CN100442923C - A periodical updating method for transmission encrypted symmetric keys - Google Patents
A periodical updating method for transmission encrypted symmetric keys Download PDFInfo
- Publication number
- CN100442923C CN100442923C CNB2005100816260A CN200510081626A CN100442923C CN 100442923 C CN100442923 C CN 100442923C CN B2005100816260 A CNB2005100816260 A CN B2005100816260A CN 200510081626 A CN200510081626 A CN 200510081626A CN 100442923 C CN100442923 C CN 100442923C
- Authority
- CN
- China
- Prior art keywords
- tek
- time
- key
- grace
- life cycle
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Abstract
A method for updating periodicity of transmission enciphering cipher code pair includes setting lifetime period of each TEK to be two update periods, generating one new TEK at time when each update period is ended by BS to supplement TEK that lifetime period is ended in update period, sending current two TEK to MS/SS through response message of cipher code when cipher code request message is sent in TEK Grace Time by MS/SS is received at each time, setting start-up time of TEK Grace Time to be in two idle-port time delay before lifetime of TEK being formed previously is ended.
Description
Technical field
The present invention relates to mobile communication technology, particularly a kind of right periodical update method of traffic encryption key of eating dishes without rice or wine to encrypt of being used to.
Background technology
In communication system, fail safe is an important indicator of estimating a communication system quality always.Along with the development of cryptography and cryptoanalysis,, also more challenge has been proposed for the safety of system simultaneously for the safety of communication system provides how available advanced technology.Particularly in mobile radio system, because the opening and the mobility of mobile radio system, the assailant can be easily monitors user's communications eating dishes without rice or wine, and therefore need encrypt and authenticate the data of eating dishes without rice or wine.And in moving process, more restriction and requirement have been proposed also for the distribution of key and management, make safety issue seem particularly important.
802.16d/e serial protocols has defined WiMAX and has fixed and moved the standard that inserts the part of eating dishes without rice or wine, safety for the data that guarantee to eat dishes without rice or wine, protocol definition a Security Sublayer (Privacy Sublayer), be used to realize the encryption and the authentication of authentication, key distribution management and follow-up data to the user.In the verification process, BS (Base Station, the base station) and MS/SS (Mobile Station, travelling carriage) passes through PKM (Privacy Key Management between (hereinafter to be referred as MS), security key management) agreement produces, distributes and managing keys, and authentication result is exactly to have had a basic key AK who is used to derive from other key resource between MS and BS.Communicating pair derives KEK (KeyEncryption Key, key-encrypting key) according to the algorithm of a safety from AK.AK or KEK are not directly used in data encryption, are used for the cipher key T EK Traffic Encryption Key of data encryption, traffic encryption key) produce at random by BS, and be distributed to MS after using KEK to encrypt.In order further to strengthen fail safe, AK and TEK are set in certain life cycle effective.In the guard time before the end of life of AK, MS must finish and BS between re-authentication (Re-authentication) to produce new AK; In the guard time before the TEK end of life, the TEK that MS must please look for novelty to BS by interacting message.In addition, in 802.16e, when MS roams into a new target BS, also to carry out network (network re-entry) process of reentrying,, obtain the key resource by re-authentication or back-end network (Backhaul) according to corresponding security strategy.
As shown in Figure 1, in order in the TEK renewal process, to guarantee service transmission continuity, MS and BS are synchronously safeguarding a plurality of SA (Security Association, safety connects) information, comprised SAID (being used to identify a safety connects), corresponding cryptographic algorithm parameter and TEK key information etc. in the safe link information.In the BS side is that each SA regularly produces new TEK, to guarantee at each is that a SA is safeguarding two available TEK constantly, the time used of each TEK is shown in shade line segment among Fig. 1, the life cycle length of each TEK is identical, but all exist the overlapping of half life cycle, for example overlapping etc. between overlapping, the TEK2TEK3 between overlapping, TEK1 between TEK0 among Fig. 1 and the TEK1 and the TEK2.MS need be to the safe link information of BS request to its mandate after access is finished and passed through authentication.This process may be to finish in the message interaction process of authentication, sends SA information by authentication response message Auth Reply to MS as BS in the Revest-Shamir-Adleman Algorithm (RSA) authentication mode among the 802.16d; Also may be after authentication is finished, finish,, finish the distribution of SA information by a SA-TEK three-way handshake message interaction process as in the PKMV2 of 802.16e/D8 by a specific message interaction process.In addition, BS also may send SA information to MS by the mode that initiatively sends message, as SAAdd message.MS is after the SA information that obtains the BS mandate, MS or BS connect the mapping relations of specifying with a SA, after connection is set up successfully, all data of transmitting in this connection all will use the cryptographic algorithm and the key of appointment among the corresponding SA to encrypt.In order further to strengthen fail safe, MS must be that the SA of current maintenance begins the key resource that please look for novelty in the suitable moment.Current 802.16d/e agreement has defined a TEK state machine for each SA on MS, in this state machine, defined a TEK Grace Time, it is illustrated in a time interval territory before the TEK life cycle finishes, starting point x as shown in Figure 1 in this time-domain, on the y, MS must begin to initiate the key resource of Key Request looking for novelty, BS responds with Key Reply message after receiving request message, comprised two the available TEK of current time that use KEK to encrypt in this message, and Ciphering Key Sequence Number separately and residue life cycle length.After MS received Key Reply, judgement was existed side by side and is promptly used new TEK that upstream data is encrypted according to Ciphering Key Sequence Number.On BS, use all the time that older TEK encrypts downlink data among two available TEK, detailed process is as shown in Figure 1.
BS has comprised the TEK that uses KEK to encrypt in the Key Reply message that MS sends, the sequence number of TEK and residue life cycle length, according to analysis, BS structure also sends moment of this message and MS receives this message and brings into use between moment of new key and differs a time delay of eating dishes without rice or wine.Just two time points of a in the drawings, b differ the time delay of eating dishes without rice or wine, and are made as Tdelay.Generally speaking, this time delay is a Millisecond.But the TEK Grace Time that defines in the agreement is recommended as 5 minutes~3.5 days (seeing agreement 10.2 for details) at present, and its concluding time point is identical with the out-of-service time of TEK.Therefore, if on the x time point, begin to send Key Request message, BS receives that in most cases the time of this message is before time point a, before this time point, BS does not also produce new key, like this, BS will be two available keys of current time, for example: TEK0 and TEK1 send to MS by Key Reply message once more.MS receives the key information of finding not comprise renewal after the Key Reply message, will initiate key request Key Request once more, though the last length TEK0 Key Request message that a very short moment sends before losing efficacy may reach BS behind time point a, thereby obtains new cipher key T EK2.But; the Key Request message of MS transmission all reaches BS before time point a in most cases; thereby greatly wasted interface-free resources; and to some degree, effective in the agreement for guaranteeing that key updating completed successfully in guard time TEK Grace Time the time interval very short before old TEK lost efficacy that provides.If the Key Request message that MS sends in this very short guard time has taken place to lose, will cause MS can't obtain new key, thereby cause the discontinuity of business data transmission.
Summary of the invention
The present invention discloses the right periodical update method of a kind of traffic encryption key, the problem of low, the waste interface-free resources of success rate when upgrading traffic encryption key to solve in the prior art.
The periodical update method that a kind of traffic encryption key is right is two update cycles according to the life cycle of each TEK of 802.16d/e agreement, and BS generates a new TEK when each update cycle finishes, in order to replenish the TEK that life cycle wherein finishes; Described update method comprises the steps:
Mobile station MS/SS determines the out-of-service time of the TEK that elder generation generates according to current two TEK residue life cycle length the key response message Key Reply that obtains from BS;
The zero-time that described MS/SS sets TEK guard time TEK Grace Time deducts the difference of two time delays of eating dishes without rice or wine more than or equal to the described out-of-service time and smaller or equal to the described out-of-service time;
Described MS/SS begins to send secret key request message in the zero-time of TEK Grace Time.
Set at described MS/SS before the zero-time of TEK guard time TEK Grace Time, also comprise:
Described MS/SS utilizes two TEK of the current preservation of BS side of obtaining to upgrade local two TEK that preserve, and judge whether two TEK before and after described the renewal are corresponding identical, if then send secret key request message once more to BS, otherwise with TEK Grace Time zero clearing.
Described TEK Grace Time is 5 minutes~3.5 days.
The described time delay of eating dishes without rice or wine is by measuring statistics or calculating and estimate to obtain.
The periodical update method that a kind of traffic encryption key is right, life cycle according to each traffic encryption key TEK of 802.16d/e agreement is two update cycles, base station BS generates a new TEK when each update cycle finishes, in order to replenish the wherein TEK of life cycle end; Described update method comprises the steps:
Mobile station MS/SS remains service time according to current two TEK the key response message Key Reply that obtains from BS, determines the out-of-service time of the TEK that elder generation generates; Described TEK residue service time, the residue life cycle length for each TEK added a time expand, and this time expand deducts two differences of eating dishes without rice or wine to delay time and is less than or equal to TEK Grace Time more than or equal to TEK Grace Time;
The zero-time that described MS/SS sets TEK guard time TEK Grace Time is to deduct TEK Grace Time the described out-of-service time;
Described MS/SS begins to send secret key request message in the zero-time of TEK Grace Time.
Described TEK Grace Time is 5 minutes~3.5 days of agreement regulation.
The described time delay of eating dishes without rice or wine is by measuring statistics or calculating and estimate to obtain.
The beneficial effect that technical solution of the present invention is brought: the time that begins to send the key updating request message by modification MS side, improve the BS that knows clearly receives this request message after having produced new key probability, therefore improved interacting message just can be successfully the probability of new key more, reduced the waste of interface-free resources.
Description of drawings
Fig. 1 is the TEK new technological process sequential chart more in the existing protocol;
Fig. 2 is the TEK new technological process sequential chart more of embodiment one of the present invention;
Fig. 3 is the TEK new technological process sequential chart more of embodiment two of the present invention.
Embodiment
In the definition about TEK Grace Time in the present 802.16d/e agreement, the concluding time of TEK Grace Time was defined on the out-of-service time of TEK, corresponding zero-time then deducts the length of TEK Grace Time for the out-of-service time of TEK, this has just caused repeatedly useless mutual Key Request and the Key Reply before new key more that exists in the prior art, thus the problem of waste interface-free resources.
Technical scheme provided by the invention has solved in the prior art and has had problems, guaranteed that the secret key request message that MS sends can be received after BS has produced new key in a suitable time interval, thereby successfully finish key updating, guaranteed the continuity of business data transmission in key updating process.
In order to realize purpose of the present invention, need to revise the strategy that MS initiates the key updating request, make MS on a proper time point, begin to send the key updating request message, and guarantee that BS receives this message after having produced new key in most cases.Like this, preferably under the situation, only need an interacting message just can complete successfully key updating at channel circumstance between MS and the BS.Simultaneously, owing to guaranteed that the secret key request message of MS transmission arrives BS after BS has produced new key in most cases.Even, the situation of information drop-out frequently occurs so current channel circumstance is relatively poor, as long as guard time definition is fit to, still can be through repeatedly completing successfully key updating behind the interacting message.According to above-mentioned design, this method provides two embodiments.
Embodiment one:
In order to reach the foregoing invention purpose, need to revise in the present 802.16d/e agreement definition about TEK GraceTime.With the zero-time of TEK Grace Time be defined as the old TEK life cycle of MS side finish before some moment within two time delays of eating dishes without rice or wine at the most.When MS sends Key Request message in this time interval TEK GraceTime, can guarantee after the key of BS adnation Cheng Xin, to receive this message, carry new key in the response message that returns, make the renewal of finishing transmission security key of MS success thereby make.As shown in Figure 2, the implementation method among Fig. 2 is that the starting point that will send Key Request message is set in the TEK life cycle when finishing, and specific implementation comprises following two steps:
1, BS determines the residue life cycle length of current two TEK respectively and is arranged in the Key Reply message to send to MS/SS;
2, MS obtains the residue life cycle length of each TEK and the concluding time of calculating the TEK that generates earlier from Key Reply message, for example: TEK0, the TEK1 of MS/SS side shown in Figure 2 or the concluding time of TEK2, the zero-time of setting TEK Grace Time then is to deduct at least two time delays of eating dishes without rice or wine the concluding time.
Embodiment two:
In order to reach the foregoing invention purpose, also can not revise in the current agreement definition about TEK Grace Time, only need BS when the key request of using Key Reply to MS responds, the residue life cycle of current available two TEK is added a time expand, in general, require this time expand to deduct two length and be less than or equal to TEKGrace Time of eating dishes without rice or wine to delay time more than or equal to TEK Grace Time.Like this, as shown in Figure 3, the time that the last TEK of MS lost efficacy will lag behind a time expand.In this way, the last Key Request message of initiating in the time interval at TEK Grace Time of MS can guarantee to be received after BS has produced new key in most cases.Specific implementation comprises following two steps:
1, BS determines the residue service time of current two TEK respectively and is arranged in the Key Reply message to send to MS, residue service time of TEK, the residue life cycle length for each TEK added a time expand, and this time expand deducts two length and be less than or equal to TEK Grace Time of eating dishes without rice or wine to delay time more than or equal to TEK Grace Time;
2, MS obtains the residue service time of each TEK and the out-of-service time of calculating the TEK that generates earlier from Key Reply message, and the zero-time of setting described TEK Grace Time then is to deduct TEK Grace Time the described out-of-service time.
In fact, the residue life cycle length of the residue of TEK being set each TEK service time adds that the method for a time expand is identical with embodiment one, all be that zero-time with TEK Grace Time is to pusher, message Key Request message to avoid receiving that after the key of BS adnation Cheng Xin the MS side sends has reduced message overhead.
And, as shown in Figure 1, because mutual Key Request message and the opportunity of Key Reply message and the influence of the time delay of eating dishes without rice or wine between BS and the MS, though the more preceding TEK of sequence number is more late than the BS side in the out-of-service time of MS side, but the influence of time delay and scheduling owing to eat dishes without rice or wine, MS may just receive the corresponding TEK encrypted data packet of usefulness that BS sends after TEK lost efficacy, at this moment, the MS side can't correctly be deciphered BS and be encrypted the data that send with this more preceding TEK.Present embodiment two can to a certain degree improve this problem, reason is: after the residue life cycle prolongation of BS side with TEK, the time that makes the MS side keep the more preceding TEK of sequence number prolongs relatively, encrypt the data of transmission by BS when arriving the MS side with the more preceding TEK of sequence number, even the reason of channel circumstance or scheduling caused transfer of data than long time delay, the MS side still can guarantee to use the correct data decryption of corresponding old TEK, has improved reliability of data transmission.
Among the present invention, the time delay of eating dishes without rice or wine is by measuring statistics or calculating and estimate to obtain.
The beneficial effect that technical solution of the present invention is brought: begin to send the key updating request by revising the MS side The time of message, improved BS and after having produced new key, received the probability of this request message, so carried A high interacting message just can be successfully the probability of new key more, reduced the waste of interface-free resources.
Obviously, those skilled in the art can carry out various changes and modification to the present invention and not break away from this Bright spirit and scope. Like this, if belonging to claim of the present invention, these modifications of the present invention and modification reach The range of its equivalent technologies, then the present invention also be intended to comprise these change and modification interior.
Claims (7)
1, the right periodical update method of a kind of traffic encryption key, life cycle according to each traffic encryption key TEK of 802.16d/e agreement is two update cycles, base station BS generates a new TEK when each update cycle finishes, in order to replenish the wherein TEK of life cycle end; It is characterized in that described update method comprises the steps:
Mobile station MS/SS determines the out-of-service time of the TEK that elder generation generates according to current two TEK residue life cycle length the key response message Key Reply that obtains from BS;
The zero-time that described MS/SS sets TEK guard time TEK Grace Time deducts the difference of two time delays of eating dishes without rice or wine more than or equal to the described out-of-service time and smaller or equal to the described out-of-service time;
Described MS/SS begins to send secret key request message in the zero-time of TEK Grace Time.
2, the method for claim 1 is characterized in that, sets at described MS/SS before the zero-time of TEK guard time TEK Grace Time, also comprises:
Described MS/SS utilizes two TEK of the current preservation of BS side of obtaining to upgrade local two TEK that preserve, and judge whether two TEK before and after described the renewal are corresponding identical, if then send secret key request message once more to BS, otherwise with TEK Grace Time zero clearing.
3, method as claimed in claim 1 or 2 is characterized in that, described TEK Grace Time is 5 minutes~3.5 days.
4, method as claimed in claim 3 is characterized in that, the described time delay of eating dishes without rice or wine is by measuring statistics or calculating and estimate to obtain.
5, the right periodical update method of a kind of traffic encryption key, life cycle according to each traffic encryption key TEK of 802.16d/e agreement is two update cycles, base station BS generates a new TEK when each update cycle finishes, in order to replenish the wherein TEK of life cycle end; It is characterized in that described update method comprises the steps:
Mobile station MS/SS remains service time according to current two TEK the key response message Key Reply that obtains from BS, determines the out-of-service time of the TEK that elder generation generates; Described TEK residue service time, the residue life cycle length for each TEK added a time expand, and this time expand deducts two differences of eating dishes without rice or wine to delay time and is less than or equal to TEK Grace Time more than or equal to TEK Grace Time;
The zero-time that described MS/SS sets TEK guard time TEK GraceTime is to deduct TEK Grace Time the described out-of-service time;
Described MS/SS begins to send secret key request message in the zero-time of TEK Grace Time.
6, as one of any described method of claim 5, it is characterized in that described TEK Grace Time is 5 minutes~3.5 days.
7, method as claimed in claim 6 is characterized in that, the described time delay of eating dishes without rice or wine is by measuring statistics or calculating and estimate to obtain.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2005100816260A CN100442923C (en) | 2005-06-29 | 2005-06-29 | A periodical updating method for transmission encrypted symmetric keys |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2005100816260A CN100442923C (en) | 2005-06-29 | 2005-06-29 | A periodical updating method for transmission encrypted symmetric keys |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1889769A CN1889769A (en) | 2007-01-03 |
| CN100442923C true CN100442923C (en) | 2008-12-10 |
Family
ID=37579027
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2005100816260A Expired - Fee Related CN100442923C (en) | 2005-06-29 | 2005-06-29 | A periodical updating method for transmission encrypted symmetric keys |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100442923C (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101237444B (en) * | 2007-01-31 | 2013-04-17 | 华为技术有限公司 | Secret key processing method, system and device |
| CN100461974C (en) * | 2007-05-09 | 2009-02-11 | 中兴通讯股份有限公司 | Method and apparatus for triggering key updating |
| US8392711B2 (en) * | 2009-05-27 | 2013-03-05 | Avaya Inc. | Staged establishment of secure strings of symbols |
| CN104917595B (en) * | 2015-06-16 | 2018-04-27 | 四川长虹通信科技有限公司 | Key switching method and system during a kind of coded communication |
| CN111489566A (en) * | 2020-05-19 | 2020-08-04 | 王辉 | Encryption and decryption type traffic signal control system and method for self health state monitoring |
| CN112291060A (en) * | 2020-08-08 | 2021-01-29 | 北京天润海图科技有限公司 | Secure communication method, sending end and receiving end |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030078061A1 (en) * | 2001-10-23 | 2003-04-24 | Samsung Electronics Co., Ltd. | Method and apparatus for providing commercial broadcasting service in cellular mobile communication network |
| CN1588844A (en) * | 2004-09-30 | 2005-03-02 | 西安西电捷通无线网络通信有限公司 | Method for realizing movable node and basic field managing entity key consultation |
-
2005
- 2005-06-29 CN CNB2005100816260A patent/CN100442923C/en not_active Expired - Fee Related
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030078061A1 (en) * | 2001-10-23 | 2003-04-24 | Samsung Electronics Co., Ltd. | Method and apparatus for providing commercial broadcasting service in cellular mobile communication network |
| CN1588844A (en) * | 2004-09-30 | 2005-03-02 | 西安西电捷通无线网络通信有限公司 | Method for realizing movable node and basic field managing entity key consultation |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1889769A (en) | 2007-01-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8559642B2 (en) | Cryptographic communication with mobile devices | |
| US20020120844A1 (en) | Authentication and distribution of keys in mobile IP network | |
| US7793103B2 (en) | Ad-hoc network key management | |
| KR101137340B1 (en) | Method of Providing Security for Relay Station | |
| US10523447B2 (en) | Obtaining and using time information on a secure element (SE) | |
| CN108683501B (en) | Multiple identity authentication system and method with timestamp as random number based on quantum communication network | |
| CN100442923C (en) | A periodical updating method for transmission encrypted symmetric keys | |
| US20090271626A1 (en) | Methods and devices for establishing security associations in communications systems | |
| US20020197979A1 (en) | Authentication system for mobile entities | |
| CN1937489A (en) | Network key management and session key updating method | |
| WO2006126801A1 (en) | Key handshaking method and system for wireless local area networks | |
| WO2010077910A3 (en) | Enhanced security for direct link communications | |
| CN101159639A (en) | One-way access authentication method | |
| CN100456884C (en) | Re-identifying method in wireless communication system | |
| CN102340775B (en) | Method for quickly roaming wireless client in AP (Assembly Program) and AP | |
| CN101772024A (en) | User identification method, device and system | |
| CN105407109A (en) | Data secure transmission method between Bluetooth devices | |
| US20020199102A1 (en) | Method and apparatus for establishing a shared cryptographic key between energy-limited nodes in a network | |
| Khan et al. | Secure authentication and key management protocols for mobile multihop WiMAX networks | |
| EP3506137A1 (en) | User authentication at an offline secured object | |
| CN104883372B (en) | A kind of data transmission method of anti-fraud and attack resistance based on mobile Ad hoc network | |
| EP2320691A1 (en) | Method for enhancing the security of the multicast or broadcast system | |
| KR20110058067A (en) | System and method for authenticating sink using mobile network | |
| CN101599878A (en) | Re-authentication method, system and authentication device | |
| CN110166460A (en) | Register method and device, storage medium, the electronic device of service account |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C17 | Cessation of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20081210 Termination date: 20130629 |