CN101060398A - A new safety group safety certificate generating method, communication method, and network system - Google Patents


Info

Publication number: CN101060398A
Authority: CN (China)
Prior art keywords: group, key, safe, new, security credence
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CNA200610075537XA
Other languages: Chinese (zh)
Inventor: 邱川峰
Current Assignee: Panasonic Holdings Corp (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Matsushita Electric Industrial Co Ltd
Application filed by Matsushita Electric Industrial Co Ltd
Priority to CNA200610075537XA (CN101060398A)
Priority to PCT/JP2007/058692 (WO2007123224A1)
Publication of CN101060398A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/083 Key transport or distribution involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L 9/0833 Key transport or distribution involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP], involving a conference or group key
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/065 Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications

Abstract

The disclosed security credential generation method for a new group comprises: when the original group changes, for example when a new member joins or a member leaves, the central service center is notified, finds the minimum set of existing keys covering the new group, generates the corresponding security credentials carrying the key of the new group, encrypts the credentials and sends them to all members of the new group. This invention reduces system load.

Description

Security credential production method, communication method and network system for a new secure group
Technical field
The present invention relates to a group communication (Group Communication) method, and in particular to a method and device for producing security credentials in dynamic group communication (Dynamic Group Communication).
Background technology
As communication services advance, the convenience of being unconstrained by distance has led to ever more services being built on group communication, for example video conferencing (Video Conference), Internet telephony (IP telephone) and chat rooms (Chat room). During group communication, guaranteeing the privacy of the communication is a key consideration. To establish secure group communication, the information exchanged within the group is usually protected with a secure group key. This secure group key is produced by a key distribution center (Key Distribution Center, hereinafter KDC) and sent to the group members.
A typical secure group communication system is shown in Figure 1. This system 1 comprises a KDC 11 and a plurality of group members A, B, C and D. Members A, B, C and D are connected to one another over the Internet 115. Referring to Figure 2, suppose for example that members A and B form one secure group and members C and D form another secure group. When members A, B, C and D are to form a new secure group with member A as the group initiator (also called the group leader), member A first sends a request to KDC 11 asking for a new secure group key (step 100). After KDC 11 receives this request, it produces, for each member A, B, C and D of the corresponding new secure group, a security credential T_A, T_B, T_C and T_D containing the group key k_ABCD (step 101). KDC 11 then encrypts the security credentials T_A, T_B, T_C and T_D with the existing corresponding keys k_A, k_B, k_C and k_D respectively and sends them to member A (step 102), and member A distributes them to the remaining members B, C and D (steps 103, 104, 105). Security credential T_A is decrypted by member A with key k_A, and the group key k_ABCD is stored at member A. Security credential T_B is decrypted by member B with key k_B and stored at member B. Likewise, security credential T_C is decrypted by member C with key k_C and stored at member C, and security credential T_D is decrypted by member D with key k_D and stored at member D. After the above steps, a new secure group comprising members A, B, C and D is formed.
From the above description it can be seen that when a group change occurs, for example when two existing groups are to form one new secure group, KDC 11 must produce, for each member A, B, C and D of the new secure group, a security credential T_A, T_B, T_C and T_D containing the key k_ABCD. In the example above, if the new secure group has 4 members (A, B, C and D), KDC 11 must produce 4 security credentials and encrypt each with the respective key k_A, k_B, k_C, k_D before sending them to members A, B, C and D. In other words, the larger the membership of the new secure group to be formed, the more security credentials KDC 11 has to produce, and the heavier the load (loading) on KDC 11 becomes.
The same problem also arises in the following kinds of group change, including but not limited to: when a new member wishes to join an existing secure group, or when a member of an existing secure group is to leave it. In each case KDC 11 must again produce a new security credential for every member of the new secure group. For KDC 11 this means not only a larger amount of computation but also a heavier load and lower efficiency.
Among existing proposals for producing and distributing group keys in group communication, U.S. Patent Publication No. US20050050004 describes joining a secure group by receiving the group key of a neighbouring wireless device. The problem with this proposal is that when the secure group has many members, every pair of members must share a key, so each wireless module must store a large number of secure keys: each member stores the key of every other member as well as the keys of all secure groups, which burdens the secure key storage of the member's wireless device.
U.S. Patent No. 6240188B1 discloses another group key management system and method. It provides secure many-to-many communication and uses a key tree to transmit and manage group keys. The problem with this proposal is that, because the tree is hierarchical, whenever a new secure group is to be formed the key tree must generate a fresh set of group keys, so the central server that produces group keys faces not only a larger amount of computation but also a correspondingly larger load.
U.S. Patent Publication No. US20050018853 also provides a method for updating the secure group key within a group. Its limitation is the same as that of the previous proposal: because it uses a hierarchical tree, when several groups are to form a new secure group the key tree must again generate a fresh set of group keys, so the central server producing the group keys faces not only a larger amount of computation but also a correspondingly larger load.
Summary of the invention
The object of the present invention is therefore to provide a system and method that, when a group change occurs, uses the keys already existing among the former groups to produce security credentials, thereby reducing the number of security credentials produced, the amount of computation at the KDC and the load on the KDC.
The security credential production method of the present invention for a new secure group is applied when a group change causes a plurality of existing secure groups to form a new secure group, where each existing secure group comprises at least one member and has its own exclusive group key. On receiving a group change notification, the method comprises the following steps. First, a new secure group key is produced according to the group change notification. Then, among the existing secure groups, the combination that can form the new secure group with the minimum number of groups is found, and a number of security credentials equal to that number of groups is produced according to this combination, each security credential carrying the new secure group key. Finally, the security credentials are encrypted with the corresponding existing group keys to produce a plurality of encrypted messages.
The present invention also provides a computer-readable recording medium that can be placed in a computing device so that a computer reads it and performs the following steps. First, a new secure group key is produced according to a received group change notification. Then, according to the established keys, the minimum number of security credentials able to cover all group members of the new secure group is produced, each security credential carrying the new secure group key. Finally, a plurality of encrypted messages, each carrying a security credential encrypted with the corresponding key, are output so that all members of the new secure group can securely update to the new secure group key.
The present invention further provides a secure group network system built on the Internet, comprising at least one secure group and a central key distribution center. When a group change occurs to form a new secure group, a group change notification is sent to the central key distribution center, which generates a new secure group key covering all new group members of the new secure group; it then produces the minimum number of security credentials able to cover all group members of the new secure group, each carrying the new secure group key; finally, it transmits a plurality of encrypted messages, each carrying a security credential encrypted with the corresponding key, so that all members of the new secure group can securely update to the new secure group key.
Description of drawings
Fig. 1 is a system block diagram illustrating a conventional secure group communication system architecture;
Fig. 2 is a flow chart of the steps performed by the system when a conventional group change occurs;
Fig. 3 is a system block diagram illustrating the secure group communication system architecture of the preferred embodiment of the present invention;
Fig. 4 is a block diagram of the central distribution server apparatus in the preferred embodiment of the present invention;
Fig. 5 is a block diagram of the communication apparatus in the preferred embodiment of the present invention;
Fig. 6 is a flow chart of the steps of the first preferred embodiment of the present invention;
Fig. 7 is a flow chart of the detailed sub-steps of step 403 in Fig. 6;
Fig. 8 is a flow chart of the steps of the second preferred embodiment of the present invention;
Fig. 9 is a flow chart of the steps of the third preferred embodiment of the present invention;
Fig. 10 is a flow chart of the steps of the fourth preferred embodiment of the present invention;
Fig. 11 is a schematic diagram illustrating the data display state of the first preferred embodiment of the present invention;
Fig. 12 is a schematic diagram illustrating the data display state of the second preferred embodiment of the present invention;
Fig. 13 is a schematic diagram illustrating the data display state of the third preferred embodiment of the present invention; and
Fig. 14 is a schematic diagram illustrating the data display state of the fourth preferred embodiment of the present invention.
Embodiment
The foregoing and other technical content, features and effects of the present invention will become clear from the following detailed description of the preferred embodiments, read together with the accompanying drawings.
Before the present invention is described in detail, it should be noted that in the following description similar components are denoted by the same reference numerals.
First preferred embodiment:
As shown in Figure 3, in the first preferred embodiment of the present invention the architecture of the secure group network system 8 comprises a key distribution center (hereinafter KDC) 80 and a plurality of group members A, B, C and D. Members A, B, C and D are connected to one another over the Internet 115.
Here a secure group means either a single member (for example member A) that shares a key with KDC 80, or a plurality of members that hold a secure group key and can communicate securely with one another.
As shown in Figure 4, KDC 80 comprises a central distribution server apparatus 110, which is communicatively connected to the Internet 115 (see Figure 3). The central distribution server apparatus 110 comprises a security unit 200 for performing encryption and decryption, a key database 203 for storing keys, a key generation unit 204 for producing new secure group keys, a security credential generation unit 202 for producing security credentials, and a processing unit 201 that controls the operation of the above units. These units may, for example, be software or programs stored on a computer-readable medium which, when read and executed by a known computer, carry out the secure group key update method of producing security credentials according to the present invention. Suitable computer-readable media include but are not limited to optical discs, floppy disks, hard disks and computer memory. The interaction between the units is described further below together with the execution steps.
Each of the group members A, B, C and D in Figure 3 comprises a communication apparatus 30 with computing capability (see Figure 5). The internal architecture of each communication apparatus 30 comprises a security unit 300, a key database 303 and a processing unit 301; the interaction between these units is described further below together with the execution steps.
Referring to Figures 4, 5 and 6, at this point members A and B form one secure group, and members C and D belong to another secure group. The key database 203 of KDC 11 therefore stores the corresponding keys K_A, K_B, K_C, K_D, K_AB and K_CD. When one of these secure groups is to join the other, that is, when members A, B, C and D are to form a new secure group, members C and D first send join information to the group initiator (member A in this embodiment; step 400) to notify it that members C and D wish to join. KDC 11 then receives a group initiation request sent by the group initiator, member A (step 401), which notifies KDC 11 that a new secure group comprising members A, B, C and D is to be formed.
The group initiation request contains a member list (not shown) of all members of the new secure group; in this embodiment it comprises members A, B, C and D. After KDC 11 receives the group initiation request, processing unit 201 causes key generation unit 204 to produce a new secure group key K_ABCD covering all members in the member list.
Step 403 then finds the minimum number of secure keys that together cover all group members of the new secure group. More specifically, processing unit 201 uses the secure groups already established in the group member data (in this embodiment two secure groups: one comprising members A and B, and one comprising members C and D) to look up, in key database 203, the minimum number of keys, K_AB and K_CD, that can protect all members A, B, C and D of the new secure group.
Referring to Figure 7, step 403 comprises the following detailed steps. First, in step 4030, the established secure group keys are looked up in key database 203. In this embodiment the established secure groups consist of members A and B, and members C and D, so step 4030 finds the corresponding secure group keys K_AB and K_CD in key database 203. Then, in step 4031, the secure group keys found are sorted by the number of members each key covers, so that the minimum number of group keys can be selected. In this embodiment both keys cover the same number of members, so after sorting the order is still K_AB followed by K_CD.
Next, the data of the selected secure group keys is queried in key database 203, and it is judged whether all members of the new secure group have been selected (steps 4032, 4033). If so, the subsequent steps continue. If not, another member that does not yet belong to a selected secure group is looked up (step 4034), and steps 4032 to 4034 are repeated until all members have been selected. In this embodiment, the selected secure group key data K_AB and K_CD are queried in step 4032, and step 4033 judges that all members A, B, C and D of the new secure group have been selected, so subsequent step 404 is carried out and step 4034 is not executed again.
Returning to Figure 6, after all keys have been found, step 404 produces a number of security credentials equal to the number of keys, each containing the new secure group key. More specifically, once step 403 has found the minimum number of keys K_AB and K_CD for the new secure group A, B, C, D, processing unit 201 passes the new secure key K_ABCD produced by key generation unit 204 to security credential generation unit 202, which produces two corresponding security credentials T_AB and T_CD with the new secure group key K_ABCD embedded in them. Finally, processing unit 201 takes the corresponding keys K_AB and K_CD from key database 203; security credentials T_AB and T_CD are encrypted by security unit 200 with the corresponding keys K_AB and K_CD respectively to form encrypted messages K_AB(T_AB) and K_CD(T_CD), which are sent over the Internet 115 to member A (step 405), thereby securely delivering the new secure group key K_ABCD to member A. At the same time, KDC 11 can display the credentials produced, together with their corresponding group members, as electronic data (as shown in Figure 11) on any device or medium capable of presenting data, for example an electronic display or an electronic storage device that records data.
When member A receives encrypted messages K_AB(T_AB) and K_CD(T_CD), step 406 follows: member A decrypts K_AB(T_AB) with its stored key K_AB, takes the new secure group key K_ABCD out of security credential T_AB, and stores K_ABCD. More specifically, after member A receives encrypted message K_AB(T_AB), the security unit 300 of communication apparatus 30 decrypts it with the corresponding key K_AB taken from key database 303 and extracts the new secure group key K_ABCD, which processing unit 201 then stores in key database 203.
In step 407, member A, as group initiator, forwards encrypted message K_AB(T_AB) to member B, and forwards encrypted message K_CD(T_CD) to members C and D (steps 408 and 409).
After member B decrypts with key K_AB, it takes the new secure group key K_ABCD out of security credential T_AB and stores it (step 410). Likewise, after members C and D receive the encrypted message containing security credential T_CD, they decrypt it with the corresponding key K_CD, take out the new secure group key K_ABCD and store it (steps 411 and 412). The actual procedure is the same as in step 406 and is not repeated here.
Finally, in step 413, member D sends a confirmation to member A (the group initiator) to inform it that all members have received the new secure group key K_ABCD. Members A, B, C and D of the new secure group have thus completed the procedure of securely updating to the new secure group key K_ABCD and can proceed with secure group communication.
From the above description, the present invention protects all members of the secure group with the minimum number of existing secure group keys K_AB and K_CD, and correspondingly produces the minimum number of credentials T_AB and T_CD. Compared with the conventional technique of producing a security credential (T_A, T_B, T_C, T_D) for each member with its own key (k_A, k_B, k_C, k_D), this significantly reduces the amount of computation at KDC 11, and the superior operating efficiency of the present invention is even more pronounced when the group has a large number of members.
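As an added illustration (not the patent's own code; the applicant specifies neither a cipher nor a credential format), the following Python sketch implements the KDC side of steps 401 to 405 and the member side of steps 406 and 410 to 412: a key database mapping each existing key to the members it covers, the search of steps 4030 to 4034 for the fewest existing keys that exactly partition the new group, the security credential T carrying the new group key, and its encryption K(T) under each selected key. It assumes single-letter member names and uses an HMAC-SHA256 encrypt-then-MAC construction as a stand-in for a real AEAD; the same selection function also covers the join and leave cases of the second to fourth embodiments.

```python
import hashlib
import hmac
import os
from typing import Dict, FrozenSet, List, Tuple

# Key database entry: the member set a key is shared with, and the key bytes.
# Stands in for key database 203 at the KDC (assumption: members are single
# letters, so the group name "AB" denotes the member set {A, B}).
KeyDB = Dict[str, Tuple[FrozenSet[str], bytes]]


def make_key_db(groups: List[str]) -> KeyDB:
    """Constructed sample database: one fresh random key per group name."""
    return {name: (frozenset(name), os.urandom(32)) for name in groups}


def select_minimum_keys(key_db: KeyDB, new_members: str) -> List[str]:
    """Steps 4030-4034: pick the fewest existing keys whose member sets
    partition the new group. Greedy, largest group first. Because every
    member also holds an individual key, a partition always exists; the
    greedy choice is exact when the existing groups are nested, as in the
    patent's examples, and only a heuristic for overlapping groups."""
    target = frozenset(new_members)
    candidates = [n for n, (members, _) in key_db.items() if members <= target]
    candidates.sort(key=lambda n: (-len(key_db[n][0]), n))
    chosen: List[str] = []
    covered: set = set()
    for name in candidates:
        members = key_db[name][0]
        if members.isdisjoint(covered):          # step 4034: only uncovered members
            chosen.append(name)
            covered |= members
            if covered == target:                # step 4033: everyone selected
                break
    if covered != target:
        raise ValueError(f"no existing keys cover members {sorted(target - covered)}")
    return chosen


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one stored key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a real stream cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def wrap(key: bytes, credential: bytes) -> bytes:
    """Encrypted message K(T) = nonce || ciphertext || tag (encrypt-then-MAC,
    so a modified credential is rejected before any key is stored)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(credential, _keystream(enc_key, nonce, len(credential))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unwrap(key: bytes, message: bytes) -> bytes:
    """Recover T from K(T); raises ValueError if the tag does not verify."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("credential failed integrity check")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


def make_credential(group_name: str, group_key: bytes) -> bytes:
    """Security credential T: length-prefixed group name plus the new group key."""
    name = group_name.encode()
    return bytes([len(name)]) + name + group_key


def parse_credential(credential: bytes) -> Tuple[str, bytes]:
    name_len = credential[0]
    return credential[1:1 + name_len].decode(), credential[1 + name_len:]


def kdc_on_group_change(key_db: KeyDB, new_members: str) -> Tuple[bytes, Dict[str, bytes]]:
    """KDC side (steps 401-405): new group key, minimum key selection, one
    credential per selected key, each encrypted under that key.
    Returns the new group key and {existing key name: K(T)}."""
    group_name = "".join(sorted(new_members))
    group_key = os.urandom(32)
    credential = make_credential(group_name, group_key)
    messages = {name: wrap(key_db[name][1], credential)
                for name in select_minimum_keys(key_db, new_members)}
    key_db[group_name] = (frozenset(group_name), group_key)   # KDC retains it too
    return group_key, messages


def member_receive(member_db: KeyDB, key_name: str, message: bytes) -> bytes:
    """Member side (steps 406, 410-412): decrypt with the existing key this
    member holds, store the new group key and return it."""
    group_name, group_key = parse_credential(unwrap(member_db[key_name][1], message))
    member_db[group_name] = (frozenset(group_name), group_key)
    return group_key


def credential_is_valid(key: bytes, message: bytes) -> bool:
    """True if K(T) decrypts and verifies under key (shows tamper rejection)."""
    try:
        unwrap(key, message)
        return True
    except ValueError:
        return False
```

For the first embodiment the KDC emits two messages, K_AB(T_AB) and K_CD(T_CD), instead of four; the test below also checks the join (E) and leave (B or A) cases of the later embodiments.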
Second preferred embodiment:
In the second preferred embodiment of the present invention, the architecture of the secure group network system 1 is the same as in Figure 3, and the internal architecture of KDC 11 and of the communication apparatus 30 of each member is the same as in the first preferred embodiment, so it is not repeated here. The main difference between this embodiment and the first preferred embodiment is that the secure group now comprises members A, B, C and D, and the process describes the steps performed when a new member E is to join this secure group.
Referring to Figure 8, in this preferred embodiment members A, B, C and D already form a secure group. When new member E is to join, member E first sends a join request (Join Request) to the group initiator, member A in this example (step 501). On receiving the join request, member A forwards a group initiation request to KDC 11 to inform it that members A, B, C, D and E are to form a new secure group (step 502). On receiving the group initiation request, KDC 11 first produces a new secure group key K_ABCDE covering all members in the member list (step 503), and then, according to the current secure group data (members A, B, C, D), finds the minimum number of keys that can protect all members A, B, C, D and E of the new secure group, which in this embodiment are K_ABCD and K_E (step 504). The method of finding the minimum number of keys K_ABCD and K_E is the same as steps 4030 to 4034 of the first preferred embodiment and is not repeated here.
Next, the new secure group key K_ABCDE is embedded in the corresponding security credentials T_ABCD and T_E (step 505). Finally, the two security credentials T_ABCD and T_E are encrypted with the corresponding keys K_ABCD and K_E to form encrypted messages K_ABCD(T_ABCD) and K_E(T_E), which are sent to member A (step 506). At the same time, KDC 11 can display the credentials produced, together with their corresponding group members, on any device or medium capable of presenting data, for example an electronic display or an electronic storage device that records data, as shown in Figure 12.
Because members A, B, C and D already form a secure group, each of them stores key K_ABCD. When member A receives encrypted message K_ABCD(T_ABCD), it first decrypts it with key K_ABCD, then takes the new secure group key K_ABCDE out of security credential T_ABCD and stores it at member A (step 507). Member A then distributes the encrypted message K_ABCD(T_ABCD) containing security credential T_ABCD to members B, C and D (steps 508, 509 and 510); members B, C and D likewise decrypt K_ABCD(T_ABCD) with key K_ABCD, take the new secure group key K_ABCDE out of security credential T_ABCD and store it (steps 511, 512 and 513). Step 511 also delivers encrypted message K_E(T_E) to member E; on receiving K_E(T_E), member E decrypts it with its stored key K_E, takes key K_ABCDE out of security credential T_E and stores it (step 514).
At this point members A, B, C, D and E all hold key K_ABCDE. In step 515, member E sends a confirmation to member A (because member A is the group initiator) to inform member A that the last member has obtained the new secure group key K_ABCDE. Once member A receives this confirmation, the procedure of securely updating the secure group key is complete, and all members of the new secure group can begin secure communication.
Third embodiment:
In the third preferred embodiment of the present invention, the architecture of the secure group network system 1 is the same as in Figure 3, and the internal architecture of KDC 11 and of the communication apparatus 30 of each member is the same as in the first preferred embodiment. Members A and B originally belong to one secure group, members C and D belong to another secure group, and members A, B, C and D as a whole belong to a further secure group. This embodiment describes the steps performed when a member that is not the group initiator (member B in this embodiment) is to leave the former secure group.
Referring to Figure 9, in this preferred embodiment members A, B, C and D already form a secure group. When member B is to leave, member B first sends a leave request (Leave Request) to member A (step 601). On receiving the leave request, member A forwards a group initiation request to KDC 11 to notify it that a new secure group is to be formed (step 602). On receiving the group initiation request, KDC 11 first produces a new secure group key K_ACD (step 603), and then, according to the secure group members A, C and D to be formed, searches the established secure group keys using the procedure of steps 4030 to 4033 described above (see Figure 7) to find the minimum number of keys covering the new secure group of members A, C and D, which in this embodiment are K_A and K_CD (step 604). The new secure group key K_ACD is embedded in the two security credentials T_A and T_CD (step 605), and these two security credentials T_A and T_CD are encrypted with the corresponding keys K_A and K_CD to form encrypted messages K_A(T_A) and K_CD(T_CD), which are sent to member A (step 606). At the same time, KDC 11 can display the credentials produced, together with their corresponding group members, on any device or medium capable of presenting data, for example an electronic display or an electronic storage device that records data, as shown in Figure 13.
In step 607, when member A receives encrypted messages K_A(T_A) and K_CD(T_CD), it decrypts K_A(T_A) with its stored key K_A, takes the new secure group key K_ACD out of security credential T_A and stores it.
Then, in steps 608 and 609, member A distributes encrypted message K_CD(T_CD) to members C and D respectively. When members C and D receive encrypted message K_CD(T_CD), they decrypt it with the corresponding key K_CD, take the new secure group key K_ACD out of security credential T_CD and store it (see steps 610 and 611).
After the last member D of the new secure group has obtained and stored the new secure group key K_ACD, it sends a confirmation to member A (because member A is the group initiator) to inform member A that the last member has received the new secure group key (step 612). Once member A receives this confirmation, the procedure of securely updating the secure group key is complete, and all members of the new secure group can begin secure communication.
The 4th embodiment:
In the fourth preferred embodiment of the present invention, the architecture of the secure group network system 1 is the same as that of Fig. 3, and the internal architecture of the KDC 11 and of the communication device 30 of each member is the same as in the first preferred embodiment. Members A and B originally belong to one secure group, members C and D to another secure group, and members A, B, C and D together form a further secure group. This embodiment illustrates the group-change procedure performed when the group originator (member A in this embodiment) leaves the original secure group.
Referring to Fig. 10, when member A is to leave the original secure group, it first sends a Leave Request to the KDC 11 in step 701, notifying the KDC 11 that it is leaving the original secure group and designating a new group originator. Besides the instruction to generate a new secure group key, this Leave Request therefore carries data designating the new group originator; in this preferred embodiment the designated new group originator is member B. In step 702 the KDC 11 generates the new secure group key K_bcd according to that instruction. Then, following the flow of steps 4030 to 4033 described above (see Fig. 7), it searches the existing secure group keys for the keys that cover the new secure group members B, C and D with the minimum number of security tickets, which in this embodiment are K_b and K_cd (step 703), and generates the corresponding security tickets T_b and T_cd, each containing the new secure group key K_bcd (step 704). These two security tickets T_b and T_cd are encrypted with the corresponding keys K_b and K_cd to form the encrypted messages K_b(T_b) and K_cd(T_cd), which are sent to member B (step 705). At the same time, the KDC 11 may present the generated tickets together with the group members each of them covers on any device or medium capable of representing data, for example an electronic display unit or an electronic storage device that records the data, as shown in Fig. 14.
In step 706, after member B receives the encrypted messages K_b(T_b) and K_cd(T_cd), it decrypts the message K_b(T_b) with its stored key K_b, extracts the new secure group key K_bcd from the security ticket T_b and stores it, and forwards the encrypted message K_cd(T_cd) to member C and member D respectively (see steps 707 and 708). When members C and D receive the encrypted message K_cd(T_cd), each decrypts the security ticket T_cd with its stored key K_cd, extracts the new secure group key K_bcd from T_cd and stores it (steps 709 and 710).
Once member D has obtained the new secure group key K_bcd, it returns a confirmation to member B (member B being the new group originator) to inform member B that the last member has received the new secure group key (see step 711). When member B receives this confirmation, the secure update of the new secure group key is complete and all members can begin secure communication within the new secure group.
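The leave procedure above (steps 701 to 711), with the cover selection formalized in claim 6, as an added worked example in Python. This is not code from the patent or from Panasonic; the key names K_a to K_d, K_ab, K_cd and K_abcd, the ticket layout (group label, a separator, then the new key) and the cipher (an HMAC-SHA256 keystream with encrypt-then-MAC, standing in for a real AEAD such as AES-GCM) are assumptions made for the illustration. It shows the point the embodiment leaves implicit: K_abcd would cover B, C and D with a single ticket, but it is also held by the departing A, so only group keys whose every holder is in the new group may be used, which is why the KDC ends up with K_b and K_cd.

```python
"""Added example (not the patent's own code): one round of the key update in
the fourth embodiment. A leaves the group {A,B,C,D}, B becomes the originator,
and the KDC must hand K_bcd to B, C and D with as few tickets as possible
while giving A nothing it can open. Key names, the ticket wire format and the
cipher construction are assumptions made for this illustration."""
import hashlib
import hmac
import secrets

MEMBERS = "ABCD"


def _subkeys(key):
    # Derive independent encryption and MAC keys from one stored key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256 (illustration only; a real
    # deployment would use an AEAD such as AES-GCM with the same key layout).
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    """Return the plaintext, or None when the tag fails (wrong key or tampering)."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


def select_cover(new_members, group_keys, member_keys):
    """Greedy cover of claim 6: largest usable existing groups first, then the
    individual keys of whoever is still uncovered. A group key is usable only if
    every holder of it belongs to the new group; K_abcd covers B, C and D but is
    also held by the departing A, so it must not be used."""
    new = frozenset(new_members)
    usable = sorted((g for g in group_keys if g <= new), key=len, reverse=True)
    cover, covered = [], set()
    for g in usable:
        if covered >= new:
            break
        if not g <= covered:          # skip groups that add no new member
            cover.append((g, group_keys[g]))
            covered |= g
    for m in sorted(new - covered):
        cover.append((frozenset(m), member_keys[m]))
    return cover


def kdc_issue(new_members, group_keys, member_keys):
    """KDC side (steps 702 to 705): new key, minimal cover, one encrypted ticket per cover key."""
    new_key = secrets.token_bytes(32)
    ticket = "".join(sorted(new_members)).encode() + b"|" + new_key   # assumed ticket layout
    cover = select_cover(new_members, group_keys, member_keys)
    return new_key, [(g, encrypt(k, ticket)) for g, k in cover]


def member_open(holdings, envelopes):
    """Member side (steps 706 to 710): open the one ticket whose key this member holds."""
    for g, blob in envelopes:
        if g in holdings:
            plaintext = decrypt(holdings[g], blob)
            if plaintext is not None:
                return plaintext.split(b"|", 1)[1]
    return None


def run_leave_example():
    """A leaves {A,B,C,D}; returns (cover labels, who recovered K_bcd, K_bcd)."""
    member_keys = {m: secrets.token_bytes(32) for m in MEMBERS}      # K_a .. K_d
    group_keys = {frozenset("AB"): secrets.token_bytes(32),          # K_ab
                  frozenset("CD"): secrets.token_bytes(32),          # K_cd
                  frozenset("ABCD"): secrets.token_bytes(32)}        # K_abcd
    # Each member holds its own key plus the key of every group it belongs to.
    holdings = {m: {frozenset(m): member_keys[m],
                    **{g: k for g, k in group_keys.items() if m in g}} for m in MEMBERS}
    new_key, envelopes = kdc_issue("BCD", group_keys, member_keys)
    # B opens K_b(T_b) and relays K_cd(T_cd) to C and D (steps 706 to 708); letting
    # every member see the whole list is equivalent, since only key possession matters.
    recovered = {m: member_open(holdings[m], envelopes) == new_key for m in MEMBERS}
    labels = sorted("".join(sorted(g)) for g, _ in envelopes)
    return labels, recovered, new_key


if __name__ == "__main__":
    print(run_leave_example()[:2])
```

Two caveats a practitioner should keep in mind. The largest-first order of claim 6 is exact here because the existing groups nest or are disjoint; for arbitrary overlapping groups a greedy pass yields a valid cover but is not guaranteed to reach the true minimum (minimum set cover is NP-hard in general). And the new group key is only as secret as the existing keys that wrap the tickets: anyone who later recovers K_cd can decrypt the recorded K_cd(T_cd) and obtain K_bcd, so the wrapping keys deserve the same protection as the key they deliver.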
To summarize, with the method of the present invention the secure keys of all members are stored in the KDC 11, and each member stores only its secure group key and its individual key, so the method imposes no additional key-storage burden on the member's wireless device. Moreover, by using the existing secure group keys to find the minimum number of security tickets that cover all members of the new secure group, the method, compared with the conventional approach of producing a security ticket for every member of the new secure group, reduces the number of tickets that must be produced and the computation performed by the KDC 11, thereby lowering the load on the KDC 11 and improving the efficiency of securely updating the new secure group key.
The invention has been described above in conjunction with the preferred embodiments. It should be understood that those skilled in the art can make various other changes, substitutions and additions without departing from the spirit and scope of the present invention. Therefore the scope of the present invention is not limited to the specific embodiments described above but should be defined by the appended claims.

Claims (31)

1. A method of generating security tickets for a new secure group, applied when a plurality of existing secure groups change so as to form a new secure group, each existing secure group comprising at least one member and having its own corresponding group key; upon receipt of a group change notification the method comprises the following steps:
(A) generating a new secure group key according to the received group change notification;
(B) finding, among the existing secure groups, the combination of the minimum number of groups that can form the new secure group, and generating a number of security tickets corresponding to that number of groups according to this combination, wherein each of the security tickets carries the new secure group key; and
(C) encrypting the plurality of security tickets with the corresponding existing group keys to produce a plurality of encrypted messages.
2. The method of generating security tickets for a new secure group according to claim 1, wherein in step (A) the group change notification is sent by a group originator, being a member of one of the existing secure groups, and carries a group initiation request message containing a member list of the new secure group, so that the new secure group key covering all members in the member list is generated according to that member list.
3. The method of generating security tickets for a new secure group according to claim 2, wherein before the group initiation request message of step (A) is sent, the method further comprises receiving, at the group originator, a group join request message sent by a member wishing to join.
4. The method of generating security tickets for a new secure group according to claim 2, wherein before the group initiation request message of step (A) is sent, the method further comprises receiving, at the group originator, a group leave request message sent by a member wishing to leave the original secure group.
5. The method of generating security tickets for a new secure group according to claim 2, wherein in step (A) the group change notification further comprises new group originator designation information for designating a new group originator.
6. The method of generating security tickets for a new secure group according to claim 1, wherein in step (B) the generation of the minimum number of security tickets covering all group members of the new secure group comprises the following sub-steps:
(B1) looking up the existing secure group keys;
(B2) sorting them by the number of members covered by each secure group key, from most to fewest;
(B3) judging whether all members of the new secure group are covered; if so, generating the corresponding security tickets, and if not, executing step (B4); and
(B4) looking up the individual keys of the members not covered by any secure group, and returning to step (B3).
7. The method of generating security tickets for a new secure group according to claim 1, wherein the secure group comprises a group originator, and in step (C) the plurality of encrypted messages is first sent to the group originator and then distributed by the group originator to the remaining corresponding members of the new secure group, who obtain the new secure group key after decrypting with their corresponding keys.
8. A secure group communication method that uses already established keys to produce security tickets, applicable in a network having at least one secure group with a plurality of members, the method comprising the following steps:
(A) when a group change occurs in the secure group, sending a group change notification so that a new secure group key covering all group members of the new secure group is generated;
(B) generating, according to the established keys, the minimum number of security tickets that cover all group members of the new secure group, wherein each of the security tickets carries the new secure group key; and
(C) sending the plurality of encrypted messages, consisting of the security tickets encrypted with the corresponding keys, to all members of the new secure group, so that the new secure group key update procedure is carried out securely.
9. The secure group communication method using established keys to produce security tickets according to claim 8, wherein any one of the plurality of members is a group originator, and in step (A) the group change notification comprises a group initiation request message with the member list of the new secure group, sent by the group originator, so that the new secure group key covering all members in the member list is generated according to that member list.
10. The secure group communication method using established keys to produce security tickets according to claim 9, wherein before the group initiation request message of step (A) is sent, the method further comprises receiving, at the group originator, a group join request message sent by a member wishing to join.
11. The secure group communication method using established keys to produce security tickets according to claim 9, wherein before the group initiation request message of step (A) is sent, the method further comprises receiving, at the group originator, a group leave request message sent by a member wishing to leave the original secure group.
12. The secure group communication method using established keys to produce security tickets according to claim 9, wherein in step (A) the group change notification further comprises new group originator designation information for designating a new group originator.
13. The secure group communication method using established keys to produce security tickets according to claim 8, wherein in step (B) the generation of the minimum number of security tickets covering all group members of the new secure group comprises the following sub-steps:
(B1) looking up the established secure group keys;
(B2) sorting them by the number of members covered by each secure group key, from most to fewest;
(B3) judging whether all members of the new secure group are covered; if so, generating the corresponding security tickets, and if not, executing step (B4); and
(B4) looking up the individual keys of the members not covered by any secure group, and returning to step (B3).
14. The secure group communication method using established keys to produce security tickets according to claim 8, wherein the secure group comprises a group originator, and in step (C) the procedure for updating the new secure group key comprises: first sending the plurality of encrypted messages to the group originator, then distributing them from the group originator to the corresponding remaining members of the new secure group, who obtain the new secure group key after decrypting with their corresponding keys.
15. A computing device having a recording medium, which uses already established keys to produce security tickets so as to secure group communication, the device performing the following steps:
(A) generating a new secure group key according to a received group change notification;
(B) generating, according to the established keys, the minimum number of security tickets that cover all group members of the new secure group, wherein each of the security tickets carries the new secure group key; and
(C) outputting a plurality of encrypted messages consisting of the security tickets encrypted with the corresponding keys.
16. The computing device having a recording medium according to claim 15, wherein in step (A) the group change notification comprises a group initiation request message with the member list of the new secure group, so that the new secure group key covering all members in the member list is generated according to that member list.
17. The computing device having a recording medium according to claim 15, wherein in step (B) the generation of the minimum number of security tickets covering all group members of the new secure group comprises the following sub-steps:
(B1) looking up the established secure group keys;
(B2) sorting them by the number of members covered by each secure group key, from most to fewest;
(B3) judging whether all members of the new secure group are covered; if so, generating the corresponding security tickets, and if not, executing step (B4); and
(B4) looking up the individual keys of the members not covered by any secure group, and returning to step (B3).
18. The computing device having a recording medium according to claim 15, wherein the minimum number of security tickets covering all group members of the new secure group generated in step (B), together with the group members each of them covers, is presented as electronic data on an electronic display unit capable of displaying any data.
19. The computing device having a recording medium according to claim 15, wherein the minimum number of security tickets covering all group members of the new secure group generated in step (B), together with the group members each of them covers, is stored as electronic data in an electronic storage medium.
20. A server device included in a secure group network system and network-connected to each secure group, the server device comprising:
a key database for storing keys;
a key generation unit for generating a new secure group key;
a security ticket generation unit for generating security tickets; and
a processing unit for controlling the operation of the above units;
wherein the processing unit receives a group change notification and causes the key generation unit to generate a new secure group key, then finds in the key database the minimum number of secure keys that cover all group members of the new secure group and passes those secure keys to the security ticket generation unit for use in the corresponding security tickets.
21. The server device according to claim 20, further comprising a security unit for encrypting the security tickets with the corresponding keys before sending them out.
22. The server device according to claim 20, wherein the group change notification comprises a group initiation request message with the member list of the new secure group, for causing the key generation unit to generate the new secure group key covering all members in the member list according to that member list.
23. A secure group network system built in an Internet environment, comprising:
at least one secure group network-connected to the Internet; and
a central key distribution center network-connected to the Internet and holding the group key of the secure group;
wherein, when a group change occurs in the secure group and a new secure group is to be formed, the secure group sends a group change notification to the central key distribution center, causing the central key distribution center to generate a new secure group key covering all new group members of the new secure group, then to generate, according to the established keys, the minimum number of security tickets that cover all group members of the new secure group, each security ticket carrying the new secure group key, and finally to send the plurality of encrypted messages, consisting of the security tickets encrypted with the corresponding keys, to all members of the new secure group, so that the new secure group key update is carried out securely.
24. The secure group network system according to claim 23, wherein the group change is another secure group joining the secure group.
25. The secure group network system according to claim 23, wherein the group change is at least one member joining the secure group.
26. The secure group network system according to claim 23, wherein the group change is at least one member leaving the secure group.
27. The secure group network system according to claim 23, wherein the secure group has a group originator for sending the group change notification, and the group change notification comprises a group initiation request message with the member list of the new secure group, sent by the group originator.
28. The secure group network system according to claim 27, wherein before the group initiation request message is sent, the group change notification further comprises a group join request message sent by the member wishing to join to the group originator.
29. The secure group network system according to claim 27, wherein before the group initiation request message is sent, the group change further comprises a group leave request message sent by the member wishing to leave to the group originator.
30. The secure group network system according to claim 29, wherein the member wishing to leave is the group originator.
31. The secure group network system according to claim 27, wherein the group change notification further comprises new group originator designation information for designating a new group originator.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CNA200610075537XA CN101060398A (en) 2006-04-20 2006-04-20 A new safety group safety certificate generating method, communication method, and network system
PCT/JP2007/058692 WO2007123224A1 (en) 2006-04-20 2007-04-17 Method of generating secure tickets for a new secure group, method of secure group communication, computing device having a recording medium, and network system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA200610075537XA CN101060398A (en) 2006-04-20 2006-04-20 A new safety group safety certificate generating method, communication method, and network system

Publications (1)

Publication Number Publication Date
CN101060398A true CN101060398A (en) 2007-10-24

Family

ID=38222484

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA200610075537XA Pending CN101060398A (en) 2006-04-20 2006-04-20 A new safety group safety certificate generating method, communication method, and network system

Country Status (2)

Country Link
CN (1) CN101060398A (en)
WO (1) WO2007123224A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103582157A (en) * 2012-07-18 2014-02-12 电信科学技术研究院 Parameter notification method, equipment and system
CN112422282A (en) * 2020-11-18 2021-02-26 中国电子科技集团公司第三十研究所 Centralized efficient group session key management method
CN113411540A (en) * 2021-06-21 2021-09-17 随锐科技集团股份有限公司 Control method and system for participants of video conference

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9584493B1 (en) * 2015-12-18 2017-02-28 Wickr Inc. Decentralized authoritative messaging
DE102016222523A1 (en) * 2016-11-16 2018-05-17 Siemens Aktiengesellschaft Method and device for transmitting data in a topic-based publish-subscribe system
DE102017102142A1 (en) 2017-02-03 2018-08-09 Insta Gmbh Method for the secure provision of a cryptographic key

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7065643B1 (en) * 2000-03-28 2006-06-20 Motorola, Inc. Network compromise recovery methods and apparatus
US7039803B2 (en) * 2001-01-26 2006-05-02 International Business Machines Corporation Method for broadcast encryption and key revocation of stateless receivers
US7949135B2 (en) * 2004-11-16 2011-05-24 Telefonaktiebolaget Lm Ericsson (Publ) Key distribution in systems for selective access to information

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103582157A (en) * 2012-07-18 2014-02-12 电信科学技术研究院 Parameter notification method, equipment and system
CN112422282A (en) * 2020-11-18 2021-02-26 中国电子科技集团公司第三十研究所 Centralized efficient group session key management method
CN112422282B (en) * 2020-11-18 2022-03-18 中国电子科技集团公司第三十研究所 Centralized efficient group session key management method
CN113411540A (en) * 2021-06-21 2021-09-17 随锐科技集团股份有限公司 Control method and system for participants of video conference
CN113411540B (en) * 2021-06-21 2023-01-31 随锐科技集团股份有限公司 Control method and system for participants of video conference

Also Published As

Publication number Publication date
WO2007123224A1 (en) 2007-11-01

Similar Documents

Publication Publication Date Title
CN101060398A (en) A new safety group safety certificate generating method, communication method, and network system
US10999261B1 (en) Message-based database replication
CN102045189B (en) Network management system and method
CN112307501B (en) Big data system based on block chain technology, storage method and using method
WO2010139167A1 (en) Expert support application system platform for government affair and business affair decision-making and its construction method
CN101043326A (en) Dynamic information encrypting system and method
CN108776758B (en) Block-level data deduplication method supporting dynamic ownership management in fog storage
CN112835977B (en) Database management method and system based on block chain
CN113094334B (en) Digital service method, device, equipment and storage medium based on distributed storage
CN1486014A (en) Method for safe data transmission based on public cipher key architecture and apparatus thereof
CN114153374A (en) Distributed storage system for storing metadata and data together
CN117149884B (en) Data processing transaction method
CN1291566C (en) Digital medium delivering method based on IP network
CN1992714A (en) Authority principal method based on trusted computing platform
CN1870512A (en) Method for implementing information management and device for implementing event route
CN1932810A (en) Method for storing and sharing data utilizing encrypted technology
CN1285195C (en) Method for creating a virtual private network through a public network
CN1652078A (en) Method for implementing remote-call by application program interface system on database
CN1320798C (en) Cipher key creating and distributing method and the computer network system therewith
CN111682934B (en) Method and system for storing, accessing and sharing comprehensive energy metering data
CN109949881A (en) A kind of big data processing method and equipment based on block chain
CN112199431B (en) Metadata-based data sharing method and data sharing system
CN101383849B (en) Railway emergency rescue information sharing model implementation method
Tabassum et al. Securely Transfer Information with RSA and Digital Signature by using the concept of Fog Computing and Blockchain
CN114372292A (en) Method and system for improving reliability of block chain differential authorization duplicate removal system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication