CN101192922B - A method for establishing secure channel between both communication parties - Google Patents
A method for establishing secure channel between both communication parties Download PDFInfo
- Publication number
- CN101192922B CN101192922B CN200610156927A CN200610156927A CN101192922B CN 101192922 B CN101192922 B CN 101192922B CN 200610156927 A CN200610156927 A CN 200610156927A CN 200610156927 A CN200610156927 A CN 200610156927A CN 101192922 B CN101192922 B CN 101192922B
- Authority
- CN
- China
- Prior art keywords
- security
- algorithm
- safe
- safe class
- recipient
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Abstract
The invention relates to a method for establishing a security channel between both communication sides. A security policy server is arranged to store the description information of the security policy; both communication sides carry out the maintenance operation to the description information of the security policy; a transmit leg selects and sends the communication security level and the algorithm and parameters to which the communication security level corresponds; a receiving side checks the security level, the algorithm and the parameters; if the security level, the algorithm and the parameters exist in a list of the security level, algorithm and parameters supported by the receiving side, then the security channel for both sides is established based on this, otherwise, if the agreement flag of the transmit leg is allowable for agreement, the receiving side sends the description information of the security policy to the transmit leg; the transmit leg selects the commonly supported security level, algorithm and parameters in the description information of the security policy so as to establish the security channel based on this. The invention solves the problem that the security protection is forced to be unused for the communication when the receiving side for communication can not meet the demand for security of the transmit leg for communication, lowers the probability of the negotiation failure and enhances the communication efficiency.
Description
Technical field
The present invention is applicable to mobile communication and information security field, is specifically related to a kind of method of setting up safe lane between communicating pair by security negotiation mechanism.
Background technology
Patent CN 1764195A has proposed a kind of asymmetrical entity safety grade negotiation method; utilize the identity information of the originating party that the debit grasps; both sides are carried out authentication earlier consult security parameter again, make full use of the session key protection security negotiation parameter that produces in user and the network mutual authentication process simultaneously.The safety grade arranging method that patent CN 1764196A proposes is the improvement to Session Initiation Protocol, the concrete improvement in second step that is mainly reflected in security negotiation, the recipient select with the common safe class of supporting of transmit leg in high safety grade send to transmit leg, eliminated the ambiguity problem that may run into during the SIP safe class is consulted like this, do not need safe hypothesis to consulting both sides, can be applicable to the occasion of peer negotiation and asymmetrical negotiation.Patent CN 1728632A has proposed a kind of method and system of safe class hand shaking, safe class is described layer and safe class is consulted layer by being respectively arranged with in portable terminal and server, utilize the original signaling of shaking hands of security protocol to carry descriptive grade information, avoided the increase safe class to describe signaling and brought potential security threat.Patent CN 1773904A has proposed the machinery of consultation of a kind of universal safety grade: the first step, and the initiator sends to the callee with the safe class of its selection; In second step, both sides negotiate and specify the common best security algorithm of security performance of supporting under the safe class; The 3rd step, the security algorithm that goes out through consultation, both sides set up safe lane.
In the once safety of above patent is consulted; if when uncommon safe class of supporting of both sides or security algorithm; security negotiation is this time just failed; communication process can't use any safeguard protection; although patent CN1773904A has proposed to select the common high safety grade algorithm of supporting of both sides; but its initiative is grasped the communication receiver, can't satisfy the communication security needs under multiple situation.In most of the cases; the safeguard protection that only has the communication initiator to know Content of Communication and need what degree; yet; when the communication receiver does not support security algorithm that the communication initiator selects and parameter; the communication initiator selects one to be necessary with common security algorithm of supporting of communication receiver and parameter guarantee communication security according to Content of Communication.
Summary of the invention
The objective of the invention is the problem that exists at prior art, propose a kind of method of new secure communication channel, under the situation that allows security negotiation,, make communicating pair can negotiate the security algorithm and the parameter of common support by security negotiation.By execution, set up a safe lane between communicating pair to security algorithm and parameter.
A kind of method of between communicating pair, setting up safe lane of the present invention, Security Policy Server is set deposits the security strategy descriptor, comprise security algorithm and parameter list corresponding under safe class and each safe class, communicating pair is set up safe lane according to the following steps:
The first step, communicating pair carries out attended operation to the security strategy descriptor;
In second step, sender-selected communication security grade and corresponding algorithm thereof and parameter are issued the recipient;
In the 3rd step, recipient's verification safe class and algorithm and parameter if in the safe class and algorithm and parameter list of its support, then set up both sides' safe lane with this, entered for the 4th step; Otherwise the recipient checks the negotiation sign of transmit leg, allows to consult if transmit leg is consulted to be masked as, and then enters step 6; If do not allow to consult, consult failure;
In the 4th step, the safe lane of recipient by setting up returns sender-selected safe class and algorithm and the parameter received;
In the 5th step, transmit leg carries out verification to recipient's return information, and as verification succeeds, safe lane is successfully set up; Otherwise, consult failure;
In the 6th step, the recipient sends to transmit leg with its security strategy descriptor;
The 7th step, the information that transmit leg sends according to the recipient is selected common safe class and algorithm and the parameter of supporting from their security strategy descriptor, set up safe lane with this, and, return recipient's safe class and algorithm and parameter by this safe lane;
In the 8th step, the recipient carries out verification to the return information of transmit leg, and as verification succeeds, safe lane is successfully set up; Otherwise, consult failure.
Communicating pair can a shared Security Policy Server or each is with a Security Policy Server among the present invention.
In the security policy information of Security Policy Server device inside, safe class is divided into { L1, L2 among the present invention according to security needs,, Ln} (n 〉=a 1) n safe class, wherein Li (1≤i≤n) comprise { A1 under the safe class, A2 ..., Am} (m 〉=a 1) m security algorithm.
In portable terminal inside, its safe class be divided into L1, L2 ..., Ln} (n 〉=a 1) n safe class, wherein Li (security algorithm that comprises under the safe class of 1≤i≤n) have Aj|Aj ∈ (A1, A2 ..., Am) } (m 〉=1,1≤j≤m); When this portable terminal was not supported a certain safe class, security algorithm corresponding under this safe class was { Φ }.
It is to instigate the security policy information of communicating pair to be described and the Security Policy Server configuration consistency that security strategy descriptor in the first step is in the present invention carried out attended operation, if it is expired that side's security policy information is described, then its security policy information is described and upgraded.
In the 7th step of the present invention, if when transmit leg finds that safe class that the recipient supports and algorithm do not reach security needs, abandon the security negotiation operation, consult failure.
Adopt security negotiation mode of the present invention; solved in a negotiations process; when the communication receiver can not satisfy communication initiator's demand for security; communication be forced to can not protection safe in utilization problem; communications reception can further be carried out the negotiation of security parameter according to communication initiator's security negotiation sign and communication initiator, finally selects the common safe class of supporting of both sides by the communication initiator.The terminal use has improved the mobility and the diversity of security service by being configured consulting sign neatly, simultaneously, reduced the negotiation failed probability, has reduced the number of times that the user reselects security service, to a certain degree having improved communication efficiency.
Description of drawings
Fig. 1 is the communication security policy information structure diagram of strategic server inside;
Fig. 2 is the security policy information structure chart of portable terminal inside;
Fig. 3 be through once safety consult successfully to set up safe lane flow chart;
Fig. 4 is the flow chart of the shared Security Policy Server secondary of both sides negotiation to establish safety channel;
Fig. 5 is the flow chart that both sides respectively have a Security Policy Server secondary negotiation to establish safety channel.
Embodiment
In summary of the invention of the present invention, step of the present invention is introduced, comprised the situation of once negotiation and secondary negotiation to establish safety channel.Below embodiment will to once consult, secondary negotiation to establish safety channel, and the shared Security Policy Server of communicating pair, be introduced with branch different situations such as Security Policy Servers respectively.
Fig. 1 is the communication security policy information structure diagram in strategic server inside.In this embodiment, the safe class quilt is divided into a different n grade according to security needs, and each safe class can provide security performance different safeguard protections.Under concrete some grades, corresponding mk (1≤mk, the individual security algorithm of 1≤k≤n) have been comprised under this grade again.Under this describing mode, the safety officer is divided into security service in the different n grade according to security needs---and L1, L2 ..., Ln} (1≤n).Under L2, comprised a different m2 security algorithm again---21,22 ..., 2m2} (1≤m2).Similarly, this security strategy describing mode also has similar description to other n-1 safe class.
Fig. 2 is the security policy information structure chart in a certain specific portable terminal inside.This frame mode is also basic identical with the organizational form of the communication security policy of strategic server inside, and different is that the security algorithm that this specific portable terminal is supported is a subclass of strategic server internal security algorithm.Grade classification to security service is identical with the division of communication security policy, promptly is divided into n safe class---and L1, L2 ..., Ln} (1≤n).But under a certain specific safe class, because the limitation of portable terminal, the security algorithm of its support is a subclass of the described security algorithm of strategic server, as this specific portable terminal for safe class L1, it only comprises security algorithm { 1i, 1j ..., 1k} (i ≠ j ≠ k, 1≤i, j, k≤m1), ml wherein is the security algorithm sum that the communication security policy of strategic server inside comprises under this grade.It is pointed out that when a certain portable terminal is not supported this safe class, just do not comprise security algorithm corresponding under this safe class, promptly comprise algorithm and be empty { Φ }.
Fig. 3 is a flow chart of only consulting promptly successfully to set up safe lane through once safety.Consult in the flow process at this, can support sender-selected security algorithm owing to receive, therefore consult sign and do not play a role, concrete communication process is as follows:
(1) transmit leg and recipient carry out the security strategy maintenance;
(2) transmit leg sends to the recipient with the safe class of its selection and algorithm, parameter;
(3) recipient carries out verification to the sender-selected safe class that receives and algorithm, parameter, if it can support wherein all algorithms, parameter, then consults successfully, sets up both sides' secure communication channel; (otherwise, check transmit leg negotiation sign, introduce in another example that flow process is introduced in Fig. 4)
(4) recipient returns the sender-selected safe class received and algorithm, parameter by secure communication channel;
(5) transmit leg is confirmed to consult successfully after confirming that safe class that step (2) is selected and algorithm, parameter are not distorted.(otherwise, consult failure).
Fig. 4 is the flow chart that transmit leg and recipient carry out just setting up after secondary is consulted safe lane.In this flow process, consult sign and played effect, the transmit leg user consults it to indicate to be changed to and allows to consult that at this moment, if under the inconsistent situation of security algorithm that both sides support, both sides can carry out security algorithm and parameter is consulted again.Idiographic flow is as follows:
(1) transmit leg and recipient carry out the security strategy maintenance;
(2) transmit leg sends to the recipient with the safe class of its selection and algorithm, parameter;
(3) recipient carries out verification to the sender-selected safe class that receives and algorithm, parameter, find that it can not support, so further view the negotiation sign of transmit leg, find to allow consult, just the safe class of its support and algorithm, parameter list (being recipient's security strategy descriptor) are returned to transmit leg; (if consult to be masked as not allow, then consult failure)
(4) transmit leg is according to recipient's return information, selects safe class that both sides support and algorithm, parameter from their security algorithms, and sets up safe lane with this, returns recipient's security policy information by safe lane;
(5) recipient confirms to consult successfully after the security policy information of confirming step (3) transmission is not distorted; Otherwise, consult failure.
The flow process that Fig. 5 carries out security negotiation is identical with Fig. 4, and their difference is that in the network system of Fig. 5 the both sides of communication for service safe in utilization have different strategic servers separately security strategy is safeguarded.As tactful server A among Fig. 5 and strategic server B.Do not carry out the negotiation of security parameter between two strategic servers, but need carry out synchronously, guarantee that with this communicating pair has common description to security strategy, reach and carry out the security parameter negotiation smoothly security strategy or database.
Claims (6)
1. method of between communicating pair, setting up safe lane, Security Policy Server is set deposits the security strategy descriptor, comprise security algorithm and parameter list corresponding under safe class and each safe class, communicating pair is set up safe lane according to the following steps:
The first step, communicating pair carries out attended operation to the security strategy descriptor;
In second step, sender-selected communication security grade and corresponding algorithm thereof and parameter are issued the recipient;
In the 3rd step, recipient's verification safe class and algorithm and parameter if in the safe class and algorithm and parameter list of its support, then set up both sides' safe lane with this, entered for the 4th step; Otherwise the recipient checks the negotiation sign of transmit leg, allows to consult if transmit leg is consulted to be masked as, and then enters step 6; If do not allow to consult, consult failure;
In the 4th step, the safe lane of recipient by setting up returns sender-selected safe class and algorithm and the parameter received;
In the 5th step, transmit leg carries out verification to recipient's return information, and as verification succeeds, safe lane is successfully set up; Otherwise, consult failure;
In the 6th step, the recipient sends to transmit leg with its security strategy descriptor;
The 7th step, the information that transmit leg sends according to the recipient is selected common safe class and algorithm and the parameter of supporting from their security strategy descriptor, set up safe lane with this, and, return recipient's safe class and algorithm and parameter by this safe lane;
In the 8th step, the recipient carries out verification to the return information of transmit leg, and as verification succeeds, safe lane is successfully set up; Otherwise, consult failure.
2. the method for setting up safe lane between communicating pair according to claim 1 is characterized in that, the shared Security Policy Server of communicating pair or each are with a Security Policy Server.
3. the method for setting up safe lane between communicating pair according to claim 1 is characterized in that, in Security Policy Server device inside, according to security needs safe class is divided into { L1, L2 ..., Ln}n safe class, wherein n is more than or equal to 1, wherein comprise under each safe class A1, A2 ... Am}m security algorithm, wherein m is more than or equal to 1.
4. the method for setting up safe lane between communicating pair according to claim 1 is characterized in that, in portable terminal inside, its safe class be divided into L1, L2 ... Ln}n safe class, wherein n is more than or equal to 1, and wherein the security algorithm that comprises under each safe class has { Aj|Aj ∈ (A1, A2, Am) }, wherein m is more than or equal to 1, j more than or equal to 1 smaller or equal to m; When this portable terminal was not supported a certain safe class, security algorithm corresponding under this safe class was { Φ }.
5. according to the described method of between communicating pair, setting up safe lane of the arbitrary claim of claim 1 to 4, it is characterized in that, it is the security strategy descriptor and the Security Policy Server configuration consistency of instigating communicating pair that security strategy descriptor in the described first step is carried out attended operation, if side's security strategy descriptor is expired, then its security policy information is described and upgraded.
6. according to the described method of between communicating pair, setting up safe lane of the arbitrary claim of claim 1 to 4, it is characterized in that, in the 7th step, if when transmit leg finds that safe class that the recipient supports and algorithm do not reach security needs, abandon the security negotiation operation, consult failure.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200610156927A CN101192922B (en) | 2006-11-17 | 2006-11-17 | A method for establishing secure channel between both communication parties |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200610156927A CN101192922B (en) | 2006-11-17 | 2006-11-17 | A method for establishing secure channel between both communication parties |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101192922A CN101192922A (en) | 2008-06-04 |
| CN101192922B true CN101192922B (en) | 2010-05-19 |
Family
ID=39487697
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200610156927A Expired - Fee Related CN101192922B (en) | 2006-11-17 | 2006-11-17 | A method for establishing secure channel between both communication parties |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101192922B (en) |
Families Citing this family (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| FR2957440B1 (en) | 2010-03-09 | 2012-08-17 | Proton World Int Nv | PROTECTION OF A SECURITY MODULE IN A TELECOMMUNICATION DEVICE COUPLED TO AN NFC CIRCUIT |
| FR2957437B1 (en) * | 2010-03-09 | 2012-03-30 | Proton World Int Nv | PROTECTION AGAINST A DEROUTEMENT OF A COMMUNICATION CHANNEL OF AN NFC CIRCUIT |
| FR2957438B1 (en) | 2010-03-09 | 2012-03-30 | Proton World Int Nv | DETECTION OF A DEROUTEMENT OF A COMMUNICATION CHANNEL OF A TELECOMMUNICATION DEVICE COUPLED TO AN NFC CIRCUIT |
| FR2957439B1 (en) | 2010-03-09 | 2012-03-30 | Proton World Int Nv | PROTECTION OF A COMMUNICATION CHANNEL BETWEEN A SECURITY MODULE AND AN NFC CIRCUIT |
| CN102223355B (en) * | 2010-04-19 | 2015-09-16 | 中兴通讯股份有限公司 | A kind of secure communication machinery of consultation and device |
| FR2969341B1 (en) | 2010-12-20 | 2013-01-18 | Proton World Int Nv | MANAGING COMMUNICATION CHANNELS IN A TELECOMMUNICATION DEVICE COUPLED TO AN NFC CIRCUIT |
| CN105991558B (en) * | 2015-02-04 | 2019-09-17 | 中国移动通信集团公司 | Safe mode machinery of consultation, device and equipment under a kind of mobile network cloud scene |
| WO2020129073A1 (en) | 2018-12-19 | 2020-06-25 | Telefonaktiebolaget Lm Ericsson (Publ) | User configuration of services |
| CN110290151B (en) * | 2019-07-16 | 2021-10-08 | 迈普通信技术股份有限公司 | Message sending method and device and readable storage medium |
| CN115589321A (en) * | 2022-10-11 | 2023-01-10 | 中国电信股份有限公司 | Security context isolation policy negotiation method, device, equipment and storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5784566A (en) * | 1996-01-11 | 1998-07-21 | Oracle Corporation | System and method for negotiating security services and algorithms for communication across a computer network |
| CN1764196A (en) * | 2005-11-15 | 2006-04-26 | 中兴通讯股份有限公司 | Safety grade arranging method |
| CN1773904A (en) * | 2004-11-08 | 2006-05-17 | 中兴通讯股份有限公司 | Universal safety grade consulting method |
-
2006
- 2006-11-17 CN CN200610156927A patent/CN101192922B/en not_active Expired - Fee Related
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5784566A (en) * | 1996-01-11 | 1998-07-21 | Oracle Corporation | System and method for negotiating security services and algorithms for communication across a computer network |
| CN1773904A (en) * | 2004-11-08 | 2006-05-17 | 中兴通讯股份有限公司 | Universal safety grade consulting method |
| CN1764196A (en) * | 2005-11-15 | 2006-04-26 | 中兴通讯股份有限公司 | Safety grade arranging method |
Non-Patent Citations (1)
| Title |
|---|
| 钱伟光,傅翀,秦志光,陈剑勇.移动通信安全等级协商技术研究.2006通信理论与技术新进展—-第十一届全国青年通信学术会议论文集.2006,(2006),1068-1072. * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101192922A (en) | 2008-06-04 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101192922B (en) | A method for establishing secure channel between both communication parties | |
| EP1471708B1 (en) | System and method for establishing secondary channels | |
| KR100747756B1 (en) | Peer-to-peer telephone system | |
| CN100505759C (en) | Non peer-to-peer entity safety grade arranging method | |
| CN101193068B (en) | A response request method and device | |
| CN103535004B (en) | Method for promoting anonymity audio and video communication and system based on web | |
| CN101039310B (en) | Link sharing service apparatus and communication method thereof | |
| EP2643944A1 (en) | A method, device and system for verifying communication sessions | |
| CN101192920A (en) | A response request method and device | |
| CN102685749A (en) | Wireless safety authentication method orienting to mobile terminal | |
| CN101159543A (en) | WAPI single broadcasting key negotiation method | |
| CN106027560A (en) | Intelligent terminal oriented security transmission method and system | |
| CN101742011A (en) | Lawful interception method for internetwork telephone domain and system thereof | |
| CN100394754C (en) | Identity identification method specially used in mobile phone networking insertion service | |
| WO2010145379A1 (en) | Method for downloading computer data to mobile terminal securely and system thereof | |
| CN101364866A (en) | Entity secret talk establishing system based on multiple key distribution centers and method therefor | |
| CN101635632B (en) | Method, system and device for authentication and configuration | |
| CN102158477A (en) | Communication system and information interaction method | |
| CN113194069B (en) | Communication tracing method, communication tracing device and medium based on block chain | |
| CN106375265A (en) | Household gateway and communication management method and communication system thereof | |
| CN102148688A (en) | Charging method and NAS (Network Access Server) | |
| CN102195943A (en) | Safety information interaction method and system | |
| CN107181798A (en) | A kind of realization method and system of network access | |
| CN100490375C (en) | Strong authentication method based on symmetric encryption algorithm | |
| CN103346889A (en) | Digital certificate authentication method, system, client-side and digital certificate carrier |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20100519 Termination date: 20151117 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |