CN101800981A - Management method of dynamic security association and communication entity - Google Patents


Publication number: CN101800981A
Authority: CN (China)
Prior art keywords: communication entity, security association, dynamic security, message, dsa
Legal status: Pending
Application number: CN201010104374A
Other languages: Chinese (zh)
Inventors: 宋照红, 李瀛
Current assignee: Huawei Technologies Co Ltd; Shanghai Huawei Technologies Co Ltd
Original assignee: Shanghai Huawei Technologies Co Ltd

Abstract

The embodiments of the invention provide a management method of dynamic security association and a communication entity, aiming to solve the problems of the prior art that a communication entity cannot obtain the support capability for dynamic security association through negotiation and has to cooperate with other procedures to complete the management of a dynamic security association. The management method of dynamic security association comprises the following steps: a first communication entity operates on a dynamic security association and sends the operation event to a second communication entity in an operation message; the first communication entity receives a confirmation message from the second communication entity; and the first communication entity processes the dynamic security association accordingly, according to the confirmation message. On the basis of the invention the first communication entity and the second communication entity can learn each other's capability and establish good coordination, and so protect service flows better by using a DSA (dynamic security association).

Description

Management method of dynamic security association and communication entity
Technical field
The present invention relates to the field of wireless access networks, and in particular to a management method of dynamic security association and a communication entity.
Background technology
A security association (Security Association, SA) is a set of security information parameters shared between communication entities, for example between a base station (Base Station, BS) and a subscriber station (Subscriber Station, SS), and is used to guarantee the security of communication between them. The content of a security association includes the SA identifier (Security Association IDentifier, SAID), the security association type (Security Association Type, SAT), the cryptographic suite (Cryptographic Suite, CS) and the traffic encryption key parameters (Traffic Encryption Key Parameter, TEKP), among others; the TEKP in turn includes the traffic encryption key (Traffic Encryption Key, TEK), the TEK lifetime, the TEK sequence number, the initialization vector and so on. During data encryption or authentication the TEK is used to encrypt and authenticate the data. To keep the TEK refreshed over a long period while preserving service continuity, an SA usually manages two TEKs together with their attributes.
The SA definition distinguishes three association types: basic SA, static SA and dynamic SA. A dynamic security association (Dynamic Security Association, DSA) is a more flexible kind of security association and is tied to a dynamic service flow. Creating a DSA before a dynamic service flow is set up protects that service flow better. A dynamic security association can also be created at any time or removed, to initialise or stop a particular service flow. Compared with the other two types, the primary security association (Primary Security Association, PSA) and the static security association (Static Security Association, SSA), the DSA therefore receives more attention from industry.
However, the existing Worldwide Interoperability for Microwave Access (WiMAX) technical scheme only defines the creation procedure of a DSA. In the IEEE 802.16e protocol the DSA support capability cannot be obtained through negotiation; whether a communication entity supports DSA can only be fixed by interoperability testing before the manufacturer puts the entity it produced into service, or by the constraints of the WiMAX Forum. Cooperation between communication entities whose functional support capabilities differ therefore runs into problems: for example, for an old subscriber station, or a subscriber station that has not passed interoperability testing, the base station has to remain compatible in the functions it uses. Under the existing WiMAX technical scheme, even after creating a DSA a communication entity cannot know whether the creation succeeded, and there is no corresponding procedure for deleting or modifying an old DSA after a new DSA has been created. Creating a new DSA or releasing an old security association therefore has to be completed in cooperation with other procedures.
Summary of the invention
The embodiments of the invention provide a management method of dynamic security association and a communication entity, intended to solve the problems of the prior art that a communication entity cannot obtain the support capability for dynamic security association through negotiation and that managing a dynamic security association has to be completed in cooperation with other procedures.
A management method of dynamic security association comprises: a first communication entity operates on a dynamic security association and sends the operation event to a second communication entity in an operation message; the first communication entity receives a confirmation message from the second communication entity; and the first communication entity processes the dynamic security association accordingly, according to the confirmation message.
A communication entity comprises: an operation module, used to operate on a dynamic security association and to send the operation event to a second communication entity in an operation message; a receiving module, used to receive a confirmation message from the second communication entity; and a processing module, used to process the dynamic security association accordingly, according to the confirmation message.
A management method of dynamic security association comprises: a second communication entity receives a negotiation message sent by a first communication entity for negotiating a dynamic security association with the second communication entity; the second communication entity operates on the dynamic security association according to the negotiation message and its own capability parameters and sends a response message to the first communication entity; the second communication entity receives from the first communication entity a confirmation message sent in reply to the response message, and if the confirmation message indicates that the first communication entity accepts the second communication entity's operation on the dynamic security association, the second communication entity processes the dynamic security association accordingly, according to the confirmation message.
A communication entity comprises: a receiving module, used to receive a negotiation message sent by a first communication entity for negotiating a dynamic security association with this communication entity; an operation module, used to operate on the dynamic security association according to the negotiation message and the entity's own capability parameters and to send a response message to the first communication entity; and a processing module, used to receive from the first communication entity a confirmation message sent in reply to the response message and, when the confirmation message indicates that the base station accepts this communication entity's operation on the dynamic security association, to process the operated dynamic security association accordingly, according to the confirmation message.
In the embodiments of the invention a first communication entity operates on a certain dynamic security association, sends the operation event to a second communication entity in an operation message, receives a confirmation message for that operation message, and then processes the dynamic security association accordingly, according to the confirmation message. Because the technical scheme of the invention lets one side (base station or user terminal), when it operates on a certain dynamic security association DSA, make the other side aware of the operation event in time and feed back a corresponding message, manufacturers do not need to carry out interoperability testing in advance. On the basis of these operations the first and second communication entities learn each other's capability and establish good cooperation, and so use the DSA to protect service flows better.
Description of drawings
To illustrate the technical schemes of the embodiments of the invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are introduced briefly below. Obviously the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the basic flow of a management method of dynamic security association provided by embodiment one of the invention;
Fig. 2 is a schematic diagram of the basic flow of a management method of dynamic security association provided by embodiment two of the invention;
Fig. 3 is a schematic diagram of the interaction between a first communication entity and a second communication entity when a certain DSA is created, provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of the interaction between a first communication entity and a second communication entity when a certain DSA is modified, provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of the interaction between a first communication entity and a second communication entity when a certain DSA is deleted, provided by an embodiment of the invention;
Fig. 6 is a schematic diagram of the basic logical structure of a communication entity provided by embodiment one of the invention;
Fig. 7 is a schematic diagram of the basic logical structure of a communication entity provided by embodiment two of the invention.
Embodiments
The technical schemes of the embodiments of the invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Referring to Fig. 1, the management method of dynamic security association provided by embodiment one of the invention comprises:
Step S101: a first communication entity operates on a dynamic security association and sends the operation event to a second communication entity in an operation message.
In this embodiment, the operation that the first communication entity (for example a base station) performs on a DSA may be creating a certain DSA, modifying a certain DSA or deleting a certain DSA. After completing such an operation the first communication entity sends the operation event to the second communication entity (for example a user terminal or subscriber station SS) in an operation message. After receiving the operation message the second communication entity sends a confirmation message for it, indicating whether it accepts or refuses the operation the first communication entity performed on the DSA.
The key may be delivered as part of the security association attributes in the operation message above, or transmitted in a separate message. When the key is transmitted in a separate message, this can be completed by a two-way handshake of request/reply or of active delivery/reply confirmation; a stricter procedure can be completed by a three-way request/confirmation handshake.
Take the first communication entity creating a certain DSA as an example. After the first communication entity has created the DSA successfully, it starts the TEK state machine if the encryption function is enabled, and once it has delivered the TEK used for encryption and decryption to the peer entity it can enable encryption and decryption of data. The operation message for creating the DSA that the first communication entity sends to the second communication entity, for example an SA_Addition message, indicates the relevant attributes of the created DSA. In this embodiment the SA_Addition message format can be as shown in table 1 below:
Table 1: SA_Addition message (attribute item: content)
Transaction ID: uniquely identifies the handshake signalling transaction that creates this DSA
Key Sequence Number: sequence number of the key KI generated when this DSA is created
SA-Descriptor(s) (one or more): one or more DSA descriptors; each DSA includes attributes such as the security association identifier, security association type, security association service type, cryptographic suite, traffic encryption key and key lifetime
Digest: message digest computed with the key KI according to the digest algorithm, used to protect message integrity
The SA_Addition message can also include a frame number (Frame Number), which tells the first and second communication entities that the newly created DSA is to be enabled at the arrival of the frame the frame number denotes. If no frame number is carried, the newly created DSA is brought into use from the moment the confirmation message from the peer entity is received.
Take the first communication entity modifying a certain DSA as an example. After modifying the DSA the first communication entity does not enable the modified DSA immediately. It sends the event of modifying the DSA to the second communication entity in an operation message, for example an SA_Change message. In this embodiment the SA_Change message can be as shown in table 2 below:
Table 2: SA_Change message (attribute item: content)
Transaction ID: uniquely identifies the handshake signalling transaction that modifies this DSA
Old SAID: old security association identifier
New SAID: new security association identifier (the modified security association identifier)
Old SA Parameter: old security association parameters (the parameters being modified)
New SA Parameter: new security association parameters (the parameters after modification)
Digest: message digest computed with the key KI according to the digest algorithm, used to protect message integrity
The SA_Change message can also include a frame number (Frame Number), which tells the first and second communication entities that the original DSA is replaced by the modified DSA at the arrival of the frame the frame number denotes, that is, the modified DSA is enabled at the moment that frame arrives. If no frame number is carried, the modified DSA is brought into use from the confirmation message of the peer entity.
Take the first communication entity deleting a certain DSA as an example. While or after deleting the DSA the first communication entity sends the event to the second communication entity in an operation message, for example an SA_Delete message. In this embodiment the SA_Delete message can be as shown in table 3 below:
Table 3: SA_Delete message (attribute item: content)
Transaction ID: uniquely identifies the handshake signalling transaction that deletes this DSA
SAID: security identifier of the deleted DSA
Digest: message digest computed with the key KI according to the digest algorithm, used to protect message integrity
The SA_Delete message includes at least the identifier of the deleted DSA.
When the first communication entity sends the second communication entity the deletion message for deleting the dynamic security association (for example the SA_Delete message), it stops the encryption function of the TEK in the deleted DSA at once but keeps the decryption function; only when it receives the confirmation message from the second communication entity indicating acceptance of the deletion of this DSA does it stop the decryption function and release the TEK state machine.
The SA_Delete message can also include a frame number (Frame Number), which tells the first and second communication entities to delete the DSA at the arrival of the frame the frame number denotes, that is, the DSA is disabled from the start of that frame. If no frame number is carried, deletion of the dynamic security association begins from the moment the confirmation message from the peer communication entity is received.
In addition, in this embodiment, after the first communication entity has operated on a certain dynamic security association and sent the operation event to the second communication entity in an operation message, it waits for the second communication entity's confirmation message for that operation message. If the confirmation message arrives before the waiting timer expires, the waiting timer is stopped. If the waiting timer exceeds the set time and the first communication entity has still not received the second communication entity's confirmation message, the first communication entity resends the operation message to the second communication entity and restarts the waiting timer. If the confirmation message is still not received after the waiting timer again exceeds the set time, the operation message is retransmitted once more, until the number of retransmissions exceeds the set count.
Step S102: the first communication entity receives the confirmation message from the second communication entity.
Take the first communication entity creating a certain DSA and sending an SA_Addition message as an example. When the first communication entity has created the DSA and sent the SA_Addition message to the second communication entity, the confirmation message SA_ACK that the second communication entity feeds back to the first communication entity according to its own capability can be as shown in table 4 below:
Table 4: SA_ACK message (attribute item: content)
Transaction ID: uniquely identifies the handshake signalling transaction that creates this DSA
SA ID: security association identifier of the created DSA
Confirmation Code: the confirmed state
Digest: message digest computed with the key KI according to the digest algorithm, used to protect message integrity
The Confirmation Code attribute indicates whether the creation of the DSA by the first communication entity is accepted; if it is not accepted, the reason is indicated by an error reason code (ErrCode).
Take the first communication entity modifying a certain DSA and sending an SA_Change message as an example. After the first communication entity has modified the DSA and sent this operation event to the second communication entity in an operation message (for example the SA_Change message), the second communication entity feeds back a confirmation message SA_ACK to the first communication entity according to its own capability, indicating whether it accepts the first communication entity's modification of this DSA; if not, the reason is indicated by an error reason code (ErrCode), for example that the DSA corresponding to the SA identifier does not exist, or that the DSA corresponding to the SA identifier is in use and may not be modified.
Take the first communication entity deleting a certain DSA and sending an SA_Delete message as an example. After deleting the DSA the first communication entity sends this operation event to the second communication entity in an operation message (for example the SA_Delete message). The second communication entity feeds back a confirmation message SA_ACK to the first communication entity according to its own capability, indicating whether it accepts the first communication entity's deletion of this DSA; if not, the reason is indicated by an error reason code (ErrCode), for example that the DSA corresponding to the SA identifier does not exist, or that the DSA designated by the SA identifier is in use and may not be deleted.
Step S103: the first communication entity processes the dynamic security association accordingly, according to the confirmation message.
Take the first communication entity creating a certain DSA and sending an SA_Addition message as an example. If the second communication entity confirms this created DSA, then, if the encryption function is enabled, the first communication entity starts the traffic encryption key TEK state machine, encrypts the data and delivers the encryption/decryption key to the second communication entity. If the second communication entity refuses the created DSA, the first communication entity acts on the error reason code (ErrCode) in the SA_ACK message fed back by the second communication entity, for example by breaking off the subsequent interaction with the second communication entity.
Take the first communication entity modifying a certain DSA and sending an SA_Change message as an example. If the second communication entity confirms the modification, then after receiving the confirmation message for the SA_Change message the first communication entity replaces the original DSA with the modified DSA at the arrival of the frame denoted by the frame number (Frame Number) specified in the SA_Change message, that is, it enables the modified DSA when the frame denoted by that frame number arrives, and starts the traffic encryption key TEK state machine if the encryption function is enabled. If the SA_Change message carries no frame number, the first communication entity enables the modified DSA from the frame in which it receives the confirmation message, and likewise the second communication entity enables the modified DSA from the frame in which it sends the confirmation message.
Take the first communication entity deleting a certain DSA and sending an SA_Delete message as an example. If the second communication entity accepts the deletion of this DSA, the DSA is deleted at the arrival of the frame denoted by the frame number (Frame Number) specified in the SA_Delete message, that is, the DSA to be deleted is taken out of service when the frame denoted by that frame number arrives, and the traffic encryption key TEK state machine is likewise stopped if the encryption function is enabled. If the SA_Delete message carries no frame number, then after receiving the confirmation message for the SA_Delete message the first communication entity stops the decryption function of the traffic encryption key TEK in the deleted DSA and releases the traffic encryption key TEK state machine.
As can be seen from embodiment one above, the technical scheme of the invention lets one communication entity, when it operates on a certain DSA, make the other communication entity aware of the operation event in time and feed back a corresponding message, so that manufacturers do not need to carry out interoperability testing in advance. On the basis of these operations the first and second communication entities learn each other's capability and establish good cooperation, and so use the DSA to protect service flows better.
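The operation/confirmation exchange of steps S101 to S103, as an added example that is not code from the patent: it models the SA_Addition and SA_Delete operation messages and the SA_ACK reply with Confirmation Code and ErrCode, the frame-number activation of a new DSA, the waiting-timer retransmission up to a set count, and the encrypt-then-decrypt shutdown order on deletion. KI, HMAC-SHA256 as the digest algorithm, the code values and the cryptographic suite names are constructed assumptions; the patent fixes none of them.

```python
import hashlib
import hmac

# Constructed model of embodiment one (tables 1, 3 and 4), not code from the patent: KI is a
# constructed shared key; HMAC-SHA256, the Confirmation Code and ErrCode values are assumptions.
KI = b"constructed-shared-authorization-key"

def digest(msg):
    # The 'Digest' item: computed with KI over every other attribute item of the message
    body = "|".join(f"{k}={msg[k]}" for k in sorted(msg) if k != "Digest")
    return hmac.new(KI, body.encode(), hashlib.sha256).hexdigest()

def verify(msg):
    return hmac.compare_digest(msg.get("Digest", ""), digest(msg))

class SecondEntity:
    """Subscriber station: accepts or refuses according to its own capability (S102)."""
    def __init__(self, supported_suites):
        self.supported_suites = set(supported_suites)
        self.sas = {}        # SAID -> cryptographic suite of each DSA accepted so far
        self.drop_next = 0   # constructed: number of operation messages to 'lose' in transit

    def handle(self, msg):
        if self.drop_next > 0:
            self.drop_next -= 1
            return None                  # lost on the air interface: no SA_ACK comes back
        if not verify(msg):
            return None                  # digest mismatch: the message is ignored
        ack = {"Transaction ID": msg["Transaction ID"], "SA ID": msg["SAID"]}
        if msg["Type"] == "SA_Addition":
            if msg["SAID"] in self.sas:
                ack.update({"Confirmation Code": "REJECT", "ErrCode": "SA_EXISTS"})
            elif msg["Cryptographic Suite"] not in self.supported_suites:
                ack.update({"Confirmation Code": "REJECT", "ErrCode": "SUITE_UNSUPPORTED"})
            else:
                self.sas[msg["SAID"]] = msg["Cryptographic Suite"]
                ack["Confirmation Code"] = "ACCEPT"
        else:                            # SA_Delete
            if msg["SAID"] not in self.sas:
                ack.update({"Confirmation Code": "REJECT", "ErrCode": "SA_NOT_FOUND"})
            else:
                del self.sas[msg["SAID"]]
                ack["Confirmation Code"] = "ACCEPT"
        ack["Digest"] = digest(ack)
        return ack

class FirstEntity:
    """Base station: operates on the DSA, sends the event, acts on the SA_ACK (S101 to S103)."""
    def __init__(self, peer, max_resend=2):
        self.peer = peer
        self.max_resend = max_resend   # retransmissions allowed after the first send
        self.next_tx = 0
        self.tek = {}        # SAID -> {"encrypt", "decrypt"}: the TEK state machine per DSA
        self.pending = {}    # SAID -> frame number at which the new DSA is to be enabled
        self.attempts = 0    # sends used by the last transaction, for inspection

    def _send(self, msg):
        """Send, then wait on the timer; every expiry without an SA_ACK retransmits."""
        msg["Digest"] = digest(msg)
        for attempt in range(1, self.max_resend + 2):
            self.attempts = attempt
            ack = self.peer.handle(msg)
            if ack and verify(ack) and ack["Transaction ID"] == msg["Transaction ID"]:
                return ack
        return None          # retransmission count exceeded: the operation is abandoned

    def create_sa(self, said, suite, frame_number=None):
        self.next_tx += 1
        msg = {"Type": "SA_Addition", "Transaction ID": self.next_tx,
               "Key Sequence Number": 1, "SAID": said, "Cryptographic Suite": suite}
        if frame_number is not None:
            msg["Frame Number"] = frame_number
        ack = self._send(msg)
        if ack is None:
            return "NO_ACK"
        if ack["Confirmation Code"] != "ACCEPT":
            return ack["ErrCode"]        # S103: handle according to the error reason code
        if frame_number is None:
            self.tek[said] = {"encrypt": True, "decrypt": True}   # enabled on the SA_ACK
        else:
            self.pending[said] = frame_number                      # enabled at that frame
        return "ACCEPT"

    def on_frame(self, frame_number):
        # Frame arrival: start the TEK state machine of every DSA due at this frame
        for said in [s for s, f in self.pending.items() if f <= frame_number]:
            del self.pending[said]
            self.tek[said] = {"encrypt": True, "decrypt": True}

    def delete_sa(self, said):
        self.next_tx += 1
        msg = {"Type": "SA_Delete", "Transaction ID": self.next_tx, "SAID": said}
        if said in self.tek:
            self.tek[said]["encrypt"] = False   # stop encrypting as SA_Delete goes out
        ack = self._send(msg)
        if ack is not None and ack["Confirmation Code"] == "ACCEPT":
            self.tek.pop(said, None)            # SA_ACK in: stop decrypting, release the TEK
            return "ACCEPT"
        return "NO_ACK" if ack is None else ack["ErrCode"]
```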
Referring to Fig. 2, a schematic diagram of the basic flow of the management method of dynamic security association provided by embodiment two of the invention. In this embodiment the second communication entity may be a user terminal or subscriber station SS and the first communication entity may be a base station. Embodiment two, illustrated in Fig. 2, mainly comprises:
Step S201: the second communication entity receives a negotiation message sent by the first communication entity for negotiating a dynamic security association with the second communication entity;
Step S202: the second communication entity operates on the dynamic security association according to the negotiation message and its own capability parameters and sends a response message to the first communication entity;
Step S203: the second communication entity receives from the first communication entity a confirmation message sent in reply to the response message, and if the confirmation message indicates that the first communication entity accepts the second communication entity's operation on the dynamic security association, the second communication entity processes the dynamic security association accordingly.
Taking the creation, modification and deletion of a certain DSA as examples in turn, the technical schemes of embodiment two and embodiment three are described below by illustrating the interaction between the second communication entity and the first communication entity.
As shown in Fig. 3, the interaction between the first communication entity and the second communication entity when a certain DSA is created comprises:
S301: the first communication entity sends a negotiation message for negotiating with the second communication entity the creation of a certain dynamic security association. For example, the first communication entity sends an SA_Addition_Req message to negotiate the creation of a certain DSA with the second communication entity; its format can be as shown in table 5 below:
Table 5: SA_Addition_Req message (attribute item: content)
Transaction ID: uniquely identifies the handshake signalling transaction that creates this DSA
Random: random number newly generated during the creation of this DSA
Key Sequence Number: the sequence number of the key KI
Key Life Time: lifetime of the key KI
Security-Capabilities: security capabilities, for example the supported data encryption algorithms, data authentication algorithms and list of traffic encryption key algorithms
Security Negotiation Parameters: the security negotiation parameters, including the supported protocol version, authentication policy, message authentication mode, packet window size, flow control strategy, number of security associations and so on
SA-Descriptor(s) (one or more): security association descriptors; each security association includes attributes such as the security association identifier, security association type, security association service type, cryptographic suite, traffic encryption key and key lifetime
Digest: message digest computed with the key KI according to the digest algorithm, used to protect message integrity
Because each side's capability or state is unknown to the other side, the first and second communication entities first negotiate the relevant attributes of the DSA about to be created; that is, in this embodiment the SA_Addition_Req message should include the relevant attributes of the DSA that is about to be created.
S302, first communication entity is waited for the response message of second communication entity;
In the present embodiment, first communication entity can start a waiting timer when sending negotiation message, if this waiting timer does not have overtime, then first communication entity can be waited for the response message of request message always, if also do not receive the response message of described request message after waiting timer is overtime, then first communication entity can resend with second communication entity and consult to create the negotiation message of a certain dynamic security association and restart the timer waiting timer once more.If do not receive acknowledge message yet after surpassing the time that waiting timer sets, then re-transmission request message once more surpasses the number of repetition of setting up to the number of times that sends a request message.
What S303, second communication entity received that first communication entity sends consults to create the negotiation message of a certain DSA with second communication entity, creates DSA according to association attributes and the self-ability parameter of DSA;
S304, second communication entity send the response message of negotiation message to first communication entity;
Response message, for example SA_Additon_Rsp message is indicated the first communication entity acceptable DSA association attributes, promptly, response message has comprised the first communication entity self-ability parameter and has been about to the common factor of the association attributes of a certain DSA of establishment (i.e. the association attributes of a certain DSA that second communication entity and first communication entity negotiation will soon be created), and its form can be as shown in table 6 below:
Table 6
The attribute item Particular content
?Transaction?ID Unique identification is created the shake hands Transaction Identifier of signaling procedure of this DsA
?Random Newly-generated random number
?Key?Sequence?Number Concrete KI sequence number
?Key?Life?Time The life span of KI
?Security?Negotiation?Parameters The security negotiation parameter comprises protocol version, authentication policy, message authentication pattern, packet window size, Flow Control strategy and the security association number etc. of support
?(one?or?more)SA-Descriptor(s) The security association characterising parameter, wherein, each security association comprises attributes such as security association sign, security association type, security association type of service, encryption suite, traffic encryption key and cryptographic key existence time
?Digest According to digest algorithm, calculate the eap-message digest that is used to be used for protecting message integrity with KI
S305, the second communication entity waits for the acknowledgement message from the first communication entity;
In this embodiment, the second communication entity may start a waiting timer after sending the response message to the negotiation message. Before this waiting timer expires, the second communication entity keeps waiting for the acknowledgement message from the first communication entity, for example an SA_Addition_ACK message. If no acknowledgement message from the first communication entity has been received when the waiting timer expires, the second communication entity resends the response message and restarts the waiting timer. If an acknowledgement message is still not received within the time set by the waiting timer, the response message may be retransmitted again, until the number of times the response message has been sent exceeds the configured repetition count.
S306, the first communication entity sends to the second communication entity an acknowledgement message for the response message. This acknowledgement message indicates whether the first communication entity accepts the created DSA; if it does not, the acknowledgement message should also indicate the reason for not accepting it.
S307, if the acknowledgement message indicates that the first communication entity accepts the DSA created by the second communication entity, the second communication entity enables the association attributes of the created DSA.
It should be noted that in this embodiment the acknowledgement message for the response message may carry a frame number (Frame Number), which notifies the second communication entity that the first communication entity will enable the association attributes of the operated dynamic security association when the frame indicated by this frame number arrives, or after it has arrived. For example, if the SA_Addition_ACK message carries a frame number, the first communication entity is in effect notifying the second communication entity that it will enable the association attributes of the DSA created by the second communication entity after the frame indicated by this frame number arrives at the second communication entity. If the acknowledgement message carries no frame number, the first communication entity enables the association attributes of the DSA created by the second communication entity immediately, starting from the frame in which the SA_Addition_ACK message is sent.
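The following Python simulation is an added illustration, not code from the patent: it walks through the creation handshake above (request with proposed attributes, SA_Addition_Rsp carrying the intersection with the responder's own capabilities, SA_Addition_ACK with an optional Frame Number) together with the sender's waiting timer and retry cap. The message names follow the page; the shared key, the attribute values, the HMAC-SHA256 digest, the retry limit and the lossy channel are constructed assumptions.

```python
import hashlib
import hmac
import json
import os

MAX_RETRIES = 3  # assumption: retransmissions allowed after the first send

def digest(key: bytes, body: dict) -> str:
    # The page leaves the digest algorithm open; HMAC-SHA256 over the sorted fields is an assumption.
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def build_msg(msg_type: str, key: bytes, **fields) -> dict:
    body = {"type": msg_type, **fields}
    return {**body, "Digest": digest(key, body)}

def verify_msg(msg: dict, key: bytes) -> bool:
    body = {k: v for k, v in msg.items() if k != "Digest"}
    return hmac.compare_digest(msg.get("Digest", ""), digest(key, body))

class LossyChannel:
    """Constructed channel: the first `drop_count` messages are lost, which is how
    the example models expiry of the sender's waiting timer."""
    def __init__(self, drop_count: int = 0):
        self.drop_count = drop_count

    def deliver(self, msg: dict):
        if self.drop_count > 0:
            self.drop_count -= 1
            return None
        return msg

class SecondEntity:
    """Responder (e.g. the user terminal) holding its own capability list."""
    def __init__(self, key: bytes, own_suites):
        self.key, self.own_suites = key, set(own_suites)
        self.pending = {}  # Transaction ID -> negotiated SA-Descriptor
        self.active = {}   # SAID -> {"suites": [...], "activate_at": frame number or None}

    def on_request(self, req):
        # S303: build the DSA from the proposed attributes and own capabilities
        if req is None or not verify_msg(req, self.key):
            return None  # lost or tampered request: the initiator's timer will expire
        desc = dict(req["SA-Descriptor"])
        desc["suites"] = [s for s in desc["suites"] if s in self.own_suites]  # the intersection
        self.pending[req["Transaction ID"]] = desc
        # S304: SA_Addition_Rsp carries only the attributes acceptable to this side
        return build_msg("SA_Addition_Rsp", self.key, **{
            "Transaction ID": req["Transaction ID"], "Random": os.urandom(8).hex(),
            "Key Sequence Number": req["Key Sequence Number"],
            "Key Life Time": req["Key Life Time"], "SA-Descriptor": desc})

    def on_ack(self, ack: dict) -> bool:
        # S307: enable the created DSA only on an authentic, accepting SA_Addition_ACK
        desc = self.pending.pop(ack["Transaction ID"], None)
        if desc is None or not verify_msg(ack, self.key) or not ack["Accept"]:
            return False
        self.active[desc["SAID"]] = {"suites": desc["suites"], "activate_at": ack.get("Frame Number")}
        return True

    def is_active(self, said: int, current_frame: int) -> bool:
        # Attributes take effect at the Frame Number carried in the ACK, or at once if absent
        entry = self.active.get(said)
        return entry is not None and (entry["activate_at"] is None or current_frame >= entry["activate_at"])

class FirstEntity:
    """Initiator (e.g. the base station)."""
    def __init__(self, key: bytes):
        self.key = key

    def create_dsa(self, peer, channel, said: int, proposed_suites, frame_number=None) -> dict:
        tid = os.urandom(4).hex()
        req = build_msg("SA_Addition_Req", self.key, **{
            "Transaction ID": tid, "Random": os.urandom(8).hex(), "Key Sequence Number": 1,
            "Key Life Time": 3600, "SA-Descriptor": {"SAID": said, "suites": list(proposed_suites)}})
        # Send and wait: a lost message stands for waiting-timer expiry, after which the
        # request is resent until the retry budget is used up.
        attempts, rsp = 0, None
        while rsp is None and attempts <= MAX_RETRIES:
            attempts += 1
            rsp = peer.on_request(channel.deliver(req))
        if rsp is None:
            return {"status": "failed", "attempts": attempts}
        if not verify_msg(rsp, self.key) or rsp["Transaction ID"] != tid:
            return {"status": "rejected", "attempts": attempts, "reason": "bad digest or transaction id"}
        common = rsp["SA-Descriptor"]["suites"]
        accept = bool(common)
        ack_fields = {"Transaction ID": tid, "Accept": accept}
        if not accept:
            ack_fields["Reason"] = "no common cryptographic suite"  # S306: reason for not accepting
        if frame_number is not None:
            ack_fields["Frame Number"] = frame_number  # activation deferred to this frame
        peer.on_ack(build_msg("SA_Addition_ACK", self.key, **ack_fields))  # ACK assumed delivered
        return {"status": "created" if accept else "rejected", "attempts": attempts,
                "suites": common, "activate_at": frame_number}
```

Responder-side retransmission of the response message (S305) is not modelled; the initiator's retry loop shows the same pattern.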
Referring to Fig. 4, the interaction diagram for modifying a certain DSA between the first communication entity and the second communication entity comprises:
S401, the first communication entity sends a negotiation message for negotiating the modification of a certain DSA with the second communication entity. For example, the first communication entity sends an SA_Change_Req message to negotiate the modification of a certain DSA with the second communication entity; its format may be as shown in Table 7 below:
Table 7

| Attribute | Content |
|---|---|
| Transaction ID | Transaction identifier that uniquely identifies the handshake signaling procedure modifying this DSA |
| Random | Random number newly generated during the modification of this DSA |
| Key Sequence Number | Sequence number of the specific key (KI) |
| Key Life Time | Lifetime of the key (KI) |
| Security-Capabilities | Security capabilities, for example the supported data encryption algorithms, data authentication algorithms and list of traffic encryption key algorithms, etc. |
| Security Negotiation Parameters | Security negotiation parameters, including the supported protocol version, authentication policy, message authentication mode, packet window size, flow control policy, number of security associations, etc. |
| (one or more) SA-Descriptor(s) | Security association descriptor parameters; each security association includes attributes such as the security association identifier, security association type, security association service type, cryptographic suite, traffic encryption key and key lifetime |
| Digest | Message digest computed with the key (KI) according to the digest algorithm, used to protect message integrity |
Because the capabilities or state of one communication entity are unknown to the other, the first communication entity and the second communication entity first negotiate the association attributes of the DSA about to be modified; that is, in this embodiment, the SA_Change_Req message should contain the association attributes of the DSA about to be modified.
S402, the first communication entity waits for the response message from the second communication entity;
In this embodiment, the first communication entity may start a waiting timer when it sends the negotiation message. As long as the timer has not expired, the first communication entity keeps waiting for the response message from the second communication entity. If no response to the request message has been received when the waiting timer expires, the first communication entity resends the negotiation message for modifying the dynamic security association with the second communication entity and restarts the waiting timer. If a response is still not received within the time set by the waiting timer, the request message is retransmitted again, until the number of times the request message has been sent exceeds the configured repetition count.
S403, the second communication entity receives the negotiation message sent by the first communication entity for negotiating the modification of a certain DSA with the second communication entity, and modifies the DSA according to the association attributes of the DSA and its own capability parameters;
S404, the second communication entity sends a response message to the first communication entity;
The response message, for example an SA_Change_Rsp message, indicates the DSA association attributes acceptable to the second communication entity; that is, this response message contains the intersection of the second communication entity's own capability parameters and the association attributes of the DSA about to be modified (i.e. the association attributes of the DSA that the first communication entity and the second communication entity are negotiating to modify). Its format may be as shown in Table 8 below:
Table 8

| Attribute | Content |
|---|---|
| Transaction ID | Transaction identifier that uniquely identifies the handshake signaling procedure modifying this DSA |
| Random | Random number newly generated during the modification of this DSA |
| Key Sequence Number | Sequence number of the specific key (KI) |
| Key Life Time | Lifetime of the key (KI) |
| Security-Capabilities | Security capabilities, for example the supported data encryption algorithms, data authentication algorithms and list of traffic encryption key algorithms, etc. |
| Security Negotiation Parameters | Security negotiation parameters, including the supported protocol version, authentication policy, message authentication mode, packet window size, flow control policy, number of security associations, etc. |
| (one or more) SA-Descriptor(s) | Security association descriptor parameters; each security association includes attributes such as the security association identifier, security association type, security association service type, cryptographic suite, traffic encryption key and key lifetime |
| Digest | Message digest computed with the key (KI) according to the digest algorithm, used to protect message integrity |
S405, the second communication entity waits for the first communication entity's acknowledgement message for the response message;
In this embodiment, the second communication entity may start a waiting timer after sending the response message. Before this waiting timer expires, the second communication entity keeps waiting for the acknowledgement message for the response message, for example an SA_Addition_ACK message. If no acknowledgement message for the response message has been received when the waiting timer expires, the second communication entity resends the response message to the request message and restarts the waiting timer. If an acknowledgement message is still not received within the time set by the waiting timer, the response message may be retransmitted again, until the number of times the response message has been sent exceeds the configured repetition count.
S406, the first communication entity sends an acknowledgement message to the second communication entity. This acknowledgement message indicates whether the first communication entity accepts the DSA modified by the second communication entity; if it does not, the acknowledgement message should also indicate the reason for not accepting it. The error reason may be, for example, that the DSA specified by the SA identifier of the DSA does not exist, or that the DSA specified by the SA identifier is in use and modification is not allowed, and so on.
S407, if the acknowledgement message indicates that the first communication entity accepts the DSA modified by the second communication entity, the second communication entity enables the association attributes of the modified DSA.
It should be noted that in this embodiment the acknowledgement message may also carry a frame number (Frame Number), which notifies the second communication entity that the first communication entity will enable the association attributes of the operated dynamic security association when the frame indicated by this frame number arrives, or after it has arrived. For example, if the SA_Change_ACK message carries a frame number, the first communication entity is in effect notifying the second communication entity that it will enable the association attributes of the DSA modified by the second communication entity after the frame indicated by this frame number arrives at the second communication entity. If the acknowledgement message carries no frame number, the first communication entity enables the association attributes of the DSA modified by the second communication entity immediately, starting from the frame in which the SA_Change_ACK message is sent.
Referring to Fig. 5, the interaction diagram for deleting a certain DSA between the second communication entity and the first communication entity comprises:
S501, the first communication entity sends a negotiation message for negotiating the deletion of a certain DSA with the second communication entity. For example, the first communication entity sends an SA_Delete_Req message to negotiate the deletion of a certain DSA with the second communication entity; its format may be as shown in Table 9 below:
Table 9

| Attribute | Content |
|---|---|
| Transaction ID | Transaction identifier that uniquely identifies the handshake signaling procedure deleting this DSA |
| SAID | Security association identifier of the DSA to be deleted |
| Digest | Message digest computed with the key (KI) according to the digest algorithm, used to protect message integrity |
Because the capabilities or state of one communication entity are unknown to the other, the first communication entity and the second communication entity first negotiate which DSA is about to be deleted; that is, in this embodiment, the SA_Delete_Req message should identify the DSA about to be deleted.
S502, the first communication entity waits for the response message from the second communication entity;
In this embodiment, the first communication entity may start a waiting timer when it sends the negotiation message. As long as the timer has not expired, the first communication entity keeps waiting for the response message from the second communication entity. If no response message from the second communication entity has been received when the waiting timer expires, the first communication entity resends the request message asking the second communication entity to delete the dynamic security association and restarts the waiting timer. If a response message is still not received within the time set by the waiting timer, the request message is retransmitted again, until the number of times the request message has been sent exceeds the configured repetition count.
S503, the second communication entity receives the request message sent by the first communication entity for negotiating the deletion of a certain DSA with the second communication entity, and stops using the traffic encryption key (TEK) in the DSA about to be deleted for data encryption;
S504, the second communication entity sends a response message to the first communication entity;
The response message, for example an SA_Delete_Rsp message, indicates whether the second communication entity accepts the deletion of the DSA; that is, the response message contains information on whether the second communication entity accepts the deletion of the DSA negotiated by the first communication entity. Its format may be as shown in Table 10 below:
Table 10

| Attribute | Content |
|---|---|
| Transaction ID | Transaction identifier that uniquely identifies the handshake signaling procedure deleting this DSA |
| SAID | Security association identifier of the DSA to be deleted |
| Digest | Message digest computed with the key (KI) according to the digest algorithm, used to protect message integrity |
S505, the second communication entity waits for the acknowledgement message from the first communication entity;
In this embodiment, the second communication entity may start a waiting timer after sending the response message. Before this waiting timer expires, the second communication entity keeps waiting for the acknowledgement message from the first communication entity, for example an SA_Delete_ACK message. If no acknowledgement message from the first communication entity has been received when this waiting timer expires, the second communication entity resends the response message to the request message and restarts this timer. If an acknowledgement message is still not received within the time set by the waiting timer, the response message may be retransmitted again, until the number of times the response message has been sent exceeds the configured repetition count.
S506, the first communication entity sends an acknowledgement message to the second communication entity. This acknowledgement message indicates whether the first communication entity accepts the deletion of the DSA initiated by the second communication entity; if it does not, the acknowledgement message should also indicate the reason for not accepting it. The error reason may be, for example, that the DSA specified by the SA identifier of the DSA does not exist, or that the DSA specified by the SA identifier is in use and deletion is not allowed, and so on.
S507, if the acknowledgement message indicates that the first communication entity accepts the deletion of the DSA by the second communication entity, the second communication entity deletes this DSA.
As can be seen from embodiment two of the present invention described above, the technical solution of the present invention allows one communication entity, when operating on a certain DSA, to let the other communication entity learn of the operation event in time and feed back the corresponding message through a more detailed negotiation procedure, without manufacturers having to carry out interoperability tests in advance. Based on these operations, the first communication entity and the second communication entity can learn each other's capabilities and establish good coordination, thereby better protecting service flows with DSAs.
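As an added illustration (not code from the patent) of the deletion procedure S501 to S507 together with the traffic encryption key handling in claims 5 and 6, the following Python model tracks the TEK state on both sides: encryption stops when the deletion is requested, decryption is kept until the acknowledgement, and the TEK state machine is released afterwards. The SAID values, the in-use flag, the rejection reasons and the roll-back on refusal are constructed assumptions; the Digest field is omitted here.

```python
from enum import Enum

class TekState(Enum):
    ACTIVE = "active"              # TEK used for both encryption and decryption
    DECRYPT_ONLY = "decrypt_only"  # deletion negotiated: no new encryption, decryption kept
    RELEASED = "released"          # TEK state machine released, DSA gone

class DsaStore:
    """One entity's table of dynamic security associations keyed by SAID (constructed model)."""
    def __init__(self):
        self.entries = {}

    def add(self, said: int, tek: bytes, in_use: bool = False) -> None:
        self.entries[said] = {"tek": tek, "state": TekState.ACTIVE, "in_use": in_use}

    def state(self, said: int) -> TekState:
        entry = self.entries.get(said)
        return entry["state"] if entry else TekState.RELEASED

    def can_encrypt(self, said: int) -> bool:
        return self.state(said) is TekState.ACTIVE

    def can_decrypt(self, said: int) -> bool:
        return self.state(said) in (TekState.ACTIVE, TekState.DECRYPT_ONLY)

    def begin_delete(self, said: int):
        """Entry into the deletion handshake on either side (S501 for the sender, S503 for
        the receiver): stop encrypting with the TEK but keep decrypting, so frames the peer
        already encrypted remain readable. Returns (accepted, reason)."""
        entry = self.entries.get(said)
        if entry is None:
            return False, "DSA with the given SAID does not exist"
        if entry["in_use"]:
            return False, "DSA is in use and deletion is not allowed"
        entry["state"] = TekState.DECRYPT_ONLY
        return True, None

    def abort_delete(self, said: int) -> None:
        # Assumption: the page does not say what happens when the peer refuses;
        # this model simply restores full use of the TEK.
        if said in self.entries:
            self.entries[said]["state"] = TekState.ACTIVE

    def finish_delete(self, said: int) -> bool:
        """After an accepting acknowledgement (S507, claim 6): disable decryption,
        release the TEK state machine and drop the entry."""
        entry = self.entries.pop(said, None)
        if entry is None:
            return False
        entry["state"] = TekState.RELEASED
        entry["tek"] = None
        return True

def run_deletion(first: DsaStore, second: DsaStore, said: int, transaction_id: str) -> dict:
    """SA_Delete_Req -> SA_Delete_Rsp -> SA_Delete_ACK between the two stores.
    Messages are plain dicts; the returned dict is the final acknowledgement
    (or a local error if the request was never sent)."""
    # S501 / claim 5: the first entity sends the request and disables encryption at the same time
    accepted, reason = first.begin_delete(said)
    if not accepted:
        return {"type": "not_sent", "SAID": said, "Accept": False, "Reason": reason}
    req = {"type": "SA_Delete_Req", "Transaction ID": transaction_id, "SAID": said}
    # S503 / S504: the second entity stops using the TEK for encryption and replies
    accepted, reason = second.begin_delete(req["SAID"])
    rsp = {"type": "SA_Delete_Rsp", "Transaction ID": req["Transaction ID"],
           "SAID": said, "Accept": accepted, "Reason": reason}
    # S506: the first entity acknowledges; a refusal carries the reason (SAID unknown, DSA in use)
    ack = {"type": "SA_Delete_ACK", "Transaction ID": rsp["Transaction ID"],
           "SAID": said, "Accept": rsp["Accept"], "Reason": rsp["Reason"]}
    if ack["Accept"]:
        # S507 / claim 6: both sides disable decryption and release the TEK state machine
        first.finish_delete(said)
        second.finish_delete(said)
    else:
        first.abort_delete(said)
    return ack
```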
Referring to Fig. 6, a schematic diagram of the basic logical structure of a communication entity provided by embodiment one of the present invention. For ease of explanation, only the parts relevant to the embodiment of the present invention are shown. This communication entity may be a base station, and it comprises:
Operation module 601, configured to operate on a dynamic security association and send the operation event to a second communication entity (for example, a user terminal) via an operation message; it further comprises:
Creating unit 6011, configured to create a dynamic security association and send the creation event to the user terminal via an operation message; or
Modifying unit 6012, configured to modify a dynamic security association and send the modification event to the user terminal via an operation message; or
Deleting unit 6013, configured to delete a dynamic security association and send the deletion event to the user terminal via an operation message.
Receiving module 602, configured to receive the acknowledgement message from the second communication entity;
Processing module 603, configured to perform corresponding processing on the dynamic security association according to the acknowledgement message received by receiving module 602.
For example, if the operation performed by operation module 601 is creating a dynamic security association and the acknowledgement message received by receiving module 602 indicates that the user terminal accepts the created dynamic security association, processing module 603 sends the encryption/decryption keys for data to the user terminal according to the acknowledgement message.
For another example, if the operation performed by operation module 601 is modifying a dynamic security association and the acknowledgement message received by receiving module 602 indicates that the user terminal accepts the modified dynamic security association, processing module 603 enables the modified dynamic security association at the arrival time of the frame indicated by the frame number (Frame Number).
For another example, if the operation performed by operation module 601 is deleting a dynamic security association, processing module 603 disables the decryption function of the traffic encryption key in the deleted dynamic security association and releases the traffic encryption key state machine.
Referring to Fig. 7, a schematic diagram of the basic logical structure of a communication entity provided by embodiment two of the present invention. For ease of explanation, only the parts relevant to the embodiment of the present invention are shown. This communication entity may be a user terminal, and it comprises:
Receiving module 701, configured to receive the negotiation message sent by a first communication entity for negotiating a dynamic security association with this communication entity; the first communication entity may be a base station or the like;
Operation module 702, configured to operate on the dynamic security association according to the negotiation message received by receiving module 701 and its own capability parameters, and to send a response message to the first communication entity;
Processing module 703, configured to receive the acknowledgement message sent by the first communication entity for the response message and, when the acknowledgement message indicates that the first communication entity accepts the user terminal's operation on the dynamic security association, to perform corresponding processing on the operated dynamic security association.
It should be noted that the information exchange between the modules/units of the above apparatus, their implementation and similar details are based on the same concept as the method embodiments of the present invention; for specifics, refer to the description in the method embodiments, which is not repeated here.
As can be seen from the embodiments of the present invention described above, the technical solution of the present invention allows one communication entity (a base station or a user terminal), when operating on a certain DSA, to let the other communication entity learn of the operation event in time and feed back the corresponding message, without manufacturers having to carry out interoperability tests in advance. Based on these operations, the first communication entity and the second communication entity can learn each other's capabilities and establish good coordination, thereby better protecting service flows with DSAs. As a general method for managing dynamic security associations, this dynamic security management method can equally be applied to security management in other systems.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, which may include read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc, etc.
The management method of a dynamic security association and the communication entity provided by the embodiments of the present invention have been described in detail above. Specific examples have been used herein to explain the principles and implementations of the present invention; the description of the above embodiments is only intended to help in understanding the method of the present invention and its core idea. At the same time, those of ordinary skill in the art may, following the idea of the present invention, make changes to the specific implementations and scope of application. In summary, this description should not be construed as limiting the present invention.

Claims (18)

1. A management method of a dynamic security association, characterized in that it comprises:
a first communication entity operating on a dynamic security association and sending an operation event to a second communication entity via an operation message;
the first communication entity receiving an acknowledgement message from the second communication entity;
the first communication entity performing corresponding processing on the dynamic security association according to the acknowledgement message.
2. The method of claim 1, characterized in that, if the operation event is creating a dynamic security association and the acknowledgement message indicates acceptance of the created dynamic security association, the first communication entity performing corresponding processing on the dynamic security association according to the acknowledgement message comprises:
the first communication entity sending encryption/decryption keys for data to the second communication entity.
3. The method of claim 1, characterized in that, when the operation event is modifying a dynamic security association, the operation message sent by the first communication entity to the second communication entity comprises at least a frame number, the frame number being used to indicate that the first communication entity and the second communication entity will update the original dynamic security association to the modified dynamic security association at the arrival time of the frame indicated by the frame number.
4. The method of claim 3, characterized in that, if the acknowledgement message indicates acceptance of the modified dynamic security association, the first communication entity performing corresponding processing on the dynamic security association according to the acknowledgement message comprises:
the first communication entity enabling the modified dynamic security association at the arrival time of the frame indicated by the frame number.
5. The method of claim 1, characterized in that, when the operation event is deleting the dynamic security association, the first communication entity operating on the dynamic security association and sending the operation event to the second communication entity via an operation message comprises:
the first communication entity sending to the second communication entity a deletion message for deleting the dynamic security association, while at the same time disabling the encryption function of the traffic encryption key in the dynamic security association to be deleted and keeping its decryption function, the deletion message comprising at least the identifier of the dynamic security association to be deleted.
6. The method of claim 5, characterized in that the first communication entity performing corresponding processing on the dynamic security association according to the acknowledgement message comprises:
if the acknowledgement message indicates acceptance of the deletion of the dynamic security association, the first communication entity disabling the decryption function of the traffic encryption key in the deleted dynamic security association and releasing the traffic encryption key state machine.
7. The method of any one of claims 1 to 6, characterized in that, after the first communication entity operates on the dynamic security association and sends the operation event to the second communication entity via the operation message, the method further comprises:
the first communication entity waiting for the second communication entity's acknowledgement message for the operation message and, if the waiting time exceeds a set time, the first communication entity sending the operation message to the second communication entity again.
8. The method of claim 1, characterized in that the first communication entity is a base station and the second communication entity is a user terminal.
9. A communication entity, characterized in that it comprises:
an operation module, configured to operate on a dynamic security association and send an operation event to a second communication entity via an operation message;
a receiving module, configured to receive an acknowledgement message from the second communication entity;
a processing module, configured to perform corresponding processing on the dynamic security association according to the acknowledgement message.
10. The base station of claim 9, characterized in that the operation module comprises:
a creating unit, configured to create a dynamic security association and send the creation event to the user terminal via an operation message; or
a modifying unit, configured to modify a dynamic security association and send the modification event to the user terminal via an operation message; or
a deleting unit, configured to delete a dynamic security association and send the deletion event to the user terminal via an operation message.
11. A management method of a dynamic security association, characterized in that it comprises:
a second communication entity receiving a negotiation message sent by a first communication entity for negotiating a dynamic security association with the second communication entity;
the second communication entity operating on the dynamic security association according to the negotiation message and its own capability parameters, and sending a response message to the first communication entity;
the second communication entity receiving an acknowledgement message sent by the first communication entity for the response message and, if the acknowledgement message indicates that the first communication entity accepts the second communication entity's operation on the dynamic security association, the second communication entity performing corresponding processing on the dynamic security association according to the acknowledgement message.
12. The method of claim 11, characterized in that, when the negotiation message received by the second communication entity is for negotiating the creation of a dynamic security association with the second communication entity, the second communication entity operating on the dynamic security association according to the request message and its own capability parameters and sending a response message to the first communication entity comprises:
the second communication entity creating the dynamic security association;
the second communication entity sending a response message to the first communication entity and waiting for the acknowledgement message from the first communication entity;
and the second communication entity performing corresponding processing on the dynamic security association comprises:
the second communication entity enabling the association attributes of the created dynamic security association.
13. The method of claim 11, characterized in that, if the request message received by the second communication entity is for negotiating the modification of a dynamic security association with the second communication entity, the second communication entity operating on the dynamic security association according to the request message and its own capability parameters and sending a response message to the first communication entity comprises:
the second communication entity modifying the association attributes of the dynamic security association;
the second communication entity sending a response message to the first communication entity and waiting for the acknowledgement message from the first communication entity;
and the second communication entity performing corresponding processing on the dynamic security association comprises:
the second communication entity enabling the association attributes of the modified dynamic security association.
14. The method of claim 13, characterized in that the acknowledgement message carries a frame number, the frame number being used to notify the second communication entity that the first communication entity will enable the association attributes of the modified dynamic security association when the frame indicated by the frame number arrives, or after it has arrived.
15. The method of claim 11, characterized in that, when the request message received by the second communication entity is for negotiating the deletion of a dynamic security association with the second communication entity, the second communication entity operating on the dynamic security association according to the request message and its own capability parameters and sending a response message to the first communication entity comprises:
the second communication entity ceasing to use the dynamic security association to be deleted for encrypting data;
the second communication entity sending a response message to the first communication entity and waiting for the acknowledgement message from the first communication entity;
and the second communication entity performing corresponding processing on the dynamic security association comprises:
the second communication entity deleting the dynamic security association.
16. The method of any one of claims 11 to 15, characterized in that, if the time spent waiting for the acknowledgement message from the first communication entity exceeds a set time, the second communication entity sends the response message to the first communication entity again.
17. The method of claim 11, characterized in that the first communication entity is a base station and the second communication entity is a user terminal.
18. A communication entity, characterized in that it comprises:
a receiving module, configured to receive a negotiation message sent by a first communication entity for negotiating a dynamic security association with the communication entity;
an operation module, configured to operate on the dynamic security association according to the negotiation message and its own capability parameters, and to send a response message to the first communication entity;
a processing module, configured to receive the acknowledgement message sent by the first communication entity for the response message and, when the acknowledgement message indicates that the base station accepts the communication entity's operation on the dynamic security association, to perform corresponding processing on the operated dynamic security association according to the acknowledgement message.
CN201010104374A 2010-01-25 2010-01-25 Management method of dynamic security association and communication entity Pending CN101800981A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010104374A CN101800981A (en) 2010-01-25 2010-01-25 Management method of dynamic security association and communication entity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010104374A CN101800981A (en) 2010-01-25 2010-01-25 Management method of dynamic security association and communication entity

Publications (1)

Publication Number Publication Date
CN101800981A true CN101800981A (en) 2010-08-11

Family

ID=42596414

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010104374A Pending CN101800981A (en) 2010-01-25 2010-01-25 Management method of dynamic security association and communication entity

Country Status (1)

Country Link
CN (1) CN101800981A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101227485A (en) * 2008-02-04 2008-07-23 杭州华三通信技术有限公司 Method and apparatus for negotiating internet cryptographic key exchanging safety coalition existence period
CN101375243A (en) * 2006-03-02 2009-02-25 思科技术公司 System and method for wireless network profile provisioning
WO2009114100A2 (en) * 2008-03-14 2009-09-17 Alcatel-Lucent Usa Inc. Methods and apparatuses for dynamic management of security associations in a wireless network

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103023641A (en) * 2012-10-25 2013-04-03 浪潮电子信息产业股份有限公司 Serial number generating/verifying method
CN103023641B (en) * 2012-10-25 2017-03-15 郑州云海信息技术有限公司 Serial number generation and verification method

Similar Documents

Publication Publication Date Title
CN109858262B (en) Process approval method, device and system based on block chain system and storage medium
US9596220B2 (en) Secure protocol for peer-to-peer network
US10341107B2 (en) Method, server, and communication device for updating identity-based cryptographic private keys of compromised communication devices
EP2611227A1 (en) Method, device and system for sending communication information
CN110891269B (en) Data protection method, equipment and system
CN102036230B (en) Method for implementing local route service, base station and system
KR20200044117A (en) Digital certificate management method and device
CN103391540A (en) Method and system for generating secret key information, terminal device and access network device
JP2006079213A (en) Relay device, authentication server, and authentication method
CN113992427B (en) Data encryption sending method and device based on adjacent nodes
CN103297940A (en) Short message encryption communication system and method
CN1791098B (en) Method for realizing safety coalition synchronization
CN102255723A (en) Asynchronous key updating method
JP5795591B2 (en) Service flow encryption processing method and system
CN101800981A (en) Management method of dynamic security association and communication entity
CN100499649C (en) Method for realizing safety coalition backup and switching
CN101378313A (en) Method for establishing safety association, user equipment and network side equipment
CN112906032B (en) File secure transmission method, system and medium based on CP-ABE and block chain
CN102318259B (en) Method and apparatus for traffic count key management and key count management
JP2005184222A (en) Work flow system and client terminal thereof
CN115174188A (en) Message transmission method and device, electronic equipment and storage medium
CN114036576A (en) Method and device for recovering ipsec tunnel and readable storage medium
CN114663234A (en) System and method for supervising abnormal transactions on block chain
CN101056169B (en) Method and system for improving the multicast service security of the radio communication system
WO2016165429A1 (en) Service processing method and apparatus, and terminal

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20100811