CN101119594B - Method of implementing home agent root key synchronization between home agent and foreign agent - Google Patents


Info

Publication number
CN101119594B
Authority
CN
China
Prior art keywords
authentication
home agent
key
mobile
home
Legal status
Expired - Fee Related
Application number
CN2007101451592A
Other languages
Chinese (zh)
Other versions
CN101119594A
Inventor
朱戈
Current Assignee
Nantong Well Electric Moto Co., Ltd.
Original Assignee
ZTE Corp
Events
  • Application filed by ZTE Corp
  • Priority to CN2007101451592A
  • Publication of CN101119594A
  • Application granted
  • Publication of CN101119594B
  • Expired - Fee Related (current legal status)
  • Anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to WiMAX systems and discloses a method of implementing home agent root key synchronization between a home agent and a foreign agent. It describes the synchronization mechanism of the home agent root key and provides a scheme for synchronizing the home agent root key HA-RK, used in the mobile IPv4 authentication extensions, between the foreign agent and the home agent. In this scheme the authentication, authorization and accounting server of the home network generates the home agent root key and pushes it to the relevant network elements. The invention solves the problem that, when the HA-RKs held by the foreign agent and the home agent become inconsistent under certain conditions, the foreign agent-home agent (FA-HA) authentication extension cannot be verified and mobile IP registration fails.

Description

Method of implementing home agent root key synchronization between home agent and foreign agent
Technical field
The present invention relates to the field of Worldwide Interoperability for Microwave Access (WiMAX) communications, and in particular to a method of implementing home agent root key synchronization between a home agent and a foreign agent in a WiMAX system.
Background art
In October 1996 the IETF network working group proposed the RFC 2002 standard, which sets out in detail the principles, implementation and various specific issues of mobile IP. In 2003 the IETF issued the new mobile IPv4 standard RFC 3344, which replaced RFC 2002. Simply put, mobile IP lets a mobile node keep its connection and correctly send and receive packets while it moves.
In the mobile IPv4 protocol every mobile node (MN) has a unique home address, which stays constant as the mobile node moves. Every mobile node must also have a home agent (HA) on its home network link that maintains its current location information, which requires the introduction of a care-of address. When the mobile node is attached to a foreign network link, the care-of address identifies the location where the mobile node currently resides so that routing can be performed. The association of the mobile node's home address with its current care-of address is called a mobility binding, or simply a binding. When the mobile node obtains a new care-of address it registers the binding with the home agent so that the home agent learns the mobile node's current location in time.
The computing environment of a mobile node may differ greatly from ordinary computing environments. In many cases a mobile computer connects to the network over a radio link. Such links are exposed to passive eavesdropping, active replay attacks and other active attacks. An important procedure in mobile IPv4 is the registration procedure, and the authentication extensions of the registration procedure exist for this reason.
Mobile IPv4 registration provides a flexible mechanism by which mobile nodes send their current reachability information to their home agent. A mobile node uses it to:
---request forwarding service when visiting a foreign network;
---inform its home agent of its current care-of address;
---re-register with the home agent when its registration is about to expire; and/or
---deregister when it returns home.
The RFC specifies that each mobile node, foreign agent and home agent must be able to support mobility security associations for mobile entities, indexed by a Security Parameter Index (SPI) and an IP address. Registration messages between a mobile node and its home agent must be authenticated with the Mobile-Home Authentication Extension (MN-HA AE). The Mobile-Foreign Authentication Extension (MN-FA AE) between a mobile node and its foreign agent, and the Foreign-Home Authentication Extension (FA-HA AE) between a foreign agent and a home agent, are optional.
Mobile IPv4 in the WiMAX network adopts the RFC 3344 framework, and explicitly requires that in mobile IPv4 the MN-HA AE and FA-HA AE are mandatory while the MN-FA AE is optional.
The MN-HA and MN-FA authentication extension keys (MN-HA Key and MN-FA Key) are derived from the Extended Master Session Key (EMSK) generated by the Extensible Authentication Protocol (EAP) process; the validity period of MN-HA Key and MN-FA Key is therefore the same as that of the EMSK. When an MN accesses the WiMAX network and performs initial EAP authentication or re-authentication, the MN side and the Home Authentication, Authorization and Accounting (HAAA) server side each use the same algorithm and parameters to produce a new EMSK, and from this EMSK generate a new MN-HA Key and a Foreign Agent Root Key (FA-RK, the root key used to produce MN-FA Key). The HAAA sends these keys to the Authenticator in the WiMAX Access Service Network (ASN) in the authorization message. When the MN initiates mobile IP registration at the FA, the FA obtains the mobile IP keys (including MN-HA Key and MN-FA Key) from the Authenticator; after the MN-FA authentication extension is verified, the FA forwards the MN's mobile IP registration request, carrying the MN-HA Key obtained from the Authenticator, to the home agent HA. On receiving the MN's registration request forwarded by the FA, the HA can obtain MN-HA Key from the HAAA again through a RADIUS authentication request and use it to check that the MN-HA Key forwarded by the FA is correct; this ensures that the authentication extension keys of the MN and of the FA/HA are always synchronized.
The FA-HA authentication extension key used by the FA-HA AE (FA-HA Key) is derived from the home agent root key (HA-RK). The HA-RK is a 20-byte random number generated by the HAAA; it has a lifetime, and the HAAA must generate a new HA-RK before that lifetime ends. The WiMAX network working group protocols specify that the FA obtains HA-RK in the authorization message of the MN's initial authentication or re-authentication, while the HA obtains HA-RK in the authorization message of the authentication request it sends to the HAAA when the MN performs mobile IP registration. However, because the MN's initial authentication or re-authentication and its mobile IP registration are not necessarily related, and no mechanism is defined to ensure that HA-RK is updated synchronously at the FA and the HA, there may be periods in which the HA-RK held by the FA and the HA is inconsistent. When the MN then initiates mobile IP registration, verification of the FA-HA authentication extension may fail because the HA-RK held by the FA and the HA differs, and the MN's mobile IP registration fails.
Likewise, if during a user's mobile IP session the HA-RK held by the HA and the FA is inconsistent, then when the HA initiates a mobile IP revocation procedure, the FA fails to verify the FA-HA authentication extension parameters carried in the revocation request, and the mobile IP revocation procedure fails as well.
At present the WiMAX network working group protocols still do not resolve the problem of synchronizing HA-RK between the FA and the HA, and no related patent provides a solution.
Summary of the invention
The technical problem to be solved by the invention is to provide a scheme for synchronizing, between the FA and the HA, the HA-RK used in the mobile IPv4 authentication extensions in the WiMAX network, so as to solve the failure of FA-HA authentication extension verification caused by the FA and the HA holding inconsistent HA-RKs, both in the mobile IP registration procedure initiated by the mobile node and in the mobile IP revocation procedure initiated by the HA.
The invention provides a method of implementing home agent root key synchronization between a home agent and a foreign agent, in which the authentication, authorization and accounting server of the home network maintains the valid synchronization of the home agent root key, comprising the following steps:
(1) when a mobile node performs authentication or re-authentication through the authenticator of the access service network, the authentication, authorization and accounting server of the home network returns, in the authorization message, the mobile IP key information of this mobile node together with the key validity period and the corresponding Security Parameter Index, the key information including the home agent root key;
(2) after the mobile node performs mobile IP registration and establishes a mobile IP session, the authentication, authorization and accounting server of the home network maintains the ongoing mobile IP sessions on the home agent; when the validity period of the home agent root key is about to end, it generates a new home agent root key and validity period according to local policy, and sends a dynamic authorization request message carrying the updated home agent root key to this home agent and to the foreign agent of the access service network associated with this home agent;
(3) when no mobile IP session exists on the home agent, the authentication, authorization and accounting server of the home network stops maintaining the validity period of the home agent root key and deletes the related information.
Further, the key information in step (1) also comprises: the foreign agent root key, the mobile node-home agent authentication extension key, and the key validity period and corresponding Security Parameter Index.
Further, step (1) can be subdivided into:
(11) the mobile node requests access authentication or re-authentication by sending an access request to the authenticator of the access service network, which sends an access request message to the authentication, authorization and accounting server of the home network;
(12) the authentication, authorization and accounting server of the home network judges whether the root key allocated to the home agent of this mobile IP session is valid; if it is invalid, it generates a new home agent root key and resets the corresponding validity period according to local policy;
(13) the authentication, authorization and accounting server of the home network returns an access response message containing the mobile IP key parameters to the authenticator; the mobile IP key parameters include the foreign agent root key and the home agent root key, or the mobile node-home agent authentication extension key, together with the validity period and Security Parameter Index information of the associated keys;
(14) the authenticator confirms the success of the mobile node's authentication or re-authentication according to the access response message returned by the authentication, authorization and accounting server of the home network, sends an authentication response to the mobile node and admits this mobile node to the access service network.
Further, the mobile IP registration and session establishment procedure in step (2) comprises the following steps:
(211) after accessing the service network, the mobile node sends a mobile IP registration request to the foreign agent of the access service network;
(212) the foreign agent obtains the mobile IP authentication key parameters from the authenticator; if it judges that the home agent root key has not expired, it generates the mobile node-foreign agent authentication extension key from the foreign agent root key and the foreign agent-home agent authentication extension key from the home agent root key; after verification with these keys passes, it sends the mobile IP registration request to the corresponding home agent;
(213) on receiving the registration request, the home agent initiates an authentication request to the authentication, authorization and accounting server of the home network, requesting the mobile IP mobile node-home agent authentication extension key and/or the home agent root key;
(214) the authentication, authorization and accounting server of the home network sends the mobile node-home agent authentication extension key and/or home agent root key associated with this mobile node to the home agent in the authentication response;
(215) after verifying the mobile node-home agent authentication extension key and the foreign agent-home agent authentication extension key, the home agent allows the mobile node's registration to succeed and sends a mobile IP registration response message to the foreign agent;
(216) the foreign agent forwards this mobile IP registration response message to the mobile node, and the mobile IP session is established or continued.
Further, step (2) can be subdivided into:
(21) the authentication, authorization and accounting server of the home network maintains the root key of the home agent and, before the validity period of the home agent root key ends, updates the root key and resets the validity period according to local policy;
(22) the authentication, authorization and accounting server of the home network uses a dynamic authorization request message to notify this home agent of the newly generated root key information, and the home agent updates its root key;
(23) after updating successfully, the home agent sends a dynamic authorization response to the authentication, authorization and accounting server of the home network indicating that the update succeeded;
(24) according to the mobile IP session information it caches, the authentication, authorization and accounting server of the home network judges the validity period of the home agent root key at the access service network associated with this home agent and, before that validity period ends, notifies the authenticator of the access service network with an authorization request message to update the home agent root key;
(25) after updating successfully, the authenticator of the access service network sends a dynamic authorization response to the authentication, authorization and accounting server of the home network indicating that the update succeeded.
Further, step (3) specifically comprises:
after the mobile node or the network ends the mobile IP session, and after the authentication, authorization and accounting server of the home network judges that this home agent no longer has any registered mobile IP session, it deletes the locally maintained root key information of this home agent.
Further, the mobile node is a network terminal with or without mobile IP capability.
Further, the access service network is an access network that implements the foreign agent function and the authenticator function and provides access service to mobile nodes; for mobile terminals without mobile IP capability, the access service network provides the proxy mobile IP function.
Further, the authentication request is a Remote Authentication Dial In User Service (RADIUS) authentication request message; the authentication response is a RADIUS authentication response message; the dynamic authorization request is a RADIUS dynamic authorization request; and the dynamic authorization response is a RADIUS dynamic authorization response.
The method of the invention remedies the deficiency of the WiMAX network working group protocols: it clearly describes the synchronization mechanism of the home agent root key, provides a scheme for synchronizing the home agent root key HA-RK used in the mobile IPv4 authentication extensions between the foreign agent and the home agent, and solves the problem that mobile IP registration fails because the foreign agent-home agent (FA-HA) authentication extension cannot be verified when, in some cases, the foreign agent and the home agent hold inconsistent HA-RKs.
Likewise, if during a user's mobile IP session the HA-RK held by the HA and the FA is inconsistent, then when the HA initiates a mobile IP revocation procedure, the FA fails to verify the FA-HA authentication extension parameters carried in the revocation request, and the mobile IP revocation procedure fails as well.
Further, the scheme realized by the invention for synchronizing the HA-RK used in the mobile IPv4 authentication extensions between the foreign agent and the home agent needs no additional equipment; it only requires the mobile IPv4 basic procedure defined by the WiMAX network working group protocols to be modified to support the dynamic authorization (CoA) procedure for updating HA-RK.
Further, the invention only requires the authentication, authorization and accounting server to maintain HA-RK; the authentication, authorization and accounting server decides whether to update HA-RK and notifies the foreign agent and the home agent through dynamic authorization messages. The foreign agent and the home agent only need to add handling of dynamic authorization, which is simple and convenient.
Description of drawings
Fig. 1 is the system architecture diagram of the mobile IPv4 function to which the invention relates;
Fig. 2 is the flow chart of the method by which the authentication, authorization and accounting server generates and pushes the home agent root key in WiMAX mobile IPv4 according to the invention.
Embodiment
The implementation of the technical scheme is described in further detail below with reference to the drawings.
The invention relates to a method of implementing home agent root key synchronization between a home agent and a foreign agent, and in particular to a method by which, during mobile IPv4 access in the Worldwide Interoperability for Microwave Access (WiMAX) communication field, the Authentication, Authorization and Accounting (AAA) server generates the Home Agent Root Key (HA-RK) and pushes it to the Home Agent (HA) with which the terminal registers and to the Foreign Agent (FA).
The method comprises the following steps:
(1) when a mobile node performs authentication or re-authentication through the authenticator of the access service network, the authentication, authorization and accounting server of the home network returns, in the authorization message, the mobile IP key information of this mobile node together with the key validity period and the corresponding Security Parameter Index, the key information including the home agent root key;
(2) after the mobile node performs mobile IP registration and establishes a mobile IP session, the authentication, authorization and accounting server of the home network maintains the ongoing mobile IP sessions on the home agent; when the validity period of the home agent root key is about to end, it generates a new home agent root key and validity period according to local policy, and sends a dynamic authorization request message carrying the updated home agent root key to this home agent and to the foreign agent of the access service network associated with this home agent;
(3) when no mobile IP session exists on the home agent, the authentication, authorization and accounting server of the home network stops maintaining the validity period of the home agent root key and deletes the related information.
The synchronization method of the invention is described below using the system shown in Fig. 1 as an example. Fig. 1 is the system architecture diagram of the mobile IPv4 function to which the invention relates, in which:
Mobile node MN 11: a WiMAX terminal with or without mobile IP capability.
Access service network ASN 12: implements the foreign agent FA function and the authenticator function and provides access service to mobile terminals; for terminals without mobile IP capability the ASN provides the proxy mobile IP function. In the invention, the authenticator sends access authentication/re-authentication requests to the authentication, authorization and accounting server AAA and stores the mobile IP key information authorized by the AAA. The foreign agent FA verifies and forwards the mobile IP registration requests sent by the mobile node MN and, while the terminal is online, maintains its mobile IP related information and mobile IP key validity period information.
Authentication, authorization and accounting server AAA 14: provides authentication, authorization and accounting services for users. On receiving a terminal access request sent by the access server, it authenticates the terminal and grants the corresponding authorization. In the invention, the AAA authorizes the terminal's mobile IP key information at terminal authentication and performs the HA-RK update.
Home agent HA 13: accepts the mobile IP registration requests sent by the access server and returns mobile IP registration responses, cooperating with the access server to provide mobile IP service to mobile terminals.
Fig. 2 is the flow chart of the method by which the authentication, authorization and accounting server generates and pushes the home agent root key in WiMAX mobile IPv4 according to the invention. The specific steps are as follows:
Step 201: the mobile node requests access authentication, or requests re-authentication after having accessed the system;
Step 202: after the access service network authenticator (hereinafter the authenticator) receives the mobile node's access request, it sends an access request message to the authentication, authorization and accounting server AAA;
Step 203: the AAA judges whether the root key to be allocated to the home agent of this mobile IP session is valid (i.e. whether it exists and is within its validity period); if it is invalid, it generates a new home agent root key and resets the validity period according to local policy;
Step 204: the AAA returns an access response message to the Authenticator in the ASN containing the mobile IP key parameters, including the foreign agent root key FA-RK, the home agent root key HA-RK, and the validity period and Security Parameter Index information of the associated keys (FA-RK is derived from the EMSK produced during the authentication process). If this access uses the proxy mobile IP access technology, the message must also carry information such as the authentication extension key MN-HA Key of the mobile node and home agent;
Step 205: according to the response message returned by the AAA, the authenticator judges the mobile node's authentication or re-authentication to have succeeded, sends an authentication response to the mobile node and admits the mobile node to the access service network;
Step 206: after accessing the WiMAX network and receiving a foreign agent advertisement, the mobile node initiates a mobile IP registration request to the foreign agent;
Step 207: the foreign agent obtains the mobile IP authentication key parameters from the authenticator; the authenticator judges that HA-RK has not expired, and the MN-FA Key is generated from FA-RK and the FA-HA Key from HA-RK. The foreign agent verifies that the mobile node's mobile IP registration request is legitimate (including verifying the authentication extension), appends the FA-HA authentication extension parameters and sends the mobile IP registration request to the corresponding home agent;
Step 208: after receiving the mobile IP registration request sent by the foreign agent, the home agent immediately initiates a RADIUS authentication request to the home AAA, requesting the mobile IP MN-HA authentication extension key; if the home agent also needs to obtain the home agent root key HA-RK, it carries a flag requesting it;
Step 209: the home AAA sends the associated keys of this mobile node, including MN-HA Key and related parameters, to the home agent in the RADIUS authentication response; if the home agent requested HA-RK, it also authorizes HA-RK and related parameters in the authentication response;
Step 210: the home agent verifies the MN-HA authentication extension and the FA-HA authentication extension, allows the mobile node's registration to succeed, and sends a mobile IP registration response message to the foreign agent;
Step 211: the foreign agent forwards the mobile IP registration response to the mobile node; at this point the mobile IP session is established or continued;
Step 212: the AAA maintains the root key of this home agent and, before the validity period of the root key ends, decides according to local policy to update the root key and reset the validity period;
Step 213: the AAA uses a RADIUS dynamic authorization (CoA) request message to notify this home agent, which updates the root key;
Step 214: after updating successfully, the home agent sends a dynamic authorization (CoA) response to the AAA indicating that the update succeeded;
Step 215: according to the mobile IP session information it caches, the AAA determines the access service network associated with this home agent and again uses an authorization request (CoA) message to notify the authenticator of the access service network to update the home agent root key;
Step 216: after updating successfully, the authenticator of the service network sends a dynamic authorization (CoA) response to the AAA indicating that the update succeeded;
Step 217: after the terminal or the network ends the mobile IP session, and after the AAA judges that this home agent no longer has any registered mobile IP session, the AAA deletes the locally maintained root key information of this home agent.
The object of the invention is to provide a scheme for synchronizing, between the FA and the HA, the HA-RK used in the mobile IPv4 authentication extensions in the WiMAX network, so as to solve the failure of FA-HA authentication extension verification caused by the FA and the HA holding inconsistent HA-RKs, both in the mobile IP registration procedure initiated by the mobile node and in the mobile IP revocation procedure initiated by the HA, and thereby to improve the updating of the home agent root key in the WiMAX network working group protocols.
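The following Python model is an added illustration and not code from the patent. It walks through the procedure above: the AAA generates a 20-byte HA-RK with a term of validity, pushes renewals by CoA to the HA and its FAs before the key expires (steps 212-216), and deletes the state once the HA has no registered session (step 217). The FA-HA key derivation (HMAC-SHA1 with a fixed label), the simulated clock, the renewal margin and the CoA message shape are assumptions; run with synchronized=False it reproduces the background problem in which only the HA obtains the new HA-RK and the FA-HA extension no longer verifies.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

HA_RK_LEN = 20      # the page: HA-RK is a 20-byte random number generated by the HAAA
RENEW_MARGIN = 10   # assumed local policy: renew this many ticks before the key expires


@dataclass
class HaRk:
    key: bytes
    spi: int          # Security Parameter Index distributed together with the key
    expires_at: int   # end of the key term of validity on a simulated clock


def derive_fa_ha_key(ha_rk: bytes) -> bytes:
    # Assumed derivation (HMAC-SHA1, fixed label); the page only says FA-HA Key comes from HA-RK.
    return hmac.new(ha_rk, b"FA-HA", hashlib.sha1).digest()


def fa_ha_auth_ext(fa_ha_key: bytes, request: bytes) -> bytes:
    # FA-HA authentication extension modelled as an HMAC over the request.
    return hmac.new(fa_ha_key, request, hashlib.sha1).digest()


class Agent:
    """A home agent or foreign agent: holds the HA-RK it was last given."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.ha_rk: Optional[HaRk] = None

    def handle_coa(self, ha_rk: HaRk) -> str:
        # Steps 213-216: a CoA-Request carries the new HA-RK; install it, answer CoA-ACK.
        self.ha_rk = ha_rk
        return "CoA-ACK"

    def sign(self, request: bytes) -> bytes:
        return fa_ha_auth_ext(derive_fa_ha_key(self.ha_rk.key), request)

    def verify(self, request: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.sign(request), tag)


class Aaa:
    """Home AAA server: the only party that generates and maintains HA-RK."""
    def __init__(self) -> None:
        self.now = 0
        self.root_keys: Dict[str, HaRk] = {}     # current HA-RK per home agent
        self.sessions: Dict[str, Set[str]] = {}  # registered MIP sessions per home agent
        self.next_spi = 0x100

    def _fresh(self, lifetime: int) -> HaRk:
        self.next_spi += 1
        return HaRk(os.urandom(HA_RK_LEN), self.next_spi, self.now + lifetime)

    def authorize(self, ha_name: str, lifetime: int) -> HaRk:
        # Steps 203-204 and 208-209: reuse HA-RK while valid, otherwise mint a new one.
        rk = self.root_keys.get(ha_name)
        if rk is None or rk.expires_at <= self.now:
            rk = self._fresh(lifetime)
            self.root_keys[ha_name] = rk
        return rk

    def add_session(self, ha_name: str, mn: str) -> None:
        self.sessions.setdefault(ha_name, set()).add(mn)

    def end_session(self, ha_name: str, mn: str) -> bool:
        # Step 217: once the HA has no registered MIP session, drop its HA-RK state.
        self.sessions.get(ha_name, set()).discard(mn)
        if not self.sessions.get(ha_name):
            self.root_keys.pop(ha_name, None)
            self.sessions.pop(ha_name, None)
            return True
        return False

    def tick(self, ha: Agent, fas: List[Agent], lifetime: int) -> List[str]:
        # Steps 212-216: advance the clock; shortly before expiry, mint a new HA-RK
        # and push it by CoA to the HA and every related FA, collecting their ACKs.
        self.now += 1
        rk = self.root_keys.get(ha.name)
        if rk is None or rk.expires_at - self.now > RENEW_MARGIN:
            return []
        new_rk = self._fresh(lifetime)
        self.root_keys[ha.name] = new_rk
        return [agent.handle_coa(new_rk) for agent in [ha, *fas]]


def simulate(synchronized: bool, lifetime: int = 30) -> dict:
    """One MN registers, HA-RK ages past its lifetime, then the FA-HA extension is
    checked again; synchronized=False reproduces the background problem."""
    aaa, ha, fa = Aaa(), Agent("HA"), Agent("FA")
    fa.handle_coa(aaa.authorize(ha.name, lifetime))   # step 204: HA-RK reaches the ASN/FA
    ha.handle_coa(aaa.authorize(ha.name, lifetime))   # step 209: HA fetches the same HA-RK
    aaa.add_session(ha.name, "MN-1")
    request = b"constructed mobile IP registration request"
    first_ok = ha.verify(request, fa.sign(request))
    acks: List[str] = []
    for _ in range(lifetime + 1):
        if synchronized:
            acks += aaa.tick(ha, [fa], lifetime)
        else:
            aaa.now += 1                                # no CoA pushes: keys drift apart
    if not synchronized:
        ha.handle_coa(aaa.authorize(ha.name, lifetime))  # HA alone refreshes its HA-RK
    second_ok = ha.verify(request, fa.sign(request))
    cleaned = aaa.end_session(ha.name, "MN-1")
    return {"first_ok": first_ok, "second_ok": second_ok,
            "coa_acks": len(acks), "cleaned": cleaned}
```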

Claims (10)

1. A method of implementing home agent root key synchronization between a home agent and a foreign agent, used by the authentication, authorization and accounting server of the home network to maintain effective synchronization of the home agent root key, characterized in that it comprises the steps of:
(1) when a mobile node performs authentication or re-authentication through the authenticator of the access service network, the authentication, authorization and accounting server of the home network returns, in the authorization message, the mobile IP key information of this mobile node together with the key lifetime and the corresponding Security Parameter Index, said key information comprising the home agent root key;
(2) after the mobile node performs mobile IP registration and establishes a mobile IP session, the authentication, authorization and accounting server of the home network maintains the mobile IP session that persists on the home agent; when the lifetime of the home agent root key is about to end, it generates a new home agent root key and lifetime according to local policy and sends a dynamic authorization request message to this home agent and to the foreign agent of the access service network associated with this home agent, in order to update the home agent root key;
(3) when no mobile IP session exists on the home agent, the authentication, authorization and accounting server of the home network stops maintaining the lifetime of the home agent root key and deletes the related information.
2. The method of claim 1, characterized in that the key information in step (1) further comprises: the foreign agent root key, the mobile node-home agent authentication extension key, and the key lifetime and corresponding Security Parameter Index.
3. The method of claim 2, characterized in that step (1) can further be divided into:
(11) the mobile node sends an access request to the authenticator of the access service network to request access authentication or re-authentication, and the authenticator sends an access request message to the authentication, authorization and accounting server of the home network;
(12) the authentication, authorization and accounting server of the home network judges whether the root key allocated to the home agent of this mobile IP session is valid; if it is invalid, it generates a new home agent root key and resets the corresponding lifetime according to local policy;
(13) the authentication, authorization and accounting server of the home network returns to said authenticator an access response message comprising mobile IP key parameters, the mobile IP key parameters comprising the foreign agent root key and the home agent root key, or the mobile node-home agent authentication extension key, together with the lifetime and Security Parameter Index information of the associated keys;
(14) according to the access response message returned by the authentication, authorization and accounting server of the home network, said authenticator confirms that the mobile node's authentication or re-authentication succeeded, sends an authentication response to the mobile node, and admits this mobile node to the access service network.
4. The method of claim 3, characterized in that the mobile IP registration and session establishment process in step (2) comprises the steps of:
(211) after the mobile node has accessed the service network, it sends a mobile IP registration request to the foreign agent of the access service network;
(212) the foreign agent obtains the mobile IP authentication key parameters from the authenticator; when it judges that the home agent root key is not expired, it generates the mobile node-foreign agent authentication extension key from the foreign agent root key and at the same time generates the foreign agent-home agent authentication extension key from the home agent root key; after authentication with each of said keys passes, it sends the mobile IP registration request to the corresponding home agent;
(213) after receiving the registration request, the home agent initiates an authentication request to the authentication, authorization and accounting server of the home network, requesting the mobile IP mobile node-home agent authentication extension key and/or the home agent root key;
(214) the authentication, authorization and accounting server of the home network sends the mobile node-home agent authentication extension key and/or the home agent root key associated with this mobile node to the home agent in an authentication response;
(215) after the home agent has successfully verified the mobile node-home agent authentication extension key and the foreign agent-home agent authentication extension key, it allows this mobile node's registration to succeed and sends a mobile IP registration response message to the foreign agent;
(216) the foreign agent forwards this mobile IP registration response message to the mobile node, and the mobile IP session is established or continued.
5. The method of claim 4, characterized in that step (2) can further be divided into:
(21) the authentication, authorization and accounting server of the home network maintains the root key of the home agent and, before the lifetime of this home agent root key ends, updates the root key and resets the lifetime according to local policy;
(22) the authentication, authorization and accounting server of the home network uses a dynamic authorization request message to notify this home agent of the newly generated root key information, so that the root key is updated;
(23) after the home agent has updated successfully, it sends a dynamic authorization reply to the authentication, authorization and accounting server of the home network indicating that the update succeeded;
(24) according to the mobile IP session information it has cached, the authentication, authorization and accounting server of the home network judges the lifetime of the home agent root key at the access service network associated with this home agent and, before that lifetime ends, uses a dynamic authorization request message to notify the authenticator of the access service network to update the home agent root key;
(25) after the authenticator of the access service network has updated successfully, it sends a dynamic authorization reply to the authentication, authorization and accounting server of the home network indicating that the update succeeded.
6. The method of claim 1 or claim 5, characterized in that said step (3) specifically comprises:
after the mobile node or the network terminates the mobile IP session, and after the authentication, authorization and accounting server of the home network judges that this home agent no longer has any registered mobile IP session, it deletes the locally maintained root key information related to this home agent.
7. The method of claim 1, characterized in that said mobile node is a network terminal with or without mobile IP capability.
8. The method of claim 7, characterized in that said access service network is an access network that implements the foreign agent function and the authenticator function and is used to provide access service to the mobile node; for a mobile terminal without mobile IP capability, the proxy mobile IP function is provided by this access service network.
9. The method of claim 4, characterized in that:
said authentication request is a Remote Authentication Dial-In User Service (RADIUS) authentication request message;
said authentication response is a RADIUS authentication response message;
said dynamic authorization request is a RADIUS dynamic authorization request.
10. The method of claim 1, characterized in that:
said dynamic authorization request is a RADIUS dynamic authorization request.
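The HA-RK life cycle of claims 1 and 5 (the home AAA server owning the key and its lifetime, rekeying before expiry, pushing the new key to HA and FA by dynamic authorization, and deleting the state once no session remains) together with the failure mode of steps (212) and (215), as an added Python simulation that is not part of the patent. The FA-HA key derivation layout, the addresses, lifetimes, message names and the `Agent`/`HomeAAA` classes are assumptions made for this example.

```python
import hashlib, hmac, os

HA_IP, FA_IP = "10.0.0.1", "10.0.1.1"   # constructed sample addresses

def fa_ha_key(ha_rk, spi):
    # FA-HA authentication-extension key derived from HA-RK. The input layout
    # (label | HA IP | FA IP | SPI) is an assumed simplification.
    msg = b"FA-HA" + HA_IP.encode() + FA_IP.encode() + spi.to_bytes(4, "big")
    return hmac.new(ha_rk, msg, hashlib.sha1).digest()

class Agent:
    """An HA, or an FA/authenticator, holding its copy of (HA-RK, SPI, expiry)."""
    def __init__(self):
        self.ha_rk, self.spi, self.expiry = None, None, 0
    def coa_update(self, ha_rk, spi, expiry):
        # Claim 5, steps (22)-(25): apply a dynamic authorization (CoA) request.
        self.ha_rk, self.spi, self.expiry = ha_rk, spi, expiry
        return "CoA-ACK"

class HomeAAA:
    """Home AAA server: the only element that owns HA-RK and its lifetime."""
    LIFETIME, REFRESH_MARGIN = 3600, 300     # seconds, assumed local policy
    def __init__(self, ha, fa):
        self.ha, self.fa, self.sessions, self.ctx = ha, fa, 0, None
    def issue(self, now):
        # Steps (12)/(21): fresh HA-RK and SPI, lifetime reset per local policy.
        spi = int.from_bytes(os.urandom(4), "big")
        self.ctx = (os.urandom(20), spi, now + self.LIFETIME)
        return self.ctx
    def maintain(self, now):
        # Claim 1, steps (2) and (3), run periodically by the AAA server.
        if self.sessions == 0:
            self.ctx = None          # no MIP session left: drop HA-RK state
            return "deleted"
        if self.ctx is None or self.ctx[2] - now <= self.REFRESH_MARGIN:
            self.issue(now)          # lifetime about to end: rekey, then push
            acks = [a.coa_update(*self.ctx) for a in (self.ha, self.fa)]
            return "pushed" if acks == ["CoA-ACK"] * 2 else "failed"
        return "ok"

def registration_passes(fa, ha, now, rrq=b"MIP RRQ (constructed)"):
    # Step (212): FA rejects a missing/expired HA-RK, else builds the FA-HA
    # extension; step (215): HA verifies it with its own HA-RK. Any mismatch
    # between the two copies is exactly the registration failure the patent fixes.
    if None in (fa.ha_rk, ha.ha_rk) or fa.expiry <= now:
        return False
    ext = hmac.new(fa_ha_key(fa.ha_rk, fa.spi), rrq, hashlib.sha1).digest()
    want = hmac.new(fa_ha_key(ha.ha_rk, ha.spi), rrq, hashlib.sha1).digest()
    return hmac.compare_digest(ext, want)
```

Running `maintain()` on a schedule with one `Agent` for the HA and one for the FA reproduces the three outcomes of claim 1: no change while the key is fresh, a CoA push to both agents shortly before expiry, and deletion of the HA-RK context once the session count reaches zero.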
CN2007101451592A 2007-08-23 2007-08-23 Method of implementing home agent root key synchronization between home agent and foreign agent Expired - Fee Related CN101119594B (en)

Publications (2)

Publication Number Publication Date
CN101119594A CN101119594A (en) 2008-02-06
CN101119594B true CN101119594B (en) 2012-03-07

Family

ID=39055474

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: NANTONG WELL ELECTRIC MOTOR CO., LTD.

Free format text: FORMER OWNER: ZTE CORPORATION

Effective date: 20141106

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 518057 SHENZHEN, GUANGDONG PROVINCE TO: 226000 NANTONG, JIANGSU PROVINCE

TR01 Transfer of patent right

Effective date of registration: 20141106

Address after: 226000 No. 885, Qingdao Road, Nantong hi tech Industrial Development Zone, Nantong, Jiangsu, Tongzhou District

Patentee after: Nantong Well Electric Moto Co., Ltd.

Address before: 518057 Nanshan District high tech Industrial Park, Guangdong, South Road, science and technology, ZTE building, legal department

Patentee before: ZTE Corporation

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120307

Termination date: 20160823