CN101043333A - Process method against terminal safety information of wireless network - Google Patents

Process method against terminal safety information of wireless network

Info

Publication number
CN101043333A
Authority
CN (China)
Prior art keywords
authentication device
sequence number
security information
portable terminal
authorization key
Legal status
Pending
Application number
CN 200610071347
Other languages
Chinese (zh)
Inventor
单长虹
林志斌
钟琼
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method and system for processing terminal security information in a wireless network. The method comprises: first, after a new authenticator obtains the security information held by the former authenticator, it sends a deletion notification message to the former authenticator, the message carrying the terminal's identifier information; then the former authenticator receives the notification message and deletes the security information it stores for the mobile terminal. The invention can therefore delete the security information stored in the former authenticator once the mobile terminal has moved to a new authenticator, so that invalid security information does not occupy the resources of the authenticator.

Description

Method for processing terminal security information in a wireless network
Technical field
The present invention relates to the field of wireless communication technology, and in particular to a scheme in a wireless network for processing the security information of a terminal that is held in an authenticator (authentication device).
Background
An authenticator is usually provided in a wireless communication network. As the access control point in the network, the authenticator needs to keep some security information for each terminal.
For example, in a WiMAX (Worldwide Interoperability for Microwave Access) network, the information the authenticator keeps for a terminal includes the PMK (pairwise master key) and its context, specifically the PMK sequence number and the PMK lifetime. The PMK sequence number is the sequence number of the PMK produced in a single authentication process, or, when double authentication is used, the sequence number of the PMK produced in the first authentication process together with the sequence number of the PMK produced in the second authentication process.
In a wireless communication network, the mobility of a mobile terminal frequently causes it to move from one authenticator to another, that is, to hand over from the former authenticator to a new authenticator. At that point, to guarantee reliable communication for the terminal, the new authenticator needs to obtain the security information held on the former authenticator.
At present, after the new authenticator has obtained the terminal's security information from the former authenticator, that security information is still retained on the former authenticator. Retained there, it no longer serves any purpose, and it continues to occupy the authenticator's resources.
Summary of the invention
The purpose of the invention is to provide a method for processing terminal security information in a wireless network, so that invalid security information retained in an authenticator can be deleted in time and the authenticator's resources saved.
This purpose is achieved through the following technical solution:
The invention provides a method for processing terminal security information in a wireless network, comprising:
A. after the new authenticator acquires the security information that the mobile terminal's former authenticator holds, it sends a deletion notification message to the former authenticator, the message carrying the terminal's identifier information;
B. after receiving the notification message, the former authenticator deletes the security information it holds for that mobile terminal.
Step A comprises one of the following:
A1. during handover, the gateway actively sends the mobile terminal's security information to the new authenticator;
or,
A2. during handover, the new authenticator requests the mobile terminal's security information from the gateway, and the gateway sends the security information to the new authenticator;
or,
A3. during handover, the new authenticator obtains the mobile terminal's authorization key sequence number from the gateway, and determines the mobile terminal's security information from that authorization key sequence number;
or,
A4. the new authenticator obtains the authorization key sequence number the mobile terminal is currently using from the re-authentication start message sent by the base station, and determines the mobile terminal's security information from that authorization key sequence number;
or,
A5. the new authenticator obtains the authorization key sequence number the mobile terminal is currently using from the re-authentication start message sent by the base station, and obtains a new authorization key sequence number from that authorization key sequence number and the re-authentication result.
The security information is: the pairwise master key sequence number of the single authentication process, or, with double authentication, the PMK sequence number produced in the first authentication process and the PMK sequence number produced in the second authentication process.
In the invention, when double authentication is used, step A4 comprises:
the two low-order bits of the PMK sequence number produced in the first authentication process are set equal to the two low-order bits of the authorization key, and the two low-order bits of the PMK sequence number produced in the second authentication process are set equal to the two high-order bits of the authorization key;
or,
the two low-order bits of the PMK sequence number produced in the first authentication process are set equal to the two high-order bits of the authorization key, and the two low-order bits of the PMK sequence number produced in the second authentication process are set equal to the two low-order bits of the authorization key.
In the invention, when the single authentication process is used, step A4 comprises:
the two low-order bits of the PMK sequence number are set equal to the two low-order bits of the authorization key;
or,
the two low-order bits of the PMK sequence number are set equal to the two high-order bits of the authorization key.
The two bits of the authorization key referred to above are its two high-order bits or its two low-order bits.
The information carried in the re-authentication start message comprises: a re-authentication indication and/or the identifier of the former authenticator.
The invention also provides a system for processing terminal security information in a wireless network, comprising:
an information-acquisition recognition unit, located in the new authenticator where the mobile terminal currently resides, which identifies whether the new authenticator has obtained the mobile terminal's security information and, once the corresponding security information has been obtained, triggers the security-information deletion control unit;
a security-information deletion control unit, located in the new authenticator where the mobile terminal currently resides, which, when triggered by the information-acquisition recognition unit, sends a notification message to the mobile terminal's former authenticator to delete the security information;
a security-information deletion processing unit, located in the former authenticator where the mobile terminal originally resided, which, after receiving the notification message sent by the security-information deletion control unit, controls the deletion of that mobile terminal's security information in the former authenticator.
The new authenticator is also communicatively connected to the gateway, in order to obtain the mobile terminal's security information from the gateway.
The new authenticator is also communicatively connected to the base station, in order to receive the re-authentication start message sent by the base station.
As can be seen from the technical solution above, when a mobile terminal moves under a new authenticator, the invention deletes in time the security information that the former authenticator (the anchor authenticator) holds for that terminal, thereby avoiding the unreasonable occupation of authenticator resources by invalid security information. The implementation provided by the invention is also simple to realize.
Brief description of the drawings
Fig. 1 is a schematic of the principle of the method of the invention;
Fig. 2 is schematic one of a specific implementation process of the method of the invention;
Fig. 3 is schematic two of a specific implementation process of the method of the invention;
Fig. 4 is a schematic of the structure of a specific implementation of the system of the invention.
Detailed description
To guarantee that, when a mobile terminal hands over to a new authenticator, the information that the anchor authenticator (the authenticator of the mobile terminal's former serving base station) holds for it can be deleted in time, the invention proceeds as follows: once the new authenticator has obtained information consistent with the security information stored on the anchor authenticator, the new authenticator sends a notification message to the anchor authenticator, notifying it to delete the security information it holds for that mobile terminal.
The processing scheme provided by the invention, in which the new authenticator in the wireless network obtains the PMK sequence number and notifies the anchor authenticator to delete the corresponding terminal security information, is shown in Fig. 1 and comprises the following steps:
Step 11: the new authenticator obtains information consistent with the security information stored on the anchor authenticator;
for example, the PMK sequence number produced in the single authentication process, or, with double authentication, the PMK sequence number produced in the first authentication process and the PMK sequence number produced in the second authentication process;
Step 12: when the new authenticator receives an authentication success message from the authentication server, and confirms that the mobile terminal has completed network entry or network re-entry on the current serving base station (the base station directly connected to the new authenticator), it sends a notification to the anchor authenticator to delete the security information;
Step 13: after receiving the notification, the anchor authenticator deletes the security information it holds for the mobile terminal; on the network side, the entity that generates the PMK sequence number distributes the generated sequence number to the device that uses it;
After completing the above operation, the anchor authenticator replies with a response message to the new authenticator, indicating whether the information of the corresponding mobile terminal was deleted successfully.
In the procedure above, the new authenticator obtains the information consistent with the security information stored on the anchor authenticator as follows:
during handover, the gateway actively sends to the new authenticator the security information, such as the PMK sequence number produced in the mobile terminal's single authentication process, or, with double authentication, the PMK sequence number produced in the first authentication process and the PMK sequence number produced in the second authentication process;
or, the following process can be used:
during handover, the new authenticator/gateway requests from the gateway the security information, such as the PMK sequence number produced in the single authentication process, or, with double authentication, the PMK sequence numbers produced in the first and second authentication processes, after which the gateway sends the corresponding security information to the new authenticator/gateway;
or, the following process can be used:
during handover, the new authenticator/gateway obtains the terminal's authorization key sequence number from the gateway, and then derives from that authorization key sequence number the security information, such as the PMK sequence number produced in the single authentication process, or, with double authentication, the PMK sequence numbers produced in the first and second authentication processes;
or, the following process can be used:
when the new authenticator/gateway receives a re-authentication start message from the base station, and the message carries the authorization key sequence number currently in use, the security information, such as the PMK sequence number produced in the single authentication process, or, with double authentication, the PMK sequence numbers produced in the first and second authentication processes, can be obtained from that authorization key sequence number;
or, the following process can be used:
when the new authenticator/gateway receives a re-authentication start message from the base station, and the message carries the authorization key sequence number currently in use, a new authorization key sequence number can be obtained directly from that authorization key sequence number and the authentication result.
To aid understanding of the invention, several embodiments of the invention applied to a WiMAX network are described below with reference to the drawings.
Embodiment one
As shown in Fig. 2, when applied to the authentication process the invention mainly comprises the following steps:
Step 21: during handover, security information is exchanged between the gateway and the new authenticator/gateway, so that the new authenticator/gateway obtains security information consistent with that of the anchor authenticator;
the security information comprises: the PMK sequence number produced in the single authentication process, or, with double authentication, the PMK sequence number produced in the first authentication process and the PMK sequence number produced in the second authentication process;
During handover, the exchange of security information can be realized in any of the following ways:
(1) the gateway actively sends the security information to the new authenticator/gateway;
(2) the new authenticator/gateway requests the security information from the gateway, after which the gateway sends the security information to the new authenticator/gateway;
(3) the new authenticator/gateway obtains the authorization key sequence number from the gateway, and then determines the corresponding security information from that authorization key sequence number.
Step 22: when the new authenticator receives an authentication success message from the authentication server, and knows that the mobile terminal has completed network entry or network re-entry on the current serving base station, that is, the base station directly connected to the new authenticator, it sends a notification to the anchor authenticator to delete the security information;
Step 23: after receiving the notification, the anchor authenticator deletes the security information it holds for the corresponding mobile terminal, and may reply with a response message to the new authenticator, indicating whether the information of the corresponding mobile terminal was deleted successfully.
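The three steps of Embodiment one, modelled as an added Python example (constructed illustration code, not code from the patent or from Huawei): an anchor authenticator and a new authenticator each hold a per-terminal PMK context, the gateway either pushes the context to the new authenticator (way (1)) or answers its request (way (2)), and the deletion notification carrying the terminal identifier is sent only after the authentication success message and completed network (re-)entry; the anchor then deletes its copy and answers with a success/failure response. The message layout, the `PmkContext` fields, the `handover` and `build_scenario` helpers and the terminal identifier `MS-0001` are all assumptions of this example.

```python
# Constructed example, not the patent's code. Assumptions: a PMK context is the PMK,
# its sequence number(s) and its lifetime; messages are plain dicts; the gateway keeps
# a copy of each terminal's context so it can push it or answer a request for it.
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class PmkContext:
    pmk: bytes          # pairwise master key (constructed sample bytes below)
    pmk_sns: tuple      # one PMK SN for single authentication, two for double
    lifetime: int       # remaining PMK lifetime, in seconds (assumed unit)


@dataclass
class Authenticator:
    name: str
    contexts: dict = field(default_factory=dict)   # terminal_id -> PmkContext

    def handle_delete_notification(self, msg):
        """Step B / step 23 on the anchor: drop the named terminal's context and
        reply with a response that says whether anything was actually deleted."""
        if msg.get("type") != "delete_notification" or "terminal_id" not in msg:
            return {"type": "delete_response", "success": False, "reason": "malformed"}
        tid = msg["terminal_id"]
        removed = self.contexts.pop(tid, None) is not None
        return {"type": "delete_response", "terminal_id": tid, "success": removed}


@dataclass
class Gateway:
    contexts: dict = field(default_factory=dict)   # terminal_id -> PmkContext

    def push_context(self, terminal_id, new_auth):
        """Way (1): the gateway sends the context to the new authenticator unasked."""
        new_auth.contexts[terminal_id] = deepcopy(self.contexts[terminal_id])

    def request_context(self, terminal_id):
        """Way (2): the new authenticator asks and the gateway answers."""
        return deepcopy(self.contexts[terminal_id])


def handover(terminal_id, anchor, new_auth, gateway, *, mode, auth_success, entry_complete):
    """Steps 21-23. Returns the anchor's delete_response, or None when the
    preconditions for sending the notification are not yet met."""
    # Step 21: security information exchange between gateway and new authenticator.
    if mode == "push":
        gateway.push_context(terminal_id, new_auth)
    elif mode == "request":
        new_auth.contexts[terminal_id] = gateway.request_context(terminal_id)
    else:
        raise ValueError(f"unknown exchange mode: {mode}")
    # Step 22: notify only after the authentication server reported success and
    # the terminal finished network entry / re-entry on the serving base station.
    if not (auth_success and entry_complete) or terminal_id not in new_auth.contexts:
        return None
    notification = {"type": "delete_notification", "terminal_id": terminal_id}
    # Step 23: the anchor deletes its copy and answers.
    return anchor.handle_delete_notification(notification)


def build_scenario():
    """Constructed sample state: one terminal known to the anchor and the gateway."""
    ctx = PmkContext(pmk=bytes.fromhex("00112233445566778899aabbccddeeff"),
                     pmk_sns=(0b01, 0b10), lifetime=3600)
    anchor = Authenticator("anchor", {"MS-0001": deepcopy(ctx)})
    new_auth = Authenticator("new")
    gateway = Gateway({"MS-0001": deepcopy(ctx)})
    return anchor, new_auth, gateway


if __name__ == "__main__":
    anchor, new_auth, gateway = build_scenario()
    print(handover("MS-0001", anchor, new_auth, gateway,
                   mode="push", auth_success=True, entry_complete=True))
    print("anchor still holds MS-0001:", "MS-0001" in anchor.contexts)
```

The response message lets the new authenticator tell a deletion that happened apart from one that found nothing, which is what a duplicate notification for an already-deleted terminal returns. The page says nothing about how the inter-authenticator notification itself is protected, so this model does not authenticate it; in a deployment that message would travel over whatever protected interface the network provides between authenticators.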
Embodiment two
As shown in Fig. 3, when applied to the authentication process the invention comprises the following steps:
Step 31: the new authenticator/gateway receives a re-authentication start message from the base station, and the message carries the authorization key sequence number currently in use;
the re-authentication start message may also carry at least one of a re-authentication indication and the identifier of the anchor authenticator;
from this authorization key sequence number, the new authenticator/gateway can obtain the security information, such as the PMK sequence number produced in the single authentication process, or, with double authentication, the PMK sequence number produced in the first authentication process and the PMK sequence number produced in the second authentication process;
or, from this authorization key sequence number, the new authenticator/gateway can directly obtain a new authorization key sequence number according to the authentication result.
(1) With double authentication:
the two low-order bits of the PMK sequence number produced in the first authentication process equal the two low-order bits of the authorization key, and the two low-order bits of the PMK sequence number produced in the second authentication process equal the two high-order bits of the authorization key.
Or,
the two low-order bits of the PMK sequence number produced in the first authentication process equal the two high-order bits of the authorization key, and the two low-order bits of the PMK sequence number produced in the second authentication process equal the two low-order bits of the authorization key.
(2) With the single authentication process:
the two low-order bits of the PMK sequence number equal the two low-order bits of the authorization key.
Or,
the two low-order bits of the PMK sequence number equal the two high-order bits of the authorization key.
Step 32: when the new authenticator receives an authentication success message from the authentication server, and knows that the mobile terminal has completed network entry or network re-entry on the current serving base station (the base station directly connected to the new authenticator), it sends a notification to the anchor authenticator to delete the security information. After receiving the notification, the anchor authenticator deletes the security information it holds for the mobile terminal.
Step 33: the anchor authenticator replies with a response message to the new authenticator, indicating whether the deletion succeeded.
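The bit-mapping rules of step 31 (and of step A4 in the summary), as an added Python example (constructed illustration, not code from the patent): from the authorization key sequence number carried in the re-authentication start message, compute the two low-order bits each stored PMK sequence number must have, for single and for double authentication and for both orderings of the high/low bit pair, and use that to pick the one stored context that is consistent with the key the terminal is currently using. It assumes that the "two bits of the authorization key" are bits of a 4-bit authorization key sequence number (the page only says they are its two high-order or two low-order bits), that the rule constrains the two low-order bits of the PMK sequence number, and that the candidate contexts are keyed by a terminal identifier; the function names and the sample values are this example's own.

```python
# Constructed example, not the patent's code. Assumption: the authorization key
# sequence number (AK SN) is modelled as a 4-bit value, so "its two high-order bits"
# and "its two low-order bits" are well defined; PMK SNs are small integers whose two
# low-order bits are the ones the rule constrains.
AK_SN_BITS = 4


def low2(x):
    return x & 0b11


def high2(x):
    return (x >> 2) & 0b11


def expected_pmk_sn_bits(ak_sn, double_auth, swap=False):
    """Return the tuple of two-bit values the stored PMK SN(s) must end in.

    Single authentication: one PMK SN, low bits = AK SN low bits (or high bits if swap).
    Double authentication: first PMK SN takes the AK SN low bits and the second takes
    the AK SN high bits; swap=True selects the alternative ordering the page also allows.
    """
    if not 0 <= ak_sn < (1 << AK_SN_BITS):
        raise ValueError(f"AK SN {ak_sn} does not fit in {AK_SN_BITS} bits")
    lo, hi = low2(ak_sn), high2(ak_sn)
    if not double_auth:
        return (hi,) if swap else (lo,)
    return (hi, lo) if swap else (lo, hi)


def consistent(ak_sn, stored_pmk_sns, swap=False):
    """True when every stored PMK SN ends in the bits the AK SN implies."""
    expected = expected_pmk_sn_bits(ak_sn, double_auth=len(stored_pmk_sns) == 2, swap=swap)
    return all(low2(sn) == bits for sn, bits in zip(stored_pmk_sns, expected))


def select_context(ak_sn, candidates, swap=False):
    """Step A4: among candidate contexts (terminal_id -> tuple of PMK SNs, e.g. as
    received from the gateway), return the terminal whose stored PMK SN(s) are
    consistent with the AK SN in use. Returns None when no candidate or more than
    one candidate matches, so an ambiguous match is reported rather than guessed."""
    matches = [tid for tid, sns in candidates.items() if consistent(ak_sn, sns, swap)]
    return matches[0] if len(matches) == 1 else None


SAMPLE_CANDIDATES = {                 # constructed sample data
    "MS-0001": (0b10101, 0b11110),    # double authentication, low bits 01 and 10
    "MS-0002": (0b10110, 0b11101),    # double authentication, low bits 10 and 01
    "MS-0003": (0b00111,),            # single authentication, low bits 11
}

if __name__ == "__main__":
    ak_sn = 0b1001                    # high bits 10, low bits 01
    print(expected_pmk_sn_bits(ak_sn, double_auth=True))
    print(select_context(ak_sn, SAMPLE_CANDIDATES))
```

Which of the two orderings a network uses is a deployment-wide choice; `swap` makes that explicit so that the new authenticator and the anchor authenticator cannot silently disagree about which PMK sequence number the high-order bits refer to.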
The invention also provides a system for processing terminal security information in a wireless network. As shown in Fig. 4, the specific implementation of this system mainly comprises:
an information-acquisition recognition unit, located in the new authenticator where the mobile terminal currently resides, which identifies whether the new authenticator has obtained the mobile terminal's security information and, once the corresponding security information has been obtained, triggers the security-information deletion control unit;
a security-information deletion control unit, located in the new authenticator where the mobile terminal currently resides, which, when triggered by the information-acquisition recognition unit, sends a notification message to the mobile terminal's former authenticator to delete the security information;
a security-information deletion processing unit, located in the former authenticator where the mobile terminal originally resided, which, after receiving the notification message sent by the security-information deletion control unit, controls the deletion of that mobile terminal's security information in the former authenticator.
In the system of the invention, to make it easier for the new authenticator to obtain the mobile terminal's security information held in the former authenticator, the new authenticator is also communicatively connected to the gateway, in order to obtain the mobile terminal's security information from the gateway; or, the new authenticator is also communicatively connected to the base station, in order to receive the re-authentication start message sent by the base station and, from the information carried in that message, determine the mobile terminal's security information consistent with the information held in the former authenticator.
In summary, the invention makes it possible, after a mobile terminal hands over under a new authenticator, to delete promptly and accurately the mobile terminal's security information held in the former authenticator, effectively saving authenticator resources.
The above is only a preferred embodiment of the invention, and the scope of protection of the invention is not limited to it. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the invention falls within the scope of protection of the invention. The scope of protection of the invention is therefore defined by the claims.

Claims (10)

1. A method for processing terminal security information in a wireless network, characterized in that it comprises:
A. after the new authenticator acquires the security information that the mobile terminal's former authenticator holds, it sends a deletion notification message to the former authenticator, the message carrying the terminal's identifier information;
B. after receiving the notification message, the former authenticator deletes the security information it holds for that mobile terminal.
2. The method according to claim 1, characterized in that step A comprises:
A1. during handover, the gateway actively sends the mobile terminal's security information to the new authenticator;
or,
A2. during handover, the new authenticator requests the mobile terminal's security information from the gateway, and the gateway sends the security information to the new authenticator;
or,
A3. during handover, the new authenticator obtains the mobile terminal's authorization key sequence number from the gateway, and determines the mobile terminal's security information from that authorization key sequence number;
or,
A4. the new authenticator obtains the authorization key sequence number the mobile terminal is currently using from the re-authentication start message sent by the base station, and determines the mobile terminal's security information from that authorization key sequence number;
or,
A5. the new authenticator obtains the authorization key sequence number the mobile terminal is currently using from the re-authentication start message sent by the base station, and obtains a new authorization key sequence number from that authorization key sequence number and the re-authentication result.
3. The method according to claim 2, characterized in that the security information is:
the pairwise master key sequence number of the single authentication process, or, with double authentication, the PMK sequence number produced in the first authentication process and the PMK sequence number produced in the second authentication process.
4. The method according to claim 2, characterized in that, when double authentication is used, step A4 comprises:
the two low-order bits of the PMK sequence number produced in the first authentication process are set equal to the two low-order bits of the authorization key, and the two low-order bits of the PMK sequence number produced in the second authentication process are set equal to the two high-order bits of the authorization key;
or,
the two low-order bits of the PMK sequence number produced in the first authentication process are set equal to the two high-order bits of the authorization key, and the two low-order bits of the PMK sequence number produced in the second authentication process are set equal to the two low-order bits of the authorization key.
5. The method according to claim 2, characterized in that, when the single authentication process is used, step A4 comprises:
the two low-order bits of the PMK sequence number are set equal to the two low-order bits of the authorization key;
or,
the two low-order bits of the PMK sequence number are set equal to the two high-order bits of the authorization key.
6. The method according to claim 4 or 5, characterized in that the two bits of the authorization key are its two high-order bits or its two low-order bits.
7. The method according to claim 2, characterized in that the information carried in the re-authentication start message comprises: a re-authentication indication and/or the identifier of the former authenticator.
8. A system for processing terminal security information in a wireless network, characterized in that it comprises:
an information-acquisition recognition unit, located in the new authenticator where the mobile terminal currently resides, which identifies whether the new authenticator has obtained the mobile terminal's security information and, once the corresponding security information has been obtained, triggers the security-information deletion control unit;
a security-information deletion control unit, located in the new authenticator where the mobile terminal currently resides, which, when triggered by the information-acquisition recognition unit, sends a notification message to the mobile terminal's former authenticator to delete the security information;
a security-information deletion processing unit, located in the former authenticator where the mobile terminal originally resided, which, after receiving the notification message sent by the security-information deletion control unit, controls the deletion of that mobile terminal's security information in the former authenticator.
9. The system according to claim 8, characterized in that the new authenticator is also communicatively connected to the gateway, in order to obtain the mobile terminal's security information from the gateway.
10. The system according to claim 8, characterized in that the new authenticator is also communicatively connected to the base station, in order to receive the re-authentication start message sent by the base station.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200610071347 CN101043333A (en) 2006-03-25 2006-03-25 Process method against terminal safety information of wireless network

Publications (1)

Publication Number Publication Date
CN101043333A true CN101043333A (en) 2007-09-26

Family

ID=38808568

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200610071347 Pending CN101043333A (en) 2006-03-25 2006-03-25 Process method against terminal safety information of wireless network

Country Status (1)

Country Link
CN (1) CN101043333A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102780991A (en) * 2011-05-13 2012-11-14 ZTE Corporation Roaming user data migration method and device
CN113032761A (en) * 2016-03-29 2021-06-25 Microsoft Technology Licensing LLC Securing remote authentication

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20070926