ID, the MSK type, and the ID of the key domain in which the MSK is located;
  • IDi: ID of the application server (BM-SC);
  • IDr: ID of the terminal device;
  • MIKEY RAND: used to generate the encryption key and authentication key that protect the traffic key (MTK) to be delivered;
  • {SP}: used for the multicast service data; it can include information related to the security protocol (such as the algorithm used, the key length, the initial value of the algorithm, etc.);
  • KEMAC: includes the MSK ciphertext encrypted by the MUK and the MAC (message authentication code) over the MSK; the rest of the message is plaintext.
  • In the message structure carrying the MTK, MIKEY RAND is not required;
  • EXT: contains the MTK ID, and the ID, type and key domain ID of the MSK used to protect the MTK;
  • KEMAC: contains the MTK ciphertext and MAC, encrypted by the key derived from the MSK.
  • The keys used for encryption and integrity protection of multicast service information are derived layer by layer from the root key according to the key system.
  • The following describes how the keys for encrypting and integrity-protecting multicast service information are generated on the basis of the key system, taking the MBMS and V2X multicast communication systems as examples.
  • FIG. 5 shows a schematic diagram of a key system in MBMS provided by an embodiment of the present application.
  • the key system consists of the following three layers: MUK (user key), MSK (service key), and MTK (traffic key).
  • the user key (MUK) is used to protect the delivery of the service key (MSK)
  • the service key (MSK) is used to protect the delivery of the traffic key (MTK).
  • The service key (MSK) may be derived from the user key (MUK), or it may be selected and issued by the application server;
  • the traffic key (MTK) may be derived from the service key (MSK), or it may be selected and delivered by the application server.
  • In FIG. 5, the line between the MUK and the MSK and the line between the MSK and the MTK only represent the protection relationship and do not limit the derivation relationship.
  • FIG. 6 shows a schematic diagram of a key system in a V2X multicast communication system provided by an embodiment of the present application.
  • The key system consists of the following three layers: VGK (group key), PTK (traffic key), and PEK (encryption key) together with PIK (integrity protection key).
  • VGK, or root key, occupies 256 bits.
  • PTK, or service key, occupies 256 bits and is calculated by the terminal device after decrypting the MIKEY message sent by the application server.
  • PEK and PIK used in confidentiality algorithm and integrity algorithm respectively to protect multicast service information.
  • PEK and PIK are calculated and generated by terminal equipment using PTK.
  • the PTK can be updated by updating the VGK.
  • Table 4 shows the input parameters required for derivation of PEK and PIK provided by an embodiment of the present application.
  • the PEK and PIK are updated by updating the PTK.
  • the security of the multicast service information and the multicast communication system can be improved.
  • However, the above examples only consider the security guarantee when a terminal device joins the multicast service group; they do not consider how to ensure the security of the multicast service information transmitted between the remaining terminal devices when a terminal device exits the multicast service group.
  • the embodiments of the present application provide a key update method, which can be used to ensure the security of multicast service information transmitted between other terminal devices when a terminal device exits a multicast service group, and reduce security risks.
  • the technical solutions of the present application will be described through several exemplary embodiments.
  • FIG. 7 shows a flowchart of a key update method provided by an embodiment of the present application.
  • The method can be applied to the system architectures shown in FIG. 1 and FIG. 2, and may include the following steps (710 to 720):
  • Step 710: when the first multicast service group is updated, the core network device sends a key update message to the first terminal device, and the key update message is used to update the security key used by the first terminal device in the first multicast service group.
  • the first multicast service group is used to perform the first multicast service.
  • the core network device refers to a device that can provide multicast service services for the first terminal device.
  • the core network device is a server (ie, an application server) of a multicast service.
  • the first multicast service group is used to perform the first multicast service.
  • the core network device may provide at least one multicast service, that is, the core network device manages at least one multicast service group.
  • the number of terminal devices in the first multicast service group is greater than or equal to two.
  • the first multicast service group will also be updated.
  • This embodiment of the present application does not limit the situation in which the first multicast service group is updated.
  • In one case, the update of the first multicast service group means that a terminal device in the first multicast service group exits (or is cancelled); refer to the following embodiments for details, which are not repeated here. In another case, the update of the first multicast service group is manifested as a change in the security requirements of the terminal devices in the first multicast service group for the multicast service.
  • For example, the security requirements of the service become more stringent, and it is expected that the information related to the multicast service can be strictly protected by continuously updating the security key.
  • For example, when the core network device determines that the subscription of a terminal device to the first multicast service has expired, that terminal device is withdrawn from the first multicast service group; or, when the security policy of the first multicast service group is updated, the core network device actively cancels terminal devices in the first multicast service group.
  • When determining that the first multicast service group is updated, the core network device generates a key update message and delivers it to the first terminal device in the first multicast service group, in response to the update of the first multicast service group.
  • When the update of the first multicast service group means that a terminal device is withdrawn, the first terminal device is any of the remaining terminal devices in the first multicast service group other than the withdrawn terminal device.
  • the key update message is used to update the security key used by the first terminal device in the first multicast service group, where the security key is used to encrypt and protect the integrity of information related to the first multicast service.
  • the key update message is a MIKEY message, that is, the key update message is delivered by the core network device to the first terminal device through the MIKEY protocol.
  • the key update message includes a random number required for deriving the security key or a root key for deriving the security key.
  • Step 720: the first terminal device updates the security key according to the key update message.
  • After receiving the key update message, the first terminal device parses it to extract the update content it carries and updates the security key according to that content.
  • If the key update message is a MIKEY message, the first terminal device needs the encryption key of the key update message in order to parse it.
  • For example, the key update message is encrypted with the user key (MUK). Since the key update message carries the content required for deriving the security key, the first terminal device can regenerate a new security key from the update content after parsing the message.
  • in the technical solutions provided by the embodiments of the present application, when a certain multicast service group managed by the core network device is updated, a key update message is sent to the terminal equipment included in the updated multicast service group, which responds to the update of the multicast service group in time and enriches the functions corresponding to the multicast service.
  • the terminal equipment included in the updated multicast service group updates the security key used in the multicast service group in time, which ensures the security of the keys used in the updated multicast service group and of the multicast service itself, and improves the security guarantee mechanism of multicast services.
  • the core network device sends the key update message only to the terminal devices included in the updated multicast service group. That is, if a certain terminal device used the multicast service provided by the multicast service group before the update, but the updated multicast service group does not include that terminal equipment, then the exiting terminal device does not receive the key update message and cannot learn the updated security key, which provides good security assurance for the remaining terminal devices in the multicast service group to carry out the multicast service.
  • step 720 includes the following steps:
  • Step 722 The first terminal device updates the service key corresponding to the first multicast service according to the key update message.
  • the security key is not issued directly by the core network device to the terminal device, but is derived by the terminal device layer by layer from the root key issued by the core network device.
  • after receiving the key update message from the core network device, the first terminal device first updates the service key corresponding to the first multicast service, and then further updates the security key from the updated service key.
  • the name of the service key differs between multicast services.
  • when the first multicast service includes the multicast service in V2X or the multicast service in ProSe, the service key is called the service key; when the first multicast service includes MBMS, the service key may be called a service key or a service key. It should be understood that during the evolution of the communication protocol, the service key may acquire new names, but all perform the same function, and these new names should also fall within the protection scope of this application.
  • the parameters used to derive the service key include a group key (also called a root key) and a key calculation parameter.
  • the key calculation parameter includes a random number.
  • in the derivation input parameters, the original P0 is redesigned as a random number. That is, on the basis of the above Table 3, P0 (group member identifier) is replaced by Nonce_1, as shown in the following Table 5.
  • the key update message includes at least one of the following: the updated key calculation parameter, and the updated group key.
  • when the first multicast service group is updated, the core network device checks whether the group key corresponding to the first multicast service group has expired. Optionally, the core network device sets a usage time limit for the group key: when the group key is outside the usage time limit it has expired, and when it is within the usage time limit it has not expired. When the group key has expired, the core network device generates an updated group key and issues it to the first terminal device, that is, the key update message includes the updated group key; when the group key has not expired, the core network device generates an updated key calculation parameter and delivers it to the first terminal device, that is, the key update message includes the updated key calculation parameter.
  • Step 724 the first terminal device updates the security key according to the updated service key.
  • after deriving the updated service key from the key update message, the first terminal device further updates the security key according to the updated service key, in order to remain compatible with the established key system.
  • for the manner in which the first terminal device updates the security key according to the updated service key, reference may be made to the foregoing Table 4; details are not repeated here.
  • the security key includes at least one of the following: an encryption key, an integrity protection key;
  • the security key may include a traffic key, or at least one of the following: an encryption key and an integrity protection key. It should be understood that during the evolution of the communication protocol, the service key may acquire new names, but all perform the same function, and these new names should also fall within the protection scope of this application.
  • the terminal equipment included in the updated multicast service group derives the updated service key from the key update message and further derives the updated security key from the updated service key, so that the updated security key is effectively compatible with the established key system in the multicast service.
  • the core network device adopts different key update methods depending on whether the group key corresponding to the multicast service has expired. When the group key has not expired, only the key calculation parameters are updated. Since updating the key calculation parameters requires fewer computing resources than updating the group key, the embodiment of the present application proposes a lightweight key update method, which helps reduce the computational overhead of the core network device in generating the update content and the computational overhead of the terminal device in deriving the security key.
  • the update of the first multicast service group includes at least one of the following possibilities: a UE in the first multicast service group actively withdraws, or the core network device cancels terminal equipment in the first multicast service group.
  • the above method further includes the following steps:
  • Step 801 the second terminal device sends a service cancellation request to the core network device.
  • the second terminal device refers to a terminal device in the first multicast service group before the update that needs to cancel the multicast service.
  • the second terminal device can send a service cancellation request to the core network device to request to quit the first multicast service group.
  • the service withdrawal request is a NAS message.
  • This embodiment of the present application does not limit the content of the service revocation request.
  • the service revocation request includes at least one of the following: a multicast service group identifier (GID) and an identifier of the first terminal device.
  • GID: multicast service group identifier
  • Step 803 the core network device cancels the second terminal device from the first multicast service group according to the service cancellation request.
  • after receiving the service cancellation request from the second terminal equipment, the core network device parses the request and can determine the terminal equipment that requests to withdraw from the multicast service, that is, the second terminal equipment, and the multicast service group where the second terminal equipment is located, that is, the first multicast service group. Thus, the core network device withdraws the second terminal device from the first multicast service group in response to its service withdrawal request.
  • the core network device revoking the second terminal device from the first multicast service group includes: deleting information related to the second terminal device, such as the identifier of the second terminal device, from the member list corresponding to the first multicast service group.
  • Step 805: the core network equipment sends a service cancellation response to the second terminal equipment, where the service cancellation response is used to indicate to the second terminal device that its withdrawal from the first multicast service group is complete.
  • the core network device may also not send a service cancellation response to the second terminal device, because after the subsequent update the remaining terminal devices in the first multicast service group have updated their security keys, and the second terminal device cannot use its original security key to continue the multicast service.
  • after sending the service cancellation request, the second terminal device withdraws from the multicast service by default, that is, withdraws from the first multicast service group by default; or, if the second terminal device does not receive a response to the service cancellation request from the core network device within a period of time after sending it, it withdraws from the multicast service by default. For example, the second terminal device starts a timer after sending the service cancellation request. If it receives a service cancellation response from the core network device while the timer is running, it determines that it has been withdrawn from the first multicast service group. If the timer expires and it has still not received a service cancellation response from the core network device, it treats itself as withdrawn from the first multicast service group by default.
  • alternatively, if the timer expires and the second terminal device has not yet received a service cancellation response from the core network device, it may also default to not having been withdrawn from the first multicast service group.
  • the terminal device may re-send the service cancellation request to the core network device.
  • the above method further includes the following steps:
  • Step 802 the core network device cancels the third terminal device from the first multicast service group when the subscription service of the third terminal device for the first multicast service expires.
  • the third terminal device refers to a terminal device in the first multicast service group before the update.
  • the core network equipment determines whether the subscription service of each terminal equipment for the first multicast service expires.
  • the core network device determines in real time whether the subscription service of each terminal device has expired; or, the core network device determines at preset intervals whether the subscription service of each terminal device has expired. When the core network device determines that the subscription service of the third terminal device in the first multicast service group has expired, the third terminal device is withdrawn from the first multicast service group.
  • a subscription duration or subscription termination time is set for each terminal device subscribing to the first multicast service, so that the core network device can determine whether each terminal device may still obtain the first multicast service. For example, when each terminal device corresponds to a subscription duration, the core network device determines whether the duration for which each terminal device has obtained the first multicast service reaches the subscription duration, and if so, determines that the terminal device's subscription service for the first multicast service has expired. For another example, when each terminal device corresponds to a subscription termination time, the core network device determines whether the current time at which each terminal device obtains the first multicast service reaches the subscription termination time, and if so, determines that the terminal device's subscription service for the first multicast service has expired.
  • the same subscription duration or subscription termination time is set for the terminal devices in the first multicast service group; or, different subscription durations or different subscription termination times are set for different terminal devices in the first multicast service group.
  • for example, a longer subscription duration is set for a terminal device that pays a higher fee.
  • Step 804: the core network equipment sends revocation prompt information to the third terminal device, where the revocation prompt information is used to indicate to the third terminal device that its revocation from the first multicast service group is complete.
  • the core network device also sends a service cancellation reason to the third terminal device, which indicates the reason why the core network device withdrew the third terminal device from the first multicast service group; for example, the reason for the service withdrawal is that the subscription service of the third terminal equipment for the first multicast service has expired.
  • the reason for service revocation is carried in the revocation prompt information, so as to reduce the signaling exchange between the core network device and the terminal device, and reduce the signaling overhead of the core network device.
  • the technical solutions provided by the embodiments of the present application enable the terminal equipment to send a service cancellation request to the core network equipment when it needs to cancel the multicast service, so as to withdraw from the multicast service group in which it is located, thereby enriching the functions of the multicast service and realizing the purpose of flexibly withdrawing from the multicast service.
  • the core network device sends a service revocation response to the terminal device after revoking the terminal device that sent the service revocation request from the multicast service group, so that the terminal device can clearly know whether it has successfully withdrawn from the multicast service.
  • the technical solutions provided by the embodiments of the present application have the core network device determine whether the subscription service of each terminal device in the multicast service group for the multicast service has expired, and cancel in time the terminal devices whose subscription service has expired, so as to prevent these terminal devices from accessing the multicast service free of charge, thus avoiding unnecessary losses to providers of multicast services.
  • after revoking the terminal device whose subscription service has expired, the core network device further sends revocation prompt information to the terminal device, so as to notify it in time; the terminal device can then grasp in time that it can no longer obtain the multicast service and deal with the situation promptly, for example to restore the multicast service.
  • FIG. 9 only takes the V2X multicast communication system as an example, and does not constitute a limitation on the technical solution of the present application.
  • the technical solution of the invention is applicable to other multicast communication systems, such as MBMS (or referred to as MBS), which shall fall within the protection scope of the present application.
  • FIG. 9 shows a flowchart of a key update method provided by an embodiment of the present application.
  • the method can be applied to the system architecture shown in FIG. 1 and FIG. 2 , and the method may include the following steps:
  • Step 910 the second terminal device sends a service cancellation request to the core network device.
  • the second terminal device refers to a terminal device in the first multicast service group that needs to cancel the multicast service.
  • the service withdrawal request is used to request to withdraw from the first multicast service group.
  • the service revocation request includes at least one of the following: a multicast service group identifier and an identifier of the first terminal device.
  • Step 920 The core network device cancels the second terminal device from the first multicast service group according to the service cancellation request.
  • the core network device revoking the second terminal device from the first multicast service group includes: deleting information related to the second terminal device, such as the identifier of the second terminal device, from the member list corresponding to the first multicast service group.
  • Step 930 The core network device sends a service cancellation response to the second terminal device.
  • the service revocation response is used to instruct the second terminal device to complete revocation from the first multicast service group.
  • the core network device directly cancels the second terminal device from the first multicast service group without sending a service cancellation response to the second terminal device (step 930 does not need to be executed).
  • Step 940 the core network device determines whether the group key corresponding to the first multicast service group expires.
  • the core network device sets a usage time limit for the group key; when the group key is outside the usage time limit it has expired, and when the group key is within the usage time limit it has not expired. It should be noted that this embodiment of the present application does not limit the execution sequence of step 940 and step 930; FIG. 9 shows step 940 executed after step 930 only for convenience of description.
  • Step 950 The core network device sends a key update message to the first terminal device.
  • the first terminal device refers to the terminal device included in the updated first multicast service group, that is, the remaining terminal equipment in the first multicast service group other than the revoked terminal device (the second terminal device).
  • the key update message is used to update the security key used by the first terminal device in the first multicast service group.
  • when the group key corresponding to the first multicast service group has expired, the key update message includes the updated group key; when the group key corresponding to the first multicast service group has not expired, the key update message includes the updated key calculation parameters.
  • the key calculation parameter includes a random number.
  • the core network device directly sends the key update message to the first terminal device when it determines that the first multicast service group is updated (for example, on receiving a service revocation request from the second terminal device). That is, the core network device does not need to determine whether the group key corresponding to the first multicast service group has expired (step 940 need not be performed), and in this case the key update message carries the updated group key by default, or carries the updated key calculation parameters by default. It should be noted that this embodiment of the present application does not limit the execution timing of step 950.
  • step 950 is executed after step 910; or, step 950 is executed after step 920; or, step 950 and step 920 are executed simultaneously.
  • Step 960 the first terminal device updates the service key (PTK) corresponding to the first multicast service according to the key update message; and updates the security keys (PEK and PIK) according to the updated service key (PTK).
  • PTK: service key
  • PEK and PIK: security keys
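  • The key update of steps 910 to 960 and the two-stage derivation of step 720, as an added Python model that is not part of the patent: the core network withdraws a device (on its own service cancellation request, or when its subscription expires), checks whether the group key is past its usage time limit, and sends the remaining members either a fresh group key or only a fresh key calculation parameter (the lightweight case); each remaining terminal derives PTK and then PEK/PIK, while the withdrawn device never receives the message. The HMAC-SHA256 KDF, the 32-byte key lengths, the class and label names and the message layout are assumptions standing in for the derivation inputs of the page's Tables 3 to 5.

```python
"""Constructed model of the multicast group key update (not the patent's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

KEY_LEN = 32  # assumed key and nonce length in bytes


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over a label and length-prefixed parameters."""
    mac = hmac.new(key, label, hashlib.sha256)
    for p in params:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()


def derive_service_key(group_key: bytes, nonce: bytes) -> bytes:
    # Service key (PTK) from the group (root) key and the key calculation
    # parameter; the nonce plays the role of Nonce_1 replacing P0 (Table 5).
    return kdf(group_key, b"PTK", nonce)


def derive_security_keys(ptk: bytes) -> tuple[bytes, bytes]:
    # Security keys: encryption key (PEK) and integrity protection key (PIK).
    return kdf(ptk, b"PEK"), kdf(ptk, b"PIK")


@dataclass
class KeyUpdateMessage:
    """Key update message content: exactly one of the two fields is set."""
    group_key: Optional[bytes] = None  # updated group key (group key expired)
    nonce: Optional[bytes] = None      # updated key calculation parameter


class Terminal:
    def __init__(self, uid: str, group_key: bytes, nonce: bytes) -> None:
        self.uid, self.group_key, self.nonce = uid, group_key, nonce
        self._refresh()

    def _refresh(self) -> None:
        # Step 960: update PTK first, then PEK/PIK from the updated PTK.
        self.ptk = derive_service_key(self.group_key, self.nonce)
        self.pek, self.pik = derive_security_keys(self.ptk)

    def apply_update(self, msg: KeyUpdateMessage) -> None:
        if msg.group_key is not None:
            self.group_key = msg.group_key
        if msg.nonce is not None:
            self.nonce = msg.nonce
        self._refresh()


class CoreNetwork:
    def __init__(self, lifetime: float, now: float) -> None:
        self.group_key = secrets.token_bytes(KEY_LEN)
        self.nonce = secrets.token_bytes(KEY_LEN)
        self.issued_at, self.lifetime = now, lifetime
        self.members: dict[str, Terminal] = {}        # member list of the group
        self.subscription_end: dict[str, float] = {}  # per-device subscription

    def join(self, uid: str, subscription_end: float) -> Terminal:
        t = Terminal(uid, self.group_key, self.nonce)
        self.members[uid] = t
        self.subscription_end[uid] = subscription_end
        return t

    def group_key_expired(self, now: float) -> bool:
        # Step 940: the group key is outside its usage time limit.
        return now - self.issued_at >= self.lifetime

    def _remove(self, uid: str) -> None:
        self.members.pop(uid)
        self.subscription_end.pop(uid)

    def _rekey_remaining(self, now: float) -> KeyUpdateMessage:
        # Step 950: lightweight update (new nonce) unless the group key expired.
        if self.group_key_expired(now):
            self.group_key = secrets.token_bytes(KEY_LEN)
            self.issued_at = now
            msg = KeyUpdateMessage(group_key=self.group_key)
        else:
            self.nonce = secrets.token_bytes(KEY_LEN)
            msg = KeyUpdateMessage(nonce=self.nonce)
        for t in self.members.values():  # withdrawn devices never receive it
            t.apply_update(msg)
        return msg

    def service_cancellation(self, uid: str, now: float) -> KeyUpdateMessage:
        # Steps 910 and 920: device-initiated withdrawal, then rekey the group.
        self._remove(uid)
        return self._rekey_remaining(now)

    def expire_subscriptions(self, now: float):
        # Step 802: network-initiated withdrawal of devices whose subscription ended.
        expired = [u for u, end in self.subscription_end.items() if end <= now]
        for u in expired:
            self._remove(u)
        return expired, (self._rekey_remaining(now) if expired else None)
```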
  • the key update method provided by the present application is described mainly from the perspective of interaction between the first terminal device, the second terminal device and the core network device.
  • the above-mentioned steps performed by the first terminal device can be independently implemented as a key update method on the first terminal device side; the above-mentioned steps performed by the core network device can be independently implemented as a key update method on the core network device side.
  • FIG. 10 shows a block diagram of a key update apparatus provided by an embodiment of the present application.
  • the apparatus has the function of implementing the above-mentioned first terminal device-side method example, and the function may be implemented by hardware or by executing corresponding software in hardware.
  • the apparatus may be the above-mentioned terminal equipment, or may be set in the terminal equipment.
  • the apparatus 1000 may include: a message receiving module 1010 and a key updating module 1020 .
  • the message receiving module 1010 is configured to receive a key update message from a network device.
  • a key update module 1020 configured to update the security key used by the first terminal device in the first multicast service group according to the key update message, and the first multicast service group is used to perform the first Multicast service.
  • the key update module is configured to: update the service key corresponding to the first multicast service according to the key update message; and update the security key according to the updated service key.
  • the key update message includes at least one of the following: an updated key calculation parameter, and an updated group key.
  • the key calculation parameter includes a random number.
  • when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key; when the group key has not expired, the key update message includes the updated key calculation parameter.
  • the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, and MBMS.
  • the service key includes a service key; and the first multicast service includes MBMS.
  • the security key includes at least one of the following: an encryption key and an integrity protection key;
  • the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, and MBMS.
  • the security key includes a traffic key; and the first multicast service includes MBMS.
  • FIG. 11 shows a block diagram of a key update apparatus provided by an embodiment of the present application.
  • the apparatus has the function of implementing the above-mentioned method example on the device side of the core network, and the function may be implemented by hardware, or by executing corresponding software in the hardware.
  • the apparatus may be the core network equipment described above, or may be provided in the core network equipment.
  • the apparatus 1100 may include: a message sending module 1110 .
  • the message sending module 1110 is configured to send a key update message to the first terminal device when the first multicast service group is updated, where the key update message is used to update the security key used by the first terminal device in the first multicast service group, and the first multicast service group is used to perform the first multicast service.
  • the key update message includes at least one of the following: an updated key calculation parameter, and an updated group key.
  • the key calculation parameter includes a random number.
  • when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key; when the group key has not expired, the key update message includes the updated key calculation parameter.
  • the security key includes at least one of the following: an encryption key and an integrity protection key;
  • the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, and MBMS.
  • the security key includes a traffic key; and the first multicast service includes MBMS.
  • the apparatus 1100 further includes: a request receiving module 1120, configured to receive a service cancellation request from the second terminal device; and a device cancellation module 1130, configured to withdraw the second terminal device from the first multicast service group according to the service cancellation request.
  • the service revocation request includes at least one of the following items: a multicast service group identifier, and an identifier of the first terminal device.
  • the apparatus 1100 further includes: a response sending module 1140, configured to send a service withdrawal response to the second terminal device, where the service withdrawal response is used to indicate to the second terminal device that its revocation from the first multicast service group is complete.
  • when the device provided in the above embodiment realizes its functions, the division into the above functional modules is used only as an example for illustration. In practical applications, the above functions can be allocated to different functional modules according to actual needs; that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above.
  • FIG. 13 shows a schematic structural diagram of a terminal device 130 provided by an embodiment of the present application.
  • the terminal device can be used to execute the above-mentioned first terminal device side key update method.
  • the terminal device 130 may include: a processor 131, and a transceiver 132 connected to the processor 131; wherein:
  • the processor 131 includes one or more processing cores, and the processor 131 executes various functional applications and information processing by running software programs and modules.
  • Transceiver 132 includes a receiver and a transmitter.
  • transceiver 132 is a communication chip.
  • the terminal device 130 further includes: a memory and a bus.
  • the memory is connected to the processor through a bus.
  • the memory can be used to store a computer program, and the processor is used to execute the computer program, so as to implement each step performed by the first terminal device in the above method embodiment.
  • the memory may be implemented by any type or combination of volatile or non-volatile storage devices, including but not limited to: RAM (Random-Access Memory) and ROM (Read-Only Memory), EPROM (Erasable Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other solid-state storage technology, CD-ROM (Compact Disc Read-Only Memory), DVD (Digital Video Disc) or other optical storage, tape cassettes, tapes, disk storage or other magnetic storage devices. Wherein:
  • the transceiver 132 is configured to receive a key update message from a network device.
  • the processor 131 is configured to update the security key used by the first terminal device in the first multicast service group according to the key update message, and the first multicast service group is used to perform the first Multicast service.
  • the processor 131 is configured to: update the service key corresponding to the first multicast service according to the key update message; and update the security key according to the updated service key.
  • the key update message includes at least one of the following: an updated key calculation parameter, and an updated group key.
  • the key calculation parameter includes a random number.
  • when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key; when the group key has not expired, the key update message includes the updated key calculation parameter.
  • the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, and MBMS.
  • the service key includes a service key; and the first multicast service includes MBMS.
  • the security key includes at least one of the following: an encryption key and an integrity protection key;
  • the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, and MBMS.
  • the security key includes a traffic key; and the first multicast service includes MBMS.
  • FIG. 14 shows a schematic structural diagram of a core network device 1413 provided by an embodiment of the present application.
  • the core network device can be used to execute the above-mentioned core network device-side key update method.
  • the core network device 1413 may include: a processor 141, and a transceiver 142 connected to the processor 141; wherein:
  • the processor 141 includes one or more processing cores, and the processor 141 executes various functional applications and information processing by running software programs and modules.
  • Transceiver 142 includes a receiver and a transmitter.
  • transceiver 142 is a communication chip.
  • the core network device 1413 further includes: a memory and a bus.
  • the memory is connected to the processor through a bus.
  • the memory can be used to store a computer program, and the processor is used to execute the computer program, so as to implement various steps performed by the core network device in the above method embodiments.
  • the memory may be implemented by any type or combination of volatile or non-volatile storage devices including, but not limited to: RAM and ROM, EPROM, EEPROM, flash memory or other solid-state storage technology, CD-ROM, DVD or other optical storage, tape cartridges, magnetic tape, magnetic disk storage or other magnetic storage devices. Wherein:
  • the transceiver 142 is configured to send a key update message to the first terminal device when the first multicast service group is updated, where the key update message is used to update the security key used by the first terminal device in the first multicast service group, and the first multicast service group is used to perform the first multicast service.
  • the key update message includes at least one of the following: an updated key calculation parameter, and an updated group key.
  • the key calculation parameter includes a random number.
  • when the group key corresponding to the first multicast service has expired, the key update message includes the updated group key; when the group key has not expired, the key update message includes the updated key calculation parameter.
  • the security key includes at least one of the following: an encryption key and an integrity protection key;
  • the first multicast service includes any one of the following: a multicast service in V2X, a multicast service in ProSe, and MBMS.
  • the security key includes a traffic key; and the first multicast service includes MBMS.
  • the transceiver 142 is configured to receive a service withdrawal request from the second terminal device; the processor 141 is configured to withdraw the second terminal device from the first multicast service group according to the service withdrawal request.
  • the service withdrawal request includes at least one of the following items: a multicast service group identifier, and an identifier of the first terminal device.
  • the transceiver 142 is configured to send a service withdrawal response to the second terminal device, where the service withdrawal response is used to indicate that the second terminal device has finished withdrawing from the first multicast service group.
  • Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is to be executed by a processor of a terminal device to implement the above-described key update method on the first terminal device side.
  • Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored in the storage medium, and the computer program is to be executed by a processor of a core network device to implement the above-described key update method on the core network device side.
  • An embodiment of the present application further provides a chip, where the chip includes a programmable logic circuit and/or program instructions, and when the chip runs on a terminal device, it is used to implement the above-described key update method on the first terminal device side.
  • An embodiment of the present application further provides a chip, where the chip includes a programmable logic circuit and/or program instructions, and when the chip runs on a core network device, it is used to implement the above-described key update method on the core network device side.
  • Embodiments of the present application further provide a computer program product which, when run on a terminal device, causes the computer to execute the above-described key update method on the first terminal device side.
  • Embodiments of the present application further provide a computer program product which, when run on a core network device, causes the computer to execute the above-described key update method on the core network device side.
  • Computer-readable media include both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another.
  • A storage medium can be any available medium that can be accessed by a general-purpose or special-purpose computer.
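The two sides of the exchange laid out in the terminal-side (transceiver 132 / processor 131) and core-network-side (transceiver 142 / processor 141) paragraphs above, as an added example that is not part of the patent: the core network decides from the group key's expiry what the key update message carries, and the terminal re-derives its service key and then its encryption and integrity protection keys from it. The KDF (HMAC-SHA256), the key lifetime, the dict message layout and the choice to always carry a fresh random number are assumptions, not something the patent specifies.

```python
# Added example (assumptions: HMAC-SHA256 as KDF, message carried as a dict)
import hashlib
import hmac
import secrets

def kdf(key: bytes, label: bytes, param: bytes = b"") -> bytes:
    """32-byte key derivation; the patent names no KDF, HMAC-SHA256 is assumed."""
    return hmac.new(key, label + param, hashlib.sha256).digest()

def derive_keys(group_key: bytes, rand: bytes) -> dict:
    """Service key from the group key and the random number (the key calculation
    parameter), then encryption and integrity keys from the service key."""
    service_key = kdf(group_key, b"service", rand)
    return {"service": service_key,
            "enc": kdf(service_key, b"enc"),
            "int": kdf(service_key, b"int")}

class CoreNetwork:  # core network device side
    def __init__(self, lifetime: int, now: int):
        self.lifetime = lifetime
        self.group_key = secrets.token_bytes(32)
        self.expiry = now + lifetime          # assumed group key lifetime
        self.rand = secrets.token_bytes(16)

    def build_update(self, now: int) -> dict:
        """Key update message sent when the group is updated: a fresh random
        number always, a new group key only once the current one has expired."""
        self.rand = secrets.token_bytes(16)
        msg = {"random": self.rand}
        if now >= self.expiry:
            self.group_key = secrets.token_bytes(32)
            self.expiry = now + self.lifetime
            msg["group_key"] = self.group_key
        return msg

    def keys(self) -> dict:
        return derive_keys(self.group_key, self.rand)

class Terminal:  # first terminal device side
    def __init__(self, group_key: bytes, rand: bytes):
        self.group_key, self.rand = group_key, rand
        self.keys = derive_keys(group_key, rand)

    def apply_update(self, msg: dict) -> dict:
        """Update the service key from the message, then the security keys."""
        self.group_key = msg.get("group_key", self.group_key)
        self.rand = msg.get("random", self.rand)
        self.keys = derive_keys(self.group_key, self.rand)
        return self.keys
```

A terminal that has withdrawn (and so never receives the message) keeps deriving from the old random number and group key, which is why its keys diverge from the group's after the update.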

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present application relates to the technical field of communications and discloses key update methods, apparatus and devices, and a storage medium. One method comprises the following steps: a core network device sends a key update message to a first terminal device when a first multicast service group is updated, the key update message being used to update a security key used by the first terminal device in the first multicast service group, and the first multicast service group being used to perform a first multicast service; and the first terminal device updates the security key according to the key update message. Embodiments of the present application enrich the functions corresponding to a multicast service, guarantee the security of a multicast service performed in an updated multicast service group, and improve the security guarantee mechanism of the multicast service.

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2020/110081 WO2022036600A1 (fr) 2020-08-19 2020-08-19 Key update methods, apparatus and devices, and storage medium
CN202080101919.3A CN115918119A (zh) 2020-08-19 2020-08-19 Key update method, apparatus, device and storage medium

Publications (1)

Publication Number Publication Date
WO2022036600A1 true WO2022036600A1 (fr) 2022-02-24

Family

ID=80322398

Country Status (2)

Country Link
CN (1) CN115918119A (fr)
WO (1) WO2022036600A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101102552A (zh) * 2007-08-16 2008-01-09 中兴通讯股份有限公司 Service key update method and system
CN101141789A (zh) * 2006-09-07 2008-03-12 华为技术有限公司 Method and system for determining key update time
CN101800943A (zh) * 2010-03-31 2010-08-11 西安西电捷通无线网络通信股份有限公司 Multicast key negotiation method and system suitable for a group call system
CN102711104A (zh) * 2006-09-07 2012-10-03 华为技术有限公司 Method for determining key update time and key-using entity

Non-Patent Citations (1)

Title
HUAWEI, HISILICON: "Discussion on Unified Group Key Management", 3GPP Draft S3-201201, 3rd Generation Partnership Project (3GPP), Mobile Competence Centre, 650 route des Lucioles, F-06921 Sophia-Antipolis Cedex, France, vol. SA WG3, Online Meeting, 11-15 May 2020, published 1 May 2020, XP051879839 *

Also Published As

Publication number Publication date
CN115918119A (zh) 2023-04-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20949811; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20949811; Country of ref document: EP; Kind code of ref document: A1)