CN101459505B - Method, system for generating private key for user, user equipment and cipher key generating center - Google Patents

Method, system for generating private key for user, user equipment and cipher key generating center Download PDF

Info

Publication number
CN101459505B
CN101459505B CN2007101995801A CN200710199580A CN101459505B CN 101459505 B CN101459505 B CN 101459505B CN 2007101995801 A CN2007101995801 A CN 2007101995801A CN 200710199580 A CN200710199580 A CN 200710199580A CN 101459505 B CN101459505 B CN 101459505B
Authority
CN
China
Prior art keywords
private key
key
user
generates
center
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN2007101995801A
Other languages
Chinese (zh)
Other versions
CN101459505A (en
Inventor
高洪涛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN2007101995801A priority Critical patent/CN101459505B/en
Publication of CN101459505A publication Critical patent/CN101459505A/en
Application granted granted Critical
Publication of CN101459505B publication Critical patent/CN101459505B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Abstract

The invention discloses a method for generating user private keys, which comprises sharing a key and the mark of a key generating center in short-term by a user device through a preformed user device and a guide server functional unit to generate a sharing key between the user device and the key generating center, sending the private key generating request message to the key generating center by the user device, and receiving an encrypted user private key and decrypting by the user device, and obtaining the user private key. The invention further discloses an another method for generating user private key, which comprises sending a private key generating request message to a key generating center, wherein the private key generating request message carries the private key application type, selecting the appropriate algorithm by the key generating center according to the private key application type, generating a user private key and returning to the user device, and receiving the user private key returned by the key generating center. The invention further discloses a relative system and a device, which can effectively optimize the process of generating user private key.

Description

Method, system and the subscriber equipment, the key that generate private key for user generate the center
Technical field
The present invention relates to communication technical field, relate in particular to a kind of method, system, subscriber equipment and key that generates private key for user and generate the center.
Background technology
Cipher mechanism (IBC based on user identity, Identity-Based Cryptograph) be a kind of asymmetric key mechanisms, (ID is identification) as PKI in its use user's identify label, by certain mathematical algorithm, derive private key from user's ID.
Because client public key is exactly user's ID in IBC, does not need user ID and client public key are bound, and avoided a series of complex operations at PKI validity, so IBC becomes the important development direction of key mechanism now gradually.
When needs generate private key by user ID, usually by the user ID of oneself and the ID of the algorithm of wishing to use are sent to key generation center (KGC, Key Generate Center), after KGC generates private key, this private key is returned to the user, its flow process as shown in Figure 1:
Step 101, set up Transport Layer Security (TLS, Transport Layer Security Protocol) and connect.
Use TLS to connect between subscriber equipment (UE, User Equipment) and the KGC.
Step 102, UE send private key to KGC and generate request, this private key generate carry user ID (User ID) in the request and wish use the ID of algorithm.
Step 103, KGC remove selection algorithm according to the algorithm ID that UE sends, and use this algorithm of having selected to calculate private key for user according to User ID.
Step 104, KGC are to UE echo reply message, and this response message can be a successful respond, also can be that failure is replied, and carry the private key for user of generation when being successful respond, are that failure carries Fail Type when replying.
In step 101, KGC need carry out mutual authentication with UE could set up being connected of safety.And use TLS to connect, and just UE and KGC at first authenticate by TLS and could set up safe the connection after encryption key is consulted, and follow-up flow process is all carried out in this connects safely.
In research and practice process to prior art, the inventor finds that there is following problem in prior art:
At present, the Authentication and Key Agreement that TLS uses need carry out the operation based on certificate usually, by being user's grant a certificate with user ID and PKI binding, before using certificate, need to the digital certificate authentication center of grant a certificate (CA, Certificate Authority) validity of authentication certificate, this checking comprises: checking CA signature, the process of checking CA signature may relate to the cross-certification with certificate chain and CA; Whether checking is added into certificate revocation catalogue (CRL, Certificate Revocation List); Before the deadline whether checking.This a series of verification operation need expend a lot of storages and processor resource, and especially for portable terminal limited processor ability and the limited transmission speed of mobile network, problem can be more outstanding
Further, because IBC has encryption, signature and three kinds of main application of key agreement usually, according to different application, the generating algorithm of private key for user also can be different, and, even for a kind of application, a plurality of algorithms of different are also arranged, therefore, when UE generates private key in request, KGC will specify key schedule ID to KGC, so that can generate private key for user according to the algorithm of user's appointment.And domestic consumer does not understand the implication of key schedule usually, also be difficult to understanding and should select which kind of algorithm to generate the private key of wishing with, so prior art for domestic consumer, use difficulty very greatly.
Summary of the invention
The technical problem that the embodiment of the invention will solve provides a kind of method, system, subscriber equipment and key that generates private key for user and generates the center, to optimize the process that generates private key for user.
For solving the problems of the technologies described above, the embodiment of the invention provides a kind of method that generates private key for user on the one hand, and described method comprises:
Subscriber equipment is shared the sign generation subscriber equipment at key and key generation center and the shared key between the key generation center by the subscriber equipment and the boortstrap server function unit short-term that generate in advance;
Described subscriber equipment sends private key and generates request message to described key generation center, so that receiving after described private key generates request message, described key generation center initiates authentication request to described boortstrap server function unit, and the authentication by after return described shared key, described key generates the center and generates request message generation private key for user according to described private key, with returning subscriber equipment after the described shared secret key encryption;
Described subscriber equipment receives the private key for user and the deciphering of described encryption, obtains described private key for user.
On the other hand, provide a kind of method that generates private key for user, described method comprises:
Key generation center receives the private key generation request message that subscriber equipment sends;
Described key generates the center and generates request message to boortstrap server function unit transmission authentication request message according to described private key, so that described boortstrap server function unit generates center for described key to the authentication of described key generation center by back return authentication response message according to authentication request message, described authentication response message comprises shared key;
Described key generation center receives described authentication response message, generates request message according to described private key and generates private key for user, and return to subscriber equipment after using described shared secret key encryption.
On the other hand, provide a kind of system that generates private key for user, described system comprises: subscriber equipment, key generate center, boortstrap server function unit;
Described subscriber equipment is used for sharing the sign acquisition subscriber equipment at key and key generation center and the shared key between the key generation center by the subscriber equipment and the boortstrap server function unit short-term that generate in advance; Send private key and generate request message to described key generation center; Receive the private key for user and the deciphering of the encryption of returning at described key generation center, obtain described private key for user;
Described key generates the center, is used to receive described private key and generates request message; Sign according to described shared key sends authentication request message to described boortstrap server function unit; Receive the authentication response message that comprises shared key that described boortstrap server function unit returns; Generate private key for user according to described private key demand parameter, and return to subscriber equipment after using described shared secret key encryption;
Described boortstrap server function unit is used to receive described authentication request message, and the sign of the shared key that carries according to described authentication request message obtains described shared key, and turns back to key and generate the center.
On the other hand, provide a kind of subscriber equipment, described subscriber equipment comprises:
Share cipher key unit, be used for sharing the sign generation subscriber equipment at key and key generation center and the shared key between the key generation center by the subscriber equipment and the short-term between the boortstrap server function unit that generate in advance;
Private key generates request unit, be used to send private key and generate request message to described key generation center, so that receiving after described private key generates request message, described key generation center initiates authentication request to described boortstrap server function unit, and the authentication by after return described shared key, described key generates the center and generates request message generation private key for user according to described private key, with returning subscriber equipment after the described shared secret key encryption;
Decrypting device is used to receive the private key for user and the deciphering of described encryption, obtains described private key for user.
On the other hand, provide a kind of key to generate the center, described key generation center comprises:
Private key generates request unit, is used to receive the private key generation request message that subscriber equipment sends;
The authentication request unit, be used for generating request message and send authentication request message to the boortstrap server function unit according to described private key, so that described boortstrap server function unit generates center for described key to the authentication of described key generation center by back return authentication response message according to authentication request message, described authentication response message comprises shared key;
The authentication response message unit is used to receive described authentication response message;
The private key for user unit is used for generating request message according to described private key and generates private key for user, and returns to subscriber equipment after using described shared secret key encryption.
As can be seen from the above technical solutions; the embodiment of the invention is because use GBA carries out authentication and the safeguard protection between KGC and the UE; no longer need to carry out a series of complex operations based on certificate; effectively alleviated the burden of system; the safe transmission that makes authentication between KGC and the UE and private key for user consumes a large amount of the minimizing to the storage and the processing time of user terminal; especially when UE is portable terminal; because the processor ability of portable terminal and mobile network's transmission speed are all very limited, effect is more obvious.
The embodiment of the invention provides a kind of method that generates private key for user on the other hand, and described method comprises:
Send private key and generate request message to described key generation center, described private key generates request message and carries the private key application type; Select suitable algorithm so that described key generates the center according to described private key application type, generate private key for user, and return to subscriber equipment;
Receive the private key for user that described key generation center is returned.
On the other hand, provide a kind of method that generates private key for user, described method comprises:
Receive the private key generation request message that has the private key application type that subscriber equipment sends;
Select suitable algorithm according to described private key application type, generate private key for user, and described private key for user is sent to described subscriber equipment.
On the other hand, provide a kind of system that generates private key for user, described system comprises:
Subscriber equipment is used to send private key and generates request message, and described private key generates request message and carries the private key application type; Receive private key for user;
Key generates the center, is used to receive the private key generation request message that has the private key application type that subscriber equipment sends; Select suitable algorithm according to described private key application type, generate private key for user, and return for described subscriber equipment to described private key for user.
On the other hand, provide a kind of subscriber equipment, described subscriber equipment comprises:
Private key generates request unit, is used to send private key and generates request message to described key generation center, and described private key generates request message and carries the private key application type; Select suitable algorithm so that described key generates the center according to described private key application type, generate private key for user, and return to subscriber equipment;
Receiving element is used to receive the private key for user that described key generation center is returned.
On the other hand, provide a kind of key to generate the center, described key generation center comprises:
Private key generates request unit, is used to receive the private key generation request message that has the private key application type that subscriber equipment sends;
The private key for user unit is used for selecting suitable algorithm according to described private key application type, generates private key for user, and returns for described subscriber equipment to described private key for user.
As can be seen from the above technical solutions, in embodiments of the present invention, the user only need specify the private key application type, the algorithm that KGC can select to meet generates private key, and the private key application type is more readily understood than algorithm ID for domestic consumer, also easier selection has reduced the use difficulty of domestic consumer
Description of drawings
Fig. 1 is the flow chart of existing generation private key for user;
Fig. 2 is the framework schematic diagram of GBA;
Method embodiment one flow chart of the generation private key for user that Fig. 3 provides for the embodiment of the invention;
System embodiment one structural representation of the generation private key for user that Fig. 4 provides for the embodiment of the invention;
Subscriber equipment embodiment one structure chart that Fig. 5 provides for the embodiment of the invention;
Fig. 6 generates center embodiment one structure chart for the key that the embodiment of the invention provides;
Method embodiment two flow charts of the generation private key for user that Fig. 7 provides for the embodiment of the invention;
System embodiment two structural representations of the generation private key for user that Fig. 8 provides for the embodiment of the invention.
Embodiment
The embodiment of the invention provides a kind of method, system, subscriber equipment and key that generates private key for user to generate the center, has optimized the process that generates private key for user among the IBC.
In order to make the process that generates private key for user among the IBC not need to rely on certificate; simplify the flow process that generates private key for user; the embodiment of the invention has been used universal guiding structure (GBA; General BootstrapArchitecture) carries out authentication and safeguard protection between KGC and the UE; GBA is a kind of by 3GPP (3rd Generation Partnership Project; third generation partner program) the professional generic authentication architecture of Zhi Dinging, the common framework of GBA as shown in Figure 2, it specifically comprises:
Home subscriber system (HSS, Home Subscriber System) 201, the system of unified maintenance customer's ordering information is the home subscriber server of UE 203 among the 3GPP, wherein preserved user's GBA user security parameters collection (GUSS, GBA User Security Settings).Described GUSS comprises Basic Authentication information such as user's root key of network insertion, also comprises specific to the user security of using relevant information such as user security parameters collection (USS, User Security Settings).
Boortstrap server function unit (BSF, Bootstrapping Server Function) 202, itself and UE203 are based on Authentication and Key Agreement (AKA, Authentication and Key Agreement) agreement authenticates mutually, and the short-term between generation BSF 202 and the UE 203 is shared the sign (B-TID, Bootstrapping Transaction identifier Bootstrapping) of key and the shared key of this short-term.When this verification process generally occurs in UE start access network, when perhaps the shared expired need of key of short-term regenerate.
Network application server (NAF, Network Application Function) 204 is represented any service supplier in the network, as being presented as KGC in the present embodiment.
BSF 202 and HSS 201 generally are arranged in the core network of same operator.
When the application data of exchange between UE 203 and the NAF 204 need be protected, employed key was that the shared key of short-term is produced by AKA mechanism by UE and BSF.
Method embodiment one flow process of the generation private key for user that the embodiment of the invention provides is as shown in Figure 3:
(BSF, Bootstrapping Server Function) authenticates and generates key mutually for step 301, UE and boortstrap server function unit.
In this step, UE and BSF finish mutual authentication by AKA, and obtain the shared key of short-term of UE and BSF and the sign that this short-term is shared key, and this short-term is shared key can be made Ks by note, and the common example of the sign B-TID of Ks is as follows:
base64encode(RAND)@BSF_servers_domain_name
B-TID can Ks of unique identification, because for each Ks, BSF is that it generates different random numbers, and in example mentioned above, this random number can be by note RAND." BSF_servers_domain_name " in the example mentioned above is the sign of BSF, is generally the complete qualification domain name (FQDN, Full Qualified Domain Name) of BSF.
When occurring in UE start access network as this step 1, when perhaps the shared key K s need out of date of short-term regenerate.
Step 302, UE calculate the shared key (Ks_NAF) between UE and the KGC by the sign NAF_ID of Ks and KGC.
In the present embodiment, NAF is served as by KGC, and therefore, UE can calculate the shared key K s_NAF between UE and the NAF by the sign NAF_ID of Ks and KGC.
NAF_ID is the sign of NAF, is generally its complete qualification domain name FQDN, is the complete qualification domain name FQDN that key generates center KGC in the present embodiment.
Step 303, UE send private key and generate request message to KGC.
This private key generates request message and comprises message authentication code (MAC, the message authentication code) value that B-TID, user ID, private key demand parameter and this private key generate request message.
The MAC value that this private key generates request message is that UE is that cipher key calculation obtains with Ks_NAF, and KGC can verify whether user ID and private key demand parameter were distorted by checking MAC value after receiving this message.
Because IBC has the application of encryption, signature and three kinds of main types of key agreement usually, according to different application, the algorithm that uses when private key for user generates also can be different.And, even, a plurality of different algorithms are arranged also, therefore, when UE generates private key in request, should provide private key purposes relevant information, so that KGC can select to generate the employed algorithm of private key according to the demand of UE to KGC for the application of same type.The private key demand parameter is the demand information to private key that UE formulates, and carries information such as private key purposes.
Present embodiment provides the implementation of following two kinds of private key demand parameters:
First kind, in the private key demand parameter, specify the private key application type, make KGC select suitable algorithm generate private key according to this private key application type for the user.
The private key application type comprises encryption, signature and key agreement, and for instance, if the user specifies the private key application type for encrypting, then just can to select to generate encryption be that the user generates private key with the algorithm of private key to KGC.
For domestic consumer, specify the private key application type to be more readily understood, also being convenient to the user selects, reduced the difficulty that the user uses, because with respect to allowing the user in the private key demand parameter, specify key schedule in the prior art, KGC directly generates private key according to this algorithm, domestic consumer is more readily understood the application type of private key, because the user does not understand the implication that key generates employed algorithm usually, also just is difficult to select which kind of algorithm to generate the private key of wishing with.
Second kind, in the private key demand parameter, specify requirement of strength, the key length that KGC can be generated according to the decision of this requirement of strength.
For with a kind of algorithm, the difference of security intensity, the private key length of its generation also can be different, so the embodiment of the invention provides the execution mode of specifying requirement of strength in the private key demand parameter, can in the private key demand parameter, specify requirement of strength, make KGC can determine the length of the key of generation according to this requirement of strength.
When the user understands the implication of algorithm, the method that this aspect embodiment also can add prior art in the private key demand parameter provide is used together, can use together with the method that first method or prior art provide as second method, promptly in the private key demand parameter, specify in key schedule or the private key application type, in the private key demand parameter, specify requirement of strength, satisfy the demand of user secret key safety intensity.
Interactive information between UE and the KGC can be passed through HTML (Hypertext Markup Language) (HTTP, HypertextTransfer Protocol) carrying, private key generation request message can be extend markup language (XML in this step, Extensible Markup Language) form, also can be text formatting, be that example describes with the XML form below:
<ibc:request?xmlns:ibc="*******">
<ibc:header>
<ibc:client?version="clientID"/>
</ibc:header>
<ibc:body>
<ibc:keyRequest>
<ibc:requirement>
<ibc:keyusage>
<oid>usageOID</oid>
</ibc:keyusage>
</ibc:requirement>
<ibc:id>
ibcIdentityInfo
</ibc:id>
</ibc:keyRequest>
</ibc:body>
</ibc:request>
Wherein,<ibc:request xmlns:ibc=" * * * * * * * " in " xmlns " be NameSpace;<ibc:requirement〉be the private key for user demand parameter;<oid〉usageOID</oid〉//usageOID is the private key purposes, if its value equals SignOID, expression is used for signature; Equal EncrypOID, then expression is encrypted;<ibc:id〉be user ID; IbcIdentityInfo is user's a identity information.
Step 304, KGC send authentication request message to BSF.
After KGC receives that private key generates request message, ask the shared key of B-TID correspondence to BSF, also the short-term that promptly generates in step 301 is shared key K s.KGC can know the address FQDN of BSF by B-TID, and KGC sends authentication request message by the address FQDN of BSF to BSF.
This authentication request message comprises: B-TID, NAF_ID, KGC_USS (User Security Settings, user security parameters collection) request.Wherein NAF_ID is the sign of KGC, is generally the FQDN of KGC; B-TID is the Ks sign that UE sends in the step 303; The KGC_USS request is used for to the user USS parameter of BSF request specific to this KGC, and the KGC_USS request is an optional parameter, and can have not to have yet.
USS is user's the security parameter specific to KGC, is stored on the BSF usually, and KGC may use when handling the application request of UE.Use if desired, then KGC is with the KGC_USS request in issuing the authentication request of BSF, if BSF this locality does not have this up-to-date user GBA user security parameters collection (GUSS, GBA User Security Settings), then BSF to HSS obtain corresponding GUSS and the authentication KGC by after return to KGC.
Step 305, carry KGC_USS request, and BSF this locality sends and obtains GUSS message to HSS when not having this up-to-date user GUSS in authentication request message.
BSF receives the authentication request message that KGC sends, if comprise the KGC_USS request in this request, BSF at first judges by the timestamp (timestamp) among the GUSS of local storage whether the local GUSS that stores surpasses the term of validity.The GUSS of local storage obtained to HSS when carrying out AKA or GBA process last time, if it surpasses the term of validity, perhaps this user's GUSS is not preserved in this locality, then carried out step 305 transmission and obtained GUSS message to HSS, to the up-to-date GUSS of HSS request; If local preserve this user's GUSS, and do not exceed the time limit, then do not need carry out step 305, BSF authentication KGC by after this user's KGC_USS is returned to KGC.
Step 306, HSS receive obtain GUSS message and KGC authentication passed through after, return GUSS and give BSF.
Wherein GUSS can represent with the XML form, now is exemplified below:
<guss?id="358500004836551@ims.mnc050.mcc358.3gppnetwork.org">
// wherein id is a user ID
<bsfInfo>
<lifeTime〉86400</lifeTime〉// represent the valid expiration date of this USS, be unit with the second
</bsfInfo>
<ussList〉// can comprise a plurality of USS, different USS represent with id
<uss id=" 1 " type=" n "〉//type represents that this USS is that KGC is specific, n is concrete numeral
<uids>
<uid〉tel:358504836551</uid〉// user ID
// a plurality of user ID can be arranged, can be the ID that the user uses in business
</uids>
<flags〉// this part is the public part of USS, defines
<flag〉1</flag〉// expression need be done authentication (flag=1) to the user just can provide service
</flags>
<extension>
<ibcusage〉// expression is about the subscriber authorisation of ibc application type
<ibcencrypt〉1</ibcencrypt〉// encrypt application to be authorized to
</ibcusage>
// can define other expansions, as algorithm ID and security intensity
</extension>
</uss>
</ussList>
</guss>
Step 307, BSF according to the Ks of the sign NAF_ID of KGC and B-TID correspondence in accordance with regulations algorithm computation obtain Ks_NAF.If the authentication request message of step 304 carries the KGC_USS request, then BSF extracts the specific security parameter USS of KGC from GUSS, described security parameter USS generally includes the private key generation type that the user obtains the authorization, and it can also comprise private key intensity parameters and private key generating algorithm parameter etc.
The private key of this described mandate generates type, and generally to be the user open KGC when professional in application, selects according to user's actual demand and/or payment type, is kept among the GUSS as the parameter of user when using KGC professional afterwards.Be authorized to generate the private key that is used to encrypt as the user, or be authorized to generate and be used to the private key encrypting and sign, KGC checks the type parameter when generating private key for the user, judge whether the user is authorized to generate the private key of encryption or encryption and signature type.
Before carrying out step 305,306,307, BSF need authenticate KGC, has authority to obtain these services of BSF to confirm KGC.
Step 308, BSF return authentication response message are given KGC, and the data that this authentication response message comprises have Ks_NAF, when authentication request message carries the KGC_USS request, also include the specific USS of KGC.
At this moment, KGC obtains Ks_NAF, and what UE obtained in this Ks_NAF and the step 301 is identical, is the shared key between UE and the KGC.
Step 309, KGC selection algorithm generate private key.
KGC uses the MAC value in the Ks_NAF checking private key generation request message, and checking is passed through, and illustrates that then the private key generation request message of UE is not distorted.
If the private key demand parameter that the private key that step 303 sends generates in the request message has been specified key schedule, then compare private key in this step and generate the algorithm ID that carries in the request message whether in the algorithm ID that USS comprises, judge whether client is authorized to apply for the private key type of its appointment, if in the algorithm ID that USS comprises, be authorized to, then use the algorithm of user's appointment to generate private key for user; If promptly not uncommitted in the algorithm ID that USS comprises, then private key for user generates failure.If specified requirement of strength simultaneously in the private key demand parameter, need judge also then whether the private key for user of generation satisfies the security intensity requirement, if do not satisfy, then private key for user generates failure.
If the private key demand parameter that the private key that step 303 sends generates in the request message has been specified the private key application type, check directly then whether the subscriber authorisation private key type among the USS comprises this application type, select satisfactory algorithm to generate private key for user; If there is not satisfactory algorithm, then private key for user generates failure.If specified requirement of strength simultaneously in the private key demand parameter, then when selecting the private key generating algorithm, must consider also whether this algorithm meets the security intensity requirement, select promptly to meet the requirements and the algorithm that meets the security intensity requirement generates private key for user; If there is not satisfactory algorithm, then private key for user generates failure.
When whether the private key application type that does not need to judge user's appointment is authorized to, can directly use the algorithm of the private key application type that can generate user's appointment to generate private key.
Step 310, KGC echo reply message are to UE.
If KGC generates the private key for user success in step 309, then use Ks_NAF that the private key for user that generates is encrypted, the private key for user after encrypting is carried in the successful respond message sends to UE, in this response message, can also carry the term of validity of this private key for user.The structure example of private key for user is as follows:
<ibe:response?xmlns:ibe="****">
<ibe:responseType?value="100"/>
<ibe:body>
<ibe:privateKey withEncrypted=GBA〉// add with the GBA arranging key
Close private key for user
EncryptedPrivateKey //private key data of the encryption of Base64 coding
</ibe:privateKey>
</ibe:body>
</ibe:response>
Wherein, encryptedPrivateKey is the private key for user data after encrypting, and the private key for user data are a structure, and this structure can be defined as follows:
IBEPrivateKeyReply::=SEQUENCE{
PkgIdentity IBCIdentityInfo, // user ID ID
The algorithm sign of pgkAlgorithm OBJECT IDENTIFIER // generation private key
PkgKeyData OCTET STRING // private key
Other parameters of pkgOptions SEQUENCE OF Extensions.
}
After UE receives this successful respond message, extract the private key for user data after encrypting in this message, use Ks_NAF, can obtain private key for user the private key for user deciphering after encrypting.If carry the term of validity of this private key for user in this response message, also can obtain in the lump this moment.
If KGC generates the private key for user failure in step 309, then return the failure response message to UE, and in this failure response message, carry failure cause.
For instance, if reason is its private key type of being asked of the uncommitted acquisition of user, then response message is as follows:
<ibe:response?xmlns:ibc="***">
<ibe:responseType value=" 305 "/〉 // answer code 305 expression user lack of competence Shens
Please the type private key
<ibe:body>
<ibe:permission>
UserPermissionType // optionally, comprise the private key type that the user is authorized to
</ibe:permission>
</ibe:body>
</ibe:response>
More than be the detailed description of the method embodiment of the generation private key for user that the embodiment of the invention is provided; in the method embodiment of the generation private key for user that the embodiment of the invention provides; because use GBA carries out authentication and safeguard protection between KGC and the UE; no longer need to carry out a series of complex operations based on certificate; effectively alleviated the burden of system; the safe transmission that makes authentication between KGC and the UE and private key for user consumes a large amount of the minimizing to the storage and the processing time of user terminal; especially for UE the situation of portable terminal; because the processor ability of portable terminal and mobile network's transmission speed are all very limited, effect is more obvious.
Further, in prior art, the key schedule that needs user specifies to be very difficult to understand, and using the difficulty of bringing to the user, the method embodiment of the generation private key for user that the embodiment of the invention provides provides the technical scheme of specifying the private key application type in the private key demand parameter, specify the private key application type, for domestic consumer, will be more readily understood, and be convenient to the user and select, reduce the difficulty that the user uses.And after adopting this scheme, KGC can control private key flexibly according to the subscriber authorisation situation and generate, like this after new algorithm is adopted by KGC, do not need protocol message is made any change, only need to get final product in the inner support that increases new algorithm of KGC, thereby make agreement not be subjected to the influence of algorithm, have better practicality.The method embodiment of the generation private key for user that the embodiment of the invention provides, the technical scheme of specifying requirement of strength in the private key demand parameter also is provided, make KGC can be when generating private key require to generate private key to the security intensity of private key with reference to the user, improved user satisfaction, and the user is to the demand of fail safe.
Further, in the prior art, user's security parameter and user right parameter are managed independently by KGC, and same user may belong to different KGC, cause identical data to be repeated to preserve, and management is also comparatively complicated, the method embodiment of the generation private key for user that the embodiment of the invention provides, the security parameter that the user is provided is by the technical scheme of HSS with the mode unified management of USS, thereby avoid managing the repeated construction that brings independently by KGC, the problem of complex management well is fused under the 3GPP network KGC.
The system embodiment one of the generation private key for user that the embodiment of the invention provides comprises as shown in Figure 4: subscriber equipment 403, key generate center 404, boortstrap server function unit 402 and home subscriber system 401.
Wherein subscriber equipment 403, are used for sharing the sign acquisition subscriber equipment at key and key generation center and the shared key between the key generation center by the subscriber equipment and the boortstrap server function unit short-term that generate in advance; Send private key and generate request message to described key generation center 404; Receive private key for user and deciphering that described key generates the encryption of returning at center 404, obtain described private key for user.
Key generates center 404, is used to receive described private key and generates request message; Sign according to described shared key sends authentication request message to described boortstrap server function unit 402; Receive the authentication response message that comprises shared key that described boortstrap server function unit 402 returns; Generate private key for user according to described private key demand parameter, and return to subscriber equipment 403 after using described shared secret key encryption.
Described boortstrap server function unit 402 is used to receive described authentication request message, and the sign of the shared key that carries according to described authentication request message obtains described shared key, and turns back to key and generate center 404.
Home subscriber system 401 is used to preserve user's GUSS.
The method basically identical of the working method of the system embodiment one of the generation private key for user that the embodiment of the invention provides and the generation private key for user that the embodiment of the invention provides no longer is repeated in this description at this.
Subscriber equipment embodiment one structure that the embodiment of the invention provides as shown in Figure 5, subscriber equipment 500 comprises:
Share cipher key unit 550, be used for sharing the sign generation subscriber equipment at key and key generation center and the shared key between the key generation center by the subscriber equipment and the short-term between the boortstrap server function unit that generate in advance;
Private key generates request unit 530, be used to send private key and generate request message to described key generation center, so that receiving after described private key generates request message, described key generation center initiates authentication request to described boortstrap server function unit, and the authentication by after return described shared key, described key generates the center and generates request message generation private key for user according to described private key, with returning subscriber equipment after the described shared secret key encryption;
Decrypting device 560 is used to receive the private key for user and the deciphering of described encryption, obtains described private key for user.
Short-term is shared key identification unit 540, is used for generating request message at described private key and carries the sign that described short-term is shared key;
Private key demand parameter unit 510 is used for generating request message at described private key and carries the private key demand parameter;
Message authentication code element 520 is used for generating request message at described private key and portably uses the message authentication code that the shared key between described subscriber equipment and the key generation center generates.
Wherein, private key demand parameter unit 510 comprises:
Private key application type unit 511 is used for carrying the private key application type at described private key demand parameter, makes described key generate private key for user is selected to generate in the center according to described private key application type algorithm;
Or key schedule unit 512, be used for carrying key schedule at described private key demand parameter, make described key generation center use described key schedule to generate described private key for user.
Or requirement of strength unit 513, be used for carrying requirement of strength at described private key demand parameter, make described key generate the center generates described private key for user according to described requirement of strength decision length.
The key that the embodiment of the invention provides generates center embodiment one structure as shown in Figure 6, and key generates center 600 and comprises:
Private key generates request unit 620, is used to receive the private key generation request message that subscriber equipment sends;
Authentication request unit 650, be used for generating request message and send authentication request message to the boortstrap server function unit according to described private key, so that described boortstrap server function unit generates center for described key to the authentication of described key generation center by back return authentication response message according to authentication request message, described authentication response message comprises shared key;
Authentication response message unit 660 is used to receive described authentication response message;
Private key for user unit 630 is used for generating request message according to described private key and generates private key for user, and returns to subscriber equipment after using described shared secret key encryption.
Authentication unit 610 is used to use the described webserver to share the described private key of key authentication and generates the message authentication code that request message carries.
User security parameters unit 640 is used for carrying specific to the user security parameters at described key generation center in described authentication request message; So that described boortstrap server function unit is after passing through the authentication of described key generation center, obtain the described user security parameters that generates the center specific to described key, and be carried at and return to described private key for user unit in the authentication response message, so that described private key for user unit generates private key for user according to user security parameters in the described authentication response message and described private key demand parameter.
Wherein, private key for user unit 630 comprises again:
Private key application type unit is used for the algorithm according to described private key application type selection generation private key for user;
Or the key schedule unit, be used to use described key schedule to generate described private key for user.
The requirement of strength unit, the requirement of strength decision that is used for carrying according to described private key demand parameter generates the length of described private key for user.
Method embodiment two flow processs of the generation private key for user that the embodiment of the invention provides are as shown in Figure 7:
After step 701, UE and KGC connect, send private key and generate request message to KGC.
This private key generates request message and carries: user ID, private key demand parameter.
This private key demand parameter carries the private key application type, and making KGC select suitable algorithm according to the type is that the user generates private key.
The private key application type comprises: encrypt, signature or the like is dissimilar, for instance, if the user specifies the private key application type for encrypting, then just can to select to generate encryption be that the user generates private key with the algorithm of private key to KGC.
This be because, in the prior art, need the user to specify key schedule ID, and domestic consumer does not understand the implication of key schedule usually, also be difficult to understanding and should select which kind of algorithm to generate the private key of wishing, specify the private key application type, for domestic consumer, will be more readily understood with, be convenient to the user and select, reduced the difficulty that the user uses.
In the private key demand parameter, can also carry requirement of strength, make KGC can determine the key length of generation according to this requirement of strength.
This be because, for with a kind of algorithm, requirement according to security intensity, the private key length of its generation also can be different, so the embodiment of the invention provides the execution mode of specifying requirement of strength in the private key demand parameter, can generate at private key and specify requirement of strength in the demand parameter, make KGC can determine the key length of generation according to this requirement of strength.
Interactive information between UE and the KGC can be passed through HTML (Hypertext Markup Language) (HTTP, HypertextTransfer Protocol) carrying, private key generation request message can be extensible markup language (XML in this step, EXtensible Markup Language) form, also can be text formatting, be that example describes with the XML form below:
<ibc:request?xmlns:ibc="*******">
<ibc:header>
<ibc:client?version="clientID"/>
</ibc:header>
<ibc:body>
<ibc:keyRequest>
<ibc:requirement>
<ibc:keyusage>
<oid>usageOID</oid>
</ibc:keyusage>
</ibc:requirement>
<ibc:id>
ibcIdentityInfo
</ibc:id>
</ibc:keyRequest>
</ibc:body>
</ibc:request>
Wherein,<ibc:request xmlns:ibc=" * * * * * * * " in " xmlns " be NameSpace;<ibc:requirement〉be the private key for user demand parameter;<oid〉usageOID</oid〉//usageOID is the private key purposes, if its value equals SignOID, expression is used for signature; Equal EncrypOID, then expression is encrypted;<ibc:id〉be user ID; IbcIdentityInfo is user's a identity information.
Step 702, KGC obtain this user's private key type authorization message according to the user ID in the private key generation request message.
The private key type authorization message of obtaining the user is for whether the private key application type of judging user's appointment is authorized to, if whether the private key application type that does not need to judge user's appointment is authorized to, does not then need to carry out this step.
When on KGC, preserving user's private key type authorization message, can obtain, when on KGC, not preserving user's private key type authorization message, can obtain from home subscriber system (HSS, Home Subscriber System) from KGC this locality.Step 203, KGC selection algorithm generate private key.
When whether the private key application type that does not need to judge user's appointment was authorized to, directly the use algorithm that can generate the private key application type of user's appointment generated private key.
When needs judge whether the private key application type of user's appointment is authorized to, check the private key application type that whether comprises user's appointment in this user's the private key type authorization message, select satisfactory algorithm to generate private key for user; If there is not satisfactory algorithm, then private key for user generates failure.
Further,, then when selecting the private key generating algorithm, must consider also whether this algorithm meets the security intensity requirement, select promptly to meet the requirements and the algorithm that meets the security intensity requirement generates private key for user if specified requirement of strength simultaneously in the private key demand parameter; If there is not satisfactory algorithm, then private key for user generates failure.
Step 704, KGC echo reply message are to UE.
If KGC generates the private key for user success in step 203, then private key for user is carried in the successful respond message and sends to UE, in this response message, can also carry the term of validity of this private key for user.
If KGC generates the private key for user failure in step 203, then return the failure response message to UE, and in this failure response message, carry failure cause.
For instance, if reason is its private key type of being asked of the uncommitted acquisition of user, then response message is as follows:
<ibe:response?xmlns:ibc="***">
<ibe:responseType value=" 305 "/〉 // answer code 305 expression user lack of competence Shens
// please the type private key
<ibe:body>
<ibe:permission>
UserPermissionType // optionally, comprise the private key type that the user is authorized to.
</ibe:permission>
</ibe:body>
</ibe:response>
More than be the detailed description of the method embodiment of the generation private key for user that the embodiment of the invention is provided, in prior art, the key schedule that needs user specifies to be very difficult to understand, and use the difficulty bring to the user, the method embodiment of the generation private key for user that the embodiment of the invention provides, the technical scheme of specifying the private key application type in the private key demand parameter is provided, specify the private key application type, for domestic consumer, will be more readily understood, be convenient to the user and select, reduced the difficulty that the user uses.And after adopting this scheme, KGC can control private key flexibly according to the subscriber authorisation situation and generate, like this after new algorithm is adopted by KGC, do not need protocol message is made any change, only need to get final product in the inner support that increases new algorithm of KGC, thereby make agreement not be subjected to the influence of algorithm, have better practicality.The method embodiment of the generation private key for user that the embodiment of the invention provides, the technical scheme of specifying requirement of strength in the private key demand parameter also is provided, make KGC can be when generating private key require to generate private key to the security intensity of private key with reference to the user, improved user satisfaction, and the user is to the demand of fail safe.
System embodiment two structures of the generation private key for user that the embodiment of the invention provides comprise as shown in Figure 8:
Subscriber equipment 810 is used to send private key and generates request message, and described private key generates request message and carries the private key application type; Receive private key for user;
Key generates center 820, is used to receive the private key generation request message that has the private key application type that subscriber equipment sends; Select suitable algorithm according to described private key application type, generate private key for user, and return for described subscriber equipment to described private key for user.
Subscriber equipment embodiment two structures subscriber equipment 810 shown in Fig. 8 that the embodiment of the invention provides comprises:
Private key generates request unit 811, is used to send private key and generates request message to described key generation center, and described private key generates request message and carries the private key application type; Select suitable algorithm so that described key generates the center according to described private key application type, generate private key for user, and return to subscriber equipment;
Receiving element 812 is used to receive the private key for user that described key generation center is returned.
Requirement of strength unit 813 is used for generating request message at described private key and carries requirement of strength, makes described key generate the center generates described private key for user according to described requirement of strength decision length.
The key that the embodiment of the invention provides generates center embodiment two and comprises:
Private key generates request unit 821, is used to receive the private key generation request message that has the private key application type that subscriber equipment sends;
Private key for user unit 822 is used for selecting suitable algorithm according to described private key application type, generates private key for user, and returns for described subscriber equipment to described private key for user.
Requirement of strength unit 823 is used to make described private key for user unit to generate the described private key for user length that requirement of strength decision that request carries generates according to described private key.
Wherein, private key for user unit 822 comprises:
Generation unit is used for generating the private key type authorization message that user ID that request message carries is obtained this user according to described private key, selects suitable algorithm according to described private key application type from described private key type authorization message, generates private key for user;
Transmitting element is used for described private key for user is sent to described subscriber equipment.
The subscriber equipment that the embodiment of the invention provides, and the key that provides of the embodiment of the invention generate the working method at center and the method basically identical of the generation private key for user that the embodiment of the invention provides, no longer be repeated in this description at this.
One of ordinary skill in the art will appreciate that all or part of step that realizes in the foregoing description method is to instruct relevant hardware to finish by program, described program can be stored in a kind of computer-readable recording medium, this program comprises the steps: when carrying out
Subscriber equipment is shared the sign generation subscriber equipment at key and key generation center and the shared key between the key generation center by the subscriber equipment and the boortstrap server function unit short-term that generate in advance;
Described subscriber equipment sends private key and generates request message to described key generation center, so that receiving after described private key generates request message, described key generation center initiates authentication request to described boortstrap server function unit, and the authentication by after return described shared key, described key generates the center and generates request message generation private key for user according to described private key, with returning to subscriber equipment after the described shared secret key encryption;
Described subscriber equipment receives the private key for user and the deciphering of described encryption, obtains described private key for user.
Perhaps comprise:
Key generation center receives the private key generation request message that subscriber equipment sends;
Described key generates the center and generates request message to boortstrap server function unit transmission authentication request message according to described private key, so that described boortstrap server function unit generates center for described key to the authentication of described key generation center by back return authentication response message according to authentication request message, described authentication response message comprises shared key;
Described key generation center receives described authentication response message, generates request message according to described private key and generates private key for user, and return to subscriber equipment after using described shared secret key encryption.
Perhaps comprise:
Send private key and generate request message to described key generation center, described private key generates request message and carries the private key application type; Select suitable algorithm so that described key generates the center according to described private key application type, generate private key for user, and return to subscriber equipment;
Receive the private key for user that described key generation center is returned.
Perhaps comprise:
Receive the private key generation request message that has the private key application type that subscriber equipment sends;
Select suitable algorithm according to described private key application type, generate private key for user, and described private key for user is sent to described subscriber equipment.
The above-mentioned storage medium of mentioning can be a read-only memory, disk or CD etc.
More than to a kind of method that generates private key for user provided by the present invention, system, and subscriber equipment, key generation center be described in detail, used specific case herein principle of the present invention and execution mode are set forth, the explanation of above embodiment just is used for helping to understand method of the present invention and core concept thereof; Simultaneously, for one of ordinary skill in the art, according to thought of the present invention, the part that all can change in specific embodiments and applications, in sum, this description should not be construed as limitation of the present invention.

Claims (29)

1. method that generates private key for user, it is characterized in that: described method comprises:
Subscriber equipment is shared the sign generation subscriber equipment at key and key generation center and the shared key between the key generation center by the subscriber equipment and the boortstrap server function unit short-term that generate in advance;
Described subscriber equipment sends private key and generates request message to described key generation center, so that receiving after described private key generates request message, described key generation center sends authentication request message to described boortstrap server function unit, and the authentication by after return described shared key, described key generates the center and generates request message generation private key for user according to described private key, with returning to subscriber equipment after the described shared secret key encryption; Sign, private key demand parameter and described private key that described private key generation request message carries user ID, the shared key of described short-term generate the message authentication code of request message; Described private key demand parameter comprises the private key application type, so that described key generates private key for user is selected to generate in the center according to described private key application type algorithm;
Described subscriber equipment receives the private key for user and the deciphering of described encryption, obtains described private key for user.
2. the method for generation private key for user as claimed in claim 1 is characterized in that:
Carry short-term in the described authentication request message and share the sign of key and the sign that key generates the center, described boortstrap server function unit passes through the return authentication response message according to described authentication request message to the authentication of key generation center, and described authentication response message carries described shared key;
Described key generates the center according to the described message authentication code of described shared key authentication, after checking is passed through, generates private key for user according to described private key demand parameter, and returns to subscriber equipment after using described shared secret key encryption.
3. the method for generation private key for user as claimed in claim 2 is characterized in that:
Further carry the user security parameters at the center that generates specific to described key in the described authentication request message;
Described boortstrap server function unit obtains and describedly generates the user security parameters at center specific to described key after described key generation center authentication is passed through, and is carried at and returns to described key in the authentication response message and generate the center;
Described key generates the center and generates private key for user according to user security parameters in the described authentication response message and described private key demand parameter.
4. the method for generation private key for user as claimed in claim 1 is characterized in that: described private key demand parameter also comprises:
Requirement of strength is so that described key generates the center generates described private key for user according to described requirement of strength decision length.
5. the method for generation private key for user as claimed in claim 1 or 2 is characterized in that: described method also comprises:
Receive the term of validity of the described private key for user that returns at described key generation center.
6. method that generates private key for user, it is characterized in that: described method comprises:
Key generation center receives the private key generation request message that subscriber equipment sends; Described private key generates sign, private key demand parameter and the message authentication code that request message carries the shared key of short-term between user ID, described subscriber equipment and the boortstrap server function unit; Described private key demand parameter comprises the private key application type, so that described key generates private key for user is selected to generate in the center according to described private key application type algorithm;
Described key generates the center and generates request message to boortstrap server function unit transmission authentication request message according to described private key, so that described boortstrap server function unit generates center for described key to the authentication of described key generation center by back return authentication response message according to authentication request message, described authentication response message comprises shared key;
Described key generation center receives described authentication response message, generates request message according to described private key and generates private key for user, and return to subscriber equipment after using described shared secret key encryption.
7. the method for generation private key for user as claimed in claim 6 is characterized in that:
Described authentication request message comprises described short-term and shares the sign of key and the sign that described key generates the center, so that described boortstrap server function unit shares the sign of key according to described short-term and the sign at described key generation center authenticates and the return authentication response message described key generation center;
Described key generates the center according to the described message authentication code of described shared key authentication, after checking is passed through, generates private key for user according to described private key demand parameter.
8. the method for generation private key for user as claimed in claim 7 is characterized in that:
Further carry the user security parameters at the center that generates specific to described key in the described authentication request message; So that described boortstrap server function unit after described key generation center authentication is passed through, obtains and describedly generate the user security parameters at center specific to described key, and be carried at and return to described key in the authentication response message and generate the center;
Described key generates the center and generates private key for user according to user security parameters in the described authentication response message and described private key demand parameter.
9. the method for generation private key for user as claimed in claim 6 is characterized in that: described private key demand parameter also comprises:
Requirement of strength is so that described key generates the center generates described private key for user according to described requirement of strength decision length.
10. system that generates private key for user, it is characterized in that: described system comprises: subscriber equipment, key generate center and boortstrap server function unit;
Described subscriber equipment is used for sharing the sign acquisition subscriber equipment at key and key generation center and the shared key between the key generation center by the subscriber equipment and the boortstrap server function unit short-term that generate in advance; Send private key and generate request message to described key generation center, sign, private key demand parameter and described private key that described private key generation request message carries user ID, the shared key of described short-term generate the message authentication code of request message, described private key demand parameter comprises the private key application type, so that described key generates private key for user is selected to generate in the center according to described private key application type algorithm; Receive the private key for user and the deciphering of the described shared secret key encryption of returning at described key generation center of use, obtain described private key for user;
Described key generates the center, is used to receive described private key and generates request message; Generate request message according to described private key and send authentication request message to described boortstrap server function unit; Receive the authentication response message that comprises shared key that described boortstrap server function unit returns; Generate request message according to described private key and generate private key for user, and return to subscriber equipment after using described shared secret key encryption;
Described boortstrap server function unit is used to receive described authentication request message, to described key generation center authentication by after return the authentication response message that comprises described shared key and generate the center to key.
11. a subscriber equipment is characterized in that: described subscriber equipment comprises:
Share cipher key unit, be used for sharing the sign generation subscriber equipment at key and key generation center and the shared key between the key generation center by the subscriber equipment and the short-term between the boortstrap server function unit that generate in advance;
Private key generates request unit, be used to send private key and generate request message to described key generation center, so that receiving after described private key generates request message, described key generation center initiates authentication request to described boortstrap server function unit, and the authentication by after return described shared key, described key generates the center and generates request message generation private key for user according to described private key, with returning subscriber equipment after the described shared secret key encryption;
Decrypting device is used to receive the private key for user and the deciphering of described encryption, obtains described private key for user;
Short-term is shared the key identification unit, is used for generating request message at described private key and carries the sign that described short-term is shared key;
Private key demand parameter unit is used for generating request message at described private key and carries the private key demand parameter; Described private key demand parameter unit comprises: private key application type unit, be used for carrying the private key application type at described private key demand parameter, and make described key generate private key for user is selected to generate in the center according to described private key application type algorithm;
The message authentication code element is used for generating request message at described private key and portably uses the message authentication code that the shared key between described subscriber equipment and the key generation center generates.
12. the subscriber equipment as claim 11 is stated is characterized in that: described private key demand parameter unit also comprises:
The requirement of strength unit is used for carrying requirement of strength at described private key demand parameter, makes described key generate the center generates described private key for user according to described requirement of strength decision length.
13. a key generates the center, it is characterized in that: described key generation center comprises:
Private key generates request unit, be used to receive the private key generation request message that subscriber equipment sends, sign, private key demand parameter and described private key that described private key generation request message carries user ID, the shared key of described short-term generate the message authentication code of request message, and described private key demand parameter comprises the private key application type;
The authentication request unit, be used for generating request message and send authentication request message to the boortstrap server function unit according to described private key, so that described boortstrap server function unit generates center for described key to the authentication of described key generation center by back return authentication response message according to authentication request message, described authentication response message comprises shared key;
The authentication response message unit is used to receive described authentication response message;
The private key for user unit is used for generating request message according to described private key and generates private key for user, and returns to subscriber equipment after using described shared secret key encryption; Described private key for user unit comprises: private key application type unit, the private key application type that is used for comprising according to described private key demand parameter selects to generate the algorithm of private key for user.
14. key as claimed in claim 13 generates the center, it is characterized in that: described key generates the center and also comprises:
Authentication unit is used to use the described private key of described shared key authentication to generate the message authentication code that request message carries, and generates private key for user by described private key for user unit, back according to described private key generation request message in checking.
15. key as claimed in claim 13 generates the center, it is characterized in that: described key generates the center and also comprises:
The user security parameters unit is used for carrying specific to the user security parameters at described key generation center in described authentication request message; So that described boortstrap server function unit is after passing through the authentication of described key generation center, obtain the described user security parameters that generates the center specific to described key, and be carried at and return to described private key for user unit in the authentication response message, so that generating the private key demand parameter that request message carries according to the user security parameters in the described authentication response message and described private key, described private key for user unit generates private key for user.
16. key as claimed in claim 13 generates the center, it is characterized in that: described private key for user unit also comprises:
The requirement of strength unit, the requirement of strength decision that is used for carrying according to described private key demand parameter generates the length of described private key for user.
17. a method that generates private key for user is characterized in that, described method comprises:
Send private key generation request message to key and generate the center, described private key generates request message and carries the private key application type; Select suitable algorithm so that described key generates the center according to described private key application type, generate private key for user, and return to subscriber equipment;
Receive the private key for user that described key generation center is returned.
18. the method for generation private key for user as claimed in claim 17 is characterized in that, described private key generates request message and also comprises:
Requirement of strength is so that described key generates the center generates described private key for user according to described requirement of strength decision length.
19. the method as claim 17 or 18 described generation private key for user is characterized in that, described method also comprises:
Receive the term of validity of the described private key for user that returns at described key generation center.
20. a method that generates private key for user is characterized in that, described method comprises:
Receive the private key generation request message that has the private key application type that subscriber equipment sends;
Select suitable algorithm according to described private key application type, generate private key for user, and described private key for user is sent to described subscriber equipment.
21. the method for generation private key for user as claimed in claim 20 is characterized in that, describedly selects suitable algorithm to comprise according to described private key application type:
Generate the private key type authorization message that user ID that request message carries is obtained this user according to described private key, from described private key type authorization message, select suitable algorithm according to described private key application type.
22. the method for generation private key for user as claimed in claim 21 is characterized in that, described method also comprises:
The described private key for user length that the requirement of strength decision of carrying according to described private key generation request message generates.
23. the method as claim 20,21 or 22 described generation private key for user is characterized in that, described method also comprises:
Send described private key for user valid until subscriber equipment.
24. a system that generates private key for user is characterized in that, described system comprises:
Subscriber equipment is used to send private key and generates request message, and described private key generates request message and carries the private key application type; Receive private key for user;
Key generates the center, is used to receive the private key generation request message that has the private key application type that subscriber equipment sends; Select suitable algorithm according to described private key application type, generate private key for user, and return to described subscriber equipment described private key for user.
25. a subscriber equipment is characterized in that, described subscriber equipment comprises:
Private key generates request unit, is used to send private key generation request message to key and generates the center, and described private key generates request message and carries the private key application type; Select suitable algorithm so that described key generates the center according to described private key application type, generate private key for user, and return to subscriber equipment;
Receiving element is used to receive the private key for user that described key generation center is returned.
26. subscriber equipment as claimed in claim 25 is characterized in that, described subscriber equipment also comprises:
The requirement of strength unit is used for generating request message at described private key and carries requirement of strength, makes described key generate the center generates described private key for user according to described requirement of strength decision length.
27. a key generates the center, it is characterized in that described key generation center comprises:
Private key generates request unit, is used to receive the private key generation request message that has the private key application type that subscriber equipment sends;
The private key for user unit is used for selecting suitable algorithm according to described private key application type, generates private key for user, and described private key for user is returned to described subscriber equipment.
28. key as claimed in claim 27 generates the center, it is characterized in that described private key for user unit comprises:
Generation unit is used for generating the private key type authorization message that user ID that request message carries is obtained this user according to described private key, selects suitable algorithm according to described private key application type from described private key type authorization message, generates private key for user;
Transmitting element is used for described private key for user is sent to described subscriber equipment.
29. key as claimed in claim 28 generates the center, it is characterized in that, described key generates the center and also comprises:
The requirement of strength unit is used to make described private key for user unit to generate the described private key for user length that requirement of strength decision that request carries generates according to described private key.
CN2007101995801A 2007-12-14 2007-12-14 Method, system for generating private key for user, user equipment and cipher key generating center Active CN101459505B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007101995801A CN101459505B (en) 2007-12-14 2007-12-14 Method, system for generating private key for user, user equipment and cipher key generating center

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007101995801A CN101459505B (en) 2007-12-14 2007-12-14 Method, system for generating private key for user, user equipment and cipher key generating center

Publications (2)

Publication Number Publication Date
CN101459505A CN101459505A (en) 2009-06-17
CN101459505B true CN101459505B (en) 2011-09-14

Family

ID=40770150

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101995801A Active CN101459505B (en) 2007-12-14 2007-12-14 Method, system for generating private key for user, user equipment and cipher key generating center

Country Status (1)

Country Link
CN (1) CN101459505B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102299797A (en) * 2010-06-23 2011-12-28 财团法人工业技术研究院 Authentication method, key distribution method and authentication and key distribution method
CN101908959B (en) * 2010-07-28 2012-08-22 北京握奇数据系统有限公司 Method, equipment and system thereof for establishing shared key
CN103124215A (en) * 2013-01-25 2013-05-29 匡创公司 Self-certifying method with time marks
CN103986573A (en) * 2014-05-17 2014-08-13 北京深思数盾科技有限公司 Information safety device supporting IBC system
US10103885B2 (en) * 2016-01-20 2018-10-16 Mastercard International Incorporated Method and system for distributed cryptographic key provisioning and storage via elliptic curve cryptography
CN106789014A (en) * 2016-12-22 2017-05-31 上海上讯信息技术股份有限公司 It is a kind of to generate and use the method and apparatus of user terminal key
CN108847942A (en) * 2018-06-03 2018-11-20 李维刚 A kind of authentication method and system based on mark public key
CN109687959B (en) * 2018-12-29 2021-11-12 上海唯链信息科技有限公司 Key security management system, key security management method, key security management medium, and computer program
TWI702820B (en) * 2019-05-03 2020-08-21 開曼群島商現代財富控股有限公司 Secret sharing signature system with hierarchical mechanism and method thereof
CN112311543B (en) * 2020-11-17 2023-04-18 中国联合网络通信集团有限公司 GBA key generation method, terminal and NAF network element

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1558594A (en) * 2004-01-14 2004-12-29 哈尔滨工业大学 Method of handling secrecy, authentication, authority management and dispersion control for electronic files
CN101064595A (en) * 2006-04-27 2007-10-31 联想(北京)有限公司 Computer network safe input authentication system and method

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1558594A (en) * 2004-01-14 2004-12-29 哈尔滨工业大学 Method of handling secrecy, authentication, authority management and dispersion control for electronic files
CN101064595A (en) * 2006-04-27 2007-10-31 联想(北京)有限公司 Computer network safe input authentication system and method

Also Published As

Publication number Publication date
CN101459505A (en) 2009-06-17

Similar Documents

Publication Publication Date Title
CN101459505B (en) Method, system for generating private key for user, user equipment and cipher key generating center
AU2021206913B2 (en) Systems and methods for distributed data sharing with asynchronous third-party attestation
CN107425983A (en) A kind of unified identity authentication method and system platform based on WEB service
CN101189827B (en) Method for inclusive authentication and management of service provider, terminal and user identity module, and system and terminal device using the method
CN103490881B (en) Authentication service system, user authentication method, and authentication information processing method and system
EP2272202B1 (en) Method for distributed identification, a station in a network
US20090119763A1 (en) Method and system for providing single sign-on service
CN103220303B (en) The login method of server and server, authenticating device
EP2553894B1 (en) Certificate authority
CN101247407A (en) Network authentication service system and method
CN1977559B (en) Method and system for protecting information exchanged during communication between users
CN102055766B (en) Webservice service management method and system
CN102075327A (en) Method, device and system for unlocking electronic key
CN105208024A (en) Safe data transmission method and system adopting no HTTPS, client and server
CN102916965A (en) Safety authentication mechanism and safety authentication system thereof for cloud service interfaces
CN100450305C (en) Safety service communication method based on general authentification frame
CN104869000A (en) Identity-based cryptograph cross-domain secure communication method and system
JP3914193B2 (en) Method for performing encrypted communication with authentication, authentication system and method
Moon et al. An AAA scheme using ID-based ticket with anonymity in future mobile communication
Hada et al. Session authentication protocol for web services
Park et al. Open location-based service using secure middleware infrastructure in web services
Hoogenboom et al. Security for remote access and mobile applications
Sabouri A cloud-based model to facilitate mobility of privacy-preserving attribute-based credential users
Pitkanen et al. Initalizing mobile user's identity from federated security infrastructure
Moon et al. Device authentication/authorization protocol for home network in next generation security

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant