CN101192922B - A method for establishing secure channel between both communication parties - Google Patents


Info

Publication number
CN101192922B
Authority
CN
Grant status
Grant
Prior art keywords
security
communication
level
parameters
transmit
Application number
CN 200610156927
Other languages
Chinese (zh)
Other versions
CN101192922A (en )
Inventor
何兴高
傅翀
刘勇
刘红军
吴晨
孟宪民
秦志光
Original Assignee
中兴通讯股份有限公司


Abstract

The invention relates to a method for establishing a secure channel between two communicating parties. A security policy server is arranged to store security policy description information; both parties carry out maintenance operations on that description information; the transmitting side selects a communication security level together with the algorithm and parameters corresponding to that level and sends them; the receiving side checks the security level, algorithm and parameters, and if they exist in the list of security levels, algorithms and parameters it supports, the secure channel between the two sides is established on that basis. Otherwise, if the transmitting side's negotiation flag permits negotiation, the receiving side sends its security policy description information to the transmitting side, which selects a commonly supported security level, algorithm and parameters from that description and establishes the secure channel on that basis. The invention solves the problem that communication is forced to proceed without security protection when the receiving side cannot meet the transmitting side's security requirement, lowers the probability of negotiation failure and improves communication efficiency.

Description

A method for establishing a secure channel between two communicating parties

Technical field

[0001] The present invention applies to the fields of mobile communications and information security, and specifically relates to a method for establishing a secure channel between two communicating parties by means of a security negotiation mechanism.

Background

[0002] Patent CN 1764195A proposes a security-level negotiation method for non-peer entities: using the sender's identity information held by the receiver, the two parties first authenticate each other and then negotiate security parameters, making full use of the session key produced during mutual authentication between user and network to protect the negotiated security parameters. The security-level negotiation method proposed in patent CN 1764196A is an improvement to the SIP protocol; the improvement lies mainly in the second step of the security negotiation, where the receiver selects the highest security level jointly supported with the sender and sends it to the sender. This removes the ambiguity that may arise in SIP security-level negotiation, requires no security assumptions about the negotiating parties, and applies to both peer and non-peer negotiation. Patent CN 1728632A proposes a method and system for security-level handshake negotiation in which a security-level description layer and a security-level negotiation layer are provided in the mobile terminal and the server respectively, and the level description information is carried in the existing handshake signalling of the security protocol, avoiding the potential security threat of adding separate security-level description signalling.
Patent CN 1773904A proposes a general security-level negotiation method: first, the initiator sends its selected security level to the called party; second, the two parties negotiate the security algorithm with the best security performance that both support at the specified level; third, the parties establish a secure channel using the negotiated algorithm.

[0003] In a single security negotiation under the above patents, if the two parties have no jointly supported security level or security algorithm, the negotiation fails and the communication cannot use any security protection. Although patent CN1773904A proposes selecting the highest security-level algorithm jointly supported by both parties, the initiative lies with the receiver, which in many situations cannot satisfy the communication's security needs. In most cases only the initiator of the communication knows the content of the communication and what degree of protection it needs; when the receiver does not support the security algorithm and parameters chosen by the initiator, it is therefore necessary for the initiator to select, according to the content of the communication, a security algorithm and parameters that the receiver also supports in order to protect the communication.

Summary of the invention

[0004] The object of the present invention is to address the problems of the prior art by proposing a new method for a secure communication channel: where security negotiation is permitted, the two communicating parties negotiate a jointly supported security algorithm and parameters and, by executing that algorithm with those parameters, establish a secure channel between them.

[0005] In the method of the present invention for establishing a secure channel between two communicating parties, a security policy server is provided to store security policy description information, comprising the security levels and, for each security level, the list of corresponding security algorithms and parameters. The two parties establish the secure channel by the following steps:

[0006] Step one: both parties perform maintenance operations on the security policy description information;

[0007] Step two: the sender selects a communication security level with its corresponding algorithm and parameters and sends them to the receiver;

[0008] Step three: the receiver checks the security level, algorithm and parameters; if they are in the list of security levels, algorithms and parameters it supports, the secure channel between the parties is established on that basis and the method proceeds to step four. Otherwise the receiver examines the sender's negotiation flag: if the flag permits negotiation, the method proceeds to step six; if negotiation is not permitted, the negotiation fails;

[0009] Step four: the receiver returns, over the established secure channel, the security level, algorithm and parameters it received from the sender;

[0010] Step five: the sender verifies the information returned by the receiver; if verification succeeds, the secure channel is successfully established, otherwise the negotiation fails;

[0011] Step six: the receiver sends its security policy description information to the sender;

[0012] Step seven: from the information sent by the receiver, the sender selects a security level, algorithm and parameters that both parties' security policy descriptions support, establishes a secure channel on that basis, and returns the receiver's security level, algorithm and parameters over that channel;

[0013] Step eight: the receiver verifies the information returned by the sender; if verification succeeds, the secure channel is successfully established, otherwise the negotiation fails.

[0014] In the present invention the two parties may share one security policy server or each use their own security policy server. [0015] In the present invention, the security policy information inside the security policy server divides security into n security levels {L1, L2, …, Ln} (n ≥ 1) according to security needs, where security level Li (1 ≤ i ≤ n) comprises m security algorithms {A1, A2, …, Am} (m ≥ 1).

[0016] Inside a mobile terminal the security levels are likewise divided into n security levels {L1, L2, …, Ln} (n ≥ 1), where the security algorithms included under level Li (1 ≤ i ≤ n) are {Aj | Aj ∈ (A1, A2, …, Am)} (m ≥ 1, 1 ≤ j ≤ m); when the terminal does not support a given security level, the security algorithm set corresponding to that level is the empty set { }. [0017] In the present invention, the maintenance operation on the security policy description information in step one means making each party's security policy description consistent with the configuration of the security policy server; if one party's security policy description has expired, that description is updated.

[0018] In step seven of the present invention, if the sender finds that the security levels and algorithms supported by the receiver do not meet its security needs, it abandons the security negotiation and the negotiation fails.

[0019] The security negotiation scheme of the present invention solves the problem that, within a single negotiation, the communication is forced to proceed without security protection when the receiver cannot meet the initiator's security needs: according to the initiator's negotiation flag, the receiver can negotiate security parameters further with the initiator, and the initiator finally selects a security level that both parties support. By configuring the negotiation flag flexibly, the end user gains more flexible and varied security services, while the probability of negotiation failure and the number of times the user must reselect a security service are reduced, improving communication efficiency to some degree.

Brief description of the drawings

[0020] Fig. 1 is a structural diagram of the general security policy information inside the policy server;

[0021] Fig. 2 is a structural diagram of the security policy information inside a mobile terminal;

[0022] Fig. 3 is a flowchart of a secure channel established successfully after a single security negotiation;

[0023] Fig. 4 is a flowchart of a secure channel established by a second negotiation where both parties share a security policy server;

[0024] Fig. 5 is a flowchart of a secure channel established by a second negotiation where each party has its own security policy server.

Detailed description

[0025] The summary of the invention above introduced the steps of the present invention, covering establishment of a secure channel after a single negotiation and after a second negotiation. The following embodiments describe the single-negotiation and second-negotiation cases, and the cases where the two parties share a security policy server or each use their own.

[0026] Fig. 1 is a structural diagram of the general security policy information inside the policy server. In this embodiment the security levels are divided into n different levels according to security needs, each level providing security protection of a different strength. A given level k in turn comprises the mk (1 ≤ mk, 1 ≤ k ≤ n) security algorithms corresponding to that level. In this description scheme the security administrator divides security services into n levels {L1, L2, …, Ln} (1 ≤ n) according to security needs. Level L2, for example, comprises m2 different security algorithms {21, 22, …, 2m2} (1 ≤ m2), and the other n−1 security levels are described in the same way.

[0027] Fig. 2 is a structural diagram of the security policy information inside a particular mobile terminal. Its structure is essentially the same as that of the general security policy inside the policy server; the difference is that the security algorithms supported by this particular terminal are a subset of the algorithms inside the policy server. The division into security service levels is the same as in the general security policy, that is, n security levels {L1, L2, …, Ln} (1 ≤ n). Under a given security level, however, owing to the terminal's limitations, the algorithms it supports are a subset of those described by the policy server; for example, for security level L1 this terminal contains only the algorithms {1i, 1j, …, 1k} (i ≠ j ≠ k, 1 ≤ i, j, k ≤ m1), where m1 is the total number of security algorithms the policy server's general policy includes at that level. Note that when a terminal does not support a security level, it includes no security algorithm for that level, that is, its algorithm set is empty { }.

[0028] Fig. 3 is a flowchart of a secure channel successfully established after only one security negotiation. In this flow the receiver can support the security algorithm selected by the sender, so the negotiation flag plays no part. The communication proceeds as follows:

[0029] (1) The sender and receiver perform security policy maintenance;

[0030] (2) The sender sends its selected security level, algorithm and parameters to the receiver;

[0031] (3) The receiver checks the security level, algorithm and parameters it received from the sender; if it can support all of the algorithms and parameters, negotiation succeeds and the secure communication channel between the parties is established (otherwise it examines the sender's negotiation flag; that flow is described in the further example of Fig. 4);

[0032] (4) The receiver returns the sender's selected security level, algorithm and parameters over the secure communication channel;
[0033] (5) After confirming that the security level, algorithm and parameters it selected in step (2) have not been tampered with, the sender confirms that the negotiation succeeded (otherwise the negotiation fails).

[0034] Fig. 4 is a flowchart of a secure channel established only after a second negotiation between sender and receiver. Here the negotiation flag comes into play: the sending user sets its negotiation flag to permit negotiation, so that if the security algorithms supported by the two parties do not match, they can renegotiate the security algorithm and parameters. The flow is as follows:
[0035] (1) The sender and receiver perform security policy maintenance;

[0036] (2) The sender sends its selected security level, algorithm and parameters to the receiver;

[0037] (3) The receiver checks the security level, algorithm and parameters it received, finds that it cannot support them, then examines the sender's negotiation flag, finds that negotiation is permitted, and returns the list of security levels, algorithms and parameters it supports (that is, the receiver's security policy description information) to the sender (if the negotiation flag does not permit negotiation, the negotiation fails);

[0038] (4) From the information returned by the receiver, the sender selects a security level, algorithm and parameters that both parties support, establishes a secure channel on that basis, and returns the receiver's security policy information over that secure channel;
[0039] (5) After confirming that the security policy information it sent in step (3) has not been tampered with, the receiver confirms that the negotiation succeeded; otherwise the negotiation fails.

[0040] The security negotiation flow of Fig. 5 is the same as that of Fig. 4; the difference is that in the network architecture of Fig. 5 the two parties using the security service each have their own policy server to maintain the security policy, shown in Fig. 5 as policy server A and policy server B. No security parameters are negotiated between the two policy servers, but their security policies or databases must be synchronised so that both parties hold a common description of the security policy and the security parameter negotiation can proceed smoothly.
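To make the eight-step procedure of the summary and the Fig. 3 and Fig. 4 flows concrete, the following Python simulation is an added example written for this page, not code from the patent or its assignee; the level and algorithm names, the LEVEL_RANK ordering, the Terminal class with its min_level field, and the tamper hook are assumptions. It runs the single-negotiation case, the second negotiation, the step 7 give-up case and the step 5 integrity check.

```python
# Added example, not code from the patent or its assignee. Level/algorithm names,
# LEVEL_RANK, the Terminal class, min_level and the tamper hook are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

Policy = Dict[str, Set[str]]      # security level -> algorithms supported at that level
Selection = Tuple[str, str]       # (level, algorithm); the parameter list is omitted here

# Constructed policy-server description (Fig. 1): n = 3 levels, each with its algorithm list.
SERVER_POLICY: Policy = {"L1": {"A1", "A2", "A3"}, "L2": {"A2", "A3"}, "L3": {"A3"}}
LEVEL_RANK = {"L1": 1, "L2": 2, "L3": 3}   # assumption: a higher index is a stronger level


@dataclass
class Terminal:
    name: str
    policy: Policy                    # per-level subset of the server's algorithms (Fig. 2)
    allow_negotiation: bool = False   # the negotiation flag the sender carries
    min_level: str = "L1"             # weakest level this party accepts as sender (step 7 check)

    def maintain(self, server: Policy) -> None:
        """Step 1: make the terminal's description consistent with the policy server.
        Algorithms the server no longer lists are dropped; an unsupported level becomes {}."""
        self.policy = {lvl: self.policy.get(lvl, set()) & algs for lvl, algs in server.items()}

    def supports(self, sel: Selection) -> bool:
        level, alg = sel
        return alg in self.policy.get(level, set())

    def choose_common(self, offered: Policy) -> Optional[Selection]:
        """Step 7: strongest level both sides support that still meets min_level, else None."""
        for lvl in sorted(offered, key=LEVEL_RANK.get, reverse=True):
            if LEVEL_RANK[lvl] < LEVEL_RANK[self.min_level]:
                break                 # everything weaker fails the sender's need: give up
            common = sorted(self.policy.get(lvl, set()) & offered[lvl])
            if common:
                return (lvl, common[0])
        return None


def negotiate(sender: Terminal, receiver: Terminal, proposal: Selection,
              tamper: Optional[Callable] = None) -> Tuple[bool, Optional[Selection], str]:
    """Steps 2 to 8. `tamper` is a constructed hook that alters the copy echoed back,
    used to show what the verification in steps 5 and 8 catches."""
    # Steps 2/3: the sender proposes; the receiver checks against its own list.
    if receiver.supports(proposal):
        # Step 4: the receiver returns the proposal over the new channel; step 5: sender verifies.
        echo = tamper(proposal) if tamper else proposal
        if echo != proposal:
            return False, None, "step 5: echoed selection differs from the proposal"
        return True, proposal, "established after a single negotiation (Fig. 3)"
    if not sender.allow_negotiation:
        return False, None, "step 3: proposal unsupported and negotiation flag not set"
    # Step 6: the receiver sends its whole policy description to the sender.
    offered: Policy = {lvl: set(algs) for lvl, algs in receiver.policy.items() if algs}
    # Step 7: the sender picks a jointly supported level/algorithm or abandons the negotiation.
    choice = sender.choose_common(offered)
    if choice is None:
        return False, None, "step 7: receiver's support does not meet the sender's need"
    # The sender returns the receiver's description over the channel; step 8: receiver verifies.
    returned = tamper(offered) if tamper else offered
    if returned != offered:
        return False, None, "step 8: returned policy differs from what the receiver sent"
    return True, choice, "established after a second negotiation (Fig. 4)"


def demo() -> Dict[str, Tuple[bool, Optional[Selection], str]]:
    """Constructed scenarios; returns each outcome keyed by scenario name."""
    alice = Terminal("alice", {"L1": {"A1", "A2"}, "L2": {"A2", "A3"}, "L3": {"A3"}}, True, "L2")
    bob = Terminal("bob", {"L1": {"A1", "A2"}, "L2": {"A2"}, "L3": set()})   # bob lacks L3
    for t in (alice, bob):
        t.maintain(SERVER_POLICY)
    return {
        "one_pass": negotiate(alice, bob, ("L2", "A2")),
        "two_pass": negotiate(alice, bob, ("L3", "A3")),            # bob cannot do L3: renegotiate
        "flag_off": negotiate(Terminal("carol", alice.policy, False), bob, ("L3", "A3")),
        "too_weak": negotiate(Terminal("dave", alice.policy, True, "L3"), bob, ("L3", "A3")),
        "tampered": negotiate(alice, bob, ("L2", "A2"), tamper=lambda m: ("L1", "A1")),
    }


if __name__ == "__main__":
    for name, (ok, sel, why) in demo().items():
        print(f"{name:9s} ok={ok} selection={sel} ({why})")
```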

Claims (6)

  1. A method for establishing a secure channel between two communicating parties, wherein a security policy server is provided to store security policy description information comprising security levels and, for each security level, a list of corresponding security algorithms and parameters, and the two parties establish the secure channel by the following steps: step one, both parties perform maintenance operations on the security policy description information; step two, the sender selects a communication security level with its corresponding algorithm and parameters and sends them to the receiver; step three, the receiver checks the security level, algorithm and parameters, and if they are in the list of security levels, algorithms and parameters it supports, the secure channel between the parties is established on that basis and the method proceeds to step four; otherwise the receiver examines the sender's negotiation flag, and if the flag permits negotiation the method proceeds to step six, while if negotiation is not permitted the negotiation fails; step four, the receiver returns, over the established secure channel, the security level, algorithm and parameters it received from the sender; step five, the sender verifies the information returned by the receiver, and if verification succeeds the secure channel is successfully established, otherwise the negotiation fails; step six, the receiver sends its security policy description information to the sender; step seven, from the information sent by the receiver, the sender selects a security level, algorithm and parameters that both parties' security policy descriptions support, establishes a secure channel on that basis, and returns the receiver's security level, algorithm and parameters over that channel; step eight, the receiver verifies the information returned by the sender, and if verification succeeds the secure channel is successfully established, otherwise the negotiation fails.
  2. The method for establishing a secure channel between two communicating parties according to claim 1, characterised in that the two parties share one security policy server or each use their own security policy server.
  3. The method for establishing a secure channel between two communicating parties according to claim 1, characterised in that, inside the security policy server, the security levels are divided according to security needs into n security levels {L1, L2, …, Ln}, where n is greater than or equal to 1, and each security level comprises m security algorithms {A1, A2, …, Am}, where m is greater than or equal to 1.
  4. The method for establishing a secure channel between two communicating parties according to claim 1, characterised in that, inside the mobile terminal, the security levels are divided into n security levels {L1, L2, …, Ln}, where n is greater than or equal to 1, and the security algorithms included under each security level are {Aj | Aj ∈ (A1, A2, …, Am)}, where m is greater than or equal to 1 and j is greater than or equal to 1 and less than or equal to m; when the mobile terminal does not support a security level, the security algorithm set corresponding to that level is empty { }.
  5. The method for establishing a secure channel between two communicating parties according to any one of claims 1 to 4, characterised in that the maintenance operation on the security policy description information in step one means making each party's security policy description information consistent with the configuration of the security policy server, and if one party's security policy description information has expired, updating that description.
  6. The method for establishing a secure channel between two communicating parties according to any one of claims 1 to 4, characterised in that, in step seven, if the sender finds that the security levels and algorithms supported by the receiver do not meet its security needs, it abandons the security negotiation operation and the negotiation fails.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200610156927 CN101192922B (en) 2006-11-17 2006-11-17 A method for establishing secure channel between both communication parties


Publications (2)

Publication Number Publication Date
CN101192922A true CN101192922A (en) 2008-06-04
CN101192922B true CN101192922B (en) 2010-05-19

Family

ID=39487697


Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2957437B1 (en) * 2010-03-09 2012-03-30 Proton World Int Nv Protection against diversion of a communication channel of an NFC system
CN102223355B (en) * 2010-04-19 2015-09-16 中兴通讯股份有限公司 A secure communication apparatus and method for negotiating

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5784566A (en) 1996-01-11 1998-07-21 Oracle Corporation System and method for negotiating security services and algorithms for communication across a computer network
CN1764196A (en) 2005-11-15 2006-04-26 中兴通讯股份有限公司 Safety grade arranging method
CN1773904A (en) 2004-11-08 2006-05-17 中兴通讯股份有限公司 Universal safety grade consulting method


