CN101110672A - Method and system for establishing ESP security alliance in communication system - Google Patents

Publication number: CN101110672A
Application number: CNA2006101035249A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 梁文亮, 谢勇
Original and current assignee: Huawei Technologies Co Ltd
Prior art keywords: security association, key, AAA server, cryptographic algorithm, ESP

Abstract

Three methods are provided for establishing an ESP security association in a communication system. I. An AAA server directly generates the security key of the ESP security association; the mobile node MN obtains the security key from the AAA server or independently calculates the same security key; the cryptographic algorithm is preset and the SPI is configured in advance. II. The ESP security association parameters are negotiated between the home agent HA and the mobile node MN, and the MN obtains the security key from the AAA server or independently calculates the same security key. III. The shared key created during MN access authentication for binding updates between this MN and the HA is used as the pre-configured key of a key exchange protocol; mutual authentication is completed within the key exchange protocol, and the ESP security association is then established by negotiation in that protocol. Establishing a security association between the HA and the MN by any of these three methods secures the subsequent services between the HA and the MN.

Description

Method and system for establishing an ESP security association in a communication system
Technical field
The present invention relates to methods and systems for establishing a security association in a communication system, in the communications field, and in particular to a method and system for establishing an ESP (Encapsulating Security Payload) security association between a mobile node (MN) and a home agent (HA).
Background
Among existing mobile IP technologies, Mobile IPv6 is currently one of the most effective mobility proposals. Fig. 1 is a schematic diagram of the basic composition of Mobile IPv6. Mobile IPv6 comprises three entities: the mobile node MN, the home agent HA and the correspondent node CN. An IPv6 mobile node is a node with more than one host address. It has a care-of address and a home address at the same time. The care-of address is used to route IP packets, and its prefix is the prefix of the visited link. The care-of address is temporary and can take part in communication only after a return routability check has been carried out on it. The home address identifies the mobile node, and its prefix is the prefix of the home link. Mobile IPv6 allows a mobile node to move from one link to another without changing its home address.
A mobile node and a correspondent node have two communication modes. In the first mode, packets sent by the correspondent node are routed to the home agent and then sent to the mobile node through a tunnel; packets sent by the mobile node are first sent to the home agent through the tunnel and then routed to the correspondent node. In this mode the home agent uses proxy neighbor discovery to intercept, on the home link, packets addressed to the mobile node's home address. The intercepted packets are sent through the tunnel to the mobile node's current care-of address. In this mode data in both directions must pass through the home agent HA, which easily causes network congestion, and a failure of the home agent or of the associated links affects communication between the mobile node and the correspondent node.
The second mode is the route optimization mode. The data exchanged by the two parties does not have to pass through the HA and is routed directly. Because it optimizes the route, this mode has been developed extensively. For the route optimization mode, Mobile IPv6 introduces the return routability procedure (RRP), which secures communication between the MN and the CN; its principle is to authenticate the registration between them by encrypting the signaling exchanged between the MN and the CN. Through the RRP, the CN learns whether it can reach the MN at the care-of address and the home address that the MN announces; if the RRP test fails, the CN cannot send packets directly to the MN's care-of address. The test uses two message pairs (HoTI and HoT, CoTI and CoT) to check, respectively, whether packets whose destination address is the home address and packets whose destination address is the care-of address can reach the MN, and on that basis the CN accepts the binding from the MN (see Fig. 2).
In the RRP process, HoTI notifies the CN of the MN's home address and a cookie, and requests that the CN provide a home keygen token. CoTI notifies the CN of the MN's care-of address and a cookie, and requests that the CN provide a care-of keygen token. The MN computes a SHA1 hash over the home keygen token and the care-of keygen token to obtain a shared key Kbm. This shared key Kbm is used to authenticate the subsequent BU (Binding Update) and BA (Binding Acknowledgement) between the MN and the CN.
In the RRP process, the HoTI and HoT messages are transmitted in cleartext, so the privacy of the return routability procedure between the mobile node MN and the home agent HA cannot be guaranteed and the messages are easily eavesdropped. Once a malicious attacker obtains the H-Token and C-Token carried in the HoT and CoT messages, it can calculate the key Kbm of the subsequent BU process between the MN and the CN, so there is no guarantee that subsequent communication takes place between the mobile node MN and the correspondent node CN as expected. As a result, wireless networks such as WiMAX cannot properly support route optimization (RO), which reduces WiMAX network efficiency. In other words, if a wireless network such as WiMAX is to support IPv6 RO, an ESP security association between the mobile node MN and the home agent HA must be considered, to guarantee the privacy of the RO signaling.
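The Kbm computation described above, as an added example that is not part of the patent text: it follows the keygen token and authenticator formulas of RFC 3775 (the patent itself only states that Kbm is a SHA1 hash over the two tokens), and every address, nonce and key below is a constructed sample value. It shows that Kbm depends on the two keygen tokens alone, and how the CN checks a Binding Update with it.

```python
import hashlib
import hmac
import ipaddress


def keygen_token(kcn: bytes, address: bytes, nonce: bytes, kind: int) -> bytes:
    """CN side: First(64, HMAC_SHA1(Kcn, address | nonce | kind)).
    kind is 0 for the home keygen token and 1 for the care-of keygen token."""
    return hmac.new(kcn, address + nonce + bytes([kind]), hashlib.sha1).digest()[:8]


def compute_kbm(home_token: bytes, careof_token: bytes) -> bytes:
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + careof_token).digest()


def bu_authenticator(kbm: bytes, careof: bytes, cn: bytes, mh_data: bytes) -> bytes:
    """First(96, HMAC_SHA1(Kbm, care-of address | correspondent | MH Data))."""
    return hmac.new(kbm, careof + cn + mh_data, hashlib.sha1).digest()[:12]


def cn_verify_bu(kcn, home, careof, cn, home_nonce, careof_nonce, mh_data, authenticator):
    """CN side: regenerate both tokens from Kcn and the nonces, rebuild Kbm,
    and compare the authenticator in constant time."""
    kbm = compute_kbm(keygen_token(kcn, home, home_nonce, 0),
                      keygen_token(kcn, careof, careof_nonce, 1))
    expected = bu_authenticator(kbm, careof, cn, mh_data)
    return hmac.compare_digest(expected, authenticator)


# Constructed sample values (addresses from the 2001:db8::/32 documentation prefix).
HOME = ipaddress.IPv6Address("2001:db8:a::10").packed
CAREOF = ipaddress.IPv6Address("2001:db8:b::10").packed
CN = ipaddress.IPv6Address("2001:db8:c::1").packed
KCN = bytes(range(20))            # CN's private node key
HOME_NONCE = b"\x01" * 8
CAREOF_NONCE = b"\x02" * 8
MH_DATA = b"constructed-binding-update-body"


def run_rrp():
    """MN side: HoT (through the HA tunnel) and CoT (direct) deliver the tokens,
    from which the MN computes Kbm and the BU authenticator."""
    home_token = keygen_token(KCN, HOME, HOME_NONCE, 0)
    careof_token = keygen_token(KCN, CAREOF, CAREOF_NONCE, 1)
    kbm = compute_kbm(home_token, careof_token)
    auth = bu_authenticator(kbm, CAREOF, CN, MH_DATA)
    return home_token, careof_token, kbm, auth


if __name__ == "__main__":
    _, _, kbm, auth = run_rrp()
    print("Kbm:", kbm.hex())
    print("BU accepted:", cn_verify_bu(KCN, HOME, CAREOF, CN, HOME_NONCE,
                                       CAREOF_NONCE, MH_DATA, auth))
```

`compute_kbm` takes no input that is private to the MN, so the confidentiality of Kbm rests entirely on the tokens in transit; the ESP security association on the MN-HA path is what keeps the home keygen token in HoT from being read.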
Besides the RRP process described above, which requires an ESP security association to be established between the MN and the HA in advance, some other situations, such as the mobile prefix request process and data transmission between the MN and the HA, also require the services between the MN and the HA to be secured, and therefore likewise require an ESP security association between the MN and the HA.
Summary of the invention
The object of the present invention is to provide a method and system for establishing an ESP security association in a communication system, so as to increase the security of services between the MN and the HA.
To achieve this object, the invention discloses a method for establishing an ESP security association in a communication system, comprising the following steps:
(1) the AAA server generates the security key of the ESP security association and notifies the home agent HA of the security key;
(2) the mobile node MN receives the security key sent by the AAA server, or the MN generates the same security key according to a generation rule agreed in advance with the AAA server;
(3) the MN and the HA establish the ESP security association using the security key, a cryptographic algorithm that is preset or specified by the AAA server, and a pre-configured security parameter index (SPI).
Step (1) is specifically: the AAA server uses the first key, or the root key of the first key, directly as the security key, or derives the security key from the first key or from the root key of the first key, where the first key is the shared key used for binding updates between this MN and the HA, produced during the MN's access authentication process or during the initial binding update process between the HA and the MN.
Preferably, in step (1), the AAA server sends the security key to the HA at the same time as it delivers the first key to the HA. In step (2), the AAA server notifies the MN of the security key during the MN's access authentication process.
Set up the method for ESP Security Association in second kind of communication system disclosed by the invention, comprising:
(1) aaa server is consulted the Security Association parameter between mobile node MN and the home agent HA, and notifies MN and HA respectively with the Security Association parameter that consults, and described Security Association parameter comprises cryptographic algorithm or comprises cryptographic algorithm and Security Parameter Index SPI;
(2) aaa server generates the safe key of ESP Security Association, and notice HA;
(3) MN obtains described safe key or generates identical safe key according to the create-rule with the pre-agreement of aaa server from aaa server;
(4) MN and HA adopt described safe key, cryptographic algorithm and SPI pre-configured or that consult to set up the ESP Security Association.
Preferably, aaa server generates described safe key and is specially in the step (2): aaa server directly with the root key of first key or first key as described safe key, perhaps derive described safe key by first key or by the root key of first key, wherein, described first key is the shared key that this MN and HA carry out Binding Update that is used for that produces in mobile node MN access authentication verification process or HA and the MN Binding Update initial procedure.
The Security Association parameter that aaa server is consulted between mobile node MN and the home agent HA in the step (1) is specially: all cryptographic algorithm that this node of (11) mobile node MN notice aaa server is supported and the SPI that distributes to ESP Security Association between this node MN and the HA; (12) to obtain home agent HA be the SPI that the ESP Security Association distributes between this HA and the MN to aaa server, and the cryptographic algorithm that consults of a kind of cryptographic algorithm conduct of selecting HA to support among the cryptographic algorithm that can support from MN.
MN is sent to aaa server in access authentication process with described cryptographic algorithm and described SPI.
Aaa server is in MN access authentication verification process or Binding Update BU process in the step (12), and inquiry HA supports the SPI that all cryptographic algorithm and HA distribute for ESP Security Association between this HA and the MN.
Step (12) further comprises: in advance HA is configured to support identical cryptographic algorithm or HA is configured to support all cryptographic algorithm with aaa server; The cryptographic algorithm that consults is a kind of cryptographic algorithm that aaa server selects book server to support from the cryptographic algorithm that MN can support.
Set up the method for ESP Security Association in the third communication system disclosed by the invention, comprising: (1) with in the mobile node MN access authentication verification process or produce in HA and the MN Binding Update BU process be used for this MN and HA carries out the pre-configured key of the shared key of Binding Update as the cipher key interaction protocol procedures; (2) in the cipher key interaction protocol procedures, consult to set up the ESP Security Association between MN and the HA.Step (2) is specially: consult to set up an escape way between (21) MN and the HA; (22) utilize described pre-configured key to carry out the mutual checking of MN and HA, set up first Ipsec Security Association in the reciprocal process; (23) with described first Ipsec Security Association as the ESP Security Association that is used to encrypt between MN and the HA or, utilize first Ipsec Security Association to consult the ESP Security Association that is used to encrypt again.
The method of the generation key in the described ESP Security Association is set in the cipher key interaction negotiations process, and the method for the generation key in the perhaps described ESP Security Association is to set in the MN access authentication verification process of finishing in advance.
Correspondingly, the first system disclosed by the invention for establishing an ESP security association in a communication system further comprises an AAA server. The AAA server comprises a first security key generation unit, used to generate the security key of the ESP security association and to notify the home agent HA of the security key;
the mobile node further comprises a second security key generation unit and a first security association establishment unit. The described first security key generation unit is used to generate the security key according to a pre-stored generation rule identical to the one agreed with the AAA server. The first security association establishment unit is used to establish the ESP security association with the home agent HA from the pre-stored cryptographic algorithm, the pre-configured security parameter index and the generated security key;
the home agent comprises a second security association establishment unit, used to establish the ESP security association with the MN from the pre-stored cryptographic algorithm, the pre-configured security parameter and the received security key.
The AAA server further comprises a cryptographic algorithm designation unit, used to specify the cryptographic algorithm of the ESP security association between the HA and the MN and to notify the HA and the MN.
The second system disclosed by the invention for establishing an ESP security association in a communication system further comprises an AAA server. The AAA server comprises a first security key generation unit, used to generate the security key of the ESP security association and to notify the home agent HA and the mobile node MN of the security key;
the mobile node further comprises a first security association establishment unit, used to establish the ESP security association with the home agent HA from the pre-stored cryptographic algorithm, the pre-configured security parameter and the received security key;
the home agent comprises a second security association establishment unit, used to establish the ESP security association with the MN from the pre-stored cryptographic algorithm, the pre-configured security parameter and the received security key.
The AAA server further comprises a cryptographic algorithm designation unit, used to specify the cryptographic algorithm of the ESP security association between the HA and the MN and to notify the HA and the MN.
The third system disclosed by the invention for establishing an ESP security association in a communication system further comprises an AAA server. The AAA server comprises a negotiation unit and a first security key generation unit.
The negotiation unit is used to negotiate the security association parameters between the mobile node MN and the home agent HA, and to notify the MN and the HA respectively of the negotiated parameters, where the security association parameters comprise a cryptographic algorithm, or a cryptographic algorithm and a security parameter index (SPI);
the first security key generation unit is used to generate the security key of the ESP security association and to notify the home agent HA of the security key;
the mobile node further comprises a second security key generation unit and a first security association establishment unit. The described first security key generation unit is used to generate the security key according to a pre-stored generation rule identical to the one agreed with the AAA server. The first security association establishment unit is used to establish the ESP security association with the home agent HA from the received cryptographic algorithm, the pre-configured or received security parameter index and the generated security key;
the home agent comprises a second security association establishment unit, used to establish the ESP security association with the MN from the received cryptographic algorithm and security key and the pre-configured or received security parameter.
The AAA server further comprises a cryptographic algorithm designation unit, used to specify the cryptographic algorithm of the ESP security association between the HA and the MN and to notify the HA and the MN.
The fourth system disclosed by the invention for establishing an ESP security association in a communication system further comprises an AAA server.
The AAA server comprises a negotiation unit and a first security key generation unit.
The negotiation unit is used to negotiate the security association parameters between the mobile node MN and the home agent HA, and to notify the MN and the HA respectively of the negotiated parameters, where the security association parameters comprise a cryptographic algorithm, or a cryptographic algorithm and a security parameter index (SPI);
the first security key generation unit is used to generate the security key of the ESP security association and to notify the home agent HA and the mobile node MN of the security key;
the mobile node further comprises a first security association establishment unit, used to establish the ESP security association with the home agent HA from the received cryptographic algorithm, the pre-configured or received security parameter and the received security key;
the home agent comprises a second security association establishment unit, used to establish the ESP security association with the MN from the received cryptographic algorithm, the pre-configured or received security parameter and the received security key.
The AAA server further comprises a cryptographic algorithm designation unit, used to specify the cryptographic algorithm of the ESP security association between the HA and the MN and to notify the HA and the MN.
In the fifth system disclosed by the invention for establishing an ESP security association in a communication system, both the mobile node and the home agent are provided with a pre-configured key unit and a negotiation unit.
The pre-configured key unit is used to take the shared key for binding updates between this MN and the HA, produced during the MN's access authentication process or during the initial binding update process between the HA and the MN, as the pre-configured key of the key exchange protocol process. The negotiation unit is used to negotiate, in the key exchange protocol process, the establishment of the ESP security association between the MN and the HA.
The present invention can establish the ESP security association between the HA and the MN in three ways, and can guarantee the privacy of services between the HA and the MN. In particular, when this security association is used to encrypt the signaling involved in the RRP process, it increases the security of the route optimization process. This allows networks such as WiMAX to properly support route optimization (RO) and improves network efficiency.
Description of the drawings
Fig. 1 is a schematic diagram of the basic composition of Mobile IPv6;
Fig. 2 is a schematic diagram of the existing RRP process;
Fig. 3 is a flow chart of the first method disclosed by the invention for establishing an ESP security association in a communication system;
Fig. 4 is a schematic structural diagram of the first system disclosed by the invention for establishing an ESP security association in a communication system;
Fig. 5 is a schematic structural diagram of the second system disclosed by the invention for establishing an ESP security association in a communication system;
Fig. 6 is a flow chart of the second method disclosed by the invention for establishing an ESP security association in a communication system;
Fig. 7 is a schematic structural diagram of the third system disclosed by the invention for establishing an ESP security association in a communication system;
Fig. 8 is a schematic structural diagram of the fourth system disclosed by the invention for establishing an ESP security association in a communication system;
Fig. 9 is a flow chart of the third method disclosed by the invention for establishing an ESP security association in a communication system;
Fig. 10 is a schematic structural diagram of the fifth system disclosed by the invention for establishing an ESP security association in a communication system.
Embodiments
The present invention is described in detail below with reference to the accompanying drawings.
To secure the services between the HA and the MN, a security association must be established between the HA and the MN in advance. The core of the present invention is that it provides three methods for establishing a security association between the HA and the MN. In the first scheme, the AAA server directly generates the security key of the ESP security association, the mobile node MN obtains the security key from the AAA server or independently calculates the same security key, the cryptographic algorithm is preset and the SPI is pre-configured. In the second scheme, the ESP security association parameters, comprising a cryptographic algorithm or a cryptographic algorithm and an SPI, are negotiated between the home agent HA and the MN, and the mobile node MN obtains the security key from the AAA server or independently calculates the same security key. In the third scheme, the shared key for binding updates between this MN and the HA, produced during the MN's access authentication process, is used as the pre-configured key of the key exchange protocol process; the two parties authenticate each other within the key exchange protocol process, and the ESP security association is then produced by negotiation in the key exchange protocol. Establishing the security association between the HA and the MN in any of these three ways secures the subsequent services between the HA and the MN. The services between the HA and the MN include the RRP process, the mobile prefix request process, data transmission between the MN and the HA, and so on. The description below uses the RRP process as the example.
With the rapid development of network technology, the security of data on the network has become the issue of greatest concern. Many communication protocols and methods now provide encryption or authentication of data to guarantee its secure transmission. The most widely used is the IPsec (Internet Protocol Security) protocol. IPsec is a protocol suite that includes the AH (Authentication Header) authentication protocol, ESP (Encapsulating Security Payload), the IKE (Internet Key Exchange) protocol and others. IPsec supports generating a security association (SA) either by manual configuration or by automatic negotiation with the IKE protocol. The security association is the basis of IPsec: it determines the key that the IPsec protocol uses to protect packets, the key lifetime and so on, and its main parameters are the SPI, the key and the algorithm. In other words, the security association is the basis on which data is encrypted or authenticated, and each packet that needs encryption or authentication processing has a specific security association configured or generated for it. The security association established between the HA and the MN in the present invention is an ESP security association.
Fig. 3 is a flow chart of the first method disclosed by the invention for establishing an ESP security association in a communication system. It comprises the following steps:
S110: the AAA server generates the security key of the ESP security association and notifies the home agent HA of the security key;
S120: the mobile node MN receives the security key sent by the AAA server, or the MN generates the same security key according to a generation rule agreed in advance with the AAA server;
S130: the MN and the HA establish the ESP security association using the security key, a cryptographic algorithm that is preset or specified by the AAA server, and a pre-configured security parameter index (SPI).
Each step is described in detail below.
1. Step S110
After the MN's access authentication process and its first registration with the home agent HA, the MN and the HA hold a piece of shared key information. This shared key information is mainly used to protect the integrity of the subsequent BU (Binding Update) / BA (Binding Acknowledgement) process between the MN and the HA; the present invention calls this shared key the first key. The AAA server can use the first key directly as the security key of the ESP security association, or can derive the security key from the first key. The preferred embodiment is for the AAA server to derive the security key from the first key. Derivation here means that, according to a predefined formula or function, the first key is used as a known input of the formula or function to obtain the corresponding security key.
Besides the first key, the security key can also be produced from the root key of the first key in the access authentication process, MSK or EMSK. That is, the root key MSK or EMSK of the first key is used directly as the security key, or the security key is derived from the root key of the first key. Of course, besides the first key and the root key of the first key, the AAA server can also use other key information already held between the MN and the AAA server, or between the MN and the HA, to generate the key of the ESP security association between the MN and the HA.
When the AAA server delivers the first key to the HA, it can send this security key to the HA at the same time. In other words, the AAA server includes the first key and the security key in the Access-Accept message that the AAA server sends to the HA. In addition, when the cryptographic algorithm of the ESP security association is specified by the AAA server, the AAA server can send the first key, the security key and the specified cryptographic algorithm to the HA together.
2. Step S120
The MN can obtain the security key in two ways. In the first way, the MN receives the security key sent by the AAA server; for example, the AAA server sends the security key to the MN during the MN's access authentication process. In the second way, the MN stores in advance the generation rule used to generate the security key, and this rule is identical to the rule by which the AAA server generates the security key, so the security key that the MN generates according to the rule is identical to the one generated on the AAA server. The generation rule mainly refers to the procedure and the corresponding parameters by which the AAA server obtains the security key in step S110.
When the cryptographic algorithm is specified by the AAA server, the AAA server can also send the security key to the MN together with the specified cryptographic algorithm during the MN's access authentication process.
3. Step S130
An SPI (Security Parameter Index) is unique within an entity. The entities here are the HA and the MN. An SPI can be allocated to a security association dynamically; as a simple example, each newly added security association is allocated an SPI that is not yet in use. Alternatively, an SPI can be reserved in advance, never allocated to security associations for other purposes, and used only for the return routability procedure. If there are other application scenarios, a further SPI can be predefined, or the same one can be shared.
Other parameters that the default ESP security association between the MN and the HA must satisfy, for example that the cryptographic algorithm is null, that the ESP mode is tunnel mode and that the SPI is a value known to both sides, are all pre-configured.
The ESP security association between the HA and the MN is established from the security key, the SPI and the cryptographic algorithm.
Fig. 4 is a schematic diagram of the structure of the first system disclosed by the invention for establishing an ESP security association in a communication system. The system further comprises an AAA server. The AAA server comprises a first security key generation unit, used to generate the security key of the ESP security association and to notify the home agent HA of the security key;
the mobile node further comprises a second security key generation unit and a first security association establishment unit. The described first security key generation unit is used to generate the security key according to a pre-stored generation rule identical to the one agreed with the AAA server. The first security association establishment unit is used to establish the ESP security association with the home agent HA from the pre-stored cryptographic algorithm, the pre-configured security parameter index and the generated security key;
the home agent comprises a second security association establishment unit, used to establish the ESP security association with the MN from the pre-stored cryptographic algorithm, the pre-configured security parameter and the received security key.
The AAA server further comprises a cryptographic algorithm designation unit, used to specify the cryptographic algorithm of the ESP security association between the HA and the MN and to notify the HA and the MN. If the cryptographic algorithm is specified by the cryptographic algorithm designation unit, the HA and the MN do not need to store a cryptographic algorithm in advance.
In the system above, the mobile node generates the security key with its own second security key generation unit. Alternatively, it can directly receive the security key sent by the AAA server. That is:
Fig. 5 is a schematic structural diagram of the second system disclosed by the invention for establishing an ESP security association in a communication system. It further comprises an AAA server. The AAA server comprises a first security key generation unit, used to generate the security key of the ESP security association and to notify the home agent HA and the mobile node MN of the security key;
the mobile node further comprises a first security association establishment unit, used to establish the ESP security association with the home agent HA from the pre-stored cryptographic algorithm, the pre-configured security parameter and the received security key;
the home agent comprises a second security association establishment unit, used to establish the ESP security association with the MN from the pre-stored cryptographic algorithm, the pre-configured security parameter and the received security key.
The AAA server further comprises a cryptographic algorithm designation unit, used to specify the cryptographic algorithm of the ESP security association between the HA and the MN and to notify the HA and the MN.
Fig. 6 is a flow chart of the second method disclosed by the invention for establishing an ESP security association in a communication system. It comprises:
S210: the AAA server negotiates the security association parameters between the mobile node MN and the home agent HA, and notifies the MN and the HA respectively of the negotiated parameters, where the security association parameters comprise a cryptographic algorithm, or a cryptographic algorithm and a security parameter index (SPI);
S220: the AAA server generates the security key of the ESP security association and notifies the HA;
S230: the MN obtains the security key from the AAA server, or generates the same security key according to a generation rule agreed in advance with the AAA server;
S240: the MN and the HA establish the ESP security association using the security key, the cryptographic algorithm, and the SPI that is pre-configured or negotiated.
In step S210, the AAA server can negotiate the security association parameters between the mobile node MN and the home agent HA through the following steps:
(1) The MN notifies the AAA server of all cryptographic algorithms that the MN supports and of the SPI that the MN has allocated to the ESP security association between itself and the HA. The MN can send these cryptographic algorithms and this SPI to the AAA server during the access authentication process.
(2) The AAA server obtains the SPI that the home agent HA has allocated to the ESP security association between this HA and the MN, and selects, from the cryptographic algorithms that the MN supports, one that the HA also supports as the negotiated cryptographic algorithm.
At network planning time, the HA can be pre-configured to support the same cryptographic algorithms as the AAA server, and the SPI used for this service can be predefined. After receiving all of the MN's cryptographic algorithms, the AAA server picks from them one that the AAA server itself supports as the cryptographic algorithm of the ESP security association between the HA and the MN.
Alternatively, all cryptographic algorithms can be preset on the HA. In that case too, after receiving all of the MN's cryptographic algorithms, the AAA server picks from them one that the AAA server itself supports as the cryptographic algorithm of the ESP security association between the HA and the MN.
In addition, the AAA server can, during the MN access authentication process or the Binding Update (BU) process, query the HA for all cryptographic algorithms that the HA supports and for the SPI that the HA has allocated to the ESP security association between this HA and the MN. The AAA server then picks one algorithm from those supported by the HA, the MN and the AAA server alike as the cryptographic algorithm of the ESP security association between the HA and the MN.
The AAA server notifies the MN of the finally determined cryptographic algorithm and of the SPI that the HA pre-allocated to the ESP security association for this service. The AAA server can notify the MN of the cryptographic algorithm and the SPI during the MN access authentication process. The AAA server likewise notifies the HA of the finally determined cryptographic algorithm and of the SPI that the MN allocated to the ESP security association between the HA and this MN.
Steps S220 to S240 are similar to steps S110 to S130 of the first method disclosed above for establishing the ESP security association between the HA and the MN, and are not described again here. Note that the security key can be notified to the MN together with the cryptographic algorithm and the SPI during the access authentication process.
One further point: when the HA and the MN complete the negotiation and establishment of the ESP security association during the MN access authentication process, there need be no ordering relationship between it and the Mobile IP registration process.
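Steps S210 to S240 above, sketched as an added Python example (not code from the patent). The patent does not specify the key generation rule, so an HMAC-SHA256 derivation is assumed here; the algorithm names, identities, SPI values, AAA policy and first key are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass

# AAA policy (constructed): allowed algorithms in preference order -> key bytes.
# ESP NULL encryption is left out because this SA exists to provide confidentiality.
AAA_POLICY = {"AES-CBC-128": 16, "3DES-CBC": 24}


class NegotiationError(Exception):
    """No parameter set acceptable to MN, HA and AAA policy."""


@dataclass(frozen=True)
class EspSa:
    algorithm: str
    key: bytes
    spi_mn: int  # SPI allocated by the MN
    spi_ha: int  # SPI allocated by the HA


def check_spi(spi):
    # RFC 4303: 32-bit value; 0 is reserved for local use and 1-255 by IANA.
    if not 256 <= spi <= 0xFFFFFFFF:
        raise NegotiationError(f"unusable SPI {spi}")
    return spi


def select_algorithm(mn_algs, ha_algs):
    """S210: first algorithm in AAA preference order that MN and HA both support."""
    for alg in AAA_POLICY:
        if alg in mn_algs and alg in ha_algs:
            return alg
    raise NegotiationError("no common algorithm permitted by AAA policy")


def derive_security_key(first_key, mn_id, ha_id, alg):
    """Assumed generation rule: HMAC-SHA256 keyed with the first key."""
    def field(b):  # length-prefix each field so the concatenation is unambiguous
        return len(b).to_bytes(2, "big") + b
    info = field(b"ESP-SA") + field(mn_id) + field(ha_id) + field(alg.encode())
    return hmac.new(first_key, info, hashlib.sha256).digest()[:AAA_POLICY[alg]]


def aaa_negotiate(first_key, mn_id, ha_id, mn_algs, mn_spi, ha_algs, ha_spi):
    """AAA side of S210/S220: returns the notifications for the MN and for the HA."""
    alg = select_algorithm(mn_algs, ha_algs)
    check_spi(mn_spi)
    check_spi(ha_spi)
    key = derive_security_key(first_key, mn_id, ha_id, alg)
    to_mn = {"algorithm": alg, "peer_spi": ha_spi}              # key is not sent
    to_ha = {"algorithm": alg, "peer_spi": mn_spi, "key": key}  # S220
    return to_mn, to_ha


def run_example():
    # Constructed sample values.
    first_key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    mn_id, ha_id = b"mn1@example.net", b"ha1.example.net"
    mn_algs, mn_spi = ["NULL", "3DES-CBC", "AES-CBC-128"], 0x1001
    ha_algs, ha_spi = ["AES-CBC-128", "NULL"], 0x2001

    to_mn, to_ha = aaa_negotiate(first_key, mn_id, ha_id,
                                 mn_algs, mn_spi, ha_algs, ha_spi)
    # S230: the MN derives the key itself from its own copy of the first key.
    mn_key = derive_security_key(first_key, mn_id, ha_id, to_mn["algorithm"])
    # S240: each side assembles the SA from what it holds and what it was told.
    mn_sa = EspSa(to_mn["algorithm"], mn_key, mn_spi, to_mn["peer_spi"])
    ha_sa = EspSa(to_ha["algorithm"], to_ha["key"], to_ha["peer_spi"], ha_spi)
    return mn_sa, ha_sa


if __name__ == "__main__":
    mn_sa, ha_sa = run_example()
    print("SAs match:", mn_sa == ha_sa, mn_sa.algorithm, mn_sa.key.hex())
```

Because the AAA policy omits NULL encryption, an MN that advertises only NULL gets a `NegotiationError` instead of an SA without confidentiality.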
Refer to Fig. 7, a structural diagram of the third system disclosed by the present invention for establishing an ESP security association in a communication system. The system further comprises an AAA server, which comprises a negotiation unit and a first security key generation unit.
The negotiation unit is configured to negotiate the security association parameters between the mobile node MN and the home agent HA, and to notify the MN and the HA respectively of the negotiated parameters; the security association parameters comprise a cryptographic algorithm, or a cryptographic algorithm and a Security Parameter Index (SPI);
The first security key generation unit is configured to generate the security key of the ESP security association and to notify the home agent HA of the security key;
The mobile node further comprises a second security key generation unit and a first security association establishment unit. The second security key generation unit is configured to generate the security key according to the pre-stored generation rule, identical to the one agreed with the AAA server. The first security association establishment unit is configured to establish the ESP security association with the home agent HA using the received cryptographic algorithm, the pre-configured or received Security Parameter Index, and the generated security key;
The home agent comprises a second security association establishment unit, configured to establish the ESP security association with the MN using the received cryptographic algorithm and security key and the pre-configured or received security parameter.
The AAA server further comprises a cryptographic algorithm designation unit, configured to designate the cryptographic algorithm of the ESP security association between the HA and the MN and to notify the HA and the MN of it.
In the system above, the mobile node generates the security key with its own second security key generation unit. Alternatively, it can directly receive the security key sent by the AAA server, as follows.
Refer to Fig. 8, a structural diagram of the fourth system disclosed by the present invention for establishing an ESP security association in a communication system. The system further comprises an AAA server, which comprises a negotiation unit and a first security key generation unit.
The negotiation unit is configured to negotiate the security association parameters between the mobile node MN and the home agent HA, and to notify the MN and the HA respectively of the negotiated parameters; the security association parameters comprise a cryptographic algorithm, or a cryptographic algorithm and a Security Parameter Index (SPI);
The first security key generation unit is configured to generate the security key of the ESP security association and to notify the home agent HA and the mobile node MN of the security key;
The mobile node further comprises a first security association establishment unit, configured to establish the ESP security association with the home agent HA using the received cryptographic algorithm, the pre-configured or received security parameter, and the received security key;
The home agent comprises a second security association establishment unit, configured to establish the ESP security association with the MN using the received cryptographic algorithm, the pre-configured or received security parameter, and the received security key.
The AAA server further comprises a cryptographic algorithm designation unit, configured to designate the cryptographic algorithm of the ESP security association between the HA and the MN and to notify the HA and the MN of it.
Refer to Fig. 9, a flow chart of the third method disclosed by the present invention for establishing an ESP security association in a communication system. The method comprises:
S310: The shared key used for Binding Update between this MN and the HA, produced during the mobile node MN access authentication process or during the initial Binding Update process between the HA and the MN, is taken as the pre-configured key of the key exchange protocol process;
S320: During the key exchange protocol process, the ESP security association between the MN and the HA is negotiated and established, as follows:
S21: The MN and the HA negotiate to establish a secure channel;
S22: The pre-configured key is used for mutual authentication of the MN and the HA, and the first IPsec security association is established during the exchange;
S23: The first IPsec security association is used as the ESP security association between the MN and the HA, or the first IPsec security association is used to negotiate the ESP security association anew.
The key exchange protocols in current use are mainly IKEv1 and IKEv2. The IKE process can be divided into an initialization sub-process, an authentication sub-process and a child security association negotiation sub-process. In the initialization sub-process, the two parties send each other the data required by the Diffie-Hellman method, the negotiated algorithms and random numbers, creating a security association specific to the IKE negotiation. Under the confidentiality protection of the security association established in the initialization sub-process, the two parties authenticate each other; authentication can be based on digital certificates or a pre-shared key, and once it succeeds the first child security association is also established. After the authentication sub-process completes successfully, the two parties can negotiate to create further child security associations.
This method establishes the ESP security association between the mobile node MN and the home agent HA mainly through a key exchange protocol; that is, a key exchange protocol process is introduced to negotiate the security association between the MN and the HA. Because the key exchange protocol process itself (taking IKEv2 as an example) also requires a pre-configured key for mutual authentication between the endpoints, the present invention negotiates the security association between the MN and the HA through the key exchange protocol process (taking IKEv2 as an example) and uses the key information produced during authentication between the mobile node MN and the AAA server as the pre-configured key in the key exchange protocol (taking IKEv2 as an example).
If no ESP security association exists between the mobile node MN and the home agent HA, a key exchange process (here taking IKEv2 as an example) must be initiated between the mobile node MN and the home agent HA.
First, in the IKE-SA-INIT process (the initialization sub-process), the mobile node MN and the home agent HA negotiate to establish a path that is secure with respect to other nodes. Establishing the secure path is prior art; see RFC4306. Roughly, the two parties exchange random numbers and, using the DH algorithm, compute a key known only to the two of them; all subsequent exchanges are then encrypted with this key. Other nodes, lacking this key information, cannot see the content of the communication between the two parties.
Then, in the IKE-AUTH process (the authentication sub-process), the two parties authenticate each other using the pre-shared key, and the first IPsec security association of the IKE process is established. After both parties have been authenticated, the ESP security association (including the associated key and cryptographic algorithm) can be negotiated over the previously established secure path, or the first IPsec security association already negotiated can be used as the ESP security association (including the associated key and cryptographic algorithm), to ensure that confidentiality of signaling or data can be provided between the mobile node MN and the home agent HA. The ESP security association established between the HA and the MN must include an algorithm that guarantees confidentiality and a secret key (that is, the security key).
The method of generating the key in the ESP security association is set during the key exchange negotiation, or is set during the previously completed MN access authentication process.
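The pre-shared-key check in IKE-AUTH, as an added Python example (not code from the patent), using the AUTH computation of RFC 4306 section 2.15 with the MN-HA Binding Update key as the shared secret. HMAC-SHA-256 as the PRF is an assumption, and the messages, nonces, SK_p values and identities are constructed placeholders rather than real IKE encodings.

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # constant string from RFC 4306, section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: the PRF negotiated in IKE-SA-INIT is HMAC-SHA-256.
    return hmac.new(key, data, hashlib.sha256).digest()


def psk_auth(shared_key, own_first_msg, peer_nonce, sk_p, own_id_payload):
    """AUTH = prf(prf(shared key, KEY_PAD), first message | peer nonce | prf(SK_p, ID))."""
    signed_octets = own_first_msg + peer_nonce + prf(sk_p, own_id_payload)
    return prf(prf(shared_key, KEY_PAD), signed_octets)


def verify_peer(shared_key, received_auth, peer_first_msg, own_nonce,
                sk_p_peer, peer_id_payload):
    """Recompute the peer's AUTH value and compare in constant time."""
    expected = psk_auth(shared_key, peer_first_msg, own_nonce,
                        sk_p_peer, peer_id_payload)
    return hmac.compare_digest(expected, received_auth)


def mutual_auth(mn_key: bytes, ha_key: bytes):
    """Return (HA accepts MN, MN accepts HA) for the keys each side holds."""
    # Constructed stand-ins for the IKE-SA-INIT exchange and its derived keys.
    ni, nr = bytes(range(32)), bytes(range(32, 64))      # nonces of MN and HA
    msg1 = b"IKE_SA_INIT request from MN|" + ni          # MN is the initiator
    msg2 = b"IKE_SA_INIT response from HA|" + nr
    sk_pi, sk_pr = b"\x11" * 32, b"\x22" * 32            # normally from SKEYSEED
    id_mn, id_ha = b"mn1@example.net", b"ha1.example.net"

    auth_mn = psk_auth(mn_key, msg1, nr, sk_pi, id_mn)   # sent by the MN
    auth_ha = psk_auth(ha_key, msg2, ni, sk_pr, id_ha)   # sent by the HA
    ha_accepts_mn = verify_peer(ha_key, auth_mn, msg1, nr, sk_pi, id_mn)
    mn_accepts_ha = verify_peer(mn_key, auth_ha, msg2, ni, sk_pr, id_ha)
    return ha_accepts_mn, mn_accepts_ha


if __name__ == "__main__":
    bu_key = b"constructed MN-HA BU shared key"
    print("same key:     ", mutual_auth(bu_key, bu_key))
    print("different key:", mutual_auth(bu_key, b"key of another MN"))
```

Both checks succeed only when the MN and the HA hold the same Binding Update key, which is what ties the IKE exchange back to the earlier access authentication.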
Refer to Fig. 10, a structural diagram of the fifth system provided by the present invention for establishing an ESP security association in a communication system. A pre-configured key unit and a negotiation unit are provided in both the mobile node and the home agent.
The pre-configured key unit is configured to take the shared key used for Binding Update between this MN and the HA, produced during the mobile node MN access authentication process or during the initial Binding Update process between the HA and the MN, as the pre-configured key of the key exchange protocol process;
The negotiation unit is configured to negotiate and establish the ESP security association between the MN and the HA during the key exchange protocol process.
After the ESP security association between the HA and the MN has been established by any one of the three methods above, the established ESP security association can be used for communication in the RRP process. This guarantees the confidentiality of the return routability procedure between the MN and the HA, and in turn the security of the key information kbm for the subsequent BU process between the MN and the CN. Ultimately, wireless networks such as WiMAX can properly support route optimization (RO) and guarantee the confidentiality of RO signaling.
The above discloses only several specific embodiments of the present invention, but the present invention is not limited to them; any variation that a person skilled in the art can conceive of shall fall within the protection scope of the present invention.

Claims (22)

1. A method for establishing an ESP security association in a communication system, characterized in that it comprises the following steps:
An AAA server generates the security key of the ESP security association and notifies the home agent HA of the security key;
The mobile node MN receives the security key sent by the AAA server, or the MN generates the identical security key according to a generation rule agreed in advance with the AAA server;
The MN and the HA establish the ESP security association using the security key, a cryptographic algorithm that is preset or designated by the AAA server, and a pre-configured Security Parameter Index (SPI).
2. The method as claimed in claim 1, characterized in that the AAA server generating the security key of the ESP security association is specifically:
The AAA server directly uses a first key, or the root key of the first key, as the security key, or
derives the security key from the first key or from the root key of the first key, wherein the first key is the shared key used for Binding Update between this MN and the HA, produced during the MN access authentication process or during the initial Binding Update process between the HA and the MN.
3. The method as claimed in claim 2, characterized in that the AAA server sends the security key to the HA at the same time as it delivers the first key to the HA.
4. The method as claimed in claim 1 or 3, characterized in that the AAA server notifies the MN of the security key during the MN access authentication process.
5. A system for establishing an ESP security association in a communication system, comprising an MN, an HA and an AAA server, characterized in that the AAA server comprises a first security key generation unit, configured to generate the security key of the ESP security association and to notify the HA of the security key;
The MN further comprises a second security key generation unit and a first security association establishment unit; the first security key generation unit is configured to generate the security key according to the pre-stored generation rule, identical to the one agreed with the AAA server; the first security association establishment unit is configured to establish the ESP security association with the HA using the pre-stored cryptographic algorithm, the pre-configured Security Parameter Index and the generated security key;
The HA comprises a second security association establishment unit, configured to establish the ESP security association with the MN using the pre-stored cryptographic algorithm, the pre-configured security parameter and the received security key.
6. The system as claimed in claim 5, characterized in that the AAA server further comprises a cryptographic algorithm designation unit, configured to designate the cryptographic algorithm of the ESP security association between the HA and the MN and to notify the HA and the MN of it.
7. A system for establishing an ESP security association in a communication system, comprising an MN, an HA and an AAA server, characterized in that the AAA server comprises a first security key generation unit, configured to generate the security key of the ESP security association and to notify the HA and the MN of the security key;
The MN further comprises a first security association establishment unit, configured to establish the ESP security association with the HA using the pre-stored cryptographic algorithm, the pre-configured security parameter and the received security key;
The HA comprises a second security association establishment unit, configured to establish the ESP security association with the MN using the pre-stored cryptographic algorithm, the pre-configured security parameter and the received security key.
8. The system as claimed in claim 7, characterized in that the AAA server further comprises a cryptographic algorithm designation unit, configured to designate the cryptographic algorithm of the ESP security association between the HA and the MN and to notify the HA and the MN of it.
9. A method for establishing an ESP security association in a communication system, characterized in that it comprises:
An AAA server negotiates the security association parameters between the MN and the HA and notifies the MN and the HA respectively of the negotiated parameters, the security association parameters comprising a cryptographic algorithm, or a cryptographic algorithm and a Security Parameter Index (SPI);
The AAA server generates the security key of the ESP security association and notifies the HA of it;
The MN obtains the security key from the AAA server, or generates the identical security key according to a generation rule agreed in advance with the AAA server;
The MN and the HA establish the ESP security association using the security key, the cryptographic algorithm, and the pre-configured or negotiated SPI.
10. The method as claimed in claim 9, characterized in that the AAA server generating the security key is specifically:
The AAA server directly uses a first key, or the root key of the first key, as the security key, or
derives the security key from the first key or from the root key of the first key, wherein the first key is the shared key used for Binding Update between this MN and the HA, produced during the MN access authentication process or during the initial Binding Update process between the HA and the MN.
11. The method as claimed in claim 9, characterized in that the AAA server negotiating the security association parameters between the MN and the HA is specifically:
The MN notifies the AAA server of all cryptographic algorithms that the MN supports and of the SPI allocated to the ESP security association between this MN and the HA;
The AAA server obtains the SPI that the HA has allocated to the ESP security association between this HA and the MN, and selects, from the cryptographic algorithms that the MN supports, one that the HA also supports as the negotiated cryptographic algorithm.
12. The method as claimed in claim 11, characterized in that the MN sends the cryptographic algorithms and the SPI to the AAA server during the access authentication process.
13. The method as claimed in claim 11 or 12, characterized in that
the AAA server, during the MN access authentication process or the Binding Update (BU) process, queries the HA for all cryptographic algorithms that the HA supports and for the SPI that the HA has allocated to the ESP security association between this HA and the MN.
14. The method as claimed in claim 12, characterized in that it further comprises:
Configuring the HA in advance to support the same cryptographic algorithms as the AAA server, or configuring the HA to support all cryptographic algorithms;
The negotiated cryptographic algorithm is one that the AAA server itself supports, selected by the AAA server from the cryptographic algorithms that the MN supports.
15. A system for establishing an ESP security association in a communication system, comprising an MN, an HA and an AAA server, characterized in that the AAA server comprises a negotiation unit and a first security key generation unit,
The negotiation unit is configured to negotiate the security association parameters between the MN and the HA and to notify the MN and the HA respectively of the negotiated parameters, the security association parameters comprising a cryptographic algorithm, or a cryptographic algorithm and a Security Parameter Index (SPI);
The first security key generation unit is configured to generate the security key of the ESP security association and to notify the HA of the security key;
The MN further comprises a second security key generation unit and a first security association establishment unit; the first security key generation unit is configured to generate the security key according to the pre-stored generation rule, identical to the one agreed with the AAA server; the first security association establishment unit is configured to establish the ESP security association with the HA using the received cryptographic algorithm, the pre-configured or received Security Parameter Index, and the generated security key;
The HA comprises a second security association establishment unit, configured to establish the ESP security association with the MN using the received cryptographic algorithm and security key and the pre-configured or received security parameter.
16. The system as claimed in claim 15, characterized in that the AAA server further comprises a cryptographic algorithm designation unit, configured to designate the cryptographic algorithm of the ESP security association between the HA and the MN and to notify the HA and the MN of it.
17. A system for establishing an ESP security association in a communication system, comprising an MN, an HA and an AAA server, characterized in that
the AAA server comprises a negotiation unit and a first security key generation unit,
The negotiation unit is configured to negotiate the security association parameters between the MN and the HA and to notify the MN and the HA respectively of the negotiated parameters, the security association parameters comprising a cryptographic algorithm, or a cryptographic algorithm and a Security Parameter Index (SPI);
The first security key generation unit is configured to generate the security key of the ESP security association and to notify the HA and the MN of the security key;
The MN further comprises a first security association establishment unit, configured to establish the ESP security association with the HA using the received cryptographic algorithm, the pre-configured or received security parameter, and the received security key;
The HA comprises a second security association establishment unit, configured to establish the ESP security association with the MN using the received cryptographic algorithm, the pre-configured or received security parameter, and the received security key.
18. The system as claimed in claim 17, characterized in that the AAA server further comprises a cryptographic algorithm designation unit, configured to designate the cryptographic algorithm of the ESP security association between the HA and the MN and to notify the HA and the MN of it.
19. A method for establishing an ESP security association in a communication system, characterized in that it comprises:
Taking the shared key used for Binding Update between this MN and the HA, produced during the MN access authentication process or during the initial Binding Update process between the HA and the MN, as the pre-configured key of the key exchange protocol process;
During the key exchange protocol process, negotiating and establishing the ESP security association between the MN and the HA.
20. The method as claimed in claim 19, characterized in that negotiating and establishing the ESP security association between the MN and the HA during the key exchange protocol process is specifically:
The MN and the HA negotiate to establish a secure channel;
The pre-configured key is used for mutual authentication of the MN and the HA, and the first IPsec security association is established during the exchange;
The first IPsec security association is used as the ESP security association used for encryption between the MN and the HA, or the first IPsec security association is used to negotiate anew the ESP security association used for encryption.
21. The method as claimed in claim 19, characterized in that the method of generating the key in the ESP security association is set during the key exchange negotiation, or
the method of generating the key in the ESP security association is set during the previously completed MN access authentication process.
22. A system for establishing an ESP security association in a communication system, comprising an MN and an HA, characterized in that a pre-configured key unit and a negotiation unit are provided in each of the MN and the HA,
The pre-configured key unit is configured to take the shared key used for Binding Update between this MN and the HA, produced during the MN access authentication process or during the initial Binding Update process between the HA and the MN, as the pre-configured key of the key exchange protocol process;
The negotiation unit is configured to negotiate and establish the ESP security association between the MN and the HA during the key exchange protocol process.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2006101035249A CN101110672A (en) 2006-07-19 2006-07-19 Method and system for establishing ESP security alliance in communication system

Publications (1)

Publication Number Publication Date
CN101110672A true CN101110672A (en) 2008-01-23

Family

ID=39042583

Song et al. LAA: Link-layer anonymous access for tactical MANETs
KR101989147B1 (en) Method for handshake of MPTCP using asymmetric key exchange
Moustafa Providing authentication, trust, and privacy in wireless mesh networks
EP3231207A1 (en) Secure message exchange in a network
Modares et al. Protection of binding update message in Mobile IPv6
KR100596397B1 (en) Method for distributing session key of radius-based AAA server in a mobile IPv6

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication